feat(keycloak): add Keycloak Helm chart using upstream image

.claude/skills/release/SKILL.md

@@ -31,6 +31,8 @@ Apply conventional commit rules to determine the bump:
 
 Use the highest applicable bump. Parse the current version from `charts/<chart-name>/Chart.yaml`.
 
+**Keycloak chart exception**: The keycloak chart version is synced with the upstream Keycloak appVersion (e.g. `26.5.0`). Do not bump the chart version independently — it always matches `appVersion`. When a new upstream Keycloak version is released, bump both `version` and `appVersion` together to the new upstream version.
+
 Present the proposed version bump to the user (current version -> new version) along with the commit list, and ask for confirmation before proceeding. The user may override the bump level.
 
 ## 3. Update Chart.yaml
@@ -53,7 +55,7 @@ If the version bump includes a **minor** (or major) version change, run:
 make compat-matrix
 ```
 
-This tests the chart against the last 5 NetBird server minor versions and updates `docs/compatibility.md` with a new row for the new chart minor. The updated file will be included in the release commit.
+This tests the chart against the last 5 NetBird server minor versions and updates `charts/netbird/docs/compatibility.md` with a new row for the new chart minor. The updated file will be included in the release commit.
 
 Skip this step for patch-only bumps — the existing row already covers the current chart minor.
 

.github/workflows/ci.yaml

@@ -7,6 +7,38 @@ on:
     branches: [main]
 
 jobs:
+  # ── Detect which charts changed ──────────────────────────────────────
+  detect-changes:
+    name: Detect Changes
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      netbird: ${{ steps.filter.outputs.netbird }}
+      keycloak: ${{ steps.filter.outputs.keycloak }}
+      ci: ${{ steps.filter.outputs.ci }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect changed paths
+        uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            netbird:
+              - 'charts/netbird/**'
+              - 'ci/scripts/netbird/**'
+            keycloak:
+              - 'charts/keycloak/**'
+              - 'ci/scripts/keycloak/**'
+            ci:
+              - '.github/workflows/ci.yaml'
+              - 'Makefile'
+              - 'dprint.json'
+              - '.helmfmt'
+
+  # ── Format check (always runs) ──────────────────────────────────────
   format-check:
     name: Format Check
     runs-on: ubuntu-latest
@@ -39,6 +71,7 @@ jobs:
             exit 1
           fi
 
+  # ── Lint & unit test (always runs) ──────────────────────────────────
   lint-and-unit-test:
     name: Lint & Unit Test
     runs-on: ubuntu-latest
@@ -70,10 +103,12 @@ jobs:
             fi
           done
 
+  # ── NetBird E2E tests (only when netbird chart or CI config changes) ─
   e2e-sqlite:
-    name: E2E — SQLite
+    name: "E2E — NetBird: SQLite"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -89,7 +124,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (sqlite)
-        run: ci/scripts/e2e.sh sqlite
+        run: ci/scripts/netbird/e2e.sh sqlite
 
       - name: Show debug info on failure
         if: failure()
@@ -104,9 +139,10 @@ jobs:
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
   e2e-postgres:
-    name: E2E — PostgreSQL
+    name: "E2E — NetBird: PostgreSQL"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -122,7 +158,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (postgres)
-        run: ci/scripts/e2e.sh postgres
+        run: ci/scripts/netbird/e2e.sh postgres
 
       - name: Show debug info on failure
         if: failure()
@@ -139,9 +175,10 @@ jobs:
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
   e2e-mysql:
-    name: E2E — MySQL
+    name: "E2E — NetBird: MySQL"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -157,7 +194,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (mysql)
-        run: ci/scripts/e2e.sh mysql
+        run: ci/scripts/netbird/e2e.sh mysql
 
       - name: Show debug info on failure
         if: failure()
@@ -174,9 +211,10 @@ jobs:
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
   e2e-oidc-embedded:
-    name: E2E — OIDC (Embedded IdP)
+    name: "E2E — NetBird: OIDC (Embedded IdP)"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -192,7 +230,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (oidc-embedded)
-        run: ci/scripts/e2e-oidc.sh embedded
+        run: ci/scripts/netbird/e2e-oidc.sh embedded
 
       - name: Show debug info on failure
         if: failure()
@@ -207,9 +245,10 @@ jobs:
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
   e2e-oidc-keycloak:
-    name: E2E — OIDC (Keycloak)
+    name: "E2E — NetBird: OIDC (Keycloak)"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -225,7 +264,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (oidc-keycloak)
-        run: ci/scripts/e2e-oidc.sh keycloak
+        run: ci/scripts/netbird/e2e-oidc.sh keycloak
 
       - name: Show debug info on failure
         if: failure()
@@ -242,9 +281,10 @@ jobs:
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
   e2e-oidc-zitadel:
-    name: E2E — OIDC (Zitadel)
+    name: "E2E — NetBird: OIDC (Zitadel)"
     runs-on: ubuntu-latest
-    needs: lint-and-unit-test
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -260,7 +300,7 @@ jobs:
           cluster_name: helms-e2e
 
       - name: Run e2e test (oidc-zitadel)
-        run: ci/scripts/e2e-oidc.sh zitadel
+        run: ci/scripts/netbird/e2e-oidc.sh zitadel
 
       - name: Show debug info on failure
         if: failure()
@@ -277,3 +317,104 @@ jobs:
           kubectl -n netbird-e2e logs deployment/zitadel-db --tail=50 || true
           echo "=== Events ==="
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
+
+  # ── Keycloak E2E tests (only when keycloak chart or CI config changes) ─
+  e2e-keycloak-dev:
+    name: "E2E — Keycloak: Dev"
+    runs-on: ubuntu-latest
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.keycloak == 'true' || needs.detect-changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: helms-e2e
+
+      - name: Run e2e test (keycloak dev)
+        run: ci/scripts/keycloak/e2e.sh dev
+
+      - name: Show debug info on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl -n keycloak-e2e get pods -o wide || true
+          echo "=== Keycloak logs ==="
+          kubectl -n keycloak-e2e logs deployment/keycloak-e2e --tail=100 || true
+          echo "=== Events ==="
+          kubectl -n keycloak-e2e get events --sort-by='.lastTimestamp' || true
+
+  e2e-keycloak-postgres:
+    name: "E2E — Keycloak: PostgreSQL"
+    runs-on: ubuntu-latest
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.keycloak == 'true' || needs.detect-changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: helms-e2e
+
+      - name: Run e2e test (keycloak postgres)
+        run: ci/scripts/keycloak/e2e.sh postgres
+
+      - name: Show debug info on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl -n keycloak-e2e get pods -o wide || true
+          echo "=== Keycloak logs ==="
+          kubectl -n keycloak-e2e logs deployment/keycloak-e2e --tail=100 || true
+          echo "=== PostgreSQL logs ==="
+          kubectl -n keycloak-e2e logs deployment/postgres --tail=50 || true
+          echo "=== Events ==="
+          kubectl -n keycloak-e2e get events --sort-by='.lastTimestamp' || true
+
+  e2e-keycloak-replicas:
+    name: "E2E — Keycloak: Replicas"
+    runs-on: ubuntu-latest
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.keycloak == 'true' || needs.detect-changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: helms-e2e
+
+      - name: Run e2e test (keycloak replicas)
+        run: ci/scripts/keycloak/e2e.sh replicas
+
+      - name: Show debug info on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl -n keycloak-e2e get pods -o wide || true
+          echo "=== Keycloak logs ==="
+          kubectl -n keycloak-e2e logs deployment/keycloak-e2e --tail=100 || true
+          echo "=== PostgreSQL logs ==="
+          kubectl -n keycloak-e2e logs deployment/postgres --tail=50 || true
+          echo "=== Events ==="
+          kubectl -n keycloak-e2e get events --sort-by='.lastTimestamp' || true

.upstream-monitor.yaml

@@ -29,3 +29,15 @@ charts:
         targets:
           - file: Chart.yaml
             yaml_path: .appVersion
+
+  - name: keycloak
+    path: charts/keycloak
+    sources:
+      - name: keycloak
+        github: keycloak/keycloak
+        strip_v_prefix: false
+        targets:
+          - file: Chart.yaml
+            yaml_path: .appVersion
+          - file: Chart.yaml
+            yaml_path: .version

Makefile

@@ -1,4 +1,4 @@
-.PHONY: lint unittest e2e e2e-sqlite e2e-postgres e2e-mysql e2e-oidc-keycloak e2e-oidc-zitadel e2e-setup e2e-teardown test compat-matrix
+.PHONY: lint unittest e2e e2e-netbird e2e-sqlite e2e-postgres e2e-mysql e2e-oidc-keycloak e2e-oidc-zitadel e2e-keycloak e2e-keycloak-dev e2e-keycloak-postgres e2e-keycloak-replicas e2e-setup e2e-teardown test compat-matrix
 
 CHARTS := $(wildcard charts/*)
 
@@ -26,34 +26,53 @@ e2e-setup:
 	kind create cluster --name $(E2E_CLUSTER) --wait 60s 2>/dev/null || true
 	kubectl cluster-info --context kind-$(E2E_CLUSTER)
 
+# ── NetBird E2E ─────────────────────────────────────────────────────────
 e2e-sqlite: e2e-setup
-	ci/scripts/e2e.sh sqlite
+	ci/scripts/netbird/e2e.sh sqlite
 
 e2e-postgres: e2e-setup
-	ci/scripts/e2e.sh postgres
+	ci/scripts/netbird/e2e.sh postgres
 
 e2e-mysql: e2e-setup
-	ci/scripts/e2e.sh mysql
+	ci/scripts/netbird/e2e.sh mysql
 
 e2e-oidc-keycloak: e2e-setup
-	ci/scripts/e2e-oidc.sh keycloak
+	ci/scripts/netbird/e2e-oidc.sh keycloak
 
 e2e-oidc-zitadel: e2e-setup
-	ci/scripts/e2e-oidc.sh zitadel
+	ci/scripts/netbird/e2e-oidc.sh zitadel
 
-e2e: e2e-setup
-	ci/scripts/e2e.sh sqlite
-	ci/scripts/e2e.sh postgres
-	ci/scripts/e2e.sh mysql
-	ci/scripts/e2e-oidc.sh keycloak
-	ci/scripts/e2e-oidc.sh zitadel
+e2e-netbird: e2e-setup
+	ci/scripts/netbird/e2e.sh sqlite
+	ci/scripts/netbird/e2e.sh postgres
+	ci/scripts/netbird/e2e.sh mysql
+	ci/scripts/netbird/e2e-oidc.sh keycloak
+	ci/scripts/netbird/e2e-oidc.sh zitadel
+
+# ── Keycloak E2E ────────────────────────────────────────────────────────
+e2e-keycloak-dev: e2e-setup
+	ci/scripts/keycloak/e2e.sh dev
+
+e2e-keycloak-postgres: e2e-setup
+	ci/scripts/keycloak/e2e.sh postgres
+
+e2e-keycloak-replicas: e2e-setup
+	ci/scripts/keycloak/e2e.sh replicas
+
+e2e-keycloak: e2e-setup
+	ci/scripts/keycloak/e2e.sh dev
+	ci/scripts/keycloak/e2e.sh postgres
+	ci/scripts/keycloak/e2e.sh replicas
+
+# ── All E2E ─────────────────────────────────────────────────────────────
+e2e: e2e-netbird e2e-keycloak
 
 e2e-teardown:
 	kind delete cluster --name $(E2E_CLUSTER) 2>/dev/null || true
 
 # ── Compatibility Matrix ──────────────────────────────────────────────
 compat-matrix: e2e-setup
-	ci/scripts/compat-matrix.sh
+	ci/scripts/netbird/compat-matrix.sh
 
 # ── Run all tests ──────────────────────────────────────────────────────
 test: lint unittest

charts/keycloak/.helmignore

@@ -0,0 +1,5 @@
+# Patterns to ignore when building packages.
+docs/
+tests/
+ci/
+README.md