feat(kubernetes): allow external keycloak DB configuration (#1368)

.gitignore

@@ -18,3 +18,4 @@ node_modules/
 
 temp/
 
+.aider*

kubernetes/loculus/templates/externaldb-sealed-secret.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.externalDatabase.urlSealedSecret }}
+{{- if or .Values.externalDatabase.urlSealedSecret .Values.keycloakDatabase.addrSealedSecret }}
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
@@ -7,7 +7,16 @@ metadata:
     sealedsecrets.bitnami.com/cluster-wide: "true"
 spec:
   encryptedData:
+    {{- if .Values.externalDatabase.urlSealedSecret }}
     url: {{ .Values.externalDatabase.urlSealedSecret | quote }}
     username: {{ .Values.externalDatabase.usernameSealedSecret | quote }}
     password: {{ .Values.externalDatabase.passwordSealedSecret | quote }}
-{{ end }}
+    {{- end }}
+    {{- if .Values.keycloakDatabase.addrSealedSecret }}
+    keycloak-db-addr: {{ .Values.keycloakDatabase.addrSealedSecret | quote }}
+    keycloak-db-port: {{ .Values.keycloakDatabase.portSealedSecret | quote }}
+    keycloak-db-database: {{ .Values.keycloakDatabase.databaseSealedSecret | quote }}
+    keycloak-db-username: {{ .Values.keycloakDatabase.usernameSealedSecret | quote }}
+    keycloak-db-password: {{ .Values.keycloakDatabase.passwordSealedSecret | quote }}
+    {{- end }}
+{{ end }}

kubernetes/loculus/templates/keycloak-database-deployment.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.keycloakDatabase.addrSealedSecret }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -29,3 +30,4 @@ spec:
               value: "unsecure"
             - name: POSTGRES_DB
               value: "keycloak"
+{{- end }}

kubernetes/loculus/templates/keycloak-database-service.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.keycloakDatabase.addrSealedSecret }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -9,3 +10,4 @@ spec:
     component: keycloak-database
   ports:
     - port: 5432
+{{- end }}

kubernetes/loculus/templates/keycloak-deployment.yaml

@@ -41,8 +41,33 @@ spec:
           # TODO #1221
           image: quay.io/keycloak/keycloak:23.0
           env:
-            - name: DB_VENDOR
-              value: "postgres"
+            {{- if .Values.keycloakDatabase.addrSealedSecret }}
+            - name: DB_ADDR
+              valueFrom:
+                secretKeyRef:
+                  name: externaldb-credentials
+                  key: keycloak-db-addr
+            - name: KC_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: externaldb-credentials
+                  key: keycloak-db-port            
+            - name: DB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: externaldb-credentials
+                  key: keycloak-db-database
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: externaldb-credentials
+                  key: keycloak-db-username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: externaldb-credentials
+                  key: keycloak-db-password
+            {{- else }}
             - name: DB_ADDR
               value: "loculus-keycloak-database-service"
             - name: DB_DATABASE
@@ -51,6 +76,9 @@ spec:
               value: "postgres"
             - name: DB_PASSWORD
               value: "unsecure"
+            {{- end }}
+            - name: DB_VENDOR
+              value: "postgres"
             - name: KEYCLOAK_ADMIN
               value: "admin"
             - name: KEYCLOAK_ADMIN_PASSWORD

kubernetes/loculus/values.yaml

@@ -3,6 +3,12 @@ externalDatabase:
   urlSealedSecret: ""
   usernameSealedSecret: ""
   passwordSealedSecret: ""
+keycloakDatabase:
+  addrSealedSecret: ""
+  databaseSealedSecret: ""
+  usernameSealedSecret: ""
+  passwordSealedSecret: ""
+  portSealedSecret: ""
 disableWebsite: false
 disableBackend: false
 disablePreprocessing: false