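apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  # Templated values are quoted so the file stays parseable YAML before
  # rendering and an empty expansion yields "" rather than null.
  namespace: "{{ .Env.KEYCLOAK_NAMESPACE }}"
spec:
  instances: 1
  # Mutable tag; for a reproducible, attestable deployment pin the digest as
  # well, e.g. quay.io/keycloak/keycloak:26.4@sha256:<DIGEST> (placeholder).
  image: quay.io/keycloak/keycloak:26.4
  startOptimized: false

  # Database configuration for external PostgreSQL
  # Credentials are referenced from a Secret, never inlined.
  db:
    vendor: postgres
    host: postgres-cluster-rw.postgres
    port: 5432
    database: keycloak
    usernameSecret:
      name: database-config
      key: user
    passwordSecret:
      name: database-config
      key: password

  # Hostname configuration
  hostname:
    hostname: "{{ .Env.KEYCLOAK_HOST }}"
    # NOTE(review): strict: false lets the hostname be resolved from request
    # headers; with an explicit hostname set, strict: true is the hardened
    # setting — confirm nothing relies on dynamic resolution before changing.
    strict: false
    # NOTE(review): may be ignored by the hostname v2 feature in Keycloak 26 —
    # verify against the operator CRD for this version.
    strictBackchannel: false

  # HTTP configuration
  # Plain HTTP on 8080 is intentional: TLS terminates at the edge proxy.
  # 8080 should only be reachable from the proxy (e.g. via a NetworkPolicy).
  http:
    httpEnabled: true
    httpPort: 8080
    httpsPort: 8443

  # Proxy configuration for edge proxy
  # Keycloak will trust X-Forwarded-* headers, so they must be set by the
  # proxy and not passable through from clients.
  proxy:
    headers: xforwarded

  # http-enabled and hostname-strict are configured via http.httpEnabled and hostname.strict
  additionalOptions:
    - name: metrics-enabled
      value: "true"

  # Keycloak takes ~20 seconds to start, so we configure probes accordingly
  # Note: Keycloak Operator v2alpha1 only supports periodSeconds and failureThreshold
  startupProbe:
    periodSeconds: 10
    failureThreshold: 20

  livenessProbe:
    periodSeconds: 10
    failureThreshold: 3

  readinessProbe:
    periodSeconds: 5
    failureThreshold: 3

  # Bootstrap admin configuration
  bootstrapAdmin:
    user:
      secret: keycloak-bootstrap-admin

  # Resources
  # Increased memory limit to 3Gi for Keycloak 26.4 build process
  resources:
    requests:
      memory: "2Gi"
      cpu: "500m"
    limits:
      memory: "3Gi"
      cpu: "1000m"

  # Hardened pod/container security context (non-root, default seccomp,
  # no capabilities, no privilege escalation).
  unsupported:
    podTemplate:
      spec:
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          seccompProfile:
            type: RuntimeDefault
        containers:
          - name: keycloak
            securityContext:
              allowPrivilegeEscalation: false
              # NOTE(review): left writable — presumably Keycloak needs to
              # write to its data/tmp directories at start; confirm and, if
              # possible, switch to true with emptyDir mounts for those paths.
              readOnlyRootFilesystem: false
              runAsNonRoot: true
              runAsUser: 1000
              runAsGroup: 1000
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                drop:
                  - ALL

  # The operator-managed Ingress is disabled; a custom one follows below.
  ingress:
    enabled: false
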
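---
# Separate Ingress resource for custom configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  # Templated values are quoted so the file stays parseable YAML before
  # rendering and an empty expansion yields "" rather than null.
  namespace: "{{ .Env.KEYCLOAK_NAMESPACE }}"
  annotations:
    # Deprecated in favour of spec.ingressClassName (set below); harmless
    # duplicate kept for older controllers.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  # TLS terminates here; the hop to the service is plain HTTP on 8080.
  tls:
    - hosts:
        - "{{ .Env.KEYCLOAK_HOST }}"
      secretName: keycloak-tls
  rules:
    - host: "{{ .Env.KEYCLOAK_HOST }}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8080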