feat: use native bitnami-keycloak chart

root/values.yaml

@@ -33,6 +33,7 @@ enabledApps:
   - cluster-auth
   - cluster-auth-config
   - keycloak
+  - keycloak-config
   - kyverno
   - kyverno-config
   - amd-gpu-operator
@@ -197,7 +198,16 @@ apps:
           - ".spec.data[].remoteRef.decodingStrategy"
           - ".spec.data[].remoteRef.metadataPolicy"
   keycloak:
-    path: keycloak-old
+    path: keycloak/25.2.0
+    namespace: keycloak
+    valuesFile: ../values_cf.yaml
+    helmParameters:
+      - name: domain
+        value: "{{ .Values.global.domain }}"
+    syncWave: -1
+
+  keycloak-config:
+    path: keycloak-config
     namespace: keycloak
     valuesFile: values.yaml
     helmParameters:

root/values_cf.yaml

@@ -31,6 +31,7 @@ enabledApps:
   - cluster-auth
   - cluster-auth-config
   - keycloak
+  - keycloak-config
   - kyverno
   - kyverno-config
   - amd-gpu-operator

root/values_dev.yaml

@@ -17,8 +17,6 @@ enabledApps:
   - openbao-config
   - external-secrets
   - external-secrets-config
-  - gitea
-  - gitea-config
   - gateway-api
   - metallb
   - kgateway-crds
@@ -31,6 +29,7 @@ enabledApps:
   - cluster-auth
   - cluster-auth-config
   - keycloak
+  - keycloak-config
   - kyverno
   - kyverno-config
   - amd-gpu-operator

root/values_ha.yaml

@@ -31,6 +31,7 @@ enabledApps:
   - cluster-auth
   - cluster-auth-config
   - keycloak
+  - keycloak-config
   - kyverno
   - kyverno-config
   - amd-gpu-operator

sbom/components.yaml

@@ -99,9 +99,9 @@ components:
     license: Apache License 2.0
     licenseUrl: https://github.com/silogen/cluster-forge/blob/main/LICENSE
   keycloak:
-    path: keycloak-old
-    valuesFile: values.yaml
-    sourceUrl: https://codecentric.github.io/helm-charts
+    path: keycloak/25.2.0
+    valuesFile: ../values_cf.yaml
+    sourceUrl: oci://registry-1.docker.io/bitnamicharts/keycloak
     projectUrl: https://github.com/keycloak/keycloak
     license: Apache License 2.0
     licenseUrl: https://github.com/keycloak/keycloak/blob/main/LICENSE.txt

scripts/bootstrap.md

@@ -90,6 +90,16 @@ Creates three namespaces for core components:
    kubectl -n cf-openbao get secret openbao-keys -o jsonpath='{.data.root_token}' | base64 -d
    ```
 
+4. **Devuser:**
+   ```bash   
+   kubectl -n airm get secret airm-devuser-credentials -o jsonpath="{.data.KEYCLOAK_INITIAL_DEVUSER_PASSWORD}"| base64 -d
+   ```
+
+5. **Keycloak admin:**
+   ```bash
+   kubectl -n keycloak get secret keycloak-credentials -o jsonpath="{.data.KEYCLOAK_INITIAL_ADMIN_PASSWORD}"| base64 -d
+   ```
+
 ## Development
 
 For development purposes there is a way to sync all apps directly from cluster-forge GitHub repo bypassing gitea. Here is the possible development flow: 

scripts/init-openbao-job/templates/cf-init-openbao-cm.yaml

@@ -139,8 +139,9 @@ data:
 
     bao kv put secrets/airm-keycloak-admin-client-id value="admin-client-id-value"
     bao kv put secrets/airm-keycloak-admin-client-secret value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
-
-    bao kv put secrets/keycloak-initial-admin-password value=admin;
+
+    bao kv put secrets/keycloak-initial-admin-password value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
+    bao kv put secrets/keycloak-initial-devuser-password value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
     bao kv put secrets/keycloak-cnpg-user-username value=keycloak;
     bao kv put secrets/keycloak-cnpg-user-password value=keycloak;
     bao kv put secrets/keycloak-cnpg-superuser-username value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";

sources/airm/0.3.1/charts/airm-api/files/configure.sh

@@ -53,9 +53,10 @@ check_env_variable "KEYCLOAK_CLIENT_SECRET"
 check_env_variable "KEYCLOAK_CLIENT_ID"
 check_env_variable "KEYCLOAK_ADMIN_CLIENT_ID"
 check_env_variable "KEYCLOAK_ADMIN_CLIENT_SECRET"
+check_env_variable "INITIAL_USER_PASSWORD"
 
 function refresh_token() {
-    TOKEN=$(curl -s -d "client_id=${KEYCLOAK_CLIENT_ID}" -d "username=${USER_EMAIL}" -d 'password=password' -d 'grant_type=password' -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" | jq -r '.access_token')
+    TOKEN=$(curl -s -d "client_id=${KEYCLOAK_CLIENT_ID}" -d "username=${USER_EMAIL}" -d "password=${INITIAL_USER_PASSWORD}" -d 'grant_type=password' -d "client_secret=${KEYCLOAK_CLIENT_SECRET}" "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" | jq -r '.access_token')
     if [ -z "$TOKEN" ] || [ "$TOKEN" == "null" ]; then
         echo "ERROR: Failed to obtain access token from Keycloak."
         exit 1

sources/airm/0.3.1/charts/airm-api/templates/airm-configure-job.yaml

@@ -137,6 +137,11 @@ spec:
                 secretKeyRef:
                   key: client-secret
                   name: "{{ .Release.Name }}-keycloak-admin-client"
+            - name: INITIAL_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
+                  name: "{{ .Release.Name }}-devuser-credentials"
             - name: AIRM_API_URL
               value: "http://{{ .Release.Name }}-api.{{ .Release.Namespace }}.svc.cluster.local"
           volumeMounts:

sources/airm/0.3.1/charts/airm-api/templates/airm-es.yaml

@@ -192,3 +192,24 @@ spec:
       remoteRef:
         key: cluster-auth-admin-token
         property: value
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: "{{ .Release.Name }}-devuser-credentials"
+  namespace: "{{ .Release.Namespace }}"
+  annotations:
+    helm.sh/hook: pre-install
+spec:
+  data:
+    - remoteRef:
+        key: keycloak-initial-devuser-password
+        property: value
+      secretKey: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao-secret-store
+  target:
+    creationPolicy: Owner
+    name: airm-devuser-credentials

sources/keycloak-config/templates/keycloak-secrets.yaml → sources/keycloak-config/templates/keycloak-airm-realm-secrets.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: airm-realm-credentials
@@ -24,31 +24,30 @@ spec:
         key: airm-ci-client-secret
         property: value
       secretKey: CI_CLIENT_SECRET
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao-secret-store
-  target:
-    creationPolicy: Owner
-    name: airm-realm-credentials
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: keycloak-credentials
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/hook: PreSync
-spec:
-  data:
     - remoteRef:
-        key: keycloak-initial-admin-password
+        key: k8s-client-secret
         property: value
-      secretKey: KEYCLOAK_INITIAL_ADMIN_PASSWORD
+      secretKey: K8S_CLIENT_SECRET
+    - remoteRef:
+        key: minio-client-secret
+        property: value
+      secretKey: MINIO_CLIENT_SECRET
+    - remoteRef:
+        key: gitea-client-secret
+        property: value
+      secretKey: GITEA_CLIENT_SECRET
+    - remoteRef:
+        key: argocd-client-secret
+        property: value
+      secretKey: ARGOCD_CLIENT_SECRET
+    - remoteRef:
+        key: keycloak-initial-devuser-password
+        property: value
+      secretKey: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
     name: openbao-secret-store
   target:
     creationPolicy: Owner
-    name: keycloak-credentials
+    name: airm-realm-credentials

sources/keycloak-config/templates/keycloak-cnpg-cluster.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: keycloak-cnpg
+  namespace: keycloak
+spec:
+  affinity:
+    enablePodAntiAffinity: true
+    topologyKey: topology.kubernetes.io/zone
+  bootstrap:
+    initdb:
+      database: keycloak
+      owner: keycloak
+      postInitSQL:
+        - GRANT CREATE ON SCHEMA public TO keycloak
+      secret:
+        name: keycloak-cnpg-user
+  imageName: ghcr.io/cloudnative-pg/postgresql:17
+  instances: 1
+  nodeMaintenanceWindow:
+    inProgress: false
+    reusePVC: true
+  postgresql:
+    parameters:
+      auto_explain.log_min_duration: 10s
+      pg_stat_statements.max: "10000"
+      pg_stat_statements.track: all
+      shared_buffers: 256MB
+    pg_hba:
+      - host all all 10.244.0.0/16 md5
+  primaryUpdateStrategy: unsupervised
+  resources:
+    limits:
+      cpu: "2"
+      memory: 1Gi
+    requests:
+      cpu: "1"
+      memory: 512Mi
+  startDelay: 300
+  stopDelay: 300
+  storage:
+    size: 50Gi
+    storageClass: default
+  superuserSecret:
+    name: keycloak-cnpg-superuser
+  walStorage:
+    size: 50Gi
+    storageClass: default