diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 332e6e1197..aaeed7f3c9 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -36,7 +36,7 @@ dependencies: version: 2.46.0 repository: https://jaegertracing.github.io/helm-charts - name: keycloak - version: 24.5.7 + version: 24.6.4 repository: https://charts.bitnami.com/bitnami - name: kiali-operator version: 1.86.1 diff --git a/charts/keycloak/Chart.lock b/charts/keycloak/Chart.lock index 72680855fa..989052c250 100644 --- a/charts/keycloak/Chart.lock +++ b/charts/keycloak/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 16.6.3 + version: 16.6.6 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.30.0 -digest: sha256:9f428f6c079442ac569b85245ad650220ed825b232790ae5831792d713051d23 -generated: "2025-04-11T09:28:30.981251837Z" + version: 2.30.1 +digest: sha256:deba14fbcd2d4eb0c0be80c607c84a020a1ed7329cbd6fa4a81c13272ed7a3c4 +generated: "2025-04-30T08:21:53.697644937Z" diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml index 738378abc5..899ab412a1 100644 --- a/charts/keycloak/Chart.yaml +++ b/charts/keycloak/Chart.yaml @@ -2,13 +2,13 @@ annotations: category: DeveloperTools images: | - name: keycloak - image: docker.io/bitnami/keycloak:26.2.0-debian-12-r2 + image: docker.io/bitnami/keycloak:26.2.3-debian-12-r0 - name: keycloak-config-cli - image: docker.io/bitnami/keycloak-config-cli:6.4.0-debian-12-r3 + image: docker.io/bitnami/keycloak-config-cli:6.4.0-debian-12-r5 licenses: Apache-2.0 tanzuCategory: application apiVersion: v2 -appVersion: 26.2.0 +appVersion: 26.2.3 dependencies: - condition: postgresql.enabled name: postgresql @@ -33,4 +33,4 @@ maintainers: name: keycloak sources: - https://github.com/bitnami/charts/tree/main/bitnami/keycloak -version: 24.5.7 +version: 24.6.4 
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md index 847b256925..da2182150c 100644 --- a/charts/keycloak/README.md +++ b/charts/keycloak/README.md @@ -647,6 +647,8 @@ As an alternative, you can use of the preset configurations for pod affinity, po | `keycloakConfigCli.podAnnotations` | Annotations for job pod | `{}` | | `keycloakConfigCli.nodeSelector` | Node labels for pod assignment | `{}` | | `keycloakConfigCli.podTolerations` | Tolerations for job pod assignment | `[]` | +| `keycloakConfigCli.availabilityCheck.enabled` | Whether to wait until Keycloak is available | `true` | +| `keycloakConfigCli.availabilityCheck.timeout` | Timeout for the availability check (Default is 120s) | `""` | | `keycloakConfigCli.extraEnvVars` | Additional environment variables to set | `[]` | | `keycloakConfigCli.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | | `keycloakConfigCli.extraEnvVarsSecret` | Secret with extra environment variables | `""` | diff --git a/charts/keycloak/charts/common/Chart.yaml b/charts/keycloak/charts/common/Chart.yaml index 10fc86a4e8..1df26ae412 100644 --- a/charts/keycloak/charts/common/Chart.yaml +++ b/charts/keycloak/charts/common/Chart.yaml @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.30.0 +version: 2.30.1 diff --git a/charts/keycloak/charts/common/README.md b/charts/keycloak/charts/common/README.md index 0e5f649928..b84bbbabfc 100644 --- a/charts/keycloak/charts/common/README.md +++ b/charts/keycloak/charts/common/README.md 
@@ -39,6 +39,152 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Parameters +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ | +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods` | Return a podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- | +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` | +| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. 
| `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. 
| `.` Chart context | +| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | +| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context | +| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. | `.` Chart context | +| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context | + +### Compatibility + +| Helper identifier | Description | Expected Input | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | +| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context | +| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. 
In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` | + +### Errors + +| Helper identifier | Description | Expected Input | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | +| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. 
| +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | +| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. | + +### Ingress + +| Helper identifier | Description | Expected Input | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +| --------------------------- | --------------------------------------------------------------------------- | ----------------- | +| 
`common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | +| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` | + +### Resources + +| Helper identifier | Description | Expected Input | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. 
| `dict "type" "nano"` | + +### Secrets + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | +| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. 
| `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- | +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | +| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | +| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | + +### Utils + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. 
| `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | +| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. 
| `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- | +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` | + ## Special input schemas ### ImageRoot diff --git a/charts/keycloak/charts/common/templates/_errors.tpl b/charts/keycloak/charts/common/templates/_errors.tpl index 93f3ffc9be..95b8b8e292 100644 --- a/charts/keycloak/charts/common/templates/_errors.tpl +++ b/charts/keycloak/charts/common/templates/_errors.tpl @@ -82,4 +82,4 @@ Usage: {{- end -}} {{- print $warnString -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/keycloak/charts/common/templates/_secrets.tpl b/charts/keycloak/charts/common/templates/_secrets.tpl index bfef46978d..7868c00ac0 100644 --- a/charts/keycloak/charts/common/templates/_secrets.tpl +++ b/charts/keycloak/charts/common/templates/_secrets.tpl 
@@ -110,12 +110,12 @@ The order in which this function returns a secret password:
 {{- end }}
 {{- if and $providedPasswordValue .honorProvidedValues }}
- {{- $password = $providedPasswordValue | toString }}
+ {{- $password = tpl ($providedPasswordValue | toString) .context }}
 {{- end }}
 {{- if not $password }}
 {{- if $providedPasswordValue }}
- {{- $password = $providedPasswordValue | toString }}
+ {{- $password = tpl ($providedPasswordValue | toString) .context }}
 {{- else }}
 {{- if .context.Values.enabled }}
 {{- $subchart = $chartName }}
diff --git a/charts/keycloak/charts/postgresql/Chart.yaml b/charts/keycloak/charts/postgresql/Chart.yaml
index a666c140c5..abb77bdc80 100644
--- a/charts/keycloak/charts/postgresql/Chart.yaml
+++ b/charts/keycloak/charts/postgresql/Chart.yaml
@@ -2,11 +2,11 @@ annotations:
 category: Database
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:12-debian-12-r42
+ image: docker.io/bitnami/os-shell:12-debian-12-r43
 - name: postgres-exporter
- image: docker.io/bitnami/postgres-exporter:0.17.1-debian-12-r5
+ image: docker.io/bitnami/postgres-exporter:0.17.1-debian-12-r6
 - name: postgresql
- image: docker.io/bitnami/postgresql:17.4.0-debian-12-r15
+ image: docker.io/bitnami/postgresql:17.4.0-debian-12-r17
 licenses: Apache-2.0
 tanzuCategory: service
 apiVersion: v2
@@ -35,4 +35,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 16.6.3
+version: 16.6.6
diff --git a/charts/keycloak/charts/postgresql/README.md b/charts/keycloak/charts/postgresql/README.md
index 76dab00f38..41534bf9c0 100644
--- a/charts/keycloak/charts/postgresql/README.md
+++ b/charts/keycloak/charts/postgresql/README.md
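Review bot: Both `tpl` calls added in this hunk now evaluate the user-supplied password value as a Go template against the full chart context, so a literal password that happens to contain `{{` (or `}}`) will either fail to render or be silently rewritten, and a value under the `providedValues` paths can now read anything reachable from `.context`. Nothing in the helper warns about this, and the usage comment for `common.secrets.passwords.manage` sits above the hunk (the define starts outside it), so I would extend that comment with a line such as `providedValues are rendered with tpl: a literal password containing '{{' must be escaped or supplied through an existing secret instead`. If literal brace-containing passwords must keep working, only call `tpl` when the string actually contains an action, e.g. test `contains "{{" ($providedPasswordValue | toString)` before each assignment and keep the plain `toString` path otherwise.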
@@ -691,52 +691,52 @@ If you already have data in it, you will fail to sync to standby nodes for all c ### Backup parameters -| Name | Description | Value | -| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | -| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | -| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | -| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | -| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | -| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | -| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | -| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | -| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | -| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | -| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | 
`1001` | -| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | -| `backup.cronjob.labels` | Set the cronjob labels | `{}` | -| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | -| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | -| `backup.cronjob.tolerations` | Tolerations for PostgreSQL backup CronJob pods assignment | `[]` | -| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` | -| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | -| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `backup.cronjob.storage.enabled` | Enable using a `PersistentVolumeClaim` as backup data volume | `true` | -| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | -| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | -| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | -| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | -| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | -| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | -| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | -| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | -| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | -| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` | -| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` | +| Name | Description | Value | +| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set 
kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `["/bin/bash","-c","PGPASSWORD=\"${PGPASSWORD:-$(< \"$PGPASSWORD_FILE\")}\" pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=\"${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump\""]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | +| 
`backup.cronjob.tolerations` | Tolerations for PostgreSQL backup CronJob pods assignment | `[]` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | +| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `backup.cronjob.storage.enabled` | Enable using a `PersistentVolumeClaim` as backup data volume | `true` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` | +| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` | ### Password update job 
diff --git a/charts/keycloak/charts/postgresql/templates/backup/cronjob.yaml b/charts/keycloak/charts/postgresql/templates/backup/cronjob.yaml
index c5fd9f757c..5a6711db95 100644
--- a/charts/keycloak/charts/postgresql/templates/backup/cronjob.yaml
+++ b/charts/keycloak/charts/postgresql/templates/backup/cronjob.yaml
@@ -60,7 +60,7 @@ spec:
 value: {{ $customUser | quote }}
 {{- end }}
 {{- if .Values.auth.usePasswordFiles }}
- - name: PGPASSFILE
+ - name: PGPASSWORD_FILE
 value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
 {{- else }}
 - name: PGPASSWORD
@@ -97,6 +97,10 @@ spec:
 - name: empty-dir
 mountPath: /tmp
 subPath: tmp-dir
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
 {{- if .Values.backup.cronjob.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }}
 {{- end }}
@@ -132,6 +136,11 @@ spec:
 {{- end }}
 - name: empty-dir
 emptyDir: {}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ secret:
+ secretName: {{ include "postgresql.v1.secretName" . }}
+ {{- end }}
 {{- if .Values.backup.cronjob.extraVolumes }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }}
 {{- end }}
diff --git a/charts/keycloak/charts/postgresql/templates/update-password/job.yaml b/charts/keycloak/charts/postgresql/templates/update-password/job.yaml
index 9eaba871dd..b140a23e08 100644
--- a/charts/keycloak/charts/postgresql/templates/update-password/job.yaml
+++ b/charts/keycloak/charts/postgresql/templates/update-password/job.yaml
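Review bot: Renaming the variable from `PGPASSFILE` to `PGPASSWORD_FILE` silently breaks any user-supplied `backup.cronjob.command` that still reads `$PGPASSFILE`, and the old name was one libpq reads natively whereas the new one is private to this chart's default command; nothing in the hunk records either fact. I would add a template comment right above the `{{- if .Values.auth.usePasswordFiles }}` line, e.g. `{{/* PGPASSWORD_FILE is consumed by the default backup.cronjob.command; it is not a libpq variable, so custom commands must read it themselves */}}`, and call the rename out in the chart's upgrade notes. The container spec this env block belongs to starts and ends outside the hunk.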
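Review bot: The new `postgresql-password` secret volume sets no `defaultMode`, so the admin password file is projected with Kubernetes' default mode 0644 and is readable by any uid inside the backup container, not just the `runAsUser`/`fsGroup` 1001 that the README rows in this diff list as defaults. Because `backup.cronjob.podSecurityContext.fsGroup` already defaults to 1001, the file stays readable by the backup process if you add `defaultMode: 0440` directly under `secretName: {{ include "postgresql.v1.secretName" . }}`, which removes world-read without any other change. If the statefulset mounts the same secret without a mode (that template is not in this diff), keep the two consistent.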
@@ -13,7 +13,7 @@ metadata:
 app.kubernetes.io/part-of: postgresql
 app.kubernetes.io/component: update-job
 {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.annotations .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
 spec:
 backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }}
diff --git a/charts/keycloak/charts/postgresql/values.yaml b/charts/keycloak/charts/postgresql/values.yaml
index 04d3400d26..27dd2ae635 100644
--- a/charts/keycloak/charts/postgresql/values.yaml
+++ b/charts/keycloak/charts/postgresql/values.yaml
@@ -118,7 +118,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/postgresql
- tag: 17.4.0-debian-12-r15
+ tag: 17.4.0-debian-12-r17
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1357,9 +1357,9 @@ backup:
 type: "RuntimeDefault"
 ## @param backup.cronjob.command Set backup container's command to run
 command:
- - /bin/sh
+ - /bin/bash
 - -c
- - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
+ - PGPASSWORD="${PGPASSWORD:-$(< "$PGPASSWORD_FILE")}" pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file="${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
 ## @param backup.cronjob.labels Set the cronjob labels
 labels: {}
 ## @param backup.cronjob.annotations Set the cronjob annotations
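Review bot: The rewritten `backup.cronjob.command` in the `@@ -1357,9 +1357,9 @@` hunk is now bash-specific (`$(< "$PGPASSWORD_FILE")` is not POSIX sh, which is why the interpreter changed to `/bin/bash`) and silently relies on the `PGPASSWORD_FILE` env entry that templates/backup/cronjob.yaml only sets when `auth.usePasswordFiles` is true; neither fact is visible to someone reading values.yaml. A second comment line under the `## @param` would cover it, e.g. `## Requires bash: reads the password from $PGPASSWORD_FILE when auth.usePasswordFiles is enabled, otherwise from $PGPASSWORD`, and would warn anyone overriding `backup.cronjob.image` with an image lacking bash or replacing the command with a sh script. Be aware that if the file is missing or unreadable, bash reports the error but continues with an empty `PGPASSWORD`, so the job fails on authentication rather than on a clear file error — acceptable, but worth knowing when a backup job fails.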
@@ -1596,7 +1596,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 12-debian-12-r42
+ tag: 12-debian-12-r43
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -1705,7 +1705,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/postgres-exporter
- tag: 0.17.1-debian-12-r5
+ tag: 0.17.1-debian-12-r6
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
diff --git a/charts/keycloak/templates/_helpers.tpl b/charts/keycloak/templates/_helpers.tpl
index fba3e50830..fa11d5b7ea 100644
--- a/charts/keycloak/templates/_helpers.tpl
+++ b/charts/keycloak/templates/_helpers.tpl
@@ -126,7 +126,7 @@ Return the Database database name
 {{- .Values.postgresql.auth.database -}}
 {{- end -}}
 {{- else -}}
- {{- .Values.externalDatabase.database -}}
+ {{- tpl .Values.externalDatabase.database $ -}}
 {{- end -}}
 {{- end -}}
@@ -145,7 +145,7 @@ Return the Database user
 {{- .Values.postgresql.auth.username -}}
 {{- end -}}
 {{- else -}}
- {{- .Values.externalDatabase.user -}}
+ {{- tpl .Values.externalDatabase.user $ -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/keycloak/templates/keycloak-config-cli-job.yaml b/charts/keycloak/templates/keycloak-config-cli-job.yaml
index 3a7885405d..6939d3dfdb 100644
--- a/charts/keycloak/templates/keycloak-config-cli-job.yaml
+++ b/charts/keycloak/templates/keycloak-config-cli-job.yaml
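Review bot: `tpl .Values.externalDatabase.database $` and `tpl .Values.externalDatabase.user $` (the two `_helpers.tpl` hunks) require a string argument, so a user who sets either value to `null` — which the plain references on the removed lines rendered without error — now gets a template failure instead of an empty name; `{{- tpl (default "" .Values.externalDatabase.database) $ -}}` (and the same for `user`) keeps the earlier leniency. Both helpers' `{{- define` lines are outside the hunks. Since these two fields are now rendered as templates while the rest of `externalDatabase` presumably is not, a one-line comment above each, e.g. `{{/* rendered with tpl so the value may reference other chart values */}}`, records why they are treated differently.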
@@ -86,7 +86,11 @@ spec:
 value: /config/*
 {{- end }}
 - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
- value: "true"
+ value: {{ .Values.keycloakConfigCli.availabilityCheck.enabled | quote }}
+ {{- if and .Values.keycloakConfigCli.availabilityCheck.enabled .Values.keycloakConfigCli.availabilityCheck.timeout }}
+ - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
+ value: {{ .Values.keycloakConfigCli.availabilityCheck.timeout }}
+ {{- end }}
 {{- if .Values.keycloakConfigCli.extraEnvVars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVars "context" $) | nindent 12 }}
 {{- end }}
diff --git a/charts/keycloak/templates/statefulset.yaml b/charts/keycloak/templates/statefulset.yaml
index 0f05140b5e..ad9734be04 100644
--- a/charts/keycloak/templates/statefulset.yaml
+++ b/charts/keycloak/templates/statefulset.yaml
@@ -398,15 +398,15 @@ spec:
 path: {{ printf "db-%s" (include "keycloak.databaseSecretHostKey" .) }}
 {{- end }}
 {{- if .Values.externalDatabase.existingSecretPortKey }}
- - key: {{ include "keycloak.databaseSecretHostKey" . }}
+ - key: {{ include "keycloak.databaseSecretPortKey" . }}
 path: {{ printf "db-%s" (include "keycloak.databaseSecretPortKey" .) }}
 {{- end }}
 {{- if .Values.externalDatabase.existingSecretUserKey }}
- - key: {{ include "keycloak.databaseSecretHostKey" . }}
+ - key: {{ include "keycloak.databaseSecretUserKey" . }}
 path: {{ printf "db-%s" (include "keycloak.databaseSecretUserKey" .) }}
 {{- end }}
 {{- if .Values.externalDatabase.existingSecretDatabaseKey }}
- - key: {{ include "keycloak.databaseSecretHostKey" . }}
+ - key: {{ include "keycloak.databaseSecretDatabaseKey" . }}
 path: {{ printf "db-%s" (include "keycloak.databaseSecretDatabaseKey" .) }}
 {{- end }}
 {{- if and .Values.tls.enabled (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
index 838b7bcd81..cfcb03f284 100644
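Review bot: `value: {{ .Values.keycloakConfigCli.availabilityCheck.timeout }}` in the keycloak-config-cli-job.yaml hunk is emitted unquoted, unlike the `| quote` applied to the `enabled` entry two lines above; a container env `value` must be a string, so a user who writes `timeout: 120` (a bare number is the natural thing to type for a timeout) renders a manifest the API server rejects. Use `value: {{ .Values.keycloakConfigCli.availabilityCheck.timeout | quote }}`. The `and` guard also drops a configured timeout whenever `enabled` is false, which is reasonable but deserves a mention in the values.yaml comment for the setting. The enclosing `env:` list starts and ends outside the hunk.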
--- a/charts/keycloak/values.yaml
+++ b/charts/keycloak/values.yaml
@@ -111,7 +111,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/keycloak
- tag: 26.2.0-debian-12-r2
+ tag: 26.2.3-debian-12-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1135,7 +1135,7 @@ keycloakConfigCli:
 image:
 registry: docker.io
 repository: bitnami/keycloak-config-cli
- tag: 6.4.0-debian-12-r3
+ tag: 6.4.0-debian-12-r5
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1247,6 +1247,14 @@ keycloakConfigCli:
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 podTolerations: []
+ ## keycloak-config-cli availability-check configuration
+ ## ref: https://github.com/adorsys/keycloak-config-cli#Configuration
+ ## @param keycloakConfigCli.availabilityCheck.enabled Whether to wait until Keycloak is available
+ ## @param keycloakConfigCli.availabilityCheck.timeout Timeout for the availability check (Default is 120s)
+ ##
+ availabilityCheck:
+ enabled: true
+ timeout: ""
 ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
 ## Example:
 ## extraEnvVars:
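Review bot: The new `timeout: ""` entry in the `@@ -1247,6 +1247,14 @@` hunk and its `## @param` line say nothing about the value's format or that it is passed verbatim as the `KEYCLOAK_AVAILABILITYCHECK_TIMEOUT` environment variable of the config-cli job, so `timeout: 300` is as likely a user input as `timeout: "300s"`, and only the latter survives as a string. Extend the comment to state the expected form, e.g. `## @param keycloakConfigCli.availabilityCheck.timeout Timeout for the availability check as a duration string, e.g. "300s" (Default is 120s)`, and add a line noting that the value is ignored when `availabilityCheck.enabled` is false, which is what the job template does. The README row generated from this comment would pick up the same wording.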