keycloak-scim/docs/guides/high-availability/examples/generated/keycloak.yaml
Michal Hajas 709165a90a
High availability guide updates (#32093)
* Remove connecting Infinispan to Keycloak building block
* Rephrase two sites restriction limitation
* Update the KCB generated yaml files for HA guide
* Remove setting number of owners to 1 for session caches as it is no longer necessary
* Add multi-site feature
* Remove histrograms and slos
* Replace stonith with fencing
* Switch for DG in community and product

Closes #31029

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-08-19 13:29:11 +02:00

562 lines
15 KiB
YAML

---
# Source: keycloak/templates/keycloak-db-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: keycloak-db-secret
namespace: keycloak
type: Opaque
data:
username: a2V5Y2xvYWs= # keycloak
password: c2VjcmV0OTk= # secret99
---
# Source: keycloak/templates/keycloak-initial-admin-secret.yaml
apiVersion: v1
kind: Secret
metadata:
labels:
app: keycloak
name: keycloak-preconfigured-admin
namespace: keycloak
type: kubernetes.io/basic-auth
data:
password: YWRtaW4= # admin by default
username: YWRtaW4= # admin
---
# Source: keycloak/templates/keycloak-tls-secret.yaml
apiVersion: v1
data:
tls.crt: ...
tls.key: ...
kind: Secret
metadata:
name: keycloak-tls-secret
namespace: keycloak
type: kubernetes.io/tls
---
# Source: keycloak/templates/keycloak-providers-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-providers
namespace: keycloak
binaryData:
keycloak-benchmark-dataset-0.13-SNAPSHOT.jar: ...
---
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-exporter
namespace: keycloak
data:
pgexporter-queries.yaml: |
# This is configuration file for postgres_exporter.
# Add custom metrics via SQL statements here as described here: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file
# See https://github.com/prometheus-community/postgres_exporter/blob/master/queries.yaml for examples.
pg_locks_waiting:
# language=SQL
query: |
WITH q_locks AS (select * from pg_locks where granted = false and pid != pg_backend_pid())
SELECT (select current_database()) as datname, lower(lockmodes) AS mode, coalesce((select count(*) FROM q_locks WHERE mode = lockmodes), 0) AS count FROM
unnest('{AccessShareLock, ExclusiveLock, RowShareLock, RowExclusiveLock, ShareLock, ShareRowExclusiveLock, AccessExclusiveLock, ShareUpdateExclusiveLock}'::text[]) lockmodes;
metrics:
- datname:
usage: "LABEL"
description: "Database name"
- mode:
usage: "LABEL"
description: "Lock type"
- count:
usage: "GAUGE"
description: "Number of locks"
---
# Source: keycloak/templates/keycloak-jvmdebug-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: keycloak
name: keycloak-jvmdebug
namespace: keycloak
spec:
type: NodePort
ports:
- name: jvmdebug
port: 8787
protocol: TCP
nodePort: 30012
selector:
app: keycloak
sessionAffinity: None
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
ports:
- port: 9187
name: metrics
protocol: TCP
targetPort: 9187
selector:
app: postgres-exporter
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/postgres/postgres-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: postgres-nodeport
namespace: keycloak
labels:
app: postgres
spec:
type: NodePort
ports:
- protocol: TCP
port: 5432
nodePort: 30009
selector:
app: postgres
---
# Source: keycloak/templates/postgres/postgres-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: postgres
name: postgres
namespace: keycloak
spec:
ports:
- port: 5432
protocol: TCP
targetPort: 5432
selector:
app: postgres
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
ports:
- port: 3000
protocol: TCP
targetPort: 3000
selector:
app: sqlpad
sessionAffinity: None
type: ClusterIP
---
# Source: keycloak/templates/postgres/postgres-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: postgres
name: postgres
namespace: keycloak
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: postgres
strategy:
type: Recreate
template:
metadata:
labels:
app: postgres
spec:
containers:
- imagePullPolicy: Always
env:
- name: POSTGRES_PASSWORD
value: secret99
- name: POSTGRES_USER
value: keycloak
- name: POSTGRES_DB
value: keycloak
image: postgres:15
volumeMounts:
# Using volume mount for PostgreSQL's data folder as it is otherwise not writable
- mountPath: /var/lib/postgresql
name: cache-volume
resources:
requests:
cpu: "2"
startupProbe:
tcpSocket:
port: 5432
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
tcpSocket:
port: 5432
failureThreshold: 10
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 5432
failureThreshold: 10
periodSeconds: 10
name: postgres
ports:
- containerPort: 5432
protocol: TCP
volumes:
- name: cache-volume
emptyDir: {}
restartPolicy: Always
# The rhel9/postgresql-13 is known to take ~30 seconds to shut down
# As this is a deployment with ephemeral storage, there is no need to wait as the data will be gone anyway
terminationGracePeriodSeconds: 0
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: postgres-exporter
strategy:
type: Recreate
template:
metadata:
labels:
app: postgres-exporter
annotations:
checksum: ea6be7f450cc15ae55e469caf5a789a1cfd67ff8612d737ec5d85c83d528ee52
spec:
containers:
- env:
- name: DATA_SOURCE_NAME
value: postgresql://keycloak:secret99@postgres:5432/keycloak?sslmode=disable
- name: PG_EXPORTER_EXTEND_QUERY_PATH
value: /conf/pgexporter-queries.yaml
image: quay.io/prometheuscommunity/postgres-exporter:v0.10.1
imagePullPolicy: Always
startupProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /metrics
port: 9187
failureThreshold: 10
periodSeconds: 10
name: postgres-exporter
ports:
- containerPort: 9187
name: metrics
protocol: TCP
volumeMounts:
- mountPath: /conf
name: config
restartPolicy: Always
volumes:
- name: config
configMap:
name: postgres-exporter
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: sqlpad
strategy:
type: Recreate
template:
metadata:
labels:
app: sqlpad
spec:
containers:
- env:
- name: SQLPAD_ADMIN
value: 'admin'
- name: SQLPAD_ADMIN_PASSWORD
value: 'admin'
- name: SQLPAD_PORT
value: '3000'
- name: SQLPAD_APP_LOG_LEVEL
value: debug
- name: SQLPAD_WEB_LOG_LEVEL
value: warn
- name: SQLPAD_SEED_DATA_PATH
value: /etc/sqlpad/seed-data
- name: SQLPAD_CONNECTIONS__pgdemo__name
value: PostgreSQL Keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__port
value: '5432'
- name: SQLPAD_CONNECTIONS__pgdemo__host
value: postgres
- name: SQLPAD_CONNECTIONS__pgdemo__username
value: keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__password
value: pass
- name: SQLPAD_CONNECTIONS__pgdemo__database
value: keycloak
- name: SQLPAD_CONNECTIONS__pgdemo__driver
value: postgres
- name: SQLPAD_CONNECTIONS__pgdemo__multiStatementTransactionEnabled
value: 'true'
- name: SQLPAD_CONNECTIONS__pgdemo__idleTimeoutSeconds
value: '86400'
- name: SQLPAD_QUERY_RESULT_MAX_ROWS
value: '100000'
image: sqlpad/sqlpad:6.11.0
imagePullPolicy: Always
startupProbe:
httpGet:
path: /
port: 3000
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 2
readinessProbe:
httpGet:
path: /
port: 3000
failureThreshold: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /
port: 3000
failureThreshold: 10
periodSeconds: 10
name: sqlpad
ports:
- containerPort: 3000
protocol: TCP
restartPolicy: Always
---
# Source: keycloak/templates/sqlpad.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app: sqlpad
name: sqlpad
namespace: keycloak
spec:
defaultBackend:
service:
name: sqlpad
port:
number: 3000
rules:
- host: sqlpad.minikube.nip.io
http:
paths:
- backend:
service:
name: sqlpad
port:
number: 3000
path: /
pathType: ImplementationSpecific
---
# Source: keycloak/templates/keycloak.yaml
# There are several callouts in this YAML marked with `# <1>' etc. See 'running/keycloak-deployment.adoc` for the details.
# tag::keycloak[]
# tag::keycloak-ispn[]
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
labels:
app: keycloak
name: keycloak
namespace: keycloak
spec:
# end::keycloak-ispn[]
hostname:
hostname: <KEYCLOAK_URL_HERE>
resources:
requests:
cpu: "2"
memory: "1250M"
limits:
cpu: "6"
memory: "2250M"
db:
vendor: postgres
url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
poolMinSize: 30 # <1>
poolInitialSize: 30
poolMaxSize: 30
usernameSecret:
name: keycloak-db-secret
key: username
passwordSecret:
name: keycloak-db-secret
key: password
image: <KEYCLOAK_IMAGE_HERE> # <2>
startOptimized: false # <2>
features:
enabled:
- multi-site # <3>
transaction:
xaEnabled: false # <4>
# tag::keycloak-ispn[]
additionalOptions:
# end::keycloak-ispn[]
# end::keycloak[]
- name: http-metrics-histograms-enabled
value: 'true'
- name: http-metrics-slos
value: '5,10,25,50,250,500'
# tag::keycloak[]
# tag::keycloak-queue-size[]
- name: http-max-queued-requests
value: "1000"
# end::keycloak-queue-size[]
- name: log-console-output
value: json
- name: metrics-enabled # <5>
value: 'true'
- name: http-pool-max-threads # <6>
value: "66"
# end::keycloak[]
# This block is just for documentation purposes as we need both versions of Infinispan config, with and without numbers to corresponding options
# tag::keycloak[]
- name: cache-remote-host
value: "infinispan.keycloak.svc"
- name: cache-remote-port
value: "11222"
- name: cache-remote-username
secret:
name: remote-store-secret
key: username
- name: cache-remote-password
secret:
name: remote-store-secret
key: password
- name: spi-connections-infinispan-quarkus-site-name
value: keycloak
- name: db-driver
value: software.amazon.jdbc.Driver
http:
tlsSecret: keycloak-tls-secret
instances: 3
# end::keycloak[]
unsupported:
podTemplate:
metadata:
annotations:
checksum/config: d0810a69cecfbd99a7527cb6d30decb179d7a7ee548119fc19d34f3ce2a777a7-9af6f9e8393229798cfb789798e36f84e39803616fe3e51b2a38e3ce05830565-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
spec:
containers:
- env:
# We want to have an externally provided username and password, therefore, we override those two environment variables
- name: KC_BOOTSTRAP_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-preconfigured-admin
key: username
optional: false
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-preconfigured-admin
key: password
optional: false
# JMX is disabled as it breaks Quarkus configuration. Issue is tracked in https://github.com/keycloak/keycloak-benchmark/issues/840
- name: JAVA_OPTS_APPEND # <5>
value: ""
ports:
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
volumeMounts:
- name: keycloak-providers
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.13-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.13-SNAPSHOT.jar
readOnly: true
volumes:
- name: keycloak-providers
configMap:
name: keycloak-providers
---
# Source: keycloak/templates/keycloak-monitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: keycloak-metrics
namespace: keycloak
spec:
selector:
matchLabels:
app: keycloak
podMetricsEndpoints:
- port: management
scheme: https
tlsConfig:
insecureSkipVerify: true
---
# Source: keycloak/templates/postgres/postgres-exporter.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app: postgres-exporter
name: postgres-exporter
namespace: keycloak
spec:
endpoints:
- port: metrics
jobLabel: jobLabel
selector:
matchLabels:
app: postgres-exporter