fix: replace Bitnami dependencies with official upstream charts #593
Merged
vincentchalamon merged 16 commits into chore/bitnami (Mar 16, 2026)
Conversation

Copilot (AI) changed the title from "[WIP] Fix invalid Helm chart and replace external DNS dependency" to "Replace bitnami Helm chart dependencies with upstream alternatives" on Feb 5, 2026.

slim suggested changes on Feb 17, 2026.
# Conflicts:
#   helm/api-platform/Chart.lock
#   helm/api-platform/Chart.yaml
Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
- Add missing 'start' subcommand to Keycloak args (kc.sh requires it)
- Replace CNPG PostgreSQL image with standalone postgres:16-alpine for sidecar
- Fix E2E password selector for Keycloak 26.4 (getByRole instead of getByLabel)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…smatch

- Guard KC_BOOTSTRAP_ADMIN_* env vars on non-empty adminPassword to prevent crash when keycloak-admin-password secret is not set in PR environments
- Add --optimized flag to skip rebuild check on every start
- Add build-time options to Dockerfile (--db, --http-relative-path, --health-enabled, --metrics-enabled) to match runtime config
- Remove redundant build-time env vars from deployment template

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…p failure

Keycloak with --optimized checks that no provider JARs changed after the build. The JAR was copied after the build step, making its timestamp newer than the build artifacts and causing Keycloak to refuse startup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…nv vars

KC_PRODUCTION=true is a Bitnami-specific env var ignored by the official image. Keycloak start (production mode) requires TLS or http-enabled=true. Since TLS is terminated at the nginx ingress, enable HTTP and configure the proxy headers to trust X-Forwarded-* headers from the ingress.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ment port

The --http-relative-path build option also affects the management interface (port 9000). Health endpoints are at /<relative-path>/health/* not /health/*. Confirmed: /oidc/health/started returns 200, /health/started returns 404.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The k6 post-deploy check verifies that http:// redirects to https:// with a 301. ssl-redirect was set to false, preventing nginx from issuing the redirect. cert-manager provisions a valid TLS certificate on GKE so the redirect is safe.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…t trailing slash

nginx-ingress uses 308 (not 301) for ssl-redirect to preserve HTTP method. The Location header for root path omits the trailing slash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
vincentchalamon added a commit that referenced this pull request on Mar 16, 2026:

* chore: replace bitnami/postgresql with custom template
  # Conflicts:
  #   helm/api-platform/Chart.lock
  #   helm/api-platform/Chart.yaml
* chore: replace bitnami/keycloak with custom template
* Initial plan
* fix: replace bitnami/external-dns and fix Helm template issues
  Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
* fix: resolve Helm chart YAML parsing issues
  Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
* fix: correct PostgreSQL sidecar container probes and port protocol
  Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
* fix: fix deploy
* fix: fix by @claude
* fix: fix Keycloak deployment crash and E2E login selector
  - Add missing 'start' subcommand to Keycloak args (kc.sh requires it)
  - Replace CNPG PostgreSQL image with standalone postgres:16-alpine for sidecar
  - Fix E2E password selector for Keycloak 26.4 (getByRole instead of getByLabel)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: fix Keycloak startup crash on empty admin password and config mismatch
  - Guard KC_BOOTSTRAP_ADMIN_* env vars on non-empty adminPassword to prevent crash when keycloak-admin-password secret is not set in PR environments
  - Add --optimized flag to skip rebuild check on every start
  - Add build-time options to Dockerfile (--db, --http-relative-path, --health-enabled, --metrics-enabled) to match runtime config
  - Remove redundant build-time env vars from deployment template
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: copy provider JAR before kc.sh build to avoid --optimized startup failure
  Keycloak with --optimized checks that no provider JARs changed after the build. The JAR was copied after the build step, making its timestamp newer than the build artifacts and causing Keycloak to refuse startup.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: replace Bitnami KC_PRODUCTION with correct Keycloak HTTP/proxy env vars
  KC_PRODUCTION=true is a Bitnami-specific env var ignored by the official image. Keycloak start (production mode) requires TLS or http-enabled=true. Since TLS is terminated at the nginx ingress, enable HTTP and configure the proxy headers to trust X-Forwarded-* headers from the ingress.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: use httpRelativePath prefix for Keycloak health probes on management port
  The --http-relative-path build option also affects the management interface (port 9000). Health endpoints are at /<relative-path>/health/* not /health/*. Confirmed: /oidc/health/started returns 200, /health/started returns 404.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: enable nginx SSL redirect for HTTP→HTTPS 301
  The k6 post-deploy check verifies that http:// redirects to https:// with a 301. ssl-redirect was set to false, preventing nginx from issuing the redirect. cert-manager provisions a valid TLS certificate on GKE so the redirect is safe.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: configure Claude Code
* fix: update k6 check to accept nginx 308 redirect and location without trailing slash
  nginx-ingress uses 308 (not 301) for ssl-redirect to preserve HTTP method. The Location header for root path omits the trailing slash.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------
Co-authored-by: Vincent Chalamon <407859+vincentchalamon@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
vincentchalamon added a commit that referenced this pull request on Mar 16, 2026:

* chore: replace bitnami/postgresql with custom template
* chore: replace bitnami/keycloak with custom template
* fix: replace Bitnami dependencies with official upstream charts (#593)
  * chore: replace bitnami/postgresql with custom template
    # Conflicts:
    #   helm/api-platform/Chart.lock
    #   helm/api-platform/Chart.yaml
  * chore: replace bitnami/keycloak with custom template
  * Initial plan
  * fix: replace bitnami/external-dns and fix Helm template issues
    Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
  * fix: resolve Helm chart YAML parsing issues
    Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
  * fix: correct PostgreSQL sidecar container probes and port protocol
    Co-authored-by: vincentchalamon <407859+vincentchalamon@users.noreply.github.com>
  * fix: fix deploy
  * fix: fix by @claude
  * fix: fix Keycloak deployment crash and E2E login selector
    - Add missing 'start' subcommand to Keycloak args (kc.sh requires it)
    - Replace CNPG PostgreSQL image with standalone postgres:16-alpine for sidecar
    - Fix E2E password selector for Keycloak 26.4 (getByRole instead of getByLabel)
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  * fix: fix Keycloak startup crash on empty admin password and config mismatch
    - Guard KC_BOOTSTRAP_ADMIN_* env vars on non-empty adminPassword to prevent crash when keycloak-admin-password secret is not set in PR environments
    - Add --optimized flag to skip rebuild check on every start
    - Add build-time options to Dockerfile (--db, --http-relative-path, --health-enabled, --metrics-enabled) to match runtime config
    - Remove redundant build-time env vars from deployment template
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  * fix: copy provider JAR before kc.sh build to avoid --optimized startup failure
    Keycloak with --optimized checks that no provider JARs changed after the build. The JAR was copied after the build step, making its timestamp newer than the build artifacts and causing Keycloak to refuse startup.
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  * fix: replace Bitnami KC_PRODUCTION with correct Keycloak HTTP/proxy env vars
    KC_PRODUCTION=true is a Bitnami-specific env var ignored by the official image. Keycloak start (production mode) requires TLS or http-enabled=true. Since TLS is terminated at the nginx ingress, enable HTTP and configure the proxy headers to trust X-Forwarded-* headers from the ingress.
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  * fix: use httpRelativePath prefix for Keycloak health probes on management port
    The --http-relative-path build option also affects the management interface (port 9000). Health endpoints are at /<relative-path>/health/* not /health/*. Confirmed: /oidc/health/started returns 200, /health/started returns 404.
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  * fix: enable nginx SSL redirect for HTTP→HTTPS 301
    The k6 post-deploy check verifies that http:// redirects to https:// with a 301. ssl-redirect was set to false, preventing nginx from issuing the redirect. cert-manager provisions a valid TLS certificate on GKE so the redirect is safe.
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  * chore: configure Claude Code
  * fix: update k6 check to accept nginx 308 redirect and location without trailing slash
    nginx-ingress uses 308 (not 301) for ssl-redirect to preserve HTTP method. The Location header for root path omits the trailing slash.
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  ---------
  Co-authored-by: Vincent Chalamon <407859+vincentchalamon@users.noreply.github.com>
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(helm): address PR review comments
  - Fix serverVersion in database-url secret: use 16 to match values.yaml
  - Remove KC_PRODUCTION from compose.prod.yaml (not a valid Keycloak env var)
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore(helm): remove obsolete Bitnami values
  Remove values.yaml keys that were consumed by bitnami/keycloak and bitnami/postgresql Helm charts but are never read by the custom templates:
  - postgresPassword (superuser password, unused by CloudNative PG and postgres sidecar)
  - keycloak.proxy (hardcoded as KC_PROXY_HEADERS in keycloak-deployment.yaml)
  - keycloak.tls (not wired in the custom template)
  - keycloak.startupProbe / readinessProbe / livenessProbe (hardcoded in template)
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
❓ Why

Bitnami Helm charts now sit behind a paywall (OCI registry requiring a subscription). This blocks CI/CD pipelines and prevents a fresh `helm dependency build` from completing without paid credentials.

This PR finishes the work started in #553 to make the Helm chart 100% independent of Bitnami, using only free, upstream alternatives.

📝 Changes

external-dns: custom template → official chart

- `external-dns-deployment.yaml` (Deployment, ServiceAccount, RBAC, Secret) → `external-dns` chart `1.20.0` from `kubernetes-sigs` as a subchart dependency in `Chart.yaml`
- `values.yaml` `external-dns:` section: matches the official chart schema (`provider.name`, `env`, `sources`, `policy`, etc.)
- `deploy.yml` and `ci.yml` workflows: replaced `helm repo add stable https://charts.helm.sh/stable/` with the external-dns repo, and updated `--set` flags to match the official chart's values schema

Keycloak deployment: 5 bug fixes

- `KC_BOOTSTRAP_ADMIN_USERNAME`: removed the unconditional block that incorrectly pointed to the `keycloak-database-password` secret; the conditional block (when `createAdminUser` is true) is the correct one
- `extraEnvVars` nil guard: wrapped with `{{- with }}` to avoid rendering errors when `extraEnvVars` is not set
- `keycloak.image.registry` in values.yaml: removed (deploy.yml passes the full path via `--set keycloak.image.repository=...`)
- Probes: `GET /` on port `http` (8080) → Keycloak's management endpoints on port `api` (9000): `/health/live`, `/health/ready`, `/health/started` (startup probe)
- `replicas: 1` (see note below)

ConfigMap fix

- Removed `| b64enc` from the `else` branch of `keycloak-database-url` — a ConfigMap must not contain base64-encoded values

Chart version

- `version` and `appVersion` set to `4.3.0` (was incorrectly downgraded to `4.2.15`)

Keycloak replicas are hardcoded to `1`. This is intentional and required by the current architecture:

- PostgreSQL runs as a sidecar container inside the Keycloak pod (not as a shared external database). The `KC_DB_URL` points to `localhost:5432`.
- Scaling to 2+ replicas would create separate isolated PostgreSQL instances per pod — users, sessions, and realms would diverge immediately, causing data corruption.
- Keycloak's embedded Infinispan can form a cluster between nodes, but it only replicates in-memory caches, not database writes. Without a shared database, multi-replica Keycloak is broken by design.

To enable HA Keycloak (2+ replicas), the prerequisite is to externalize PostgreSQL (dedicated StatefulSet, CloudSQL, etc.) so all Keycloak pods share a single database. This is out of scope for this PR.

Note from @vincentchalamon: additionally, this project is a simple demo; there is no need to override its architecture and infrastructure. A single Keycloak replica with a single database is more than enough for a demo!
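Two of the checks discussed in this PR are easy to get subtly wrong: the k6 post-deploy assertion that `http://` redirects to `https://` (nginx-ingress answers with 308 rather than 301, and omits the trailing slash for the root path), and the health-probe paths on Keycloak's management port, which move under the `--http-relative-path` prefix. The block below is an added example, not the project's k6 script or any code from this PR: plain Node.js functions `checkSslRedirect`, `managementHealthPath` and `runChecks` (names assumed) run over constructed sample responses, so it executes offline. It accepts both 301 and 308, compares the `Location` header after normalising the trailing slash, and rejects a redirect that does not land on the HTTPS form of the same host.

```javascript
// Added example: post-deploy checks for the HTTP->HTTPS redirect and the
// Keycloak management health paths described in this PR. Not the project's
// k6 script; function names and sample responses are assumptions.

// nginx-ingress ssl-redirect answers 308 (method-preserving); older setups
// used 301. Both count as a redirect; anything else is a failure.
const REDIRECT_STATUSES = new Set([301, 308]);

// Normalise a URL so "https://host" and "https://host/" compare equal, since
// nginx omits the trailing slash in Location for the root path.
function normalizeUrl(raw) {
  const u = new URL(raw);
  const path = u.pathname.replace(/\/+$/, '') || '/';
  return `${u.protocol}//${u.host}${path}${u.search}`;
}

// Validate one http:// request's response. Returns { ok, reason }.
// The Location must be the HTTPS form of the requested URL: a redirect to a
// different host, or back to http://, is reported as a failure.
function checkSslRedirect(requestUrl, status, locationHeader) {
  if (!REDIRECT_STATUSES.has(status)) {
    return { ok: false, reason: `expected 301 or 308, got ${status}` };
  }
  if (!locationHeader) {
    return { ok: false, reason: 'missing Location header' };
  }
  const expected = normalizeUrl(requestUrl.replace(/^http:/, 'https:'));
  const actual = normalizeUrl(locationHeader);
  if (actual !== expected) {
    return { ok: false, reason: `Location ${locationHeader} does not match ${expected}` };
  }
  return { ok: true, reason: 'redirects to HTTPS' };
}

// Keycloak's --http-relative-path build option also prefixes the management
// interface (port 9000): with "oidc" the probes live at /oidc/health/*.
// Leading/trailing slashes in the configured value are tolerated.
function managementHealthPath(httpRelativePath, probe) {
  const leaves = { startup: 'started', readiness: 'ready', liveness: 'live' };
  const leaf = leaves[probe];
  if (!leaf) throw new Error(`unknown probe kind: ${probe}`);
  const prefix = (httpRelativePath || '/').replace(/^\/+|\/+$/g, '');
  return prefix ? `/${prefix}/health/${leaf}` : `/health/${leaf}`;
}

// Constructed sample responses (not captured from a real deployment).
const SAMPLE_RESPONSES = [
  { url: 'http://demo.example/', status: 308, location: 'https://demo.example' },
  { url: 'http://demo.example/', status: 301, location: 'https://demo.example/' },
  { url: 'http://demo.example/', status: 200, location: null },
  { url: 'http://demo.example/', status: 308, location: 'http://demo.example/' },
];

// Run the redirect check over a list of responses; returns one result per input.
function runChecks(responses) {
  return responses.map((r) => Object.assign({}, r, checkSslRedirect(r.url, r.status, r.location)));
}

for (const r of runChecks(SAMPLE_RESPONSES)) {
  console.log(`${r.status} ${r.location || '-'} -> ${r.ok ? 'PASS' : 'FAIL'} (${r.reason})`);
}
for (const probe of ['startup', 'readiness', 'liveness']) {
  console.log(`${probe}: ${managementHealthPath('oidc', probe)}`);
}
```

The first two sample responses pass (308 without and 301 with the trailing slash), the third fails because no redirect was issued (the `ssl-redirect: false` situation the PR fixed), and the fourth fails because the redirect does not move the client to HTTPS. Keeping the host comparison strict matters for a check that runs right after a deploy: a misconfigured ingress that redirects to the wrong host would otherwise still look like a successful redirect.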