libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
keycloak-scim/docs/guides/high-availability/examples/generated/keycloak-ispn.yaml

890 lines
122 KiB
YAML
Raw Normal View History

Adding a Keycloak High Availability section to Keycloak's docs The content was moved over from the Keycloak Benchmark subproject. Closes #24844 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Kamesh Akella <kakella@redhat.com> Co-authored-by: Ryan Emerson <remerson@redhat.com> Co-authored-by: Anna Manukyan <amanukya@redhat.com> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Stian Thorgersen <stian@redhat.com> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: AndyMunro <amunro@redhat.com>
2023-11-23 12:27:47 +00:00
---
# Source: keycloak/templates/infinispan/remote-store-secret.yaml
# tag::keycloak-ispn-secret[]
apiVersion: v1
kind: Secret
metadata:
name: remote-store-secret
namespace: keycloak
type: Opaque
data:
username: ZGV2ZWxvcGVy # base64 encoding for 'developer'
password: c2VjdXJlX3Bhc3N3b3Jk # base64 encoding for 'secure_password'
# end::keycloak-ispn-secret[]
---
# Source: keycloak/templates/keycloak-db-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: keycloak-db-secret
namespace: keycloak
type: Opaque
data:
username: a2V5Y2xvYWs= # keycloak
password: c2VjcmV0OTk= # secret99
---
# Source: keycloak/templates/keycloak-initial-admin-secret.yaml
apiVersion: v1
kind: Secret
metadata:
labels:
app: keycloak
name: keycloak-preconfigured-admin
namespace: keycloak
type: kubernetes.io/basic-auth
data:
password: YWRtaW4= # admin by default
username: YWRtaW4= # admin
---
# Source: keycloak/templates/keycloak-tls-secret.yaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVmekNDQXVlZ0F3SUJBZ0lSQUlVenBxa1FoaTNKclZBcmxVNVRhVTB3RFFZSktvWklodmNOQVFFTEJRQXcKZ1lreEhqQWNCZ05WQkFvVEZXMXJZMlZ5ZENCa1pYWmxiRzl3YldWdWRDQkRRVEV2TUMwR0ExVUVDd3dtWVhCbApjblZtWm05QVlYQmxjblZtWm04dGJXRmpJQ2hCYm1SeVpXRWdVR1Z5ZFdabWJ5a3hOakEwQmdOVkJBTU1MVzFyClkyVnlkQ0JoY0dWeWRXWm1iMEJoY0dWeWRXWm1ieTF0WVdNZ0tFRnVaSEpsWVNCUVpYSjFabVp2S1RBZUZ3MHkKTWpBek1ETXhNVEExTlRWYUZ3MHlOREEyTURNeE1EQTFOVFZhTUZveEp6QWxCZ05WQkFvVEhtMXJZMlZ5ZENCawpaWFpsYkc5d2JXVnVkQ0JqWlhKMGFXWnBZMkYwWlRFdk1DMEdBMVVFQ3d3bVlYQmxjblZtWm05QVlYQmxjblZtClptOHRiV0ZqSUNoQmJtUnlaV0VnVUdWeWRXWm1ieWt3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXcKZ2dFS0FvSUJBUUN5MjljQ0JrSzZNWERNbWZONy9TVmdiNXR2WXFWc01LVjhjaEwvTE5UcXVkdVA0QVBZeEtzMApQWnZBd0RRa3lGUXRxQlVvTXBhelBCaUpyREZ2eHc2VDZaeGVUOXlobCtvNWxhVmdseUdUMC9TcTBjTkg3UkZaCk5KeXpEZDdhREVjc2E0cmZmVEJPbk9UZjZ3QzhuSkNobTl4Mm9FWlU0UHRIb2tKZzcrVlFXYUdVRHg3Wm5YSlgKUXQ5SXFSb1dQWW1BWnNQc1FUNzdPeWkzUGZSa2NqZ1FTWEJsWVhNWXFZOWxMZTZpR2NldnNkdGhyOEdOZFF4dQpJV3RBOTYwdkgzSFpwRmgyRXRJbnVEOTdlWjU4STB4WXZuU2xSZGlXV1BPSTNwWDFvR0xyWDZjWGl1RlRDNUg3ClB3NnVSZUdVZ2tvR2tXS1pSU3RZdGp1dENuZHEvZ2JuQWdNQkFBR2pnWTh3Z1l3d0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQjhHQTFVZEl3UVlNQmFBRkg2Qmh5V21zVEpwMTdqSApVLzlKaDI1MUdhMTFNRVFHQTFVZEVRUTlNRHVDQzJWNFlXMXdiR1V1WTI5dGdnbHRlV0Z3Y0M1a1pYYUNDV3h2ClkyRnNhRzl6ZEljRWZ3QUFBWWNRQUFBQUFBQUFBQUFBQUFBQUFBQUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0MKQVlFQWYrazRMQW11YjlLKzM3RWo5M3RwYXhZdER2cUl4d1VpVkRHUyt6TElrd296akkyaHVTYko2N0lsdVJZaQp0SjVUU3hlM1hMTTNJM1NQU2tKNUxpY0JLRjJDRW1tdDBKRnk2WERxeU80L3NncFVDWVh6V3J1ZWU5VWM4VkhNCnljL3ZLclN3bTVDek82alIyZk0xajdCUWVJdHh6Qk1rTlJYZUUxSUVJWGtYMUFFUGRYaFBHZXFya1NqYzdGbjkKSkIzeGIvN0xvdTNxSFlBV2xyeThicWd2Z0pjZFlVWE9RWlVZSXE0ekd4bkNZRFRTblRuTG8vbW5YQ0h6MHZXRApldlpRQzhsL2t2TWRNb1RNSUxWamxObFgyeTNyekw2ak1QZTIxcGpSdFd3K0R6S1E1dkdZemMxL1hFbXJRaVJVCmxlRWE4cVp4QVkySXptMW9hTWdNa0cwZklKRkEyZk9DSGVWTnJOek93S1ZjaXFGVHpUanpZMW9HZDd5bncrQ28KaUF1Tm03TERxdzczakJYMVBBK1ZYM0pnRTVlODVnQ0FVU0UzK0Y3Z1RGb1hBS1M3T255Mk9mS0xSREw3U0NPWgp1THlub1NVeTUrcnJlUjBJNzRwTXVhRm9hUHo5U2lCNzVCNnZ4eGZWV0xLN0g3T1ZxV1YyR0Qra3dxSW1hOUVJClVmV2IKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ3kyOWNDQmtLNk1YRE0KbWZONy9TVmdiNXR2WXFWc01LVjhjaEwvTE5UcXVkdVA0QVBZeEtzMFBadkF3RFFreUZRdHFCVW9NcGF6UEJpSgpyREZ2eHc2VDZaeGVUOXlobCtvNWxhVmdseUdUMC9TcTBjTkg3UkZaTkp5ekRkN2FERWNzYTRyZmZUQk9uT1RmCjZ3QzhuSkNobTl4Mm9FWlU0UHRIb2tKZzcrVlFXYUdVRHg3Wm5YSlhRdDlJcVJvV1BZbUFac1BzUVQ3N095aTMKUGZSa2NqZ1FTWEJsWVhNWXFZOWxMZTZpR2NldnNkdGhyOEdOZFF4dUlXdEE5NjB2SDNIWnBGaDJFdEludUQ5NwplWjU4STB4WXZuU2xSZGlXV1BPSTNwWDFvR0xyWDZjWGl1RlRDNUg3UHc2dVJlR1Vna29Ha1dLWlJTdFl0anV0CkNuZHEvZ2JuQWdNQkFBRUNnZ0VBWEtWSlV2QWhRa2IzMGROdzd1bXFvYkJPQ0QxRnlLdk9ISThPVGdWUDZLSUwKSEJTQ2laY2R3M3FpSWc2dE05eGMxaVY1aUEva1JjVThSSnZnSTdFdFdPcXFKNlFnZWNleCtOQU9FT0ZYOERYYgpSMXhPVmdSemR3eXNtb2IxeDJhU3UyeWRTN1NTQURaK3k0bjBJTDdNb0JtVzhnK0ZQdFFtOU8wVWl4ZllaV3lhCmVleHFOS0xLVS9neG5iZXIvQy9kVWpPS3dndmpDRHkvZjhGQ1BNcDBEZzFLdU1Uc2J5ZjRyczQvM1JkUDBtK08KdXZhTTJQaEJsNEJJQVg2NXRIc1p6TGRtZWhOdzd1RGR1eGhBenVwVkR6YlhKcGQ5cEZaWE83QzlGWXhVNFpuSgpHbnliWktQcDlrL28yVkw2OWR1d0NSdkYySlVWdEZQZ2pibG80R2o4Y1FLQmdRRFc3NXVhdGtHUmNHR1Y3QWE3CktWcXVwWXFoazlxOERvaG9CZ2xvZzZMb3REMzFxbks2b1hwM2UweS9mZElMaEFERGdCaStEYW05aGFicEV4Q3YKK29TcnVNbFJLM1EyN1ZzbFd6WVQ2K0JyZDRNS3RrNjN6TG1YS25iTWhsOE9TQ1FERmdrUXQrWExGak1FUmNmawpvb2JWem1qajdrWnh5c1hoV2xsdlFTaXkyUUtCZ1FEVkI3ZG9oNDcwZ3I2VjBvbko4VzlDazF6MTBWMEtCQ0ZjCmFkd3Z4UjBKdUhsc2ZmVVJsaU1zQ3VzQlYzWDJpb3liblNxeG14SGQ0Qm5zeWx4bFlLdEpkM2pQbE05bnVoajAKbWZwMzFIcEN6aWRZRUs5Q1RVVFBTZE5tcUlFdHJqTkppano0OHcxNWlTVFA2c2c4ZXhWVUdtTVkrUDVyeDM4SQpXSkxzU3VqdnZ3S0JnUUNrTW5QN0l4VEFHTXhVRGZXdWNZODNNSHZScC9SSUNnb20vY1dlTkVIMTZBd1ZhdHN1CnZFR2ttV3N1TnQ2SnNaUXJ4ZVlnK3FzYmY4amM4WldqK292ejY3elA1NVJtaWJsQnRvWi9mWWo2VUZpcGpGQmkKbFdHS25BUVpodVdETVpWaFRpb3F2WEl0VFk0M3kxOUR5TzJjMUl6STQ3U3BKYkU1MFIzVm9qK0hNUUtCZ0VkZwpESDJEWGN4aXVnUnN4Q25iTU5IM21kL3F3K2VGTnNCRjM3WkpyczhBOWYzNXZkQ2tveWd3aUVpc3l5Tk5qSXJlCi85ejkvZUIvSTNDSTVLZzYyV2tHRkg1SWQ2MWpWdFV0ZWhRSUp1YVhOK3R6dTZUVlNzYkJENG1IejdCRWUzNmEKU0krSXIrMFduRFRsankxa2QrTHo3RndEb1FydmpvcDNVdExFem9MMUFvR0JBTTcvWVRNWSszV1NDeENPL3NIWAo3OGZDeHhBRHFMVWMxVURYdGMzcFhKQnorL3hJeUx1Q3JQYnlsUC82L21yRjN4SENTbGg3bi9mcFovV1dRMzIxCjNyZnR5Y2czWWVzalZxdjBaZmJVb01OdFE5cGYrcFpQMGpWVEZXMlF3YTZWYURrcGdTQnB4QzlvWXlMWTRldGMKajBkWm9NeTVMYXNKcm5jUjhlTVc4NHlnCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: keycloak-tls-secret
namespace: keycloak
type: kubernetes.io/tls
---
# Source: keycloak/templates/keycloak-infinispan-configmap.yaml
# tag::keycloak-ispn-configmap[]
apiVersion: v1
kind: ConfigMap
metadata:
name: kcb-infinispan-cache-config
namespace: keycloak
data:
kcb-infinispan-cache-remote-store-config.xml: |
<?xml version="1.0" encoding="UTF-8"?>
<!-- end::keycloak-ispn-configmap[] -->
<!--
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!--tag::keycloak-ispn-configmap[] -->
<infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:14.0 https://www.infinispan.org/schemas/infinispan-config-14.0.xsd
urn:infinispan:config:store:remote:14.0 https://www.infinispan.org/schemas/infinispan-cachestore-remote-config-14.0.xsd"
xmlns="urn:infinispan:config:14.0">
<!--end::keycloak-ispn-configmap[] -->
<!-- the statistics="true" attribute is not part of the original KC config and was added by Keycloak Benchmark -->
<cache-container name="keycloak" statistics="true">
<transport lock-timeout="60000"/>
<metrics names-as-tags="true" />
<local-cache name="realms" simple-cache="true" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory max-count="10000"/>
</local-cache>
<local-cache name="users" simple-cache="true" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory max-count="10000"/>
</local-cache>
<!--tag::keycloak-ispn-remotestore[] -->
<distributed-cache name="sessions" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false"> <!--1-->
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="sessions"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/> <!--2-->
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/> <!--3-->
</authentication>
<encryption protocol="TLSv1.3"
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/> <!--4-->
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/> <!--5-->
</distributed-cache>
<!--end::keycloak-ispn-remotestore[] -->
<distributed-cache name="authenticationSessions" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="authenticationSessions"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3"
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
<distributed-cache name="offlineSessions" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="offlineSessions"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3"
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
<distributed-cache name="clientSessions" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="clientSessions"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="offlineClientSessions"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
<distributed-cache name="loginFailures" owners="2" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="loginFailures"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
<local-cache name="authorization" simple-cache="true" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory max-count="10000"/>
</local-cache>
<!--tag::keycloak-ispn-remotestore-work[] -->
<replicated-cache name="work" statistics="true">
<expiration lifespan="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="work"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
</replicated-cache>
<!--end::keycloak-ispn-remotestore-work[] -->
<local-cache name="keys" simple-cache="true" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="3600000"/>
<memory max-count="1000"/>
</local-cache>
<distributed-cache name="actionTokens" owners="2" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
<memory max-count="-1"/>
<persistence passivation="false">
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
cache="actionTokens"
raw-values="true"
shared="true"
segmented="false">
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
port="${env.KC_REMOTE_STORE_PORT}"/>
<connection-pool max-active="16"
exhausted-action="CREATE_NEW"/>
<security>
<authentication server-name="infinispan">
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
password="${env.KC_REMOTE_STORE_PASSWORD}"
realm="default"/>
</authentication>
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
type="pem"/>
</encryption>
</security>
</remote-store>
</persistence>
<state-transfer enabled="false"/>
</distributed-cache>
</cache-container>
</infinispan>
---
# Source: keycloak/templates/keycloak-providers-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-providers
namespace: keycloak
binaryData:
keycloak-benchmark-dataset-0.10-SNAPSHOT.jar: UEsDBAoAAAAAAONlcVcAAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBAoAAAAIAOJlcVdmwpOSbgAAAIMAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUbzTczLTEstLtENSy0qzszPs1Iw1DPg5XIsSs7ILEstQggH5KRWlBYrwCR4uZyLUhNLUlN0nSqtFBwLEpMzUhV8E8tS8xSM9Sz0THi5nEozc0rAsonFyRnliUUlELEUXa+UbKA15noGeka8XLxcAFBLAwQKAAAAAADhZXFXAAAAAAAAAAAAAAAAEgAAAE1FVEEtSU5GL3NlcnZpY2VzL1BLAwQKAAAAAADiZXFXAAAAAAAAAAAAAAAABAAAAG9yZy9QSwMECgAAAAAA4mVxVwAAAAAAAAAAAAAAAA0AAABvcmcva2V5Y2xvYWsvUEsDBAoAAAAAAOJlcVcAAAAAAAAAAAAAAAAXAAAAb3JnL2tleWNsb2FrL2JlbmNobWFyay9QSwMECgAAAAAA4mVxVwAAAAAAAAAAAAAAAB0AAABvcmcva2V5Y2xvYWsvYmVuY2htYXJrL2NhY2hlL1BLAwQKAAAAAADiZXFXAAAAAAAAAAAAAAAAHwAAAG9yZy9rZXljbG9hay9iZW5jaG1hcmsvZGF0YXNldC9QSwMECgAAAAAA4mVxVwAAAAAAAAAAAAAAACYAAABvcmcva2V5Y2xvYWsvYmVuY2htYXJrL2RhdGFzZXQvY29uZmlnL1BLAwQKAAAACADhZXFXQvxoziYCAACfBAAAJwAAAE1FVEEtSU5GL2pib3NzLWRlcGxveW1lbnQtc3RydWN0dXJlLnhtbJ1TwW7bMAy99yu4nDYgtoMet6xY1maosSIB4nRFj4pMO1xtSZPourns20cradqiwIbuZIt87/nxUZ6+S5ITgN9wbt3OU71lOJ2cTmCFJVwqHkNudArKlJn1QBxAVRU1pBhDpEkHLG/Rg7aGPW06tl5QAciUpAVXwmYHgoAvquOtqLCqQzqQo8AVaTRBUJ0pRWUAzpzS8jh0xvADfSBr4DSdwPsBMDq0Rh8+RY2d7aBVOzCWoQsoIhRAbCLgg0bH4kXstU58G43QE2/jhw4y0QzcHkTshpXglTCcnKrnSFB8NL5ldh+zrO/7VEXDqfV11uyBIbvKz+eLYp6I6SPl2jQYAnj81ZHfB6OcuNJqI14b1YPEo2qP0mM7uO49MZl6DMFW3CuPUaeksI/6RWyPHmX25wAJThkYzQrIixF8nRV5MY4qN/n6cnm9hpvZajVbrPN5AcsVnC8XF/k6Xy7k9A1mi1v4ni8uxoAUt4wPzg8zDLdhCBTLfXoF4gsTld2bCg41VaRlOlN3qkao7T16I0OBQ99SGFYbhnsUdRpqiRXH2qvRHm9NkpydnEx/bmwISYmusbsWDScyc6e583gmGIDpU2tfeCyi6BpNGJ7KsdXaspM9GNXi55EsM73DnW6suju+JAH9vXgJo+ztXIFgk5CpyFBwyvxb4/+wqVz1VvJ7G0dWaTjdWva2fBPTDX9nYEkUU4+tZXxOn2avA4+142am2V8W+QdQSwMECgAAAAgA4WVxV9i9aKZRAAAAtwAAAE0AAABNRVRBLUlORi9zZXJ2aWNlcy9vcmcua2V5Y2xvYWsuc2VydmljZXMucmVzb3VyY2UuUmVhbG1SZXNvdXJjZVByb3ZpZGVyRmFjdG9yeZ3LMQqAMAxG4d3D5BKKs/QGMf2xUmsgjUJvL+IqDi7vTZ/aQhlNNuVMM3ZJhS1TZOcKp+F5QNXDBJPpuUbYyOJqrdN3LSwJ1N/9JQOKOr78BVBLAwQKAAAACADiZXFX/vYjDjoCAADJBAAAPgAAAG9yZy9rZXljbG9hay9iZW5jaG1hcmsvY2FjaGUvUmVtb3RlQ2FjaGVSZXNvdXJjZVByb3ZpZGVyLmNsYXNznZNraxNBFIbfyW2bWxs1VuO1ja1uEnUFBcWIUAr5YmhLIwE/TrZDMs1eYHYTEfE/WVAKCv4Af5R4ZhJjkxZpZZk5c2bOPO85Mzs/f337AeA56jkkkLSQKiCNDEPpkI+54/Gg7+z2DoUbM2ReyUDGrxmSdq2bxRKyFnIF5FFgeBGqvjMUH1wv5EOnJwJ34HM1dFzuDoSzL/wwFtt6vC+icKRcsafCsTwQisGKRBTJMGDYbM9R/PBAeJHzZup3JmFNC8sMTy6ql0MRJV3bJYaX9rmE2n+PoBMrGfSbta6FKwzP5nZHQo2lKyJHTaVInnv+6ULt88nWugypbVpjWGnLQOyM/J5Qb3nPo5nL7dDlXpcrqf3pZCoeyIjKav/vJTQZ8n0R/5lmKNu19uIPQEElCpoDMLTsM47pwokQO2sWd7hvqjzFZKjsj4JY+qIrI0llbwVBGPOYToxKL9OGIVcxd97TPUTOHo8HtCU95t6IeEvOR0P/xFCdp+xxRYqxUHO4yhk4E6mZhqStF0Zkcx1TQUvqm1j7xyE/1jVhnd5NAlSiafR26PWlaJxGmfqr5LVoPUE2Vz8Gqze+wjoiL4FV6peRpL5KO+4hiw1cI291Eo3rqABmpKmMvhu4OWU+ND5R6p9nrIyZsQ2jMFmdMhhu4TYp6Z1bpKX5xe8ovqt/gdU4xsoi5NGJRIqzRIq4g7u0vkbjPNl1atWIMt/QijqhzcnMfTIPDEorNkwG1I4WVJ6eSJXNUrVNVO03UEsDBAoAAAAIAOJlcVcYrNW0UgcAAMUPAAA2AAAAb3JnL2tleWNsb2FrL2JlbmNobWFyay9jYWNoZS9SZW1vdGVDYWNoZVJlc291cmNlLmNsYXNzpVdpVxvXGX4uIAbE2FBsE3BsIzvYZrMnwQ52EHaMiRcaQVy2eEnTXqSLGBjNqDMjbJqme9J9T9uka7qm7fGHpk2JnZ7T9lvP6W/qafvckQQCpIaefkBzl3d93u3yj3+99xcA5/C7OOpQb6DBRAyNAm3LclVajnSz1nMLyyodCjSO2q4dXhSo7+2bN9AkcMnzs9aKWks7nlyx0p7rktD23MCy3UUSB3npWhMby/ENghu+t2pnlN+COFoMmCb2YK/AY1vk5byMcgLr2dJ+RgUBWQVasiosCxA405vaNHXckUGQ7EttkZMv0VplpmQLDLSZ+ADaBZoobVyml5RAf6WomdC33WxJVoU7EW3SwH6BoW1XaS+X085HJHR20c4WfKn9vXIvrfJ60YwOPGKg00QXDgo8vsXQBeWml3LSJ5RagjWtcl6oImnTKvAKfppGNjpeNqsdPxhZtrzgBYGlz2itlYruknHswyETh3FEIE7/JgmdzJJ5f2/fThfjSOCogWMmHkOPQGctsQIx5fsevwcqgSqmR1KnxAmB7mW5Iv1QWncDyw+sKS+86hXczAYATeglf+RTIuOpIOF6YULds4MwiOM4+nX6DWzTUA7FfByncNqAZeJxPFHCf/fpNxfajsBe4lEBrMDl3uoh3hH5tGMrN7SWvND3MpXBSTbhjMBc0anjQcmdwcRCIdz0cUmuqoQfMc2Enq8SMgw1Q+Z0YiJITF9/5lrCdkOVLSZMQrlywVGZp3VwnjQxjHMMfQT/osDJKuhUi0gTnhI4VLQ0ka6Guc7HpIlRXGBd+ZWw9O/e/RY8jUsGxkxc1q2jd7eMTKi0o6TfhGcEeraYSRSjK5VJBIV0mvm7WHCcNa3pqolrOrENBnJK5pRGaMLEBzVCMar1FtvZ0VImJjEl8EhOruhaTMvweTtc4ioIpRsGAieqVnuV6riBDxmYNjGDWYGBGhWbkaEMVGjNymCFxZqnHvq3h8rCQrBRf2M1O8wuRUZYz5t4HjcZMKZ8KG03YIusUZS347iNOwZeMPFhvLilrRfV64ai3Gy4FLX1iTg+CmlgwUQaGRZLRF5g4VhzcxOMUnzR93Jlzp7aCG6wsFMyYY9t0k04jspKZ8zPFnJMi4rGQBMevWavKjcRRLJ0EuhMlW5CS9JxXjaxEsX5rvTdRX2SM+HCE2hmNpTb1KlaI6FqsxQY6U3tYvAkq3UkgYZxUgu0pmxXTRV
---
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-exporter
namespace: keycloak
data:
pgexporter-queries.yaml: |
# This is configuration file for postgres_exporter.
# Add custom metrics via SQL statements here as described here: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file
# See https://github.com/prometheus-community/postgres_exporter/blob/master/queries.yaml for examples.
pg_locks_waiting:
# language=SQL
query: |
WITH q_locks AS (select * from pg_locks where granted = false and pid != pg_backend_pid())
SELECT (select current_database()) as datname, lower(lockmodes) AS mode, coalesce((select count(*) FROM q_locks WHERE mode = lockmodes), 0) AS count FROM
unnest('{AccessShareLock, ExclusiveLock, RowShareLock, RowExclusiveLock, ShareLock, ShareRowExclusiveLock, AccessExclusiveLock, ShareUpdateExclusiveLock}'::text[]) lockmodes;
metrics:
- datname:
usage: "LABEL"
description: "Database name"
- mode:
usage: "LABEL"
description: "Lock type"
- count:
usage: "GAUGE"
description: "Number of locks"
---
# Source: keycloak/templates/keycloak-jvmdebug-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: keycloak
name: keycloak-jvmdebug
namespace: keycloak
spec:
type: NodePort
ports:
- name: jvmdebug
port: 8787
protocol: TCP
nodePort: 30012
selector:
app: keycloak
sessionAffinity: None
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
ports:
- port: 9187
name: metrics
protocol: TCP
targetPort: 9187
selector:
app: postgres-exporter
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/postgres/postgres-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: postgres-nodeport
namespace: keycloak
labels:
app: postgres
spec:
type: NodePort
ports:
- protocol: TCP
port: 5432
nodePort: 30009
selector:
app: postgres
---
# Source: keycloak/templates/postgres/postgres-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: postgres
name: postgres
namespace: keycloak
spec:
ports:
- port: 5432
protocol: TCP
targetPort: 5432
selector:
app: postgres
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
ports:
- port: 3000
protocol: TCP
targetPort: 3000
selector:
app: sqlpad
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/postgres/postgres-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: postgres
name: postgres
namespace: keycloak
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: postgres
strategy:
type: Recreate
template:
metadata:
labels:
app: postgres
spec:
containers:
- imagePullPolicy: Always
env:
- name: POSTGRES_PASSWORD
value: secret99
- name: POSTGRES_USER
value: keycloak
- name: POSTGRES_DB
value: keycloak
image: postgres:13.2
args:
# default of max_prepared_transactions is 0, and this setting should match the number of active connections
# so that running Quarkus with JTA and more than one data store can prepare transactions.
- -c
- max_prepared_transactions=100
resources:
requests:
cpu: "0"
startupProbe:
tcpSocket:
port: 5432
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
tcpSocket:
port: 5432
failureThreshold: 10
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 5432
failureThreshold: 10
periodSeconds: 10
name: postgres
ports:
- containerPort: 5432
protocol: TCP
restartPolicy: Always
# The rhel9/postgresql-13 is known to take ~30 seconds to shut down
# As this is a deployment with ephemeral storage, there is no need to wait as the data will be gone anyway
terminationGracePeriodSeconds: 0
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: postgres-exporter
strategy:
type: Recreate
template:
metadata:
labels:
app: postgres-exporter
annotations:
checksum: ea6be7f450cc15ae55e469caf5a789a1cfd67ff8612d737ec5d85c83d528ee52
spec:
containers:
- env:
- name: DATA_SOURCE_NAME
value: postgresql://keycloak:secret99@postgres:5432/keycloak?sslmode=disable
- name: PG_EXPORTER_EXTEND_QUERY_PATH
value: /conf/pgexporter-queries.yaml
image: quay.io/prometheuscommunity/postgres-exporter:v0.10.1
imagePullPolicy: Always
startupProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 10
periodSeconds: 10
name: postgres-exporter
ports:
- containerPort: 9187
name: metrics
protocol: TCP
volumeMounts:
- mountPath: /conf
name: config
restartPolicy: Always
volumes:
- name: config
configMap:
name: postgres-exporter
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: sqlpad
strategy:
type: Recreate
template:
metadata:
labels:
app: sqlpad
spec:
containers:
- env:
- name: SQLPAD_ADMIN
value: 'admin'
- name: SQLPAD_ADMIN_PASSWORD
value: 'admin'
- name: SQLPAD_PORT
value: '3000'
- name: SQLPAD_APP_LOG_LEVEL
value: debug
- name: SQLPAD_WEB_LOG_LEVEL
value: warn
- name: SQLPAD_SEED_DATA_PATH
value: /etc/sqlpad/seed-data
- name: SQLPAD_CONNECTIONS__pgdemo__name
value: PostgresSQL Keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__port
value: '5432'
- name: SQLPAD_CONNECTIONS__pgdemo__host
value: postgres
- name: SQLPAD_CONNECTIONS__pgdemo__username
value: keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__password
value: pass
- name: SQLPAD_CONNECTIONS__pgdemo__database
value: keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__driver
value: postgres
- name: SQLPAD_CONNECTIONS__pgdemo__multiStatementTransactionEnabled
value: 'true'
- name: SQLPAD_CONNECTIONS__pgdemo__idleTimeoutSeconds
value: '86400'
- name: SQLPAD_QUERY_RESULT_MAX_ROWS
value: '100000'
image: sqlpad/sqlpad:6.11.0
imagePullPolicy: Always
startupProbe:
httpGet:
path: /
port: 3000
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
httpGet:
path: /
port: 3000
failureThreshold: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /
port: 3000
failureThreshold: 10
periodSeconds: 10
name: sqlpad
ports:
- containerPort: 3000
protocol: TCP
restartPolicy: Always
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
defaultBackend:
service:
name: sqlpad
port:
number: 3000
rules:
- host: sqlpad.minikube.nip.io
http:
paths:
- backend:
service:
name: sqlpad
port:
number: 3000
path: /
pathType: ImplementationSpecific
---
# Source: keycloak/templates/cockroach-operator/cockroach-operator.yaml
# sourced from https://raw.githubusercontent.com/cockroachdb/cockroach-operator/master/install/operator.yaml
---
# Source: keycloak/templates/keycloak.yaml
# There are several callouts in this YAML marked with `# <1>' etc. See 'running/keycloak-deployment.adoc` for the details.
# tag::keycloak[]
# tag::keycloak-ispn[]
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
labels:
app: keycloak
name: keycloak
namespace: keycloak
spec:
# end::keycloak-ispn[]
hostname:
hostname: keycloak-keycloak.minikube.nip.io
db:
vendor: postgres
url: jdbc:postgresql://postgres:5432/keycloak
poolMinSize: 15 # <1>
poolInitialSize: 15
poolMaxSize: 15
usernameSecret:
name: keycloak-db-secret
key: username
passwordSecret:
name: keycloak-db-secret
key: password
# tag::keycloak-ispn[]
additionalOptions:
- name: cache-config-file # <1>
value: kcb-infinispan-cache-remote-store-config.xml
- name: log-console-output
# end::keycloak-ispn[]
value: json
- name: metrics-enabled # <2>
value: 'true'
# tag::keycloak-ispn[]
- name: remote-store-host # <2>
value: "infinispan.keycloak.svc"
- name: remote-store-port # <2>
value: "11222"
- name: remote-store-username # <3>
secret:
name: remote-store-secret
key: username
- name: remote-store-password # <3>
secret:
name: remote-store-secret
key: password
# end::keycloak-ispn[]
http:
tlsSecret: keycloak-tls-secret
instances: 1
# tag::keycloak-ispn[]
unsupported:
podTemplate:
# end::keycloak[]
# end::keycloak-ispn[]
metadata:
annotations:
checksum/config: c6c58fd5275c8f2be97e8dd2a535901ad5f3a6ad281890361c84e3f4b36c95f8-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3--302cb302c7823761a9780d87abdb954ae8b71460dbf49779dbda7c66069b7938-v1.27.0
# tag::keycloak[]
# tag::keycloak-ispn[]
spec:
# end::keycloak-ispn[]
# tag::keycloak-ispn[]
containers:
- env:
# end::keycloak-ispn[]
- name: 'QUARKUS_THREAD_POOL_MAX_THREADS' # <3>
value: "200"
# end::keycloak[]
# tag::keycloak-queue-size[]
- name: 'QUARKUS_THREAD_POOL_QUEUE_SIZE' # <1>
value: '1000'
# end::keycloak-queue-size[]
# We want to have an externally provided username and password, therefore, we override those two environment variables
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: keycloak-preconfigured-admin
key: username
optional: false
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-preconfigured-admin
key: password
optional: false
# tag::keycloak[]
# tag::keycloak-ispn[]
- name: JAVA_OPTS_APPEND # <4>
value: >
-Djgroups.thread_dumps_threshold=1 -Djboss.site.name=keycloak
# end::keycloak[]
# end::keycloak-ispn[]
ports:
# tag::keycloak[]
resources:
requests:
memory: "1024M"
limits:
memory: "1024M"
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
# tag::keycloak-ispn[]
volumeMounts:
- name: kcb-infinispan-cache-config # <5>
mountPath: /opt/keycloak/conf/kcb-infinispan-cache-remote-store-config.xml
subPath: kcb-infinispan-cache-remote-store-config.xml
readOnly: true
# end::keycloak-ispn[]
- name: keycloak-providers
mountPath: /opt/keycloak/providers
readOnly: true
# tag::keycloak-ispn[]
volumes:
- name: kcb-infinispan-cache-config # <6>
configMap:
name: kcb-infinispan-cache-config
items:
- key: kcb-infinispan-cache-remote-store-config.xml
path: kcb-infinispan-cache-remote-store-config.xml
# end::keycloak-ispn[]
- name: keycloak-providers
configMap:
name: keycloak-providers
---
# Source: keycloak/templates/keycloak-monitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: keycloak-metrics
namespace: keycloak
spec:
selector:
matchLabels:
app: keycloak
podMetricsEndpoints:
# todo: targetPort is deprecated, ask the operator to specify a name instead
- targetPort: 8443
scheme: https
tlsConfig:
insecureSkipVerify: true
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
endpoints:
- port: metrics
jobLabel: jobLabel
selector:
matchLabels:
app: postgres-exporter
Reference in a new issue Copy permalink