Quick facts

Chart: codecentric/keycloakx 7.0.0
Version: Keycloak 26.3.5
Realm: comptech (pre-imported)
Hostname: auth.apps.sub.comptech-lab.com
Issuer: https://auth.apps.sub.comptech-lab.com/realms/comptech
Failover (DC→DR): ~13 s
Failover (DR→DC): ~18 s
Healthcheck: /realms/master/.well-known/openid-configuration

What it is

Single-replica StatefulSet per cluster with its own Postgres StatefulSet. Realm is defined declaratively and loaded at startup. The codecentric chart's extraEnv is used to set KC_HOSTNAME to the public HTTPS URL and to drop the /auth URL prefix so the issuer lives at the root.
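
An added example (not taken from the infra/gitops-rke2 repo): a Python check that a realm's OIDC discovery document matches what the KC_HOSTNAME and prefix settings described above are meant to produce. Both sample documents are constructed, and the internal service hostname in the misconfigured one is hypothetical.

```python
from urllib.parse import urlsplit

# Issuer taken from the quick facts on this page.
EXPECTED_ISSUER = "https://auth.apps.sub.comptech-lab.com/realms/comptech"

# Standard OIDC discovery fields that Keycloak publishes as URLs.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def check_discovery(doc, expected_issuer=EXPECTED_ISSUER):
    """Return a list of findings; an empty list means the document is consistent."""
    findings = []
    issuer = doc.get("issuer", "")
    # Relying parties compare the issuer string exactly, so we do too.
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: {issuer!r}")
    if urlsplit(issuer).path.startswith("/auth/"):
        findings.append("issuer still carries the /auth prefix")
    want = urlsplit(expected_issuer)
    for key in ENDPOINT_KEYS:
        url = urlsplit(doc.get(key, ""))  # a missing field fails all three checks
        if url.scheme != "https":
            findings.append(f"{key}: not https")
        if url.netloc != want.netloc:
            findings.append(f"{key}: host {url.netloc!r} is not the public hostname")
        if not url.path.startswith(want.path + "/"):
            findings.append(f"{key}: path outside the realm root")
    return findings


def sample(base):
    """Constructed discovery document (not captured from the live service)."""
    oidc = base + "/protocol/openid-connect"
    return {"issuer": base, "authorization_endpoint": oidc + "/auth",
            "token_endpoint": oidc + "/token", "userinfo_endpoint": oidc + "/userinfo",
            "jwks_uri": oidc + "/certs", "end_session_endpoint": oidc + "/logout"}


GOOD = sample(EXPECTED_ISSUER)
# Constructed misconfiguration: hypothetical internal service name, plain HTTP,
# and the /auth prefix still in place.
BAD = sample("http://keycloak-http.keycloak.svc:8080/auth/realms/comptech")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(doc) or "OK")
```

In use, `doc` would be the parsed JSON from the realm's `/.well-known/openid-configuration` endpoint, fetched through the public hostname on each site.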

OIDC clients for the platform tools are pre-registered in the realm config; a few still hold placeholder secrets pending rotation.

Architecture

Add diagrams or topology notes here — how this component sits relative to DC/DR, what replicates, and what speaks to it. Mermaid blocks render as plain text today; embed images under /assets/ when needed.

Configuration

Add chart values overrides, important env vars, OIDC client config, secret references. Link to the source files in infra/gitops-rke2 rather than copying YAML wholesale — the repo is the source of truth.

Operations

Add runbook notes: backup, restore, common troubleshooting, dashboards, on-call cheatsheet entries.

Failover

Add DC/DR cutover/cutback notes: edge HAProxy backend name, healthcheck path, measured cutover/cutback times, smoke-test commands.

References