
feat(keycloak): add Keycloak Helm chart using upstream image#40

Merged
mikkeldamsgaard merged 12 commits into main from feat/39-keycloak-chart
Mar 14, 2026

Conversation

@mikkeldamsgaard
Contributor

Summary

  • Add a production-grade Keycloak Helm chart deploying the upstream quay.io/keycloak/keycloak image with native KC_* environment variable configuration
  • Support PostgreSQL, MySQL, MSSQL, and dev (H2) databases with structured configuration (host/port/user/name/secretRef)
  • Include jdbc-ping (default) and kubernetes (dns-ping) clustering with auto-configured JGroups DNS query via headless service
  • Expose all standard Kubernetes deployment knobs: resources, nodeSelector, tolerations, affinity, imagePullSecrets, podAnnotations, podLabels, securityContext, podSecurityContext, serviceAccount
  • Add optional build optimization init container (kc.sh build), TLS passthrough, Prometheus ServiceMonitor, extraEnvVars/Volumes, and persistent storage for themes/providers
  • Include 8 unit test suites (100 tests) covering all major template branches

Closes #39

Test plan

  • helm lint passes
  • helm template renders correctly for default (dev), PostgreSQL, and full-feature configurations
  • 100 helm-unittest tests pass across 8 suites (deployment, configmap, services, ingress, serviceaccount, pvc, servicemonitor)
  • Existing NetBird chart tests (193 tests) still pass
  • E2E: deploy with dev database in kind cluster and verify health endpoint

🤖 Generated with Claude Code

mikkeldamsgaard and others added 12 commits March 14, 2026 19:30
Add a production-grade Keycloak chart that deploys the upstream
quay.io/keycloak/keycloak image with native KC_* environment variable
configuration. Supports PostgreSQL, MySQL, MSSQL, and dev (H2)
databases, jdbc-ping and kubernetes (dns-ping) clustering, optional
build optimization init container, TLS passthrough, Prometheus
ServiceMonitor, and all standard Kubernetes deployment knobs.

Closes #39

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add comprehensive E2E test infrastructure for the Keycloak chart:
- ci/scripts/e2e-keycloak.sh with dev, postgres, and replicas scenarios
- E2E value files for each scenario (dev H2, PostgreSQL, multi-replica)
- Tests verify health, metrics, OIDC discovery, admin token acquisition,
  realm/client/user creation via REST API, and multi-replica clustering
- Makefile targets: e2e-keycloak-dev, e2e-keycloak-postgres,
  e2e-keycloak-replicas, e2e-keycloak (all three)

Improve NOTES.txt with detailed admin credential setup instructions,
REST API quick start guide, and production database guidance.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use dorny/paths-filter to detect which charts changed and only run
the relevant E2E test jobs. NetBird E2E tests only run when
charts/netbird/** or its CI scripts change; Keycloak E2E tests only
run when charts/keycloak/** or its CI scripts change. Changes to
CI config files (workflow, Makefile, dprint, helmfmt) trigger all
E2E tests. Format-check and lint+unittest always run.

Adds three new Keycloak E2E jobs: dev, postgres, and replicas.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move E2E and utility scripts into per-chart directories:
- ci/scripts/netbird/ — e2e.sh, e2e-oidc.sh, compat-matrix.sh
- ci/scripts/keycloak/ — e2e.sh
- ci/scripts/upstream-check.sh stays at root (repo-level)

Update all references in CI workflow, Makefile, and script headers.
Update paths-filter to use glob patterns for the new directory structure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move docs/compatibility.md to charts/netbird/docs/compatibility.md
so it lives alongside the chart it documents. Add .helmignore to
exclude docs/, tests/, ci/, and README.md from the packaged chart.

Update compat-matrix.sh and release skill references.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The keycloak.fullname helper returns "keycloak-e2e" (not
"keycloak-e2e-keycloak") because the chart name is contained in
the release name. Fix all references in the E2E script and CI
workflow debug steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Exclude docs/, tests/, ci/, and README.md from the packaged chart,
matching the netbird chart convention.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add keycloak/keycloak to .upstream-monitor.yaml with both version
and appVersion as targets (they are kept in sync).

Update release skill to document that the keycloak chart version
is synced with the upstream Keycloak appVersion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dev mode (H2 embedded DB) was forcing KC_CACHE=ispn with jdbc-ping,
which requires a shared database for cluster discovery. Use local cache
instead, matching Keycloak's default for start-dev.

Also fix deployment template rendering empty volumeMounts: and volumes:
fields when no volumes are configured, and improve e2e script to capture
debug info (pod status, logs, events) before cleanup on failure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rtup

Keycloak 26.5 requires either KC_HOSTNAME to be set or
KC_HOSTNAME_STRICT=false. The chart defaulted hostnameStrict to true
without a hostname, causing Keycloak to crash on startup with:
"hostname is not configured; either configure hostname, or set
hostname-strict to false"

Change the default to false so Keycloak starts without requiring a
hostname. Users setting a hostname should also set hostnameStrict: true.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
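Added example, not part of the chart or the PR: a small pre-flight check that mirrors the two startup constraints described in the commit messages above (dev-mode cache and hostname-strict), so a values change can be checked before rendering. The values layout (`database.vendor`, `cache.stack`, `hostname`, `hostnameStrict`) is an assumption for this example, not the chart's actual schema; the `KC_*` variable names are Keycloak's own.

```python
"""Pre-flight check for Keycloak chart values (added example, not chart code).

Mirrors two startup constraints from the commit messages: dev (H2) mode must
use KC_CACHE=local rather than the jdbc-ping stack, and hostnameStrict=true
needs a hostname or Keycloak 26.5 refuses to start.
"""
from __future__ import annotations

DEV_VENDORS = ("dev-file", "dev-mem")  # Keycloak's embedded H2 KC_DB values


def render_kc_env(values: dict) -> dict[str, str]:
    """Derive the KC_* environment from structured values.

    Key layout (database.vendor, cache.stack, hostname, hostnameStrict) is an
    assumption for this example, not the chart's actual values schema.
    """
    vendor = values.get("database", {}).get("vendor", "dev-file")
    env = {"KC_DB": vendor}
    if values.get("hostname"):
        env["KC_HOSTNAME"] = values["hostname"]
    # Default false: a strict hostname check without a hostname is fatal.
    env["KC_HOSTNAME_STRICT"] = "true" if values.get("hostnameStrict", False) else "false"
    if vendor in DEV_VENDORS:
        # jdbc-ping discovers peers through a shared DB; embedded H2 has none.
        env["KC_CACHE"] = "local"
    else:
        env["KC_CACHE"] = "ispn"
        env["KC_CACHE_STACK"] = values.get("cache", {}).get("stack", "jdbc-ping")
    return env


def validate_env(env: dict[str, str]) -> list[str]:
    """Return the startup problems Keycloak would report for a rendered env."""
    problems: list[str] = []
    if env.get("KC_HOSTNAME_STRICT") == "true" and not env.get("KC_HOSTNAME"):
        problems.append("hostname is not configured; either configure hostname, "
                        "or set hostname-strict to false")
    if (env.get("KC_CACHE") == "ispn" and env.get("KC_CACHE_STACK") == "jdbc-ping"
            and env.get("KC_DB") in DEV_VENDORS):
        problems.append("jdbc-ping needs a shared database; dev mode must use KC_CACHE=local")
    return problems


# Constructed sample values: the pre-fix default (strict, no hostname) and two fixed configs.
BROKEN_DEV = {"hostnameStrict": True, "database": {"vendor": "dev-file"}}
FIXED_DEV = {"hostnameStrict": False, "database": {"vendor": "dev-file"}}
PROD_PG = {"hostname": "sso.example.invalid", "hostnameStrict": True,
           "database": {"vendor": "postgres"}, "cache": {"stack": "jdbc-ping"}}
# Constructed: what dev mode rendered before the cache fix (ispn + jdbc-ping on H2).
PRE_FIX_DEV_ENV = {"KC_DB": "dev-file", "KC_CACHE": "ispn",
                   "KC_CACHE_STACK": "jdbc-ping", "KC_HOSTNAME_STRICT": "false"}
```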
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mikkeldamsgaard force-pushed the feat/39-keycloak-chart branch from ee43f9c to ad42737 on March 14, 2026 18:30
@mikkeldamsgaard merged commit 4353c2b into main on Mar 14, 2026
12 checks passed
@mikkeldamsgaard deleted the feat/39-keycloak-chart branch on March 14, 2026 19:46
Development

Successfully merging this pull request may close these issues.

feat: add Keycloak Helm chart using upstream image