bitnami/keycloak same FQDN for both ingresses #24320

Closed
busyboy77 opened this issue Mar 10, 2024 · 4 comments
Labels: solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

busyboy77 commented Mar 10, 2024

Name and Version

bitnami/keycloak:19.3.0

What architecture are you using?

amd64

What steps will reproduce the bug?

I'm trying to configure and set up Keycloak using the bitnami/keycloak:19.3.0 Helm chart with the command given below:

helm upgrade --install=true --namespace ef-external --values ./values.yaml --debug --render-subchart-notes  keycloak .

and trying to set up ingresses for both the normal ingress and adminIngress using the same FQDN. However, it seems to loop forever or does not work completely.

Background:

We use bitnami/keycloak for on-prem based deployments where using 2 different FQDNs is completely NOT an option and routing using the same FQDN is a mandatory requirement.

Are you using any custom parameters or values?

auth:
  adminUser: admin
  adminPassword: "admin"
httpRelativePath: "/auth/"
extraEnvVars:
     - name: KC_LOG_LEVEL
       value: "DEBUG"
     - name: KEYCLOAK_LOGLEVEL
       value: "DEBUG"
     - name: ROOT_LOGLEVEL
       value: "DEBUG"
     - name:  KEYCLOAK_ADMIN_URL
       value: https://devops218.ef.com/keyadmin
     - name: KEYCLOAK_EXTRA_ARGS
       value:  "-Dkeycloak.frontendUrl=https://devops218.ef.com/keyadmin  -Dkeycloak.profile.feature.upload_scripts=enabled"
     - name:  KEYCLOAK_FRONTEND_URL
       value: https://devpos218.ef.com/keyadmin
     - name: KEYCLOAK_LOGLEVEL
       value:  DEBUG
     - name: KEYCLOAK_PASSWORD
       value: admin
     - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
       value: "true"
     - name: KEYCLOAK_USER
       value: admin
     - name: NODE_ENV
       value: development
ingress:
  enabled: true
  ingressClassName: "nginx"
  pathType: ImplementationSpecific
  apiVersion: ""
  hostname: devops218.ef.com
  path: "{{ .Values.httpRelativePath }}"
  servicePort: http
  annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.org/server-snippets: |
         location / {
            proxy_set_header X-Forwarded-For $host;
            proxy_set_header X-Forwarded-Proto $scheme;
           }
  labels: {}
  tls: true
  selfSigned: false
  extraHosts: []
  extraPaths: []
  extraTls:
    - hosts:
       - devops218.ef.com
      secretName: ef-ingress-tls-secret
  secrets: []
  extraRules: []
adminIngress:
  enabled: true
  ingressClassName: "nginx"
  pathType: ImplementationSpecific
  apiVersion: ""
  hostname: devops218.ef.com
  path: "/keyadmin"
  servicePort: http
  annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.org/server-snippets: |
         location / {
            proxy_set_header X-Forwarded-For $host;
            proxy_set_header X-Forwarded-Proto $scheme;
           }
  labels: {}
  tls: true
  selfSigned: false
  extraHosts: []
  extraPaths: []
  extraTls:
    - hosts:
        - devops218.ef.com
      secretName: ef-ingress-tls-secret
  secrets: []
  extraRules: []

What is the expected behavior?

The adminIngress never works.

What do you see instead?

Ideally, the requirement of a separate FQDN should not block using the same FQDN but with different ingress routes.

Additional information

No response

@busyboy77 busyboy77 added the tech-issues The user has a technical issue about an application label Mar 10, 2024
@github-actions github-actions bot added the triage Triage is needed label Mar 10, 2024
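
A consistency check over the values posted above, as an added example that is not part of the original issue or of the chart's code: it flags duplicate `extraEnvVars` names, URL-valued variables whose host is not an ingress hostname, and an enabled ingress whose path lies outside `httpRelativePath` with no rewrite annotation. `VALUES` is a constructed subset of the posted values.yaml (secrets left out), the function names are hypothetical, and the path check assumes the ingress forwards the request path unchanged to a Keycloak that serves only under its relative path.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed subset of the values.yaml posted in the issue (secrets omitted).
VALUES = {
    "httpRelativePath": "/auth/",
    "extraEnvVars": [
        {"name": "KC_LOG_LEVEL", "value": "DEBUG"},
        {"name": "KEYCLOAK_LOGLEVEL", "value": "DEBUG"},
        {"name": "KEYCLOAK_ADMIN_URL", "value": "https://devops218.ef.com/keyadmin"},
        {"name": "KEYCLOAK_FRONTEND_URL", "value": "https://devpos218.ef.com/keyadmin"},
        {"name": "KEYCLOAK_LOGLEVEL", "value": "DEBUG"},
    ],
    "ingress": {
        "enabled": True,
        "hostname": "devops218.ef.com",
        "path": "{{ .Values.httpRelativePath }}",
        "annotations": {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"},
    },
    "adminIngress": {
        "enabled": True,
        "hostname": "devops218.ef.com",
        "path": "/keyadmin",
        "annotations": {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"},
    },
}

# Annotations that make the controller rewrite the path before proxying.
REWRITE_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/rewrite-target",
    "nginx.org/rewrites",
)
INGRESS_KEYS = ("ingress", "adminIngress")


def _norm(path):
    """Normalise a URL path to '/a/b/' form so prefix comparison is exact."""
    core = path.strip("/")
    return "/" + core + "/" if core else "/"


def _resolve(path, values):
    """Expand the single template expression the posted values use."""
    return path.replace("{{ .Values.httpRelativePath }}", values["httpRelativePath"])


def duplicate_env_names(values):
    """Names listed more than once in extraEnvVars (the API server warns on these)."""
    counts = Counter(e["name"] for e in values.get("extraEnvVars", []))
    return sorted(name for name, n in counts.items() if n > 1)


def foreign_url_hosts(values):
    """(env name, host) for URL values whose host is not an enabled ingress hostname."""
    hosts = {values[k]["hostname"] for k in INGRESS_KEYS
             if values.get(k, {}).get("enabled")}
    found = []
    for env in values.get("extraEnvVars", []):
        value = str(env.get("value", ""))
        if value.startswith(("http://", "https://")):
            host = urlsplit(value).hostname
            if host not in hosts:
                found.append((env["name"], host))
    return found


def unrouted_ingress_paths(values):
    """(ingress key, path) for paths outside httpRelativePath with no rewrite."""
    base = _norm(values["httpRelativePath"])
    found = []
    for key in INGRESS_KEYS:
        ing = values.get(key, {})
        if not ing.get("enabled"):
            continue
        path = _norm(_resolve(ing["path"], values))
        rewritten = any(a in ing.get("annotations", {}) for a in REWRITE_ANNOTATIONS)
        if not path.startswith(base) and not rewritten:
            found.append((key, ing["path"]))
    return found


def lint_values(values):
    """Collect all findings as human-readable strings."""
    findings = []
    for name in duplicate_env_names(values):
        findings.append(f"extraEnvVars: duplicate name {name}")
    for name, host in foreign_url_hosts(values):
        findings.append(f"{name}: host {host} is not an ingress hostname")
    for key, path in unrouted_ingress_paths(values):
        findings.append(
            f"{key}.path {path} is outside httpRelativePath "
            f"{values['httpRelativePath']} and has no rewrite annotation"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_values(VALUES):
        print(finding)
```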

busyboy77 commented Mar 10, 2024

Adding full --debug output here

root@devops218:/tmp/keycloak# helm upgrade --install=true --namespace ef-external --values ./values.yaml --debug --render-subchart-notes  keycloak .
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/rancher/rke2/rke2.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /etc/rancher/rke2/rke2.yaml
history.go:56: [debug] getting history for release keycloak
Release "keycloak" does not exist. Installing it now.
install.go:214: [debug] Original chart version: ""
install.go:231: [debug] CHART PATH: /tmp/keycloak

client.go:142: [debug] creating 10 resource(s)
W0310 14:09:55.618977 3895208 warnings.go:70] spec.template.spec.containers[0].env[12].name: duplicate name "KEYCLOAK_LOGLEVEL"
NAME: keycloak
LAST DEPLOYED: Sun Mar 10 14:09:53 2024
NAMESPACE: ef-external
STATUS: deployed
REVISION: 1
TEST SUITE: None
USER-SUPPLIED VALUES:
adminIngress:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
  apiVersion: ""
  enabled: true
  extraHosts: []
  extraPaths: []
  extraRules: []
  extraTls:
  - hosts:
    - devops218.ef.com
    secretName: ef-ingress-tls-secret
  hostname: devops218.ef.com
  ingressClassName: nginx
  labels: {}
  path: /keyadmin
  pathType: ImplementationSpecific
  secrets: []
  selfSigned: false
  servicePort: http
  tls: true
affinity: {}
args: []
auth:
  adminPassword: admin
  adminUser: admin
  annotations: {}
  existingSecret: ""
  passwordSecretKey: ""
automountServiceAccountToken: true
autoscaling:
  enabled: false
  maxReplicas: 11
  minReplicas: 1
  targetCPU: ""
  targetMemory: ""
cache:
  enabled: true
  stackFile: ""
  stackName: kubernetes
clusterDomain: cluster.local
command: []
commonAnnotations: {}
commonLabels: {}
configuration: ""
containerPorts:
  http: 8080
  https: 8443
  infinispan: 7800
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  enabled: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: true
  runAsUser: 1001
  seLinuxOptions: null
  seccompProfile:
    type: RuntimeDefault
customLivenessProbe: {}
customReadinessProbe: {}
customStartupProbe: {}
diagnosticMode:
  args:
  - infinity
  command:
  - sleep
  enabled: false
dnsConfig: {}
dnsPolicy: ""
enableServiceLinks: true
existingConfigmap: ""
externalDatabase:
  annotations: {}
  database: keycloak_db
  existingSecret: ""
  existingSecretDatabaseKey: ""
  existingSecretHostKey: ""
  existingSecretPasswordKey: ""
  existingSecretPortKey: ""
  existingSecretUserKey: ""
  host: ef-cx-postgresql.ef-external.svc.cluster.local
  password: Expertflow123
  port: 5432
  user: sa
extraContainerPorts: []
extraDeploy: []
extraEnvVars:
- name: KC_LOG_LEVEL
  value: DEBUG
- name: KEYCLOAK_LOGLEVEL
  value: DEBUG
- name: ROOT_LOGLEVEL
  value: DEBUG
- name: KEYCLOAK_ADMIN_URL
  value: https://devops218.ef.com/keyadmin
- name: KEYCLOAK_EXTRA_ARGS
  value: -Dkeycloak.frontendUrl=https://devops218.ef.com/keyadmin  -Dkeycloak.profile.feature.upload_scripts=enabled
- name: KEYCLOAK_FRONTEND_URL
  value: https://devpos218.ef.com/keyadmin
- name: KEYCLOAK_LOGLEVEL
  value: DEBUG
- name: KEYCLOAK_PASSWORD
  value: admin
- name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_USER
  value: admin
- name: NODE_ENV
  value: development
extraEnvVarsCM: ""
extraEnvVarsSecret: ""
extraStartupArgs: ""
extraVolumeMounts: []
extraVolumes: []
fullnameOverride: ""
global:
  compatibility:
    openshift:
      adaptSecurityContext: disabled
  imagePullSecrets: []
  imageRegistry: ""
  storageClass: ""
hostAliases: []
httpRelativePath: /auth/
image:
  debug: false
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  registry: docker.io
  repository: bitnami/keycloak
  tag: 23.0.7-debian-12-r1
ingress:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
  apiVersion: ""
  enabled: true
  extraHosts: []
  extraPaths: []
  extraRules: []
  extraTls:
  - hosts:
    - devops218.ef.com
    secretName: ef-ingress-tls-secret
  hostname: devops218.ef.com
  ingressClassName: nginx
  labels: {}
  path: '{{ .Values.httpRelativePath }}'
  pathType: ImplementationSpecific
  secrets: []
  selfSigned: false
  servicePort: http
  tls: true
initContainers: []
initdbScripts: {}
initdbScriptsConfigMap: ""
keycloakConfigCli:
  annotations:
    helm.sh/hook: post-install,post-upgrade,post-rollback
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
    helm.sh/hook-weight: "5"
  args: []
  automountServiceAccountToken: true
  backoffLimit: 1
  cleanupAfterFinished:
    enabled: false
    seconds: 600
  command: []
  configuration: {}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    enabled: true
    privileged: false
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: true
    runAsUser: 1001
    seLinuxOptions: null
    seccompProfile:
      type: RuntimeDefault
  enabled: false
  existingConfigmap: ""
  extraEnvVars: []
  extraEnvVarsCM: ""
  extraEnvVarsSecret: ""
  extraVolumeMounts: []
  extraVolumes: []
  hostAliases: []
  image:
    digest: ""
    pullPolicy: IfNotPresent
    pullSecrets: []
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.10.0-debian-12-r9
  initContainers: []
  nodeSelector: {}
  podAnnotations: {}
  podLabels: {}
  podSecurityContext:
    enabled: true
    fsGroup: 1001
    fsGroupChangePolicy: Always
    supplementalGroups: []
    sysctls: []
  podTolerations: []
  resources: {}
  resourcesPreset: none
  sidecars: []
kubeVersion: ""
lifecycleHooks: {}
livenessProbe:
  enabled: true
  failureThreshold: 3
  initialDelaySeconds: 300
  periodSeconds: 1
  successThreshold: 1
  timeoutSeconds: 5
logging:
  level: INFO
  output: default
metrics:
  enabled: false
  prometheusRule:
    enabled: false
    groups: []
    labels: {}
    namespace: ""
  service:
    annotations:
      prometheus.io/port: '{{ .Values.metrics.service.ports.http }}'
      prometheus.io/scrape: "true"
    extraPorts: []
    ports:
      http: 8080
  serviceMonitor:
    enabled: false
    endpoints:
    - path: '{{ include "keycloak.httpPath" . }}metrics'
    - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics'
    honorLabels: false
    interval: 30s
    jobLabel: ""
    labels: {}
    metricRelabelings: []
    namespace: ""
    path: ""
    port: http
    relabelings: []
    scrapeTimeout: ""
    selector: {}
nameOverride: ""
namespaceOverride: ""
networkPolicy:
  allowExternal: true
  allowExternalEgress: true
  enabled: true
  extraEgress: []
  extraIngress: []
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
  kubeAPIServerPorts:
  - 443
  - 6443
  - 8443
nodeAffinityPreset:
  key: ""
  type: ""
  values: []
nodeSelector: {}
pdb:
  create: false
  maxUnavailable: ""
  minAvailable: 1
podAffinityPreset: ""
podAnnotations: {}
podAntiAffinityPreset: soft
podLabels: {}
podManagementPolicy: Parallel
podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: Always
  supplementalGroups: []
  sysctls: []
postgresql:
  architecture: standalone
  auth:
    database: bitnami_keycloak
    existingSecret: ""
    password: Expertflow123$
    postgresPassword: Expertflow123$
    username: bn_keycloak
  enabled: false
priorityClassName: ""
production: false
proxy: passthrough
rbac:
  create: false
  rules: []
readinessProbe:
  enabled: true
  failureThreshold: 3
  initialDelaySeconds: 30
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 1
replicaCount: 1
resources: {}
resourcesPreset: none
revisionHistoryLimitCount: 10
schedulerName: ""
service:
  annotations: {}
  clusterIP: ""
  externalTrafficPolicy: Cluster
  extraHeadlessPorts: []
  extraPorts: []
  headless:
    annotations: {}
    extraPorts: []
  http:
    enabled: true
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  nodePorts:
    http: ""
    https: ""
  ports:
    http: 80
    https: 443
  sessionAffinity: None
  sessionAffinityConfig: {}
  type: ClusterIP
serviceAccount:
  annotations: {}
  automountServiceAccountToken: false
  create: true
  extraLabels: {}
  name: ""
sidecars: []
spi:
  existingSecret: ""
  hostnameVerificationPolicy: ""
  passwordsSecret: ""
  truststoreFilename: keycloak-spi.truststore.jks
  truststorePassword: ""
startupProbe:
  enabled: false
  failureThreshold: 60
  initialDelaySeconds: 30
  periodSeconds: 5
  successThreshold: 1
  timeoutSeconds: 1
statefulsetAnnotations: {}
terminationGracePeriodSeconds: ""
tls:
  autoGenerated: false
  enabled: false
  existingSecret: ""
  keystoreFilename: keycloak.keystore.jks
  keystorePassword: ""
  passwordsSecret: ""
  truststoreFilename: keycloak.truststore.jks
  truststorePassword: ""
  usePem: false
tolerations: []
topologySpreadConstraints: []
updateStrategy:
  rollingUpdate: {}
  type: RollingUpdate

COMPUTED VALUES:
adminIngress:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
  apiVersion: ""
  enabled: true
  extraHosts: []
  extraPaths: []
  extraRules: []
  extraTls:
  - hosts:
    - devops218.ef.com
    secretName: ef-ingress-tls-secret
  hostname: devops218.ef.com
  ingressClassName: nginx
  labels: {}
  path: /keyadmin
  pathType: ImplementationSpecific
  secrets: []
  selfSigned: false
  servicePort: http
  tls: true
affinity: {}
args: []
auth:
  adminPassword: admin
  adminUser: admin
  annotations: {}
  existingSecret: ""
  passwordSecretKey: ""
automountServiceAccountToken: true
autoscaling:
  enabled: false
  maxReplicas: 11
  minReplicas: 1
  targetCPU: ""
  targetMemory: ""
cache:
  enabled: true
  stackFile: ""
  stackName: kubernetes
clusterDomain: cluster.local
command: []
common:
  exampleValue: common-chart
  global:
    compatibility:
      openshift:
        adaptSecurityContext: disabled
    imagePullSecrets: []
    imageRegistry: ""
    storageClass: ""
commonAnnotations: {}
commonLabels: {}
configuration: ""
containerPorts:
  http: 8080
  https: 8443
  infinispan: 7800
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  enabled: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: RuntimeDefault
customLivenessProbe: {}
customReadinessProbe: {}
customStartupProbe: {}
diagnosticMode:
  args:
  - infinity
  command:
  - sleep
  enabled: false
dnsConfig: {}
dnsPolicy: ""
enableServiceLinks: true
existingConfigmap: ""
externalDatabase:
  annotations: {}
  database: keycloak_db
  existingSecret: ""
  existingSecretDatabaseKey: ""
  existingSecretHostKey: ""
  existingSecretPasswordKey: ""
  existingSecretPortKey: ""
  existingSecretUserKey: ""
  host: postgresql
  password:  SamplePassword123$
  port: 5432
  user: sa
extraContainerPorts: []
extraDeploy: []
extraEnvVars:
- name: KC_LOG_LEVEL
  value: DEBUG
- name: KEYCLOAK_LOGLEVEL
  value: DEBUG
- name: ROOT_LOGLEVEL
  value: DEBUG
- name: KEYCLOAK_ADMIN_URL
  value: https://devops218.ef.com/keyadmin
- name: KEYCLOAK_EXTRA_ARGS
  value: -Dkeycloak.frontendUrl=https://devops218.ef.com/keyadmin  -Dkeycloak.profile.feature.upload_scripts=enabled
- name: KEYCLOAK_FRONTEND_URL
  value: https://devpos218.ef.com/keyadmin
- name: KEYCLOAK_LOGLEVEL
  value: DEBUG
- name: KEYCLOAK_PASSWORD
  value: admin
- name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_USER
  value: admin
- name: NODE_ENV
  value: development
extraEnvVarsCM: ""
extraEnvVarsSecret: ""
extraStartupArgs: ""
extraVolumeMounts: []
extraVolumes: []
fullnameOverride: ""
global:
  compatibility:
    openshift:
      adaptSecurityContext: disabled
  imagePullSecrets: []
  imageRegistry: ""
  storageClass: ""
hostAliases: []
httpRelativePath: /auth
image:
  debug: false
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  registry: docker.io
  repository: bitnami/keycloak
  tag: 23.0.7-debian-12-r1
ingress:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
  apiVersion: ""
  enabled: true
  extraHosts: []
  extraPaths: []
  extraRules: []
  extraTls:
  - hosts:
    - devops218.ef.com
    secretName: ef-ingress-tls-secret
  hostname: devops218.ef.com
  ingressClassName: nginx
  labels: {}
  path: '{{ .Values.httpRelativePath }}'
  pathType: ImplementationSpecific
  secrets: []
  selfSigned: false
  servicePort: http
  tls: true
initContainers: []
initdbScripts: {}
initdbScriptsConfigMap: ""
keycloakConfigCli:
  annotations:
    helm.sh/hook: post-install,post-upgrade,post-rollback
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
    helm.sh/hook-weight: "5"
  args: []
  automountServiceAccountToken: true
  backoffLimit: 1
  cleanupAfterFinished:
    enabled: false
    seconds: 600
  command: []
  configuration: {}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    enabled: true
    privileged: false
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: true
    runAsUser: 1001
    seccompProfile:
      type: RuntimeDefault
  enabled: false
  existingConfigmap: ""
  extraEnvVars: []
  extraEnvVarsCM: ""
  extraEnvVarsSecret: ""
  extraVolumeMounts: []
  extraVolumes: []
  hostAliases: []
  image:
    digest: ""
    pullPolicy: IfNotPresent
    pullSecrets: []
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.10.0-debian-12-r9
  initContainers: []
  nodeSelector: {}
  podAnnotations: {}
  podLabels: {}
  podSecurityContext:
    enabled: true
    fsGroup: 1001
    fsGroupChangePolicy: Always
    supplementalGroups: []
    sysctls: []
  podTolerations: []
  resources: {}
  resourcesPreset: none
  sidecars: []
kubeVersion: ""
lifecycleHooks: {}
livenessProbe:
  enabled: true
  failureThreshold: 3
  initialDelaySeconds: 300
  periodSeconds: 1
  successThreshold: 1
  timeoutSeconds: 5
logging:
  level: INFO
  output: default
metrics:
  enabled: false
  prometheusRule:
    enabled: false
    groups: []
    labels: {}
    namespace: ""
  service:
    annotations:
      prometheus.io/port: '{{ .Values.metrics.service.ports.http }}'
      prometheus.io/scrape: "true"
    extraPorts: []
    ports:
      http: 8080
  serviceMonitor:
    enabled: false
    endpoints:
    - path: '{{ include "keycloak.httpPath" . }}metrics'
    - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics'
    honorLabels: false
    interval: 30s
    jobLabel: ""
    labels: {}
    metricRelabelings: []
    namespace: ""
    path: ""
    port: http
    relabelings: []
    scrapeTimeout: ""
    selector: {}
nameOverride: ""
namespaceOverride: ""
networkPolicy:
  allowExternal: true
  allowExternalEgress: true
  enabled: true
  extraEgress: []
  extraIngress: []
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
  kubeAPIServerPorts:
  - 443
  - 6443
  - 8443
nodeAffinityPreset:
  key: ""
  type: ""
  values: []
nodeSelector: {}
pdb:
  create: false
  maxUnavailable: ""
  minAvailable: 1
podAffinityPreset: ""
podAnnotations: {}
podAntiAffinityPreset: soft
podLabels: {}
podManagementPolicy: Parallel
podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: Always
  supplementalGroups: []
  sysctls: []
postgresql:
  architecture: standalone
  auth:
    database: bitnami_keycloak
    existingSecret: ""
    password: samplePassword
    postgresPassword: SamplePassword$
    username: bn_keycloak
  enabled: false
priorityClassName: ""
production: false
proxy: passthrough
rbac:
  create: false
  rules: []
readinessProbe:
  enabled: true
  failureThreshold: 3
  initialDelaySeconds: 30
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 1
replicaCount: 1
resources: {}
resourcesPreset: none
revisionHistoryLimitCount: 10
schedulerName: ""
service:
  annotations: {}
  clusterIP: ""
  externalTrafficPolicy: Cluster
  extraHeadlessPorts: []
  extraPorts: []
  headless:
    annotations: {}
    extraPorts: []
  http:
    enabled: true
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  nodePorts:
    http: ""
    https: ""
  ports:
    http: 80
    https: 443
  sessionAffinity: None
  sessionAffinityConfig: {}
  type: ClusterIP
serviceAccount:
  annotations: {}
  automountServiceAccountToken: false
  create: true
  extraLabels: {}
  name: ""
sidecars: []
spi:
  existingSecret: ""
  hostnameVerificationPolicy: ""
  passwordsSecret: ""
  truststoreFilename: keycloak-spi.truststore.jks
  truststorePassword: ""
startupProbe:
  enabled: false
  failureThreshold: 60
  initialDelaySeconds: 30
  periodSeconds: 5
  successThreshold: 1
  timeoutSeconds: 1
statefulsetAnnotations: {}
terminationGracePeriodSeconds: ""
tls:
  autoGenerated: false
  enabled: false
  existingSecret: ""
  keystoreFilename: keycloak.keystore.jks
  keystorePassword: ""
  passwordsSecret: ""
  truststoreFilename: keycloak.truststore.jks
  truststorePassword: ""
  usePem: false
tolerations: []
topologySpreadConstraints: []
updateStrategy:
  rollingUpdate: {}
  type: RollingUpdate

HOOKS:
MANIFEST:
---
# Source: keycloak/templates/networkpolicy.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/component: keycloak
  policyTypes:
    - Ingress
    - Egress
  egress:
    - {}
  ingress:
    - ports:
        - port: 7800
        - port: 8080
---
# Source: keycloak/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
automountServiceAccountToken: false
---
# Source: keycloak/templates/secret-external-db.yaml
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-externaldb
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
type: Opaque
data:
  db-password: "ripped"
---
# Source: keycloak/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
type: Opaque
data:
  admin-password: "YWRtaW4="
---
# Source: keycloak/templates/configmap-env-vars.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-env-vars
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
data:
  KEYCLOAK_ADMIN: "admin"
  KEYCLOAK_HTTP_PORT: "8080"
  KEYCLOAK_PROXY: "passthrough"
  KEYCLOAK_ENABLE_STATISTICS: "false"
  KEYCLOAK_DATABASE_HOST: "postgresql"
  KEYCLOAK_DATABASE_PORT: "5432"
  KEYCLOAK_DATABASE_NAME: "keycloak_db"
  KEYCLOAK_DATABASE_USER: "sa"
  KEYCLOAK_PRODUCTION:  "false"
  KEYCLOAK_ENABLE_HTTPS: "false"
  KEYCLOAK_CACHE_TYPE: "ispn"
  KEYCLOAK_CACHE_STACK: "kubernetes"
  JAVA_OPTS_APPEND: "-Djgroups.dns.query=keycloak-headless.ef-external.svc.cluster.local"
  KEYCLOAK_LOG_OUTPUT: "default"
  KEYCLOAK_LOG_LEVEL: "INFO"
---
# Source: keycloak/templates/headless-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-headless
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/component: keycloak
---
# Source: keycloak/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
spec:
  type: ClusterIP
  sessionAffinity: None
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      nodePort: null
  selector:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/component: keycloak
---
# Source: keycloak/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
spec:
  replicas: 1
  revisionHistoryLimit: 10
  podManagementPolicy: Parallel
  serviceName: keycloak-headless
  updateStrategy:
    rollingUpdate: {}
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/component: keycloak
  template:
    metadata:
      annotations:
        checksum/configmap-env-vars: 105b6b62fde9660ef97d33b13a25ebbc2f6178f6abc8c5acd3eb05205a3ea1ed
        checksum/secrets: 18571c8b2f020072e18478074f3a619490440d8b8e21688490a528f57f2b1edd
      labels:
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: keycloak
        app.kubernetes.io/version: 23.0.7
        helm.sh/chart: keycloak-19.3.0
        app.kubernetes.io/component: keycloak
    spec:
      serviceAccountName: keycloak

      automountServiceAccountToken: true
      affinity:
        podAffinity:

        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/instance: keycloak
                    app.kubernetes.io/name: keycloak
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity:

      securityContext:
        fsGroup: 1001
        fsGroupChangePolicy: Always
        supplementalGroups: []
        sysctls: []
      enableServiceLinks: true
      initContainers:
        - name: init-quarkus-directory
          image: docker.io/bitnami/keycloak:23.0.7-debian-12-r1
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
          args:
            - -ec
            - |
              #!/bin/bash
              cp -r /opt/bitnami/keycloak/lib/quarkus/* /quarkus
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1001
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /quarkus
              subPath: app-quarkus-dir
      containers:
        - name: keycloak
          image: docker.io/bitnami/keycloak:23.0.7-debian-12-r1
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1001
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BITNAMI_DEBUG
              value: "false"
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: admin-password
            - name: KEYCLOAK_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-externaldb
                  key: db-password
            - name: KEYCLOAK_HTTP_RELATIVE_PATH
              value: "/auth"
            - name: KC_HOSTNAME_ADMIN
              value: devops218.ef.com
            - name: KC_LOG_LEVEL
              value: DEBUG
            - name: KEYCLOAK_LOGLEVEL
              value: DEBUG
            - name: ROOT_LOGLEVEL
              value: DEBUG
            - name: KEYCLOAK_ADMIN_URL
              value: https://devops218.ef.com/keyadmin
            - name: KEYCLOAK_EXTRA_ARGS
              value: -Dkeycloak.frontendUrl=https://devops218.ef.com/keyadmin  -Dkeycloak.profile.feature.upload_scripts=enabled
            - name: KEYCLOAK_FRONTEND_URL
              value: https://devpos218.ef.com/keyadmin
            - name: KEYCLOAK_LOGLEVEL
              value: DEBUG
            - name: KEYCLOAK_PASSWORD
              value: admin
            - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: KEYCLOAK_USER
              value: admin
            - name: NODE_ENV
              value: development
          envFrom:
            - configMapRef:
                name: keycloak-env-vars
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: infinispan
              containerPort: 7800
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 300
            periodSeconds: 1
            successThreshold: 1
            timeoutSeconds: 5
            httpGet:
              path: /auth
              port: http
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
            httpGet:
              path: /authrealms/master
              port: http
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/lib/quarkus
              subPath: app-quarkus-dir
      volumes:
        - name: empty-dir
          emptyDir: {}
---
# Source: keycloak/templates/admin-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-admin
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |-
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
spec:
  ingressClassName: "nginx"
  rules:
    - host: "devops218.ef.com"
      http:
        paths:
          - path: /keyadmin
            pathType: ImplementationSpecific
            backend:
              service:
                name: keycloak
                port:
                  name: http
  tls:
    - hosts:
      - devops218.ef.com
      secretName: ef-ingress-tls-secret
---
# Source: keycloak/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: "ef-external"
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/version: 23.0.7
    helm.sh/chart: keycloak-19.3.0
    app.kubernetes.io/component: keycloak
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/server-snippets: |-
      location / {
         proxy_set_header X-Forwarded-For $host;
         proxy_set_header X-Forwarded-Proto $scheme;
        }
spec:
  ingressClassName: "nginx"
  rules:
    - host: "devops218.ef.com"
      http:
        paths:
          - path: /auth
            pathType: ImplementationSpecific
            backend:
              service:
                name: keycloak
                port:
                  name: http
  tls:
    - hosts:
      - devops218.ef.com
      secretName: ef-ingress-tls-secret

NOTES:
CHART NAME: keycloak
CHART VERSION: 19.3.0
APP VERSION: 23.0.7

** Please be patient while the chart is being deployed **

Keycloak can be accessed through the following DNS name from within your cluster:

    keycloak.ef-external.svc.cluster.local (port 80)

To access Keycloak from outside the cluster execute the following commands:

1. Get the Keycloak URL and associate its hostname to your cluster external IP:

   export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
   echo "Keycloak URL: https://devops218.ef.com/"
   echo "$CLUSTER_IP  devops218.ef.com" | sudo tee -a /etc/hosts
The admin area of Keycloak has been configured to point to a different domain (devops218.ef.com). Please remember to update the `frontendUrl` property of the `master` (or any other) realm for it to work properly (see README for an example) :

   echo "Keycloak admin URL: https://devops218.ef.com/"
   echo "$CLUSTER_IP  devops218.ef.com" | sudo tee -a /etc/hosts

2. Access Keycloak using the obtained URL.
3. Access the Administration Console using the following credentials:

  echo Username: admin
  echo Password: $(kubectl get secret --namespace ef-external keycloak -o jsonpath="{.data.admin-password}" | base64 -d)

WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
  - resources
+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
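
The following consistency check over values visible in the rendered output above is an added example, not part of the original issue or of the Bitnami chart. The function name `lint`, the finding labels and the inline sample (constructed from the manifest values shown) are assumptions made for illustration; it flags inconsistencies, not a confirmed root cause.

```python
from urllib.parse import urlsplit

# Constructed sample: values copied from the rendered manifest in the post above.
ENV = [
    ("KEYCLOAK_HTTP_RELATIVE_PATH", "/auth"),
    ("KEYCLOAK_LOGLEVEL", "DEBUG"),
    ("KEYCLOAK_ADMIN_URL", "https://devops218.ef.com/keyadmin"),
    ("KEYCLOAK_FRONTEND_URL", "https://devpos218.ef.com/keyadmin"),
    ("KEYCLOAK_LOGLEVEL", "DEBUG"),
    ("KEYCLOAK_PASSWORD", "admin"),
]
PROBES = {"livenessProbe": "/auth", "readinessProbe": "/authrealms/master"}
ROUTES = [("devops218.ef.com", "/keyadmin"), ("devops218.ef.com", "/auth")]
SNIPPET = "proxy_set_header X-Forwarded-For $host;"


def lint(env, probes, routes, snippet):
    """Return finding strings for one rendered Deployment plus its Ingress rules."""
    findings = []
    names = [name for name, _ in env]
    # A name listed twice leaves it unclear which value was intended.
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate-env:{dup}")
    # Credentials should come from secretKeyRef, not a literal value.
    for name, value in env:
        if name.endswith("PASSWORD") and value:
            findings.append(f"plaintext-secret:{name}")
    # A probe path must equal the relative path or sit below it.
    base = dict(env)["KEYCLOAK_HTTP_RELATIVE_PATH"].rstrip("/")
    for probe, path in probes.items():
        if path != base and not path.startswith(base + "/"):
            findings.append(f"probe-path:{probe}:{path}")
    # Each configured URL must match a host and path prefix an Ingress serves.
    for name, value in env:
        if name.endswith("_URL"):
            url = urlsplit(value)
            if not any(url.hostname == h and url.path.startswith(p) for h, p in routes):
                findings.append(f"unrouted-url:{name}:{url.hostname}")
    # X-Forwarded-For conventionally carries client addresses
    # (nginx: $proxy_add_x_forwarded_for), not the Host header.
    if "X-Forwarded-For $host" in snippet:
        findings.append("xff-set-to-host")
    return findings


if __name__ == "__main__":
    for finding in lint(ENV, PROBES, ROUTES, SNIPPET):
        print(finding)
```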

@carrodher
Member

Thank you for bringing this issue to our attention. We appreciate your involvement! If you're interested in contributing a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Mar 26, 2024

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 31, 2024