charts/keycloak/values.yaml

# @section Global parameters

# @param global.storageClass Global StorageClass for Persistent Volume(s)

global:
  storageClass: ''

# @section Docker Registry settings

# @param dgctlDockerRegistry Docker Registry endpoint where On-Premise services' images reside. Format: `host:port`.

dgctlDockerRegistry: ''

# @section Common parameters

# @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
# @param nameOverride String to partially override common.names.fullname
# @param fullnameOverride String to fully override common.names.fullname
# @param namespaceOverride String to fully override common.names.namespace
# @param enableServiceLinks If set to false, disable Kubernetes [service links](https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service) in the pod spec
# @param dnsPolicy DNS Policy for pod
# E.g.
# dnsPolicy: ClusterFirst
# @param dnsConfig DNS Configuration pod
# E.g.
# dnsConfig:
#   options:
#   - name: ndots
#     value: "4"
# @param extraDeploy Array of extra objects to deploy with the release
# @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
# @param diagnosticMode.command Command to override all containers in the the statefulset
# @param diagnosticMode.args Args to override all containers in the the statefulset

kubeVersion: ''
nameOverride: ''
fullnameOverride: ''
namespaceOverride: ''
enableServiceLinks: true
dnsPolicy: ''
dnsConfig: {}
extraDeploy: []
diagnosticMode:
  enabled: false
  command:
  - sleep
  args:
  - infinity

# @section Keycloak parameters

# @param image.repository Keycloak image repository
# @param image.tag Keycloak image tag (immutable tags are recommended)
# @param image.pullPolicy Keycloak image pull policy
# @param image.pullSecrets Specify docker-registry secret names as an array
# @param image.debug Specify if debug logs should be enabled

image:
  repository: 2gis-on-premise/keycloak
  tag: 21.1.1-debian-11-r4
  pullPolicy: IfNotPresent
  pullSecrets: []
  debug: false

# Keycloak [authentication](https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials) parameters
# @param auth.adminUser Keycloak administrator user
# @param auth.adminPassword Keycloak administrator password for the new user
# @param auth.existingSecret Existing secret containing Keycloak admin password
# @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.


auth:
  adminUser: user
  adminPassword: ''
  existingSecret: ''
  passwordSecretKey: ''

# HTTPS settings
# @param tls.enabled Enable [TLS encryption](https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption). Required for HTTPs traffic.
# @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
# @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
# Create this secret following the steps below:
# 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
# 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
# 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
# 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
#       kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
# NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
# @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores
# If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
# @param tls.truststoreFilename Truststore filename inside the existing secret
# @param tls.keystoreFilename Keystore filename inside the existing secret
# @param tls.keystorePassword Password to access the keystore when it's password-protected
# @param tls.truststorePassword Password to access the truststore when it's password-protected
# @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.

tls:
  enabled: true
  autoGenerated: true
  existingSecret: ''
  usePem: false
  truststoreFilename: keycloak.truststore.jks
  keystoreFilename: keycloak.keystore.jks
  keystorePassword: ''
  truststorePassword: ''
  passwordsSecret: ''

# SPI TLS settings
# @param spi.existingSecret Existing secret containing the Keycloak [truststore](https://www.keycloak.org/server/keycloak-truststore) for SPI connection over HTTPS/TLS
# Create this secret following the steps below:
# 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
# 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
#       kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
# @param spi.truststorePassword Password to access the truststore when it's password-protected
# @param spi.truststoreFilename Truststore filename inside the existing secret
# @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
# @param spi.hostnameVerificationPolicy Verify the hostname of the server’s certificate. Allowed values: "ANY", "WILDCARD", "STRICT".

spi:
  existingSecret: ''
  truststorePassword: ''
  truststoreFilename: keycloak-spi.truststore.jks
  passwordsSecret: ''
  hostnameVerificationPolicy: ''

# @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
# @param proxy reverse [Proxy](https://www.keycloak.org/server/reverseproxy) mode edge, reencrypt, passthrough or none
# @param httpRelativePath Set the [path](https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed) relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/'

production: true
proxy: passthrough
httpRelativePath: /

# Keycloak Service Discovery settings
# ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration

# @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
# Specify content for keycloak.conf
# NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
# The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
# Example:
# configuration: |-
#    foo: bar
#    baz:
# @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
# NOTE: When it's set the configuration parameter is ignored
# @param extraStartupArgs Extra default startup args
# @param initdbScripts Dictionary of initdb scripts
# Specify dictionary of scripts to be run at first boot
# ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
# Example:
# initdbScripts:
#   my_init_script.sh: |
#      #!/bin/bash
#      echo "Do something."
# @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
# @param command Override default container command (useful when using custom images)
# @param args Override default container args (useful when using custom images)
# @param extraEnvVars Extra environment variables to be set on Keycloak container
# Example:
# extraEnvVars:
#   - name: FOO
#     value: "bar"
# @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
# @param extraEnvVarsSecret Name of existing Secret containing extra env vars

configuration: ''
existingConfigmap: ''
extraStartupArgs: ''
initdbScripts: {}
initdbScriptsConfigMap: ''
command: []
args: []
extraEnvVars: []
# - name: JAVA_OPTS
#   value: -server -Xms64m -Xmx1024m
extraEnvVarsCM: ''
extraEnvVarsSecret: ''

# @section Keycloak statefulset parameters

# @param replicaCount Number of Keycloak replicas to deploy
# @param containerPorts.http Keycloak HTTP container port
# @param containerPorts.https Keycloak HTTPS container port
# @param containerPorts.infinispan Keycloak infinispan container port
# @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
# Keycloak pods' SecurityContext
# @param podSecurityContext.enabled Enabled Keycloak pods' [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
# Keycloak containers' Security Context
# @param containerSecurityContext.enabled Enabled Keycloak containers' [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# @param containerSecurityContext.runAsUser Set Keycloak container's Security Context runAsUser
# @param containerSecurityContext.runAsNonRoot Set Keycloak container's Security Context runAsNonRoot
# Keycloak resource requests and limits
# @param resources.requests.cpu A CPU request.
# @param resources.requests.memory A memory request.
# @param resources.limits.cpu A CPU limit.
# @param resources.limits.memory A memory limit.
# Configure extra options for Keycloak containers' liveness, readiness and startup probes
# @param livenessProbe.enabled Enable [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) on Keycloak containers
# @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
# @param livenessProbe.periodSeconds Period seconds for livenessProbe
# @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
# @param livenessProbe.failureThreshold Failure threshold for livenessProbe
# @param livenessProbe.successThreshold Success threshold for livenessProbe
# @param readinessProbe.enabled Enable [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) on Keycloak containers
# @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
# @param readinessProbe.periodSeconds Period seconds for readinessProbe
# @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
# @param readinessProbe.failureThreshold Failure threshold for readinessProbe
# @param readinessProbe.successThreshold Success threshold for readinessProbe
# When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
# @param startupProbe.enabled Enable [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) on Keycloak containers
# @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
# @param startupProbe.periodSeconds Period seconds for startupProbe
# @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
# @param startupProbe.failureThreshold Failure threshold for startupProbe
# @param startupProbe.successThreshold Success threshold for startupProbe
# @param customLivenessProbe Custom Liveness probes for Keycloak
# @param customReadinessProbe Custom Rediness probes Keycloak
# @param customStartupProbe Custom Startup probes for Keycloak
# @param lifecycleHooks LifecycleHooks to set additional configuration at startup
# @param hostAliases Deployment pod [host aliases](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)
# @param podLabels Extra [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) for Keycloak pods
# @param podAnnotations Annotations for Keycloak pods
# @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
# @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
# Node affinity preset
# @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
# @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
# E.g.
# key: "kubernetes.io/e2e-az-name"
# @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
# E.g.
# values:
#   - e2e-az1
#   - e2e-az2
# @param affinity Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# @param imagePullSecrets Kubernetes image pull secrets.
# @param nodeSelector Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
# @param tolerations Tolerations for pod assignment
# @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
# @param podManagementPolicy Pod management policy for the Keycloak statefulset
# @param priorityClassName Keycloak pods' [Priority Class Name](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/)
# @param schedulerName Use an alternate [scheduler](https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/), e.g. "stork".
# @param terminationGracePeriodSeconds Seconds Keycloak pod needs to [terminate](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) gracefully
# @param updateStrategy.type Keycloak statefulset strategy type
# @param updateStrategy.rollingUpdate Keycloak statefulset [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) configuration parameters
# @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
# @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
# @param initContainers Add additional init containers to the Keycloak pods
# Example:
# initContainers:
#   - name: your-image-name
#     image: your-image
#     imagePullPolicy: Always
#     ports:
#       - name: portname
#         containerPort: 1234
# @param sidecars Add additional sidecar containers to the Keycloak pods
# Example:
# sidecars:
#   - name: your-image-name
#     image: your-image
#     imagePullPolicy: Always
#     ports:
#       - name: portname
#         containerPort: 1234

replicaCount: 1
containerPorts:
  http: 8080
  https: 8443
  infinispan: 7800
extraContainerPorts: []
podSecurityContext:
  enabled: true
  fsGroup: 1001
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true

resources:
  limits:
    cpu: 4
    memory: 4000Mi
  requests:
    cpu: 2
    memory: 2000Mi

livenessProbe:
  enabled: true
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1

readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1

startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1

customLivenessProbe: {}
customReadinessProbe: {}
customStartupProbe: {}
lifecycleHooks: {}
hostAliases: []
podLabels: {}
podAnnotations: {}
podAffinityPreset: ''
podAntiAffinityPreset: soft

nodeAffinityPreset:
  type: ''
  key: ''
  values: []

affinity: {}
imagePullSecrets: []
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
podManagementPolicy: Parallel
priorityClassName: ''
schedulerName: ''
terminationGracePeriodSeconds: ''
updateStrategy:
  type: RollingUpdate
  rollingUpdate: {}
extraVolumes: []
extraVolumeMounts: []
initContainers: []
sidecars: []

# @section Exposure parameters

# Service configuration
# @param service.type Kubernetes service type
# @param service.http.enabled Enable http port on service
# @param service.ports.http Keycloak service HTTP port
# @param service.ports.https Keycloak service HTTPS port
# @param service.nodePorts [object] Specify the [nodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) values for the LoadBalancer and NodePort service types.
# @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
# Values: ClientIP or None
# ref: https://kubernetes.io/docs/user-guide/services/
# @param service.sessionAffinityConfig Additional settings for the sessionAffinity
# sessionAffinityConfig:
#   clientIP:
#     timeoutSeconds: 300
# @param service.clusterIP Keycloak service clusterIP IP
# e.g:
# clusterIP: None
# @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
# @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
# https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
# Example:
# loadBalancerSourceRanges:
#   - 10.10.10.0/24
# @param service.externalTrafficPolicy Enable client source IP preservation
# ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# @param service.annotations Additional custom annotations for Keycloak service
# @param service.extraPorts Extra port to expose on Keycloak service
# DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
# @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
# Headless service properties
# @param service.headless.annotations Annotations for the headless service.
# @param service.headless.extraPorts Extra ports to expose on Keycloak headless service

service:
  type: ClusterIP
  http:
    enabled: true
  ports:
    http: 80
    https: 443
  nodePorts:
    http: ''
    https: ''
  sessionAffinity: None
  sessionAffinityConfig: {}
  clusterIP: ''
  loadBalancerIP: ''
  loadBalancerSourceRanges: []
  externalTrafficPolicy: Cluster
  annotations: {}
  extraPorts: []
  extraHeadlessPorts: []
  headless:
    annotations: {}
    extraPorts: []

# @section Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) settings

# @param ingress.enabled If Ingress is enabled for the service.
# @param ingress.className Name of the Ingress controller class.
# @param ingress.hosts[0].host Hostname for the Ingress service.
# @param ingress.hosts[0].paths[0].path Path of the host for the Ingress service.
# @param ingress.hosts[0].paths[0].pathType Type of the path for the Ingress service.
# @param ingress.tls TLS configuration

ingress:
  enabled: false
  className: nginx
  hosts:
  - host: keycloak.example.com
    paths:
    - path: /
      pathType: Prefix
  tls: []
  # - hosts:
  #   - keycloak.example.com
  #   secretName: secret.tls

# @section [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) configuration
# @param networkPolicy.enabled Enable the default NetworkPolicy policy
# @param networkPolicy.allowExternal Don't require client label for connections
# The Policy model to apply. When set to false, only pods with the correct
# client label will have network access to the ports Keycloak is listening
# on. When true, Keycloak will accept connections from any source
# (with the correct destination port).
# @param networkPolicy.additionalRules Additional NetworkPolicy rules
# Note that all rules are OR-ed.
# Example:
# additionalRules:
#   - matchLabels:
#       - role: frontend
#   - matchExpressions:
#       - key: role
#         operator: In
#         values:
#           - frontend

networkPolicy:
  enabled: false
  allowExternal: true
  additionalRules: {}

# @section serviceAccount parameter

# @param serviceAccountOverride A custom service account. If not defined it will be created automatically.
# Specifies whether RBAC resources should be created
# @param rbac.create Whether to create and use RBAC resources or not
# @param rbac.rules Custom RBAC rules
# Example:
# rules:
#   - apiGroups:
#       - ""
#     resources:
#       - pods
#     verbs:
#       - get
#       - list

serviceAccountOverride: ''
rbac:
  create: false
  rules: []

# @section Other parameters

# Keycloak Pod Disruption Budget configuration
# @param pdb.create Enable/disable a [Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) creation
# @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
# @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
# Keycloak Autoscaling configuration
# @param hpa.enabled Enable hpa for Keycloak
# @param hpa.minReplicas Minimum number of Keycloak replicas
# @param hpa.maxReplicas Maximum number of Keycloak replicas
# @param hpa.targetCPU Target CPU utilization percentage
# @param hpa.targetMemory Target Memory utilization percentage

pdb:
  create: true
  minAvailable: ''
  maxUnavailable: 1

hpa:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  targetCPU: ''
  targetMemory: ''

# @section Metrics parameters

# Metrics configuration
# @param metrics.enabled Enable exposing [Keycloak statistics](https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics)
# Keycloak metrics service parameters
# @param metrics.service.ports.http Metrics service HTTP port
# @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
# Prometheus Operator ServiceMonitor configuration
# @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
# @param metrics.serviceMonitor.port Metrics service HTTP port
# @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten.
# @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
# @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
# @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
# @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
# e.g:
#   scrapeTimeout: 30s
# @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
# @param metrics.serviceMonitor.selector Prometheus instance selector labels
# @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
# @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
# @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
# @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
# Prometheus Operator alert rules configuration
# @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
# @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
# @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
# @param metrics.prometheusRule.groups Groups, containing the alert rules.
# Example:
#   groups:
#     - name: Keycloak
#       rules:
#         - alert: KeycloakInstanceNotAvailable
#           annotations:
#             message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
#           expr: |
#             absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
#           for: 5m
#           labels:
#             severity: critical

metrics:
  enabled: false
  service:
    ports:
      http: 8080
    annotations:
      prometheus.io/scrape: 'true'
      prometheus.io/port: '{{ .Values.metrics.service.ports.http }}'
  serviceMonitor:
    enabled: false
    port: http
    endpoints:
    - path: '{{ include "keycloak.httpPath" . }}metrics'
    - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics'
    path: ''
    namespace: ''
    interval: 30s
    scrapeTimeout: ''
    labels: {}
    selector: {}
    relabelings: []
    metricRelabelings: []
    honorLabels: false
    jobLabel: ''
  prometheusRule:
    enabled: false
    namespace: ''
    labels: {}
    groups: []

# @section keycloak-config-cli parameters

# Configuration for keycloak-config-cli
# @param keycloakConfigCli.enabled Whether to enable [keycloak-config-cli](https://github.com/adorsys/keycloak-config-cli) job
# keycloak-config-cli image
# ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
# @param keycloakConfigCli.image.repository keycloak-config-cli container image repository
# @param keycloakConfigCli.image.tag keycloak-config-cli container image tag
# @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container [image pull policy](https://kubernetes.io/docs/user-guide/images/#pre-pulling-images)
# @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container [image pull secrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
# Specify a imagePullPolicy
# Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
# Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# e.g:
# pullSecrets:
#   - myRegistryKeySecretName
# @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
# @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
# @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
# @param keycloakConfigCli.hostAliases Job pod host aliases
# https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
# Keycloak config CLI resource requests and limits
# ref: https://kubernetes.io/docs/user-guide/compute-resources/
# keycloakConfigCli resource requests and limits
# @param keycloakConfigCli.resources.requests.cpu A CPU request.
# @param keycloakConfigCli.resources.requests.memory A memory request.
# @param keycloakConfigCli.resources.limits.cpu A CPU limit.
# @param keycloakConfigCli.resources.limits.memory A memory limit.
# keycloak-config-cli containers' Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli containers' Security Context
# @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli container's Security Context runAsUser
# @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli container's Security Context runAsNonRoot
# keycloak-config-cli pods' Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
# @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
# @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
# @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
# @param keycloakConfigCli.podLabels Pod extra labels
# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
# @param keycloakConfigCli.podAnnotations Annotations for job pod
# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
# @param keycloakConfigCli.extraEnvVars Additional environment variables to set
# Example:
# extraEnvVars:
#   - name: FOO
#     value: "bar"
#
# @param keycloakConfigCli.nodeSelector Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
# @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
# @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
# @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
# @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
# @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
# Example:
# initContainers:
#   - name: your-image-name
#     image: your-image
#     imagePullPolicy: Always
#     ports:
#       - name: portname
#         containerPort: 1234
# @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
# Example:
# sidecars:
#   - name: your-image-name
#     image: your-image
#     imagePullPolicy: Always
#     ports:
#       - name: portname
#         containerPort: 1234
# Automatic Cleanup for Finished Jobs
# @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
# @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/


keycloakConfigCli:
  enabled: true
  image:
    repository: 2gis-on-premise/keycloak-config-cli
    tag: 5.6.1-debian-11-r18
    pullPolicy: IfNotPresent
    pullSecrets: []
  annotations:
    helm.sh/hook: post-install,post-upgrade,post-rollback
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
    helm.sh/hook-weight: '5'
  command: []
  args: []
  hostAliases: []

  resources:
    requests:
      cpu: 500m
      memory: 256M
    limits:
      cpu: 1
      memory: 512M

  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 1001
  backoffLimit: 1
  podLabels: {}
  podAnnotations: {}
  nodeSelector: {}
  podTolerations: []
  extraEnvVars: []
  extraEnvVarsCM: ''
  extraEnvVarsSecret: ''
  extraVolumes: []
  extraVolumeMounts: []
  initContainers: []
  sidecars: []
  cleanupAfterFinished:
    enabled: false
    seconds: 600

# @section Database settings

# @param postgres.host PostgreSQL rw/ro hostname or IP. **Required**
# @param postgres.port PostgreSQL port
# @param postgres.name PostgreSQL database name. **Required**
# @param postgres.username PostgreSQL username. **Required**
# @param postgres.password PostgreSQL password. **Required**

postgres:
  host: ''
  port: 5432
  name: ''
  username: ''
  password: ''

# @section Keycloak Cache parameters

# Keycloak cache configuration
# @param cache.enabled Switch to enable or disable the keycloak distributed [cache](https://www.keycloak.org/server/caching) for kubernetes.
# NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
# @param cache.stackName Set infinispan cache stack to use
# @param cache.stackFile Set infinispan cache stack filename to use

cache:
  enabled: true
  stackName: kubernetes
  stackFile: ''

# @section Keycloak Logging parameters

# Keycloak logging configuration
# @param logging.output Alternates between the default [log](https://www.keycloak.org/server/logging) output format or json format
# @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF

logging:
  output: default
  level: INFO

# Configuration for keycloak themes
# keycloakThemes image
# @param keycloakThemes.image.repository keycloak-themes container image repository
# @param keycloakThemes.image.tag keycloak-themes container image tag
# @param keycloakThemes.image.pullPolicy keycloak-themes container [image pull policy](https://kubernetes.io/docs/user-guide/images/#pre-pulling-images)
keycloakThemes:
  image:
    repository: 2gis-on-premise/keycloak-themes
    tag: 0.0.8
    pullPolicy: IfNotPresent

# @section Keycloak default user for access on-premise services
# @param defaultUser.enabled Switch to enable or disable the defaultUser
# @param defaultUser.name User name
# @param defaultUser.email User email
# @param defaultUser.password User password
defaultUser:
  enabled: false
  name: ''
  email: ''
  password: ''