services/keycloak
Keycloak is deployed via raw manifests and backed by the shared Postgres (postgres-service.postgres.svc.cluster.local:5432). Create these secrets before applying:
# DB creds (per-service DB/user in shared Postgres)
kubectl -n sso create secret generic keycloak-db \
  --from-literal=username=keycloak \
  --from-literal=password='<DB_PASSWORD>' \
  --from-literal=database=keycloak
# Admin console creds (maps to KC admin user)
kubectl -n sso create secret generic keycloak-admin \
  --from-literal=username=brad@bstein.dev \
  --from-literal=password='<ADMIN_PASSWORD>'
Apply:
kubectl apply -k services/keycloak
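The `--from-literal=password=...` form above puts the password in shell history and in the process argument list. As an added example (not part of this repo), the helper below renders the same two Secrets from a password file or stdin and pipes the manifest to kubectl; the function names `b64` and `render_secret` are hypothetical, while the namespace, secret names and keys are the ones this README uses.

```bash
#!/usr/bin/env bash
# Added example: render the keycloak-db / keycloak-admin Secret manifests
# without passing the password as a command-line argument.
# Function names are hypothetical; namespace, names and keys are from the README.

# b64: base64-encode stdin as a single line (base64 wraps long output by default).
b64() { base64 | tr -d '\n'; }

# render_secret NAME PASSWORD_FILE KEY=VALUE...
# Prints an Opaque Secret for namespace sso. The password is read from
# PASSWORD_FILE (use /dev/stdin to pipe it in) and stored under "password".
# Values go into base64 "data", so characters such as ':' or '#' need no YAML quoting.
render_secret() {
  local name=$1 pwfile=$2 kv pw
  shift 2
  # Command substitution strips the trailing newline an editor or echo adds.
  pw=$(cat -- "$pwfile") || return 1
  [ -n "$pw" ] || { echo "empty password for $name" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: sso\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(printf '%s' "${kv#*=}" | b64)"
  done
  printf '  password: %s\n' "$(printf '%s' "$pw" | b64)"
}

# Usage in bash (the prompt keeps the password out of history and argv):
#   read -rs -p 'DB password: ' pw
#   printf '%s' "$pw" | render_secret keycloak-db /dev/stdin \
#       username=keycloak database=keycloak | kubectl create -f -
#   read -rs -p 'Admin password: ' pw
#   printf '%s' "$pw" | render_secret keycloak-admin /dev/stdin \
#       username=brad@bstein.dev | kubectl create -f -
#   unset pw
```

The rendered manifest contains the password in base64, which is encoding and not encryption, so pipe it straight to kubectl and do not write it to disk or commit it.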
Notes
- Service: keycloak.sso.svc:80 (Ingress sso.bstein.dev, TLS via cert-manager).
- Uses Postgres schema public; DB/user should be provisioned in the shared Postgres instance.
- Health endpoints on :9000 are wired for probes.