diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml index d26737bb125cfa16cf706e3521a998931b3ef9d7..3481cd75bdc5526727927b957b34990a0ee38b37 100644 --- a/charts/keycloak/Chart.yaml +++ b/charts/keycloak/Chart.yaml @@ -1,13 +1,15 @@ apiVersion: v2 name: keycloak -description: (Alpha) A Helm chart for Keycloak on Kubernetes +description: A Helm chart for Keycloak on Kubernetes +annotations: + artifacthub.io/category: security type: application home: https://www.keycloak.org/ icon: https://www.keycloak.org/resources/images/keycloak_icon_512px.svg sources: - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops - https://github.com/keycloak/keycloak -version: 0.7.2 +version: 0.7.3 # renovate: image=quay.io/keycloak/keycloak appVersion: "22.0.3" maintainers: diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md index f8f3c9907b773364b375b54ded2a3a19ac1afc81..d1247b84814429b4a268d6e3dc32ff069dc0813f 100644 --- a/charts/keycloak/README.md +++ b/charts/keycloak/README.md @@ -1,8 +1,8 @@ # keycloak -   +   -(Alpha) A Helm chart for Keycloak on Kubernetes +A Helm chart for Keycloak on Kubernetes **Homepage:** <https://www.keycloak.org/> @@ -60,7 +60,8 @@ | networkPolicy.create | bool | `false` | Creates a network policy for inifispan communication, does **not** take care of database or ingress communication | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | +| podSecurityContext.runAsNonRoot | bool | `true` | | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | replicaCount | int | `1` | | | resources.limits.cpu | string | `"1"` | | | resources.limits.memory | string | `"1.5Gi"` | | 
@@ -68,7 +69,6 @@ | resources.requests.memory | string | `"1Gi"` | | | securityContext.allowPrivilegeEscalation | bool | `false` | | | securityContext.capabilities.drop[0] | string | `"ALL"` | | -| securityContext.runAsNonRoot | bool | `true` | | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | diff --git a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap index 4c87dd93c1389b251f7ad8949e8464748f8143e0..20716378b734e7c8d6fc8c1cd32953e283f4a716 100644 --- a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap @@ -90,14 +90,16 @@ should match basic snapshot: capabilities: drop: - ALL - runAsNonRoot: true startupProbe: failureThreshold: 30 httpGet: path: /health/live port: http periodSeconds: 10 - securityContext: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-keycloak 2: | apiVersion: v1 @@ -262,14 +264,16 @@ should match full snapshot: capabilities: drop: - ALL - runAsNonRoot: true startupProbe: failureThreshold: 30 httpGet: path: /health/live port: http periodSeconds: 10 - securityContext: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-keycloak 2: | apiVersion: v1 diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml index 37627d5d200d8c85aede41b9d9b49ccccb095174..7bcbf25e7ccf38cab885a2e5070ef45ace1799ab 100644 --- a/charts/keycloak/values.yaml +++ b/charts/keycloak/values.yaml 
@@ -47,15 +47,17 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # fsGroup: 2000 securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL - allowPrivilegeEscalation: false - runAsNonRoot: true service: type: ClusterIP
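Review bot: The new `podSecurityContext` defaults (`runAsNonRoot`, `seccompProfile.type`) and the reordered `securityContext` keys carry no documentation comment, so the generated README rows for them (the README hunks in this patch) have an empty description column while neighbouring keys such as `networkPolicy.create` are described — presumably via helm-docs `# --` comments. A one-liner above each map would make the intent visible to chart users, e.g. `# -- Pod-level security context applied to every container; runAsNonRoot plus a RuntimeDefault seccomp profile are the two pod-level fields the Pod Security Standards "restricted" profile expects` and `# -- Container-level security context; per field it takes precedence over podSecurityContext, so overriding securityContext.runAsNonRoot here would undo the pod-level default`. Worth stating in that comment as well that `runAsNonRoot: true` is only enforceable when the image declares a numeric non-root `USER` or `runAsUser` is set; that constraint is unchanged from the previous container-level setting, but moving the field to pod level now also applies it to any init or sidecar container a user adds. The hunk's leading context (`serviceAccount:`) and trailing `service:` block continue outside the hunk.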