From 60a412b35eb96441c4c93b58eff2f48e8ce87fbc Mon Sep 17 00:00:00 2001 From: David Young Date: Tue, 23 Nov 2021 09:52:34 +1300 Subject: [PATCH] Add value to skip init containers Signed-off-by: David Young --- charts/keycloak/README.md | 1 + charts/keycloak/templates/statefulset.yaml | 2 ++ charts/keycloak/values.yaml | 6 ++++++ 3 files changed, 9 insertions(+) diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md index 37d7b339..1506b840 100644 --- a/charts/keycloak/README.md +++ b/charts/keycloak/README.md @@ -65,6 +65,7 @@ The following table lists the configurable parameters of the Keycloak chart and | `podSecurityContext` | SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this) | `{"fsGroup":1000}` | | `securityContext` | SecurityContext for the Keycloak container | `{"runAsNonRoot":true,"runAsUser":1000}` | | `extraInitContainers` | Additional init containers, e. g. for providing custom themes | `[]` | +| `skipInitContainers` | Skip all init containers (to avoid issues with service meshes which require sidecar proxies for connectivity) | `false` | `extraContainers` | Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy | `[]` | | `lifecycleHooks` | Lifecycle hooks for the Keycloak container | `{}` | | `terminationGracePeriodSeconds` | Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance | `60` | diff --git a/charts/keycloak/templates/statefulset.yaml b/charts/keycloak/templates/statefulset.yaml index 25d4aa64..3cfd451c 100644 --- a/charts/keycloak/templates/statefulset.yaml +++ b/charts/keycloak/templates/statefulset.yaml 
@@ -41,6 +41,7 @@ spec: {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 8 }} {{- end }} spec: + {{- if not .Values.skipInitContainers }} {{- if or .Values.postgresql.enabled .Values.extraInitContainers }} initContainers: {{- if .Values.postgresql.enabled }} @@ -67,6 +68,7 @@ spec: {{- tpl . $ | nindent 8 }} {{- end }} {{- end }} + {{- end }} containers: - name: keycloak securityContext: diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml index 1042d1f6..8cc981fb 100644 --- a/charts/keycloak/values.yaml +++ b/charts/keycloak/values.yaml @@ -71,6 +71,12 @@ securityContext: # Additional init containers, e. g. for providing custom themes extraInitContainers: "" +# When using service meshes which rely on a sidecar, it may be necessary to skip init containers altogether, +# since the sidecar doesn't start until the init containers are done, and the sidecar may be required +# for network access. +# For example, Istio in strict mTLS mode prevents the pgchecker init container from ever completing +skipInitContainers: false + # Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy extraContainers: ""
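Review bot: The new `{{- if not .Values.skipInitContainers }}` guard in the first statefulset.yaml hunk wraps the whole `initContainers:` block, so setting the value also drops anything supplied through `extraInitContainers`, with no error or warning at render time. The motivation given in values.yaml is only the pgchecker container under Istio strict mTLS, so user-supplied init containers (the README's example is custom themes) would disappear as a side effect. Consider failing the render when both are set, e.g. `{{- if and .Values.skipInitContainers .Values.extraInitContainers }}{{ fail "skipInitContainers discards extraInitContainers" }}{{- end }}`, or scoping the flag to the `.Values.postgresql.enabled` branch only. The matching `{{- end }}` is in the second hunk (`@@ -67,6 +68,7 @@`); the body of the pgchecker branch lies between the two hunks and is not visible here.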
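Review bot: The comment above `skipInitContainers: false` in the values.yaml hunk does not say that the flag also discards `extraInitContainers`, which is what the template guard in statefulset.yaml does. A line such as `# Note: this also disables extraInitContainers; Keycloak then starts without the pgchecker init container.` would tell operators what they give up. Because the template tests the value with `not`, the comment could also state that it must be a YAML boolean: a quoted string such as `"false"` is non-empty, is treated as true by the template, and would skip the init containers.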