
@jxsl13
Last active August 9, 2022 12:51
Example helm chart values for bitnami/keycloak (Integration tests)
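# Values for the bitnami/keycloak Helm chart, intended for integration tests.
# Every credential in this file is a fixed, guessable placeholder; replace
# them (ideally with references to Kubernetes Secrets) before reusing these
# values for an instance that outlives a test run.
global:
  imageRegistry: docker.io
  imagePullSecrets: []

image:
  repository: bitnami/keycloak
  # Pinned to one specific image tag so test runs use the same Keycloak build.
  tag: 18.0.1-debian-11-r2

auth:
  adminUser: admin
  # Well-known admin password: only acceptable for a throwaway test instance.
  # Anyone who can reach the service can log in to the admin console with it.
  adminPassword: password

# No reverse-proxy mode is selected and no TLS settings appear in this file,
# so passwords and tokens presumably travel unencrypted inside the cluster.
# NOTE(review): confirm this before reusing the values outside of tests.
proxy: none

service:
  # ClusterIP keeps Keycloak reachable only from inside the cluster.
  type: ClusterIP

existingConfigmap: ""
extraStartupArgs: ""
initdbScripts: {}
initdbScriptsConfigMap: ""
extraEnvVarsCM: []
extraEnvVarsSecret: ""
extraEnvVars:
  - name: LOGGING_LEVEL_ROOT
    value: INFO
extraVolumeMounts: ""
extraVolumes: ""

resources:
  limits:
    memory: 1Gi
    cpu: 400m
  requests:
    memory: 256Mi
    cpu: 50m

# The bundled PostgreSQL sub-chart is switched off; Keycloak connects to the
# separately deployed database described under externalDatabase.
postgresql:
  enabled: false

externalDatabase:
  host: "postgres-postgresql"
  # Quoted so the port stays a string rather than being typed as an integer.
  port: "5432"
  user: "user"
  # Placeholder database password stored in plain text; it must match the
  # credentials of the PostgreSQL release this points at. Source it from a
  # Secret for anything other than tests.
  password: "password"
  database: "keycloak"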
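# keycloak-config-cli imports the realm defined under `configuration` into
# Keycloak, so the test realm, clients and users exist after installation.
keycloakConfigCli:
  enabled: true
  # Presumably passed to the Kubernetes Job that runs the import: one retry,
  # then the job is marked failed.
  backoffLimit: 1
  image:
    registry: docker.io
    pullPolicy: IfNotPresent
    pullSecrets: []
    repository: bitnami/keycloak-config-cli
    tag: 5.2.1-debian-11-r2
  # The jar shipped in the 5.2.1 image is named after the Keycloak version
  # (18.0.1), not the CLI version, so the command is overridden explicitly.
  # The file name was taken from the contents of this archive:
  # https://downloads.bitnami.com/files/stacksmith/keycloak-config-cli-5.2.1-0-linux-amd64-debian-11.tar.gz
  command:
    - java
    - -jar
    - /opt/bitnami/keycloak-config-cli/keycloak-config-cli-18.0.1.jar
  args: []
  extraEnvVars:
    # Upper bound on how long the CLI waits for Keycloak to become available.
    - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
      value: 300s
  extraEnvVarsCM: ""
  extraEnvVarsSecret: ""
  extraVolumes: []
  extraVolumeMounts: []
  # Do not try to overwrite existing realms such as the master realm; import
  # into a completely new realm instead. Background:
  # https://github.com/bitnami/charts/issues/10034#issuecomment-1119342683
  # More example import files:
  # https://github.com/adorsys/keycloak-config-cli/tree/main/src/test/resources/import-files
  #
  # Security notes on the realm below (test fixture, not a template):
  # - The `public` client has the standard flow disabled and direct access
  #   grants enabled, so users log in by handing their password to the
  #   client. Prefer the authorization code flow outside of tests.
  # - `svc-application` uses the hard-coded client secret "secret" and has
  #   `fullScopeAllowed: true`; use a generated secret and narrow the scope
  #   for real deployments.
  # - All three users share the password "password", stored here in plain
  #   text. Treat this values file as non-secret only because it is a fixture.
  # NOTE(review): the document uses trailing commas, which strict JSON parsers
  # reject; presumably keycloak-config-cli tolerates them - confirm if the
  # import fails.
  configuration:
    realm.json: |-
      {
        "enabled": true,
        "realm": "development",
        "roles":
          {
            "client":
              {
                "svc-application":
                  [
                    {
                      "name": "admin",
                      "description": "admin, allowed to use and manage the application",
                      "composite": false,
                      "clientRole": true,
                    },
                    {
                      "name": "user",
                      "description": "user, allowed to use the api",
                      "composite": false,
                      "clientRole": true,
                    },
                  ],
              },
          },
        "groups":
          [
            {
              "name": "svc-application-group",
              "path": "/svc-application-group",
              "subGroups":
                [
                  {
                    "name": "svc-application-user",
                    "path": "/svc-application-group/svc-application-user",
                    "clientRoles": { "svc-application": ["user"] },
                  },
                  {
                    "name": "svc-application-admin",
                    "path": "/svc-application-group/svc-application-admin",
                    "clientRoles": { "svc-application": ["admin"] },
                  },
                ],
            },
          ],
        "clients":
          [
            {
              "clientId": "public",
              "enabled": true,
              "standardFlowEnabled": false,
              "directAccessGrantsEnabled": true,
              "publicClient": true,
            },
            {
              "clientId": "svc-application",
              "secret": "secret",
              "surrogateAuthRequired": false,
              "enabled": true,
              "alwaysDisplayInConsole": false,
              "clientAuthenticatorType": "client-secret",
              "redirectUris": [],
              "webOrigins": [],
              "notBefore": 0,
              "bearerOnly": false,
              "consentRequired": false,
              "standardFlowEnabled": false,
              "implicitFlowEnabled": false,
              "directAccessGrantsEnabled": true,
              "serviceAccountsEnabled": true,
              "authorizationServicesEnabled": true,
              "publicClient": false,
              "frontchannelLogout": false,
              "protocol": "openid-connect",
              "attributes":
                {
                  "saml.force.post.binding": "false",
                  "saml.multivalued.roles": "false",
                  "frontchannel.logout.session.required": "false",
                  "oauth2.device.authorization.grant.enabled": "true",
                  "backchannel.logout.revoke.offline.tokens": "false",
                  "saml.server.signature.keyinfo.ext": "false",
                  "use.refresh.tokens": "true",
                  "oidc.ciba.grant.enabled": "false",
                  "backchannel.logout.session.required": "true",
                  "client_credentials.use_refresh_token": "false",
                  "require.pushed.authorization.requests": "false",
                  "saml.client.signature": "false",
                  "saml.allow.ecp.flow": "false",
                  "id.token.as.detached.signature": "false",
                  "saml.assertion.signature": "false",
                  "client.secret.creation.time": "1656682818",
                  "saml.encrypt": "false",
                  "saml.server.signature": "false",
                  "exclude.session.state.from.auth.response": "false",
                  "saml.artifact.binding": "false",
                  "saml_force_name_id_format": "false",
                  "acr.loa.map": "{}",
                  "tls.client.certificate.bound.access.tokens": "false",
                  "saml.authnstatement": "false",
                  "display.on.consent.screen": "false",
                  "token.response.type.bearer.lower-case": "false",
                  "saml.onetimeuse.condition": "false",
                },
              "authenticationFlowBindingOverrides": {},
              "fullScopeAllowed": true,
              "nodeReRegistrationTimeout": -1,
              "protocolMappers":
                [
                  {
                    "name": "Client ID",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
                    "consentRequired": false,
                    "config":
                      {
                        "user.session.note": "clientId",
                        "id.token.claim": "true",
                        "access.token.claim": "true",
                        "claim.name": "clientId",
                        "jsonType.label": "String",
                      },
                  },
                  {
                    "name": "Client Host",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
                    "consentRequired": false,
                    "config":
                      {
                        "user.session.note": "clientHost",
                        "id.token.claim": "true",
                        "access.token.claim": "true",
                        "claim.name": "clientHost",
                        "jsonType.label": "String",
                      },
                  },
                  {
                    "name": "Client IP Address",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-usersessionmodel-note-mapper",
                    "consentRequired": false,
                    "config":
                      {
                        "user.session.note": "clientAddress",
                        "id.token.claim": "true",
                        "access.token.claim": "true",
                        "claim.name": "clientAddress",
                        "jsonType.label": "String",
                      },
                  },
                ],
              "defaultClientScopes":
                ["web-origins", "acr", "roles", "profile", "email"],
              "optionalClientScopes":
                ["address", "phone", "offline_access", "microprofile-jwt"],
            },
          ],
        "users":
          [
            {
              "username": "service-account-svc-application",
              "enabled": true,
              "serviceAccountClientId": "svc-application",
              "realmRoles": ["default-roles-development"],
              "clientRoles": { "svc-application": ["uma_protection"] },
              "notBefore": 0,
            },
            {
              "username": "user",
              "email": "user@keycloak.local",
              "enabled": true,
              "firstName": "user first name",
              "lastName": "user last name",
              "credentials": [{ "type": "password", "value": "password" }],
              "groups": ["/svc-application-group/svc-application-user"],
            },
            {
              "username": "admin",
              "email": "admin@keycloak.local",
              "enabled": true,
              "firstName": "admin first name",
              "lastName": "admin last name",
              "credentials": [{ "type": "password", "value": "password" }],
              "groups": ["/svc-application-group/svc-application-admin"],
            },
            {
              "username": "guest",
              "email": "guest@keycloak.local",
              "enabled": true,
              "firstName": "guest first name",
              "lastName": "guest last name",
              "credentials": [{ "type": "password", "value": "password" }],
            },
          ],
      }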