feat(RHIDP-9113): add custom PostgreSQL StatefulSet for Keycloak

skestwal · skestwal · commit 1ca39bc198a0 · 2025-10-15T13:26:13.000+05:30
- Add dedicated PostgreSQL StatefulSet/Service/Secret for Keycloak

- Update deploy.sh to generate password and apply DB resources

- Prepare Keycloak to use external PostgreSQL instead of in-memory DB

Signed-off-by: skestwal &lt;skestwal@redhat.com&gt;
diff --git a/ci-scripts/rhdh-setup/deploy.sh b/ci-scripts/rhdh-setup/deploy.sh
@@ -188,8 +188,26 @@ keycloak_install() {
     envsubst <template/backstage/perf-test-secrets.yaml | $clin apply -f -
     grep -m 1 "rhbk-operator" <($clin get pods -w)
     wait_to_start deployment rhbk-operator 300 300
+
+    export KEYCLOAK_DB_PASSWORD
+    KEYCLOAK_DB_PASSWORD=$(mktemp -u XXXXXXXXXX)
+    export KEYCLOAK_DB_STORAGE
+    KEYCLOAK_DB_STORAGE=${KEYCLOAK_DB_STORAGE:-${RHDH_DB_STORAGE:-1Gi}}
+
+    log_info "Creating Keycloak PostgreSQL database with storage: $KEYCLOAK_DB_STORAGE"
+    envsubst <template/keycloak/keycloak-postgresql.yaml | $clin apply -f -
+    wait_to_start statefulset keycloak-postgresql 300 300
+
+    $clin create secret generic keycloak-db-user --from-literal=keycloak-db-user=keycloak --dry-run=client -o yaml | $clin apply -f -
+
     envsubst <template/keycloak/keycloak.yaml | $clin apply -f -
     wait_to_start statefulset rhdh-keycloak 450 600
+
+    $clin create route edge keycloak \
+        --service=rhdh-keycloak-service \
+        --port=8080 \
+        --dry-run=client -o yaml | $clin apply -f -
+
     if [ "$INSTALL_METHOD" == "helm" ]; then
         export OAUTH2_REDIRECT_URI=https://${RHDH_HELM_RELEASE_NAME}-${RHDH_HELM_CHART}-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/oauth2/callback
     elif [ "$INSTALL_METHOD" == "olm" ]; then
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+type: Opaque
+stringData:
+  postgres-password: ${KEYCLOAK_DB_PASSWORD}
+  password: ${KEYCLOAK_DB_PASSWORD}
+  replication-password: ${KEYCLOAK_DB_PASSWORD}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  type: ClusterIP
+  ports:
+    - name: tcp-postgresql
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app: keycloak-postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  serviceName: keycloak-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak-postgresql
+  template:
+    metadata:
+      labels:
+        app: keycloak-postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: registry.redhat.io/rhel9/postgresql-15:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: tcp-postgresql
+              containerPort: 5432
+          env:
+            - name: POSTGRESQL_USER
+              value: keycloak
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: password
+            - name: POSTGRESQL_DATABASE
+              value: keycloak
+            - name: POSTGRESQL_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: postgres-password
+            - name: PGDATA
+              value: /var/lib/pgsql/data/userdata
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/pgsql/data
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: ${KEYCLOAK_DB_STORAGE}
