k8s-apps/argocd-apps/keycloak.yaml
root 65930ceb1e
sec: remove plaintext passwords from realm ConfigMap
Use keycloak-config-cli env var substitution $(env:VAR_NAME) to inject
user passwords from K8s Secret instead of hardcoding them in ConfigMap.

- realm-configmap.yaml: passwords replaced with $(env:KC_INFRA_ADMIN_PASSWORD)
  and $(env:KC_INFRA_CLAUDE_PASSWORD)
- keycloak ArgoCD app: added keycloakConfigCli.extraEnvVarsSecret
- Secrets sourced from OpenBao via create-keycloak-secrets.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 13:24:44 +01:00


# ArgoCD Application deploying the Bitnami Keycloak chart (with its bundled
# PostgreSQL subchart and keycloak-config-cli realm import) into the
# `keycloak` namespace. Indentation below is reconstructed from a flattened
# page view; the nesting of each key follows the Bitnami chart layout.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: keycloak
  namespace: argocd
  # Cascading finalizer: deleting this Application also deletes the chart's
  # resources in the destination namespace.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    chart: keycloak
    repoURL: registry-1.docker.io/bitnamicharts
    # Chart version is quoted so it stays a string (unquoted 25.2.0 is safe,
    # but e.g. 25.2 would be parsed as a float).
    targetRevision: "25.2.0"
    helm:
      # Everything under `values` is passed to Helm as one block scalar, so
      # its internal indentation is part of the value.
      values: |
        image:
          registry: docker.io
          repository: bitnamilegacy/keycloak
          tag: 26.3.3-debian-12-r0
        auth:
          adminUser: admin
          # Admin password is read from the pre-existing Secret
          # `keycloak-secrets` (key `admin-password`), never from this file.
          existingSecret: keycloak-secrets
          passwordSecretKey: admin-password
        # NOTE(review): Keycloak runs in its non-production mode here while
        # the ingress below exposes it on a public hostname over TLS —
        # confirm this is intentional before relying on this realm.
        production: false
        httpRelativePath: "/"
        replicaCount: 1
        extraEnvVars:
          # Hostname is left empty and strict hostname checking is disabled,
          # so Keycloak derives its public URL from the X-Forwarded-* headers
          # that KC_PROXY_HEADERS tells it to trust. That is only sound if
          # the nginx ingress is the sole path to the pod and it overwrites
          # (not merely appends to) client-supplied X-Forwarded-* headers.
          - name: KC_HOSTNAME
            value: ""
          - name: KC_HOSTNAME_STRICT
            value: "false"
          - name: KC_PROXY_HEADERS
            value: "xforwarded"
        resources:
          requests:
            cpu: 500m
            memory: 1Gi
          limits:
            cpu: "1"
            memory: 2Gi
        keycloakConfigCli:
          enabled: true
          # Realm definition comes from the ConfigMap `keycloak-realm-config`.
          existingConfigmap: keycloak-realm-config
          image:
            registry: docker.io
            repository: bitnamilegacy/keycloak-config-cli
            tag: 6.4.0-debian-12-r11
          # Secret whose keys are exposed as environment variables to the
          # config-cli job; the realm ConfigMap references them via
          # $(env:VAR_NAME) so no credentials live in the ConfigMap. The
          # Secret is created outside this chart, so it must exist before
          # the import job runs or the substitution will fail.
          extraEnvVarsSecret: keycloak-configcli-secrets
        postgresql:
          enabled: true
          image:
            registry: docker.io
            repository: bitnamilegacy/postgresql
            tag: 17.6.0-debian-12-r0
          auth:
            # Same Secret as Keycloak's admin password above; one Secret
            # holds both the IdP admin and the database credentials.
            existingSecret: keycloak-secrets
            # NOTE(review): admin (superuser) and application user both map
            # to the single key `password`, so the app connects with the
            # superuser credential; separate keys would give least privilege.
            secretKeys:
              adminPasswordKey: password
              userPasswordKey: password
          primary:
            resources:
              requests:
                cpu: 250m
                memory: 512Mi
              limits:
                cpu: 500m
                memory: 1Gi
            persistence:
              enabled: true
              storageClass: longhorn
              size: 8Gi
          # NOTE(review): nesting reconstructed — placed under the postgresql
          # subchart (it follows its persistence block); confirm it is not
          # meant as the top-level keycloak `volumePermissions` key.
          volumePermissions:
            image:
              registry: docker.io
              repository: bitnamilegacy/os-shell
              tag: 12-debian-12-r50
        ingress:
          enabled: true
          ingressClassName: nginx
          # Public hostname; TLS certificate issued by cert-manager.
          hostname: keycloak.georgepet.duckdns.org
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: keycloak
  syncPolicy:
    # prune removes resources this Application no longer renders; selfHeal
    # reverts manual edits to rendered resources. The externally created
    # Secrets are not rendered by the chart and so are not pruned.
    automated:
      prune: true
      selfHeal: true
    # Namespace is expected to exist already (created elsewhere).
    syncOptions:
      - CreateNamespace=false