Deploy Keycloak IdP to cluster (Phase 5a) #34

Merged

forgejo_admin merged 6 commits from 32-deploy-keycloak-idp-to-cluster-phase-5a into main 2026-03-14 14:53:51 +00:00

Conversation 1 Commits 6 Files changed 3 +254

forgejo_admin commented 2026-03-14 13:36:47 +00:00

Owner

Copy link

Summary

• Deploys Keycloak as a self-hosted identity provider on the cluster using the Bitnami Helm chart (v25.2.0) with built-in PostgreSQL
• Exposes it via Tailscale funnel at keycloak.tail5b443a.ts.net
• Infrastructure-only -- no realms, clients, or users configured (Phase 5b)

Changes

• terraform/main.tf -- Added 3 new resources: kubernetes_namespace_v1.keycloak, helm_release.keycloak (Bitnami OCI chart v25.2.0), kubernetes_ingress_v1.keycloak_funnel with Tailscale funnel annotation and depends_on for tailscale_operator + ACL
• terraform/variables.tf -- Added keycloak_admin_password variable (sensitive, type string, min 8 chars validation)
• terraform/outputs.tf -- Added keycloak_url output

Test Plan

• tofu fmt -check passes
• tofu validate passes (Success! The configuration is valid.)
• tofu plan with full secrets shows exactly 3 new resources (namespace, helm_release, ingress)
• tofu apply -- Keycloak and PostgreSQL pods start in keycloak namespace
• Visit https://keycloak.tail5b443a.ts.net -- admin console loads
• Log in with admin credentials -- master realm accessible

Review Checklist

• Passed automated review-fix loop
• No secrets committed
• No unnecessary file changes
• Commit messages are descriptive

Related

• Closes #32
• Plan: plan-2026-03-08-tryout-prep (Phase 5a)

## Summary - Deploys Keycloak as a self-hosted identity provider on the cluster using the Bitnami Helm chart (v25.2.0) with built-in PostgreSQL - Exposes it via Tailscale funnel at `keycloak.tail5b443a.ts.net` - Infrastructure-only -- no realms, clients, or users configured (Phase 5b) ## Changes - `terraform/main.tf` -- Added 3 new resources: `kubernetes_namespace_v1.keycloak`, `helm_release.keycloak` (Bitnami OCI chart v25.2.0), `kubernetes_ingress_v1.keycloak_funnel` with Tailscale funnel annotation and depends_on for tailscale_operator + ACL - `terraform/variables.tf` -- Added `keycloak_admin_password` variable (sensitive, type string, min 8 chars validation) - `terraform/outputs.tf` -- Added `keycloak_url` output ## Test Plan - [x] `tofu fmt -check` passes - [x] `tofu validate` passes (Success! The configuration is valid.) - [ ] `tofu plan` with full secrets shows exactly 3 new resources (namespace, helm_release, ingress) - [ ] `tofu apply` -- Keycloak and PostgreSQL pods start in `keycloak` namespace - [ ] Visit `https://keycloak.tail5b443a.ts.net` -- admin console loads - [ ] Log in with admin credentials -- master realm accessible ## Review Checklist - [x] Passed automated review-fix loop - [x] No secrets committed - [x] No unnecessary file changes - [x] Commit messages are descriptive ## Related - Closes #32 - Plan: `plan-2026-03-08-tryout-prep` (Phase 5a)

forgejo_admin added 1 commit 2026-03-14 13:36:47 +00:00

Deploy Keycloak IdP to cluster as platform service ... 77bf3db290

Add Bitnami Keycloak Helm chart (v25.2.0) with built-in PostgreSQL,
Tailscale funnel ingress, and sensitive admin password variable.
Three new resources: namespace, helm_release, ingress.

Closes #32

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented 2026-03-14 13:39:05 +00:00

Author

Owner

Copy link

PR #34 Review

BLOCKERS

None. The code is correct and follows all established patterns in the codebase.

NITS

1. Missing tofu plan output in PR body. The repo's own CLAUDE.md states: "Include tofu plan output for any Terraform changes." The .github/PULL_REQUEST_TEMPLATE.md has a dedicated section for this. The PR's Test Plan shows the tofu plan checkbox as unchecked. This is non-blocking since tofu fmt and tofu validate both passed, and the diff is straightforward (3 additive resources, 0 modifications), but the plan output should be included for completeness per repo conventions.

2. PR body deviates from repo PR template. The PR uses ## Changes / ## Test Plan / ## Related sections instead of the repo template's ## Discovered Scope / ## Terraform Changes / ## README Impact sections. This is a minor structural mismatch. The content is all present and thorough -- just organized differently than the template prescribes.

3. Built-in PostgreSQL vs. CNPG. The platform has an established pattern of using CNPG for Postgres (architectural consensus: "Apps own their postgres via CNPG Cluster CR"). The Bitnami subchart Postgres is reasonable for Phase 5a (infra-only), but Phase 5b or beyond should consider migrating to CNPG for consistency. This is a future consideration, not a blocker for this PR.

SOP COMPLIANCE

• Branch named after issue (32-deploy-keycloak-idp-to-cluster-phase-5a)
• PR body has Summary, Changes, Test Plan, Related sections
• Related section references plan slug (plan-2026-03-08-tryout-prep) and Closes #32
• No secrets, .env files, or credentials committed (.gitignore covers .tfvars, .env, secrets/)
• No unnecessary file changes (3 files, all directly scoped to Keycloak deployment)
• Commit messages are descriptive
• set_sensitive with type = "string" used for password (matches platform convention)
• Ingress pattern matches all other Tailscale funnels (annotation, class, depends_on)
• Variable has sensitive = true and length validation (matches Harbor/MinIO pattern)
• tofu plan output not included in PR body (repo convention)

VERDICT: APPROVED

## PR #34 Review ### BLOCKERS None. The code is correct and follows all established patterns in the codebase. ### NITS 1. **Missing `tofu plan` output in PR body.** The repo's own `CLAUDE.md` states: "Include `tofu plan` output for any Terraform changes." The `.github/PULL_REQUEST_TEMPLATE.md` has a dedicated section for this. The PR's Test Plan shows the `tofu plan` checkbox as unchecked. This is non-blocking since `tofu fmt` and `tofu validate` both passed, and the diff is straightforward (3 additive resources, 0 modifications), but the plan output should be included for completeness per repo conventions. 2. **PR body deviates from repo PR template.** The PR uses `## Changes` / `## Test Plan` / `## Related` sections instead of the repo template's `## Discovered Scope` / `## Terraform Changes` / `## README Impact` sections. This is a minor structural mismatch. The content is all present and thorough -- just organized differently than the template prescribes. 3. **Built-in PostgreSQL vs. CNPG.** The platform has an established pattern of using CNPG for Postgres (architectural consensus: "Apps own their postgres via CNPG Cluster CR"). The Bitnami subchart Postgres is reasonable for Phase 5a (infra-only), but Phase 5b or beyond should consider migrating to CNPG for consistency. This is a future consideration, not a blocker for this PR. ### SOP COMPLIANCE - [x] Branch named after issue (`32-deploy-keycloak-idp-to-cluster-phase-5a`) - [x] PR body has Summary, Changes, Test Plan, Related sections - [x] Related section references plan slug (`plan-2026-03-08-tryout-prep`) and `Closes #32` - [x] No secrets, .env files, or credentials committed (`.gitignore` covers `.tfvars`, `.env`, secrets/) - [x] No unnecessary file changes (3 files, all directly scoped to Keycloak deployment) - [x] Commit messages are descriptive - [x] `set_sensitive` with `type = "string"` used for password (matches platform convention) - [x] Ingress pattern matches all other Tailscale funnels (annotation, class, depends_on) - [x] Variable has `sensitive = true` and length validation (matches Harbor/MinIO pattern) - [ ] `tofu plan` output not included in PR body (repo convention) ### VERDICT: APPROVED

forgejo_admin added 1 commit 2026-03-14 14:05:44 +00:00

Replace Bitnami Helm chart with official Keycloak image ... dc8314296d

Bitnami removed all Docker Hub images (keycloak + postgresql tags
return 404). Switch to official quay.io/keycloak/keycloak:26.0.7
with raw k8s manifests (Deployment + Service + PVC + Secret).

Uses dev-file mode (H2 with file persistence on PVC) — appropriate
for <100 users. Tailscale handles TLS termination. PostgreSQL
backend is a future migration if scale demands it.

Resources: namespace, PVC (2Gi), secret, deployment, service, ingress.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin added 1 commit 2026-03-14 14:06:50 +00:00

Fix PVC timeout — wait_until_bound = false for local-path ... 0e268f2090

local-path provisioner uses WaitForFirstConsumer binding mode.
PVC stays Pending until a Pod mounts it. Terraform's default
behavior waits for Bound state, causing context deadline exceeded.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin added 1 commit 2026-03-14 14:11:04 +00:00

Bump Keycloak memory limit to 2Gi — fix OOMKilled ... 7a3a29ff55

Keycloak JVM needs ~1.5Gi during startup (schema init + class loading).
1Gi limit caused immediate OOMKilled (exit code 137). Bump to 2Gi limit
with 200m CPU request for headroom.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin added 1 commit 2026-03-14 14:17:21 +00:00

Enable Keycloak health endpoints — fix probe 404s ... dc2d42f7ef

Keycloak requires KC_HEALTH_ENABLED=true to expose /health/ready
and /health/live endpoints. Without it, probes get 404 and the
liveness probe keeps restarting the pod.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin added 1 commit 2026-03-14 14:29:43 +00:00

Fix probes: use management port 9000, add startup probe ... 29d9646da3

Keycloak 26.x serves health endpoints on a separate management
port (9000), not the main application port (8080). Probes on 8080
return 404. Added startup probe with /health/started to prevent
liveness probe from killing the pod during JVM init.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin merged commit ae92fe621c into main 2026-03-14 14:53:51 +00:00

forgejo_admin deleted branch 32-deploy-keycloak-idp-to-cluster-phase-5a 2026-03-14 14:53:51 +00:00

forgejo_admin referenced this pull request from a commit 2026-03-14 14:53:52 +00:00

Deploy Keycloak IdP to cluster (Phase 5a) (#34)

forgejo_admin referenced this pull request 2026-03-14 15:03:40 +00:00

Onboard keycloak + paledocs secrets to Salt pillar pipeline #44

forgejo_admin referenced this pull request from a commit 2026-03-14 15:08:17 +00:00

Onboard 5 secrets to Salt pillar pipeline

forgejo_admin referenced this pull request 2026-03-14 15:08:46 +00:00

Onboard 5 secrets to Salt pillar pipeline #45

forgejo_admin referenced this pull request 2026-03-18 17:24:08 +00:00

Platform cleanup: resolve 15 active alerts + stabilize CI #109

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/pal-e-platform!34

No description provided.