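---
# Argo CD Application deploying Keycloak from the Bitnami chart into the
# `keycloak` namespace. Secrets (admin password, database credentials) are
# referenced by name and never stored in this file.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: keycloak
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "50"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  ignoreDifferences:
    - group: networking.k8s.io
      kind: Ingress
      jqPathExpressions:
        - .spec.rules[].http.paths[]
  project: hq
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    server: "https://kubernetes.default.svc"
    namespace: keycloak
  source:
    chart: keycloak
    repoURL: registry-1.docker.io/bitnamicharts
    # Quoted so the chart version is always read as a string
    targetRevision: "21.1.3"
    helm:
      releaseName: keycloak
      values: |
        auth:
          adminUser: admin
          # Admin password comes from a pre-existing Secret in the target namespace
          existingSecret: keycloak-admin-password
          passwordSecretKey: password

        global:
          storageClass: hcloud-volumes

        replicaCount: 2

        pdb:
          create: true
          minAvailable: 1

        autoscaling:
          enabled: false

        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 1Gi

        # Pods must be spread across nodes
        # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
        podAntiAffinityPreset: hard

        updateStrategy:
          type: RollingUpdate
          # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
          # rollingUpdate:
          #   maxUnavailable: 1

        service:
          type: ClusterIP

        ingress:
          enabled: true
          hostname: sso.mareshq.com
          servicePort: https

          ingressClassName: nginx

          tls: true

          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-dns-production
            cert-manager.io/issue-temporary-certificate: "true"
            # The backend presents the chart's auto-generated self-signed certificate
            # (see `tls.autoGenerated` below), so upstream verification is disabled with
            # the dedicated annotation rather than a server-snippet: snippet annotations
            # are off by default on current ingress-nginx releases and, when enabled
            # cluster-wide, let any Ingress author inject raw nginx configuration.
            nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            nginx.ingress.kubernetes.io/proxy-buffering: "on"
            nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
            nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"

        # The admin console is published on its own hostname. It is the most
        # sensitive surface of this deployment, so keep its reachability as narrow
        # as the environment allows, e.g. a source-range allowlist:
        #   nginx.ingress.kubernetes.io/whitelist-source-range: "<ADMIN_CIDR>"
        adminIngress:
          enabled: true
          ingressClassName: nginx
          pathType: Prefix
          hostname: keycloak.cthulhu.k8s.vxm.cz
          servicePort: https
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-dns-production
            cert-manager.io/issue-temporary-certificate: "true"
            # Same self-signed backend as the public ingress; see the note there
            nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

        tls:
          enabled: true
          autoGenerated: true

        production: true

        # metrics:
        #   enabled: true

        #   serviceMonitor:
        #     enabled: false

        postgresql:
          enabled: false

        externalDatabase:
          existingSecret: keycloak-database-credentials
          existingSecretHostKey: host
          existingSecretPortKey: port
          existingSecretDatabaseKey: database
          existingSecretUserKey: username
          existingSecretPasswordKey: password

        startupProbe:
          # Keycloak gets roughly 16 minutes to come up before the pod is restarted:
          # 3 min initial delay plus 80 probes x 10 s.
          enabled: true
          initialDelaySeconds: 180 # 3min
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 80 # 80 x 10s = ~13min
          successThreshold: 1

        containerSecurityContext:
          readOnlyRootFilesystem: true

        # Custom theme installation and configuration
        initContainers:
          - name: theme-installer
            # A pinned tag instead of `latest`, so the image cannot change underneath
            # the deployment; pin by digest (busybox@sha256:<DIGEST>) for full immutability.
            image: busybox:1.36
            command:
              - /bin/sh
              - "-c"
              - |
                set -eu
                wget https://vojtechmares.github.io/cdn/keywind.tar.gz -O /tmp/keywind.tar.gz
                # The tarball comes from a host outside this repository's control and
                # busybox wget may not validate the server certificate, so check the
                # artifact against a known digest before unpacking it into the themes
                # directory. TODO: replace the placeholder with the released tarball's sha256.
                echo "<KEYWIND_TARBALL_SHA256>  /tmp/keywind.tar.gz" | sha256sum -c -
                tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes

            volumeMounts:
              - mountPath: /opt/bitnami/keycloak/themes/keywind
                name: theme

        extraVolumes:
          - name: theme
            emptyDir: {}

        extraVolumeMounts:
          - name: theme
            mountPath: /opt/bitnami/keycloak/themes/keywind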