--- # Source: keycloak/templates/infinispan/remote-store-secret.yaml # tag::keycloak-ispn-secret[] apiVersion: v1 kind: Secret metadata: name: remote-store-secret namespace: keycloak type: Opaque data: username: ZGV2ZWxvcGVy # base64 encoding for 'developer' password: c2VjdXJlX3Bhc3N3b3Jk # base64 encoding for 'secure_password' # end::keycloak-ispn-secret[] --- # Source: keycloak/templates/keycloak-db-secret.yaml apiVersion: v1 kind: Secret metadata: name: keycloak-db-secret namespace: keycloak type: Opaque data: username: a2V5Y2xvYWs= # keycloak password: c2VjcmV0OTk= # secret99 --- # Source: keycloak/templates/keycloak-initial-admin-secret.yaml apiVersion: v1 kind: Secret metadata: labels: app: keycloak name: keycloak-preconfigured-admin namespace: keycloak type: kubernetes.io/basic-auth data: password: YWRtaW4= # admin by default username: YWRtaW4= # admin --- # Source: keycloak/templates/keycloak-tls-secret.yaml apiVersion: v1 data: tls.crt: ... tls.key: ... kind: Secret metadata: name: keycloak-tls-secret namespace: keycloak type: kubernetes.io/tls --- # Source: keycloak/templates/keycloak-providers-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: keycloak-providers namespace: keycloak binaryData: keycloak-benchmark-dataset-0.14-SNAPSHOT.jar: ... --- # Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: postgres-exporter namespace: keycloak data: pgexporter-queries.yaml: | # This is configuration file for postgres_exporter. # Add custom metrics via SQL statements here as described here: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file # See https://github.com/prometheus-community/postgres_exporter/blob/master/queries.yaml for examples. pg_locks_waiting: # language=SQL query: | WITH q_locks AS (select * from pg_locks where granted = false and pid != pg_backend_pid()) SELECT (select current_database()) as datname, lower(lockmodes) AS mode, coalesce((select count(*) FROM q_locks WHERE mode = lockmodes), 0) AS count FROM unnest('{AccessShareLock, ExclusiveLock, RowShareLock, RowExclusiveLock, ShareLock, ShareRowExclusiveLock, AccessExclusiveLock, ShareUpdateExclusiveLock}'::text[]) lockmodes; metrics: - datname: usage: "LABEL" description: "Database name" - mode: usage: "LABEL" description: "Lock type" - count: usage: "GAUGE" description: "Number of locks" --- # Source: keycloak/templates/keycloak-jvmdebug-service.yaml apiVersion: v1 kind: Service metadata: labels: app: keycloak name: keycloak-jvmdebug namespace: keycloak spec: type: NodePort ports: - name: jvmdebug port: 8787 protocol: TCP nodePort: 30012 selector: app: keycloak sessionAffinity: None --- # Source: keycloak/templates/postgres/postgres-exporter.yaml apiVersion: v1 kind: Service metadata: labels: app: postgres-exporter name: postgres-exporter namespace: keycloak spec: ports: - port: 9187 name: metrics protocol: TCP targetPort: 9187 selector: app: postgres-exporter sessionAffinity: None type: ClusterIP --- # Source: keycloak/templates/postgres/postgres-nodeport.yaml apiVersion: v1 kind: Service metadata: name: postgres-nodeport namespace: keycloak labels: app: postgres spec: type: NodePort ports: - protocol: TCP port: 5432 nodePort: 30009 selector: app: postgres --- # Source: keycloak/templates/postgres/postgres-service.yaml apiVersion: v1 kind: Service metadata: labels: app: postgres name: postgres namespace: keycloak spec: ports: - port: 5432 protocol: TCP targetPort: 5432 selector: app: postgres sessionAffinity: None type: ClusterIP --- # Source: keycloak/templates/sqlpad.yaml apiVersion: v1 kind: Service metadata: labels: app: sqlpad name: sqlpad namespace: keycloak spec: ports: - port: 3000 protocol: TCP targetPort: 3000 selector: app: sqlpad sessionAffinity: None type: ClusterIP --- # Source: keycloak/templates/postgres/postgres-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app: postgres name: postgres namespace: keycloak spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: postgres strategy: type: Recreate template: metadata: labels: app: postgres spec: containers: - imagePullPolicy: Always env: - name: POSTGRES_PASSWORD value: secret99 - name: POSTGRES_USER value: keycloak - name: POSTGRES_DB value: keycloak image: postgres:15 volumeMounts: # Using volume mount for PostgreSQL's data folder as it is otherwise not writable - mountPath: /var/lib/postgresql name: cache-volume resources: requests: cpu: "0" startupProbe: tcpSocket: port: 5432 failureThreshold: 20 initialDelaySeconds: 10 periodSeconds: 2 readinessProbe: tcpSocket: port: 5432 failureThreshold: 10 periodSeconds: 10 livenessProbe: tcpSocket: port: 5432 failureThreshold: 10 periodSeconds: 10 name: postgres ports: - containerPort: 5432 protocol: TCP volumes: - name: cache-volume emptyDir: {} restartPolicy: Always # The rhel9/postgresql-13 is known to take ~30 seconds to shut down # As this is a deployment with ephemeral storage, there is no need to wait as the data will be gone anyway terminationGracePeriodSeconds: 0 --- # Source: keycloak/templates/postgres/postgres-exporter.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app: postgres-exporter name: postgres-exporter namespace: keycloak spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: postgres-exporter strategy: type: Recreate template: metadata: labels: app: postgres-exporter annotations: checksum: ea6be7f450cc15ae55e469caf5a789a1cfd67ff8612d737ec5d85c83d528ee52 spec: containers: - env: - name: DATA_SOURCE_NAME value: postgresql://keycloak:secret99@postgres:5432/keycloak?sslmode=disable - name: PG_EXPORTER_EXTEND_QUERY_PATH value: /conf/pgexporter-queries.yaml image: quay.io/prometheuscommunity/postgres-exporter:v0.10.1 imagePullPolicy: Always startupProbe: httpGet: path: /metrics port: 9187 failureThreshold: 20 initialDelaySeconds: 10 periodSeconds: 2 readinessProbe: httpGet: path: /metrics port: 9187 failureThreshold: 10 periodSeconds: 10 livenessProbe: httpGet: path: /metrics port: 9187 failureThreshold: 10 periodSeconds: 10 name: postgres-exporter ports: - containerPort: 9187 name: metrics protocol: TCP volumeMounts: - mountPath: /conf name: config restartPolicy: Always volumes: - name: config configMap: name: postgres-exporter --- # Source: keycloak/templates/sqlpad.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app: sqlpad name: sqlpad namespace: keycloak spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: sqlpad strategy: type: Recreate template: metadata: labels: app: sqlpad spec: containers: - env: - name: SQLPAD_ADMIN value: 'admin' - name: SQLPAD_ADMIN_PASSWORD value: 'admin' - name: SQLPAD_PORT value: '3000' - name: SQLPAD_APP_LOG_LEVEL value: debug - name: SQLPAD_WEB_LOG_LEVEL value: warn - name: SQLPAD_SEED_DATA_PATH value: /etc/sqlpad/seed-data - name: SQLPAD_CONNECTIONS__pgdemo__name value: PostgreSQL Keycloak - name: SQLPAD_CONNECTIONS__pgdemo__port value: '5432' - name: SQLPAD_CONNECTIONS__pgdemo__host value: postgres - name: SQLPAD_CONNECTIONS__pgdemo__username value: keycloak - name: SQLPAD_CONNECTIONS__pgdemo__password value: pass - name: SQLPAD_CONNECTIONS__pgdemo__database value: keycloak - name: SQLPAD_CONNECTIONS__pgdemo__driver value: postgres - name: SQLPAD_CONNECTIONS__pgdemo__multiStatementTransactionEnabled value: 'true' - name: SQLPAD_CONNECTIONS__pgdemo__idleTimeoutSeconds value: '86400' - name: SQLPAD_QUERY_RESULT_MAX_ROWS value: '100000' image: sqlpad/sqlpad:6.11.0 imagePullPolicy: Always startupProbe: httpGet: path: / port: 3000 failureThreshold: 20 initialDelaySeconds: 10 periodSeconds: 2 readinessProbe: httpGet: path: / port: 3000 failureThreshold: 10 periodSeconds: 10 livenessProbe: httpGet: path: / port: 3000 failureThreshold: 10 periodSeconds: 10 name: sqlpad ports: - containerPort: 3000 protocol: TCP restartPolicy: Always --- # Source: keycloak/templates/sqlpad.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: labels: app: sqlpad name: sqlpad namespace: keycloak spec: defaultBackend: service: name: sqlpad port: number: 3000 rules: - host: sqlpad.minikube.nip.io http: paths: - backend: service: name: sqlpad port: number: 3000 path: / pathType: ImplementationSpecific --- # Source: keycloak/templates/keycloak.yaml # There are several callouts in this YAML marked with `# <1>' etc. See 'running/keycloak-deployment.adoc` for the details. # tag::keycloak[] # tag::keycloak-ispn[] apiVersion: k8s.keycloak.org/v2alpha1 kind: Keycloak metadata: labels: app: keycloak name: keycloak namespace: keycloak spec: # end::keycloak-ispn[] hostname: hostname: resources: requests: memory: "1024M" limits: memory: "1024M" db: vendor: postgres url: jdbc:aws-wrapper:postgresql://:5432/keycloak poolMinSize: 15 # <1> poolInitialSize: 15 poolMaxSize: 15 usernameSecret: name: keycloak-db-secret key: username passwordSecret: name: keycloak-db-secret key: password image: # <2> startOptimized: false # <2> features: enabled: - multi-site # <3> transaction: xaEnabled: false # <4> # tag::keycloak-ispn[] additionalOptions: # end::keycloak-ispn[] # end::keycloak[] - name: http-metrics-histograms-enabled value: 'true' - name: http-metrics-slos value: '5,10,25,50,250,500' # tag::keycloak[] # tag::keycloak-queue-size[] - name: http-max-queued-requests value: "1000" # end::keycloak-queue-size[] - name: log-console-output value: json - name: metrics-enabled # <5> value: 'true' - name: http-pool-max-threads # <6> value: "200" # tag::keycloak-ispn[] - name: cache-remote-host # <1> value: "infinispan.keycloak.svc" - name: cache-remote-port # <2> value: "11222" - name: cache-remote-username # <3> secret: name: remote-store-secret key: username - name: cache-remote-password # <4> secret: name: remote-store-secret key: password - name: spi-connections-infinispan-quarkus-site-name # <5> value: keycloak # end::keycloak-ispn[] - name: db-driver value: software.amazon.jdbc.Driver http: tlsSecret: keycloak-tls-secret instances: 1 # end::keycloak[] unsupported: podTemplate: metadata: annotations: checksum/config: 90d2c8ddd9b32fd443c5823cee0ef790ce58657d13e9d668e48e1ad696b2403a-9bfd430c6539df907f0421bb34c92fb32194d461565bd342f7f96ff5a5408273--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b spec: containers: - env: # We want to have an externally provided username and password, therefore, we override those two environment variables - name: KC_BOOTSTRAP_ADMIN_USERNAME valueFrom: secretKeyRef: name: keycloak-preconfigured-admin key: username optional: false - name: KC_BOOTSTRAP_ADMIN_PASSWORD valueFrom: secretKeyRef: name: keycloak-preconfigured-admin key: password optional: false - name: JAVA_OPTS_APPEND # <5> value: "" ports: # end::keycloak[] # readinessProbe: # exec: # command: # - 'true' # livenessProbe: # exec: # command: # - 'true' volumeMounts: - name: keycloak-providers mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.14-SNAPSHOT.jar subPath: keycloak-benchmark-dataset-0.14-SNAPSHOT.jar readOnly: true volumes: - name: keycloak-providers configMap: name: keycloak-providers --- # Source: keycloak/templates/keycloak-monitor.yaml apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: keycloak-metrics namespace: keycloak spec: selector: matchLabels: app: keycloak podMetricsEndpoints: - port: management scheme: https tlsConfig: insecureSkipVerify: true --- # Source: keycloak/templates/postgres/postgres-exporter.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: app: postgres-exporter name: postgres-exporter namespace: keycloak spec: endpoints: - port: metrics jobLabel: jobLabel selector: matchLabels: app: postgres-exporter