openova/clusters/_template/bootstrap-kit/09-keycloak.yaml
e3mrah a09b0e513e
fix(bootstrap-kit): revert bp-keycloak 1.5.0 → 1.4.1 — Fix #53A keycloak-config-cli incompatibility blocks fresh provisions (#1282)
Fix #53A's chart 1.5.0 introduced sovereignRealm.name parameterization but
the keycloak-config-cli post-install hook fails BackoffLimitExceeded on
fresh installs (omantel re-provision 46bb19cec1854858 hung phase1-watching
30+ min, all bp-* HRs stuck on bp-keycloak dependency).

Per feedback_punish_back_to_zero.md no SSH allowed for diagnosis. Fix #54
flagged this as unverified. Reverting to chart 1.4.1 default-realm-name
(sovereign) until config-cli compatibility is fixed.

Loses Fix #53A's 8 KC realm-name TC unblocks, but unblocks the entire
provision chain. To re-introduce later: ensure keycloak-config-cli realm
import works on first install, not just on subsequent ones.
2026-05-10 14:04:05 +04:00


# bp-keycloak — Catalyst bootstrap-kit Blueprint. User identity. Topology decided by Sovereign CRD spec.keycloakTopology.
#
# Wrapper chart: platform/keycloak/chart/
# Catalyst-curated values: platform/keycloak/chart/values.yaml
# Reconciled by: Flux on the new Sovereign's k3s control plane.
---
apiVersion: v1
kind: Namespace
metadata:
  name: keycloak
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-keycloak
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-keycloak
  namespace: flux-system
spec:
  interval: 15m
  releaseName: keycloak
  targetNamespace: keycloak
  dependsOn:
    - name: bp-cert-manager
    # bp-gateway-api (issue #503): chart ships an HTTPRoute template;
    # gateway.networking.k8s.io/v1 CRDs must be registered first.
    - name: bp-gateway-api
  chart:
    spec:
      chart: bp-keycloak
      # 1.5.0 (qa-loop iter-12 Fix #53A): adds .Values.sovereignRealm.name
      # parameter so each Sovereign owns its KC realm named after the tenant
      # short-name (omantel chroot → "omantel"). Default `sovereign` is kept
      # in the chart for backward compat with overlays not yet migrated.
      #
      # Pinned back to 1.4.1 (#1282): the 1.5.0 keycloak-config-cli
      # post-install hook fails BackoffLimitExceeded on fresh installs and
      # blocks the whole provision chain. Re-bump once the realm import
      # works on first install, not only on subsequent ones.
      version: 1.4.1
      sourceRef:
        kind: HelmRepository
        name: bp-keycloak
        namespace: flux-system
  # Event-driven install: Keycloak DB schema migration + realm import is
  # legitimately multi-minute on first install (PostgreSQL backend +
  # 100+ Liquibase changesets). Helm install completes when manifests
  # apply; downstream dependsOn checks Ready=True independently.
  # Replaces PR #221 spec.timeout: 15m.
  install:
    disableWait: true
    timeout: 15m
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    timeout: 15m
    remediation:
      retries: 3
  # Per-Sovereign overrides — issue #387 + #604 + qa-loop iter-12 Fix #53A:
  # Wire the per-Sovereign hostname into the HTTPRoute template and
  # sovereign realm ConfigMap (catalyst-ui redirect URIs). The HTTPRoute
  # attaches to cilium-gateway/kube-system installed by 01-cilium.yaml.
  #
  # sovereignRealm.name: per `feedback_no_mvp_no_workarounds.md` target-state
  # rule, each Sovereign owns its KC realm named after the tenant short-name.
  # The bootstrap-kit Kustomization's postBuild.substitute supplies
  # SOVEREIGN_REALM_NAME (canonical: first label of SOVEREIGN_FQDN, e.g.
  # `omantel` for omantel.biz). When unset the envsubst rule
  # ${VAR:=default} resolves to "sovereign" — backward-compat with
  # overlays that haven't been migrated.
  values:
    sovereignFQDN: ${SOVEREIGN_FQDN}
    sovereignRealm:
      # Not consumed by chart 1.4.1, which uses the default realm name
      # `sovereign` (#1282); kept in place for the 1.5.0 re-introduction.
      name: ${SOVEREIGN_REALM_NAME:=sovereign}
    gateway:
      host: auth.${SOVEREIGN_FQDN}
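As an added check (example code written for this page, not part of the bootstrap-kit or of Flux), the script below reproduces the `${VAR}` / `${VAR:=default}` substitution rule the values comment relies on, over a constructed excerpt of the values block, so the realm name an overlay will end up with can be verified offline with and without SOVEREIGN_REALM_NAME set. The helper names (`unresolved`, `render_values`, `rendered_realm_name`, `canonical_realm_name`) and the policy of refusing to render while an undefaulted variable is unset are this example's own assumptions, not documented Flux behaviour.

```python
import re

# Constructed excerpt of the values block from 09-keycloak.yaml (not the full manifest).
VALUES_TEMPLATE = """\
values:
  sovereignFQDN: ${SOVEREIGN_FQDN}
  sovereignRealm:
    name: ${SOVEREIGN_REALM_NAME:=sovereign}
  gateway:
    host: auth.${SOVEREIGN_FQDN}
"""

# Matches ${VAR} and ${VAR:=default}, the two forms the bootstrap-kit relies on.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::=([^}]*))?\}")


def unresolved(template, variables):
    """Names that are unset (or empty) and carry no := default. Treating these
    as a hard error is this check's policy (assumption), not a Flux guarantee."""
    missing = set()
    for m in _VAR.finditer(template):
        name, default = m.group(1), m.group(2)
        if not variables.get(name) and default is None:
            missing.add(name)
    return sorted(missing)


def substitute(template, variables):
    """Apply the substitution; refuse to render while any variable is unresolved,
    so a missing SOVEREIGN_FQDN is caught before the manifest reaches the cluster."""
    missing = unresolved(template, variables)
    if missing:
        raise KeyError(f"unset substitution variables without default: {missing}")
    # An unset/empty variable falls through to its := default (like ${VAR:=word}).
    return _VAR.sub(lambda m: variables.get(m.group(1)) or m.group(2), template)


def canonical_realm_name(fqdn):
    """Canonical SOVEREIGN_REALM_NAME: first DNS label, e.g. 'omantel' for omantel.biz."""
    return fqdn.split(".", 1)[0]


def render_values(fqdn, realm_name=None):
    """Render the excerpt as the bootstrap-kit Kustomization would: FQDN always
    supplied, realm name only when the overlay has been migrated."""
    variables = {"SOVEREIGN_FQDN": fqdn}
    if realm_name is not None:
        variables["SOVEREIGN_REALM_NAME"] = realm_name
    return substitute(VALUES_TEMPLATE, variables)


def rendered_realm_name(rendered):
    """Pull sovereignRealm.name back out of the rendered text."""
    return re.search(r"^\s+name:\s*(\S+)\s*$", rendered, re.M).group(1)
```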