Helm Configuration

.Values.global.modules.macma.keycloakBCIMasterdataClientId

The environment’s MACMA client id.

No

-

.Values.global.modules.macma.keycloakBCIMasterdataClientSecret

The environment’s MACMA client secret.

Yes

-

.Values.global.nexeedMacmaTenant0Id

The ID of the root tenant. Default realm for registration at portal and login.

Yes

-

.Values.global.modules.macma.tenant0InitialName

The initial name of the root tenant. After the initial setup, changing this value will have no effect.

No (but highly recommended to set the correct value for the initial setup)

first customer tenant

.Values.global.modules.macma.keycloakClientSecret

Client secret of the admin client in the master realm, which is required by MACMA to control Keycloak.

Yes

-

.Values.global.modules.portal.macmaPortalAdminUser

Name of the admin user created on bootstrapping.

No, but if not provided no admin user will be created.

-

.Values.global.modules.portal.macmaPortalAdminPassword

Password of the admin user created on bootstrapping. Has to be changed on first login.

No, but required if .Values.global.modules.portal.macmaPortalAdminUser is set.

-

.Values.local.tokenIntrospection.recommendedUserTokenTrustInSeconds

Maximum recommended cache time (in s) for introspection results sent by MACMA for user tokens (should be small).

No

5

.Values.local.tokenIntrospection.recommendedClientTokenTrustInSeconds

Maximum recommended cache time (in s) for introspection results sent by MACMA for client tokens.

No

150

.Values.local.fileUploadMaxSizeInMB

Maximum allowed filesize for file upload e.g. for configuration file. Increasing the value can cause OutOfMemory errors. The value for defaultMaxBodySizeInMB has to be larger or equal to fileUploadMaxSizeInMB.

No

8

.Values.local.defaultMaxBodySizeInMB

Maximum allowed request body size.

No

8

.Values.global.logging.default or .Values.local.logging.default

Default loglevel except for the following explicit settings.

No

WARN

.Values.local.logging.spring.default

Loglevel for everything Spring (but not Spring Boot).

No

WARN

.Values.local.logging.spring.boot

Loglevel for everything Spring Boot.

No

WARN

.Values.local.logging.spring.security

Loglevel for everything Spring SECURITY.

No

WARN

.Values.global.logging.application or .Values.local.logging.application

Loglevel for Bosch Components.

No

WARN

.Values.local.logging.netty

Loglevel for Netty.

No

WARN

.Values.local.logging.hibernate

Loglevel for Hibernate.

No

WARN

.Values.local.logging.liquibase

Loglevel for Liquibase.

No

INFO

.Values.local.logging.security

Loglevel for security logger.

No

INFO

.Values.local.logging.activityLogsRetentionTimeInDays

Activity Logs Retention time in days

No

90

.Values.local.activityLogsCleanupInitialDelayInMinutes

Delay (in minutes) after application startup when the Activity Logs Clean-up task is started

No

1

.Values.local.activityLogsCleanupFixedDelayInHours

Scheduled period (in hours) when the Activity Logs Clean-up task is executed

No

24

.Values.local.keycloakDatabaseBackgroundValidationDuration

Specify the Duration between liveness-checks for pooled DB connections (optional, default is '55S' as it should not be the same value as idle-timeout(minutes)); the format for durations uses the standard java.time.Duration format. You can learn more about it in the [Duration#parse() javadoc](https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-). Influences failover behavior.

No

55S

.Values.global.modules.macma.keycloakUser

Admin user for Keycloak.

Yes

-

.Values.global.modules.macma.keycloakPassword

Password for admin user for Keycloak.

Yes

-

.Values.global.modules.macma.contextPath

Context path "in between" the origin and specific paths offered by Keycloak. If MACMA is offered under a sub-path (e.g. `https://testSystemA.de.bosch.com:8088/iam/`) (instead of a sub-domain like `https://iam.testSystemA.de.bosch.com:8088/`) this should be set to the sub-path (here `iam`).

No

"iam"

.Values.local.keycloak.macmaMigrationsTimeoutSeconds

Sets the timeout in seconds for MACMA’s Keycloak migrations that run during startup.

No

3600

.Values.local.keycloak.quarkus.transactionManager.defaultTransactionTimeout

Sets the timeout that applies to all Keycloak transactions managed by the transaction manager; the format for durations uses the standard java.time.Duration format (https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/time/Duration.html#parse(java.lang.CharSequence))

No

PT3600S

.Values.local.keycloakSocketTimeout

Socket inactivity timeout in milliseconds. Can be increased if you have integrated slow IDPs and get sporadic `Unexpected error when authenticating with identity provider` while authenticating with an identity provider _and_ you have ruled out other possibilities.

No

15000

.Values.local.logging.keycloak

Loglevel for everything Keycloak

No

INFO

.Values.local.logging.keycloak.security

Loglevel for keycloak security logger.

No

INFO

.Values.local.logging.keycloak.infinispan

Loglevel for keycloak infinispan cache logger.

No

INFO

.Values.local.logging.keycloak.jGroups

Loglevel for JGroups

No

INFO

.Values.local.infinispan.enableStatistics

Enable cache statistics on the /metrics endpoint.

No

false

.Values.local.infinispan.realmCacheSize

Size of cache persisted realm data.

No

10000

.Values.local.infinispan.realmCacheMaxIdle

Specifies the maximum amount of time, in milliseconds, that realm data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

.Values.local.infinispan.usersCacheSize

Size of cache persisted users data

No

10000

.Values.local.infinispan.usersCacheMaxIdle

Specifies the maximum amount of time, in milliseconds, that users data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

.Values.local.infinispan.authorizationCacheSize

Size of cache persisted authorization data.

No

10000

.Values.local.infinispan.authorizationCacheMaxIdle

Specifies the maximum amount of time, in milliseconds, that authorization data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

.Values.local.infinispan.keysCacheSize

Size of cache persisted external public keys.

No

1000

.Values.local.infinispan.keysMaxIdle

Specifies the maximum amount of time, in milliseconds, that keys data cache entries can remain idle. Can be disabled with a value of -1.

No

3600000

.Values.local.infinispan.remoteTimeout

The timeout (in ms) used to wait for an acknowledgment when making a remote call to another keycloak instance, after which the call is aborted and an exception is thrown.

No

15000

.Values.local.infinispan.lockAcquisitionTimeout

Maximum time to attempt a particular lock acquisition.

No

10000

.Values.local.infinispan.sessionsCacheSize

Size of cache persisted user session data.

No

10000

.Values.local.infinispan.clientSessionsCacheSize

Size of cache persisted client session data.

No

10000

.Values.local.infinispan.offlineSessionsCacheSize

Size of cache persisted offline user session data.

No

10000

.Values.local.infinispan.offlineClientSessionsCacheSize

Size of cache persisted offline client session data.

No

10000

.Values.local.infinispan.lockingType

The locking mode for all keycloak infinispan cache, one of OPTIMISTIC or PESSIMISTIC.

No

OPTIMISTIC

.Values.local.keycloak.initialRamPercentage

Specify the initial Java heap size percentage from the containers limit (optional, default is `20`)

No

20

.Values.local.keycloak.maxRamPercentage

Specify the maximum Java heap size percentage from the containers limit (optional, default is `80`)

No

80

.Values.local.keycloak.liquibase.defaultIndexCreationThreshold

If the number of records in a database table exceeds this threshold, the index is not created. Instead, you will find a warning in the server logs with the SQL commands that you can apply manually. To disable this threshold set a value ≤ 0. (optional, default is `0`)

No

0

.Values.global.modules.macma.portalName

Name of the portal module. For registration the id of the portal’s client is searched by this name to get a proper token.

No

0

.Values.local.observability.otelAutoInjectEnvParams

Whether the standardized Open Telemetry environment variables should be automatically injected into the pods. See the general Nexeed IAS operations manual 'Open Telemetry integration' chapter for more details.

No

true