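---
# Source: keycloak/templates/serviceaccount.yaml
# ServiceAccount that the keycloak StatefulSet runs under (serviceAccountName: keycloak-sso).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-sso
  labels:
    helm.sh/chart: keycloak-14.0.1
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/version: "14.0.0"
    app.kubernetes.io/managed-by: Helm
# Rendered as an empty list by the chart: no private-registry pull secrets.
# NOTE(review): nothing in this manifest shows the pod calling the Kubernetes API;
# consider `automountServiceAccountToken: false` here so a compromised pod does
# not receive an API token it does not need.
imagePullSecrets: []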
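---
# Source: keycloak/charts/postgresql/templates/secrets.yaml
# Database credentials consumed via secretKeyRef by both StatefulSets
# (keys: postgresql-postgres-password, postgresql-password).
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-sso-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.3.13
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/managed-by: Helm
  namespace: default
type: Opaque
# Values under `data` are base64-encoded, not encrypted: anyone who can read this
# rendered manifest can recover both passwords. Treat credentials that appear in
# committed or shared output as disclosed, and reference a Secret created
# out-of-band (or a secret store) instead of rendering them into the chart output.
data:
  postgresql-postgres-password: "ekFNRTRCSG5KQg=="
  postgresql-password: "a2V5Y2xvYWs="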
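---
# Source: keycloak/templates/configmap-startup.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-sso-startup
  labels:
    helm.sh/chart: keycloak-14.0.1
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/version: "14.0.0"
    app.kubernetes.io/managed-by: Helm
data:
  # jboss-cli batch mounted read-only by the keycloak StatefulSet at
  # /opt/jboss/startup-scripts/keycloak.cli. It edits standalone-ha.xml through an
  # embedded server, so the change lands in the server config rather than at runtime.
  # The `##` lines are part of the script, not YAML comments.
  keycloak.cli: |
    embed-server --server-config=standalone-ha.xml --std-out=echo
    batch
    echo Configuring node identifier
    ## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
    ## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
    /subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})
    echo Finished configuring node identifier
    run-batch
    stop-embedded-server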
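---
# Source: keycloak/charts/postgresql/templates/svc-headless.yaml
# Headless Service backing the postgresql StatefulSet (spec.serviceName).
apiVersion: v1
kind: Service
metadata:
  name: keycloak-sso-postgresql-headless
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.3.13
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/managed-by: Helm
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    # NOTE(review): the chart output placed this key under `labels` (there was no
    # `annotations:` key), where it is inert; moved under `annotations` to match
    # the intent stated above. publishNotReadyAddresses is what actually takes effect.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  namespace: default
spec:
  type: ClusterIP
  clusterIP: None
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other Postgresql pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: keycloak-sso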
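---
# Source: keycloak/charts/postgresql/templates/svc.yaml
# ClusterIP Service that the keycloak container reaches as DB_ADDR=keycloak-sso-postgresql.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-sso-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.3.13
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/managed-by: Helm
  # Rendered empty by the chart; written as an explicit empty mapping instead of a
  # bare `annotations:` (which parses as null).
  annotations: {}
  namespace: default
spec:
  type: ClusterIP
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  # `role: primary` restricts this Service to the primary pod only.
  # NOTE(review): any pod in the cluster can reach 5432 through this Service;
  # a NetworkPolicy admitting only the keycloak pods would narrow that.
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: keycloak-sso
    role: primary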
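---
# Source: keycloak/templates/service-headless.yaml
# Headless Service backing the keycloak StatefulSet (spec.serviceName).
apiVersion: v1
kind: Service
metadata:
  name: keycloak-sso-headless
  labels:
    helm.sh/chart: keycloak-14.0.1
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/version: "14.0.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: headless
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso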
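---
# Source: keycloak/templates/service-http.yaml
# Client-facing ClusterIP Service for keycloak.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-sso-http
  labels:
    helm.sh/chart: keycloak-14.0.1
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/version: "14.0.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: http
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: https
      port: 8443
      targetPort: https
      protocol: TCP
    # NOTE(review): this publishes the container's 9990 management port to every
    # workload in the cluster alongside the user-facing ports. Unless something
    # needs it, drop this entry or restrict it with a NetworkPolicy.
    - name: http-management
      port: 9990
      targetPort: http-management
      protocol: TCP
  selector:
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso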
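---
# Source: keycloak/charts/postgresql/templates/statefulset.yaml
# Single-replica PostgreSQL primary used as the keycloak database.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak-sso-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.3.13
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
  # Rendered empty by the chart; explicit `{}` rather than a null-valued bare key.
  annotations: {}
  namespace: default
spec:
  serviceName: keycloak-sso-postgresql-headless
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: keycloak-sso
      role: primary
  template:
    metadata:
      name: keycloak-sso-postgresql
      labels:
        app.kubernetes.io/name: postgresql
        helm.sh/chart: postgresql-10.3.13
        app.kubernetes.io/instance: keycloak-sso
        app.kubernetes.io/managed-by: Helm
        role: primary
        app.kubernetes.io/component: primary
    spec:
      affinity:
        # podAffinity / nodeAffinity were rendered as bare keys (null); made explicit.
        podAffinity: {}
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: postgresql
                    app.kubernetes.io/instance: keycloak-sso
                    app.kubernetes.io/component: primary
                namespaces:
                  - "default"
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity: {}
      securityContext:
        fsGroup: 1001
      containers:
        - name: keycloak-sso-postgresql
          image: docker.io/bitnami/postgresql:11.11.0-debian-10-r31
          imagePullPolicy: "IfNotPresent"
          # Requests only; no limits, so the pod is BestEffort-capped by the node.
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
          # NOTE(review): unlike the pgchecker init container in the keycloak
          # StatefulSet, this context sets neither `runAsNonRoot: true` nor
          # `allowPrivilegeEscalation: false`; adding both would make the two
          # workloads consistent without changing the UID the process runs as.
          securityContext:
            runAsUser: 1001
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: POSTGRESQL_PORT_NUMBER
              value: "5432"
            - name: POSTGRESQL_VOLUME_DIR
              value: "/bitnami/postgresql"
            - name: PGDATA
              value: "/bitnami/postgresql/data"
            - name: POSTGRES_POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-sso-postgresql
                  key: postgresql-postgres-password
            - name: POSTGRES_USER
              value: "keycloak"
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-sso-postgresql
                  key: postgresql-password
            - name: POSTGRES_DB
              value: "keycloak"
            - name: POSTGRESQL_ENABLE_LDAP
              value: "no"
            # TLS is off: the keycloak -> postgres connection crosses the pod network
            # in clear text. Acceptable only if the CNI encrypts or the cluster is trusted.
            - name: POSTGRESQL_ENABLE_TLS
              value: "no"
            # Connection/disconnection logging is disabled, so the database leaves no
            # audit trail of client sessions; pgaudit is loaded but catalog logging is off.
            - name: POSTGRESQL_LOG_HOSTNAME
              value: "false"
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: "false"
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: "false"
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: "off"
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: "error"
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: "pgaudit"
          ports:
            - name: tcp-postgresql
              containerPort: 5432
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                # NOTE(review): `exec` replaces the shell, so the `.initialized` check on
                # the second line never runs; readiness is effectively pg_isready only.
                - |
                  exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432
                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          volumeMounts:
            - name: dshm
              mountPath: /dev/shm
            - name: data
              mountPath: /bitnami/postgresql
              # Rendered empty by the chart; "" is the API default (mount the volume root).
              subPath: ""
      volumes:
        - name: dshm
          emptyDir:
            medium: Memory
            sizeLimit: 1Gi
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"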
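---
# Source: keycloak/templates/statefulset.yaml
# Keycloak 14 server; waits for PostgreSQL via an init container, then starts
# with the startup CLI script from the keycloak-sso-startup ConfigMap.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak-sso
  labels:
    helm.sh/chart: keycloak-14.0.1
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak-sso
    app.kubernetes.io/version: "14.0.0"
    app.kubernetes.io/managed-by: Helm
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/instance: keycloak-sso
  replicas: 1
  serviceName: keycloak-sso-headless
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      # Chart-computed digests that force a rollout when the ConfigMap / secrets change.
      annotations:
        checksum/config-startup: 560e30a4fb4f087d446b0bb496e9ea8551e08ce18bc35d36ccecd56e33587d03
        checksum/secrets: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
      labels:
        app.kubernetes.io/name: keycloak
        app.kubernetes.io/instance: keycloak-sso
    spec:
      initContainers:
        # Blocks pod start until the database Service accepts TCP connections.
        - name: pgchecker
          image: "docker.io/busybox:1.32"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
          command:
            - sh
            - -c
            - |
              echo 'Waiting for PostgreSQL to become ready...'
              until printf "." && nc -z -w 2 keycloak-sso-postgresql 5432; do
                sleep 2;
              done;
              echo 'PostgreSQL OK ✓'
          resources:
            limits:
              cpu: 20m
              memory: 32Mi
            requests:
              cpu: 20m
              memory: 32Mi
      containers:
        - name: keycloak
          # NOTE(review): the pgchecker init container above also sets
          # `allowPrivilegeEscalation: false`; this container does not. Adding it
          # (and a `capabilities: drop: [ALL]`) is a no-op for a UID-1000 process
          # and closes the inconsistency.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
          image: "docker.io/jboss/keycloak:14.0.0"
          imagePullPolicy: IfNotPresent
          # Empty lists rendered by the chart: the image entrypoint is used unchanged.
          command: []
          args: []
          # NOTE(review): no KEYCLOAK_USER / admin bootstrap is visible in this
          # manifest; how the initial admin account is created is not shown here.
          env:
            - name: DB_VENDOR
              value: postgres
            - name: DB_ADDR
              value: keycloak-sso-postgresql
            - name: DB_PORT
              value: "5432"
            - name: DB_DATABASE
              value: "keycloak"
            - name: DB_USER
              value: "keycloak"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-sso-postgresql
                  key: postgresql-password
          # Rendered as a bare key (null) by the chart; made an explicit empty list.
          envFrom: []
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http-management
              containerPort: 9990
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /auth/
              port: http
            initialDelaySeconds: 0
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: http
            initialDelaySeconds: 30
            timeoutSeconds: 1
          # Up to 60 * 5s = 300s for the server to answer before the liveness probe takes over.
          startupProbe:
            httpGet:
              path: /auth/
              port: http
            initialDelaySeconds: 30
            timeoutSeconds: 1
            failureThreshold: 60
            periodSeconds: 5
          # No requests or limits: the JVM can consume the whole node and the pod
          # is first to be evicted under pressure. Set at least a memory limit.
          resources: {}
          volumeMounts:
            - name: startup
              mountPath: "/opt/jboss/startup-scripts/keycloak.cli"
              subPath: "keycloak.cli"
              readOnly: true
      serviceAccountName: keycloak-sso
      securityContext:
        fsGroup: 1000
      # Injects every Service in the namespace as environment variables into the pod.
      enableServiceLinks: true
      restartPolicy: Always
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: keycloak
                  app.kubernetes.io/instance: keycloak-sso
                matchExpressions:
                  - key: app.kubernetes.io/component
                    operator: NotIn
                    values:
                      - test
              topologyKey: kubernetes.io/hostname
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: keycloak
                    app.kubernetes.io/instance: keycloak-sso
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: NotIn
                      values:
                        - test
                # NOTE(review): this label is the deprecated beta form; newer clusters
                # label nodes with topology.kubernetes.io/zone, on which this
                # preference silently matches nothing.
                topologyKey: failure-domain.beta.kubernetes.io/zone
      terminationGracePeriodSeconds: 60
      volumes:
        - name: startup
          configMap:
            name: keycloak-sso-startup
            # Leading-zero literal is read as octal by the YAML 1.1 parser Kubernetes
            # uses (0555 -> r-xr-xr-x); keep it quoted-free but do not "normalise" it to 555.
            defaultMode: 0555
            items:
              - key: keycloak.cli
                path: keycloak.cli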