709165a90a
* Remove connecting Infinispan to Keycloak building block * Rephrase two sites restriction limitation * Update the KCB generated yaml files for HA guide * Remove setting number of owners to 1 for session caches as it is no longer necessary * Add multi-site feature * Remove histrograms and slos * Replace stonith with fencing * Switch for DG in community and product Closes #31029 Signed-off-by: Michal Hajas <mhajas@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
572 lines
15 KiB
YAML
572 lines
15 KiB
YAML
---
|
|
# Source: keycloak/templates/infinispan/remote-store-secret.yaml
|
|
# tag::keycloak-ispn-secret[]
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: remote-store-secret
|
|
namespace: keycloak
|
|
type: Opaque
|
|
data:
|
|
username: ZGV2ZWxvcGVy # base64 encoding for 'developer'
|
|
password: c2VjdXJlX3Bhc3N3b3Jk # base64 encoding for 'secure_password'
|
|
# end::keycloak-ispn-secret[]
|
|
---
|
|
# Source: keycloak/templates/keycloak-db-secret.yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-db-secret
|
|
namespace: keycloak
|
|
type: Opaque
|
|
data:
|
|
username: a2V5Y2xvYWs= # keycloak
|
|
password: c2VjcmV0OTk= # secret99
|
|
---
|
|
# Source: keycloak/templates/keycloak-initial-admin-secret.yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
labels:
|
|
app: keycloak
|
|
name: keycloak-preconfigured-admin
|
|
namespace: keycloak
|
|
type: kubernetes.io/basic-auth
|
|
data:
|
|
password: YWRtaW4= # admin by default
|
|
username: YWRtaW4= # admin
|
|
---
|
|
# Source: keycloak/templates/keycloak-tls-secret.yaml
|
|
apiVersion: v1
|
|
data:
|
|
tls.crt: ...
|
|
tls.key: ...
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-tls-secret
|
|
namespace: keycloak
|
|
type: kubernetes.io/tls
|
|
---
|
|
# Source: keycloak/templates/keycloak-providers-configmap.yaml
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: keycloak-providers
|
|
namespace: keycloak
|
|
binaryData:
|
|
keycloak-benchmark-dataset-0.13-SNAPSHOT.jar: ...
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: postgres-exporter
|
|
namespace: keycloak
|
|
data:
|
|
pgexporter-queries.yaml: |
|
|
# This is configuration file for postgres_exporter.
|
|
# Add custom metrics via SQL statements here as described here: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file
|
|
# See https://github.com/prometheus-community/postgres_exporter/blob/master/queries.yaml for examples.
|
|
pg_locks_waiting:
|
|
# language=SQL
|
|
query: |
|
|
WITH q_locks AS (select * from pg_locks where granted = false and pid != pg_backend_pid())
|
|
SELECT (select current_database()) as datname, lower(lockmodes) AS mode, coalesce((select count(*) FROM q_locks WHERE mode = lockmodes), 0) AS count FROM
|
|
unnest('{AccessShareLock, ExclusiveLock, RowShareLock, RowExclusiveLock, ShareLock, ShareRowExclusiveLock, AccessExclusiveLock, ShareUpdateExclusiveLock}'::text[]) lockmodes;
|
|
metrics:
|
|
- datname:
|
|
usage: "LABEL"
|
|
description: "Database name"
|
|
- mode:
|
|
usage: "LABEL"
|
|
description: "Lock type"
|
|
- count:
|
|
usage: "GAUGE"
|
|
description: "Number of locks"
|
|
---
|
|
# Source: keycloak/templates/keycloak-jvmdebug-service.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: keycloak
|
|
name: keycloak-jvmdebug
|
|
namespace: keycloak
|
|
spec:
|
|
type: NodePort
|
|
ports:
|
|
- name: jvmdebug
|
|
port: 8787
|
|
protocol: TCP
|
|
nodePort: 30012
|
|
selector:
|
|
app: keycloak
|
|
sessionAffinity: None
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-exporter.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: postgres-exporter
|
|
name: postgres-exporter
|
|
namespace: keycloak
|
|
spec:
|
|
ports:
|
|
- port: 9187
|
|
name: metrics
|
|
protocol: TCP
|
|
targetPort: 9187
|
|
selector:
|
|
app: postgres-exporter
|
|
sessionAffinity: None
|
|
type: ClusterIP
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-nodeport.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: postgres-nodeport
|
|
namespace: keycloak
|
|
labels:
|
|
app: postgres
|
|
spec:
|
|
type: NodePort
|
|
ports:
|
|
- protocol: TCP
|
|
port: 5432
|
|
nodePort: 30009
|
|
selector:
|
|
app: postgres
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-service.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: postgres
|
|
name: postgres
|
|
namespace: keycloak
|
|
spec:
|
|
ports:
|
|
- port: 5432
|
|
protocol: TCP
|
|
targetPort: 5432
|
|
selector:
|
|
app: postgres
|
|
sessionAffinity: None
|
|
type: ClusterIP
|
|
---
|
|
# Source: keycloak/templates/sqlpad.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: sqlpad
|
|
name: sqlpad
|
|
namespace: keycloak
|
|
spec:
|
|
ports:
|
|
- port: 3000
|
|
protocol: TCP
|
|
targetPort: 3000
|
|
selector:
|
|
app: sqlpad
|
|
sessionAffinity: None
|
|
type: ClusterIP
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-deployment.yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: postgres
|
|
name: postgres
|
|
namespace: keycloak
|
|
spec:
|
|
progressDeadlineSeconds: 600
|
|
replicas: 1
|
|
revisionHistoryLimit: 10
|
|
selector:
|
|
matchLabels:
|
|
app: postgres
|
|
strategy:
|
|
type: Recreate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: postgres
|
|
spec:
|
|
containers:
|
|
- imagePullPolicy: Always
|
|
env:
|
|
- name: POSTGRES_PASSWORD
|
|
value: secret99
|
|
- name: POSTGRES_USER
|
|
value: keycloak
|
|
- name: POSTGRES_DB
|
|
value: keycloak
|
|
image: postgres:15
|
|
volumeMounts:
|
|
# Using volume mount for PostgreSQL's data folder as it is otherwise not writable
|
|
- mountPath: /var/lib/postgresql
|
|
name: cache-volume
|
|
resources:
|
|
requests:
|
|
cpu: "0"
|
|
startupProbe:
|
|
tcpSocket:
|
|
port: 5432
|
|
failureThreshold: 20
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 2
|
|
readinessProbe:
|
|
tcpSocket:
|
|
port: 5432
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
livenessProbe:
|
|
tcpSocket:
|
|
port: 5432
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
name: postgres
|
|
ports:
|
|
- containerPort: 5432
|
|
protocol: TCP
|
|
volumes:
|
|
- name: cache-volume
|
|
emptyDir: {}
|
|
restartPolicy: Always
|
|
# The rhel9/postgresql-13 is known to take ~30 seconds to shut down
|
|
# As this is a deployment with ephemeral storage, there is no need to wait as the data will be gone anyway
|
|
terminationGracePeriodSeconds: 0
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-exporter.yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: postgres-exporter
|
|
name: postgres-exporter
|
|
namespace: keycloak
|
|
spec:
|
|
replicas: 1
|
|
revisionHistoryLimit: 10
|
|
selector:
|
|
matchLabels:
|
|
app: postgres-exporter
|
|
strategy:
|
|
type: Recreate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: postgres-exporter
|
|
annotations:
|
|
checksum: ea6be7f450cc15ae55e469caf5a789a1cfd67ff8612d737ec5d85c83d528ee52
|
|
spec:
|
|
containers:
|
|
- env:
|
|
- name: DATA_SOURCE_NAME
|
|
value: postgresql://keycloak:secret99@postgres:5432/keycloak?sslmode=disable
|
|
- name: PG_EXPORTER_EXTEND_QUERY_PATH
|
|
value: /conf/pgexporter-queries.yaml
|
|
image: quay.io/prometheuscommunity/postgres-exporter:v0.10.1
|
|
imagePullPolicy: Always
|
|
startupProbe:
|
|
httpGet:
|
|
path: /metrics
|
|
port: 9187
|
|
failureThreshold: 20
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 2
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /metrics
|
|
port: 9187
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /metrics
|
|
port: 9187
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
name: postgres-exporter
|
|
ports:
|
|
- containerPort: 9187
|
|
name: metrics
|
|
protocol: TCP
|
|
volumeMounts:
|
|
- mountPath: /conf
|
|
name: config
|
|
restartPolicy: Always
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: postgres-exporter
|
|
---
|
|
# Source: keycloak/templates/sqlpad.yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: sqlpad
|
|
name: sqlpad
|
|
namespace: keycloak
|
|
spec:
|
|
progressDeadlineSeconds: 600
|
|
replicas: 1
|
|
revisionHistoryLimit: 10
|
|
selector:
|
|
matchLabels:
|
|
app: sqlpad
|
|
strategy:
|
|
type: Recreate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: sqlpad
|
|
spec:
|
|
containers:
|
|
- env:
|
|
- name: SQLPAD_ADMIN
|
|
value: 'admin'
|
|
- name: SQLPAD_ADMIN_PASSWORD
|
|
value: 'admin'
|
|
- name: SQLPAD_PORT
|
|
value: '3000'
|
|
- name: SQLPAD_APP_LOG_LEVEL
|
|
value: debug
|
|
- name: SQLPAD_WEB_LOG_LEVEL
|
|
value: warn
|
|
- name: SQLPAD_SEED_DATA_PATH
|
|
value: /etc/sqlpad/seed-data
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__name
|
|
value: PostgreSQL Keycloak
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__port
|
|
value: '5432'
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__host
|
|
value: postgres
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__username
|
|
value: keycloak
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__password
|
|
value: pass
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__database
|
|
value: keycloak
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__driver
|
|
value: postgres
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__multiStatementTransactionEnabled
|
|
value: 'true'
|
|
- name: SQLPAD_CONNECTIONS__pgdemo__idleTimeoutSeconds
|
|
value: '86400'
|
|
- name: SQLPAD_QUERY_RESULT_MAX_ROWS
|
|
value: '100000'
|
|
image: sqlpad/sqlpad:6.11.0
|
|
imagePullPolicy: Always
|
|
startupProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 3000
|
|
failureThreshold: 20
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 2
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 3000
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 3000
|
|
failureThreshold: 10
|
|
periodSeconds: 10
|
|
name: sqlpad
|
|
ports:
|
|
- containerPort: 3000
|
|
protocol: TCP
|
|
restartPolicy: Always
|
|
---
|
|
# Source: keycloak/templates/sqlpad.yaml
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
labels:
|
|
app: sqlpad
|
|
name: sqlpad
|
|
namespace: keycloak
|
|
spec:
|
|
defaultBackend:
|
|
service:
|
|
name: sqlpad
|
|
port:
|
|
number: 3000
|
|
rules:
|
|
- host: sqlpad.minikube.nip.io
|
|
http:
|
|
paths:
|
|
- backend:
|
|
service:
|
|
name: sqlpad
|
|
port:
|
|
number: 3000
|
|
path: /
|
|
pathType: ImplementationSpecific
|
|
---
|
|
# Source: keycloak/templates/keycloak.yaml
|
|
# There are several callouts in this YAML marked with `# <1>' etc. See 'running/keycloak-deployment.adoc` for the details.
|
|
# tag::keycloak[]
|
|
# tag::keycloak-ispn[]
|
|
apiVersion: k8s.keycloak.org/v2alpha1
|
|
kind: Keycloak
|
|
metadata:
|
|
labels:
|
|
app: keycloak
|
|
name: keycloak
|
|
namespace: keycloak
|
|
spec:
|
|
# end::keycloak-ispn[]
|
|
hostname:
|
|
hostname: <KEYCLOAK_URL_HERE>
|
|
resources:
|
|
requests:
|
|
memory: "1024M"
|
|
limits:
|
|
memory: "1024M"
|
|
db:
|
|
vendor: postgres
|
|
url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
|
|
poolMinSize: 15 # <1>
|
|
poolInitialSize: 15
|
|
poolMaxSize: 15
|
|
usernameSecret:
|
|
name: keycloak-db-secret
|
|
key: username
|
|
passwordSecret:
|
|
name: keycloak-db-secret
|
|
key: password
|
|
image: <KEYCLOAK_IMAGE_HERE> # <2>
|
|
startOptimized: false # <2>
|
|
features:
|
|
enabled:
|
|
- multi-site # <3>
|
|
transaction:
|
|
xaEnabled: false # <4>
|
|
# tag::keycloak-ispn[]
|
|
additionalOptions:
|
|
# end::keycloak-ispn[]
|
|
# end::keycloak[]
|
|
- name: http-metrics-histograms-enabled
|
|
value: 'true'
|
|
- name: http-metrics-slos
|
|
value: '5,10,25,50,250,500'
|
|
# tag::keycloak[]
|
|
# tag::keycloak-queue-size[]
|
|
- name: http-max-queued-requests
|
|
value: "1000"
|
|
# end::keycloak-queue-size[]
|
|
- name: log-console-output
|
|
value: json
|
|
- name: metrics-enabled # <5>
|
|
value: 'true'
|
|
- name: http-pool-max-threads # <6>
|
|
value: "200"
|
|
# tag::keycloak-ispn[]
|
|
- name: cache-remote-host # <1>
|
|
value: "infinispan.keycloak.svc"
|
|
- name: cache-remote-port # <2>
|
|
value: "11222"
|
|
- name: cache-remote-username # <3>
|
|
secret:
|
|
name: remote-store-secret
|
|
key: username
|
|
- name: cache-remote-password # <4>
|
|
secret:
|
|
name: remote-store-secret
|
|
key: password
|
|
- name: spi-connections-infinispan-quarkus-site-name # <5>
|
|
value: keycloak
|
|
# end::keycloak-ispn[]
|
|
- name: db-driver
|
|
value: software.amazon.jdbc.Driver
|
|
http:
|
|
tlsSecret: keycloak-tls-secret
|
|
instances: 1
|
|
# end::keycloak[]
|
|
unsupported:
|
|
podTemplate:
|
|
metadata:
|
|
annotations:
|
|
checksum/config: d0810a69cecfbd99a7527cb6d30decb179d7a7ee548119fc19d34f3ce2a777a7-9bfd430c6539df907f0421bb34c92fb32194d461565bd342f7f96ff5a5408273-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
|
|
spec:
|
|
containers:
|
|
- env:
|
|
# We want to have an externally provided username and password, therefore, we override those two environment variables
|
|
- name: KC_BOOTSTRAP_ADMIN_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-preconfigured-admin
|
|
key: username
|
|
optional: false
|
|
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-preconfigured-admin
|
|
key: password
|
|
optional: false
|
|
# JMX is disabled as it breaks Quarkus configuration. Issue is tracked in https://github.com/keycloak/keycloak-benchmark/issues/840
|
|
- name: JAVA_OPTS_APPEND # <5>
|
|
value: ""
|
|
ports:
|
|
# end::keycloak[]
|
|
# readinessProbe:
|
|
# exec:
|
|
# command:
|
|
# - 'true'
|
|
# livenessProbe:
|
|
# exec:
|
|
# command:
|
|
# - 'true'
|
|
volumeMounts:
|
|
- name: keycloak-providers
|
|
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.13-SNAPSHOT.jar
|
|
subPath: keycloak-benchmark-dataset-0.13-SNAPSHOT.jar
|
|
readOnly: true
|
|
volumes:
|
|
- name: keycloak-providers
|
|
configMap:
|
|
name: keycloak-providers
|
|
---
|
|
# Source: keycloak/templates/keycloak-monitor.yaml
|
|
apiVersion: monitoring.coreos.com/v1
|
|
kind: PodMonitor
|
|
metadata:
|
|
name: keycloak-metrics
|
|
namespace: keycloak
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: keycloak
|
|
podMetricsEndpoints:
|
|
- port: management
|
|
scheme: https
|
|
tlsConfig:
|
|
insecureSkipVerify: true
|
|
---
|
|
# Source: keycloak/templates/postgres/postgres-exporter.yaml
|
|
apiVersion: monitoring.coreos.com/v1
|
|
kind: ServiceMonitor
|
|
metadata:
|
|
labels:
|
|
app: postgres-exporter
|
|
name: postgres-exporter
|
|
namespace: keycloak
|
|
spec:
|
|
endpoints:
|
|
- port: metrics
|
|
jobLabel: jobLabel
|
|
selector:
|
|
matchLabels:
|
|
app: postgres-exporter
|