[keycloak] make keycloak run on openshift (CloudPirates-io#225)

make keycloak run on openshift

Author: mms-gianni

charts/keycloak/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 1.1.1
 - name: postgres
   repository: oci://registry-1.docker.io/cloudpirates
-  version: 0.6.1
+  version: 0.7.2
 - name: mariadb
   repository: oci://registry-1.docker.io/cloudpirates
-  version: 0.3.0
-digest: sha256:18c857c1e792fb60ef7577d542f549e8732fdcaf59caa47eb21bd75126ddc713
-generated: "2025-09-30T07:51:22.5152067+02:00"
+  version: 0.3.2
+digest: sha256:886649f9f78f7bf1f296dabcca5eb8cd0dbd9d0fdb540a327e6a299817fd4b53
+generated: "2025-10-07T21:13:04.453964+02:00"

charts/keycloak/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: keycloak
 description: Open Source Identity and Access Management Solution
 type: application
-version: 0.2.1
+version: 0.3.0
 appVersion: "26.3.4"
 keywords:
   - keycloak

charts/keycloak/README.md

@@ -114,15 +114,15 @@ The following table lists the configurable parameters of the Keycloak chart and
 
 ### Security
 
-| Parameter                                  | Description                                       | Default   |
-| ------------------------------------------ | ------------------------------------------------- | --------- |
-| `podSecurityContext.fsGroup`               | Group ID for the volumes of the pod               | `1001`    |
-| `securityContext.allowPrivilegeEscalation` | Enable container privilege escalation             | `false`   |
-| `securityContext.runAsNonRoot`             | Configure the container to run as a non-root user | `true`    |
-| `securityContext.runAsUser`                | User ID for the Keycloak container                | `1001`    |
-| `securityContext.runAsGroup`               | Group ID for the Keycloak container               | `1001`    |
-| `securityContext.readOnlyRootFilesystem`   | Mount container root filesystem as read-only      | `false`   |
-| `securityContext.capabilities.drop`        | Linux capabilities to be dropped                  | `["ALL"]` |
+| Parameter                                           | Description                                       | Default   |
+| --------------------------------------------------- | ------------------------------------------------- | --------- |
+| `podSecurityContext.fsGroup`                        | Group ID for the volumes of the pod               | `1001`    |
+| `containerSecurityContext.allowPrivilegeEscalation` | Enable container privilege escalation             | `false`   |
+| `containerSecurityContext.runAsNonRoot`             | Configure the container to run as a non-root user | `true`    |
+| `containerSecurityContext.runAsUser`                | User ID for the Keycloak container                | `1001`    |
+| `containerSecurityContext.runAsGroup`               | Group ID for the Keycloak container               | `1001`    |
+| `containerSecurityContext.readOnlyRootFilesystem`   | Mount container root filesystem as read-only      | `false`   |
+| `containerSecurityContext.capabilities.drop`        | Linux capabilities to be dropped                  | `["ALL"]` |
 
 ### Keycloak Configuration
 

charts/keycloak/templates/deployment.yaml

@@ -31,12 +31,10 @@ spec:
 {{- with (include "keycloak.imagePullSecrets" .) }}
 {{ . | nindent 6 }}
 {{- end }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      securityContext: {{ include "common.renderPodSecurityContext" . | nindent 8 }}
       initContainers:
         - name: copy-quarkus-lib
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ include "keycloak.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           command: ["sh", "-c", "cp -r /opt/keycloak/lib/quarkus/* /shared-quarkus/"]
@@ -45,10 +43,12 @@ spec:
               mountPath: /shared-quarkus
         {{- if .Values.postgres.enabled }}
         - name: wait-for-postgres
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ .Values.initContainers.waitForPostgres.image }}
           command: ["sh", "-c", "until pg_isready -h {{ .Release.Name }}-postgres -p 5432 -U postgres; do echo waiting for database; sleep 2; done;"]
         {{- else if .Values.mariadb.enabled }}
         - name: wait-for-mariadb
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ .Values.initContainers.waitForMariadb.image }}
           command: ["sh", "-c", "until mysqladmin ping -h {{ .Release.Name }}-mariadb -P 3306 --silent; do echo waiting for database; sleep 2; done;"]
         {{- end }}
@@ -57,8 +57,7 @@ spec:
         {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{ include "common.renderContainerSecurityContext" . | nindent 12 }}
           image: {{ include "keycloak.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
           command:

charts/keycloak/values.schema.json

@@ -103,7 +103,7 @@
         }
       }
     },
-    "securityContext": {
+    "containerSecurityContext": {
       "type": "object",
       "properties": {
         "allowPrivilegeEscalation": {

charts/keycloak/values.yaml

@@ -59,18 +59,18 @@ podSecurityContext:
   ## @param podSecurityContext.fsGroup Group ID for the volumes of the pod
   fsGroup: 1001
 
-securityContext:
-  ## @param securityContext.allowPrivilegeEscalation Enable container privilege escalation
+containerSecurityContext:
+  ## @param containerSecurityContext.allowPrivilegeEscalation Enable container privilege escalation
   allowPrivilegeEscalation: false
-  ## @param securityContext.runAsNonRoot Configure the container to run as a non-root user
+  ## @param containerSecurityContext.runAsNonRoot Configure the container to run as a non-root user
   runAsNonRoot: true
-  ## @param securityContext.runAsUser User ID for the Keycloak container
+  ## @param containerSecurityContext.runAsUser User ID for the Keycloak container
   runAsUser: 1001
-  ## @param securityContext.runAsGroup Group ID for the Keycloak container
+  ## @param containerSecurityContext.runAsGroup Group ID for the Keycloak container
   runAsGroup: 1001
-  ## @param securityContext.readOnlyRootFilesystem Mount container root filesystem as read-only
+  ## @param containerSecurityContext.readOnlyRootFilesystem Mount container root filesystem as read-only
   readOnlyRootFilesystem: false
-  ## @param securityContext.capabilities.drop Linux capabilities to be dropped
+  ## @param containerSecurityContext.capabilities.drop Linux capabilities to be dropped
   capabilities:
     drop:
       - ALL