validatedpatterns · sabre1041 · May 29, 2026 · minmzzhang · May 29, 2026 · minmzzhang
diff --git a/Chart.yaml b/Chart.yaml
@@ -4,7 +4,7 @@ keywords:
   - pattern
 name: rhbk
 type: application
-version: 0.0.10
+version: 0.0.11
 home: https://github.com/validatedpatterns/rhbk-chart
 maintainers:
   - name: Validated Patterns Team

diff --git a/README.md b/README.md
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -19,4 +19,30 @@ Generate the hostname for the Ingress.
 {{- else }}
 {{- print .Values.keycloak.ingress.hostname }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{/*
+Generate the metadata for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.metadata" -}}
+{{- if or .annotations .labels }}
+metadata:
+  {{- if .annotations }}
+  annotations:
+    {{- toYaml .annotations | nindent 4 }}
+  {{- end }}
+  {{- if .labels }}
+  labels:
+    {{- toYaml .labels | nindent 4 }}
+  {{- end }}
+{{- end }}  
+{{- end }}
+
+{{/*
+Generate the lifecycle for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.lifecycle" -}}
+creationPolicy: {{ .creationPolicy }}
+deletionPolicy: {{ .deletionPolicy }}
+refreshPolicy: {{ .refreshPolicy }}
+{{- end }}
diff --git a/templates/acs-oidc-client-secret-external-secret.yaml b/templates/acs-oidc-client-secret-external-secret.yaml
@@ -12,7 +12,9 @@ spec:
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: acs-oidc-client-secret
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.acs | nindent 4 }}
     template:
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.acs | nindent 6 }}
       type: Opaque
       data:
         client-secret: "{{ `{{ .client_secret }}` }}"

diff --git a/templates/keycloak-admin-user-external-secret.yaml b/templates/keycloak-admin-user-external-secret.yaml
@@ -11,7 +11,9 @@ spec:
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: {{ .Values.keycloak.adminUser.secretName }}
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.adminUser | nindent 4 }}
     template:
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.adminUser | nindent 6 }}
       type: Opaque
       data:
         username: "{{ .Values.keycloak.adminUser.username }}"

diff --git a/templates/keycloak-users-external-secret.yaml b/templates/keycloak-users-external-secret.yaml
@@ -4,30 +4,16 @@ kind: ExternalSecret
 metadata:
   name: keycloak-users
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.externalSecrets.oneShot }}
-  annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/hook-delete-policy: HookSucceeded
-    argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
-  {{- end }}
 spec:
   refreshInterval: 15s
   secretStoreRef:
     name: {{ .Values.global.secretStore.name }}
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: keycloak-users
-    {{- if .Values.externalSecrets.oneShot }}
-    creationPolicy: Orphan
-    {{- else }}
-    creationPolicy: {{ .Values.externalSecrets.creationPolicy }}
-    {{- end }}
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.keycloakUsers | nindent 4 }}
     template:
-      {{- if .Values.externalSecrets.oneShot }}
-      metadata:
-        labels:
-          {{ .Values.externalSecrets.secretCleanupLabel }}: delete
-      {{- end }}
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.keycloakUsers | nindent 6 }}
       type: Opaque
       data:
         qtodo-admin-password: "{{ `{{ .qtodo_admin_password }}` }}"

diff --git a/templates/oidc-client-secret-external-secret.yaml b/templates/oidc-client-secret-external-secret.yaml
@@ -11,7 +11,9 @@ spec:
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: oidc-client-secret
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.oidcClientSecret | nindent 4 }}
     template:
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.oidcClientSecret | nindent 6 }}
       type: Opaque
       data:
         client-secret: "{{ `{{ .client_secret }}` }}"

diff --git a/templates/postgresql-db-external-secret.yaml b/templates/postgresql-db-external-secret.yaml
@@ -10,7 +10,9 @@ spec:
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: {{ .Values.keycloak.postgresqlDb.secretName }}
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.postgresqlDb | nindent 4 }}
     template:
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.postgresqlDb | nindent 6 }}
       type: Opaque
       data:
         username: {{ .Values.keycloak.postgresqlDb.username }}

diff --git a/templates/rhtpa-oidc-cli-secret-external-secret.yaml b/templates/rhtpa-oidc-cli-secret-external-secret.yaml
@@ -12,7 +12,9 @@ spec:
     kind: {{ .Values.global.secretStore.kind }}
   target:
     name: rhtpa-oidc-cli-secret
+    {{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.rhtpa | nindent 4 }}
     template:
+      {{- include "keycloak.externalSecrets.metadata" .Values.externalSecrets.rhtpa | nindent 6 }}
       type: Opaque
       data:
         client-secret: "{{ `{{ .client_secret | trim }}` }}"

diff --git a/values.yaml b/values.yaml
@@ -4,23 +4,44 @@ global:
     kind: ClusterSecretStore
     name: vault-backend
 
-# -- One-shot ExternalSecret provisioning for keycloak-users.
-# When oneShot is true, the keycloak-users ExternalSecret becomes an
-# ArgoCD Sync hook with HookSucceeded and creationPolicy: Orphan.
-# Orphan prevents ESO from setting an ownerReference on the Secret,
-# so k8s GC will not cascade-delete the Secret when ArgoCD removes
-# the ExternalSecret hook after sync.
-# A PostSync Job in the wrapper chart (e.g. rh-keycloak in
-# layered-zero-trust) then cleans up Secrets labeled
-# secretCleanupLabel=delete.
-# When oneShot is false (default), keycloak-users is a regular
-# ExternalSecret with no hook annotations — the Secret and
-# ExternalSecret persist.
-# @default -- disabled (regular ExternalSecret, no hooks)
+# -- Properties associated with ExternalSecret resources.
 externalSecrets:
-  oneShot: false
-  creationPolicy: Owner
-  secretCleanupLabel: "validatedpatterns.io/cleanup"
+  acs:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
+  adminUser:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
+  keycloakUsers:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
+  oidcClientSecret:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
+  postgresqlDb:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
+  rhtpa:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    refreshPolicy: Periodic
+    annotations: {}
+    labels: {}
 
 # -- Default-deny NetworkPolicy for the keycloak namespace.
 # When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress