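---
# Argo CD Application that deploys Keycloak (Bitnami chart) as the SSO provider.
# Sync wave 10 so it lands after the infrastructure it depends on (storage,
# cert-manager, the external database secret) — those are not defined here.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: lychee-keycloak
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "10"
spec:
  project: infrastructure
  syncPolicy:
    automated:
      # prune + selfHeal: anything not in this manifest is deleted/reverted.
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    server: "https://172.16.152.1:6443"
    namespace: mareshq-keycloak
  source:
    chart: keycloak
    repoURL: https://charts.bitnami.com/bitnami
    # Quoted so a future "x.y"-style revision is not parsed as a float.
    targetRevision: "16.1.1"
    helm:
      releaseName: keycloak
      values: |
        auth:
          adminUser: mareshqadmin
          # Admin password is read from a pre-existing Secret, never inlined here.
          existingSecret: keycloak-admin-password
          passwordSecretKey: password
        global:
          storageClass: hcloud-volumes
        replicaCount: 2
        pdb:
          create: true
          minAvailable: 1
        autoscaling:
          enabled: false
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 1Gi
        # Pods must be spread across nodes
        # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
        podAntiAffinityPreset: hard
        updateStrategy:
          type: RollingUpdate
          # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
          # rollingUpdate:
          #   maxUnavailable: 1
        service:
          type: ClusterIP
          # http:
          #   enable: false
        ingress:
          enabled: true
          hostname: sso.mareshq.com
          servicePort: https
          ingressClassName: nginx
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod
            # The backend serves the chart's auto-generated, self-signed
            # certificate (tls.autoGenerated below), so the ingress -> pod TLS hop
            # is encrypted but NOT authenticated. ingress-nginx does not verify
            # upstream certificates unless proxy-ssl-secret / proxy-ssl-verify
            # are set, so the previous
            #   server-snippet: proxy_ssl_verify off;
            # was redundant and has been dropped: snippet annotations need
            # allow-snippet-annotations on the controller, which is disabled by
            # default on recent versions because a snippet can read arbitrary
            # cluster secrets (CVE-2021-25742). To authenticate the hop, put the
            # backend CA in a Secret and set
            #   nginx.ingress.kubernetes.io/proxy-ssl-secret: <ns>/<secret>
            #   nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
            # (confirm the exact annotation semantics for your controller version).
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            nginx.ingress.kubernetes.io/proxy-buffering: "on"
            nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
            nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
        tls:
          enabled: true
          autoGenerated: true
        production: true
        metrics:
          enabled: true
          serviceMonitor:
            enabled: false
        postgresql:
          enabled: false
        externalDatabase:
          # Connection details come from a pre-existing Secret (one key each).
          existingSecret: keycloak-database
          existingSecretHostKey: host
          existingSecretPortKey: port
          existingSecretDatabaseKey: database
          existingSecretUserKey: username
          existingSecretPasswordKey: password
        startupProbe:
          # Keycloak must answer within ~16 minutes: 180s initial delay plus
          # 80 failures x 10s period (~13 min) before the pod is restarted.
          enabled: true
          initialDelaySeconds: 180 # 3min
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 80 # 80 x 10s = 800s, ~13min
          successThreshold: 1
        # Custom theme installation and configuration.
        # SECURITY NOTE: Keycloak themes contain FreeMarker templates, i.e. code
        # that runs inside the Keycloak JVM. Whoever can replace the archive on
        # the CDN (or MITM the download) gets code execution in the SSO server,
        # so the archive must be pinned, not just fetched over HTTPS.
        initContainers:
          - name: theme-installer
            # Pinned minor tag instead of :latest so the init container is
            # reproducible. TODO(review): pin by digest (busybox@sha256:...)
            # once the image has been vetted.
            image: busybox:1.36
            command:
              - /bin/sh
              - "-c"
              - |
                set -eu
                wget -O /tmp/keywind.tar.gz https://cdn.mareshq.com/keywind.tar.gz
                # TODO(review): verify the archive before extracting. busybox
                # wget does not validate the TLS certificate on many builds, so
                # HTTPS alone does not authenticate the download. Add the known
                # digest here once published:
                #   echo "<sha256>  /tmp/keywind.tar.gz" | sha256sum -c -
                # Alternatively bake the theme into a pinned image and copy it.
                # Extraction target is the themes/ parent: the archive is assumed
                # to contain a top-level keywind/ directory so files land in the
                # mounted volume below (anything else is lost with this container).
                tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
            volumeMounts:
              - mountPath: /opt/bitnami/keycloak/themes/keywind
                name: theme
        extraVolumes:
          - name: theme
            emptyDir: {}
        extraVolumeMounts:
          - name: theme
            mountPath: /opt/bitnami/keycloak/themes/keywind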