# services/keycloak

Keycloak is deployed via raw manifests and backed by the shared Postgres (`postgres-service.postgres.svc.cluster.local:5432`). Create these secrets before applying:

```bash
# DB creds (per-service DB/user in shared Postgres)
kubectl -n sso create secret generic keycloak-db \
  --from-literal=username=keycloak \
  --from-literal=password='' \
  --from-literal=database=keycloak

# Admin console creds (maps to KC admin user)
kubectl -n sso create secret generic keycloak-admin \
  --from-literal=username=brad@bstein.dev \
  --from-literal=password=''
```

Apply:

```bash
kubectl apply -k services/keycloak
```

Notes

- Service: `keycloak.sso.svc:80` (Ingress `sso.bstein.dev`, TLS via cert-manager).
- Uses Postgres schema `public`; DB/user should be provisioned in the shared Postgres instance.
- Health endpoints on :9000 are wired for probes.
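A preflight check for the `keycloak-db` and `keycloak-admin` secrets described above, to run before `kubectl apply -k services/keycloak`. This is an added example, not part of this repository: the function names are hypothetical, and it assumes `kubectl` access to the `sso` namespace and the key names used in the `--from-literal` flags. It reports keys that are missing or were created with an empty value, and prints only value lengths, never the values.

```shell
#!/usr/bin/env bash
# Added example: verify the secrets this README requires exist and are non-empty.
# Assumption: required keys are exactly the --from-literal keys shown in the README.

# Reads "key=<length of stored value>" lines on stdin; args are the required keys.
# Prints each problem found and returns 1 if any key is missing or empty.
check_keys() {
  input=$(cat)
  rc=0
  for key in "$@"; do
    len=$(printf '%s\n' "$input" | sed -n "s/^${key}=//p" | head -n 1)
    if [ -z "$len" ]; then
      echo "missing key: $key"; rc=1
    elif [ "$len" -eq 0 ]; then
      echo "empty value: $key"; rc=1
    fi
  done
  return $rc
}

# Emits key=<length> for every data key of one secret in the sso namespace.
# Only lengths are printed, so nothing sensitive reaches the terminal or logs.
secret_key_lengths() {
  kubectl -n sso get secret "$1" \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{len $v}}{{"\n"}}{{end}}'
}

# A secret that does not exist yields no lines, so all its keys show as missing.
preflight() {
  secret_key_lengths keycloak-db | check_keys username password database || return 1
  secret_key_lengths keycloak-admin | check_keys username password || return 1
  echo "secrets ok"
}

# Run the check only when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```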