feat(keycloak): migrate to keycloak helm chart

platform-apps/charts/backstage/values-demo-metalstack.yaml

@@ -150,7 +150,7 @@ backstage:
               # real metadataUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" - #24935
               #metadataUrl: https://keycloak.lab.suxessit.k8s.cloud.uibk.ac.at/realms/kubrix #.well-known/openid-configuration can be ommited
               # workaround -> also set frontendUrl in keycloak realm
-              metadataUrl: http://keycloak-service.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited
+              metadataUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited
               callbackUrl: https://backstage.demo.kubrix.cloud/api/auth/oidc/handler/frame
               clientId: backstage
               clientSecret: demosecret
@@ -240,7 +240,7 @@ backstage:
               # real baseUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443"
               #baseUrl: https://keycloak.lab.suxessit.k8s.cloud.uibk.ac.at
               # workaround
-              baseUrl: http://keycloak-service.keycloak.svc.cluster.local:8080
+              baseUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080
               loginRealm: kubrix
               realm: kubrix
               clientId: backstage

platform-apps/charts/backstage/values-k3d.yaml

@@ -140,7 +140,7 @@ backstage:
               # real metadataUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" - #24935
               #metadataUrl: https://keycloak-127-0-0-1.nip.io/realms/kubrix #.well-known/openid-configuration can be ommited
               # workaround -> also set frontendUrl in keycloak realm
-              metadataUrl: http://keycloak-service.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited
+              metadataUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited
               callbackUrl: https://backstage-127-0-0-1.nip.io/api/auth/oidc/handler/frame
               clientId: backstage
               clientSecret: demosecret
@@ -230,7 +230,7 @@ backstage:
               # real baseUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443"
               #baseUrl: https://keycloak-127-0-0-1.nip.io
               # workaround
-              baseUrl: http://keycloak-service.keycloak.svc.cluster.local:8080
+              baseUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080
               loginRealm: kubrix
               realm: kubrix
               clientId: backstage
@@ -365,4 +365,4 @@ backstage:
             enabled: true
 ## pgdb
 cluster:
-  enabled: false
+  enabled: false

platform-apps/charts/image-list.json

@@ -196,18 +196,13 @@
   },
   {
     "chart": "keycloak",
-    "image": "busybox",
-    "id": "keycloak_busybox"
-  },
-  {
-    "chart": "keycloak",
-    "image": "postgres:latest",
-    "id": "keycloak_postgres_latest"
+    "image": "docker.io/bitnami/keycloak:26.1.2-debian-12-r0",
+    "id": "keycloak_keycloak_26.1.2-debian-12-r0"
   },
   {
     "chart": "keycloak",
-    "image": "quay.io/keycloak/keycloak:25.0.2",
-    "id": "keycloak_keycloak_25.0.2"
+    "image": "docker.io/bitnami/postgresql:17.4.0-debian-12-r2",
+    "id": "keycloak_postgresql_17.4.0-debian-12-r2"
   },
   {
     "chart": "komoplane",

platform-apps/charts/image-list.md

@@ -52,9 +52,8 @@
 ## kargo
 * ghcr.io/akuity/kargo:v1.2.3
 ## keycloak
-* busybox
-* postgres:latest
-* quay.io/keycloak/keycloak:25.0.2
+* docker.io/bitnami/keycloak:26.1.2-debian-12-r0
+* docker.io/bitnami/postgresql:17.4.0-debian-12-r2
 ## komoplane
 * busybox
 * komodorio/komoplane:0.1.6

platform-apps/charts/keycloak/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: keycloak
+  repository: https://charts.bitnami.com/bitnami
+  version: 24.4.10
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.4.14
+- name: cluster
+  repository: https://cloudnative-pg.github.io/charts
+  version: 0.2.1
+digest: sha256:bc4114d4fde2bad2e72d93cc3de6322c1cc252c200d8dfa1bf6531de6281ddf5
+generated: "2025-03-03T14:53:56.140641+01:00"

platform-apps/charts/keycloak/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sx-keycloak
-description: A local k8s keycloak with postgres db
+description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -23,3 +23,17 @@ version: 0.1.0
 # It is recommended to use it with quotes.
 appVersion: "1.0.0"
 
+dependencies:
+  - name: keycloak
+    alias: keycloak
+    version: 24.4.10
+    repository: https://charts.bitnami.com/bitnami
+  - name: postgresql
+    alias: postgresql
+    version: 16.4.14
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: cluster
+    version: 0.2.1
+    repository: https://cloudnative-pg.github.io/charts
+    condition: cluster.enabled

platform-apps/charts/keycloak/templates/2faflow.yaml

@@ -1,21 +1,21 @@
-{{- if .Values.deployments.keycloak.mfa.enabled }}
+{{- if .Values.kubrix.keycloak.mfa.enabled }}
 apiVersion: role.keycloak.crossplane.io/v1alpha1
 kind: Role
 metadata:
   name: 2faotprole
   labels:
     platform-engineer.cloud/role: 2faotprole
   annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "6"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   deletionPolicy: Delete
   forProvider:
-    description: "${role_{{ .Values.deployments.keycloak.realm.realmid }}_otprole}"
-    name: {{ .Values.deployments.keycloak.realm.realmid }}_otprole
+    description: "${role_{{ .Values.kubrix.keycloak.realm.realmid }}_otprole}"
+    name: {{ .Values.kubrix.keycloak.realm.realmid }}_otprole
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
 ---
@@ -26,14 +26,14 @@ metadata:
   labels:
     platform-engineer.cloud/flow: 2faflow
   annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "6"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   deletionPolicy: Delete
   forProvider:
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
     alias: browser 2 FA
     description: browser based authentication
     providerId: basic-flow
@@ -45,7 +45,7 @@ kind: Execution
 metadata:
   name: 2fa-ex1
   annotations:
-    argocd.argoproj.io/sync-wave: "3"
+    argocd.argoproj.io/sync-wave: "7"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
@@ -57,7 +57,7 @@ spec:
     requirement: ALTERNATIVE
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
 ---
@@ -66,7 +66,7 @@ kind: Execution
 metadata:
   name: 2fa-ex2
   annotations:
-    argocd.argoproj.io/sync-wave: "4"
+    argocd.argoproj.io/sync-wave: "8"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
@@ -77,7 +77,7 @@ spec:
         platform-engineer.cloud/flow: 2faflow
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
     requirement: ALTERNATIVE
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
@@ -87,7 +87,7 @@ kind: Execution
 metadata:
   name: 2fa-ex3
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "9"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
@@ -98,7 +98,7 @@ spec:
         platform-engineer.cloud/flow: 2faflow
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
     requirement: REQUIRED
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
@@ -110,7 +110,7 @@ metadata:
   labels:
     platform-engineer.cloud/execution: 2fa-ex4
   annotations:
-    argocd.argoproj.io/sync-wave: "6"
+    argocd.argoproj.io/sync-wave: "10"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
@@ -121,7 +121,7 @@ spec:
         platform-engineer.cloud/flow: 2faflow
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
     requirement: REQUIRED
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
@@ -131,20 +131,20 @@ kind: ExecutionConfig
 metadata:
   name: 2fa-ex4-conf
   annotations:
-    argocd.argoproj.io/sync-wave: "7"
+    argocd.argoproj.io/sync-wave: "11"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
     alias: conditional otp form
     config:
       defaultOtpOutcome: skip
-      forceOtpRole: {{ .Values.deployments.keycloak.realm.realmid }}_otprole
+      forceOtpRole: {{ .Values.kubrix.keycloak.realm.realmid }}_otprole
     executionIdSelector:
       matchLabels:
         platform-engineer.cloud/execution: 2fa-ex4  
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
 ---
@@ -153,7 +153,7 @@ kind: Bindings
 metadata:
   name: 2fa-browser-flow-binding
   annotations:
-    argocd.argoproj.io/sync-wave: "8"
+    argocd.argoproj.io/sync-wave: "12"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   forProvider:
@@ -162,20 +162,20 @@ spec:
         platform-engineer.cloud/flow: 2faflow
     realmIdSelector:
       matchLabels:
-        platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }}
+        platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }}
   providerConfigRef:
     name: "{{ .Release.Name }}-config"
 {{- end }}
 ---
-{{- range $group := .Values.deployments.keycloak.realm.groups }}
+{{- range $group := .Values.kubrix.keycloak.realm.groups }}
 {{- if $group.mfa }}
 apiVersion: group.keycloak.crossplane.io/v1alpha1
 kind: Roles
 metadata:
-  name: {{ $.Values.deployments.keycloak.backstageclient.config.clientID }}-{{ $group.name }}-2fa-roles
+  name: backstage-{{ $group.name }}-2fa-roles
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "7"
 spec:
   forProvider:
     exhaustive: false
@@ -184,7 +184,7 @@ spec:
     roleIdsSelector:
       matchLabels: 
         platform-engineer.cloud/role: 2faotprole    
-    realmId: {{ $.Values.deployments.keycloak.realm.realmid }}
+    realmId: {{ $.Values.kubrix.keycloak.realm.realmid }}
   providerConfigRef:
     name: "{{ $.Release.Name }}-config"  
 ---

platform-apps/charts/keycloak/templates/comp.yaml

@@ -3,7 +3,7 @@ kind: Composition
 metadata:
   name: keycloak-builtin-objects
   annotations:
-    argocd.argoproj.io/sync-wave: "-1"
+    argocd.argoproj.io/sync-wave: "1"
 spec:
   compositeTypeRef:
     apiVersion: keycloak.crossplane.io/v1alpha1

platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml

@@ -1,37 +1,28 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.backstageclient.config.clientID }}-password"
-type: Opaque
-stringData:
-  {{ .Values.deployments.keycloak.backstageclient.config.clientID }}: {{ .Values.deployments.keycloak.backstageclient.config.clientSecret }}
-
 ---
 apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
 kind: Client
 metadata:
-  name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}
+  name: backstage
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "5"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   deletionPolicy: Delete
   forProvider:
     accessType: CONFIDENTIAL 
-    clientId: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}
-    name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}
-    realmId: {{ .Values.deployments.keycloak.realm.realmid }}
+    clientId: backstage
+    name: backstage
+    realmId: {{ .Values.kubrix.keycloak.realm.realmid }}
     directAccessGrantsEnabled: false
     standardFlowEnabled: true
     serviceAccountsEnabled: true
 #    managementPolicies: ["Observe"]
     validRedirectUris:
       - "http://localhost:7007/api/auth/oidc/handler/frame"
-      - "https://backstage{{ .Values.deployments.ingress.fqdn }}/api/auth/oidc/handler/frame"
+      - "https://backstage{{ .Values.kubrix.keycloak.fqdn }}/api/auth/oidc/handler/frame"
     clientSecretSecretRef:
-      key: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}
-      name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.backstageclient.config.clientID }}-password"
+      key: backstage
+      name: keycloak-client-credentials
       namespace: {{ .Release.Namespace }}
     loginTheme: keycloak
   providerConfigRef: