keycloak values.yaml
domain📜
Type: string
"dev.bigbang.mil"
Description: The base domain for all Big Bang components. Keycloak will be available at keycloak.%domain%
istio.enabled📜
Type: bool
false
Description: Enable or disable Istio
istio.hardened.enabled📜
Type: bool
false
Description: Enable or disable Istio's hardened mode
istio.hardened.customAuthorizationPolicies📜
Type: list
[]
Description: Custom authorization policies to be applied to the keycloak namespace
istio.hardened.outboundTrafficPolicyMode📜
Type: string
"REGISTRY_ONLY"
Description: Specify the Istio outbound traffic policy mode
istio.hardened.customServiceEntries📜
Type: list
[]
Description: Custom service entries to be applied to the keycloak namespace
istio.mtls.mode📜
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic; PERMISSIVE = Allow both plain text and mutual TLS traffic
istio.keycloak.enabled📜
Type: bool
false
Description: Enable or disable the istio virtual service for keycloak
istio.keycloak.annotations📜
Type: object
{}
Description: Additional annotations to be added to the istio virtual service
istio.keycloak.labels📜
Type: object
{}
Description: Additional labels to be added to the istio virtual service
istio.keycloak.gateways📜
Type: list
- istio-system/main
Description: Specify the istio gateways to be used for keycloak
istio.keycloak.hosts📜
Type: list
- keycloak.{{ .Values.domain }}
Description: Specify the hostnames from which keycloak will be accessible
networkPolicies.enabled📜
Type: bool
false
Description: Enable or disable the bundled network policies
networkPolicies.externalServices📜
Type: object
{}
Description: Configure external services that keycloak needs to access
networkPolicies.ingressLabels📜
Type: object
app: istio-ingressgateway
istio: ingressgateway
Description: Configures labelSelectors for network policies allowing ingress from istio gateways
networkPolicies.additionalPolicies📜
Type: list
[]
Description: Configures additional network policies beyond the ones bundled with the chart
bbtests.enabled📜
Type: bool
false
Description: Enables the Big Bang test hooks
bbtests.image📜
Type: string
"registry1.dso.mil/ironbank/big-bang/base:2.1.0"
bbtests.cypress.artifacts📜
Type: bool
true
bbtests.cypress.envs.cypress_url📜
Type: string
"http://keycloak-upstream-http.keycloak.svc.cluster.local"
bbtests.cypress.envs.cypress_username📜
Type: string
"admin"
bbtests.cypress.envs.cypress_password📜
Type: string
"password"
bbtests.cypress.envs.cypress_tnr_username📜
Type: string
"cypress"
bbtests.cypress.envs.cypress_tnr_password📜
Type: string
"tnr_w!G33ZyAt@C8"
bbtests.cypress.envs.tnr_username📜
Type: string
"cypress"
bbtests.cypress.envs.tnr_password📜
Type: string
"tnr_w!G33ZyAt@C8"
bbtests.cypress.envs.tnr_firstName📜
Type: string
"Cypress"
bbtests.cypress.envs.tnr_lastName📜
Type: string
"TNR"
bbtests.cypress.envs.tnr_email📜
Type: string
"cypress@tnr.mil"
upstream.podAnnotations."proxy.istio.io/config"📜
Type: string
"proxyMetadata:\n ISTIO_META_DNS_CAPTURE: \"true\"\n"
upstream.replicas📜
Type: int
1
upstream.image.repository📜
Type: string
"registry1.dso.mil/ironbank/opensource/keycloak/keycloak"
Description: The Keycloak image repository
upstream.image.tag📜
Type: string
"26.1.4"
upstream.podSecurityContext📜
Type: object
fsGroup: 2000
runAsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
Description: SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
upstream.securityContext📜
Type: object
capabilities:
drop:
- ALL
runAsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
Description: SecurityContext for the Keycloak container
upstream.args📜
Type: list
- start
Description: Overrides the default args for the Keycloak container. The arg "start" needs to be set for the container to start up properly.
upstream.extraEnvFrom📜
Type: string
"- secretRef:\n name: '{{ include \"keycloak.fullname\" . }}-env'\n"
Description: Additional environment variables for Keycloak mapped from Secret or ConfigMap
upstream.resources📜
Type: object
limits:
memory: 1Gi
requests:
cpu: '1'
memory: 1Gi
Description: Pod resource requests and limits
upstream.secrets📜
Type: object
env:
stringData:
JAVA_OPTS_APPEND: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
KC_HOSTNAME: keycloak.{{ .Values.domain }}
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: password
Description: Configuration for secrets that should be created. The secrets can also be created independently of this Helm chart, for example with a GitOps tool like Flux using a Kustomize overlay. NOTE: Secret values can be templated.
upstream.secrets.env📜
Type: object
stringData:
JAVA_OPTS_APPEND: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
KC_HOSTNAME: keycloak.{{ .Values.domain }}
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: password
Description: Environmental variables
upstream.secrets.env.stringData.JAVA_TOOL_OPTIONS📜
Type: string
"-Dcom.redhat.fips=false"
Description: https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index
upstream.secrets.env.stringData.KEYCLOAK_ADMIN📜
Type: string
"admin"
Description: Default admin credentials (KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD). Override them for production deployments.
upstream.secrets.env.stringData.JAVA_OPTS_APPEND📜
Type: string
"-Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless"
Description: https://www.keycloak.org/server/caching
upstream.dbchecker.enabled📜
Type: bool
false
Description: If true, the dbchecker init container is enabled; this is incompatible with Big Bang and so is disabled by default.
upstream.database📜
Type: object
database: keycloak
existingSecret: keycloak-postgresql
existingSecretKey: password
hostname: keycloak-postgresql
port: 5432
username: keycloak
vendor: postgres
Description: Configures the database connection; can be configured here and/or via environment variables with upstream.secrets.env
upstream.database.hostname📜
Type: string
"keycloak-postgresql"
Description: If the release is not named keycloak, change the hostname to match the release name: %release-name%-postgresql
postgresql.enabled📜
Type: bool
true
Description: If true, the PostgreSQL dependency is enabled.
postgresql.image.registry📜
Type: string
"registry1.dso.mil"
postgresql.image.repository📜
Type: string
"ironbank/bitnami/postgres"
postgresql.image.tag📜
Type: string
"17.4.0"
postgresql.global.security.allowInsecureImages📜
Type: bool
true
Description: Allow registry1.dso.mil in lieu of the default bitnami registry
postgresql.global.postgresql.auth.username📜
Type: string
"keycloak"
Description: PostgreSQL User to create
postgresql.global.postgresql.auth.password📜
Type: string
"keycloak"
Description: PostgreSQL Password for the new user
postgresql.global.postgresql.auth.database📜
Type: string
"keycloak"
Description: PostgreSQL Database to create