Parameters :: Commodore Hub

`namespace`

type	string
default	`syn-${_instance}`

The namespace in which to deploy this component.

When using multiple instances for this component, each instance needs its own namespace. You can’t deploy multiple instances into the same namespace.

`namespaceLabels`

type	dict
default	`{}`

Additional labels to add to the component’s namespace. Key value pairs in the dict are directly added to the generated namespace manifest.

Users must ensure that the provided key value pairs are valid Kubernetes label keys and label values. In particular, make sure to quote boolean or string label values as otherwise the namespace may get created without any labels.

`name`

type	string
default	`${_instance}`

Usually there is just one deployment and therefore no change is required.

`images.(keycloak|busybox|postgresql|bitnamishell).registry`

type	string
default	`see class/defaults.yml`

The image registry used for the container image path.

`images.(keycloak|busybox|postgresql|bitnamishell).repository`

type	string
default	`see class/defaults.yml`

The image repository used for the container image path.

`images.(keycloak|busybox|postgresql|bitnamishell).repository`

type	string
default	`see class/defaults.yml`

The image tag used for the container image path.

`charts.keycloakx.source`

type	helm chart source
default	`codecentric.github.io/helm-charts`

A specific helm chart source. See the kapitan documentation for more information.

`charts.keycloakx.version`

type	helm chart version
default	See `class/defaults.yml`

A specific helm chart version. See the kapitan documentation for more information.

`charts.postgresql.source`

type	helm chart source
default	`charts.bitnami.com/bitnami`

A specific helm chart source. See the kapitan documentation for more information.

`charts.postgresql.version`

type	helm chart version
default	See `class/defaults.yml`

A specific chart version. See the kapitan documentation for more information.

`fqdn`

type	string
default	`keycloak.example.com`

Defines the FQDN the keycloak ingress or route object is configured. FQDN should be overwritten on the cluster level.

`relativePath`

type	string
default	`/`

Defines the relative path of Keycloak. The default realtiv path of Keycloak has changed from /auth to / with the migration to Quarkus. To preserve the legacy behavior of Wildfly set the relativePath to /auth.

`hostnameStrict`

type	bool
default	`see description`

Disables dynamically resolving the hostname from request headers.

Default depending on the ingress termination mode:

reencrypt Is false because the internal TLS certificate isn’t equal to the Keycloak FQDN.
passthrough Is true because the certificate is equal to the Keycloak FQDN.

`admin.secretname`

type	string
default	`${keycloak:name}-admin-user`

`admin.username`

type	string
default	`admin`

`admin.password`

type	string
default	Vault reference

A Vault reference pointing to the Vault secret containing the Keycloak admin password.

# Adjust to your environment
instance=keycloak
key="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/${instance}"

# Query for existing secrets first
vault kv get "${key}"

# If there are existing secrets, add your instance secrets:
vault kv patch "${key}" admin-password=$(pwgen -s 32 1)

# If there is no pre-existing secret, create new:
vault kv put "${key}" admin-password=$(pwgen -s 32 1)

See Change passwords to change the password after the initial setup.

`replicas`

type	integer
default	2

The Keycloak pod replicas. Usualy two for the redundancy during the maintenance.

`tls`

This key configures encryption of internal traffic, meaning from the IngressController to Keycloak itself.

For Ingress-specific TLS configuration, see ingress.tls.

`tls.provider`

type	string
default	`certmanager`

Defines how TLS certificates for internal (ingress to pods) traffic are provisioned:

certmanager for certificates issued via cert-manager.
vault for certificates stored in Vault.
openshift for service serving certificates

Also see: ingress.tls.provider

`tls.secretName`

type	string
default	`keycloak-tls`

`tls.vault.cert`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/keycloak-cert}`

`tls.vault.cert`

type	String
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/keycloak-cert-key}`

`tls.certmanager.apiVersion`

type	string
default	`cert-manager.io/v1`

Cert-Manager v1.x is using cert-manager.io/v1 in their CRDs. Older cert-manager versions (v0.x) are using cert-manager.io/v1beta1 or other.

`tls.certmanager.issuer.name`

type	string
default	`letsencrypt-production`

Define the cert-manager issuer name. If cert-manager is managed by component cert-manager with the default configuration, this is one of letsencrypt-production or letsencrypt-staging.

`tls.certmanager.issuer.kind`

type	string
default	`ClusterIssuer`

Define the issuer kind. Can be ClusterIssuer or Issuer.

`tls.certmanager.issuer.group`

type	string
default	`cert-manager.io`

`ingress.enabled`

type	bool
default	`true`

Create an ingress object used usually for standard Kubernetes clusters.

`ingress.controller`

type	string
default	`nginx`

Does define the used ingress controller on the cluster side.

Defaults to nginx and this is currently also the only supported option.

`ingress.annotations`

type	dict
default	`{}`

By default, a set of annotations is configured depending on tls.provider and tls.termination.

The default annotations can extended with custom annotations as required.

`ingress.controllerNamespace`

type	string
default	`ingress-nginx`

The namespace where the ingress controller is running. This is only relevant when enabling the network policy with helm_values.networkPolicy.enabled.

`ingress.tls`

This key configures encryption of external traffic, meaning from the client to the ingress controller.

For internal TLS configuration, see tls above.

`ingress.tls.termination`

type	string
default	`reencrypt`

Defines the termination mode:

reencrypt TLS termination happens at the ingress or route, the traffic is re-encrypted.
passthrough TLS termination happens at Keycloak itself, ingress or route passes the traffic.

This changes the mode of the ingress annotations and the Keycloak proxy mode.

`ingress.tls.provider`

type	string
default	`certmanager`

Defines how TLS certificates for external traffic (Ingress/Route) are provisioned:

certmanager for certificates issued via cert-manager.
vault for certificates stored in Vault.

Also see: tls.provider

`ingress.tls.secretName`

type	string
default	`ingress-tls`

Allows overwriting the default secret name where the ingress controller looks for the certificates.

`ingress.tls.certmanager.issuerName`

type	string
default	`letsencrypt-production`

Name of the ClusterIssuer to use if certmanager is selected in ingress.tls.provider.

`ingress.tls.vault.cert`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/ingress-cert}`

`ingress.tls.vault.certKey`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/ingress-cert-key}`

`route.enabled`

type	bool
default	`false`

Create a route object on an OpenShift cluster.

`labels."app.kubernetes.io/name"`

type	string
default	`keycloak`

`labels."app.kubernetes.io/instance"`

type	string
default	`${_instance}`

`labels."app.kubernetes.io/version"`

type	string
default	`v11.0.0`

`labels."app.kubernetes.io/component"`

type	string
default	`keycloak`

`labels."app.kubernetes.io/managed-by"`

type	string
default	`commodore`

`resources.requests.memory`

type	string
default	`512Mi`

`resources.requests.cpu`

type	string
default	`500m`

`resources.limits.memory`

type	string
default	`1Gi`

`resources.limits.cpu`

type	string
default	`1`

`extraJavaOpts`

type	string
default	``

The extraJavaOpts can add instance specific configurations to Keycloak.

`extraEnv`

type	dict
default	{}

Extra environment variables added to the Keycloak StatefulSet. Keys in the dict are used as value for field name in the resulting environment variable configuration. Values must be valid Kubernetes environment variable configurations.

Example:

parameters:
  keycloak:
    extraEnv:
      FOO:
        value: bar

`extraVolumes`

type	dict
default	{}

Extra volumes added to the Keycloak StatefulSet. Keys in the dict are used as value for field name in the resulting volume configuration. Values must be valid Kubernetes volume configurations.

Example:

parameters:
  keycloak:
    extraVolumes:
      theme:
        emptyDir: {}

`extraVolumeMounts`

type	dict
default	{}

Extra volume mounts added to the Keycloak container. Keys in the dict are used as value for field name in the resulting volume mount configuration. Values must be valid Kubernetes volume mount configurations.

Prefer this over using helm_values.extraVolumeMounts since with the later you’ll have to make sure you don’t accidentially break stuff (for example DB TLS and internal TLS are configured via extra volumes).

Example:

parameters:
  keycloak:
    extraVolumeMounts:
      theme-vshn:
        name: theme
        readOnly: true
        mountPath: /opt/keycloak/themes/vshn

`extraInitContainers`

type	dict
default	{}

Extra init containers added to the Keycloak StatefulSet. Keys in the dict are used as value for field name in the resulting container configuration. Values must be valid Kubernetes container configurations.

Example:

parameters:
  keycloak:
    extraInitContainers:
      theme-provider:
        image: company/keycloak-theme:v1.0.0
        imagePullPolicy: IfNotPresent
        command:
          - sh
        args:
          - -c
          - |
            echo "Copying theme..."
            cp -R /theme/* /company-theme
        volumeMounts:
          - name: theme
            mountPath: /company-theme

`monitoring.enabled`

type	bool
default	`true`

Enable ServiceMonitor, PrometheusRule, and all Keycloak statistics on the metrics endpoint by default.

`monitoring.rules`

type	list
default	`[]`

`database.provider`

type	string
values	`builtin`, `external`
default	`builtin`

`database.database`

type	string
default	`keycloak`

`database.username`

type	string
default	`keycloak`

`database.jdbcParams`

type	string
default	`sslmode=verify-ca&sslrootcert=/opt/keycloak/db-certs/tls.crt`

Please note that if you need to customize JDBC parameters, copy and append them to the default with &, otherwise TLS will be disabled. For example: sslmode=verify-ca&sslrootcert=/opt/keycloak/db-certs/tls.crt&mycustomparameter=somevalue

`database.password`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/db-password}`

A Vault reference pointing to the Vault secret containing the Keycloak database password.

# Adjust to your environment
instance=keycloak
key="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/${instance}"

# Query for existing secrets first
vault kv get "${key}"

# If there are existing secrets, add your instance secrets:
vault kv patch "${key}" db-password=$(pwgen -s 32 1)

# If there is no pre-existing secret, create new:
vault kv put "${key}" db-password=$(pwgen -s 32 1)

See Change passwords to change the password after the initial setup.

`database.secretname`

type	string
default	`${keycloak:name}-postgresql`

`database.external.vendor`

type	string
default	`postgres`

`database.external.host`

type	string
default	`postgres.example.com`

`database.external.port`

type	int
default	`5432`

`database.tls.enabled`

type	bool
default	`true`

See Encrypt database connection to install Keycloak with encryption or to disable it completely.

`database.tls.verification`

type	string
values	`selfsigned`, `verify`
default	`selfsigned`

`database.tls.certSecretName`

type	string
default	`keycloak-postgresql-tls`

`database.tls.serverCert`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/server-cert}`

See Encrypt database connection to install Keycloak with encryption.

`database.tls.serverCertKey`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/server-cert-key}`

See Encrypt database connection to install Keycloak with encryption.

`k8up.enabled`

type	bool
default	`false`

Defines whether the K8up database backup is enabled or not.

`k8up.keepjobs`

type	int
default	`3`

Defines how many backup jobs are kept. It’s useful for debugging to have a few recent completed (or failed) backup jobs available in K8s. Keeping a lot of jobs may negatively impact the K8s cluster performance however.

`k8up.repo.secretName`

type	string
default	`k8up-repo`

The name of the secret containing the password for the K8up restic repository.

`k8up.repo.password`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-repo-password}`

Vault reference to the K8up restic repository password.

`k8up.s3.secretName`

type	string
default	`k8up-s3-credentials`

The name of the secret containing the credentials to access the S3 bucket holding the backups.

`k8up.s3.bucket`

type	string
default	`k8up-${cluster:name}-syn-keycloak`

The name of the S3 bucket where the backups gets stored.

`k8up.s3.accessKey`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-s3-accesskey}`

S3 access key to the bucket where the backups gets stored.

`k8up.s3.secretKey`

type	string
default	`?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-s3-secretkey}`

S3 secret key to the bucket where the backups gets stored.

`k8up.s3.customCA`

type	dict
default	`null`

Configure a custom CA for connecting to the backend.

`helm_values`

type	dict
default	see `defaults.yml`

All helm_values are passed to the helm chart. This allows to configure all keycloak helm chart values.

Note that it’s your own liability to make sure you don’t break stuff by overwriting values here!