bea/infra-prod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update keycloak for HA

Browse Source
This commit is contained in:
Beatrice Dellacà
2025-03-30 18:14:34 +02:00
parent af5f476974
commit 47ecde29fd
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
deploy/keycloak/keycloak.yaml
View File

@@ -53,7 +53,7 @@ spec:
- "start" - "start"
- "--cache=ispn" # Enable distributed Infinispan cache (HA mode) [oai_citation_attribution:0‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=When%20you%20start%20Keycloak%20in,in%20your%20network%20are%20discovered) - "--cache=ispn" # Enable distributed Infinispan cache (HA mode) [oai_citation_attribution:0‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=When%20you%20start%20Keycloak%20in,in%20your%20network%20are%20discovered)
- "--cache-stack=kubernetes" # Use built-in Kubernetes stack for clustering (DNS_PING) - "--cache-stack=kubernetes" # Use built-in Kubernetes stack for clustering (DNS_PING)
- "--hostname=https://sso.panic.haus" # External URL for Keycloak (use HTTPS for TLS offload) # - "--hostname=https://sso.panic.haus" # External URL for Keycloak (use HTTPS for TLS offload)
- "--http-enabled=true" # Allow Keycloak to listen on HTTP (for edge TLS termination) [oai_citation_attribution:1‡keycloak.org](https://www.keycloak.org/server/hostname#:~:text=provides%20the%20flexibility%20for%20users,start%20the%20server%20as%20follows) - "--http-enabled=true" # Allow Keycloak to listen on HTTP (for edge TLS termination) [oai_citation_attribution:1‡keycloak.org](https://www.keycloak.org/server/hostname#:~:text=provides%20the%20flexibility%20for%20users,start%20the%20server%20as%20follows)
- "-Djgroups.dns.query=keycloak-headless" - "-Djgroups.dns.query=keycloak-headless"
env: env:
@@ -61,8 +61,10 @@ spec:
value: "admin" value: "admin"
- name: KEYCLOAK_ADMIN_PASSWORD - name: KEYCLOAK_ADMIN_PASSWORD
value: "admin" value: "admin"
- name: KC_HOSTNAME # - name: KC_PROXY_HEADERS
value: "sso.panic.haus" # value: "xforwarded"
# - name: KC_HOSTNAME
# value: "sso.panic.haus"
- name: KC_HTTP_ENABLED - name: KC_HTTP_ENABLED
value: "true" value: "true"
- name: KC_HEALTH_ENABLED - name: KC_HEALTH_ENABLED
@@ -91,6 +93,8 @@ spec:
# Enable proxy address forwarding since Keycloak is behind an NGINX proxy # Enable proxy address forwarding since Keycloak is behind an NGINX proxy
- name: PROXY_ADDRESS_FORWARDING - name: PROXY_ADDRESS_FORWARDING
value: "true" # Trust X-Forwarded-* headers [oai_citation_attribution:3‡github.com](https://github.com/codecentric/helm-charts/issues/325#:~:text=extraEnv%3A%20%7C%20,name%3A%20CACHE_OWNERS_AUTH_SESSIONS_COUNT) value: "true" # Trust X-Forwarded-* headers [oai_citation_attribution:3‡github.com](https://github.com/codecentric/helm-charts/issues/325#:~:text=extraEnv%3A%20%7C%20,name%3A%20CACHE_OWNERS_AUTH_SESSIONS_COUNT)
# - name: KC_PROXY
# value: "edge" # Keycloak is behind an edge (TLS termination) proxy
- name: KC_HOSTNAME_STRICT - name: KC_HOSTNAME_STRICT
value: "false" # Disable strict host check (allow internal/external host differences) value: "false" # Disable strict host check (allow internal/external host differences)
# (Optional) Enable health and metrics endpoints for monitoring: # (Optional) Enable health and metrics endpoints for monitoring:
@@ -108,13 +112,13 @@ spec:
httpGet: httpGet:
path: /health/live path: /health/live
port: 8080 port: 8080
initialDelaySeconds: 60 initialDelaySeconds: 90
periodSeconds: 30 periodSeconds: 30
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /health/ready path: /health/ready
port: 8080 port: 8080
initialDelaySeconds: 30 initialDelaySeconds: 60
periodSeconds: 15 periodSeconds: 15
affinity: affinity:
# Spread pods across different nodes for higher availability # Spread pods across different nodes for higher availability