silogen · woojae-siloai · Jan 16, 2026 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
@@ -90,6 +90,18 @@ Creates three namespaces for core components:
    kubectl -n cf-openbao get secret openbao-keys -o jsonpath='{.data.root_token}' | base64 -d
    ```
 
+4. **Devuser secret:**
+   ```bash
+   # Devuser secret
+   kubectl -n keycloak get secret airm-devuser-credentials -o jsonpath="{.data.KEYCLOAK_INITIAL_DEVUSER_PASSWORD}"| base64 -d
+   ```
+
+4. **Keycloak admin secret:**
+   ```bash
+   # Devuser secret
+   kubectl -n keycloak get secret keycloak-credentials -o jsonpath="{.data.KEYCLOAK_INITIAL_ADMIN_PASSWORD}"| base64 -d
+   ```
+
 ## Development
 
 For development purposes there is a way to sync all apps directly from cluster-forge GitHub repo bypassing gitea. Here is the possible development flow: 
@@ -102,4 +114,4 @@ For development purposes there is a way to sync all apps directly from cluster-f
 - Run `scripts/bootstrap_dev.sh`
 - Wait for cluster apps to be ready
 - From this point forward, any changes you push to your feature branch will be automatically synchronized to the cluster by ArgoCD.
-
+
@@ -140,7 +140,8 @@ data:
     bao kv put secrets/airm-keycloak-admin-client-id value="admin-client-id-value"
     bao kv put secrets/airm-keycloak-admin-client-secret value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
 
-    bao kv put secrets/keycloak-initial-admin-password value=admin;
+    bao kv put secrets/keycloak-initial-admin-password value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
+    bao kv put secrets/keycloak-initial-devuser-password value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";
     bao kv put secrets/keycloak-cnpg-user-username value=keycloak;
     bao kv put secrets/keycloak-cnpg-user-password value=keycloak;
     bao kv put secrets/keycloak-cnpg-superuser-username value="$(bao write -field=random_bytes sys/tools/random bytes=16 format=hex)";

@@ -545,12 +545,9 @@ data:
           "totp": false,
           "credentials": [
             {
-              "id": "596f57d5-41d0-4dd8-bd6f-bb16db235be2",
               "type": "password",
-              "userLabel": "My password",
-              "createdDate": 1746628471958,
-              "secretData": "{\"value\":\"15oUl8X/o/maH7BWBI4mGDj7WFXPXSc+BbPsIBTcqHE=\",\"salt\":\"RDnI5bojai0rUPa5j7T1rQ==\",\"additionalParameters\":{}}",
-              "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+              "value": "__DEVUSER_INITIAL_PASSWORD__",
+              "temporary": false
             }
           ],
           "disableableCredentialTypes": [],

@@ -52,3 +52,24 @@ spec:
   target:
     creationPolicy: Owner
     name: keycloak-credentials
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: airm-devuser-credentials
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+spec:
+  data:
+    - remoteRef:
+        key: keycloak-initial-devuser-password
+        property: value
+      secretKey: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao-secret-store
+  target:
+    creationPolicy: Owner
+    name: airm-devuser-credentials
@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: airm-devuser-credentials
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+spec:
+  data:
+    - remoteRef:
+        key: keycloak-initial-devuser-password
+        property: value
+      secretKey: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao-secret-store
+  target:
+    creationPolicy: Owner
+    name: airm-devuser-credentials
@@ -40,6 +40,10 @@ spec:
         key: argocd-client-secret
         property: value
       secretKey: ARGOCD_CLIENT_SECRET
+    - remoteRef:
+        key: keycloak-initial-devuser-password
+        property: value
+      secretKey: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
   refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore

@@ -18,4 +18,4 @@ spec:
     name: openbao-secret-store
   target:
     creationPolicy: Owner
-    name: keycloak-credentials
+    name: keycloak-credentials
@@ -110,6 +110,7 @@ spec:
                   sed -i -e "s/__MINIO_CLIENT_SECRET__/$MINIO_CLIENT_SECRET/g" /opt/realms/airm-realm.json
                   sed -i -e "s/__GITEA_CLIENT_SECRET__/$GITEA_CLIENT_SECRET/g" /opt/realms/airm-realm.json
                   sed -i -e "s/__ARGOCD_CLIENT_SECRET__/$ARGOCD_CLIENT_SECRET/g" /opt/realms/airm-realm.json
+                  sed -i -e "s/__DEVUSER_INITIAL_PASSWORD__/$DEVUSER_INITIAL_PASSWORD/g" /opt/realms/airm-realm.json
               else
                   echo "Warning: /opt/realm_templates/airm-realm.json not found, skipping airm realm setup"
               fi
@@ -154,6 +155,11 @@ spec:
                 secretKeyRef:
                   key: ARGOCD_CLIENT_SECRET
                   name: airm-realm-credentials
+            - name: DEVUSER_INITIAL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: KEYCLOAK_INITIAL_DEVUSER_PASSWORD
+                  name: airm-realm-credentials #double check this
           image: ghcr.io/silogen/keycloak-init:0.1
           name: init-realm-scripts
           volumeMounts:

@@ -549,12 +549,9 @@ data:
           "totp": false,
           "credentials": [
             {
-              "id": "596f57d5-41d0-4dd8-bd6f-bb16db235be2",
               "type": "password",
-              "userLabel": "My password",
-              "createdDate": 1746628471958,
-              "secretData": "{\"value\":\"15oUl8X/o/maH7BWBI4mGDj7WFXPXSc+BbPsIBTcqHE=\",\"salt\":\"RDnI5bojai0rUPa5j7T1rQ==\",\"additionalParameters\":{}}",
-              "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
+              "value": "__DEVUSER_INITIAL_PASSWORD__",
+              "temporary": false
             }
           ],
           "disableableCredentialTypes": [],