# StatefulSet for the Keycloak identity provider. The object carries
# server-populated metadata and a status stanza, so it reads as a dump of the
# live object rather than an authored manifest.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: auth-system
  labels:
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/component: keycloak
    # Quoted so no tooling ever retypes the version string.
    app.kubernetes.io/version: '24.0.5'
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: keycloak-21.4.1
  annotations:
    meta.helm.sh/release-name: keycloak
    meta.helm.sh/release-namespace: auth-system
  # The four fields below are written by the API server, not by the chart.
  # Strip them before re-applying this object to another cluster.
  creationTimestamp: '2026-03-04T12:57:02Z'
  generation: 1
  resourceVersion: '3142'
  uid: '5e353b23-8124-4e26-8bc1-aa93fb4d4d0d'
# Desired state: a single Keycloak pod behind the keycloak-headless Service,
# talking to an external MySQL-compatible database.
spec:
  # One replica: the identity provider is a single point of failure for
  # everything that authenticates through it.
  replicas: 1
  serviceName: keycloak-headless
  podManagementPolicy: Parallel
  revisionHistoryLimit: 10
  # No volumeClaimTemplates are declared in this spec, so this policy has no
  # PVCs to act on here.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/component: keycloak
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: keycloak
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/component: keycloak
        app.kubernetes.io/version: '24.0.5'
        app.kubernetes.io/managed-by: Helm
        helm.sh/chart: keycloak-21.4.1
      annotations:
        # Presumably hashes of the rendered ConfigMap and Secret, so that a
        # change to either one rolls the pod (common Helm pattern) - confirm
        # against the chart.
        checksum/configmap-env-vars: '5725d51a3ce4dc8f1207b43b33d37b63e19b8ce676cf98cc2e21826fc8ec8494'
        checksum/secrets: '9155ad7fc047fc66b3124e441d7c815ee8726fbe6847c30853fc64e14cc6845a'
    spec:
      serviceAccountName: keycloak
      # Deprecated alias of serviceAccountName; same value.
      serviceAccount: keycloak
      # The pod is handed an API token for ServiceAccount keycloak.
      # NOTE(review): if nothing in the pod calls the Kubernetes API, set this
      # to false; otherwise check that the RBAC bound to the account is
      # minimal.
      automountServiceAccountToken: true
      # Pod-level: mounted volumes are group-owned by GID 1001, and ownership
      # is re-applied on every mount (fsGroupChangePolicy: Always).
      securityContext:
        fsGroup: 1001
        fsGroupChangePolicy: Always
      # NOTE(review): judging by the label name, the pod is pinned to the
      # nodes that also run the OpenStack control plane - confirm.
      nodeSelector:
        openstack-control-plane: 'enabled'
      # Soft preference only (weight 1): replicas may still share a node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: keycloak
                    app.kubernetes.io/instance: keycloak
      dnsPolicy: ClusterFirst
      # Injects environment variables describing every Service in the
      # namespace into the container.
      enableServiceLinks: true
      restartPolicy: Always
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      containers:
        - name: keycloak
          # Pinned by tag, not by digest: the registry can serve different
          # content under the same tag, and IfNotPresent reuses whatever a
          # node has already cached. Consider appending @sha256:<digest>
          # (placeholder) to the reference.
          image: harbor.atmosphere.dev/quay.io/keycloak/keycloak:24.0.5-0
          imagePullPolicy: IfNotPresent
          command:
            - /opt/keycloak/bin/kc.sh
            - --verbose
            - start
            # NOTE(review): to my knowledge Keycloak 24 serves /health and
            # /metrics (enabled further down) on the same HTTP port as the
            # application, so the ingress should not route those paths to
            # external clients - confirm for this version.
            - --health-enabled=true
            # Plain HTTP listener. Together with KC_PROXY=edge below, TLS is
            # expected to end at a reverse proxy and Keycloak trusts the
            # forwarded headers it receives, so only that proxy should be
            # able to reach port 8080 (enforce with a NetworkPolicy).
            - --http-enabled=true
            - --http-port=8080
            # Keycloak does not enforce a fixed hostname and derives URLs
            # (token issuer, links) from the incoming request. Prefer a fixed
            # hostname in production so request headers cannot influence
            # them.
            - --hostname-strict=false
            # Login events go to the log (successes at info, errors at warn);
            # forward these logs to wherever authentication is monitored.
            - --spi-events-listener-jboss-logging-success-level=info
            - --spi-events-listener-jboss-logging-error-level=warn
            - --transaction-xa-enabled=false
            - --metrics-enabled=true
          env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BITNAMI_DEBUG
              value: 'false'
            # Admin credential injected as an environment variable. Anyone
            # who can exec into the pod or read its process environment can
            # read it, so treat it as a bootstrap secret and rotate it.
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: admin-password
            # Same Secret and key as KC_DB_PASSWORD further down; the
            # database password is exposed under two variable names.
            - name: KEYCLOAK_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-externaldb
                  key: db-password
            - name: KEYCLOAK_HTTP_RELATIVE_PATH
              value: '/'
            # NOTE(review): both were preview features in the 24.x line as
            # far as I know - confirm against the release notes. Each widens
            # the token or admin surface; keep them only if they are used.
            - name: KC_FEATURES
              value: 'token-exchange,admin-fine-grained-authz'
            - name: KC_PROXY
              value: edge
            - name: KC_DB
              value: mysql
            # No TLS parameters appear in the URL, and the target sits in
            # another namespace (openstack). NOTE(review): confirm that the
            # database connection is encrypted by some other means.
            - name: KC_DB_URL
              value: 'jdbc:mysql://percona-xtradb-haproxy.openstack:3306/keycloak'
            - name: KC_DB_USERNAME
              value: keycloak
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-externaldb
                  key: db-password
          # Further settings come from this ConfigMap and are not visible in
          # this object; review it alongside the flags above.
          envFrom:
            - configMapRef:
                name: keycloak-env-vars
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            # Presumably JGroups cluster traffic, going by the port name and
            # number; keep it reachable only from other Keycloak pods.
            - name: discovery
              containerPort: 7800
              protocol: TCP
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
              ephemeral-storage: 50Mi
            limits:
              cpu: 750m
              memory: 768Mi
              ephemeral-storage: 1Gi
          # Baseline hardening is present: non-root user, no privilege
          # escalation, all capabilities dropped, RuntimeDefault seccomp.
          # The root filesystem is still writable.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1001
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            seLinuxOptions: {}
          # Allows up to 120 failures at 5 s intervals before a restart.
          startupProbe:
            httpGet:
              path: /
              port: http
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 120
          readinessProbe:
            httpGet:
              path: /realms/master
              port: http
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # Checks only that the TCP port accepts a connection, once per
          # second after a 300 s initial delay.
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 300
            periodSeconds: 1
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          # NOTE(review): these paths sit under /opt/bitnami/keycloak while
          # the command runs /opt/keycloak/bin/kc.sh, so they may not cover
          # the directories this image actually writes to. Check that before
          # switching readOnlyRootFilesystem to true.
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/lib/quarkus
              subPath: app-quarkus-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/data
              subPath: app-data-dir
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      volumes:
        # Node-local scratch space with no sizeLimit of its own; the
        # container's ephemeral-storage limit (1Gi) is the only cap.
        - name: empty-dir
          emptyDir: {}
# Controller-reported state when the object was read: one replica, ready and
# available. currentRevision equals updateRevision, so no rollout was pending.
status:
  replicas: 1
  readyReplicas: 1
  availableReplicas: 1
  currentReplicas: 1
  updatedReplicas: 1
  currentRevision: keycloak-68dcff8f69
  updateRevision: keycloak-68dcff8f69
  observedGeneration: 1
  collisionCount: 0
