feat: add rh-keycloak wrapper chart with PostSync cleanup for one-shot ExternalSecrets #137
Open
minmzzhang wants to merge 4 commits into
Conversation
mlorenzofr (Collaborator) requested changes on May 25, 2026:
We need to rebase after merging #135
- Add `extraValueFiles...` to `values-hub.yaml`
- Add `rhbk:` to the beginning of `overrides/values-keycloak-network-policy.yaml` and fix the indentation

Apart from that, everything else has worked correctly
Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart as a dependency and adds a PostSync cleanup job for one-shot ExternalSecret provisioning. The PostSync job:
1. Waits for labeled ExternalSecrets to sync
2. Deletes them with --cascade=orphan (Secrets survive)
3. Cleans up ephemeral Secrets labeled for deletion (keycloak-users)

Switch values-hub.yaml from the remote rhbk chart to the local rh-keycloak wrapper chart path. Requires rhbk-chart >= 0.0.9 with externalSecrets.oneShot support. Commented-out overrides updated with rhbk. prefix to match the wrapper chart structure.

Signed-off-by: Min Zhang <minzhang@redhat.com>
Force-pushed from 64360bb to 2d728b4.
minmzzhang (Collaborator, Author):
Rebased the latest main and force pushed.
Bump rhbk dependency to >=0.0.10 which carries the renamed label.

Signed-off-by: Min Zhang <minzhang@redhat.com>
Collaborator comment:
Depends on validatedpatterns/rhbk-chart#15
ArgoCD's HookSucceeded policy already removes the ExternalSecret, so the PostSync Job no longer needs ExternalSecret RBAC or the one-shot label lookup.

Signed-off-by: Min Zhang <minzhang@redhat.com>
When default-deny NetworkPolicies are enabled in keycloak-system, the cleanup Job cannot reach the API server. Add a PostSync NetworkPolicy allowing DNS and port 6443 egress, and label the Job pod so it matches.

Signed-off-by: Min Zhang <minzhang@redhat.com>
mlorenzofr (Collaborator) approved these changes on May 27, 2026:
Tested and everything is fine
Once we have merged validatedpatterns/rhbk-chart#15, we could also merge this PR
LGTM
Summary
- Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart as a dependency and adds a PostSync cleanup job for one-shot ExternalSecret provisioning
- Switch values-hub.yaml from the remote rhbk chart to the local rh-keycloak wrapper chart path
- Commented-out overrides updated with the rhbk. prefix to match the wrapper chart structure

How it works
When externalSecrets.oneShot is enabled (set by the wrapper chart), the keycloak-users ExternalSecret uses BeforeHookCreation and sets deletionPolicy: Retain. The PostSync job then:
1. Waits for the labeled ExternalSecrets to sync
2. Deletes them with --cascade=orphan (Secrets survive because Kubernetes GC is told to orphan dependents)
3. Cleans up Secrets labeled ztvp.io/cleanup=delete (the keycloak-users Secret)

This prevents ESO from continuously overwriting the keycloak-users Secret after Keycloak has consumed it during realm import.

Dependencies
Requires rhbk >= 0.0.10 with externalSecrets.oneShot support (validatedpatterns/rhbk-chart#15). That PR must be merged and published before this one can be deployed.
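The manifests below are an added illustration of the PostSync cleanup described in this PR, in its final shape after the later commits: Argo CD's HookSucceeded hook-delete policy removes the ExternalSecret, so the Job needs only Secret permissions, and a PostSync NetworkPolicy lets the Job pod reach DNS and the API server on 6443 under a default-deny policy. They are not the PR's own chart templates. The resource names, the pod label ztvp.io/postsync-cleanup, the container image and the inclusion of port 5353 next to 53 (what OpenShift's CoreDNS pods listen on) are assumptions; the keycloak-system namespace, the ztvp.io/cleanup=delete label, the Argo CD hook annotations and the DNS plus 6443 egress rule come from the PR.

```yaml
# Added example, not the rh-keycloak chart's templates. Names, labels and the
# image are assumptions; namespace and the cleanup label come from the PR.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-postsync-cleanup          # assumed name
  namespace: keycloak-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-postsync-cleanup
  namespace: keycloak-system
rules:
  # Least privilege: list/delete Secrets in this namespace only. No
  # ExternalSecret permissions, since Argo CD's HookSucceeded policy removes it.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keycloak-postsync-cleanup
  namespace: keycloak-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: keycloak-postsync-cleanup
subjects:
  - kind: ServiceAccount
    name: keycloak-postsync-cleanup
    namespace: keycloak-system
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak-postsync-cleanup-egress
  namespace: keycloak-system
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  # Only the cleanup pod gets this egress; the label must match the Job's
  # pod template below (assumed label).
  podSelector:
    matchLabels:
      ztvp.io/postsync-cleanup: "true"
  policyTypes: ["Egress"]
  egress:
    - ports:                              # DNS (53; 5353 for OpenShift CoreDNS pods)
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
        - { protocol: UDP, port: 5353 }
        - { protocol: TCP, port: 5353 }
    - ports:                              # Kubernetes API server
        - { protocol: TCP, port: 6443 }
---
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-postsync-cleanup
  namespace: keycloak-system
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 2
  template:
    metadata:
      labels:
        ztvp.io/postsync-cleanup: "true"  # selects the NetworkPolicy above
    spec:
      serviceAccountName: keycloak-postsync-cleanup
      restartPolicy: Never
      containers:
        - name: cleanup
          image: registry.example.com/kubectl:placeholder   # placeholder: any image with kubectl
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Remove only Secrets explicitly marked ephemeral by the chart
              # (the keycloak-users Secret). --ignore-not-found keeps re-runs
              # of the hook idempotent.
              kubectl delete secret -n keycloak-system \
                -l ztvp.io/cleanup=delete --ignore-not-found
```

The Role deliberately lists no get/update on Secrets and nothing on ExternalSecrets, so a compromised hook pod can delete the marked Secret but not read it or other Secrets in the namespace; the egress rule leaves no destination open beyond DNS and the API port, which is what a default-deny posture in keycloak-system expects.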