commit ce8bd8d64ea2728dd97d903c43b3e3c659fc1d0e Author: Wolfgang Hottgenroth Date: Mon Jan 19 16:24:02 2026 +0100 initial
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..012e0c3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+secrets.txt
+
diff --git a/ENVDB b/ENVDB
new file mode 100644
index 0000000..0e71642
--- /dev/null
+++ b/ENVDB
@@ -0,0 +1,7 @@
+DBNAMESPACE=database1
+DEPLOYNAME=database
+PGUSER=`kubectl get secret -n $DBNAMESPACE $DEPLOYNAME -o jsonpath="{.data.superuser-username}" | base64 --decode`
+PGHOST=`kubectl get services $DEPLOYNAME -n $DBNAMESPACE -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
+PGPASSWORD=`kubectl get secret -n $DBNAMESPACE $DEPLOYNAME -o jsonpath="{.data.superuser-password}" | base64 --decode`
+PGSSLMODE=require
+export PGUSER PGHOST PGPASSWORD PGSSLMODE
diff --git a/encrypt-secrets.sh b/encrypt-secrets.sh
new file mode 100755
index 0000000..c3e991c
--- /dev/null
+++ b/encrypt-secrets.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..ee803e0
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+
+VERSION=0.13.0
+NAMESPACE=$(cat namespace)
+
+. ./ENVDB
+
+kubectl create namespace $NAMESPACE || echo "namespace already exists"
+
+SECRETS_PLAINTEXT=$(mktemp)
+gpg --pinentry-mode=loopback --decrypt --output $SECRETS_PLAINTEXT secrets.asc
+kubectl create secret generic keycloak-secrets \
+  --from-env-file=$SECRETS_PLAINTEXT \
+  --dry-run=client -o yaml | \
+  kubectl apply -f - -n $NAMESPACE
+rm $SECRETS_PLAINTEXT
+
+
+./roll-db-credential.sh
+
+
+helm upgrade --install keycloak2 -f values.yml oci://registry-1.docker.io/cloudpirates/keycloak --version $VERSION --namespace=$NAMESPACE
+
+
diff --git a/namespace b/namespace
new file mode 100644
index 0000000..ddb9ebf
--- /dev/null
+++ b/namespace
@@ -0,0 +1 @@
+keycloak2
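Review bot: `PGSSLMODE=require` on the second-to-last line encrypts the session to the load-balancer IP read into PGHOST but does not check the server certificate, so the cluster superuser password fetched into PGPASSWORD is offered to whichever endpoint answers at that address; if the cluster CA is at hand, `PGSSLMODE=verify-ca` (or `verify-full` when the certificate covers the address) together with `PGSSLROOTCERT=<ca.crt>` closes that gap. The three backtick substitutions have no failure handling: when `kubectl get secret` fails, PGUSER and PGPASSWORD are silently empty and the sourcing script carries on, so a guard such as `: "${PGPASSWORD:?could not read superuser password}"` after the export line (and `$(…)` in place of backticks) would make the fault visible. These seven lines also appear verbatim at the top of roll-db-credential.sh in this commit; that script could `. ./ENVDB` the way install.sh already does, so the credential source is defined once.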
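Review bot: After the gpg command finishes, the plaintext `secrets.txt` is still on disk beside the encrypted `secrets.asc`, and nothing in this script removes it or tells the operator to; the .gitignore entry only keeps it out of the repository. Either append `shred -u -- secrets.txt` (best effort on copy-on-write or journaled filesystems, so `rm -f -- secrets.txt` is the floor) after a successful encryption, or add a header comment stating that the operator must delete the plaintext by hand once `secrets.asc` has been produced. A one-line header such as `# Encrypts secrets.txt (KEY=value lines consumed by install.sh) into secrets.asc with a symmetric passphrase` would also document the file's role.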
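Review bot: The decrypted secrets in `$SECRETS_PLAINTEXT` are removed only by the unconditional `rm` after the `kubectl apply` pipeline; with no `set -e` and no trap, a gpg failure (wrong passphrase) leaves the `mktemp` file empty, `--from-env-file` turns that into a Secret with no data, and `apply` writes it over the existing keycloak-secrets, while a failure inside the kubectl pipeline leaves the plaintext behind in /tmp. Adding `set -euo pipefail` after the shebang and `trap 'rm -f -- "$SECRETS_PLAINTEXT"' EXIT` right after the `mktemp` line (dropping the later `rm`) covers both paths; the temp file could be avoided entirely by piping `gpg --decrypt secrets.asc` into `--from-env-file=/dev/stdin`, if that works with the kubectl version in use. Separately, `kubectl create namespace $NAMESPACE || echo "namespace already exists"` treats every failure (RBAC denial, unreachable API server) as "already exists", so `kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"` would be more honest. The chart is pulled by the mutable tag `--version 0.13.0` from a third-party OCI repository; if reproducibility of what lands in the cluster matters, pin or verify the chart digest rather than the tag alone.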
diff --git a/roll-db-credential.sh b/roll-db-credential.sh
new file mode 100755
index 0000000..7c6814a
--- /dev/null
+++ b/roll-db-credential.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+
+
+DBNAMESPACE=database1
+DEPLOYNAME=database
+PGUSER=`kubectl get secret -n $DBNAMESPACE $DEPLOYNAME -o jsonpath="{.data.superuser-username}" | base64 --decode`
+PGHOST=`kubectl get services $DEPLOYNAME -n $DBNAMESPACE -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
+PGPASSWORD=`kubectl get secret -n $DBNAMESPACE $DEPLOYNAME -o jsonpath="{.data.superuser-password}" | base64 --decode`
+PGSSLMODE=require
+export PGUSER PGHOST PGPASSWORD PGSSLMODE
+
+DB_USER=keycloak2
+DB_PASSWD=$(openssl rand -base64 24)
+
+NAMESPACE=$(cat namespace)
+
+psql <