2 changes: 1 addition & 1 deletion charts/openhands-secrets/templates/keycloak-realm.yaml
@@ -6,7 +6,7 @@ metadata:
type: Opaque
data:
realm-name: {{ .Values.config.keycloak_realm_name | b64enc | quote }}
server-url: {{ "http://keycloak" | b64enc | quote }}
server-url: {{ "http://openhands-keycloak-http" | b64enc | quote }}
client-id: {{ .Values.config.keycloak_client_id | b64enc | quote }}
client-secret: {{ .Values.config.keycloak_client_secret | b64enc | quote }}
smtp-password: {{ .Values.config.keycloak_smtp_password | b64enc | quote }}
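Review bot: The `server-url` value `http://openhands-keycloak-http` bakes the release name `openhands` into this secret, while support-bundle.yaml in the same change derives the Keycloak name from `{{ .Release.Name }}`. If the charts are installed under another release name, the realm secret would point at a service that does not exist, and the failure would probably only show up when a login is attempted. The same literal appears in `keycloak.url` in charts/openhands/values.yaml and, as a resource name, in replicated/application.yaml. Consider reading it from a value, for example `server-url: {{ .Values.config.keycloak_server_url | default "http://openhands-keycloak-http" | b64enc | quote }}` (the key name is a suggestion, not an existing value), with a comment that it must match the Keycloak service name.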
15 changes: 9 additions & 6 deletions charts/openhands/Chart.lock
@@ -2,9 +2,9 @@ dependencies:
- name: clickhouse
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.2.5
- name: keycloak
repository: oci://registry-1.docker.io/bitnamicharts
version: 24.7.5
- name: keycloakx
repository: https://codecentric.github.io/helm-charts
version: 7.1.9
- name: langfuse
repository: https://langfuse.github.io/langfuse-k8s
version: 1.2.13
@@ -25,6 +25,9 @@ dependencies:
version: 1.9.0
- name: runtime-api
repository: oci://ghcr.io/all-hands-ai/helm-charts
version: 0.1.24
digest: sha256:bca3722cdd4840a4557955ea2b80e38991cc2d0a0211855a791cf98e37410e45
generated: "2026-03-18T00:28:58.972983917-04:00"
version: 0.2.6
- name: automation
repository: oci://ghcr.io/all-hands-ai/helm-charts
version: 0.1.0
digest: sha256:9704eb8e0893624e1ab033871f04966cc9446437d785a89dce7b249de8c05ac0
generated: "2026-04-03T17:26:28.296356-04:00"
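--- a/charts/openhands/Chart.yaml
+++ b/charts/openhands/Chart.yaml
@@ -12,9 +12,10 @@ dependencies:
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 9.2.5
 condition: clickhouse.enabled
-- name: keycloak
-version: 24.7.5
-repository: oci://registry-1.docker.io/bitnamicharts
+- name: keycloakx
+alias: keycloak
+version: 7.1.9
+repository: https://codecentric.github.io/helm-charts
 condition: keycloak.enabled
 - name: langfuse
 repository: https://langfuse.github.io/langfuse-k8s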
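Review bot: The Keycloak dependency now comes from a different publisher and transport (`https://codecentric.github.io/helm-charts` instead of the Bitnami OCI registry), and nothing in this section records how the fetched chart is verified. As far as I know the `digest` in Chart.lock covers the dependency list rather than the chart archive, so pinning `version: 7.1.9` alone does not fix the content that is pulled. If the publisher ships provenance files, building with `helm dependency build --verify` would close that gap; otherwise vendoring the packaged chart is an option. A comment above the entry would also help, e.g. `# keycloakx is aliased to "keycloak" so .Values.keycloak.* and keycloak.enabled keep working`. The dependencies list continues outside the hunk.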
10 changes: 9 additions & 1 deletion charts/openhands/example-values.yaml
@@ -34,10 +34,18 @@ keycloak:
enabled: true
ingress:
enabled: false
hostname: "auth.app.example.com"
annotations: {}
# Value should match your Issuer/ClusterIssuer and uncomment if you're using cert-manager for certificates
# cert-manager.io/cluster-issuer: letsencrypt
rules: []
# - host: auth.app.example.com
# paths:
# - path: /
# pathType: Prefix
tls: []
# - secretName: keycloak-tls
# hosts:
# - auth.app.example.com

postgresql:
enabled: true
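Review bot: The example's ingress block ends with `tls: []`, so a reader who sets `ingress.enabled` to true and uncomments only `rules` could end up publishing the Keycloak login and token endpoints without TLS. A comment above `tls` would make the expectation explicit, e.g. `# Set tls whenever the ingress is enabled; Keycloak credentials and tokens cross this hostname`. The same empty default appears under `keycloak.ingress` in charts/openhands/values.yaml.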
2 changes: 1 addition & 1 deletion charts/openhands/templates/_init-containers.yaml
@@ -30,7 +30,7 @@
done
env:
- name: DATABASES
value: "{{ .Values.keycloak.externalDatabase.database }}{{- if (index .Values "litellm-helm").enabled }} {{ (index .Values "litellm-helm").db.database }}{{- end }}{{- if .Values.langfuse.enabled }} {{ .Values.langfuse.postgresql.auth.database }}{{- end }}"
value: "{{ .Values.keycloak.database.database }}{{- if (index .Values "litellm-helm").enabled }} {{ (index .Values "litellm-helm").db.database }}{{- end }}{{- if .Values.langfuse.enabled }} {{ .Values.langfuse.postgresql.auth.database }}{{- end }}"
{{- include "openhands.env" . | nindent 4 }}
{{- end }}
{{- if .Values.databaseMigrations.migrate }}
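Review bot: `DATABASES` reads `.Values.keycloak.database.database`, so an existing install that overrides `keycloak.externalDatabase.database` would silently fall back to the chart default on upgrade instead of failing. A guard in the template would surface this, e.g. `{{- if .Values.keycloak.externalDatabase }}{{ fail "keycloak.externalDatabase.* moved to keycloak.database.*" }}{{- end }}`. The value is also interpolated into a shell loop whose body starts outside this hunk, so I cannot see how each name is used; it is worth confirming there that the names are quoted.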
4 changes: 2 additions & 2 deletions charts/openhands/templates/troubleshoot/support-bundle.yaml
@@ -75,7 +75,7 @@ spec:
maxAge: 168h
{{- end }}
{{- if .Values.keycloak.enabled }}
# Keycloak logs (Bitnami chart)
# Keycloak logs (KeycloakX chart)
- logs:
name: app/{{ .Release.Name }}-keycloak/logs
namespace: {{ .Release.Namespace }}
@@ -243,7 +243,7 @@ spec:
{{- end }}
{{- if .Values.keycloak.enabled }}
- statefulsetStatus:
name: keycloak
name: {{ .Release.Name }}-keycloak
namespace: {{ .Release.Namespace }}
outcomes:
- fail:
138 changes: 68 additions & 70 deletions charts/openhands/values.yaml
@@ -287,85 +287,83 @@ clickhouse:

keycloak:
enabled: false
url: "http://keycloak"
fullnameOverride: keycloak
replicaCount: 1
production: true
proxyHeaders: forwarded
ingress:
enabled: false
# REQUIRED: Update to a hostname in a DNS domain you own
# hostname: auth.app.example.com
servicePort: 80
tls: true
annotations: {}
# UPDATE: if you use cert-manager, enter your clusterIssuer may not match.
# cert-manager.io/cluster-issuer: letsencrypt-production
ingressClassName: traefik
auth:
adminUser: tmpadmin
existingSecret: keycloak-admin
passwordSecretKey: admin-password
url: "http://openhands-keycloak-http"
replicas: 1

command:
- "/opt/keycloak/bin/kc.sh"
args:
- "start"

image:
repository: quay.io/keycloak/keycloak
tag: "26.5.5"
pullPolicy: IfNotPresent

database:
vendor: postgres
hostname: oh-main-postgresql
port: 5432
database: bitnami_keycloak
existingSecret: postgres-password
existingSecretKey: password

dbchecker:
enabled: true
image:
repository: docker.io/library/busybox
tag: "1.37"

proxy:
enabled: true
mode: xforwarded

http:
relativePath: "/"

service:
type: ClusterIP
httpPort: 80

serviceAccount:
create: true
name: "keycloak-sa"
postgresql:

ingress:
enabled: false
externalDatabase:
host: oh-main-postgresql
database: bitnami_keycloak
existingSecret: postgres-password
existingSecretUserKey: username
existingSecretPasswordKey: password
extraEnvVars:
ingressClassName: traefik
annotations: {}
# UPDATE: if you use cert-manager, enter your clusterIssuer may not match.
# cert-manager.io/cluster-issuer: letsencrypt-production
rules: []
# - host: auth.app.example.com
# paths:
# - path: /
# pathType: Prefix
tls: []
# - secretName: keycloak-tls
# hosts:
# - auth.app.example.com

extraEnv: |
- name: KEYCLOAK_ADMIN
value: tmpadmin
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-admin
key: admin-password
- name: KC_FEATURES
value: token-exchange,admin-fine-grained-authz
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_PROXY_HEADERS
value: "xforwarded"
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI
value: "true"
image:
repository: bitnamilegacy/keycloak
waitForDb:
image: "bitnamilegacy/postgresql:latest"
initContainers:
- name: wait-for-db
# The Bitnami Keycloak subchart renders initContainers through common.tplvalues.render,
# so this template expression is evaluated at deploy time rather than being treated as
# a literal string. This lets us override just the image (e.g. for Replicated proxy)
# without duplicating the entire init container.
image: '{{ .Values.waitForDb.image }}'
command: ['sh', '-c']
args:
- |
echo "Waiting for database \"$KEYCLOAK_DATABASE_NAME\" at $KEYCLOAK_DATABASE_HOST:$KEYCLOAK_DATABASE_PORT..."
until PGPASSWORD=$DB_PASS pg_isready -h "$KEYCLOAK_DATABASE_HOST" -p "$KEYCLOAK_DATABASE_PORT" -U "$DB_USER" -d "$KEYCLOAK_DATABASE_NAME" > /dev/null 2>&1; do
echo "PostgreSQL is unavailable - sleeping 5s"
sleep 5
done
echo "PostgreSQL is ready, checking database exists..."
until PGPASSWORD=$DB_PASS psql -h "$KEYCLOAK_DATABASE_HOST" -p "$KEYCLOAK_DATABASE_PORT" -U "$DB_USER" -d "$KEYCLOAK_DATABASE_NAME" -c "SELECT 1" > /dev/null 2>&1; do
echo "Database \"$KEYCLOAK_DATABASE_NAME\" not ready - sleeping 5s"
sleep 5
done
echo "Database \"$KEYCLOAK_DATABASE_NAME\" is ready!"
envFrom:
- configMapRef:
name: keycloak-env-vars
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: postgres-password
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: postgres-password
key: password
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: postgres-password
key: username

langfuse:
# Enable this if you want to use langfuse for tracing
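Review bot: `KC_HOSTNAME_STRICT` is `"false"` alongside `KC_PROXY_HEADERS: xforwarded` and `KC_HTTP_ENABLED: "true"` in `extraEnv`, which lets Keycloak build issuer and redirect URLs from request headers; that is only safe if every path to the pod goes through a proxy that overwrites `X-Forwarded-*`. Pinning the public name removes that dependency, e.g. `- name: KC_HOSTNAME` with `value: "https://auth.app.example.com"` (the example host used elsewhere in this chart), and dropping the `KC_HOSTNAME_STRICT` entry. Separately, with the image at tag `26.5.5` the `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` pair is, as far as I know, deprecated in favour of `KC_BOOTSTRAP_ADMIN_USERNAME` / `KC_BOOTSTRAP_ADMIN_PASSWORD`, and `tmpadmin` reads like a bootstrap account that should be removed after first login; a comment saying so would help. The rendered section does not mark added and removed lines, so this assumes these entries are on the new side.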
4 changes: 2 additions & 2 deletions replicated/application.yaml
@@ -26,8 +26,8 @@ spec:
- openhands/ingress/openhands-mcp-ingress

# keycloak
- openhands/statefulset/keycloak
- openhands/service/keycloak
- openhands/statefulset/openhands-keycloak
- openhands/service/openhands-keycloak-http

# postgres
- '{{repl if ConfigOptionEquals "postgres_type" "embedded_postgres"}}openhands/statefulset/openhands-postgresql{{repl end}}'