Installing on OpenShift 4

This guide describes how to install this component on OpenShift 4.

Parameters for Keycloak

You need to unset some security context fields, because OpenShift assigns them (UID, GID and fsGroup) automatically through its security context constraints. The sample below also configures end-to-end encryption to Keycloak using OpenShift's service serving certificates: the route terminates TLS and re-encrypts the connection to the pod.

parameters:
  keycloak:
    tls:
      provider: openshift
    ingress:
      tls:
        termination: reencrypt
    extraVolumes:
      data:
        emptyDir: {}
    extraVolumeMounts:
      # Required because on OpenShift the container runs with an arbitrary UID (not UID 1000/GID 0) and
      # cannot create the data directory inside the keycloak directory
      data:
        mountPath: /opt/keycloak/data

Parameters for OpenShift 4.11 and higher

OpenShift 4.11 enables Pod Security Admission cluster-wide.

runAsUser and runAsGroup must be unset so that the security context constraints can assign the UID and GID.

The pod security context can be configured like:

parameters:
  keycloak:
    helm_values:
      podSecurityContext:
        fsGroup: null
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      securityContext:
        capabilities:
          drop:
            - ALL
        runAsUser: null
      dbchecker:
        securityContext:
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsGroup: null
          runAsUser: null

You can additionally enforce the restricted Pod Security Admission profile at the namespace level. Setting security.openshift.io/scc.podSecurityLabelSync to "false" stops OpenShift from overwriting these labels based on the SCCs granted in the namespace:

parameters:
  keycloak:
    namespaceLabels:
      pod-security.kubernetes.io/audit: restricted
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/warn: restricted
      security.openshift.io/scc.podSecurityLabelSync: "false"

Parameters for up to OpenShift 4.10

OpenShift 4.10 and below do not support Pod Security Admission. runAsUser and runAsGroup must still be unset.

parameters:
  keycloak:
    helm_values:
      podSecurityContext: null
      securityContext: null
      dbchecker:
        securityContext: null

Parameters for built-in Postgresql database on OpenShift 4.11 and higher and the Bitnami Postgres Helm Chart 12.7.0 and higher

If you are using the built-in database provider (the default unless keycloak.database.provider is overridden) you also need to adjust the following parameters.

parameters:
  keycloak:
    postgresql_helm_values:
      primary:
        podSecurityContext:
          enabled: true
          fsGroup: null
          runAsNonRoot: true
        containerSecurityContext:
          enabled: true
          runAsUser: null
          runAsGroup: null
      volumePermissions:
        enabled: false
      shmVolume:
        enabled: false

Parameters for built-in Postgresql database on OpenShift 4.11 and higher

If you are using the built-in database provider (the default unless keycloak.database.provider is overridden) you also need to adjust the following parameters.

parameters:
  keycloak:
    postgresql_helm_values:
      primary:
        podSecurityContext:
          enabled: true
          fsGroup: null
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        containerSecurityContext:
          enabled: true
          runAsUser: null
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
      volumePermissions:
        enabled: false
      shmVolume:
        enabled: false
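The Keycloak pod security context in "Parameters for OpenShift 4.11 and higher" and the PostgreSQL values above both have to satisfy the same two sets of rules: the restricted Pod Security Standard (runAsNonRoot, seccompProfile, allowPrivilegeEscalation, dropped capabilities) and the OpenShift convention of leaving runAsUser, runAsGroup and fsGroup unset so the SCC assigns them. The following checker is an added example and not part of this component or its Helm charts; the two sample contexts are constructed here, the compliant one from the PostgreSQL snippet above (with the chart's enabled keys removed) and the weak one from typical upstream chart defaults. Note that OpenShift's SCC admission fills in some of these fields itself, so a partial override can pass admission while failing this stricter check on what the chart renders:

```python
"""Check a pod/container securityContext pair against the restricted Pod Security
Standard plus the OpenShift rule that UID/GID/fsGroup are left to the SCC.
Added example; not code from the component or the Helm charts it wraps."""

# restricted profile: the only capability that may be added back.
RESTRICTED_ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}

# Constructed sample, taken from the PostgreSQL 4.11+ values on this page.
PG_POD_CTX = {
    "fsGroup": None,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
PG_CTR_CTX = {
    "runAsUser": None,
    "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}

# Constructed sample of what an upstream chart typically ships before the
# OpenShift overrides: fixed UID/fsGroup, no seccomp, no explicit escalation flag.
WEAK_POD_CTX = {"fsGroup": 1000}
WEAK_CTR_CTX = {
    "runAsUser": 1000,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}


def _effective(pod_ctx, ctr_ctx, key):
    """Container-level setting overrides the pod-level one (Kubernetes semantics)."""
    if ctr_ctx.get(key) is not None:
        return ctr_ctx[key]
    return pod_ctx.get(key)


def check_restricted(pod_ctx, ctr_ctx):
    """Return a list of violations; an empty list means the pair is compliant."""
    pod_ctx = pod_ctx or {}
    ctr_ctx = ctr_ctx or {}
    problems = []

    # OpenShift: leave identity fields unset so the SCC assigns values from the
    # namespace's UID/GID range instead of rejecting the pod.
    for key in ("runAsUser", "runAsGroup", "fsGroup"):
        if pod_ctx.get(key) is not None:
            problems.append(f"podSecurityContext.{key} is set ({pod_ctx[key]}); unset it on OpenShift")
    for key in ("runAsUser", "runAsGroup"):
        if ctr_ctx.get(key) is not None:
            problems.append(f"securityContext.{key} is set ({ctr_ctx[key]}); unset it on OpenShift")

    # restricted: runAsNonRoot must be true at pod or container level.
    if _effective(pod_ctx, ctr_ctx, "runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")

    # restricted: seccompProfile.type must be RuntimeDefault or Localhost.
    seccomp = _effective(pod_ctx, ctr_ctx, "seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")

    # restricted, container-level only fields.
    if ctr_ctx.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    if ctr_ctx.get("privileged"):
        problems.append("privileged containers are not allowed")
    caps = ctr_ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - RESTRICTED_ALLOWED_ADD_CAPS
    if extra:
        problems.append(f"capabilities.add contains disallowed {sorted(extra)}")
    return problems


if __name__ == "__main__":
    for name, pod, ctr in (("postgresql", PG_POD_CTX, PG_CTR_CTX),
                           ("upstream-default", WEAK_POD_CTX, WEAK_CTR_CTX)):
        found = check_restricted(pod, ctr)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print(f"  - {p}")
```

Run it against the values your rendered manifests actually contain (for example after a helm template of the chart with these overrides applied) rather than against the fragments in this guide, since the fragments are merged with the component's defaults before anything reaches the cluster.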

Parameters for built-in Postgresql database up to OpenShift 4.10

If you are using the built-in database provider (the default unless keycloak.database.provider is overridden) you also need to adjust the following parameters.

parameters:
  keycloak:
    postgresql_helm_values:
      primary:
        podSecurityContext:
          enabled: false
        containerSecurityContext:
          enabled: false
      volumePermissions:
        enabled: false
      shmVolume:
        enabled: false