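---
# Argo CD Application deploying the Bitnami Keycloak chart into the `keycloak` namespace.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: keycloak
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "50"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  ignoreDifferences:
    # Ignore drift in Ingress path entries (presumably rewritten after admission)
    # so the application does not stay permanently OutOfSync.
    - group: networking.k8s.io
      kind: Ingress
      jqPathExpressions:
        - .spec.rules[].http.paths[]
  project: hq
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    server: "https://kubernetes.default.svc"
    namespace: keycloak
  source:
    chart: keycloak
    repoURL: registry-1.docker.io/bitnamicharts
    # Quoted so no YAML tooling ever retypes the chart version.
    targetRevision: "21.1.3"
    helm:
      releaseName: keycloak
      values: |
        auth:
          adminUser: admin
          # Admin credentials come from a pre-existing Secret, not from values.
          existingSecret: keycloak-admin-password
          passwordSecretKey: password
        global:
          storageClass: hcloud-volumes
        replicaCount: 2
        pdb:
          create: true
          minAvailable: 1
        autoscaling:
          enabled: false
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 1Gi
        # Pods must be spread across nodes
        # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
        podAntiAffinityPreset: hard
        updateStrategy:
          type: RollingUpdate
          # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
          # rollingUpdate:
          #   maxUnavailable: 1
        service:
          type: ClusterIP
        ingress:
          enabled: true
          hostname: sso.mareshq.com
          servicePort: https
          ingressClassName: nginx
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-dns-production
            cert-manager.io/issue-temporary-certificate: "true"
            # Allow self-signed certificates on the backend
            # NOTE(review): this leaves the ingress -> Keycloak TLS hop encrypted but
            # unauthenticated. With tls.autoGenerated the chart issues its own cert, so
            # there is no stable CA to pin; if one is provisioned, prefer
            # nginx.ingress.kubernetes.io/proxy-ssl-secret with proxy-ssl-verify "on".
            # Snippet annotations also need allow-snippet-annotations enabled on the
            # controller (off by default in recent ingress-nginx releases) — confirm.
            # The same applies to the adminIngress snippet below.
            nginx.ingress.kubernetes.io/server-snippet: |
              proxy_ssl_verify off;
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            nginx.ingress.kubernetes.io/proxy-buffering: "on"
            nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
            nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
        # NOTE(review): this publishes the Keycloak admin console on a public hostname.
        # Consider restricting reachability (e.g. nginx.ingress.kubernetes.io/whitelist-source-range
        # or an internal-only ingress class) instead of relying on the admin password alone.
        adminIngress:
          enabled: true
          ingressClassName: nginx
          pathType: Prefix
          hostname: keycloak.cthulhu.k8s.vxm.cz
          servicePort: https
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-dns-production
            cert-manager.io/issue-temporary-certificate: "true"
            # Allow self-signed certificates on the backend
            nginx.ingress.kubernetes.io/server-snippet: |
              proxy_ssl_verify off;
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        # Keycloak terminates TLS itself on a chart-generated certificate.
        tls:
          enabled: true
          autoGenerated: true
        production: true
        # metrics:
        #   enabled: true
        #   serviceMonitor:
        #     enabled: false
        # Database is external; connection details come from an existing Secret.
        postgresql:
          enabled: false
        externalDatabase:
          existingSecret: keycloak-database-credentials
          existingSecretHostKey: host
          existingSecretPortKey: port
          existingSecretDatabaseKey: database
          existingSecretUserKey: username
          existingSecretPasswordKey: password
        startupProbe:
          # Keycloak is expected to be ready to serve requests within about 15 minutes;
          # the actual budget is 180s delay + 80 failures x 10s = 980s (~16 min)
          # before the pod is restarted.
          enabled: true
          initialDelaySeconds: 180  # 3min
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 80  # 80 x 10s = 800s, ~13min of failed probes
          successThreshold: 1
        containerSecurityContext:
          readOnlyRootFilesystem: true
        # Custom theme installation and configuration
        # NOTE(review): the theme archive is downloaded on every pod start with no
        # integrity check, using the unpinned busybox:latest image. Pin the image by
        # digest and verify a known checksum (sha256sum -c) before extracting.
        # BusyBox wget may not validate TLS certificates depending on the build — confirm.
        # The archive is extracted into .../themes, but only .../themes/keywind is the
        # shared emptyDir, so this assumes the tarball's top-level entry is keywind/.
        initContainers:
          - name: theme-installer
            image: busybox:latest
            command:
              - /bin/sh
              - "-c"
              - |
                wget https://vojtechmares.github.io/cdn/keywind.tar.gz -O /tmp/keywind.tar.gz
                tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
            volumeMounts:
              - mountPath: /opt/bitnami/keycloak/themes/keywind
                name: theme
        # Writable theme directory shared between the init container and Keycloak
        # (required because the root filesystem is read-only).
        extraVolumes:
          - name: theme
            emptyDir: {}
        extraVolumeMounts:
          - name: theme
            mountPath: /opt/bitnami/keycloak/themes/keywind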