FMJ Studios - Keycloak Operator Helm Chart

Keycloak is an open-source identity and access management product that provides single sign-on for modern applications and services. It supports various protocols such as OpenID, OAuth version 2.0 and SAML, and provides features such as user management, two-factor authentication, permissions and roles management, creating token services, etc.

The Keycloak Operator allows you to deploy dedicated instances of Keycloak at will using the newly registered Keycloak CustomResourceDefinition. Unfortunately, the Keycloak Project does not provide a way to install the Operator via a Helm Chart, which makes it challenging to manage. This Helm Chart is built from the official upstream sources and closely tracks them for changes. It delivers all of these features within a single Docker image available on quay.io.

Head to the Keycloak GitHub Repository for in-depth documentation.

✨ TL;DR

Helm Repository Installation

helm repo add fmjstudios https://fmjstudios.github.io/helm
helm install keycloak-operator fmjstudios/keycloak-operator --version X.Y.Z

OCI Installation

helm install keycloak-operator oci://ghcr.io/fmjstudios/helm/keycloak-operator --version X.Y.Z

Introduction

This chart bootstraps a Keycloak Operator Deployment on a Kubernetes cluster using the Helm package manager. A Service manifest is also created for cluster networking. The chart creates the RBAC ClusterRoles keycloakrealmimportcontroller-cluster-role and keycloakcontroller-cluster-role and the Role keycloak-operator-role. These are enabled by default.

The chart supports configuring the Kubernetes manifests created for the Operator; however, modifications are somewhat discouraged, since the official release for vanilla Kubernetes uses static manifests. The Operator itself does not offer any sort of configuration (to my knowledge). I will try to ensure the chart always matches the upstream deployment at the given versions.

After deployment, the Operator gives you access to the Keycloak CR, making the deployment of Keycloak (even as a cluster) as simple as:

kubectl apply -f - <<EOF
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  instances: 1
  db:
    vendor: postgres
    host: postgres-db
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: example-tls-secret
  hostname:
    hostname: test.keycloak.org
  proxy:
    headers: xforwarded
EOF

Parameters

Image parameters

| Name | Description | Value |
| --- | --- | --- |
| `image.registry` | The Docker registry to pull the image from | `quay.io` |
| `image.repository` | The registry repository to pull the image from | `keycloak/keycloak-operator` |
| `image.tag` | The image tag to pull | `26.0.6` |
| `image.digest` | The image digest to pull | `""` |
| `image.pullPolicy` | The Kubernetes image pull policy | `IfNotPresent` |
| `image.pullSecrets` | A list of secrets to use for pulling images from private registries | `[]` |
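
With the defaults above, `image.digest` is empty, so the Operator image is selected by tag, and a tag can be re-pointed at different content in the registry. The following check is an added example, not part of this chart: it reads rendered manifests on stdin and fails if any `image:` reference is not pinned by digest. The sample manifests and the dummy digest are constructed, and how the chart composes the final image reference from these values is an assumption.

```shell
#!/bin/sh
# Added example, not part of the chart. Reads rendered Kubernetes YAML on
# stdin and reports container images that are not pinned by digest.

# Print every `image:` reference that lacks a trailing @sha256:<64 hex>.
unpinned_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*\([^[:space:]#]\{1,\}\).*$/\1/p' \
    | tr -d "\"'" \
    | grep -Ev '@sha256:[0-9a-f]{64}$' || true
}

# Return non-zero (and name the offenders on stderr) if anything is unpinned.
check_pinned() {
  bad=$(unpinned_images)
  [ -z "$bad" ] && return 0
  for ref in $bad; do printf 'unpinned image: %s\n' "$ref" >&2; done
  return 1
}

# Constructed sample input; the digest is a dummy value, not a real image digest.
FAKE_DIGEST="sha256:$(printf '%064d' 0)"
sample_tag_only() {
  printf '%s\n' 'kind: Deployment' 'spec:' '  containers:' \
    '    - name: operator' \
    '      image: "quay.io/keycloak/keycloak-operator:26.0.6"'
}
sample_pinned() {
  printf '%s\n' 'kind: Deployment' 'spec:' '  containers:' \
    "    - image: quay.io/keycloak/keycloak-operator:26.0.6@$FAKE_DIGEST"
}

# Typical use against the real chart (needs network access, so not run here):
#   helm template keycloak-operator fmjstudios/keycloak-operator --version X.Y.Z | check_pinned
```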

Name overrides

| Name | Description | Value |
| --- | --- | --- |
| `nameOverride` | String to partially override `kcOperator.fullname` | `""` |
| `fullnameOverride` | String to fully override `kcOperator.fullname` | `""` |

Service parameters

| Name | Description | Value |
| --- | --- | --- |
| `service.type` | The type of service to create | `ClusterIP` |
| `service.port` | The port to use on the service | `80` |
| `service.nodePort` | The Node port to use on the service | `30080` |
| `service.annotations` | Annotations for the service resource | `{}` |
| `service.labels` | Labels for the service resource | `{}` |
| `service.externalTrafficPolicy` | The external traffic policy for the service | `Cluster` |
| `service.internalTrafficPolicy` | The internal traffic policy for the service | `Cluster` |
| `service.clusterIP` | Define a static cluster IP for the service | `""` |
| `service.loadBalancerIP` | Set the Load Balancer IP | `""` |
| `service.loadBalancerClass` | Define Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
| `service.loadBalancerSourceRanges` | Service Load Balancer source ranges | `[]` |
| `service.externalIPs` | Service External IPs | `[]` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.ipFamilyPolicy` | The ipFamilyPolicy | `{}` |

RBAC parameters

| Name | Description | Value |
| --- | --- | --- |
| `rbac.create` | Whether to create RBAC resources | `true` |

Service Account parameters

| Name | Description | Value |
| --- | --- | --- |
| `serviceAccount.create` | Whether a service account should be created | `true` |
| `serviceAccount.automount` | Whether to automount the service account token | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | A custom name for the service account, otherwise `kcOperator.fullname` is used | `""` |

Liveness Probe parameters

| Name | Description | Value |
| --- | --- | --- |
| `livenessProbe.enabled` | Enable or disable the use of liveness probes | `true` |
| `livenessProbe.initialDelaySeconds` | Configure the initial delay seconds for the liveness probe | `5` |
| `livenessProbe.timeoutSeconds` | Configure the timeout seconds for the liveness probe | `10` |
| `livenessProbe.periodSeconds` | Configure the seconds for each period of the liveness probe | `10` |
| `livenessProbe.successThreshold` | Configure the success threshold for the liveness probe | `1` |
| `livenessProbe.failureThreshold` | Configure the failure threshold for the liveness probe | `3` |

Readiness Probe parameters

| Name | Description | Value |
| --- | --- | --- |
| `readinessProbe.enabled` | Enable or disable the use of readiness probes | `true` |
| `readinessProbe.initialDelaySeconds` | Configure the initial delay seconds for the readiness probe | `5` |
| `readinessProbe.timeoutSeconds` | Configure the timeout seconds for the readiness probe | `10` |
| `readinessProbe.periodSeconds` | Configure the seconds for each period of the readiness probe | `10` |
| `readinessProbe.successThreshold` | Configure the success threshold for the readiness probe | `1` |
| `readinessProbe.failureThreshold` | Configure the failure threshold for the readiness probe | `3` |

Startup Probe parameters

| Name | Description | Value |
| --- | --- | --- |
| `startupProbe.enabled` | Enable or disable the use of startup probes | `true` |
| `startupProbe.initialDelaySeconds` | Configure the initial delay seconds for the startup probe | `5` |
| `startupProbe.timeoutSeconds` | Configure the timeout seconds for the startup probe | `10` |
| `startupProbe.periodSeconds` | Configure the seconds for each period of the startup probe | `10` |
| `startupProbe.successThreshold` | Configure the success threshold for the startup probe | `1` |
| `startupProbe.failureThreshold` | Configure the failure threshold for the startup probe | `3` |