chore: replace bitnami/keycloak with custom template

Author: vincentchalamon

compose.e2e.yaml

@@ -1,12 +1,10 @@
 services:
   keycloak:
+    command: start-dev --import-realm
     environment:
-      KEYCLOAK_ENABLE_HTTPS: "true"
-      KEYCLOAK_HTTPS_USE_PEM: "true"
-      KEYCLOAK_HTTPS_CERTIFICATE_FILE: /opt/bitnami/keycloak/certs/tls.crt
-      KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: /opt/bitnami/keycloak/certs/tls.key
-      KEYCLOAK_EXTRA_ARGS: "--import-realm"
+      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/tls.crt
+      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/tls.key
     volumes:
-      - ./helm/api-platform/keycloak/certs/tls.crt:/opt/bitnami/keycloak/certs/tls.crt:ro
-      - ./helm/api-platform/keycloak/certs/tls.pem:/opt/bitnami/keycloak/certs/tls.key:ro
-      - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
+      - ./helm/api-platform/keycloak/certs/tls.crt:/opt/keycloak/certs/tls.crt:ro
+      - ./helm/api-platform/keycloak/certs/tls.pem:/opt/keycloak/certs/tls.key:ro
+      - ./helm/api-platform/keycloak/config:/opt/keycloak/data/import

compose.override.yaml

@@ -57,8 +57,7 @@ services:
     build:
       context: ./helm/api-platform/keycloak/
       target: keycloak
-    environment:
-      KEYCLOAK_EXTRA_ARGS: "--import-realm"
+    command: start-dev --import-realm
     volumes:
-      - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/bitnami/keycloak/themes/api-platform-demo
-      - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
+      - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/keycloak/themes/api-platform-demo
+      - ./helm/api-platform/keycloak/config:/opt/keycloak/data/import

compose.prod.yaml

@@ -43,5 +43,5 @@ services:
       context: ./helm/api-platform/keycloak/
       target: keycloak
     environment:
-      KEYCLOAK_PRODUCTION: "true"
+      KC_PRODUCTION: "true"
       KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}

compose.yaml

@@ -104,17 +104,18 @@ services:
   keycloak:
     image: app_keycloak
     environment:
-      KEYCLOAK_DATABASE_HOST: keycloak-database
-      KEYCLOAK_DATABASE_NAME: ${KEYCLOAK_POSTGRES_DB:-keycloak}
-      KEYCLOAK_DATABASE_USER: ${KEYCLOAK_POSTGRES_USER:-keycloak}
-      KEYCLOAK_DATABASE_PASSWORD: ${KEYCLOAK_POSTGRES_PASSWORD:-!ChangeMe!}
+      KC_DB_URL: keycloak-database
+      KC_DB: ${KEYCLOAK_POSTGRES_DB:-keycloak}
+      KC_DB_USERNAME: ${KEYCLOAK_POSTGRES_USER:-keycloak}
+      KC_DB_PASSWORD: ${KEYCLOAK_POSTGRES_PASSWORD:-!ChangeMe!}
       KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME:-admin}
       KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD:-!ChangeMe!}
-      # Must finish with a trailing slash (https://github.com/bitnami/charts/issues/10885#issuecomment-1414279144)
-      KEYCLOAK_HTTP_RELATIVE_PATH: /oidc/
-      KEYCLOAK_HOSTNAME: https://${SERVER_NAME:-localhost}/oidc/
-      KEYCLOAK_HOSTNAME_ADMIN: https://${SERVER_NAME:-localhost}/oidc/
-      KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: "true"
+      # Must finish with a trailing slash
+      KC_HTTP_RELATIVE_PATH: /oidc/
+      KC_HOSTNAME: https://${SERVER_NAME:-localhost}/oidc/
+      KC_HOSTNAME_ADMIN: https://${SERVER_NAME:-localhost}/oidc/
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
     # https://www.keycloak.org/server/all-config#category-health
     healthcheck:
       test: [ "CMD-SHELL", "curl http://127.0.0.1:8080/oidc/health || exit 1"]

helm/api-platform/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami/
   version: 7.5.6
-- name: keycloak
-  repository: https://charts.bitnami.com/bitnami/
-  version: 21.4.2
-digest: sha256:2eeb31600fc84010057a78979e8f015a3dc5ac27cd6f17e615e6e500668ecebe
-generated: "2025-11-03T15:07:19.08338873+01:00"
+digest: sha256:1b0ed6d57df24428dfcbae42030351c6a7f64c7c828ecefa81a73fc2f8cbb82b
+generated: "2025-11-03T15:52:10.914118585+01:00"

helm/api-platform/Chart.yaml

@@ -29,7 +29,3 @@ dependencies:
     version: 7.5.6
     repository: https://charts.bitnami.com/bitnami/
     condition: external-dns.enabled
-  - name: keycloak
-    version: 21.4.2
-    repository: https://charts.bitnami.com/bitnami/
-    condition: keycloak.enabled

helm/api-platform/keycloak/Dockerfile

@@ -4,16 +4,26 @@
 
 
 # Versions
-FROM docker.io/bitnamilegacy/keycloak:26-debian-12 AS keycloak_upstream
-
+FROM quay.io/keycloak/keycloak:26.4 AS keycloak_upstream
 
 # The different stages of this Dockerfile are meant to be built into separate images
 # https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
 # https://docs.docker.com/compose/compose-file/#target
 
 
+# Builder
+FROM keycloak_upstream AS keycloak_builder
+
+WORKDIR /opt/keycloak
+
+RUN /opt/keycloak/bin/kc.sh build
+
 # Keycloak image
 FROM keycloak_upstream AS keycloak
 
-COPY --link themes/api-platform-demo /opt/bitnami/keycloak/themes/api-platform-demo
-COPY --link providers/owner-policy.jar /opt/bitnami/keycloak/providers/owner-policy.jar
+COPY --from=keycloak_builder /opt/keycloak/ /opt/keycloak/
+
+COPY --link --chown=keycloak:keycloak --chmod=644 themes/api-platform-demo /opt/keycloak/themes/api-platform-demo
+COPY --link --chown=keycloak:keycloak --chmod=644 providers/owner-policy.jar /opt/keycloak/providers/owner-policy.jar
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

helm/api-platform/templates/_helpers.tpl

@@ -54,6 +54,18 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{/*
+Common labels Keycloak
+*/}}
+{{- define "api-platform.labelsKeycloak" -}}
+helm.sh/chart: {{ include "api-platform.chart" . }}
+{{ include "api-platform.selectorLabelsKeycloak" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -72,6 +84,15 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ include "api-platform.name" . }}
 {{- end }}
 
+{{/*
+Selector labels Keycloak
+*/}}
+{{- define "api-platform.selectorLabelsKeycloak" -}}
+app.kubernetes.io/name: {{ include "api-platform.name" . }}-keycloak
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ include "api-platform.name" . }}
+{{- end }}
+
 {{/*
 Selector labels Fixtures
 */}}

helm/api-platform/templates/keycloak-deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "api-platform.fullname" . }}-keycloak
+  labels:
+    {{- include "api-platform.labelsKeycloak" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "api-platform.selectorLabelsKeycloak" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "api-platform.selectorLabelsKeycloak" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "api-platform.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}-keycloak
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
+          env:
+            - name: KC_PRODUCTION
+              value: true
+            {{- toYaml .Values.extraEnvVars | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.keycloak.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

helm/api-platform/values.yaml

@@ -89,7 +89,6 @@ postgresql:
         memory: 50Mi
         cpu: 1m
 
-# Full configuration: https://github.com/bitnami/charts/tree/master/bitnami/keycloak
 keycloak:
   enabled: true
   image:
@@ -107,15 +106,13 @@ keycloak:
   service:
     type: ClusterIP
   extraEnvVars:
-    # Must set KEYCLOAK_HOSTNAME to force https + relative path
-    - name: KEYCLOAK_HOSTNAME
+    # Must set KC_HOSTNAME to force https + relative path
+    - name: KC_HOSTNAME
       value: "https://chart-example.local/oidc/"
-    # Must set KEYCLOAK_HOSTNAME_ADMIN because of relative path
-    - name: KEYCLOAK_HOSTNAME_ADMIN
+    # Must set KC_HOSTNAME_ADMIN because of relative path
+    - name: KC_HOSTNAME_ADMIN
       value: "https://chart-example.local/oidc/"
-    - name: KEYCLOAK_PRODUCTION
-      value: "true"
-  # must finish with a trailing slash (https://github.com/bitnami/charts/issues/10885#issuecomment-1414279144)
+  # must finish with a trailing slash
   httpRelativePath: /oidc/
   proxy: edge
   tls:
@@ -130,7 +127,6 @@ keycloak:
   keycloakConfigCli:
     enabled: true
     existingConfigmap: "keycloak-realm"
-    # https://github.com/bitnami/charts/issues/14279
     command:
       - java
       - -jar