diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 6f3a9e570..f63b6f53c 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -28,7 +28,7 @@ spec: {{- end }} {{- if not .Values.devMode }} annotations: - postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }} + postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }} {{- end }} spec: securityContext: @@ -52,13 +52,16 @@ spec: mountPath: /opt/keycloak/themes - name: conf mountPath: /opt/keycloak/conf + envFrom: + - secretRef: + name: {{ include "keycloak.fullname" . }}-realm-env containers: - name: keycloak image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - command: + command: - "/opt/keycloak/bin/kc.sh" args: {{- if .Values.devMode }} @@ -128,14 +131,13 @@ spec: - name: KC_CACHE_STACK value: kubernetes - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE - value: "false" + value: "false" # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack. # https://www.keycloak.org/server/caching - name: JAVA_OPTS_APPEND value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local - # Postgres database configuration - - name: KC_DB + - name: KC_DB value: postgres - name: KC_DB_URL_HOST valueFrom: diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 7f61f9012..dd9334787 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
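Review bot: The new `envFrom` / `secretRef` block loads every key of the `-realm-env` Secret into the container environment, but the pod-template annotations shown in the first hunk of this file still hash only `secret-postgresql.yaml`. A change to the realm values would therefore update the Secret without changing the pod template, so running pods keep the old values until something else restarts them. Consider a second annotation next to `postgres-hash` that applies `sha256sum` to the realm-env secret template (its file name is not shown in this diff); note that the existing annotation is also skipped when `.Values.devMode` is set. The block sits just before `containers:`, so it appears to belong to the init container, but the indentation is not visible here and the enclosing spec continues outside the hunk.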
@@ -27,17 +27,26 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
 GOOGLE_IDP_ENABLED: false
-# GOOGLE_IDP_ID: ""
-# GOOGLE_IDP_SIGNING_CERT: ""
-# GOOGLE_IDP_NAME_ID_FORMAT: ""
-# GOOGLE_IDP_CORE_ENTITY_ID: ""
-# GOOGLE_IDP_ADMIN_GROUP: ""
-# GOOGLE_IDP_AUDITOR_GROUP: ""
-# PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
-# EMAIL_VERIFICATION_ENABLED: true
-# OTP_ENABLED: true
-# TERMS_AND_CONDITIONS_ENABLED: true
-# REALM_X509_OCSP_FAIL_OPEN: true
+ # GOOGLE_IDP_ID: ""
+ # GOOGLE_IDP_SIGNING_CERT: ""
+ # GOOGLE_IDP_NAME_ID_FORMAT: ""
+ # GOOGLE_IDP_CORE_ENTITY_ID: ""
+ # GOOGLE_IDP_ADMIN_GROUP: ""
+ # GOOGLE_IDP_AUDITOR_GROUP: ""
+ # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
+ # EMAIL_VERIFICATION_ENABLED: true
+ # OTP_ENABLED: true
+ # TERMS_AND_CONDITIONS_ENABLED: true
+ # X509_OCSP_FAIL_OPEN: true
+ # ENABLE_SOCIAL_LOGIN: false
+ # ENABLE_X509_LOGIN: false
+ # ENABLE_USERNAME_PASSWORD_AUTH: false
+ # ENABLE_REGISTER_BUTTON: false
+ # ENABLE_REGISTRATION_FIELDS: false
+ # deny_username_password: "DISABLED"
+ # reset_credential_flow: "REQUIRED"
+ # registration_form: "REQUIRED"
+ # otp_enabled: true
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
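Review bot: The commented example renames `REALM_X509_OCSP_FAIL_OPEN` to `X509_OCSP_FAIL_OPEN` and still shows `true`, with nothing saying what the setting does or that the key changed. If the old name is no longer read (the consuming template is not in this hunk), an existing override would be silently ignored and the realm would fall back to its default OCSP behaviour. I would annotate the line, e.g. `# X509_OCSP_FAIL_OPEN: true  # true = accept the client certificate when the OCSP responder cannot be reached; replaces REALM_X509_OCSP_FAIL_OPEN`. The new list also carries both `OTP_ENABLED` and `otp_enabled`, which differ only by case and are easy to confuse; a one-line comment saying which consumer reads each would help.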