infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/keycloak-chart/templates/statefulset.yaml

{{- /*
# *****************************************************************************
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# ******************************************************************************
*/ -}}

{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "keycloak.fullname" . }}
  labels:
    {{- include "keycloak.commonLabels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "keycloak.selectorLabels" . | nindent 6 }}
  replicas: {{ .Values.keycloak.replicas }}
  serviceName: {{ include "keycloak.fullname" . }}-headless
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        {{- include "keycloak.selectorLabels" . | nindent 8 }}
        {{- with .Values.keycloak.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      annotations:
        checksum/config-sh: {{ include (print .Template.BasePath "/configmap-sh.yaml") . | sha256sum }}
        checksum/config-startup: {{ include (print .Template.BasePath "/configmap-startup.yaml") . | sha256sum }}
        {{- with .Values.keycloak.podAnnotations }}
        {{- range $key, $value := . }}
        {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 8 }}
        {{- end }}
        {{- end }}
    spec:
      {{- with .Values.keycloak.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.keycloak.enableServiceLinks }}
      enableServiceLinks: {{ .Values.keycloak.enableServiceLinks }}
      {{- end }}
      restartPolicy: {{ .Values.keycloak.restartPolicy }}
      serviceAccountName: {{ include "keycloak.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.keycloak.securityContext | nindent 8 }}
    {{- with .Values.keycloak.image.pullSecrets }}
      imagePullSecrets:
      {{- range . }}
        - name: {{ . }}
      {{- end }}
    {{- end }}
    {{- if or .Values.keycloak.persistence.deployPostgres .Values.keycloak.extraInitContainers }}
      initContainers:
      {{- if .Values.keycloak.persistence.deployPostgres }}
        - name: wait-for-postgresql
          image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
          imagePullPolicy: {{ .Values.init.image.pullPolicy }}
          securityContext:
            {{- toYaml .Values.keycloak.containerSecurityContext | nindent 12 }}
          command:
            - sh
            - -c
            - |
              until printf "." && nc -z -w 2 {{ include "keycloak.postgresql.fullname" . }} {{ .Values.postgresql.service.port }}; do
                  sleep 2;
              done;

              echo 'PostgreSQL OK ✓'
          resources:
            {{- toYaml .Values.init.resources | nindent 12 }}
      {{- end }}
      {{- with .Values.keycloak.extraInitContainers }}
        {{- tpl . $ | nindent 8 }}
      {{- end }}
    {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}"
          imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
          securityContext:
            {{- toYaml .Values.keycloak.containerSecurityContext | nindent 12 }}
          command:
            - /scripts/keycloak.sh
          {{- with .Values.keycloak.lifecycleHooks }}
          lifecycle:
            {{- tpl . $ | nindent 12 }}
          {{- end }}
          env:
            - name: KEYCLOAK_USER
              value: {{ .Values.keycloak.username }}
            - name: KEYCLOAK_PASSWORD_FILE
              value: /secrets/{{ include "keycloak.passwordKey" . }}
          {{- if $highAvailability }}
            - name: JGROUPS_DISCOVERY_PROTOCOL
              value: {{ .Values.keycloak.jgroups.discoveryProtocol }}
            - name: JGROUPS_DISCOVERY_PROPERTIES
              value: {{ tpl .Values.keycloak.jgroups.discoveryProperties . }}
            - name: KEYCLOAK_SERVICE_DNS_NAME
              value: "{{ include "keycloak.serviceDnsName" . }}"
          {{- end }}
            {{- include "keycloak.dbEnvVars" . | nindent 12 }}
          {{- with .Values.keycloak.extraEnv }}
            {{- tpl . $ | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: sh
              mountPath: /scripts
              readOnly: true
            - name: secrets
              mountPath: /secrets
              readOnly: true
            {{- if or .Values.keycloak.cli.enabled .Values.keycloak.startupScripts }}
            - name: startup
              mountPath: /opt/jboss/startup-scripts
              readOnly: true
            {{- end }}
            {{- with .Values.keycloak.extraVolumeMounts }}
            {{- tpl . $ | nindent 12 }}
            {{- end }}
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: https
              containerPort: 8443
              protocol: TCP
          {{- if $highAvailability }}
            - name: jgroups
              containerPort: 7600
              protocol: TCP
          {{- end }}
          {{- with .Values.keycloak.extraPorts }}
            {{- tpl . $ | nindent 12 }}
          {{- end }}
          {{- with .Values.keycloak.livenessProbe }}
          livenessProbe:
            {{- tpl . $ | nindent 12 }}
          {{- end }}
          {{- with .Values.keycloak.readinessProbe }}
          readinessProbe:
            {{- tpl . $ | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.keycloak.resources | nindent 12 }}
      {{- with .Values.keycloak.extraContainers }}
        {{- tpl . $ | nindent 8 }}
      {{- end }}
      {{- with .Values.keycloak.affinity }}
      affinity:
        {{- tpl . $ | nindent 8 }}
      {{- end }}
      {{- with .Values.keycloak.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.keycloak.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.keycloak.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
      terminationGracePeriodSeconds: 60
      volumes:
        - name: sh
          configMap:
            name: {{ include "keycloak.fullname" . }}-sh
            defaultMode: 0555
        - name: secrets
          secret:
            secretName: {{ include "keycloak.secret" . }}
      {{- if or .Values.keycloak.cli.enabled .Values.keycloak.startupScripts }}
        - name: startup
          configMap:
            name: {{ include "keycloak.fullname" . }}-startup
            defaultMode: 0555
      {{- end }}
      {{- with .Values.keycloak.extraVolumes }}
        {{- tpl . $ | nindent 8 }}
      {{- end }}