dbildungs-iam-keycloak

automation/dbildungs-iam-keycloak/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: SPSH-1195
+appVersion: SPSH-740
 description: A Helm Chart for the dbildungs-iam-keycloak
 name: dbildungs-iam-keycloak
 type: application
-version: 0.0.0-spsh-1195-20241119-1628
+version: 0.0.0-spsh-740-20241120-0918

automation/dbildungs-iam-keycloak/dev-realm-spsh.json

@@ -418,7 +418,7 @@
     "requiredCredentials": [
       "password"
     ],
-    "passwordPolicy" : "maxAuthAge(0)",
+    "passwordPolicy": "maxAuthAge(0) and passwordHistory(3) and length(8) and digits(1) and lowerCase(1) and upperCase(1) and specialChars(1)",
     "otpPolicyType": "totp",
     "otpPolicyAlgorithm": "HmacSHA1",
     "otpPolicyInitialCounter": 0,
@@ -929,7 +929,7 @@
         "description": "",
         "rootUrl": "${KC_ROOT_URL}",
         "adminUrl": "",
-        "baseUrl": "",
+        "baseUrl": "${KC_ROOT_URL}",
         "surrogateAuthRequired": false,
         "enabled": true,
         "alwaysDisplayInConsole": false,
@@ -1983,7 +1983,6 @@
     "loginTheme": "schulportal",
     "eventsEnabled": false,
     "eventsListeners": [
-      "metrics-listener",
       "jboss-logging"
     ],
     "enabledEventTypes": [],

automation/dbildungs-iam-keycloak/prod-realm-spsh.json

@@ -416,7 +416,7 @@
     "requiredCredentials": [
       "password"
     ],
-    "passwordPolicy" : "maxAuthAge(0)",
+    "passwordPolicy": "maxAuthAge(0) and passwordHistory(3) and length(8) and digits(1) and lowerCase(1) and upperCase(1) and specialChars(1)",
     "otpPolicyType": "totp",
     "otpPolicyAlgorithm": "HmacSHA1",
     "otpPolicyInitialCounter": 0,
@@ -927,7 +927,7 @@
         "description": "",
         "rootUrl": "${KC_ROOT_URL}",
         "adminUrl": "",
-        "baseUrl": "",
+        "baseUrl": "${KC_ROOT_URL}",
         "surrogateAuthRequired": false,
         "enabled": true,
         "alwaysDisplayInConsole": false,
@@ -1820,7 +1820,6 @@
     "loginTheme": "schulportal",
     "eventsEnabled": false,
     "eventsListeners": [
-      "metrics-listener",
       "jboss-logging"
     ],
     "enabledEventTypes": [],

automation/dbildungs-iam-keycloak/templates/deployment.yaml

@@ -10,7 +10,9 @@ spec:
     matchLabels:
       app.kubernetes.io/name: {{ template "common.names.name" . }}
       app.kubernetes.io/component: keycloak
+  {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   template:
     metadata:
       labels:
@@ -28,8 +30,9 @@ spec:
             {{- toYaml .command | nindent 16 }}
           {{- end }}
           args:
-            - "--cache"
-            - "local"
+            # - "--cache"
+            # - "local"
+            - "--optimized"
             - "--hostname"
             - "{{ tpl .Values.keycloakHostname . }}" 
             - "--import-realm"
@@ -45,6 +48,8 @@ spec:
           livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
           readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
           env:
+            - name: JAVA_OPTS_APPEND
+              value: "-Djgroups.dns.query={{ template "common.names.name" . }}-headless.{{ template "common.names.namespace" . }}.svc.cluster.local"
             - name: KEYCLOAK_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:

automation/dbildungs-iam-keycloak/templates/headless-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.names.name" . }}-headless
+  namespace: {{ template "common.names.namespace" . }}
+  labels: 
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  selector:
+    app.kubernetes.io/name: {{ template "common.names.name" . }}
+    app.kubernetes.io/component: keycloak
+  type: {{ .Values.service.type }}
+  clusterIP: "None"
+  ports:
+    {{- if .Values.service.http.enabled }}
+    - name: http
+      port: {{  .Values.service.ports.http }}
+      targetPort: web
+    {{- end }}
+    - port: 8090
+      targetPort: 8090
+      protocol: TCP
+      name: mgmt

automation/dbildungs-iam-keycloak/templates/hpa.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "common.names.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "common.names.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "common.names.name" . }}   
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}

automation/dbildungs-iam-keycloak/values.yaml

@@ -110,9 +110,8 @@ service:
   ports:
     http: 80
 
-keycloak:
-  serviceMonitor:
-    enabled: true
-    path: "/realms/SPSH/metrics"
-    endpoints:
-      - port: 'http'
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 5
+  targetCPUUtilizationPercentage: 60