forked from keycloak/keycloak-operator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathkeycloak.org_keycloaks_crd.yaml
431 lines (431 loc) · 22.3 KB
/
keycloak.org_keycloaks_crd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: keycloaks.keycloak.org
spec:
group: keycloak.org
names:
kind: Keycloak
listKind: KeycloakList
plural: keycloaks
singular: keycloak
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: Keycloak is the Schema for the keycloaks API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: KeycloakSpec defines the desired state of Keycloak.
properties:
extensions:
description: A list of extensions, where each one is a URL to a JAR
files that will be deployed in Keycloak.
items:
type: string
type: array
x-kubernetes-list-type: set
external:
description: Contains configuration for external Keycloak instances.
Unmanaged needs to be set to true to use this.
properties:
enabled:
description: If set to true, this Keycloak will be treated as an
external instance. The unmanaged field also needs to be set to
true if this field is true.
type: boolean
url:
description: The URL to use for the keycloak admin API. Needs to
be set if external is true.
type: string
type: object
externalAccess:
description: Controls external Ingress/Route settings.
properties:
enabled:
description: If set to true, the Operator will create an Ingress
or a Route pointing to Keycloak.
type: boolean
host:
description: If set, the Operator will use value of host for Ingress/Route
host instead of default value keycloak.local for ingress and automatically
chosen name for Route
type: string
tlsTermination:
description: TLS Termination type for the external access. Setting
this field to "reencrypt" will terminate TLS on the Ingress/Route
level. Setting this field to "passthrough" will send encrypted
traffic to the Pod. If unspecified, defaults to "reencrypt". Note,
that this setting has no effect on Ingress as Ingress TLS settings
are not reconciled by this operator. In other words, Ingress TLS
configuration is the same in both cases and it is up to the user
to configure TLS section of the Ingress.
type: string
type: object
externalDatabase:
description: "Controls external database settings. Using an external
database requires providing a secret containing credentials as well
as connection details. Here's an example of such secret: \n apiVersion:
v1 kind: Secret metadata: name: keycloak-db-secret
\ namespace: keycloak stringData: POSTGRES_DATABASE:
<Database Name> POSTGRES_EXTERNAL_ADDRESS: <External Database
IP or URL (resolvable by K8s)> POSTGRES_EXTERNAL_PORT: <External
Database Port> # Strongly recommended to use <'Keycloak CR
Name'-postgresql> POSTGRES_HOST: <Database Service Name> POSTGRES_PASSWORD:
<Database Password> # Required for AWS Backup functionality
\ POSTGRES_SUPERUSER: true POSTGRES_USERNAME: <Database
Username> type: Opaque \n Both POSTGRES_EXTERNAL_ADDRESS and
POSTGRES_EXTERNAL_PORT are specifically required for creating connection
to the external database. The secret name is created using the following
convention: <Custom Resource Name>-db-secret \n For more information,
please refer to the Operator documentation."
properties:
enabled:
description: If set to true, the Operator will use an external database.
pointing to Keycloak.
type: boolean
type: object
instances:
description: Number of Keycloak instances in HA mode. Default is 1.
type: integer
keycloakDeploymentSpec:
description: Resources (Requests and Limits) for KeycloakDeployment.
properties:
experimental:
description: 'Experimental section NOTE: This section might change
or get removed without any notice. It may also cause the deployment
to behave in an unpredictable fashion. Please use with care.'
properties:
args:
description: Arguments to the entrypoint. Translates into Container
CMD.
items:
type: string
type: array
command:
description: Container command. Translates into Container ENTRYPOINT.
items:
type: string
type: array
env:
description: List of environment variables to set in the container.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be
a C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in
the container and any service environment variables.
If a variable cannot be resolved, the reference in the
input string will be unchanged. The $(VAR_NAME) syntax
can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
references will never be expanded, regardless of whether
the variable exists or not. Defaults to "".'
type: string
valueFrom:
description: Source for the environment variable's value.
Cannot be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind,
uid?'
type: string
optional:
description: Specify whether the ConfigMap or
its key must be defined
type: boolean
required:
- key
type: object
fieldRef:
description: 'Selects a field of the pod: supports
metadata.name, metadata.namespace, metadata.labels,
metadata.annotations, spec.nodeName, spec.serviceAccountName,
status.hostIP, status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
type: object
resourceFieldRef:
description: 'Selects a resource of the container:
only resources limits and requests (limits.cpu,
limits.memory, limits.ephemeral-storage, requests.cpu,
requests.memory and requests.ephemeral-storage)
are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the
exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind,
uid?'
type: string
optional:
description: Specify whether the Secret or its
key must be defined
type: boolean
required:
- key
type: object
type: object
required:
- name
type: object
type: array
volumes:
description: Additional volume mounts
properties:
defaultMode:
description: Permissions mode.
format: int32
type: integer
items:
items:
properties:
configMap:
description: ConfigMap mount
properties:
items:
description: ConfigMap mount details
items:
description: Maps a string key to a path within
a volume.
properties:
key:
description: The key to project.
type: string
mode:
description: 'Optional: mode bits to use
on this file, must be a value between
0 and 0777. If not specified, the volume
defaultMode will be used. This might be
in conflict with other options that affect
the file mode, like fsGroup, and the result
can be other mode bits set.'
format: int32
type: integer
path:
description: The relative path of the file
to map the key to. May not be an absolute
path. May not contain the path element
'..'. May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
mountPath:
description: An absolute path where to mount it
type: string
name:
description: ConfigMap name
type: string
required:
- mountPath
type: object
type: object
type: array
type: object
type: object
resources:
description: Resources (Requests and Limits) for the Pods.
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
type: object
migration:
description: Specify Migration configuration
properties:
backups:
description: Set it to config backup policy for migration
properties:
enabled:
description: If set to true, the operator will do database backup
before doing migration
type: boolean
type: object
strategy:
description: Specify migration strategy
type: string
type: object
podDisruptionBudget:
description: Specify PodDisruptionBudget configuration.
properties:
enabled:
description: If set to true, the operator will create a PodDistruptionBudget
for the Keycloak deployment and set its `maxUnavailable` value
to 1.
type: boolean
type: object
postgresDeploymentSpec:
description: Resources (Requests and Limits) for PostgresDeployment.
properties:
resources:
description: Resources (Requests and Limits) for the Pods.
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
type: object
profile:
description: Profile used for controlling Operator behavior. Default
is empty.
type: string
storageClassName:
description: Name of the StorageClass for Postgresql Persistent Volume
Claim
type: string
unmanaged:
description: When set to true, this Keycloak will be marked as unmanaged
and will not be managed by this operator. It can then be used for
targeting purposes.
type: boolean
type: object
status:
description: KeycloakStatus defines the observed state of Keycloak.
properties:
credentialSecret:
description: The secret where the admin credentials are to be found.
type: string
internalURL:
description: Service IP and Port for in-cluster access to the keycloak
instance.
type: string
message:
description: Human-readable message indicating details about current
operator phase or error.
type: string
phase:
description: Current phase of the operator.
type: string
ready:
description: True if all resources are in a ready state and all work
is done.
type: boolean
secondaryResources:
additionalProperties:
items:
type: string
type: array
description: 'A map of all the secondary resources types and names created
for this CR. e.g "Deployment": [ "DeploymentName1", "DeploymentName2"
].'
type: object
version:
description: Version of Keycloak or RHSSO running on the cluster.
type: string
required:
- credentialSecret
- internalURL
- message
- phase
- ready
- version
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true