Default features

Many Helm Charts in the Kubernetes community have advanced features disabled by default in order to ease installations without configuring much. This is also the case with the Keycloak Helm chart this component depends upon. However, this component aims to provision Keycloak secure by default, so a lot of defaults have activated advanced features. This page gives an overview over the defaults.

Enabled features

  • Installs single-node PostgreSQL as the built-in database provider

  • Encrypted connection to database

  • Enabled network policy for database to protect from unexpected connections

  • Prometheus ServiceMonitor to scrape metrics

  • 2 replicas of Keycloak, with anti-affinity

  • Enabled Ingress with re-encryption

  • Configured requests and limits for CPU and memory resources

Disabled features

Network policy for Keycloak

This component also supports installing a network policy to better control which pods can connect to Keycloak. The network policy is disabled by default since it depends on the cluster setup whether they work correctly or not.

Don’t enable network policy if your cluster has an ingress controller installed where its pods are using the host network (hostNetwork: true). At least with the Calico network plugin, network policy label selectors targeting the host networked ingress pods don’t work. We recommend to keep this feature disabled in that case.

However, if you don’t need an ingress controller to connect to Keycloak, or using an ingress controller that doesn’t use host network, network policy might be enabled.

The network policy for the built-in database isn’t affected and is enabled by default (if using the built-in database).