| # ***************************************************************************** |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # ****************************************************************************** |
| |
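# Init container (the chart runs it before keycloak starts, e.g. to wait for
# dependencies — see the chart templates for the exact command).
init:
  image:
    repository: busybox
    # Quoted on purpose: an unquoted 1.31 is parsed as a YAML float, and a tag
    # such as 1.10 would silently render as "1.1". Consider pinning by digest
    # (repository@sha256:...) so the image cannot change under a tag — verify
    # that the chart templates render a digest reference before doing so.
    tag: "1.31"
    pullPolicy: IfNotPresent
  # No limits/requests: the init container can consume whatever the node has.
  resources: {}
  # limits:
  #   cpu: "10m"
  #   memory: "32Mi"
  # requests:
  #   cpu: "10m"
  #   memory: "32Mi"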
| |
# Cluster DNS suffix; referenced by the jgroups dns_query further down.
clusterDomain: cluster.local

## Optionally override the fully qualified name
# fullnameOverride: keycloak

## Optionally override the name
# nameOverride: keycloak
| |
keycloak:
  # Single replica: the jgroups/HA settings below only matter once this is
  # raised above 1.
  replicas: 1

  image:
    repository: jboss/keycloak
    # Fixed release tag. Consider pinning by digest so the running image cannot
    # change underneath the tag (check that the chart renders a digest first).
    tag: 8.0.1
    pullPolicy: IfNotPresent

  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  pullSecrets: []
  # - myRegistrKeySecretName

  hostAliases: []
  # - ip: "1.2.3.4"
  #   hostnames:
  #   - "my.host.com"

  # Do not inject *_SERVICE_HOST/*_SERVICE_PORT variables for every Service in
  # the namespace into the pod; keeps the environment small and reveals less
  # about neighbouring services.
  enableServiceLinks: false

  restartPolicy: Always
| |
  serviceAccount:
    # Specifies whether a service account should be created
    create: false
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name:

  # Pod-level security context: volumes are group-owned by GID 1000 so the
  # non-root container below can write to them.
  securityContext:
    fsGroup: 1000

  # Container-level security context for the keycloak container only; the
  # theme-provider init container declared later in this file has no
  # securityContext of its own and does not get this one.
  # NOTE(review): consider adding allowPrivilegeEscalation: false and dropping
  # all capabilities here, provided the chart passes extra keys through.
  containerSecurityContext:
    runAsUser: 1000
    runAsNonRoot: true

  ## The path keycloak will be served from. To serve keycloak from the root path, use two quotes (e.g. "").
  basepath: auth
| |
| ## Additional init containers, e. g. for providing custom themes |
| extraInitContainers: | |
| |
| ## Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy |
| extraContainers: | |
| |
| ## lifecycleHooks defines the container lifecycle hooks |
| lifecycleHooks: | |
| # postStart: |
| # exec: |
| # command: ["/bin/sh", "-c", "ls"] |
| |
| ## Additional arguments to start command e.g. -Dkeycloak.import= to load a realm |
| extraArgs: "" |
| |
| ## Username for the initial Keycloak admin user |
| username: ${keycloak_user} |
| |
| ## Password for the initial Keycloak admin user. Applicable only if existingSecret is not set. |
| ## If not set, a random 10 characters password will be used |
| password: "${keycloak_password}" |
| |
| # Specifies an existing secret to be used for the admin password |
| existingSecret: "" |
| |
| # The key in the existing secret that stores the password |
| existingSecretKey: password |
| |
  ## jGroups configuration (only for HA deployment)
  ## Inert while replicas is 1. The surrounding double quotes are part of the
  ## rendered value; dns_query resolves the chart's headless service via
  ## clusterDomain above.
  jgroups:
    discoveryProtocol: dns.DNS_PING
    discoveryProperties: >
      "dns_query={{ template "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
| |
  ## Allows the specification of additional environment variables for Keycloak
  ## SECURITY: PROXY_ADDRESS_FORWARDING makes Keycloak honour X-Forwarded-*
  ## headers from whatever connects to it. That is only safe while the pod is
  ## reachable solely through the ingress controller (service.type is ClusterIP
  ## below); do not expose the Service directly (NodePort/LoadBalancer) with
  ## this enabled, or clients can spoof their source address/scheme.
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
    # - name: KEYCLOAK_LOGLEVEL
    #   value: DEBUG
    # - name: WILDFLY_LOGLEVEL
    #   value: DEBUG
    # - name: CACHE_OWNERS
    #   value: "2"
    # - name: DB_QUERY_TIMEOUT
    #   value: "60"
    # - name: DB_VALIDATE_ON_MATCH
    #   value: true
    # - name: DB_USE_CAST_FAIL
    #   value: false
| |
  # Spread replicas: hard rule one keycloak pod per node, soft preference for
  # different zones. Pods labelled role=test are excluded from both rules.
  # Rendered as a Go template by the chart — keep the nindent values in step
  # with the indentation of the matchLabels key they sit under.
  # NOTE(review): failure-domain.beta.kubernetes.io/zone is the legacy zone
  # label; newer clusters use topology.kubernetes.io/zone — confirm which one
  # the target cluster's nodes carry.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 10 }}
            matchExpressions:
              - key: role
                operator: NotIn
                values:
                  - test
          topologyKey: kubernetes.io/hostname
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                {{- include "keycloak.selectorLabels" . | nindent 12 }}
              matchExpressions:
                - key: role
                  operator: NotIn
                  values:
                    - test
            topologyKey: failure-domain.beta.kubernetes.io/zone

  nodeSelector: {}
  priorityClassName: ""
  tolerations: []

  ## Additional pod labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  podLabels: {}

  ## Extra Annotations to be added to pod
  podAnnotations: {}

  # Probes hit the keycloak root (liveness) and the master realm (readiness)
  # under basepath. Liveness waits 5 minutes before the first check because the
  # server start is slow; readiness starts after 30s with a 1s timeout.
  livenessProbe: |
    httpGet:
      path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/
      port: http
    initialDelaySeconds: 300
    timeoutSeconds: 5
  readinessProbe: |
    httpGet:
      path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/realms/master
      port: http
    initialDelaySeconds: 30
    timeoutSeconds: 1
| |
  # No requests/limits set: keycloak runs with unbounded CPU/memory, so a
  # misbehaving instance can starve neighbours. Set at least a memory limit in
  # shared clusters.
  resources: {}
  # limits:
  #   cpu: "100m"
  #   memory: "1024Mi"
  # requests:
  #   cpu: "100m"
  #   memory: "1024Mi"

  ## WildFly CLI configurations. They all end up in the file 'keycloak.cli' configured in the configmap which is
  ## executed on server startup.
  ## Disabled here; the script bodies come from the chart's own scripts/ directory.
  cli:
    enabled: false
    nodeIdentifier: |
      {{ .Files.Get "scripts/node-identifier.cli" }}

    logging: |
      {{ .Files.Get "scripts/logging.cli" }}

    ha: |
      {{ .Files.Get "scripts/ha.cli" }}

    datasource: |
      {{ .Files.Get "scripts/datasource.cli" }}

    # Custom CLI script
    custom: |

  podDisruptionBudget: {}
  # maxUnavailable: 1
  # minAvailable: 1
| |
  service:
    annotations: {}
    # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"

    labels: {}
    # key: value

    ## ServiceType
    ## ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
    ## ClusterIP keeps keycloak reachable only from inside the cluster; public
    ## access goes through the Ingress below. Keep it that way while
    ## PROXY_ADDRESS_FORWARDING is set in extraEnv.
    type: ClusterIP

    ## Optional static port assignment for service type NodePort.
    # nodePort: 30000

    # Plain HTTP from the ingress controller to the pod; TLS terminates at the
    # Ingress.
    httpPort: 80
    httpNodePort: ""

    httpsPort: 8443
    httpsNodePort: ""

    # Optional: jGroups port for high availability clustering.
    # NOTE(review): exposed on the Service whatever the replica count; if more
    # than one replica is ever run, restrict this port with a NetworkPolicy to
    # the keycloak pods themselves.
    jgroupsPort: 7600
| |
| ## Ingress configuration. |
| ## ref: https://kubernetes.io/docs/user-guide/ingress/ |
| ingress: |
| enabled: true |
| annotations: |
| kubernetes.io/ingress.class: nginx |
| nginx.ingress.kubernetes.io/ssl-redirect: "true" |
| nginx.ingress.kubernetes.io/rewrite-target: /auth |
| path: /auth |
| hosts: |
| - ${ssn_k8s_alb_dns_name} |
| tls: |
| - hosts: |
| - ${ssn_k8s_alb_dns_name} |
| secretName: datalab-ui-tls |
| |
  ## OpenShift route configuration.
  ## ref: https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html
  ## Disabled: this deployment uses the Ingress above. If enabled, the TLS
  ## settings below terminate TLS at the router and redirect plain HTTP.
  route:
    enabled: false
    path: /

    annotations: {}
    # kubernetes.io/tls-acme: "true"
    # haproxy.router.openshift.io/disable_cookies: "true"
    # haproxy.router.openshift.io/balance: roundrobin

    labels: {}
    # key: value

    # Host name for the route
    host:

    # TLS configuration
    tls:
      enabled: true
      insecureEdgeTerminationPolicy: Redirect
      termination: edge
| |
| ## Persistence configuration |
| persistence: |
| dbVendor: mysql |
| dbName: ${mysql_db_name} |
| dbHost: keycloak-mysql |
| dbPort: 3306 |
| dbUser: ${mysql_user} |
| dbPassword: "${mysql_user_password}" |
| |
  # Scripts the chart presumably mounts and runs at container start (verify in
  # the chart templates). The whole script body is substituted here.
  # NOTE(review): a multi-line substitution inside a literal block scalar is
  # only valid YAML if every substituted line is indented to this level —
  # confirm the renderer indents it (e.g. Terraform's indent()) rather than
  # inserting it verbatim.
  startupScripts:
    mystartup.sh: |
      ${configure_keycloak_file}
  # Copies the DataLab login theme into a shared emptyDir before keycloak starts.
  # NOTE(review): mutable tag pulled with imagePullPolicy Always — the theme
  # image can change between pod restarts; pin by digest once the intended
  # build is known. The container has no securityContext of its own
  # (keycloak.containerSecurityContext applies only to the keycloak
  # container), so it runs as the image's default user — check that is not root.
  extraInitContainers: |
    - name: theme-provider
      image: epamdlab/ui-theme:0.1
      imagePullPolicy: Always
      command:
        - sh
      args:
        - -c
        - |
          echo "Copying theme..."
          cp -R /datalab/* /theme
      volumeMounts:
        - name: theme
          mountPath: /theme
  # Mounts the copied theme into keycloak's themes directory under "datalab".
  extraVolumeMounts: |
    - name: theme
      mountPath: /opt/jboss/keycloak/themes/datalab
  extraVolumes: |
    - name: theme
      emptyDir: {}
| |
# Bundled PostgreSQL settings. Unused by this deployment: keycloak.persistence
# above points at an external MySQL.
postgresql:
  ### PostgreSQL User to create.
  ##
  postgresqlUsername: keycloak

  ## PostgreSQL Password for the new user.
  ## If not set, a random 10 characters password will be used.
  ##
  postgresqlPassword: ""

  ## PostgreSQL Database to create.
  ##
  postgresqlDatabase: keycloak

  ## Persistent Volume Storage configuration.
  ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes
  ##
  persistence:
    ## Enable PostgreSQL persistence using Persistent Volume Claims.
    ## Off: data would not survive a pod restart if this database were used.
    ##
    enabled: false

# Helm test pod (disabled); runs non-root like the main container.
test:
  enabled: false
  image:
    repository: unguiculus/docker-python3-phantomjs-selenium
    tag: v1
    pullPolicy: IfNotPresent
  securityContext:
    fsGroup: 1000
  containerSecurityContext:
    runAsUser: 1000
    runAsNonRoot: true
| |
# Prometheus Operator integration (disabled).
prometheus:
  operator:
    ## Are you using Prometheus Operator?
    enabled: false

    serviceMonitor:
      ## Additional labels to add to the ServiceMonitor so it is picked up by the operator.
      ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release.
      selector:
        release: prometheus

      ## Interval at which Prometheus scrapes metrics
      interval: 10s

      ## Timeout at which Prometheus timeouts scrape run
      scrapeTimeout: 10s

      ## The path to scrape
      ## NOTE(review): this lives under the public Ingress path (/auth). If a
      ## metrics endpoint is ever enabled in keycloak, check that it is not
      ## reachable unauthenticated from outside the cluster.
      path: /auth/realms/master/metrics

    prometheusRules:
      ## Add Prometheus Rules?
      enabled: false

      ## Additional labels to add to the PrometheusRule so it is picked up by the operator.
      ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator'
      selector:
        app: prometheus-operator
        release: prometheus

      ## Some example rules.
      rules: {}
      # - alert: keycloak-IngressHigh5xxRate
      #   annotations:
      #     message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
      #   expr: (sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]))/sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m])))*100 > 1
      #   for: 5m
      #   labels:
      #     severity: warning
      # - alert: keycloak-IngressHigh5xxRate
      #   annotations:
      #     message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 5%.
      #   expr: (sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]))/sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m])))*100 > 5
      #   for: 5m
      #   labels:
      #     severity: critical