
feat(keycloak): move to official images #2561

Merged
pepol merged 2 commits into main from peter/eng-8854-keycloak-official-image
Feb 26, 2026

pepol commented Feb 26, 2026

Summary by CodeRabbit

  • Chores
    • Updated Keycloak deployment configuration with standardized environment variables.
    • Optimized Docker image build process using multi-stage compilation.
    • Updated Keycloak service initialization paths and commands for improved compatibility.

Checklist

coderabbitai Bot commented Feb 26, 2026

Walkthrough

This PR migrates Keycloak from the Bitnami distribution to the official Keycloak image using multi-stage Docker builds, updates environment variable prefixes from KEYCLOAK_* to KC_*, and adds startup commands to Docker Compose services.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Compose Configuration: docker-compose.yml, docker-compose.full.yml | Replaced KEYCLOAK_* environment variables with KC_* prefixes, added start-dev, --import-realm, and --optimized flags to Keycloak service startup command, and updated realm import path from Bitnami to standard Keycloak location. |
| Keycloak Dockerfile: keycloak/Dockerfile | Converted to multi-stage build: replaced Bitnami base image with official quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}, added themebuilder and builder stages, updated work directory to /opt/keycloak, simplified build invocation, and added KC_* environment variables and explicit ENTRYPOINT. |
| Helm Configuration: helm/cosmo/values.yaml | Added comment indicating planned migration of Keycloak chart to codecentric/keycloakx after new image release. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(keycloak): move to official images' clearly and concisely describes the main change: migrating Keycloak from Bitnami images to official Keycloak images. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@pepol pepol force-pushed the peter/eng-8854-keycloak-official-image branch from a1f9013 to fd19840 Compare February 26, 2026 16:18
@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
helm/cosmo/values.yaml (1)

353-405: ⚠️ Potential issue | 🔴 Critical

Helm configuration uses Bitnami-style env vars, but the image is now based on official Keycloak.

The Dockerfile builds from the official quay.io/keycloak/keycloak:26.2.5 image and uses official Keycloak environment variables (KC_DB, KC_METRICS_ENABLED, KC_HEALTH_ENABLED) and the /opt/keycloak directory structure. However, the helm chart still uses Bitnami-specific environment variables (KEYCLOAK_EXTRA_ARGS, KEYCLOAK_ENABLE_HEALTH_ENDPOINTS, KEYCLOAK_DATABASE_PASSWORD) and mount paths (/opt/bitnami/keycloak/...).

The official Keycloak image won't recognize these Bitnami env vars and may fail to import the realm config due to the incorrect mount path. The helm deployment with the new custom image will be broken until the configuration is updated to use official Keycloak patterns.

Consider updating lines 385-390 to use KC_* variables and line 392 to use /opt/keycloak/ paths instead, or defer this helm chart migration along with the image update as noted in the TODO comment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@helm/cosmo/values.yaml` around lines 353 - 405, The Helm values are using
Bitnami-specific env vars and mount paths (KEYCLOAK_EXTRA_ARGS,
KEYCLOAK_ENABLE_HEALTH_ENDPOINTS, KEYCLOAK_DATABASE_PASSWORD and the
/opt/bitnami/keycloak/... mount) while the image is the official Keycloak;
update the env var names to official Keycloak variables (e.g., replace
KEYCLOAK_EXTRA_ARGS with KC_STARTUP_ARGS or appropriate KC_* variable,
KEYCLOAK_ENABLE_HEALTH_ENDPOINTS → KC_HEALTH_ENABLED, KEYCLOAK_DATABASE_PASSWORD
→ KC_DB_PASSWORD or set KC_DB and KC_DB_URL/credentials as required) and change
extraVolumeMounts mountPath from /opt/bitnami/keycloak/data/import/realm.json to
the official path under /opt/keycloak (e.g.,
/opt/keycloak/data/import/realm.json or the image’s expected import location),
leaving extraVolumes name (realm-config-volume) and extraEnvVars entries intact
but with the KC_* names; ensure the KEYCLOAK image repository reference
(wundergraph/cosmo/keycloak) and the TODO about migrating to
codecentric/keycloakx remain in place if you prefer deferring the migration.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48a1613 and fd19840.

📒 Files selected for processing (4)
  • docker-compose.full.yml
  • docker-compose.yml
  • helm/cosmo/values.yaml
  • keycloak/Dockerfile
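
The mismatch flagged in the review above can be caught mechanically before a deploy. The following is an added example, not code from this PR or the Cosmo repository: a line-based lint that flags KEYCLOAK_* env names and /opt/bitnami/keycloak paths in Helm values text. The `lint_values` name, the suggestion strings and the sample input are constructed for illustration; the two KC_* replacements are the ones the review names.

```python
import re

# Replacements the review itself names. Anything else under the old
# KEYCLOAK_* prefix is flagged for manual review instead of guessed.
KNOWN = {
    "KEYCLOAK_ENABLE_HEALTH_ENDPOINTS": "KC_HEALTH_ENABLED",
    "KEYCLOAK_DATABASE_PASSWORD": "KC_DB_PASSWORD",
}
ENV_NAME = re.compile(r"^\s*-?\s*name:\s*['\"]?(KEYCLOAK_[A-Z0-9_]+)")
BITNAMI_PATH = re.compile(r"(/opt/bitnami/keycloak\S*)")
MANUAL = "review: KC_* option or container args"


def lint_values(text):
    """Return (line_no, finding, suggestion) for each Bitnami leftover."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments such as the migration TODO are not config
        m = ENV_NAME.match(line)
        if m:
            name = m.group(1)
            findings.append((no, name, KNOWN.get(name, MANUAL)))
        p = BITNAMI_PATH.search(line)
        if p:
            path = p.group(1).strip("'\"")
            fixed = path.replace("/opt/bitnami/keycloak", "/opt/keycloak", 1)
            findings.append((no, path, fixed))
    return findings


# Constructed sample, shaped like the keys the review mentions.
SAMPLE = """\
keycloak:
  # TODO: migrate chart to codecentric/keycloakx
  extraEnvVars:
    - name: KEYCLOAK_EXTRA_ARGS
      value: "--import-realm"
    - name: KEYCLOAK_ENABLE_HEALTH_ENDPOINTS
      value: "true"
    - name: KC_DB
      value: "postgres"
  extraVolumeMounts:
    - name: realm-config-volume
      mountPath: /opt/bitnami/keycloak/data/import/realm.json
"""

if __name__ == "__main__":
    for no, found, fix in lint_values(SAMPLE):
        print(f"line {no}: {found} -> {fix}")
```

Running it in CI against the rendered values gives a failing signal when an image switch leaves the chart on the old variable names or mount paths.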

@StarpTech StarpTech left a comment

LGTM

@pepol pepol enabled auto-merge (squash) February 26, 2026 17:03
@pepol pepol merged commit 8e81d6b into main Feb 26, 2026
10 checks passed
@pepol pepol deleted the peter/eng-8854-keycloak-official-image branch February 26, 2026 17:07
@coderabbitai coderabbitai Bot mentioned this pull request Mar 9, 2026
5 tasks