OTC 127 Bitnami Keycloak chart migration

charts/keycloak/Changelog.md

@@ -0,0 +1,7 @@
+# Changelog
+
+## Chart Versions
+
+### 7.1.5
+
+Initial Release.

charts/keycloak/Chart.yaml

@@ -0,0 +1,34 @@
+apiVersion: v2
+name: keycloak
+description: |
+  This chart is an umbrella Helm chart to apply customized values to the Keycloakx chart by Codecentric as default.
+
+  To deploy it, you must provide two secrets of Type `Opaque` in the Kubernetes namespace of Keycloak that the chart will read from.
+
+  - `keycloak-root-creds`, with the keys
+    - `KC_BOOTSTRAP_ADMIN_USERNAME`: The Keycloak admin username
+    - `KC_BOOTSTRAP_ADMIN_PASSWORD`: The Keycloak admin password
+  - `keycloak-psql-creds`, with the keys
+    - `KC_DB_URL_HOST`: Address of the postgres instance
+    - `KC_DB_URL_PORT`: Port of the postgres instance
+    - `KC_DB_URL_DATABASE`: Database that Keycloak will use
+    - `KC_DB_USERNAME`: Username to authenticate on the postgres instance with
+    - `KC_DB_PASSWORD`: Password to authenticate on the postgres instance with
+home: "https://artifacthub.io/packages/helm/codecentric/keycloakx"
+maintainers:
+  - name: codecentric
+    email: info@codecentric.de
+    url: https://www.codecentric.de/
+  - name: Team KumoOps OTC
+    email: "otc-cloudops-as-a-service@iits-consulting.de"
+    url: "https://iits-consulting.slack.com/archives/C08JUM3F7JL"
+kubeVersion: ">=1.29.0"
+type: application
+# `version` and `appVersion` must always reflect the respective settings of the upstream Keycloakx chart.
+version: 7.1.5
+appVersion: "26.4.5"
+dependencies:
+  - name: keycloakx
+    alias: keycloak
+    repository: "https://codecentric.github.io/helm-charts"
+    version: 7.1.5

charts/keycloak/README.md

@@ -0,0 +1,78 @@
+# keycloak
+
+![Version: 7.1.5](https://img.shields.io/badge/Version-7.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 26.4.5](https://img.shields.io/badge/AppVersion-26.4.5-informational?style=flat-square)
+
+This chart is an umbrella Helm chart to apply customized values to the Keycloakx chart by Codecentric as default.
+
+To deploy it, you must provide two secrets of Type `Opaque` in the Kubernetes namespace of Keycloak that the chart will read from.
+
+- `keycloak-root-creds`, with the keys
+  - `KC_BOOTSTRAP_ADMIN_USERNAME`: The Keycloak admin username
+  - `KC_BOOTSTRAP_ADMIN_PASSWORD`: The Keycloak admin password
+- `keycloak-psql-creds`, with the keys
+  - `KC_DB_URL_HOST`: Address of the postgres instance
+  - `KC_DB_URL_PORT`: Port of the postgres instance
+  - `KC_DB_URL_DATABASE`: Database that Keycloak will use
+  - `KC_DB_USERNAME`: Username to authenticate on the postgres instance with
+  - `KC_DB_PASSWORD`: Password to authenticate on the postgres instance with
+
+**Homepage:** <https://artifacthub.io/packages/helm/codecentric/keycloakx>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| codecentric | <info@codecentric.de> | <https://www.codecentric.de/> |
+| Team KumoOps OTC | <otc-cloudops-as-a-service@iits-consulting.de> | <https://iits-consulting.slack.com/archives/C08JUM3F7JL> |
+
+## Requirements
+
+Kubernetes: `>=1.29.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://codecentric.github.io/helm-charts | keycloak(keycloakx) | 7.1.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| keycloak.command[0] | string | `"/opt/keycloak/bin/kc.sh"` |  |
+| keycloak.command[1] | string | `"start"` |  |
+| keycloak.command[2] | string | `"--http-port=8080"` |  |
+| keycloak.command[3] | string | `"--hostname-strict=false"` |  |
+| keycloak.extraEnv | string | `"- name: JAVA_OPTS_APPEND\n  value: >-\n    -Djgroups.dns.query={{ include \"keycloak.fullname\" . }}-headless\n- name: KC_METRICS_ENABLED\n  value: \"true\"\n- name: \"KC_LOG_LEVEL_ORG_KEYCLOAK_EVENTS\"\n  value: \"trace\"\n- name: \"KC_LOG_CONSOLE_LEVEL\"\n  value: \"trace\"\n- name: KC_DB\n  value: postgres\n"` | Must be specified as raw string, as it will be directly templated below the `env` key in the target YAML. |
+| keycloak.extraEnvFrom | string | `"- secretRef:\n    name: keycloak-root-creds\n- secretRef:\n    name: keycloak-psql-creds\n"` | Must be specified as raw string, as it will be directly templated below the `envFrom` key in the target YAML. |
+| keycloak.http.internalPort | string | `"http-internal"` |  |
+| keycloak.http.internalScheme | string | `"HTTP"` |  |
+| keycloak.http.relativePath | string | `"/"` |  |
+| keycloak.ingress.annotations."traefik.ingress.kubernetes.io/router.entrypoints" | string | `"websecure"` |  |
+| keycloak.ingress.annotations."traefik.ingress.kubernetes.io/router.tls" | string | `"true"` |  |
+| keycloak.ingress.enabled | bool | `true` |  |
+| keycloak.ingress.ingressClassName | string | `"traefik"` |  |
+| keycloak.ingress.rules[0].host | string | `"REPLACE_ME"` |  |
+| keycloak.ingress.rules[0].paths[0].path | string | `"/"` |  |
+| keycloak.ingress.rules[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| keycloak.ingress.servicePort | string | `"http"` |  |
+| keycloak.proxy.enabled | bool | `true` |  |
+| keycloak.proxy.http.enabled | bool | `true` |  |
+| keycloak.proxy.mode | string | `"xforwarded"` |  |
+| keycloak.replicas | int | `2` |  |
+| keycloak.resources.limits.memory | string | `"718Mi"` |  |
+| keycloak.resources.requests.cpu | string | `"100m"` |  |
+| keycloak.resources.requests.memory | string | `"718Mi"` |  |
+| keycloak.service.annotations."prometheus.io/port" | string | `"9000"` |  |
+| keycloak.service.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| keycloak.service.externalTrafficPolicy | string | `"Local"` |  |
+| keycloak.service.httpNodePort | string | `nil` |  |
+| keycloak.service.httpPort | int | `80` |  |
+| keycloak.service.httpsNodePort | string | `nil` |  |
+| keycloak.service.httpsPort | string | `nil` |  |
+| keycloak.service.loadBalancerIP | string | `nil` |  |
+| keycloak.service.sessionAffinity | string | `"ClientIP"` |  |
+| keycloak.service.sessionAffinityConfig | object | `{}` |  |
+| keycloak.service.type | string | `"ClusterIP"` |  |
+| keycloak.serviceMonitor.enabled | bool | `true` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/keycloak/values.yaml

@@ -0,0 +1,104 @@
+keycloak:
+  replicas: 2
+
+  ## Default command to start Keycloak
+  command:
+    - "/opt/keycloak/bin/kc.sh"
+    - "start"
+    - "--http-port=8080"
+    - "--hostname-strict=false"
+
+  # -- Must be specified as raw string, as it will be directly templated below the `env` key in the target YAML.
+  extraEnv: |
+    - name: JAVA_OPTS_APPEND
+      value: >-
+        -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+    - name: KC_METRICS_ENABLED
+      value: "true"
+    - name: "KC_LOG_LEVEL_ORG_KEYCLOAK_EVENTS"
+      value: "trace"
+    - name: "KC_LOG_CONSOLE_LEVEL"
+      value: "trace"
+    - name: KC_DB
+      value: postgres
+
+  # -- Must be specified as raw string, as it will be directly templated below the `envFrom` key in the target YAML.
+  extraEnvFrom: |
+    - secretRef:
+        name: keycloak-root-creds
+    - secretRef:
+        name: keycloak-psql-creds
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 718Mi
+    limits:
+      memory: 718Mi
+
+  service:
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9000"
+    type: ClusterIP
+    loadBalancerIP: null
+    httpPort: 80
+    httpNodePort: null
+    httpsPort: null
+    httpsNodePort: null
+    # When using Service type LoadBalancer, you can preserve the source IP seen in the container
+    # by changing the default (Cluster) to be Local.
+    # See https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    externalTrafficPolicy: "Local"
+    # Session affinity
+    # See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
+    sessionAffinity: "ClientIP"
+    # Session affinity config, for example to set https://kubernetes.io/docs/reference/networking/virtual-ips/#session-stickiness-timeout
+    sessionAffinityConfig: {}
+
+  ingress:
+    enabled: true
+    ingressClassName: "traefik"
+    servicePort: http
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    rules:
+      # Must be provided via external values, this is just a placeholder
+      - host: "REPLACE_ME"
+        paths:
+          - path: "/"
+            pathType: ImplementationSpecific
+
+  # Example inspired by https://gitlab.iits.tech/team-otc-managed-service/projects/cognigy/cognigy-infrastructure-charts/-/blob/main/infrastructure-charts/value-files/keycloak/values.yaml?ref_type=heads#L57
+  # to show how this would translate to this chart
+  # networkPolicy:
+  #   enabled: true
+  #   extraFrom:
+  #     ingress:
+  #       - from:
+  #           - namespaceSelector:
+  #               matchLabels:
+  #                 kubernetes.io/metadata.name: monitoring
+  #             podSelector:
+  #               matchLabels:
+  #                 app.kubernetes.io/name: prometheus
+  #         ports:
+  #           - protocol: TCP
+  #             port: 9000
+
+  proxy:
+    enabled: true
+    # This ensures proper source ip propagation with Traefik.
+    mode: xforwarded
+    http:
+      enabled: true
+
+  http:
+    # Instead of being backwards-compatible, we want all paths on the Keycloak domain to be accessible without path prefix.
+    relativePath: "/"
+    internalPort: http-internal
+    internalScheme: HTTP
+
+  serviceMonitor:
+    enabled: true