keycloak
Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters

global:
  ## Global Docker image parameters
  ## Please, note that this will override the image parameters, including dependencies, configured to use the global value
  ## @param global.imageRegistry Global Docker Image registry
  ## @param global.imagePullSecrets Global Docker registry secret names as an array
  ##
  imageRegistry: ""
  imagePullSecrets: []
  ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
  ##
  defaultStorageClass: ""
  ## Security parameters
  ## @param global.security.allowInsecureImages Allows skipping image verification
  ##
  security:
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
    ##
    openshift:
      adaptSecurityContext: auto
    ## @param global.compatibility.omitEmptySeLinuxOptions If set to true, removes the seLinuxOptions from the securityContexts when it is set to an empty object
    ##
    omitEmptySeLinuxOptions: false
  org: ""

## @section Common parameters

## @param kubeVersion Override Kubernetes version reported by .Capabilities
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Diagnostic mode
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
## @param diagnosticMode.command Command to override all containers in the chart release
## @param diagnosticMode.args Args to override all containers in the chart release
##
diagnosticMode:
  enabled: false
  command:
    - sleep
  args:
    - infinity
## @param useHelmHooks Enable use of Helm hooks if needed, e.g. on post-install jobs
##
useHelmHooks: true
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true

## @section Keycloak parameters

## Iamguarded Keycloak image version
## @param image.registry [default: REGISTRY_NAME] Keycloak image registry
## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository
## @skip image.tag Keycloak image tag (immutable tags are recommended)
## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Keycloak image pull policy
## @param image.pullSecrets Keycloak image pull secrets
## @param image.debug Enable Keycloak image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/keycloak-iamguarded
  tag: 26.5.6
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  debug: false
## Keycloak authentication parameters
##
auth:
  ## @param auth.adminUser Keycloak administrator user
  ##
  adminUser: user
  ## @param auth.adminPassword Keycloak administrator password for the new user
  ##
  adminPassword: ""
  ## @param auth.existingSecret Existing secret containing Keycloak admin password
  ##
  existingSecret: ""
  ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
  ##
  passwordSecretKey: ""
  ## @param auth.annotations Additional custom annotations for Keycloak auth secret object
  ##
  annotations: {}
## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy headers
##
production: false
## HTTPS settings
##
## @param tls.enabled Enable TLS in Keycloak
## @param tls.usePemCerts Use PEM certificates as input instead of PKCS12/JKS stores
## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates
## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
## @param tls.existingSecret The name of an existing Secret containing the TLS certificates for Keycloak replicas
## @param tls.certFilename Certificate filename inside the existing secret (when tls.usePemCerts=true and tls.autoGenerated.enabled=false)
## @param tls.certKeyFilename Certificate key filename inside the existing secret (when tls.usePemCerts=true and tls.autoGenerated.enabled=false)
## @param tls.keystoreFilename Keystore filename inside the existing secret
## @param tls.truststoreFilename Truststore filename inside the existing secret
## @param tls.keystorePassword Password to access the keystore when it's password-protected
## @param tls.truststorePassword Password to access the truststore when it's password-protected
## @param tls.passwordsSecret The name of an existing Secret containing the keystore/truststore passwords (expected keys: `tls-keystore-password` and `tls-truststore-password`)
##
tls:
  enabled: false
  usePemCerts: false
  autoGenerated:
    enabled: true
    engine: helm
    certManager:
      existingIssuer: ""
      existingIssuerKind: ""
      keySize: 2048
      keyAlgorithm: RSA
      duration: 2160h
      renewBefore: 360h
  ## Create this secret following the steps below:
  ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/server/enabletls)
  ## 2) Rename your truststore to `keycloak.truststore.jks`
  ## 3) Rename your keystore to `keycloak.keystore.jks`
  ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
  ##      kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
  ## NOTE: If tls.usePemCerts is enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
  ##
  existingSecret: ""
  certFilename: "tls.crt"
  certKeyFilename: "tls.key"
  keystoreFilename: "keycloak.keystore.jks"
  truststoreFilename: "keycloak.truststore.jks"
  keystorePassword: ""
  truststorePassword: ""
  passwordsSecret: ""
## @param trustedCertsExistingSecret Name of the existing Secret containing the trusted certificates to validate communications with external services
## ref: https://www.keycloak.org/server/keycloak-truststore
##
trustedCertsExistingSecret: ""
## @param adminRealm Name of the admin realm
##
adminRealm: "master"
## @param proxyHeaders Set Keycloak proxy headers
##
proxyHeaders: ""
## @param hostnameStrict Disables dynamically resolving the hostname from request headers (ignored if ingress.enabled is false).
## Should always be set to true in production, unless your reverse proxy overwrites the Host header.
## If enabled, the ingress.hostname option needs to be specified.
##
hostnameStrict: false
## @param httpEnabled Force enabling HTTP endpoint (by default it is only enabled if TLS is disabled)
##
httpEnabled: false
## @param httpRelativePath Set the path relative to '/' for serving resources
##
httpRelativePath: "/"
## Keycloak cache configuration
## ref: https://www.keycloak.org/server/caching
## @param cache.enabled Switch to enable or disable the Keycloak distributed cache for kubernetes.
## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
## @param cache.stack Cache stack to use
## @param cache.configFile Path to the file from which cache configuration should be loaded
## @param cache.useHeadlessServiceWithAppVersion Create a headless service used for ispn containing the app version
## @param cache.javaOptsAppendExtra Extra java options to append to the java options
##
cache:
  enabled: true
  stack: jdbc-ping
  configFile: "cache-ispn.xml"
  useHeadlessServiceWithAppVersion: false
  javaOptsAppendExtra: ""
## Keycloak logging configuration
## ref: https://www.keycloak.org/server/logging
## @param logging.output Alternates between the default log output format or json format
## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
##
logging:
  output: default
  level: INFO
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
##
## Example:
## configuration: |-
##    foo: bar
##    baz:
##
configuration: ""
## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
## NOTE: When it's set the configuration parameter is ignored
##
existingConfigmap: ""
## @param extraStartupArgs Extra default startup args
##
extraStartupArgs: ""
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## Example:
## initdbScripts:
##   my_init_script.sh: |
##      #!/bin/bash
##      echo "Do something."
##
initdbScripts: {}
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
##
initdbScriptsConfigMap: ""
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param extraEnvVars Extra environment variables to be set on Keycloak container
## Example:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret: ""
## @param containerPorts.http Keycloak HTTP container port
## @param containerPorts.https Keycloak HTTPS container port
## @param containerPorts.management Keycloak management container port
##
containerPorts:
  http: 8080
  https: 8443
  management: 9000
## @param extraContainerPorts Optionally specify extra list of additional ports for Keycloak container
## e.g:
## extraContainerPorts:
##   - name: myservice
##     containerPort: 9090
##
extraContainerPorts: []
## Keycloak pods' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable Keycloak pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Keycloak containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enable containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## Keycloak resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
##
resourcesPreset: "small"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure extra options for Keycloak containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 120
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param startupProbe.enabled Enable startupProbe on Keycloak containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 10
  successThreshold: 1
## @param customLivenessProbe Custom Liveness probes for Keycloak
##
customLivenessProbe: {}
## @param customReadinessProbe Custom Readiness probes for Keycloak
##
customReadinessProbe: {}
## @param customStartupProbe Custom Startup probes for Keycloak
##
customStartupProbe: {}

## @section Keycloak StatefulSet parameters

## @param replicaCount Number of Keycloak replicas to deploy
##
replicaCount: 1
## @param updateStrategy.type Keycloak StatefulSet update strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param revisionHistoryLimitCount Number of controller revisions to keep
##
revisionHistoryLimitCount: 10
## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
##
minReadySeconds: 0
## @param statefulsetAnnotations Optionally add extra annotations on the StatefulSet resource
##
statefulsetAnnotations: {}
## @param automountServiceAccountToken Mount Service Account token in Keycloak pods
##
automountServiceAccountToken: true
## @param hostAliases Keycloak pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param podLabels Extra labels for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param podManagementPolicy Pod management policy for the Keycloak StatefulSet
##
podManagementPolicy: Parallel
## @param priorityClassName Keycloak pods' Priority Class Name
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
##
lifecycleHooks: {}
## @param dnsPolicy DNS Policy for pod
## @param dnsConfig DNS Configuration for pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
##
dnsPolicy: ""
dnsConfig: {}
## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
##
enableServiceLinks: true
## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
##
extraVolumeMounts: []
## @param initContainers Add additional init containers to the Keycloak pods
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add additional sidecar containers to the Keycloak pods
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []

## @section Traffic Exposure Parameters

## Service configuration
##
service:
  ## @param service.type Kubernetes service type
  ##
  type: ClusterIP
  ## @param service.http.enabled Enable http port on service
  ##
  http:
    enabled: true
  ## @param service.ports.http Keycloak service HTTP port
  ## @param service.ports.https Keycloak service HTTPS port
  ##
  ports:
    http: 80
    https: 443
  ## Node ports to expose
  ## @param service.nodePorts.http Node port for HTTP
  ## @param service.nodePorts.https Node port for HTTPS
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    http: ""
    https: ""
  ## @param service.extraPorts Extra ports to expose on Keycloak service
  ##
  extraPorts: []
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP Keycloak service clusterIP IP
  ## e.g:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP for the Keycloak Service (optional, cloud specific)
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## Example:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for Keycloak service
  ##
  annotations: {}
  ## Headless service properties
  ##
  headless:
    ## @param service.headless.annotations Annotations for the headless service.
    ##
    annotations: {}
    ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
    ##
    extraPorts: []
## Keycloak ingress parameters
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for Keycloak
  ##
  enabled: false
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record (evaluated as template)
  ##
  hostname: keycloak.local
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (evaluated as template)
  ## Required if you have more than one IngressClass marked as the default for your cluster
  ##
  ingressClassName: ""
  ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce`
  ## leave as `default` for most ingress controllers.
  ## set to `gce` if using the GCE ingress controller
  ##
  controller: default
  ## @param ingress.path Default path for the ingress record
  ##
  path: "{{ .Values.httpRelativePath }}"
  ## @param ingress.servicePort Backend service port to use
  ## Default is http. Alternative is https.
  ##
  servicePort: http
  ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.labels Additional labels for the Ingress resource.
  ## e.g:
  ## labels:
  ##   app: keycloak
  ##
  labels: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ##   - hosts:
  ##       - keycloak.local
  ##     secretName: keycloak.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## - name: keycloak.local-tls
  ##   key:
  ##   certificate:
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ##   - host: keycloak.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: keycloak
  ##           port:
  ##             name: http
  ##
  extraRules: []
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports server is listening
  ## on. When true, server will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
  ##
  addExternalClientAccess: true
  ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
  ##
  kubeAPIServerPorts: [443, 6443, 8443]
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
  ## e.g:
  ## ingressPodMatchLabels:
  ##   my-client: "true"
  ##
  ingressPodMatchLabels: {}
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
782
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
783
##
784
ingressNSMatchLabels: {}
785
ingressNSPodMatchLabels: {}
786
## @section Other parameters
787
788
## ServiceAccount configuration
789
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
790
##
791
serviceAccount:
792
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
793
##
794
create: true
795
## @param serviceAccount.name The name of the ServiceAccount to use.
796
## If not set and create is true, a name is generated using the common.names.fullname template
797
##
798
name: ""
799
## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
800
##
801
annotations: {}
802
## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
803
##
804
automountServiceAccountToken: true
805
## @param serviceAccount.extraLabels Additional Service Account labels (evaluated as a template)
806
##
807
extraLabels: {}
808
## Keycloak Pod Disruption Budget configuration
809
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
810
## @param pdb.create Enable/disable a Pod Disruption Budget creation
811
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
812
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
813
##
814
pdb:
815
create: true
816
minAvailable: ""
817
maxUnavailable: ""
818
## Keycloak Autoscaling configuration
819
## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/
820
##
821
autoscaling:
822
## @param autoscaling.vpa.enabled Enable VPA for Keycloak pods
823
## @param autoscaling.vpa.annotations Annotations for VPA resource
824
## @param autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
825
## @param autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
826
## @param autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
827
##
828
vpa:
829
enabled: false
830
annotations: {}
831
controlledResources: []
832
maxAllowed: {}
833
minAllowed: {}
834
## @param autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy
835
## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
836
## Possible values are "Off", "Initial", "Recreate", and "Auto".
837
##
838
updatePolicy:
839
updateMode: Auto
840
## @param autoscaling.hpa.enabled Enable HPA for Keycloak pods
841
## @param autoscaling.hpa.minReplicas Minimum number of Keycloak replicas
842
## @param autoscaling.hpa.maxReplicas Maximum number of Keycloak replicas
843
## @param autoscaling.hpa.targetCPU Target CPU utilization percentage
844
## @param autoscaling.hpa.targetMemory Target Memory utilization percentage
845
##
846
hpa:
847
enabled: false
848
minReplicas: 1
849
maxReplicas: 11
850
targetCPU: ""
851
targetMemory: ""
852
## HPA Scaling Behavior
853
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
854
##
855
behavior:
856
## HPA behavior when scaling up
857
## @param autoscaling.hpa.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up
858
## @param autoscaling.hpa.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up
859
## @param autoscaling.hpa.behavior.scaleUp.policies [array] HPA scaling policies when scaling up
860
## e.g:
861
## Policy to scale 20% of the pod in 60s
862
## - type: Percent
863
## value: 20
864
## periodSeconds: 60
865
##
866
scaleUp:
867
stabilizationWindowSeconds: 120
868
selectPolicy: Max
869
policies: []
870
## HPA behavior when scaling down
871
## @param autoscaling.hpa.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down
872
## @param autoscaling.hpa.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down
873
## @param autoscaling.hpa.behavior.scaleDown.policies [array] HPA scaling policies when scaling down
874
## e.g:
875
## Policy to scale one pod in 300s
876
## - type: Pods
877
## value: 1
878
## periodSeconds: 300
879
##
880
scaleDown:
881
stabilizationWindowSeconds: 300
882
selectPolicy: Max
883
policies:
884
- type: Pods
885
value: 1
886
periodSeconds: 300
887
## @section Metrics parameters
888
metrics:
889
## @param metrics.enabled Enable exposing Keycloak metrics
890
##
891
enabled: false
892
## Keycloak metrics service parameters
893
##
894
service:
895
## @param metrics.service.ports.metrics Metrics service Metrics port
896
##
897
ports:
898
metrics: 9000
899
## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
900
##
901
annotations:
902
prometheus.io/scrape: "true"
903
prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
904
## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service
905
##
906
extraPorts: []
907
## Prometheus Operator ServiceMonitor configuration
908
##
909
serviceMonitor:
910
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
911
##
912
enabled: false
913
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
914
##
915
namespace: ""
916
## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
917
##
918
annotations: {}
919
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
920
##
921
labels: {}
922
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
923
##
924
jobLabel: ""
925
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
926
##
927
honorLabels: false
928
## @param metrics.serviceMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus
929
##
930
tlsConfig: {}
931
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
932
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
933
## e.g:
934
## interval: 10s
935
##
936
interval: ""
937
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
938
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
939
## e.g:
940
## scrapeTimeout: 10s
941
##
942
scrapeTimeout: ""
943
## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
944
##
945
metricRelabelings: []
946
## @param metrics.serviceMonitor.relabelings Specify general relabeling
947
##
948
relabelings: []
949
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
950
## selector:
951
## prometheus: my-prometheus
952
##
953
selector: {}
954
## Prometheus Operator alert rules configuration
955
##
956
prometheusRule:
957
## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
958
##
959
enabled: false
960
## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
961
##
962
namespace: ""
963
## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
964
##
965
labels: {}
966
## @param metrics.prometheusRule.groups Groups, containing the alert rules.
967
## Example:
968
## groups:
969
## - name: Keycloak
970
## rules:
971
## - alert: KeycloakInstanceNotAvailable
972
## annotations:
973
## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
974
## expr: |
975
## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
976
## for: 5m
977
## labels:
978
## severity: critical
979
groups: []
980
## @section keycloak-config-cli parameters
981
982
## Configuration for keycloak-config-cli
983
## ref: https://github.com/adorsys/keycloak-config-cli
984
##
985
keycloakConfigCli:
986
## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
987
##
988
enabled: false
989
## Iamguarded keycloak-config-cli image
990
## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry
991
## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository
992
## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag
993
## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
994
## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
995
## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
996
##
997
image:
998
registry: cgr.dev
999
repository: chainguard-private/keycloak-config-cli-iamguarded
1000
tag: 6.5.0
1001
digest: ""
1002
## Specify a imagePullPolicy
1003
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
1004
##
1005
pullPolicy: IfNotPresent
1006
## Optionally specify an array of imagePullSecrets.
1007
## Secrets must be manually created in the namespace.
1008
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
1009
## e.g:
1010
## pullSecrets:
1011
## - myRegistryKeySecretName
1012
##
1013
pullSecrets: []
1014
## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
1015
##
1016
annotations: {}
1017
## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
1018
##
1019
command: []
1020
## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
1021
##
1022
args: []
1023
## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod
1024
##
1025
automountServiceAccountToken: true
1026
## @param keycloakConfigCli.hostAliases Job pod host aliases
1027
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1028
##
1029
hostAliases: []
1030
## Keycloak config CLI resource requests and limits
1031
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1032
## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production).
1033
##
1034
resourcesPreset: "small"
1035
## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1036
## Example:
1037
## resources:
1038
## requests:
1039
## cpu: 2
1040
## memory: 512Mi
1041
## limits:
1042
## cpu: 3
1043
## memory: 1024Mi
1044
##
1045
resources: {}
1046
## keycloak-config-cli containers' Security Context
1047
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1048
## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context
1049
## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1050
## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser
1051
## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup
1052
## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot
1053
## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged
1054
## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem
1055
## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation
1056
## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped
1057
## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile
1058
##
1059
containerSecurityContext:
1060
enabled: true
1061
seLinuxOptions: {}
1062
runAsUser: 1001
1063
runAsGroup: 1001
1064
runAsNonRoot: true
1065
privileged: false
1066
readOnlyRootFilesystem: true
1067
allowPrivilegeEscalation: false
1068
capabilities:
1069
drop: ["ALL"]
1070
seccompProfile:
1071
type: "RuntimeDefault"
1072
## keycloak-config-cli pods' Security Context
1073
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
1074
## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
1075
## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
1076
## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface
1077
## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups
1078
## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
1079
##
1080
podSecurityContext:
1081
enabled: true
1082
fsGroupChangePolicy: Always
1083
sysctls: []
1084
supplementalGroups: []
1085
fsGroup: 1001
1086
## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
1087
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
1088
##
1089
backoffLimit: 1
1090
## @param keycloakConfigCli.podLabels Pod extra labels
1091
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
1092
##
1093
podLabels: {}
1094
## @param keycloakConfigCli.podAnnotations Annotations for job pod
1095
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1096
##
1097
podAnnotations: {}
1098
## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
1099
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
1100
##
1101
nodeSelector: {}
1102
##
1103
## @param keycloakConfigCli.tolerations Tolerations for job pod assignment
1104
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1105
##
1106
tolerations: []
1107
## keycloak-config-cli availability-check configuration
1108
## ref: https://github.com/adorsys/keycloak-config-cli#Configuration
1109
## @param keycloakConfigCli.availabilityCheck.enabled Whether to wait until Keycloak is available
1110
## @param keycloakConfigCli.availabilityCheck.timeout Timeout for the availability check (Default is 120s)
1111
##
1112
availabilityCheck:
1113
enabled: true
1114
timeout: ""
1115
## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
1116
## Example:
1117
## extraEnvVars:
1118
## - name: FOO
1119
## value: "bar"
1120
##
1121
extraEnvVars: []
1122
## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
1123
##
1124
extraEnvVarsCM: ""
1125
## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
1126
##
1127
extraEnvVarsSecret: ""
1128
## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
1129
##
1130
extraVolumes: []
1131
## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
1132
##
1133
extraVolumeMounts: []
1134
## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
1135
## Example:
1136
## initContainers:
1137
## - name: your-image-name
1138
## image: your-image
1139
## imagePullPolicy: Always
1140
## ports:
1141
## - name: portname
1142
## containerPort: 1234
1143
##
1144
initContainers: []
1145
## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
1146
## Example:
1147
## sidecars:
1148
## - name: your-image-name
1149
## image: your-image
1150
## imagePullPolicy: Always
1151
## ports:
1152
## - name: portname
1153
## containerPort: 1234
1154
##
1155
sidecars: []
1156
## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
1157
## NOTE: nil keys will be considered files to import locally
1158
## Example:
1159
## configuration:
1160
## realm1.json: |
1161
## {
1162
## "realm": "realm1",
1163
## "clients": []
1164
## }
1165
## realm2.yaml: |
1166
## realm: realm2
1167
## clients: []
1168
##
1169
configuration: {}
1170
## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration
1171
## NOTE: This will override keycloakConfigCli.configuration
1172
##
1173
existingConfigmap: ""
1174
## Automatic Cleanup for Finished Jobs
1175
## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
1176
## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
1177
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
1178
##
1179
cleanupAfterFinished:
1180
enabled: false
1181
seconds: 600
1182
## @section Default init container parameters
1183
1184
## Default init Containers
1185
##
1186
defaultInitContainers:
1187
## 'prepare-write-dirs' init container
1188
## Copies writable directories to an empty dir volume in order to not break the application functionality
1189
##
1190
prepareWriteDirs:
1191
## @param defaultInitContainers.prepareWriteDirs.enabled Enable init container that copies writable directories to an empty dir
1192
##
1193
enabled: true
1194
## Configure "prepare-write-dirs" init-container Security Context
1195
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1196
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.enabled Enabled "prepare-write-dirs" init-containers' Security Context
1197
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "prepare-write-dirs" init-containers
1198
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsUser Set runAsUser in "prepare-write-dirs" init-containers' Security Context
1199
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsGroup Set runAsGroup in "prepare-write-dirs" init-containers' Security Context
1200
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "prepare-write-dirs" init-containers' Security Context
1201
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.privileged Set privileged in "prepare-write-dirs" init-containers' Security Context
1202
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "prepare-write-dirs" init-containers' Security Context
1203
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "prepare-write-dirs" init-containers' Security Context
1204
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "prepare-write-dirs" init-containers
1205
## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.seccompProfile.type Set seccomp profile in "prepare-write-dirs" init-containers
1206
##
1207
containerSecurityContext:
1208
enabled: true
1209
seLinuxOptions: {}
1210
runAsUser: 1001
1211
runAsGroup: 1001
1212
runAsNonRoot: true
1213
privileged: false
1214
readOnlyRootFilesystem: true
1215
allowPrivilegeEscalation: false
1216
capabilities:
1217
drop: ["ALL"]
1218
seccompProfile:
1219
type: "RuntimeDefault"
1220
## Keycloak "prepare-write-dirs" init container resource requests and limits
1221
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1222
## @param defaultInitContainers.prepareWriteDirs.resourcesPreset Set Keycloak "prepare-write-dirs" init container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.prepareWriteDirs.resources is set (defaultInitContainers.prepareWriteDirs.resources is recommended for production).
1223
##
1224
resourcesPreset: "nano"
1225
## @param defaultInitContainers.prepareWriteDirs.resources Set Keycloak "prepare-write-dirs" init container requests and limits for different resources like CPU or memory (essential for production workloads)
1226
## E.g:
1227
## resources:
1228
## requests:
1229
## cpu: 2
1230
## memory: 512Mi
1231
## limits:
1232
## cpu: 3
1233
## memory: 1024Mi
1234
##
1235
resources: {}
1236
## @section Database parameters
1237
1238
## PostgreSQL chart configuration
1239
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
1240
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
1241
## @param postgresql.auth.username Name for a custom user to create
1242
## @param postgresql.auth.password Password for the custom user to create
1243
## @param postgresql.auth.database Name for a custom database to create
1244
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
1245
## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
1246
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
1247
##
1248
postgresql:
1249
enabled: true
1250
auth:
1251
postgresPassword: ""
1252
username: ig_keycloak
1253
password: ""
1254
database: iamguarded_keycloak
1255
existingSecret: ""
1256
secretKeys:
1257
userPasswordKey: password
1258
architecture: standalone
1259
image:
1260
registry: cgr.dev
1261
repository: chainguard-private/postgres-iamguarded
1262
tag: 18.3-r3
1263
digest: ""
1264
metrics:
1265
image:
1266
registry: cgr.dev
1267
repository: chainguard-private/prometheus-postgres-exporter-iamguarded
1268
tag: 0.19.1
1269
digest: ""
1270
volumePermissions:
1271
image:
1272
registry: cgr.dev
1273
repository: chainguard-private/os-shell-iamguarded
1274
tag: 1.0.0
1275
digest: ""
1276
## External PostgreSQL configuration
1277
## All of these values are only used when postgresql.enabled is set to false
1278
## @param externalDatabase.host Database host
1279
## @param externalDatabase.port Database port number
1280
## @param externalDatabase.user Non-root username for Keycloak
1281
## @param externalDatabase.password Password for the non-root username for Keycloak
1282
## @param externalDatabase.database Keycloak database name
1283
## @param externalDatabase.schema Keycloak database schema
1284
## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
1285
## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user
1286
## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
1287
## @param externalDatabase.annotations Additional custom annotations for external database secret object
1288
## @param externalDatabase.extraParams Additional JDBC connection parameters appended to the JDBC URL (KC_DB_URL).
1289
##
1290
externalDatabase:
1291
host: ""
1292
port: 5432
1293
user: ig_keycloak
1294
database: iamguarded_keycloak
1295
schema: public
1296
password: ""
1297
existingSecret: ""
1298
existingSecretUserKey: ""
1299
existingSecretPasswordKey: ""
1300
annotations: {}
1301
extraParams: ""
1302
