mirror of
https://github.com/bitnami/charts.git
synced 2026-03-09 15:38:00 +08:00
642 lines
18 KiB
YAML
642 lines
18 KiB
YAML
## Global Docker image parameters
|
|
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
|
|
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
|
|
##
|
|
# global:
|
|
# imageRegistry: myRegistryName
|
|
# imagePullSecrets:
|
|
# - myRegistryKeySecretName
|
|
# storageClass: myStorageClass
|
|
|
|
## String to partially override aspnet-core.fullname template (will maintain the release name)
|
|
##
|
|
# nameOverride:
|
|
|
|
## String to fully override aspnet-core.fullname template
|
|
##
|
|
# fullnameOverride:
|
|
|
|
## Add labels to all the deployed resources
|
|
##
|
|
commonLabels: {}
|
|
|
|
## Add annotations to all the deployed resources
|
|
##
|
|
commonAnnotations: {}
|
|
|
|
## Kubernetes Cluster Domain
|
|
##
|
|
clusterDomain: cluster.local
|
|
|
|
## Extra objects to deploy (value evaluated as a template)
|
|
##
|
|
extraDeploy: []
|
|
|
|
## Bitnami Keycloak image version
|
|
## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnami/keycloak
|
|
tag: 11.0.3-debian-10-r56
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
## Example:
|
|
## pullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
pullSecrets: []
|
|
## Set to true if you would like to see extra information on logs
|
|
##
|
|
debug: false
|
|
|
|
## Keycloak authentication parameters
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
|
|
##
|
|
auth:
|
|
## Create administrator user on boot.
|
|
##
|
|
createAdminUser: true
|
|
## Keycloak administrator user and password
|
|
##
|
|
adminUser: user
|
|
adminPassword: ""
|
|
## Wildfly management user and password
|
|
##
|
|
managementUser: manager
|
|
managementPassword: ""
|
|
|
|
## TLS encryption parameters
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#tls-encryption
|
|
##
|
|
tls:
|
|
enabled: false
|
|
## Name of the existing secret containing the truststore and one keystore per Keycloak replica
|
|
## Create this secret following the steps below:
|
|
## 1) Generate your trustore and keystore files (more info at https://github.com/keycloak/keycloak-documentation/blob/master/openshift/topics/advanced_concepts.adoc#creating-https-and-jgroups-keystores-and-truststore-for-the-project_name-server)
|
|
## 2) Rename your truststore to `keycloak.truststore.jks`.
|
|
## 3) Rename your keystores to `keycloak-X.keystore.jks` where X is the ID of each Keycloak replica
|
|
## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
|
|
## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak-0.keystore.jks --from-file=./keycloak-1.keystore.jks ...
|
|
##
|
|
# jksSecret:
|
|
## Password to access the keystore when it's password-protected.
|
|
##
|
|
keystorePassword: ""
|
|
## Password to access the truststore when it's password-protected.
|
|
##
|
|
truststorePassword: ""
|
|
|
|
## Enable Proxy Address Forwarding
|
|
## ref: https://www.keycloak.org/docs/latest/server_installation/#_setting-up-a-load-balancer-or-proxy
|
|
##
|
|
proxyAddressForwarding: false
|
|
|
|
## Keycloak Service Discovery settings
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
|
|
##
|
|
serviceDiscovery:
|
|
enabled: false
|
|
## Sets the protocol that Keycloak nodes would use to discover new peers
|
|
## Available protocols can be found at http://www.jgroups.org/javadoc3/org/jgroups/protocols/
|
|
##
|
|
protocol: kubernetes.KUBE_PING
|
|
## Properties for the discovery protocol set in serviceDiscovery.protocol parameter
|
|
## List of key=>value pairs
|
|
## Example:
|
|
## properties:
|
|
## - datasource_jndi_name=>"java:jboss/datasources/KeycloakDS"
|
|
## - initialize_sql=>"CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
|
|
##
|
|
properties: []
|
|
## Transport stack for the discovery protocol set in serviceDiscovery.protocol parameter
|
|
##
|
|
transportStack: tcp
|
|
|
|
## Keycloak cache settings
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
|
|
##
|
|
cache:
|
|
## Number of nodes that will replicate cached data
|
|
##
|
|
ownersCount: 1
|
|
## Number of nodes that will replicate cached authentication data
|
|
##
|
|
authOwnersCount: 1
|
|
|
|
## Keycloak Configuration
|
|
## Specify content for standalone-ha.xml
|
|
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
|
|
## The standalone-ha.xml is auto-generated based on other parameters when this parameter is not specified
|
|
##
|
|
## Example:
|
|
## configuration: |-
|
|
## foo: bar
|
|
## baz:
|
|
##
|
|
# configuration:
|
|
|
|
## Existing ConfigMap with Keycloak Configuration
|
|
## NOTE: When it's set the configuration parameter is ignored
|
|
##
|
|
# existingConfigmap:
|
|
|
|
## Add extra args to default startup command
|
|
##
|
|
extraStartupArgs:
|
|
|
|
## initdb scripts
|
|
## Specify dictionary of scripts to be run at first boot
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#initializing-a-new-instance
|
|
## Example:
|
|
## initdbScripts:
|
|
## my_init_script.sh: |
|
|
## #!/bin/bash
|
|
## echo "Do something."
|
|
##
|
|
initdbScripts: {}
|
|
|
|
## Existing ConfigMap with custom init scripts
|
|
##
|
|
# initdbScriptsConfigMap:
|
|
|
|
## Command and args for running the container (set to default if not set). Use array form
|
|
##
|
|
command: []
|
|
args: []
|
|
|
|
## An array to add extra env vars
|
|
## Example:
|
|
## extraEnvVars:
|
|
## - name: FOO
|
|
## value: "bar"
|
|
##
|
|
extraEnvVars: []
|
|
|
|
## ConfigMap with extra environment variables
|
|
##
|
|
extraEnvVarsCM:
|
|
|
|
## Secret with extra environment variables
|
|
##
|
|
extraEnvVarsSecret:
|
|
|
|
## Number of Keycloak replicas to deploy
|
|
##
|
|
replicaCount: 1
|
|
|
|
## Keycloak container ports to open
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
|
|
## Keycloak containers' SecurityContext
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
|
|
## Keycloak pods' Security Context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
|
|
## Keycloak resource requests and limits
|
|
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
|
##
|
|
resources:
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
limits: {}
|
|
# cpu: 200m
|
|
# memory: 256Mi
|
|
requests: {}
|
|
# cpu: 200m
|
|
# memory: 10Mi
|
|
|
|
## Keycloak containers' liveness and readiness probes.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
httpGet:
|
|
path: /auth/
|
|
port: http
|
|
initialDelaySeconds: 300
|
|
periodSeconds: 1
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
successThreshold: 1
|
|
readinessProbe:
|
|
enabled: true
|
|
httpGet:
|
|
path: /auth/realms/master
|
|
port: http
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
timeoutSeconds: 1
|
|
failureThreshold: 3
|
|
successThreshold: 1
|
|
|
|
## Custom Liveness probes for Keycloak
|
|
##
|
|
customLivenessProbe: {}
|
|
|
|
## Custom Rediness probes Keycloak
|
|
##
|
|
customReadinessProbe: {}
|
|
|
|
## Strategy to use to update Pods
|
|
##
|
|
updateStrategy:
|
|
## StrategyType
|
|
## Can be set to RollingUpdate or OnDelete
|
|
##
|
|
type: RollingUpdate
|
|
|
|
## Pod affinity preset
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
podAffinityPreset: ""
|
|
|
|
## Pod anti-affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
nodeAffinityPreset:
|
|
## Node affinity type
|
|
## Allowed values: soft, hard
|
|
##
|
|
type: ""
|
|
## Node label key to match
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## Node label values to match
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
|
|
## Affinity for pod assignment. Evaluated as a template.
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
##
|
|
affinity: {}
|
|
|
|
## Node labels for pod assignment. Evaluated as a template.
|
|
## ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
|
|
## Tolerations for pod assignment. Evaluated as a template.
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
|
|
## Pod extra labels
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
|
|
## Annotations for server pods.
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
|
|
## Keycloak pods' priority.
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
|
##
|
|
# priorityClassName: ""
|
|
|
|
## lifecycleHooks for the Keycloak container to automate configuration before or after startup.
|
|
##
|
|
lifecycleHooks: {}
|
|
|
|
## Extra volumes to add to the deployment
|
|
##
|
|
extraVolumes: []
|
|
|
|
## Extra volume mounts to add to the container
|
|
##
|
|
extraVolumeMounts: []
|
|
|
|
## Add init containers to the Keycloak pods.
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
initContainers: {}
|
|
|
|
## Add sidecars to the Keycloak pods.
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: {}
|
|
|
|
## Service configuration
|
|
##
|
|
service:
|
|
## Service type.
|
|
##
|
|
type: LoadBalancer
|
|
## HTTP Port
|
|
##
|
|
port: 80
|
|
## HTTPS Port
|
|
##
|
|
httpsPort: 443
|
|
## Specify the nodePort values for the LoadBalancer and NodePort service types.
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
|
|
##
|
|
nodePorts:
|
|
http: ""
|
|
https: ""
|
|
## Service clusterIP.
|
|
##
|
|
# clusterIP: None
|
|
## loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
|
|
## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
|
|
##
|
|
# loadBalancerIP:
|
|
## Load Balancer sources
|
|
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
|
|
## Example:
|
|
## loadBalancerSourceRanges:
|
|
## - 10.10.10.0/24
|
|
##
|
|
loadBalancerSourceRanges: []
|
|
## Enable client source IP preservation
|
|
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
|
|
##
|
|
externalTrafficPolicy: Cluster
|
|
## Provide any additional annotations which may be required (evaluated as a template).
|
|
##
|
|
annotations: {}
|
|
|
|
## Ingress configuration
|
|
##
|
|
ingress:
|
|
## Set to true to enable ingress record generation
|
|
##
|
|
enabled: false
|
|
|
|
## Set this to true in order to add the corresponding annotations for cert-manager
|
|
##
|
|
certManager: false
|
|
|
|
## When the ingress is enabled, a host pointing to this will be created
|
|
##
|
|
hostname: keycloak.local
|
|
|
|
## Ingress annotations done as key:value pairs
|
|
## For a full list of possible ingress annotations, please see
|
|
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
|
|
##
|
|
## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
|
|
##
|
|
annotations: {}
|
|
|
|
## Enable TLS configuration for the hostname defined at ingress.hostname parameter
|
|
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
|
|
## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or
|
|
## let the chart create self-signed certificates for you
|
|
##
|
|
tls: false
|
|
|
|
## The list of additional hostnames to be covered with this ingress record.
|
|
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
|
|
## Example:
|
|
## extraHosts:
|
|
## - name: keycloak.local
|
|
## path: /
|
|
##
|
|
extraHosts: []
|
|
|
|
## The tls configuration for additional hostnames to be covered with this ingress record.
|
|
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
|
## Example:
|
|
## extraTls:
|
|
## - hosts:
|
|
## - keycloak.local
|
|
## secretName: keycloak.local-tls
|
|
##
|
|
extraTls: []
|
|
|
|
## If you're providing your own certificates, please use this to add the certificates as secrets
|
|
## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
|
|
## name should line up with a secretName set further up
|
|
##
|
|
## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
|
|
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
|
|
## It is also possible to create and manage the certificates outside of this helm chart
|
|
## Please see README.md for more information
|
|
##
|
|
## Example
|
|
## secrets:
|
|
## - name: aspnet-core.local-tls
|
|
## key: ""
|
|
## certificate: ""
|
|
##
|
|
secrets: []
|
|
|
|
## Network Policy configuration
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
|
##
|
|
networkPolicy:
|
|
## Enable creation of NetworkPolicy resources
|
|
##
|
|
enabled: false
|
|
## The Policy model to apply. When set to false, only pods with the correct
|
|
## client label will have network access to the ports Keycloak is listening
|
|
## on. When true, Keycloak will accept connections from any source
|
|
## (with the correct destination port).
|
|
##
|
|
allowExternal: true
|
|
## Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
|
|
## Example:
|
|
## additionalRules:
|
|
## - matchLabels:
|
|
## - role: frontend
|
|
## - matchExpressions:
|
|
## - key: role
|
|
## operator: In
|
|
## values:
|
|
## - frontend
|
|
##
|
|
additionalRules: {}
|
|
|
|
## Specifies whether RBAC resources should be created
|
|
##
|
|
rbac:
|
|
create: false
|
|
## Custom RBAC rules
|
|
## Example:
|
|
## rules:
|
|
## - apiGroups:
|
|
## - ""
|
|
## resources:
|
|
## - pods
|
|
## verbs:
|
|
## - get
|
|
## - list
|
|
##
|
|
rules: []
|
|
|
|
## Specifies whether a ServiceAccount should be created
|
|
##
|
|
serviceAccount:
|
|
create: true
|
|
## The name of the ServiceAccount to use.
|
|
## If not set and create is true, a name is generated using the fullname template
|
|
##
|
|
name: ""
|
|
|
|
## Keycloak Pod Disruption Budget configuration
|
|
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
|
|
##
|
|
pdb:
|
|
create: false
|
|
## Min number of pods that must still be available after the eviction
|
|
##
|
|
minAvailable: 1
|
|
## Max number of pods that can be unavailable after the eviction
|
|
##
|
|
# maxUnavailable: 1
|
|
|
|
## Keycloak Autoscaling configuration
|
|
##
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 11
|
|
# targetCPU: 50
|
|
# targetMemory: 50
|
|
|
|
## Metrics configuration
|
|
##
|
|
metrics:
|
|
## Enable Keycloak statistics
|
|
## ref: https://github.com/bitnami/bitnami-docker-keycloak#enabling-statistics
|
|
##
|
|
enabled: false
|
|
|
|
## Keycloak metrics service parameters
|
|
##
|
|
service:
|
|
## HTTP management port
|
|
##
|
|
port: 9990
|
|
## Annotations for the Prometheus exporter service
|
|
##
|
|
annotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/port: "{{ .Values.metrics.service.port }}"
|
|
|
|
## Prometheus Operator ServiceMonitor configuration
|
|
##
|
|
serviceMonitor:
|
|
## If the operator is installed in your cluster, set to true to create a Service Monitor Entry
|
|
##
|
|
enabled: false
|
|
## Specify the namespace in which the serviceMonitor resource will be created
|
|
##
|
|
# namespace: ""
|
|
## Specify the interval at which metrics should be scraped
|
|
##
|
|
interval: 30s
|
|
## Specify the timeout after which the scrape is ended
|
|
##
|
|
# scrapeTimeout: 30s
|
|
## Specify Metric Relabellings to add to the scrape endpoint
|
|
##
|
|
# relabellings:
|
|
## Specify honorLabels parameter to add the scrape endpoint
|
|
##
|
|
honorLabels: false
|
|
## Specify the release for ServiceMonitor. Sometimes it should be custom for prometheus operator to work
|
|
##
|
|
# release: ""
|
|
## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
|
|
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
|
|
##
|
|
additionalLabels: {}
|
|
##
|
|
## PostgreSQL chart configuration
|
|
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
|
|
##
|
|
postgresql:
|
|
## Whether to deploy a postgresql server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
|
|
##
|
|
enabled: true
|
|
## PostgreSQL user (has superuser privileges if username is `postgres`)
|
|
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
|
|
##
|
|
postgresqlUsername: bn_keycloak
|
|
## PostgreSQL password
|
|
## Defaults to a random 10-character alphanumeric string if not set
|
|
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
|
|
##
|
|
postgresqlPassword: some-password
|
|
## Database name to create
|
|
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
|
|
##
|
|
postgresqlDatabase: bitnami_keycloak
|
|
## PostgreSQL data Persistent Volume Storage Class
|
|
##
|
|
persistence:
|
|
enabled: true
|
|
|
|
##
|
|
## External database configuration
|
|
##
|
|
externalDatabase:
|
|
## Database host
|
|
##
|
|
host: ""
|
|
## Database port
|
|
##
|
|
port: 5432
|
|
## non admin username for Keycloak Database
|
|
##
|
|
user: bn_keycloak
|
|
## Database password
|
|
##
|
|
password: ""
|
|
## Database name
|
|
##
|
|
database: bitnami_keycloak
|