
keycloak values.yaml📜

domain📜

Type: string

Default value
"dev.bigbang.mil"

Description: The base domain for all Big Bang components. Keycloak will be available at keycloak.%domain%

istio.enabled📜

Type: bool

Default value
false

Description: Enable or disable Istio

istio.hardened.enabled📜

Type: bool

Default value
false

Description: Enable or disable istio’s hardened mode

istio.hardened.customAuthorizationPolicies📜

Type: list

Default value
[]

Description: Custom authorization policies to be applied to the keycloak namespace

istio.hardened.outboundTrafficPolicyMode📜

Type: string

Default value
"REGISTRY_ONLY"

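Description: Specify the Istio outbound traffic policy mode. In Istio, REGISTRY_ONLY limits sidecar egress to hosts present in the mesh service registry, while ALLOW_ANY permits traffic to unknown destinations.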

istio.hardened.customServiceEntries📜

Type: list

Default value
[]

Description: Custom service entries to be applied to the keycloak namespace

istio.mtls.mode📜

Type: string

Default value
"STRICT"

Description: STRICT = Allow only mutual TLS traffic; PERMISSIVE = Allow both plain text and mutual TLS traffic

istio.keycloak.enabled📜

Type: bool

Default value
false

Description: Enable or disable the istio virtual service for keycloak

istio.keycloak.annotations📜

Type: object

Default value
{}

Description: Additional annotations to be added to the istio virtual service

istio.keycloak.labels📜

Type: object

Default value
{}

Description: Additional labels to be added to the istio virtual service

istio.keycloak.gateways📜

Type: list

Default value
- istio-system/main

Description: Specify the istio gateways to be used for keycloak

istio.keycloak.hosts📜

Type: list

Default value
- keycloak.{{ .Values.domain }}

Description: Specify the hostnames from which keycloak will be accessible

networkPolicies.enabled📜

Type: bool

Default value
false

Description: Enable or disable the bundled network policies

networkPolicies.externalServices📜

Type: object

Default value
{}

Description: Configure external services that keycloak needs to access

networkPolicies.ingressLabels📜

Type: object

Default value
app: istio-ingressgateway
istio: ingressgateway

Description: Configures labelSelectors for network policies allowing ingress from istio gateways

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

Description: Configures additional network policies beyond the ones bundled with the chart

bbtests.enabled📜

Type: bool

Default value
false

Description: Enables the Big Bang test hooks

bbtests.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base:2.1.0"

bbtests.cypress.artifacts📜

Type: bool

Default value
true

bbtests.cypress.envs.cypress_url📜

Type: string

Default value
"http://keycloak-upstream-http.keycloak.svc.cluster.local"

bbtests.cypress.envs.cypress_username📜

Type: string

Default value
"admin"

bbtests.cypress.envs.cypress_password📜

Type: string

Default value
"password"

bbtests.cypress.envs.cypress_tnr_username📜

Type: string

Default value
"cypress"

bbtests.cypress.envs.cypress_tnr_password📜

Type: string

Default value
"tnr_w!G33ZyAt@C8"

bbtests.cypress.envs.tnr_username📜

Type: string

Default value
"cypress"

bbtests.cypress.envs.tnr_password📜

Type: string

Default value
"tnr_w!G33ZyAt@C8"

bbtests.cypress.envs.tnr_firstName📜

Type: string

Default value
"Cypress"

bbtests.cypress.envs.tnr_lastName📜

Type: string

Default value
"TNR"

bbtests.cypress.envs.tnr_email📜

Type: string

Default value
"cypress@tnr.mil"

upstream.podAnnotations."proxy.istio.io/config"📜

Type: string

Default value
"proxyMetadata:\n  ISTIO_META_DNS_CAPTURE: \"true\"\n"

upstream.replicas📜

Type: int

Default value
1

upstream.image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/keycloak/keycloak"

Description: The Keycloak image repository

upstream.image.tag📜

Type: string

Default value
"26.1.4"

upstream.podSecurityContext📜

Type: object

Default value
fsGroup: 2000
runAsGroup: 2000
runAsNonRoot: true
runAsUser: 2000

Description: SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example of this).

upstream.securityContext📜

Type: object

Default value
capabilities:
  drop:
  - ALL
runAsGroup: 2000
runAsNonRoot: true
runAsUser: 2000

Description: SecurityContext for the Keycloak container

upstream.args📜

Type: list

Default value
- start

Description: Overrides the default args for the Keycloak container. The arg “start” needs to be set for the container to start up properly.

upstream.extraEnvFrom📜

Type: string

Default value
"- secretRef:\n    name: '{{ include \"keycloak.fullname\" . }}-env'\n"

Description: Additional environment variables for Keycloak mapped from Secret or ConfigMap

upstream.resources📜

Type: object

Default value
limits:
  memory: 1Gi
requests:
  cpu: '1'
  memory: 1Gi

Description: Pod resource requests and limits

upstream.secrets📜

Type: object

Default value
env:
  stringData:
    JAVA_OPTS_APPEND: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
    JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
    KC_HOSTNAME: keycloak.{{ .Values.domain }}
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: password

Description: Configuration for secrets that should be created. The secrets can also be created independently of this helm chart, for example with a GitOps tool like Flux with a Kustomize overlay. NOTE: Secret values can be templated.

upstream.secrets.env📜

Type: object

Default value
stringData:
  JAVA_OPTS_APPEND: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
  JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
  KC_HOSTNAME: keycloak.{{ .Values.domain }}
  KEYCLOAK_ADMIN: admin
  KEYCLOAK_ADMIN_PASSWORD: password

Description: Environmental variables

upstream.secrets.env.stringData.JAVA_TOOL_OPTIONS📜

Type: string

Default value
"-Dcom.redhat.fips=false"

Description: Sets the com.redhat.fips JVM system property to false. Reference: https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index

upstream.secrets.env.stringData.KEYCLOAK_ADMIN📜

Type: string

Default value
"admin"

Description: Default admin credentials. Override them for production deployments; the chart default for KEYCLOAK_ADMIN_PASSWORD is the placeholder value "password".

upstream.secrets.env.stringData.JAVA_OPTS_APPEND📜

Type: string

Default value
"-Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless"

Description: https://www.keycloak.org/server/caching

upstream.dbchecker.enabled📜

Type: bool

Default value
false

Description: If true, the dbchecker init container is enabled; this is incompatible with Big Bang and so is disabled by default.

upstream.database📜

Type: object

Default value
database: keycloak
existingSecret: keycloak-postgresql
existingSecretKey: password
hostname: keycloak-postgresql
port: 5432
username: keycloak
vendor: postgres

Description: Configures the database connection; can be configured here and/or via environment variables with upstream.secrets.env

upstream.database.hostname📜

Type: string

Default value
"keycloak-postgresql"

Description: You will need to change the hostname to match the release name: %release-name%-postgresql

postgresql.enabled📜

Type: bool

Default value
true

Description: If true, the Postgresql dependency is enabled

postgresql.image.registry📜

Type: string

Default value
"registry1.dso.mil"

postgresql.image.repository📜

Type: string

Default value
"ironbank/bitnami/postgres"

postgresql.image.tag📜

Type: string

Default value
"17.4.0"

postgresql.global.security.allowInsecureImages📜

Type: bool

Default value
true

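Description: Allow images from registry1.dso.mil in lieu of the default bitnami registry. This flag relaxes the Bitnami chart's check on substituted images, so the chart itself does not verify the provenance of the replacement image.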

postgresql.global.postgresql.auth.username📜

Type: string

Default value
"keycloak"

Description: PostgreSQL User to create

postgresql.global.postgresql.auth.password📜

Type: string

Default value
"keycloak"

Description: PostgreSQL password for the new user. The default is identical to the username, so override it for any non-development deployment.

postgresql.global.postgresql.auth.database📜

Type: string

Default value
"keycloak"

Description: PostgreSQL Database to create