feat: Implement a shared Keycloak deployment and support modular auth configurations

package.json

@@ -35,14 +35,18 @@
     "./pages": {
       "types": "./dist/playwright/pages/index.d.ts",
       "default": "./dist/playwright/pages/index.js"
+    },
+    "./keycloak": {
+      "types": "./dist/deployment/keycloak/index.d.ts",
+      "default": "./dist/deployment/keycloak/index.js"
     }
   },
   "files": [
     "dist",
     "tsconfig.base.json"
   ],
   "scripts": {
-    "build": "yarn clean && tsc -p tsconfig.build.json && cp -r src/deployment/rhdh/config src/deployment/rhdh/helm src/deployment/rhdh/operator dist/deployment/rhdh/",
+    "build": "yarn clean && tsc -p tsconfig.build.json && cp -r src/deployment/rhdh/config dist/deployment/rhdh/ && cp -r src/deployment/keycloak/config dist/deployment/keycloak/",
     "check": "yarn typecheck && yarn lint:check && yarn prettier:check",
     "clean": "rm -rf dist",
     "lint:check": "eslint . --ignore-pattern dist --ignore-pattern README.md",
@@ -76,6 +80,7 @@
   "dependencies": {
     "@axe-core/playwright": "^4.11.0",
     "@eslint/js": "^9.39.1",
+    "@keycloak/keycloak-admin-client": "^26.0.0",
     "@kubernetes/client-node": "^1.4.0",
     "boxen": "^8.0.1",
     "eslint": "^9.39.1",

src/deployment/keycloak/config/keycloak-values.yaml

@@ -0,0 +1,94 @@
+global:
+  security:
+    allowInsecureImages: true
+
+replicaCount: 1
+
+# Use Bitnami legacy repository (Bitnami images moved to bitnamilegacy as of Aug 2025)
+# Note: Legacy images are not updated/maintained. Consider migrating to official Keycloak image for long-term.
+image:
+  registry: docker.io
+  repository: bitnamilegacy/keycloak
+  tag: "26.3.3-debian-12-r0"
+  pullPolicy: IfNotPresent
+
+auth:
+  adminUser: admin
+  adminPassword: admin123
+
+service:
+  type: ClusterIP
+  port: 8080
+
+# OpenShift Route configuration
+route:
+  enabled: true
+  host: "" # Will be auto-generated by OpenShift
+  tls:
+    enabled: false
+
+ingress:
+  enabled: false
+
+postgresql:
+  enabled: true
+  image:
+    registry: docker.io
+    repository: bitnamilegacy/postgresql
+    tag: "17.6.0-debian-12-r4"
+    pullPolicy: IfNotPresent
+  auth:
+    postgresPassword: postgres123
+    username: keycloak
+    password: keycloak123
+    database: keycloak
+  primary:
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+    persistence:
+      enabled: true
+      size: 1Gi
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+
+extraEnvVars:
+  - name: KEYCLOAK_ADMIN
+    value: admin
+  - name: KEYCLOAK_ADMIN_PASSWORD
+    value: admin123
+  - name: KC_HTTP_ENABLED
+    value: "true"
+  - name: KC_PROXY_HEADERS
+    value: "xforwarded"
+  - name: KC_HOSTNAME_STRICT
+    value: "false"
+  - name: JAVA_OPTS_APPEND
+    value: "-Djava.net.preferIPv4Stack=true -Xms256m -Xmx512m"
+
+# Increase probe timeouts for slower startup on resource-constrained clusters
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 120
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 60
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1

src/deployment/keycloak/constants.ts

@@ -0,0 +1,87 @@
+import path from "path";
+import type { KeycloakClientConfig } from "./types.js";
+
+// Navigate from dist/deployment/keycloak/ to package root
+const PACKAGE_ROOT = path.resolve(import.meta.dirname, "../../..");
+
+export const DEFAULT_KEYCLOAK_CONFIG = {
+  namespace: "rhdh-keycloak",
+  releaseName: "keycloak",
+  adminUser: "admin",
+  adminPassword: "admin123",
+  realm: "rhdh",
+};
+
+export const DEFAULT_CONFIG_PATHS = {
+  valuesFile: path.join(
+    PACKAGE_ROOT,
+    "dist/deployment/keycloak/config/keycloak-values.yaml",
+  ),
+};
+
+export const BITNAMI_CHART_REPO = "https://charts.bitnami.com/bitnami";
+export const BITNAMI_CHART_NAME = "bitnami/keycloak";
+
+export const DEFAULT_RHDH_CLIENT: KeycloakClientConfig = {
+  clientId: "rhdh-client",
+  clientSecret: "rhdh-client-secret",
+  name: "RHDH Client",
+  redirectUris: ["*"],
+  webOrigins: ["*"],
+  standardFlowEnabled: true,
+  implicitFlowEnabled: true,
+  directAccessGrantsEnabled: true,
+  serviceAccountsEnabled: true,
+  authorizationServicesEnabled: true,
+  publicClient: false,
+  defaultClientScopes: [
+    "service_account",
+    "web-origins",
+    "roles",
+    "profile",
+    "basic",
+    "email",
+  ],
+  optionalClientScopes: [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt",
+  ],
+};
+
+export const DEFAULT_GROUPS = [
+  { name: "developers" },
+  { name: "admins" },
+  { name: "viewers" },
+];
+
+export const DEFAULT_USERS = [
+  {
+    username: "test1",
+    email: "test1@example.com",
+    firstName: "Test",
+    lastName: "User1",
+    enabled: true,
+    emailVerified: true,
+    password: "test1@123",
+    groups: ["developers"],
+  },
+  {
+    username: "test2",
+    email: "test2@example.com",
+    firstName: "Test",
+    lastName: "User2",
+    enabled: true,
+    emailVerified: true,
+    password: "test2@123",
+    groups: ["developers"],
+  },
+];
+
+// Service account roles required for RHDH integration
+export const SERVICE_ACCOUNT_ROLES = [
+  "view-authorization",
+  "manage-authorization",
+  "view-users",
+];