169 lines
3.7 KiB
YAML
169 lines
3.7 KiB
YAML
replicaCount: 2
|
|
|
|
# NOTE(mrtz): Hack for working with bitnami legacy registry
|
|
global:
|
|
security:
|
|
allowInsecureImages: true
|
|
image:
|
|
repository: bitnamilegacy/keycloak
|
|
|
|
production: true
|
|
|
|
proxy: edge
|
|
|
|
auth:
|
|
adminPassword: en to tre fire
|
|
adminUser: admin
|
|
existingSecret: ""
|
|
managementPassword: ""
|
|
managementUser: manager
|
|
|
|
postgresql:
|
|
enabled: false
|
|
|
|
resources:
|
|
limits:
|
|
cpu: 750m
|
|
ephemeral-storage: 2Gi
|
|
memory: 1500Mi
|
|
requests:
|
|
cpu: 500m
|
|
ephemeral-storage: 50Mi
|
|
memory: 512Mi
|
|
|
|
externalDatabase:
|
|
host: prod-keycloak-db-rw
|
|
port: 5432
|
|
database: app
|
|
existingSecret: prod-keycloak-db-app
|
|
existingSecretUserKey: username
|
|
existingSecretPasswordKey: password
|
|
|
|
extraVolumeMounts:
|
|
- mountPath: /opt/bitnami/keycloak/themes/oceanbox
|
|
name: theme
|
|
|
|
extraVolumes:
|
|
- emptyDir: {}
|
|
name: theme
|
|
|
|
ingress:
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-production
|
|
nginx.ingress.kubernetes.io/enable-cors: "true"
|
|
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
|
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
enabled: true
|
|
hostname: auth.oceanbox.io
|
|
ingressClassName: nginx
|
|
path: /
|
|
pathType: ImplementationSpecific
|
|
selfSigned: false
|
|
servicePort: http
|
|
tls: true
|
|
|
|
adminIngress:
|
|
enabled: false
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-production
|
|
nginx.ingress.kubernetes.io/enable-cors: "true"
|
|
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
|
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
oceanbox.io/expose: internal
|
|
hostname: keycloak.adm.oceanbox.io
|
|
ingressClassName: nginx
|
|
path: /
|
|
pathType: ImplementationSpecific
|
|
selfSigned: false
|
|
servicePort: http
|
|
tls: true
|
|
|
|
keycloakConfigCli:
|
|
enabled: false
|
|
configuration:
|
|
master.json: |
|
|
{
|
|
"realm" : "master",
|
|
"attributes": {
|
|
"frontendUrl": "https://auth.oceanbox.io"
|
|
}
|
|
}
|
|
|
|
initContainers: |
|
|
- name: keycloak-theme-provider
|
|
image: docker.io/juselius/oceanbox-theme:1.2
|
|
imagePullPolicy: Always
|
|
command:
|
|
- sh
|
|
args:
|
|
- -c
|
|
- |
|
|
echo "Copying theme..."
|
|
cp -R /theme/* /keycloak/themes/oceanbox
|
|
volumeMounts:
|
|
- name: theme
|
|
mountPath: /keycloak/themes/oceanbox
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
serviceAccount:
|
|
create: true
|
|
automountServiceAccountToken: true
|
|
|
|
extraDeploy:
|
|
- apiVersion: postgresql.cnpg.io/v1
|
|
kind: Cluster
|
|
metadata:
|
|
name: prod-keycloak-db
|
|
namespace: keycloak
|
|
spec:
|
|
instances: 2
|
|
imageName: ghcr.io/cloudnative-pg/postgresql:17.2-27-bookworm
|
|
storage:
|
|
resizeInUseVolumes: true
|
|
size: 10Gi
|
|
- apiVersion: barmancloud.cnpg.io/v1
|
|
kind: ObjectStore
|
|
metadata:
|
|
name: tos-store
|
|
namespace: keycloak
|
|
spec:
|
|
retentionPolicy: "7d"
|
|
configuration:
|
|
destinationPath: s3://cnpg/prod-keycloak-db
|
|
endpointURL: http://10.255.241.30:30080
|
|
s3Credentials:
|
|
accessKeyId:
|
|
name: cnpg-s3
|
|
key: access_key
|
|
secretAccessKey:
|
|
name: cnpg-s3
|
|
key: access_secret
|
|
wal:
|
|
compression: snappy
|
|
- apiVersion: postgresql.cnpg.io/v1
|
|
kind: ScheduledBackup
|
|
metadata:
|
|
name: prod-keycloak-db
|
|
namespace: keycloak
|
|
spec:
|
|
schedule: "0 0 1 * * *"
|
|
backupOwnerReference: self
|
|
cluster:
|
|
name: prod-keycloak-db
|
|
method: plugin
|
|
pluginConfiguration:
|
|
name: barman-cloud.cloudnative-pg.io
|
|
- apiVersion: monitoring.coreos.com/v1
|
|
kind: PodMonitor
|
|
metadata:
|
|
name: prod-keycloak-db-monitor
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
cnpg.io/cluster: prod-keycloak-db
|
|
podMetricsEndpoints:
|
|
- port: metrics
|