Keycloak.X - Open Source Identity and Access Management for Modern Applications and Services
- https://www.keycloak.org/
- https://github.com/codecentric/helm-charts
- https://github.com/keycloak/keycloak/tree/main/quarkus/container
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
- Find upstream chart's release notes and CHANGELOG here
- Find upstream keycloak project's release notes and CHANGELOG here
- Kubernetes Cluster deployed
- Kubernetes config installed in `~/.kube/config`
- Helm installed
  - Install Helm: https://helm.sh/docs/intro/install/
- Clone down the repository
- `cd` into the directory
- `helm install keycloak chart/`
| Key | Type | Default | Description |
|---|---|---|---|
| domain | string | `"dev.bigbang.mil"` | The base domain for all Big Bang components. Keycloak will be available at keycloak.%domain% |
| istio.enabled | bool | `false` | Enable or disable Istio |
| istio.hardened.enabled | bool | `false` | Enable or disable Istio's hardened mode |
| istio.hardened.customAuthorizationPolicies | list | `[]` | Custom authorization policies to be applied to the keycloak namespace |
| istio.hardened.outboundTrafficPolicyMode | string | `"REGISTRY_ONLY"` | Specify the Istio outbound traffic policy mode |
| istio.hardened.customServiceEntries | list | `[]` | Custom service entries to be applied to the keycloak namespace |
| istio.mtls.mode | string | `"STRICT"` | PERMISSIVE = Allow both plain text and mutual TLS traffic |
| istio.keycloak.enabled | bool | `false` | Enable or disable the Istio virtual service for Keycloak |
| istio.keycloak.annotations | object | `{}` | Additional annotations to be added to the Istio virtual service |
| istio.keycloak.labels | object | `{}` | Additional labels to be added to the Istio virtual service |
| istio.keycloak.gateways | list | `["istio-system/main"]` | Specify the Istio gateways to be used for Keycloak |
| istio.keycloak.hosts | list | `["keycloak.dev.bigbang.mil"]` | Specify the hostnames from which Keycloak will be accessible |
| networkPolicies.enabled | bool | `false` | Enable or disable the bundled network policies |
| networkPolicies.externalServices | object | `{}` | Configure external services that Keycloak needs to access |
| networkPolicies.ingressLabels | object | `{"app":"istio-ingressgateway","istio":"ingressgateway"}` | Configures labelSelectors for network policies allowing ingress from Istio gateways |
| networkPolicies.additionalPolicies | list | `[]` | Configures additional network policies beyond the ones bundled with the chart |
| bbtests.enabled | bool | `false` | Enables the Big Bang test hooks |
| bbtests.image | string | `"registry1.dso.mil/ironbank/big-bang/base:2.1.0"` | |
| bbtests.cypress.artifacts | bool | `true` | |
| bbtests.cypress.envs.cypress_url | string | `"http://keycloak-upstream-http.keycloak.svc.cluster.local"` | |
| bbtests.cypress.envs.cypress_username | string | `"admin"` | |
| bbtests.cypress.envs.cypress_password | string | `"password"` | |
| bbtests.cypress.envs.cypress_tnr_username | string | `"cypress"` | |
| bbtests.cypress.envs.cypress_tnr_password | string | `"tnr_w!G33ZyAt@C8"` | |
| bbtests.cypress.envs.tnr_username | string | `"cypress"` | |
| bbtests.cypress.envs.tnr_password | string | `"tnr_w!G33ZyAt@C8"` | |
| bbtests.cypress.envs.tnr_firstName | string | `"Cypress"` | |
| bbtests.cypress.envs.tnr_lastName | string | `"TNR"` | |
| bbtests.cypress.envs.tnr_email | string | `"[email protected]"` | |
| upstream.podAnnotations."proxy.istio.io/config" | string | `"proxyMetadata:\n ISTIO_META_DNS_CAPTURE: \"true\"\n"` | |
| upstream.replicas | int | `1` | |
| upstream.image.repository | string | `"registry1.dso.mil/ironbank/opensource/keycloak/keycloak"` | The Keycloak image repository |
| upstream.image.tag | string | `"26.1.4"` | |
| upstream.podSecurityContext | object | `{"fsGroup":2000,"runAsGroup":2000,"runAsNonRoot":true,"runAsUser":2000}` | SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this) |
| upstream.securityContext | object | `{"capabilities":{"drop":["ALL"]},"runAsGroup":2000,"runAsNonRoot":true,"runAsUser":2000}` | SecurityContext for the Keycloak container |
| upstream.args | list | `["start"]` | Overrides the default args for the Keycloak container. The arg `"start"` must be set for the container to start up properly |
| upstream.extraEnvFrom | string | `"- secretRef:\n name: '{{ include \"keycloak.fullname\" . }}-env'\n"` | Additional environment variables for Keycloak mapped from a Secret or ConfigMap |
| upstream.resources | object | `{"limits":{"memory":"1Gi"},"requests":{"cpu":"1","memory":"1Gi"}}` | Pod resource requests and limits |
| upstream.secrets | object | `{"env":{"stringData":{"JAVA_OPTS_APPEND":"-Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless","JAVA_TOOL_OPTIONS":"-Dcom.redhat.fips=false","KC_HOSTNAME":"keycloak.dev.bigbang.mil","KEYCLOAK_ADMIN":"admin","KEYCLOAK_ADMIN_PASSWORD":"password"}}}` | Configuration for secrets that should be created. The secrets can also be created independently of this Helm chart, for example with a GitOps tool like Flux with a Kustomize overlay. NOTE: Secret values can be templated |
| upstream.secrets.env | object | `{"stringData":{"JAVA_OPTS_APPEND":"-Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless","JAVA_TOOL_OPTIONS":"-Dcom.redhat.fips=false","KC_HOSTNAME":"keycloak.dev.bigbang.mil","KEYCLOAK_ADMIN":"admin","KEYCLOAK_ADMIN_PASSWORD":"password"}}` | Environment variables |
| upstream.secrets.env.stringData.JAVA_TOOL_OPTIONS | string | `"-Dcom.redhat.fips=false"` | https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index |
| upstream.secrets.env.stringData.KEYCLOAK_ADMIN | string | `"admin"` | Default admin credentials. Override them for production deployments |
| upstream.secrets.env.stringData.JAVA_OPTS_APPEND | string | `"-Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless"` | https://www.keycloak.org/server/caching |
| upstream.dbchecker.enabled | bool | `false` | If true, the dbchecker init container is enabled; this is incompatible with Big Bang and so is disabled by default |
| upstream.database | object | `{"database":"keycloak","existingSecret":"keycloak-postgresql","existingSecretKey":"password","hostname":"keycloak-postgresql","port":5432,"username":"keycloak","vendor":"postgres"}` | Configures the database connection; can be configured here and/or via environment variables with upstream.secrets.env |
| upstream.database.hostname | string | `"keycloak-postgresql"` | You will need to change the hostname to match the release name: %release-name%-postgresql |
| postgresql.enabled | bool | `true` | If true, the PostgreSQL dependency is enabled |
| postgresql.image.registry | string | `"registry1.dso.mil"` | |
| postgresql.image.repository | string | `"ironbank/bitnami/postgres"` | |
| postgresql.image.tag | string | `"17.4.0"` | |
| postgresql.global.security.allowInsecureImages | bool | `true` | Allow registry1.dso.mil in lieu of the default Bitnami registry |
| postgresql.global.postgresql.auth.username | string | `"keycloak"` | PostgreSQL user to create |
| postgresql.global.postgresql.auth.password | string | `"keycloak"` | PostgreSQL password for the new user |
| postgresql.global.postgresql.auth.database | string | `"keycloak"` | PostgreSQL database to create |
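As an added example (not the chart's own code), a pre-deployment lint in Python that resolves the dotted keys from the table above against a values override and flags the settings the descriptions call out: default admin and database credentials, a database hostname that does not match the release name, PERMISSIVE mTLS, and enabled test hooks. The sample overrides and the release name `sso` are constructed for illustration.

```python
# Added example (not part of the chart): a pre-deployment lint that walks a
# values override with the dotted key paths from the values table and flags
# settings the table documents as unsafe for production.
DEFAULT_ADMIN_PASSWORD = "password"  # chart default, from the table
DEFAULT_DB_PASSWORD = "keycloak"  # chart default, from the table

def lookup(values: dict, dotted: str, default=None):
    """Resolve a helm-docs style dotted key such as 'istio.mtls.mode'."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default  # key unset: the chart default applies
        node = node[part]
    return node

def lint_values(values: dict, release: str) -> list:
    """Return findings for a release; an empty list means the override is clean."""
    findings = []
    admin_key = "upstream.secrets.env.stringData.KEYCLOAK_ADMIN_PASSWORD"
    if lookup(values, admin_key, DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        findings.append("KEYCLOAK_ADMIN_PASSWORD is the chart default")
    if lookup(values, "postgresql.enabled", True):
        db_key = "postgresql.global.postgresql.auth.password"
        if lookup(values, db_key, DEFAULT_DB_PASSWORD) == DEFAULT_DB_PASSWORD:
            findings.append("postgresql auth.password is the chart default")
        # The table notes the hostname must be %release-name%-postgresql.
        host = lookup(values, "upstream.database.hostname", "keycloak-postgresql")
        if host != f"{release}-postgresql":
            findings.append(f"upstream.database.hostname {host!r} does not match release {release!r}")
    if lookup(values, "istio.enabled", False) and lookup(values, "istio.mtls.mode", "STRICT") != "STRICT":
        findings.append("istio.mtls.mode is not STRICT")
    if not lookup(values, "networkPolicies.enabled", False):
        findings.append("networkPolicies.enabled is false")
    if lookup(values, "bbtests.enabled", False):
        findings.append("bbtests.enabled ships test-hook credentials with the release")
    return findings

# Constructed sample overrides for a release named "sso" (not from the chart).
WEAK_VALUES = {"istio": {"enabled": True, "mtls": {"mode": "PERMISSIVE"}}}
HARDENED_VALUES = {
    "istio": {"enabled": True, "mtls": {"mode": "STRICT"}},
    "networkPolicies": {"enabled": True},
    "upstream": {"database": {"hostname": "sso-postgresql"},
                 "secrets": {"env": {"stringData": {"KEYCLOAK_ADMIN_PASSWORD": "<from-secret-store>"}}}},
    "postgresql": {"global": {"postgresql": {"auth": {"password": "<from-secret-store>"}}}},
}

if __name__ == "__main__":
    for name, vals in (("weak", WEAK_VALUES), ("hardened", HARDENED_VALUES)):
        print(name, lint_values(vals, release="sso") or ["clean"])
```

Keys that are absent from the override fall back to the defaults in the table, so running the lint against an empty override reports exactly the defaults that must change before a production install.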
Please see the contributing guide if you are interested in contributing.

This file is programmatically generated using helm-docs and some BigBang-specific templates. The gluon repository has instructions for regenerating package READMEs.