---
# Source: keycloak/templates/infinispan/remote-store-secret.yaml
# Credentials for the external Infinispan remote store. The Keycloak CR reads
# them through the cache-remote-username / cache-remote-password options.
# Secret data is only base64-encoded, not encrypted: these sample values are
# readable by anyone with access to this file or to the Secret object.
# tag::keycloak-ispn-secret[]
apiVersion: v1
kind: Secret
metadata:
  name: remote-store-secret
  namespace: keycloak
type: Opaque
data:
  username: ZGV2ZWxvcGVy  # base64 encoding for 'developer'
  password: c2VjdXJlX3Bhc3N3b3Jk  # base64 encoding for 'secure_password'
# end::keycloak-ispn-secret[]
---
# Source: keycloak/templates/keycloak-db-secret.yaml
# Database credentials consumed by the Keycloak CR (db.usernameSecret /
# db.passwordSecret). The same two values are repeated as plain env literals
# on the postgres Deployment in this file; keep both places in sync.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret
  namespace: keycloak
type: Opaque
data:
  username: a2V5Y2xvYWs=  # keycloak
  password: c2VjcmV0OTk=  # secret99
---
# Source: keycloak/templates/keycloak-initial-admin-secret.yaml
# Initial Keycloak admin account. The Keycloak CR's pod template injects these
# two keys as KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD. The default is
# admin/admin, so this Secret must be changed before the instance is reachable
# by anyone but the person running the test.
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: keycloak
  name: keycloak-preconfigured-admin
  namespace: keycloak
# kubernetes.io/basic-auth expects exactly the keys username and password.
type: kubernetes.io/basic-auth
data:
  username: YWRtaW4=  # admin
  password: YWRtaW4=  # admin by default
---
# Source: keycloak/templates/keycloak-tls-secret.yaml
# Serving certificate for Keycloak, referenced from the Keycloak CR as
# http.tlsSecret. The certificate and key bytes are elided ("...") in this
# listing; a kubernetes.io/tls Secret needs base64-encoded PEM in both keys.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-tls-secret
  namespace: keycloak
type: kubernetes.io/tls
data:
  tls.crt: "..."
  tls.key: "..."
---
# Source: keycloak/templates/keycloak-providers-configmap.yaml
# Carries the benchmark dataset provider jar; the Keycloak CR mounts it
# read-only into /opt/keycloak/providers via a subPath volume mount.
# The jar bytes are elided ("...") in this listing.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-providers
  namespace: keycloak
binaryData:
  keycloak-benchmark-dataset-0.12-SNAPSHOT.jar: "..."
---
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
# Additional query definitions for postgres_exporter. The postgres-exporter
# Deployment mounts this ConfigMap at /conf and points
# PG_EXPORTER_EXTEND_QUERY_PATH at the file. The embedded document is itself
# YAML in the exporter's queries format (one metric family per top-level key).
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-exporter
  namespace: keycloak
data:
  pgexporter-queries.yaml: |
    # This is configuration file for postgres_exporter.
    # Add custom metrics via SQL statements here as described here: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file
    # See https://github.com/prometheus-community/postgres_exporter/blob/master/queries.yaml for examples.
    pg_locks_waiting:
      # language=SQL
      query: |
        WITH q_locks AS (select * from pg_locks where granted = false and pid != pg_backend_pid())
        SELECT (select current_database()) as datname, lower(lockmodes) AS mode, coalesce((select count(*) FROM q_locks WHERE mode = lockmodes), 0) AS count FROM
        unnest('{AccessShareLock, ExclusiveLock, RowShareLock, RowExclusiveLock, ShareLock, ShareRowExclusiveLock, AccessExclusiveLock, ShareUpdateExclusiveLock}'::text[]) lockmodes;
      metrics:
        - datname:
            usage: "LABEL"
            description: "Database name"
        - mode:
            usage: "LABEL"
            description: "Lock type"
        - count:
            usage: "GAUGE"
            description: "Number of locks"
---
# Source: keycloak/templates/keycloak-jvmdebug-service.yaml
# NodePort Service forwarding node port 30012 to port 8787 on the Keycloak
# pods; the port name marks it as the JVM remote-debug port. A debugger
# attached to that port has full control of the JVM, so it must not be
# reachable beyond the developer's own machine. Remove this Service from any
# cluster that is not a throwaway test environment.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-jvmdebug
  namespace: keycloak
  labels:
    app: keycloak
spec:
  type: NodePort
  selector:
    app: keycloak
  sessionAffinity: None
  ports:
    - name: jvmdebug
      protocol: TCP
      port: 8787
      nodePort: 30012
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
# Cluster-internal Service in front of the postgres-exporter pod. The port is
# named "metrics" so the ServiceMonitor below can select it by name.
apiVersion: v1
kind: Service
metadata:
  name: postgres-exporter
  namespace: keycloak
  labels:
    app: postgres-exporter
spec:
  type: ClusterIP
  selector:
    app: postgres-exporter
  sessionAffinity: None
  ports:
    - name: metrics
      protocol: TCP
      port: 9187
      targetPort: 9187
---
# Source: keycloak/templates/postgres/postgres-nodeport.yaml
# Exposes PostgreSQL on every node at port 30009 for access from outside the
# cluster. Combined with the static credentials in keycloak-db-secret this
# opens the database to the node network; keep it to isolated test clusters.
apiVersion: v1
kind: Service
metadata:
  name: postgres-nodeport
  namespace: keycloak
  labels:
    app: postgres
spec:
  type: NodePort
  selector:
    app: postgres
  ports:
    - protocol: TCP
      port: 5432
      nodePort: 30009
---
# Source: keycloak/templates/postgres/postgres-service.yaml
# Cluster-internal Service for PostgreSQL; the exporter and sqlpad reach the
# database through the DNS name "postgres".
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: keycloak
  labels:
    app: postgres
spec:
  type: ClusterIP
  selector:
    app: postgres
  sessionAffinity: None
  ports:
    - protocol: TCP
      port: 5432
      targetPort: 5432
---
# Source: keycloak/templates/sqlpad.yaml
# Cluster-internal Service for the sqlpad UI; the sqlpad Ingress routes to it.
apiVersion: v1
kind: Service
metadata:
  name: sqlpad
  namespace: keycloak
  labels:
    app: sqlpad
spec:
  type: ClusterIP
  selector:
    app: sqlpad
  sessionAffinity: None
  ports:
    - protocol: TCP
      port: 3000
      targetPort: 3000
---
# Source: keycloak/templates/postgres/postgres-deployment.yaml
# Single-replica PostgreSQL for the benchmark. No volume is mounted, so the
# data lives in the container filesystem and is lost on every restart.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: keycloak
  labels:
    app: postgres
spec:
  replicas: 1
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      restartPolicy: Always
      # The rhel9/postgresql-13 is known to take ~30 seconds to shut down
      # As this is a deployment with ephemeral storage, there is no need to wait as the data will be gone anyway
      terminationGracePeriodSeconds: 0
      containers:
        - name: postgres
          image: postgres:13.2
          imagePullPolicy: Always
          env:
            # NOTE(review): these literals duplicate the values held in
            # keycloak-db-secret (username "keycloak", password "secret99").
            # Sourcing them with valueFrom.secretKeyRef would leave a single
            # definition and keep the password out of the Deployment object.
            - name: POSTGRES_PASSWORD
              value: secret99
            - name: POSTGRES_USER
              value: keycloak
            - name: POSTGRES_DB
              value: keycloak
          args:
            # default of max_prepared_transactions is 0, and this setting should match the number of active connections
            # so that running Quarkus with JTA and more than one data store can prepare transactions.
            - "-c"
            - max_prepared_transactions=100
          resources:
            requests:
              cpu: "0"
          ports:
            - containerPort: 5432
              protocol: TCP
          # All three probes only check that the port accepts a TCP connection.
          startupProbe:
            tcpSocket:
              port: 5432
            initialDelaySeconds: 10
            periodSeconds: 2
            failureThreshold: 20
          readinessProbe:
            tcpSocket:
              port: 5432
            periodSeconds: 10
            failureThreshold: 10
          livenessProbe:
            tcpSocket:
              port: 5432
            periodSeconds: 10
            failureThreshold: 10
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
# Prometheus exporter for the in-cluster PostgreSQL. It loads the extra
# queries from the postgres-exporter ConfigMap mounted at /conf.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-exporter
  namespace: keycloak
  labels:
    app: postgres-exporter
spec:
  replicas: 1
  revisionHistoryLimit: 10
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgres-exporter
  template:
    metadata:
      labels:
        app: postgres-exporter
      annotations:
        # Presumably a digest of the rendered config so that a config change
        # rolls the pod; generated by the chart — confirm before editing.
        checksum: "ea6be7f450cc15ae55e469caf5a789a1cfd67ff8612d737ec5d85c83d528ee52"
    spec:
      restartPolicy: Always
      containers:
        - name: postgres-exporter
          image: quay.io/prometheuscommunity/postgres-exporter:v0.10.1
          imagePullPolicy: Always
          env:
            # NOTE(review): the DSN embeds the database password as a plain
            # env literal and disables TLS on the hop to "postgres". The
            # exporter accepts DATA_SOURCE_URI plus DATA_SOURCE_USER /
            # DATA_SOURCE_PASS, which could be fed from keycloak-db-secret
            # through secretKeyRef instead.
            - name: DATA_SOURCE_NAME
              value: postgresql://keycloak:secret99@postgres:5432/keycloak?sslmode=disable
            - name: PG_EXPORTER_EXTEND_QUERY_PATH
              value: /conf/pgexporter-queries.yaml
          ports:
            - name: metrics
              containerPort: 9187
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /conf
          # All probes hit the /metrics endpoint over plain HTTP.
          startupProbe:
            httpGet:
              path: /metrics
              port: 9187
            initialDelaySeconds: 10
            periodSeconds: 2
            failureThreshold: 20
          readinessProbe:
            httpGet:
              path: /metrics
              port: 9187
            periodSeconds: 10
            failureThreshold: 10
          livenessProbe:
            httpGet:
              path: /metrics
              port: 9187
            periodSeconds: 10
            failureThreshold: 10
      volumes:
        - name: config
          configMap:
            name: postgres-exporter
---
# Source: keycloak/templates/sqlpad.yaml
# sqlpad web SQL client, preconfigured with one connection ("pgdemo") to the
# in-cluster PostgreSQL. Everything is configured through environment
# variables; the SQLPAD_CONNECTIONS__pgdemo__* group defines that connection.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sqlpad
  namespace: keycloak
  labels:
    app: sqlpad
spec:
  replicas: 1
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: sqlpad
  template:
    metadata:
      labels:
        app: sqlpad
    spec:
      restartPolicy: Always
      containers:
        - name: sqlpad
          image: sqlpad/sqlpad:6.11.0
          imagePullPolicy: Always
          env:
            # Admin login is admin/admin and the sqlpad Ingress publishes the
            # UI outside the cluster; acceptable only on a throwaway test
            # cluster.
            - name: SQLPAD_ADMIN
              value: "admin"
            - name: SQLPAD_ADMIN_PASSWORD
              value: "admin"
            - name: SQLPAD_PORT
              value: "3000"
            - name: SQLPAD_APP_LOG_LEVEL
              value: debug
            - name: SQLPAD_WEB_LOG_LEVEL
              value: warn
            - name: SQLPAD_SEED_DATA_PATH
              value: /etc/sqlpad/seed-data
            - name: SQLPAD_CONNECTIONS__pgdemo__name
              value: PostgresSQL Keycloak
            - name: SQLPAD_CONNECTIONS__pgdemo__driver
              value: postgres
            - name: SQLPAD_CONNECTIONS__pgdemo__host
              value: postgres
            - name: SQLPAD_CONNECTIONS__pgdemo__port
              value: "5432"
            - name: SQLPAD_CONNECTIONS__pgdemo__database
              value: keycloak
            - name: SQLPAD_CONNECTIONS__pgdemo__username
              value: keycloak
            # NOTE(review): "pass" does not match POSTGRES_PASSWORD (secret99)
            # on the postgres Deployment, so this connection looks unable to
            # authenticate as written — confirm against the chart values.
            - name: SQLPAD_CONNECTIONS__pgdemo__password
              value: pass
            - name: SQLPAD_CONNECTIONS__pgdemo__multiStatementTransactionEnabled
              value: "true"
            - name: SQLPAD_CONNECTIONS__pgdemo__idleTimeoutSeconds
              value: "86400"
            - name: SQLPAD_QUERY_RESULT_MAX_ROWS
              value: "100000"
          ports:
            - containerPort: 3000
              protocol: TCP
          # All probes request the UI root over plain HTTP.
          startupProbe:
            httpGet:
              path: /
              port: 3000
            initialDelaySeconds: 10
            periodSeconds: 2
            failureThreshold: 20
          readinessProbe:
            httpGet:
              path: /
              port: 3000
            periodSeconds: 10
            failureThreshold: 10
          livenessProbe:
            httpGet:
              path: /
              port: 3000
            periodSeconds: 10
            failureThreshold: 10
---
# Source: keycloak/templates/sqlpad.yaml
# Publishes the sqlpad UI outside the cluster on sqlpad.minikube.nip.io.
# The UI is protected only by the admin/admin login from the sqlpad
# Deployment, so this Ingress belongs on isolated test clusters only.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sqlpad
  namespace: keycloak
  labels:
    app: sqlpad
spec:
  defaultBackend:
    service:
      name: sqlpad
      port:
        number: 3000
  rules:
    - host: sqlpad.minikube.nip.io
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: sqlpad
                port:
                  number: 3000
---
# Source: keycloak/templates/keycloak.yaml
# Keycloak custom resource handled by the Keycloak operator. Secrets are
# referenced, never inlined: database credentials come from keycloak-db-secret,
# remote-cache credentials from remote-store-secret, the admin account from
# keycloak-preconfigured-admin and the serving certificate from
# keycloak-tls-secret. <...> tokens are placeholders to substitute per site.
# The tag::/end:: lines delimit regions included by the documentation.
# There are several callouts in this YAML marked with `# <1>' etc. See 'running/keycloak-deployment.adoc` for the details.
# tag::keycloak[]
# tag::keycloak-ispn[]
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  # end::keycloak-ispn[]
  instances: 1
  image: <KEYCLOAK_IMAGE_HERE> # <2>
  startOptimized: false # <2>
  hostname:
    hostname: <KEYCLOAK_URL_HERE>
  http:
    tlsSecret: keycloak-tls-secret
  resources:
    requests:
      memory: "1024M"
    limits:
      memory: "1024M"
  db:
    vendor: postgres
    url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
    poolMinSize: 15 # <1>
    poolInitialSize: 15
    poolMaxSize: 15
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  features:
    enabled:
      - multi-site # <3>
  transaction:
    xaEnabled: false # <4>
  # tag::keycloak-ispn[]
  additionalOptions:
    # end::keycloak-ispn[]
    # tag::keycloak-queue-size[]
    - name: http-max-queued-requests
      value: "1000"
    # end::keycloak-queue-size[]
    - name: log-console-output
      value: json
    - name: metrics-enabled # <5>
      value: "true"
    - name: http-pool-max-threads # <6>
      value: "200"
    # tag::keycloak-ispn[]
    - name: cache-remote-host # <1>
      value: "infinispan.keycloak.svc"
    - name: cache-remote-port # <2>
      value: "11222"
    - name: cache-remote-username # <3>
      secret:
        name: remote-store-secret
        key: username
    - name: cache-remote-password # <4>
      secret:
        name: remote-store-secret
        key: password
    - name: spi-connections-infinispan-quarkus-site-name # <5>
      value: keycloak
    # end::keycloak-ispn[]
    - name: db-driver
      value: software.amazon.jdbc.Driver
  # end::keycloak[]
  unsupported:
    podTemplate:
      metadata:
        annotations:
          # Appears to be a chart-generated digest over the rendered config that
          # also embeds the image placeholder, so substituting the image changes
          # it and rolls the pods — confirm against the chart template.
          checksum/config: "385f54cb8e4bf326f6970aa2a0c8e573d35d9071e69ab2baee252728748bca76-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0"
      spec:
        containers:
          - env:
              # We want to have an externally provided username and password, therefore, we override those two environment variables
              - name: KEYCLOAK_ADMIN
                valueFrom:
                  secretKeyRef:
                    name: keycloak-preconfigured-admin
                    key: username
                    optional: false
              - name: KEYCLOAK_ADMIN_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: keycloak-preconfigured-admin
                    key: password
                    optional: false
              - name: JAVA_OPTS_APPEND # <5>
                value: ""
            # No extra container ports are declared here (value is null).
            ports: null
# end::keycloak[]
#            readinessProbe:
#              exec:
#                command:
#                  - 'true'
#            livenessProbe:
#              exec:
#                command:
#                  - 'true'
            volumeMounts:
              # The provider jar is mounted as a single read-only file.
              - name: keycloak-providers
                mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
                subPath: keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
                readOnly: true
        volumes:
          - name: keycloak-providers
            configMap:
              name: keycloak-providers
---
# Source: keycloak/templates/keycloak-monitor.yaml
# Scrapes the Keycloak pods (metrics-enabled is set on the Keycloak CR) over
# HTTPS on port 8443.
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: keycloak-metrics
  namespace: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  podMetricsEndpoints:
    # todo: targetPort is deprecated, ask the operator to specify a name instead
    - targetPort: 8443
      scheme: https
      tlsConfig:
        # Prometheus accepts any certificate from the target, so this hop is
        # not authenticated. If the CA behind keycloak-tls-secret is at hand,
        # pin it with tlsConfig.ca and drop this flag.
        insecureSkipVerify: true
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
# Scrapes the postgres-exporter Service on its "metrics" port.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: postgres-exporter
  namespace: keycloak
  labels:
    app: postgres-exporter
spec:
  selector:
    matchLabels:
      app: postgres-exporter
  # Names the Service label whose value becomes the Prometheus job label; the
  # postgres-exporter Service in this file carries no label called jobLabel,
  # so the job name presumably falls back to the Service name — verify.
  jobLabel: jobLabel
  endpoints:
    - port: metrics