Add value to skip init containers

Signed-off-by: David Young <[email protected]>
codecentric · Dec 10, 2021 · 60a412b · 60a412b
1 parent 6817019
commit 60a412b
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
@@ -65,6 +65,7 @@ The following table lists the configurable parameters of the Keycloak chart and
 | `podSecurityContext` | SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this) | `{"fsGroup":1000}` |
 | `securityContext` | SecurityContext for the Keycloak container | `{"runAsNonRoot":true,"runAsUser":1000}` |
 | `extraInitContainers` | Additional init containers, e. g. for providing custom themes | `[]` |
+| `skipInitContainers` | Skip all init containers (to avoid issues with service meshes which require sidecar proxies for connectivity) | `false`
 | `extraContainers` | Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy | `[]` |
 | `lifecycleHooks` | Lifecycle hooks for the Keycloak container | `{}` |
 | `terminationGracePeriodSeconds` | Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance | `60` |

diff --git a/charts/keycloak/templates/statefulset.yaml b/charts/keycloak/templates/statefulset.yaml
@@ -41,6 +41,7 @@ spec:
         {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 8 }}
         {{- end }}
     spec:
+    {{- if not .Values.skipInitContainers }}
       {{- if or .Values.postgresql.enabled .Values.extraInitContainers }}
       initContainers:
         {{- if .Values.postgresql.enabled }}
@@ -67,6 +68,7 @@ spec:
         {{- tpl . $ | nindent 8 }}
         {{- end }}
       {{- end }}
+    {{- end }}
       containers:
         - name: keycloak
           securityContext:

diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
@@ -71,6 +71,12 @@ securityContext:
 # Additional init containers, e. g. for providing custom themes
 extraInitContainers: ""
 
+# When using service meshes which rely on a sidecar, it may be necessary to skip init containers altogether, 
+# since the sidecar doesn't start until the init containers are done, and the sidecar may be required 
+# for network access.
+# For example, Istio in strict mTLS mode prevents the pgchecker init container from ever completing
+skipInitContainers: false
+
 # Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
 extraContainers: ""