feat(RHIDP-9113): Update Keycloak configuration for Red Hat Build of Keycloak (RHBK):

- Remove /auth prefix from KEYCLOAK_BASE_URL endpoints
- Update OIDC issuer URLs: /auth/realms/ → /realms/
- Add PostgreSQL database configuration to Keycloak CR
- Configure bootstrap admin credentials and proxy headers

Author: skestwal

ci-scripts/rhdh-setup/create_resource.sh

@@ -195,7 +195,7 @@ get_group_path_by_name() {
   local group_name="$input"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
 
@@ -221,7 +221,7 @@ get_group_id_by_name() {
   group_name="$1"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
 
@@ -269,7 +269,7 @@ assign_parent_group() {
   attempt=1
   while (( attempt <= max_attempts )); do
     token=$(get_token)
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups/${parent_id}/children" \
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups/${parent_id}/children" \
       -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
       --data-raw '{"name":"'"${child_name}"'"}' 2>&1)"
     if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -296,7 +296,7 @@ create_group() {
       groupname="g${idx}"
       while ((attempt <= max_attempts)); do
         token=$(get_token)
-        response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+        response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
           -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
           --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
         if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -319,7 +319,7 @@ create_group() {
     groupname="g${idx}"
     while ((attempt <= max_attempts)); do
       token=$(get_token)
-      response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+      response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
         -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
         --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
       if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -444,7 +444,7 @@ create_user() {
   while ((attempt <= max_attempts)); do
     token=$(get_token)
     username="t${0}"
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/users" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
       --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com","emailVerified":"true", "enabled":"true", "username":"'"${username}"'","groups":'"$groups"',"credentials":[{"type":"password","value":"'"${KEYCLOAK_USER_PASS}"'","temporary":false}]}' 2>&1)"
@@ -499,7 +499,7 @@ log_token_err() {
 }
 
 keycloak_token() {
-  curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=$1" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
+  curl -s -k "$(keycloak_url)/realms/master/protocol/openid-connect/token" -d username=admin -d "password=$1" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
 }
 
 rhdh_token() {
@@ -526,7 +526,7 @@ rhdh_token() {
     --data-urlencode "redirect_uri=${REDIRECT_URL}" \
     --data-urlencode "scope=openid email profile" \
     --data-urlencode "response_type=code" \
-    "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+    "$(keycloak_url)/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
 
   execution=$(echo "$AUTH_URL" | grep -oE 'execution=[^&]+' | grep -oE '[^=]+$')
   tab_id=$(echo "$AUTH_URL" | grep -oE 'tab_id=[^&]+' | grep -oE '[^=]+$')

ci-scripts/rhdh-setup/deploy.sh

@@ -251,6 +251,10 @@ keycloak_install() {
     envsubst <template/keycloak/keycloak.yaml | $clin apply -f -
     wait_to_start statefulset rhdh-keycloak 450 600
 
+    $clin create secret generic credential-rhdh-keycloak \
+        --from-literal=ADMIN_PASSWORD=admin \
+        --dry-run=client -o yaml | $clin apply -f -
+
     $clin create route edge keycloak \
         --service=rhdh-keycloak-service \
         --port=8080 \

ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml

@@ -57,7 +57,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml

@@ -57,7 +57,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml

@@ -18,7 +18,7 @@ extraContainers:
             key: keycloak_cookie_secret
             name: perf-test-secrets
       - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
       - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
         value: "true"
       - name: OAUTH2_PROXY_LOGGING_LEVEL

ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml

@@ -18,7 +18,7 @@ spec:
     extraEnvs:
       envs:
         - name: KEYCLOAK_BASE_URL
-          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
         - name: KEYCLOAK_LOGIN_REALM
           value: "backstage"
         - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml

@@ -40,7 +40,7 @@ spec:
                   key: keycloak_cookie_secret
                   name: perf-test-secrets
             - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
             - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
               value: "true"
           image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0

ci-scripts/rhdh-setup/template/keycloak/keycloak.yaml

@@ -6,14 +6,27 @@ metadata:
     app: keycloak
 spec:
   instances: ${RHDH_KEYCLOAK_REPLICAS}
+  db:
+    vendor: postgres
+    host: keycloak-postgresql
+    port: 5432
+    database: keycloak
+    usernameSecret:
+      name: keycloak-db-user
+      key: keycloak-db-user
+    passwordSecret:
+      name: keycloak-postgresql
+      key: password
   hostname:
     strict: false
   http:
     httpEnabled: true
   ingress:
     enabled: true
   additionalOptions:
-    - name: hostname-strict
-      value: "false"
-    - name: http-enabled
-      value: "true"
+    - name: bootstrap-admin-username
+      value: admin
+    - name: bootstrap-admin-password
+      value: admin
+    - name: proxy-headers
+      value: forwarded