2 changes: 2 additions & 0 deletions .github/actions/collect_diagnostics/action.yaml
Expand Up @@ -11,6 +11,7 @@ runs:
run: |
mkdir -p kind-diagnostics
kubectl get pods -o wide -A > kind-diagnostics/pods-list.txt
kubectl get all -A > kind-diagnostics/kubectl-get-all.txt
kubectl describe pods -A > kind-diagnostics/pods-describe.txt
mage logutils:collectArgoDiags > kind-diagnostics/argo-diag.txt
kubectl get applications -o yaml -A > kind-diagnostics/argocd-applications.yaml
Expand All @@ -23,6 +24,7 @@ runs:
name: kind-diagnostics
path: |
kind-diagnostics/pods-list.txt
kind-diagnostics/kubectl-get-all.txt
kind-diagnostics/pods-describe.txt
kind-diagnostics/argo-diag.txt
kind-diagnostics/argocd-applications.yaml
2 changes: 1 addition & 1 deletion .github/workflows/virtual-integration.yml
Expand Up @@ -758,7 +758,7 @@ jobs:
REQUESTS_CA_BUNDLE: /usr/local/share/ca-certificates/orch-ca.crt
LIBVIRT_DEFAULT_URI: 'qemu:///system'
run: |
KC_ADMIN_PWD=$(kubectl -n orch-platform get secrets platform-keycloak -o jsonpath='{.data.admin-password}' | base64 -d)
KC_ADMIN_PWD=$(kubectl -n keycloak-system get secrets platform-keycloak -o jsonpath='{.data.password}' | base64 -d)
# Add the password to the orchestrator config
yq eval ".orchestrator.admin_password = \"${KC_ADMIN_PWD}\"" -i orchestrator-configs/on-prem.yaml

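Review bot: On the `KC_ADMIN_PWD=` line the decoded password is spliced into the yq expression via shell double-quote interpolation, so a value containing `"`, `\` or `$` corrupts the expression or the written YAML, and because the pipe into `base64 -d` hides a failed kubectl the step would write an empty admin_password instead of failing. Pass the value through the environment and check it first: `echo "::add-mask::$KC_ADMIN_PWD"`, `[ -n "$KC_ADMIN_PWD" ] || { echo "platform-keycloak password not found" >&2; exit 1; }`, `KC_ADMIN_PWD="$KC_ADMIN_PWD" yq eval '.orchestrator.admin_password = strenv(KC_ADMIN_PWD)' -i orchestrator-configs/on-prem.yaml`. The mask matters because this value is read from the cluster at runtime rather than from a repository secret, so the runner does not redact it from later output. The step body continues outside the hunk.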
4 changes: 2 additions & 2 deletions argocd/applications/configs/app-deployment-manager.yaml
Expand Up @@ -5,7 +5,7 @@
adm:
resources: null
catalogService: app-orch-catalog-grpc-server:8080
keycloakServerEndpoint: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakServerEndpoint: "http://platform-keycloak.keycloak-system.svc.cluster.local"
secretService:
enabled: true
endpoint: "http://vault.orch-platform.svc.cluster.local:8200"
Expand All @@ -31,7 +31,7 @@ adm:

openidc:
# -- the endpoint of a Keycloak Realm e.g. http://keycloak/realms/master
issuer: "http://platform-keycloak.orch-platform.svc/realms/master"
issuer: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
insecureSkipVerify: false

gitea:
Expand Up @@ -8,5 +8,5 @@ interconnect_manager:
create: false
name: orch-svc
vaultServer: "http://vault.orch-platform.svc.cluster.local:8200"
keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakServer: "http://platform-keycloak.keycloak-system.svc.cluster.local"
resources: null
2 changes: 1 addition & 1 deletion argocd/applications/configs/app-orch-catalog.yaml
Expand Up @@ -14,7 +14,7 @@ traefikReverseProxy:
enabled: true
secretName: tls-orch ## must be created in orch-gateway namespace
openidc:
issuer: http://platform-keycloak.orch-platform.svc/realms/master
issuer: http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master
storage:
size: 1Gi
postgres:
Expand Up @@ -8,7 +8,7 @@ configProvisioner:
admServer: app-deployment-api-grpc-server.orch-app.svc.cluster.local:8080
namespace: orch-app
vaultServer: "http://vault.orch-platform.svc.cluster.local:8200"
keycloakServiceBase: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakServiceBase: "http://platform-keycloak.keycloak-system.svc.cluster.local"
releaseServiceBase: "rs-proxy.orch-platform.svc.cluster.local:8081"
releaseServiceProxyRootUrl: "oci://rs-proxy.orch-platform.svc.cluster.local:8443"
manifestPath: "/edge-orch/en/file/cluster-extension-manifest"
2 changes: 1 addition & 1 deletion argocd/applications/configs/app-resource-manager.yaml
Expand Up @@ -19,5 +19,5 @@ traefikApiGroup: "traefik.io/v1alpha1"
resources: null
vncProxyResources: null
vaultServer: "http://vault.orch-platform.svc.cluster.local:8200"
keycloakServer: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakServer: "http://platform-keycloak.keycloak-system.svc.cluster.local"
defaultNamespace: "orch-app"
2 changes: 2 additions & 0 deletions argocd/applications/configs/auth-service.yaml
Expand Up @@ -3,3 +3,5 @@
# SPDX-License-Identifier: Apache-2.0

resources: null

jwksURL: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master/protocol/openid-connect/certs"
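Review bot: The new `jwksURL` fetches the key set that anchors JWT verification over plain http from another namespace, so key integrity rests on in-cluster network controls rather than TLS, and nothing in the file records that assumption. Add a comment above the line, e.g. `# JWKS fetched over cluster-internal http; integrity relies on in-cluster network policy, not TLS`, or use the https endpoint if the keycloak-system Service terminates TLS. Because this points straight at the certs endpoint rather than at OIDC discovery, confirm that auth-service is also configured with the matching issuer so the `iss` claim is still checked.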
28 changes: 28 additions & 0 deletions argocd/applications/configs/copy-db-to-keycloak-ns.yaml
@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0

# Sync the Keycloak PostgreSQL database credentials from keycloak-system namespace to orch-platform
# Source: platform-keycloak-local-postgresql secret (created during bootstrap, in deploy.go)
# Target: platform-keycloak-local-postgresql secret (required by keycloak-tenant-controller init container)
# Also this source and target gets updated in customs/platform-keycloak.tpl
# Note: Syncs all PostgreSQL connection environment variables (PGDATABASE, PGHOST, PGPASSWORD, PGPORT, PGUSER)
remoteNamespace: orch-platform
refreshInterval: "0m"
targetSecretName: platform-keycloak-aurora-postgresql
sourceSecretName: platform-keycloak-aurora-postgresql
keyName:
- source: PGDATABASE
target: PGDATABASE
- source: PGHOST
target: PGHOST
- source: PGPASSWORD
target: PGPASSWORD
- source: PGPORT
target: PGPORT
- source: PGUSER
target: PGUSER
- source: password
target: password

externalSecretsApiGroup: external-secrets.io/v1
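Review bot: The header comment contradicts the values beneath it: it describes a sync from keycloak-system to orch-platform using `platform-keycloak-local-postgresql`, while `remoteNamespace: orch-platform` (the source namespace, if it has the same meaning as in the admin-credential sync that follows) and the filename point the other way and both secret names are `platform-keycloak-aurora-postgresql`; the trailing note also omits the `password` key that the list includes. Rewrite the header to match the data, e.g. `# Sync the Keycloak PostgreSQL credentials (platform-keycloak-aurora-postgresql) from orch-platform into keycloak-system` and `# Keys: PGDATABASE, PGHOST, PGPASSWORD, PGPORT, PGUSER, password`. `refreshInterval: "0m"` presumably becomes an ExternalSecret refreshInterval of zero, which syncs once and never again, so a rotated database password in the source namespace would leave a stale copy; state that this is intended or use a non-zero interval — the same applies to the admin-credential sync in the next section. The SecretStore that reads the source namespace is not part of this change; its ServiceAccount should be restricted to this one secret with `resourceNames` rather than get/list on every secret in the namespace.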
@@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0

# Sync the Keycloak bootstrap admin credentials from keycloak-system namespace to orch-platform
# Source: platform-keycloak secret (created during bootstrap, in deploy.go)
# Target: platform-keycloak secret (required by keycloak-tenant-controller init container)
# Note: Maps 'password' key to 'admin-password' for keycloak-tenant-controller compatibility
remoteNamespace: keycloak-system
refreshInterval: "0m"
targetSecretName: platform-keycloak
sourceSecretName: platform-keycloak
keyName:
- source: password
target: admin-password

externalSecretsApiGroup: external-secrets.io/v1
13 changes: 9 additions & 4 deletions argocd/applications/configs/infra-core.yaml
Expand Up @@ -15,7 +15,7 @@ credentials:
serviceAccount:
name: "orch-svc"
params:
keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakUrl: "http://platform-keycloak.keycloak-system.svc.cluster.local"
vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200"
curlImage:
name: badouralix/curl-jq@sha256
Expand All @@ -37,7 +37,7 @@ api:
oidc:
name: "keycloak-api"
oidc_env_name: "OIDC_SERVER_URL"
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY"
oidc_tls_insecure_skip_verify_value: "true"
multiTenancy:
Expand All @@ -64,7 +64,7 @@ apiv2:
oidc:
name: "keycloak-api"
oidc_env_name: "OIDC_SERVER_URL"
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY"
oidc_tls_insecure_skip_verify_value: "true"
resources: null
Expand All @@ -81,6 +81,11 @@ inventory:
tag: 16.10-bookworm
ssl: false
secrets: inventory-local-postgresql
oidc:
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
name: "keycloak-inventory"
oidc_tls_insecure_skip_verify_env_name: "OIDC_TLS_INSECURE_SKIP_VERIFY"
oidc_tls_insecure_skip_verify_value: "true"
resources: null
serviceAccount:
name: "orch-svc"
Expand All @@ -90,7 +95,7 @@ tenant-controller:
inventoryAddress: "inventory.orch-infra.svc.cluster.local:50051"
traceURL: "orchestrator-observability-opentelemetry-collector.orch-platform.svc:4318"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
resources: null
serviceAccount:
name: "orch-svc"
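Review bot: The new `inventory.oidc` block sets `oidc_tls_insecure_skip_verify_value: "true"`, disabling certificate verification for the inventory service's OIDC backend; with the http issuer on the line above it has no effect today, but it stays in force if the issuer is ever switched to https and would then accept any certificate for that endpoint. Prefer `"false"` unless inventory actually needs it, and if it is kept add `# skip-verify is only acceptable while the issuer is cluster-internal http` above the line so the dependency is visible. The block also lists `oidc_server_url` before `name`, unlike the api and apiv2 blocks earlier in the file which put `name` first; reorder for consistency.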
6 changes: 3 additions & 3 deletions argocd/applications/configs/infra-external.yaml
Expand Up @@ -19,7 +19,7 @@ loca-manager:
env:
vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200"
vaultRole: "orch-svc"
keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakUrl: "http://platform-keycloak.keycloak-system.svc.cluster.local"

loca-metadata-manager:
serviceAccount:
Expand Down Expand Up @@ -78,7 +78,7 @@ loca-credentials:
serviceAccount:
name: "orch-svc"
params:
keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakUrl: "http://platform-keycloak.keycloak-system.svc.cluster.local"
vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200"
curlImage:
name: badouralix/curl-jq@sha256
Expand Down Expand Up @@ -131,7 +131,7 @@ amt:
password: ""
env:
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
oidc_tls_insecure_skip_verify_value: "true"
curlImage:
name: badouralix/curl-jq@sha256
10 changes: 5 additions & 5 deletions argocd/applications/configs/infra-managers.yaml
Expand Up @@ -17,7 +17,7 @@ host-manager:
secretName: "tls-orch"
tlsOption: "gateway-tls"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
multiTenancy:
enforceMultiTenancy: "true"
resources: null
Expand All @@ -36,7 +36,7 @@ maintenance-manager:
secretName: "tls-orch"
tlsOption: "gateway-tls"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
telemetryMgrArgs:
enableVal: false # disable telemetry profile validation
multiTenancy:
Expand Down Expand Up @@ -66,7 +66,7 @@ telemetry-manager:
secretName: "tls-orch"
tlsOption: "gateway-tls"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
multiTenancy:
enforceMultiTenancy: "true"
resources: null
Expand All @@ -85,7 +85,7 @@ os-resource-manager:
image:
pullPolicy: IfNotPresent
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc.cluster.local/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
autoProvision:
enabled: false # autoprovisioning disabled by default, can be enabled by enable-autoprovision profile
multiTenancy:
Expand All @@ -104,7 +104,7 @@ attestationstatus-manager:
secretName: "tls-orch"
tlsOption: "gateway-tls"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
multiTenancy:
enforceMultiTenancy: "true"
resources: null
6 changes: 3 additions & 3 deletions argocd/applications/configs/infra-onboarding.yaml
Expand Up @@ -35,14 +35,14 @@ onboarding-manager:
env:
tinkerActionsVersion: "1.19.9"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
# Skip AuthZ for CDN-boots
clients:
bypass:
- cdn-boots
vaultUrl: "http://vault.orch-platform.svc.cluster.local:8200"
vaultRole: "orch-svc"
keycloakUrl: "http://platform-keycloak.orch-platform.svc.cluster.local:8080"
keycloakUrl: "http://platform-keycloak.keycloak-system.svc.cluster.local"
multiTenancy:
enforceMultiTenancy: true
resources: null
Expand All @@ -55,7 +55,7 @@ dkam:
env:
rs_proxy_address: "rs-proxy.orch-platform.svc.cluster.local:8081/"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"
resources: null

infra-config:
2 changes: 1 addition & 1 deletion argocd/applications/configs/intel-infra-provider.yaml
Expand Up @@ -6,7 +6,7 @@ manager:
inventory:
endpoint: "inventory.orch-infra.svc.cluster.local:50051"
oidc:
oidc_server_url: "http://platform-keycloak.orch-platform.svc/realms/master"
oidc_server_url: "http://platform-keycloak.keycloak-system.svc.cluster.local/realms/master"

# https://doc.traefik.io/traefik/migrate/v2-to-v3-details/#kubernetes-crds-api-group-traefikcontainous
traefikApiGroup: "traefik.io/v1alpha1"