-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
341 lines (293 loc) · 12.4 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
## @section Common parameters
## @param imagePullSecrets Image pull secrets (e.g. when using an image from a private repository)
imagePullSecrets: []
## @param nameOverride Override the name
nameOverride: ""
## @param fullnameOverride Override the fully qualified domain
fullnameOverride: ""
## @section Keycloak parameters
image:
## @param image.repository The image repository for the Keycloak container
repository: quay.io/keycloak/keycloak
## @param image.pullPolicy Pull policy of the image used for Keycloak
pullPolicy: IfNotPresent
## @param image.tag Overrides the image tag whose default is the chart appVersion.
tag: "22.0.1"
## @param image.digest Overrides the image tag with a specific digest
digest: ""
http:
## @param http.relativePath For compatibility reason this could be set to "/auth"
relativePath: ""
proxy:
## @param proxy.enabled Enable proxy address forwarding if Keycloak is behind a reverse proxy
enabled: false
## @param proxy.mode Specify the proxy mode. Can be "none", "edge", "reencrypt" or "passthrough"
mode: ""
metrics:
## @param metrics.enabled Enable Keycloak's metrics endpoint
enabled: true
health:
## @param health.enabled Enable Keycloak's helath endpoint. This also enables startup, readiness and liveness probes.
enabled: true
## @param command Override the default entrypoint of the Keycloak container
command: []
# - "command"
## @param args Override the default args for the Keycloak container
args: []
# - "argument"
## @param extraEnv Extra environment variables for Keycloak
extraEnv: ""
# - name: KEYCLOAK_ADMIN
# value: admin
# - name: KEYCLOAK_ADMIN_PASSWORD
# value: admin
## @param extraEnvFrom Get extra environment variables for Keycloak from ConfigMap or Secret
extraEnvFrom: ""
## @section Keycloak deployment parameters
## @param replicaCount Number of replicas in the StatefulSet
replicaCount: 1
## @param updateStrategy Update strategy of the StatefulSet
updateStrategy: RollingUpdate
## @param restartPolicy Restart policy of the StatefulSet
restartPolicy: Always
## @param podManagementPolicy Control how pods are created during initial scale up, replacement or when scaling down. Either "OrderedReady" or "Parallel".
podManagementPolicy: OrderedReady
## @param livenessProbe [string] Liveness probe configuration
livenessProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live'
port: http
initialDelaySeconds: 0
timeoutSeconds: 5
## @param readinessProbe [string] Readiness probe configuration
readinessProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready'
port: http
initialDelaySeconds: 10
timeoutSeconds: 1
## @param startupProbe [string] Startup probe configuration
startupProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health'
port: http
initialDelaySeconds: 15
timeoutSeconds: 1
failureThreshold: 60
periodSeconds: 5
statefulSet:
## @param statefulSet.annotations Annotations to add to the StatefulSet
annotations: {}
## @param statefulSet.labels Labels to add to the StatefulSet
labels: {}
## @param podAnnotations Annotations to add to the Pod
podAnnotations: {}
## @param podLabels Labels to add to the Pod
podLabels: {}
## @param podSecurityContext [object] Pod wide SecurityContext. Defines security options the container shold be run with.
podSecurityContext:
fsGroup: 1000
## @param securityContext [object] Security context for the main container.
securityContext:
runAsUser: 1000
runAsNonRoot: true
## @param nodeSelector Specify the node for the pod to be scheduled on.
nodeSelector: {}
## @param affinity Affinity for pod assignment
affinity: {}
## @param tolerations Tolerations for pod assignment
tolerations: []
## @param priorityClassName If specified, indicates the pod's priority.
priorityClassName: ""
## @param terminationGracePeriodSeconds Termination grace period in seconds for Keycloak shutdown. In clusters with a large cache Infinispan might need time to rebalance
terminationGracePeriodSeconds: 60
## @param hostAliases Mapped IPs and hostnames that will be injected into Pod's hosts files
hostAliases: []
# - ip: "10.20.30.40"
# hostname:
# - "abc.domain.com"
## @param extraPorts Extra ports for the pod
extraPorts: []
## @param topologySpreadConstraints Describe how a group of pods can spread across topology domains.
topologySpreadConstraints: []
## @param enableServiceLinks Indicate whether information about serfices should be injected into pod's environment variables
enableServiceLinks: true
## @param extraVolumes Extra volumes, e.g. for additional themes
extraVolumes: ""
## @param extraVolumeMounts Extra volume mounts, e.g. for additional themes
extraVolumeMounts: ""
## @param resources The source limits for Keycloak
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param podDisruptionBudget Pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 1
# unhealthyPodEvictionPolicy: ""
## @param podDisruptionBudgetAnnotations Annotations for the pod disruption budget
podDisruptionBudgetAnnotations: {}
## @param podDisruptionBudgetLabels Labels for the pod disruption budget
podDisruptionBudgetLabels: {}
serviceAccount:
## @param serviceAccount.create Specifies whether a service account should be created
create: true
## @param serviceAccount.annotations Annotations to add to the service account
annotations: {}
## @param serviceAccount.labels Labels to add to the service account
labels: {}
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
## @param serviceAccount.automountServiceAccountToken Automount API token for the service account
automountServiceAccountToken: true
rbac:
## @param serviceAccount.rbac.enable Enable the creation of ClusterRole and ClusterRoleBinding for the service account to be able to get and list pods
enable: true
## @param serviceAccount.rbac.rules [array] The rules for the ClusterRole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
autoscaling:
## @param autoscaling.enabled Enable autoscaling for Keycloak
enabled: false
## @param autoscaling.minReplicas Minimum number of replicas to scale back
minReplicas: 1
## @param autoscaling.maxReplicas Maximum number of replicas to scale up
maxReplicas: 100
## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage
targetCPUUtilizationPercentage: 80
## @param autoscaling.targetMemoryUtilizationPercentage Target Memory utilization percentage
targetMemoryUtilizationPercentage:
## @param autoscaling.labels Labels for the HPA
labels: {}
## @param postInstallJobs Define a list of jobs to be executed after the installation
postInstallJobs: []
#- name: job-name
# restartPolicy: Never
# hookWeight: 5
# containers:
# - name: realm-creator-container
# imagePullSecrets: []
# image:
# ## @param image.repository The image repository for the realm creator
# repository: "repo/image"
# ## @param image.pullPolicy Pull policy of the image used for the realm creator
# pullPolicy: "IfNotPresent"
# ## @param image.tag Set the image tag or latest is used
# tag: "0.1.0"
# ## @param image.digest Overrides the image tag with a specific digest
# digest: ""
# command: []
# env:
# - name: KEYCLOAK_AUTH_URL
# value: http://keycloak-headless:8080
## @section Database parameters
database:
existingSecret:
## @param database.existingSecret.name Use an existing secret for database password. This takes precedence over password.
name: ""
## @param database.existingSecret.key The key for the existing secret
key: ""
## @param database.vendor Can be dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres
vendor: ""
## @param database.hostname Hostname of the database
hostname: ""
## @param database.port Port of the database
port: ""
## @param database.database The name of the database
database: ""
## @param database.username Username of the database
username: ""
## @param database.password Password of the database. Ignored if existing secret is set
password: ""
## @section Keycloak exposure parameters
service:
## @param service.annotations Annotations to add to the http service
annotations: {}
headless:
## @param service.headless.annotations Annotations to add to the headless serivce
annotations: {}
## @param service.labels Labels to add to the http and the headless services
labels: {}
## @param service.type Specify the type of the service
type: ClusterIP
## @param service.loadBalancerIP Optional IP for service of type loadbalancer
loadBalancerIP: ""
## @param service.httpPort The http Port of the service
httpPort: 80
## @param service.httpsPort The https Port of the service
httpsPort: 443
## @param service.httpNodePort The http Port of the service if its type is NodePort
httpNodePort: null
## @param service.httpsNodePort The https Port of the service if its type is NodePort
httpsNodePort: null
## @param service.extraPorts Specify extra ports for the service
extraPorts: []
## @param service.loadBalancerSourceRanges Restrict source ranges allowed to connect to the loadbalancer if service is of type loadbalancer
loadBalancerSourceRanges: []
## @param service.externalTrafficPolicy If set to "Local", the proxy assumes that external load balancers will take care of balancing the service traffic between nodes and won't masquerade the client source IP. If set to "Cluster" the standard behavior of routing will be used.
externalTrafficPolicy: "Cluster"
## @param service.sessionAffinity Session Affinity
sessionAffinity: ""
## @param service.sessionAffinityConfig Session Affinity Config
sessionAffinityConfig: {}
ingress:
## @param ingress.enabled Enable ingress
enabled: false
## @param ingress.className Set the ingerssClassName on the ingress record
className: ""
## @param ingress.annotations Annotations for the ingress
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## @param ingress.rules [array] List of arbitrary paths to the host
rules:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
## @param ingress.tls List of TLS secrets
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## @section Realm creator parameters
## @descriptionStart
## This Helm chart provides the possibility to create a realm after Keycloak was deployed. This is done using [keycloak-config-cli](https://github.com/adorsys/keycloak-config-cli). All options from realmCreator.options are passed to this cli.
## @descriptionEnd
realmCreator:
## @param realmCreator.realms Specify how the realms should be created. It contains a dictionary mapping a string for enumeration and the string specifying how the realm should be created. See [keycloak-config-cli](https://github.com/adorsys/keycloak-config-cli) for more information
realms: {}
# realms:
# realm1: |-
# id: users
# realm: users
# realms2: |-
# id: another-realm
# realm: another-realm
image:
## @param realmCreator.image.repository The image for the realm creator
repository: adorsys/keycloak-config-cli
## @param realmCreator.image.pullPolicy Pull policy of the image used for the realm creator
pullPolicy: IfNotPresent
## @param realmCreator.image.tag The tag of the image for the realm creator
tag: 5.8.0-22.0.0
## @param realmCreator.image.digest Overrides the image tag with a specific digest
digest: ""
## @param realmCreator.username Specify the username to be used for the Keycloak API
username: admin
## @param realmCreator.password Password for the Keycloak user
password: ""
## @param realmCreator.existingSecret Use an existing secret for Keycloak admin password. This takes precedence over password.
existingSecret: ""
## @param realmCreator.existingSecretKey
existingSecretKey: ""