Conversation

@JasonPowr (Member) commented Nov 5, 2025

Summary by Sourcery

Add Kustomize configurations for Red Hat backed Keycloak deployment and update the OpenShift deploy script to optionally install RHBK or the existing SSO setup.

New Features:

  • Add Kustomize-based resources for RHBK deployment including PostgreSQL StatefulSet, Keycloak CR, realm import, secrets, service, operator subscription, and kustomization manifests under ci/rhbk

Enhancements:

  • Enhance tas-keycloak-install.sh to support installing Red Hat Backed Keycloak via install_rhbk_sso_keycloak function with usage help and parameterized choice between rhbk and sso

sourcery-ai bot commented Nov 5, 2025

Reviewer's Guide

This PR extends the Keycloak deployment by refactoring the install script to support RHBK or SSO modes and introduces kustomize-based manifests for the RHBK operator, PostgreSQL backend, Keycloak CR, and realm import.

Sequence diagram for RHBK Keycloak installation flow

sequenceDiagram
    participant Script
    participant OpenShift
    participant RHBK Operator
    participant PostgreSQL DB
    participant Keycloak
    Script->>OpenShift: Apply RHBK Operator manifests
    OpenShift->>RHBK Operator: Start operator pod
    Script->>OpenShift: Check RHBK Operator pod status
    Script->>OpenShift: Apply PostgreSQL DB manifests
    OpenShift->>PostgreSQL DB: Start DB pod
    Script->>OpenShift: Check PostgreSQL DB pod status
    Script->>OpenShift: Apply Keycloak CR manifests
    OpenShift->>Keycloak: Start Keycloak pod
    Script->>OpenShift: Check Keycloak pod status
    Script->>OpenShift: Apply Keycloak Realm Import
    OpenShift->>Keycloak: Import realm and users

Entity relationship diagram for Keycloak and PostgreSQL resources

erDiagram
    POSTGRESQL_DB_SECRET {
      string database
      string username
      string password
    }
    POSTGRESQL_DB {
      string POSTGRESQL_USER
      string POSTGRESQL_PASSWORD
      string POSTGRESQL_DATABASE
    }
    KEYCLOAK {
      string db_host
      string db_passwordSecret
      string db_usernameSecret
      string db_vendor
      string hostname_hostname
      int instances
    }
    KEYCLOAK_REALM_IMPORT {
      string keycloakCRName
      string realm_id
      string realm_realm
      string realm_displayName
      bool realm_enabled
      string realm_clients[]
      string realm_users[]
    }
    POSTGRESQL_DB_SECRET ||--o| POSTGRESQL_DB : provides_credentials
    POSTGRESQL_DB ||--o| KEYCLOAK : used_by
    KEYCLOAK ||--o| KEYCLOAK_REALM_IMPORT : imports_realm

Class diagram for new Keycloak and PostgreSQL resource definitions

classDiagram
    class Keycloak {
      +db: string
      +hostname: string
      +ingress: string
      +proxy: string
      +http: string
      +instances: int
    }
    class KeycloakRealmImport {
      +keycloakCRName: string
      +realm: string
    }
    class PostgreSQLDB {
      +env: string
      +image: string
      +livenessProbe: string
      +readinessProbe: string
      +securityContext: string
      +volumeMounts: string
    }
    class PostgreSQLDBSecret {
      +database: string
      +username: string
      +password: string
    }
    Keycloak --> PostgreSQLDB : uses
    KeycloakRealmImport --> Keycloak : imports into
    PostgreSQLDB <-- PostgreSQLDBSecret : gets credentials from

File-Level Changes

Change | Details | Files

Refactor deploy script to support RHBK and SSO installs
  • Added usage() and help flags
  • Introduced install_rhbk_sso_keycloak() with hostname.env generation
  • Updated argument parsing to invoke correct install function
  Files: ci/openshift/tas-keycloak-install.sh

Introduce RHBK operator deployment manifests
  • Added OperatorGroup and Subscription for RHBK operator
  • Created kustomization for operator under ci/rhbk/operator/base
  Files: ci/rhbk/operator/base/namespace.yaml, ci/rhbk/operator/base/subscription.yaml, ci/rhbk/operator/base/kustomization.yaml

Add kustomize resources for PostgreSQL and Keycloak
  • Generated PostgreSQL secret, service, and StatefulSet
  • Defined Keycloak CR and KeycloakRealmImport manifest
  • Configured kustomization with hostname ConfigMapGenerator and replacements
  Files: ci/rhbk/resources/base/postgresql_db_secret.yaml, ci/rhbk/resources/base/postgresql_db_service.yaml, ci/rhbk/resources/base/postgresql_db.yaml, ci/rhbk/resources/base/keycloak.yaml, ci/rhbk/resources/base/keycloak_realm_import.yaml, ci/rhbk/resources/base/kustomization.yaml


qodo-merge-pro bot commented Nov 5, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Default weak credentials

Description: The realm import defines a default user jdoe with a hardcoded password secure, which risks
unauthorized access if deployed to shared or production clusters.
keycloak_realm_import.yaml [56-66]

Referred Code
users:
  - username: jdoe
    enabled: true
    emailVerified: true
    email: [email protected]
    firstName: Jane
    lastName: Doe
    credentials:
      - type: password
        value: secure
        temporary: false
Wildcard redirect URIs

Description: The client allows wildcard redirect URIs ("*"), enabling open redirect/OAuth token leakage
to arbitrary origins.
keycloak_realm_import.yaml [22-25]

Referred Code
defaultClientScopes: ["profile","email"]
redirectUris:
  - "*"
  - "urn:ietf:wg:oauth:2.0:oob"
Hardcoded weak secrets

Description: The PostgreSQL Secret uses weak, hardcoded credentials (username: keycloak, password:
keycloak) committed to source, which can be easily compromised.
postgresql_db_secret.yaml [5-8]

Referred Code
stringData:
  database: keycloak
  username: keycloak
  password: keycloak
Insecure transport (no SSL)

Description: Realm has sslRequired: none, permitting non-TLS flows which can expose tokens and
credentials over the network.
keycloak_realm_import.yaml [12-12]

Referred Code
sslRequired: none
clients:
Unpinned container image

Description: The PostgreSQL container image tag is latest, which can change unexpectedly and introduce
unverified updates or vulnerabilities.
postgresql_db.yaml [36-36]

Referred Code
image: registry.redhat.io/rhel9/postgresql-15:latest
livenessProbe:
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

🔴
Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Plaintext secret: The Kubernetes Secret includes plaintext credentials (username/password) committed in
source, which risks exposure and violates secure logging/handling of sensitive data.

Referred Code
stringData:
  database: keycloak
  username: keycloak
  password: keycloak
Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Hardcoded creds: Hardcoded database credentials are stored in versioned manifests and referenced by
workloads, lacking secure secret management and risking exposure; stronger handling
(sealed secrets/vault) is needed.

Referred Code
stringData:
  database: keycloak
  username: keycloak
  password: keycloak
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No auditing: The deployment script and Kustomize manifests add/install Keycloak and a DB without
introducing any audit logging for critical actions executed by the script (e.g., apply
operations or failures), making it unclear if audit trails exist elsewhere.

Referred Code
    oc apply --kustomize ci/rhbk/operator/base
    check_pod_status "keycloak-system" "rhbk-operator"
    if [ $? -ne 0 ]; then
        echo "Pod status check failed. Exiting the script."
        exit 1
    fi
    oc apply --kustomize ci/rhbk/resources/base
    check_pod_status "keycloak-system" "postgresql-db"
    check_pod_status "keycloak-system" "keycloak"
    if [ $? -ne 0 ]; then
        echo "Pod status check failed. Exiting the script."
        exit 1
    fi
}

choice="${1:-sso}"
case "$choice" in
  rhbk)
    install_rhbk_sso_keycloak
    ;;
  sso)
 ... (clipped 6 lines)
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Limited errors: The script exits generically on pod status check failures without contextual details
(e.g., which target failed or last observed state), and does not validate external command
availability or handle failures from oc apply/get.

Referred Code
oc apply --kustomize ci/rhbk/operator/base
check_pod_status "keycloak-system" "rhbk-operator"
if [ $? -ne 0 ]; then
    echo "Pod status check failed. Exiting the script."
    exit 1
fi
oc apply --kustomize ci/rhbk/resources/base
check_pod_status "keycloak-system" "postgresql-db"
check_pod_status "keycloak-system" "keycloak"
if [ $? -ne 0 ]; then
    echo "Pod status check failed. Exiting the script."
    exit 1
fi
Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
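
As an added example, not from the PR or from either review bot, the following shell lint turns the five security findings above into grep checks a CI job can run over the rendered kustomize output before anything is applied; the two YAML samples are constructed here, and the `${VAR}` placeholder convention for deploy-time injection is an assumption.

```shell
#!/bin/sh
# Pre-merge lint for the RHBK kustomize manifests: reports the five weak
# settings the compliance guide flagged so CI can fail before `oc apply`.

# Constructed sample reproducing the flagged fragments (not the PR's files).
WEAK_SAMPLE='kind: Secret
stringData:
  database: keycloak
  username: keycloak
  password: keycloak
---
sslRequired: none
clients:
  - redirectUris:
      - "*"
      - "urn:ietf:wg:oauth:2.0:oob"
users:
  - username: jdoe
    credentials:
      - type: password
        value: secure
---
image: registry.redhat.io/rhel9/postgresql-15:latest'

# Same fragments with each finding resolved; ${VAR} values are injected at deploy time.
SAFE_SAMPLE='stringData:
  password: ${DB_PASSWORD}
sslRequired: external
redirectUris:
  - "https://app.example.test/callback"
credentials:
  - type: password
    value: ${TEST_USER_PASSWORD}
image: registry.redhat.io/rhel9/postgresql-15@sha256:<digest-placeholder>'

# lint_yaml TEXT: print one finding per line (nothing when clean); always returns 0
lint_yaml() {
  y="$1"
  # a literal Secret value; a ${...} placeholder starts with $ and does not match
  printf '%s\n' "$y" | grep -Eq '^[[:space:]]*password:[[:space:]]*[A-Za-z0-9]' \
    && echo "hardcoded-secret: literal password in stringData"
  # realm user credential whose value (the line after "type: password") is literal
  printf '%s\n' "$y" | grep -A1 'type: password' | grep -Eq 'value:[[:space:]]*[A-Za-z0-9]' \
    && echo "default-user-credential: realm user ships with a committed password"
  printf '%s\n' "$y" | grep -Eq '^[[:space:]]*-[[:space:]]*"?\*"?[[:space:]]*$' \
    && echo "wildcard-redirect: redirectUris contains \"*\""
  printf '%s\n' "$y" | grep -Eq 'sslRequired:[[:space:]]*none' \
    && echo "insecure-transport: sslRequired is none"
  printf '%s\n' "$y" | grep -Eq 'image:.*:latest[[:space:]]*$' \
    && echo "unpinned-image: container image uses the latest tag"
  return 0
}

# count_findings TEXT: number of findings; a CI gate exits 1 when this is non-zero
count_findings() { lint_yaml "$1" | wc -l | tr -d ' '; }

lint_yaml "$WEAK_SAMPLE"
echo "weak sample: $(count_findings "$WEAK_SAMPLE") finding(s), hardened sample: $(count_findings "$SAFE_SAMPLE")"
```

In a pipeline, feed it `oc kustomize ci/rhbk/resources/base` output and fail the job when `count_findings` is non-zero.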

sourcery-ai bot left a comment

Hey there - I've reviewed your changes and found some issues that need to be addressed.

  • Add a default case to handle invalid arguments (e.g. print usage and exit) to avoid silent no-ops when the choice flag is mis-typed.
  • Extract the repeated oc apply + check_pod_status logic into a helper function to reduce duplication and improve maintainability.
  • Consider pinning the postgresql container image to a specific version instead of using 'latest' to ensure consistent deployments.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Add a default case to handle invalid arguments (e.g. print usage and exit) to avoid silent no-ops when the choice flag is mis-typed.
- Extract the repeated oc apply + check_pod_status logic into a helper function to reduce duplication and improve maintainability.
- Consider pinning the postgresql container image to a specific version instead of using 'latest' to ensure consistent deployments.

## Individual Comments

### Comment 1
<location> `ci/openshift/tas-keycloak-install.sh:79-88` </location>
<code_context>
+    fi
+}
+
+choice="${1:-sso}"
+case "$choice" in
+  rhbk)
+    install_rhbk_sso_keycloak
+    ;;
+  sso)
+    install_sso_keycloak
+    ;;
+  -h|--help|help)
+    usage
+    ;;
+esac
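Review bot: the `case` statement has no `*)` arm, so an unrecognised argument (a typo in `rhbk`, say) matches nothing and the script exits 0 without installing either variant, which a CI job reads as success; add `*) usage; exit 1 ;;` before `esac` so a bad argument fails loudly.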
</code_context>

<issue_to_address>
**suggestion:** Script does not handle invalid arguments gracefully.

Add a default case to the 'case' statement to display usage information and exit with a non-zero status when an unsupported argument is given.
</issue_to_address>

### Comment 2
<location> `ci/rhbk/resources/base/postgresql_db_secret.yaml:8` </location>
<code_context>
+stringData:
+  database: keycloak
+  username: keycloak
+  password: keycloak
</code_context>

<issue_to_address>
**🚨 issue (security):** Use of static credentials for database secret poses a security risk.

Hardcoding credentials increases the risk of exposure. Use environment variables, secret management tools, or dynamic generation for production deployments.
</issue_to_address>


qodo-merge-pro bot commented Nov 5, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category    Suggestion    Impact
Security
Remove hardcoded user credentials from repository

Remove the hardcoded test user and credentials from the Keycloak realm import
configuration to avoid exposing secrets in the repository.

ci/rhbk/resources/base/keycloak_realm_import.yaml [56-66]

-users:
-  - username: jdoe
-    enabled: true
-    emailVerified: true
-    email: [email protected]
-    firstName: Jane
-    lastName: Doe
-    credentials:
-      - type: password
-        value: secure
-        temporary: false
+users: []
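Review bot: `users: []` also removes the only account the realm seeds, so any CI step that authenticates as `jdoe` against this realm will break; keeping the user and injecting the password at deploy time, as the High-level suggestion on this page does with `value: ${TEST_USER_PASSWORD}`, avoids both the committed secret and the regression.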
Suggestion importance[1-10]: 10

Why: The suggestion correctly identifies a critical security vulnerability of committing hardcoded user credentials to the repository and provides a secure alternative.

High
Avoid committing hardcoded database credentials

Avoid committing hardcoded database credentials by removing the
postgresql_db_secret.yaml file and instead generating the secret dynamically
during deployment.

ci/rhbk/resources/base/postgresql_db_secret.yaml [1-8]

-apiVersion: v1
-kind: Secret
-metadata:
-  name: postgresql-db
-stringData:
-  database: keycloak
-  username: keycloak
-  password: keycloak
+# This file should be removed.
+# The secret should be created dynamically in the deployment script, for example:
+#
+# oc create secret generic postgresql-db \
+#   --from-literal=database=keycloak \
+#   --from-literal=username=keycloak \
+#   --from-literal=password=$(openssl rand -hex 16) \
+#   -n keycloak-system
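Review bot: `oc create secret generic` is not idempotent, so a second run of the deploy script fails with AlreadyExists, and if the secret is instead deleted and recreated, the fresh `openssl rand` value no longer matches the password the PostgreSQL StatefulSet and Keycloak CR already consumed from the old secret. Generate the password only when the secret is absent, and create it via `oc create secret generic ... --dry-run=client -o yaml | oc apply -f -` so re-runs are safe.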
Suggestion importance[1-10]: 10

Why: The suggestion correctly identifies a critical security vulnerability by pointing out hardcoded database credentials in a version-controlled file and recommends a best-practice approach of dynamic secret generation.

High
Avoid using a wildcard redirect URI

Replace the wildcard * in redirectUris with a specific, trusted URI to prevent
open redirect vulnerabilities.

ci/rhbk/resources/base/keycloak_realm_import.yaml [23-25]

 redirectUris:
-  - "*"
+  - "https://<your-application-url>/*"
   - "urn:ietf:wg:oauth:2.0:oob"
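Review bot: `https://<your-application-url>/*` is a placeholder, so applied as-is the client would accept no real redirect at all; since the kustomization already generates a hostname ConfigMap and replacements from `hostname.env` (see File-Level Changes), derive the redirect URI from that same source rather than hand-editing it, and prefer the exact callback path over a trailing `/*` where the application has one.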
Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a significant security vulnerability (open redirect) by using a wildcard in redirectUris and proposes a secure alternative, which is critical for application security.

High
High-level
Avoid committing hardcoded secrets to repository

The PR adds hardcoded credentials for a database and a test user in CI
configuration files. This is a security risk; secrets should be managed
securely, for example by dynamic generation or using a vault, instead of being
committed to the repository.

Examples:

ci/rhbk/resources/base/postgresql_db_secret.yaml [5-8]
stringData:
  database: keycloak
  username: keycloak
  password: keycloak
ci/rhbk/resources/base/keycloak_realm_import.yaml [63-66]
        credentials:
          - type: password
            value: secure
            temporary: false

Solution Walkthrough:

Before:

# In ci/rhbk/resources/base/postgresql_db_secret.yaml
apiVersion: v1
kind: Secret
stringData:
  username: keycloak
  password: keycloak

# In ci/rhbk/resources/base/keycloak_realm_import.yaml
...
    users:
      - username: jdoe
        ...
        credentials:
          - type: password
            value: secure

After:

# In CI pipeline script
# Generate secrets dynamically
DB_PASSWORD=$(openssl rand -base64 12)
USER_PASSWORD=$(openssl rand -base64 12)

# Create Kubernetes secret from environment variables or a vault
kubectl create secret generic postgresql-db \
  --from-literal=username=keycloak \
  --from-literal=password=$DB_PASSWORD

# In ci/rhbk/resources/base/keycloak_realm_import.yaml
...
    users:
      - username: jdoe
        ...
        credentials:
          - type: password
            value: ${TEST_USER_PASSWORD} # Injected at deploy time
Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a critical security vulnerability by pointing out hardcoded secrets (postgresql-db and jdoe user credentials) in CI configuration, which is a significant risk.

High

@osmman osmman added the test label Nov 6, 2025
@JasonPowr JasonPowr requested a review from osmman November 10, 2025 09:22
@JasonPowr JasonPowr force-pushed the add-rhbk-deploy-dcript branch from 8da0877 to b813082 Compare November 13, 2025 11:09
@JasonPowr (Member, Author) commented:

@osmman When you get a chance can I get you to look at this again?
