chore: replace bitnami/keycloak with custom template

Author: vincentchalamon

compose.e2e.yaml

@@ -1,12 +1,10 @@
 services:
   keycloak:
+    command: start-dev --import-realm
     environment:
-      KEYCLOAK_ENABLE_HTTPS: "true"
-      KEYCLOAK_HTTPS_USE_PEM: "true"
-      KEYCLOAK_HTTPS_CERTIFICATE_FILE: /opt/bitnami/keycloak/certs/tls.crt
-      KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: /opt/bitnami/keycloak/certs/tls.key
-      KEYCLOAK_EXTRA_ARGS: "--import-realm"
+      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/tls.crt
+      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/tls.key
     volumes:
-      - ./helm/api-platform/keycloak/certs/tls.crt:/opt/bitnami/keycloak/certs/tls.crt:ro
-      - ./helm/api-platform/keycloak/certs/tls.pem:/opt/bitnami/keycloak/certs/tls.key:ro
-      - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
+      - ./helm/api-platform/keycloak/certs/tls.crt:/opt/keycloak/certs/tls.crt:ro
+      - ./helm/api-platform/keycloak/certs/tls.pem:/opt/keycloak/certs/tls.key:ro
+      - ./helm/api-platform/keycloak/config:/opt/keycloak/data/import

compose.override.yaml

@@ -57,8 +57,7 @@ services:
     build:
       context: ./helm/api-platform/keycloak/
       target: keycloak
-    environment:
-      KEYCLOAK_EXTRA_ARGS: "--import-realm"
+    command: start-dev --import-realm
     volumes:
-      - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/bitnami/keycloak/themes/api-platform-demo
-      - ./helm/api-platform/keycloak/config:/opt/bitnami/keycloak/data/import
+      - ./helm/api-platform/keycloak/themes/api-platform-demo:/opt/keycloak/themes/api-platform-demo
+      - ./helm/api-platform/keycloak/config:/opt/keycloak/data/import

compose.prod.yaml

@@ -43,5 +43,5 @@ services:
       context: ./helm/api-platform/keycloak/
       target: keycloak
     environment:
-      KEYCLOAK_PRODUCTION: "true"
+      KC_PRODUCTION: "true"
       KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}

compose.yaml

@@ -104,20 +104,20 @@ services:
   keycloak:
     image: app_keycloak
     environment:
-      KEYCLOAK_DATABASE_HOST: keycloak-database
-      KEYCLOAK_DATABASE_NAME: ${KEYCLOAK_POSTGRES_DB:-keycloak}
-      KEYCLOAK_DATABASE_USER: ${KEYCLOAK_POSTGRES_USER:-keycloak}
-      KEYCLOAK_DATABASE_PASSWORD: ${KEYCLOAK_POSTGRES_PASSWORD:-!ChangeMe!}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloak-database:5432/${KEYCLOAK_POSTGRES_DB:-keycloak}
+      KC_DB_USERNAME: ${KEYCLOAK_POSTGRES_USER:-keycloak}
+      KC_DB_PASSWORD: ${KEYCLOAK_POSTGRES_PASSWORD:-!ChangeMe!}
       KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME:-admin}
       KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD:-!ChangeMe!}
-      # Must finish with a trailing slash (https://github.com/bitnami/charts/issues/10885#issuecomment-1414279144)
-      KEYCLOAK_HTTP_RELATIVE_PATH: /oidc/
-      KEYCLOAK_HOSTNAME: https://${SERVER_NAME:-localhost}/oidc/
-      KEYCLOAK_HOSTNAME_ADMIN: https://${SERVER_NAME:-localhost}/oidc/
-      KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: "true"
-    # https://www.keycloak.org/server/all-config#category-health
+      # Must finish with a trailing slash
+      KC_HTTP_RELATIVE_PATH: /oidc/
+      KC_HOSTNAME: https://${SERVER_NAME:-localhost}/oidc/
+      KC_HOSTNAME_ADMIN: https://${SERVER_NAME:-localhost}/oidc/
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
     healthcheck:
-      test: [ "CMD-SHELL", "curl http://127.0.0.1:8080/oidc/health || exit 1"]
+      test: ["CMD-SHELL", "bash -c ':> /dev/tcp/localhost/8080'"]
       start_period: 15s
       interval: 5s
       timeout: 3s

helm/api-platform/Chart.lock

@@ -1,9 +1,6 @@
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami/
-  version: 7.5.6
-- name: keycloak
-  repository: https://charts.bitnami.com/bitnami/
-  version: 21.4.2
-digest: sha256:2eeb31600fc84010057a78979e8f015a3dc5ac27cd6f17e615e6e500668ecebe
-generated: "2025-11-03T15:07:19.08338873+01:00"
+  version: 9.0.3
+digest: sha256:3b0229942127a01c02f151e18b739c39b68e6458c6b865e3a3dd90fcfe198c99
+generated: "2026-02-04T16:01:05.816182082+01:00"

helm/api-platform/Chart.yaml

@@ -26,10 +26,6 @@ appVersion: 4.2.15
 
 dependencies:
   - name: external-dns
-    version: 7.5.6
+    version: 9.0.3
     repository: https://charts.bitnami.com/bitnami/
     condition: external-dns.enabled
-  - name: keycloak
-    version: 21.4.2
-    repository: https://charts.bitnami.com/bitnami/
-    condition: keycloak.enabled

helm/api-platform/keycloak/Dockerfile

@@ -4,16 +4,26 @@
 
 
 # Versions
-FROM docker.io/bitnamilegacy/keycloak:26-debian-12 AS keycloak_upstream
-
+FROM quay.io/keycloak/keycloak:26.4 AS keycloak_upstream
 
 # The different stages of this Dockerfile are meant to be built into separate images
 # https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
 # https://docs.docker.com/compose/compose-file/#target
 
 
+# Builder
+FROM keycloak_upstream AS keycloak_builder
+
+WORKDIR /opt/keycloak
+
+RUN /opt/keycloak/bin/kc.sh build
+
 # Keycloak image
 FROM keycloak_upstream AS keycloak
 
-COPY --link themes/api-platform-demo /opt/bitnami/keycloak/themes/api-platform-demo
-COPY --link providers/owner-policy.jar /opt/bitnami/keycloak/providers/owner-policy.jar
+COPY --from=keycloak_builder /opt/keycloak/ /opt/keycloak/
+
+COPY --link --chown=keycloak:keycloak --chmod=644 themes/api-platform-demo /opt/keycloak/themes/api-platform-demo
+COPY --link --chown=keycloak:keycloak --chmod=644 providers/owner-policy.jar /opt/keycloak/providers/owner-policy.jar
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

helm/api-platform/templates/_helpers.tpl

@@ -54,6 +54,18 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{/*
+Common labels Keycloak
+*/}}
+{{- define "api-platform.labelsKeycloak" -}}
+helm.sh/chart: {{ include "api-platform.chart" . }}
+{{ include "api-platform.selectorLabelsKeycloak" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -72,6 +84,15 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ include "api-platform.name" . }}
 {{- end }}
 
+{{/*
+Selector labels Keycloak
+*/}}
+{{- define "api-platform.selectorLabelsKeycloak" -}}
+app.kubernetes.io/name: {{ include "api-platform.name" . }}-keycloak
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ include "api-platform.name" . }}
+{{- end }}
+
 {{/*
 Selector labels Fixtures
 */}}

helm/api-platform/templates/configmap.yaml

@@ -19,12 +19,22 @@ data:
   next-auth-url: "https://{{ (first .Values.ingress.hosts).host }}/api/auth"
   pwa-client-id: {{ .Values.pwa.oidcClientId | quote }}
   pwa-authorization-client-id: {{ .Values.php.oidcClientId | quote }}
+  {{- if .Values.keycloak.postgresql.enabled }}
+  keycloak-database-url: {{ printf "jdbc:postgresql://%s:%s/%s" .Release.Name .Values.keycloak.postgresql.global.postgresql.auth.database | b64enc | quote }}
+  {{- else }}
+  keycloak-database-url: {{ .Values.keycloak.postgresql.url | b64enc | quote }}
+  {{- end }}
 
 ---
 
+{{- if .Values.keycloak.importRealm.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: keycloak-realm
+  name: {{ include "api-platform.fullname" . }}-keycloak-realm
+  labels:
+    {{- include "api-platform.labelsKeycloak" . | nindent 4 }}
 data:
-{{ (.Files.Glob "keycloak/config/*").AsConfig | indent 2 }}
+  realm.json: |
+    {{ (.Files.Glob .Values.keycloak.importRealm.path).AsConfig | indent 2 }}
+{{- end }}

helm/api-platform/templates/keycloak-deployment.yaml

@@ -0,0 +1,162 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "api-platform.fullname" . }}-keycloak
+  labels:
+    {{- include "api-platform.labelsKeycloak" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "api-platform.selectorLabelsKeycloak" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "api-platform.selectorLabelsKeycloak" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "api-platform.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}-keycloak
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
+          {{- if .Values.keycloak.importRealm.enabled }}
+          args: ['--import-realm']
+          volumeMounts:
+            - name: keycloak-realm
+              mountPath: /opt/keycloak/data/import
+              readOnly: true
+          {{- end }}
+          env:
+            - name: KC_PRODUCTION
+              value: "true"
+            - name: KC_HTTP_RELATIVE_PATH
+              value: "/oidc/"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_DB
+              value: "postgres"
+            - name: KC_DB_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-url
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-username
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-password
+            - name: KC_BOOTSTRAP_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-password
+            {{- if .Values.keycloak.auth.createAdminUser }}
+            - name: KC_BOOTSTRAP_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-admin-username
+            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-admin-password
+            {{- end }}
+            {{- toYaml .Values.keycloak.extraEnvVars | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+            - name: api
+              containerPort: 9000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.keycloak.resources | nindent 12 }}
+        {{- if .Values.keycloak.postgresql.enabled }}
+        - name: {{ .Chart.Name }}-keycloak-postgresql
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.keycloak.postgresql.image.repository }}:{{ .Values.keycloak.postgresql.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.keycloak.postgresql.image.pullPolicy | default "IfNotPresent" }}
+          env:
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-name
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-username
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-platform.fullname" . }}
+                  key: keycloak-database-password
+            {{- toYaml .Values.keycloak.postgresql.extraEnvVars | nindent 12 }}
+          ports:
+            - name: main
+              containerPort: 5432
+              protocol: UDP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: main
+          readinessProbe:
+            httpGet:
+              path: /
+              port: main
+          resources:
+            {{- toYaml .Values.keycloak.postgresql.resources | nindent 12 }}
+        {{- end }}
+      {{- if .Values.keycloak.importRealm.enabled }}
+      volumes:
+        - name: keycloak-realm
+          configMap:
+            name: {{ include "api-platform.fullname" . }}-keycloak-realm
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}