diff --git a/helm/cosmo/CHART.md b/helm/cosmo/CHART.md index 4e5697f07d..444684f038 100644 --- a/helm/cosmo/CHART.md +++ b/helm/cosmo/CHART.md @@ -11,6 +11,7 @@ This is the official Helm Chart for WunderGraph Cosmo - The Full Lifecycle Graph | Name | Email | Url | | ---- | ------ | --- | | Dustin Deus | | | +| Peter Polacik | | | ## Requirements @@ -23,7 +24,7 @@ This is the official Helm Chart for WunderGraph Cosmo - The Full Lifecycle Graph | | router | ^0 | | | studio | ^0 | | https://charts.bitnami.com/bitnami | clickhouse | ^5.0.2 | -| https://charts.bitnami.com/bitnami | keycloak | ^17.3.1 | +| https://codecentric.github.io/helm-charts | keycloakx | ^7.1.8 | | https://charts.bitnami.com/bitnami | minio | 12.10.0 | | https://charts.bitnami.com/bitnami | postgresql | 12.8.0 | | https://charts.bitnami.com/bitnami | redis | 18.9.1 | diff --git a/helm/cosmo/Chart.lock b/helm/cosmo/Chart.lock index 2331aa84ee..85583306f0 100644 --- a/helm/cosmo/Chart.lock +++ b/helm/cosmo/Chart.lock @@ -20,9 +20,9 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami version: 12.12.10 -- name: keycloak - repository: https://charts.bitnami.com/bitnami - version: 22.0.0 +- name: keycloakx + repository: https://codecentric.github.io/helm-charts + version: 7.1.8 - name: clickhouse repository: https://charts.bitnami.com/bitnami version: 6.2.14 @@ -32,5 +32,5 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami version: 19.3.3 -digest: sha256:ca5d96eb18eb17314f0ca5048a25b9050942c17c9bdae669134e7ebf11fb3ecf -generated: "2024-09-23T15:19:35.81985+05:30" +digest: sha256:c5d01848a4217b447e1e5c7501f8899188fbce7c80ad2698174f1d078c6de311 +generated: "2026-02-27T17:47:35.700464+01:00" diff --git a/helm/cosmo/Chart.yaml b/helm/cosmo/Chart.yaml index d64376133c..2b64c261e9 100644 --- a/helm/cosmo/Chart.yaml +++ b/helm/cosmo/Chart.yaml 
@@ -68,10 +68,11 @@ dependencies: version: '12.12.10' condition: global.postgresql.enabled repository: 'https://charts.bitnami.com/bitnami' - - name: keycloak - version: '22.0.0' - repository: 'https://charts.bitnami.com/bitnami' + - name: keycloakx + version: '7.1.8' + repository: 'https://codecentric.github.io/helm-charts' condition: global.keycloak.enabled + alias: keycloak - name: clickhouse version: '6.2.14' condition: global.clickhouse.enabled diff --git a/helm/cosmo/README.md b/helm/cosmo/README.md index d32067d007..56fdee4377 100644 --- a/helm/cosmo/README.md +++ b/helm/cosmo/README.md @@ -25,10 +25,10 @@ This is the official Helm Chart for WunderGraph Cosmo - The Full Lifecycle Graph | | router | ^0 | | | studio | ^0 | | https://charts.bitnami.com/bitnami | clickhouse | 6.2.14 | -| https://charts.bitnami.com/bitnami | keycloak | 22.0.0 | | https://charts.bitnami.com/bitnami | minio | 14.6.25 | | https://charts.bitnami.com/bitnami | postgresql | 12.12.10 | | https://charts.bitnami.com/bitnami | redis | 19.3.3 | +| https://codecentric.github.io/helm-charts | keycloak(keycloakx) | 7.1.8 | ## Values @@ -122,7 +122,7 @@ This is the official Helm Chart for WunderGraph Cosmo - The Full Lifecycle Graph | global.helmTests.enabled | bool | `false` | | | global.keycloak.adminPassword | string | `"changeme"` | | | global.keycloak.adminUser | string | `"admin"` | | -| global.keycloak.apiUrl | string | `"http://cosmo-keycloak:8080"` | | +| global.keycloak.apiUrl | string | `"http://cosmo-keycloak-http:8080"` | | | global.keycloak.clientId | string | `"studio"` | | | global.keycloak.database | string | `"keycloak"` | | | global.keycloak.databasePassword | string | `"changeme"` | | 
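Review bot: `alias: keycloak` keeps the old `keycloak:` values key while the subchart behind it changes, so overrides written for the previous chart (`keycloak.auth.adminPassword`, `keycloak.externalDatabase.*`, `keycloak.extraEnvVars`, all removed in the values.yaml hunk of this diff) would presumably be accepted and ignored on upgrade rather than rejected. An operator who had replaced the `changeme` defaults only under those keys falls back to the chart defaults without any error. I would add a comment above the entry, e.g. `# keycloakx is aliased to 'keycloak'; values written for the former bitnami chart are not compatible`, and list the renamed keys in the upgrade notes. Separately, the dependency now comes from a new upstream repository and the packaged `charts/keycloakx-7.1.8.tgz` cannot be reviewed here. As far as I know the `Chart.lock` digest covers the dependency list rather than the archive bytes, so rebuilding the archive with `helm dependency build` in CI and comparing it to the committed file is worth doing. The `dependencies:` list starts and ends outside this hunk.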
@@ -168,38 +168,32 @@ This is the official Helm Chart for WunderGraph Cosmo - The Full Lifecycle Graph | graphqlmetrics.configuration.prometheus.port | int | `8088` | The port where metrics are exposed. Default is port 8088. | | ingress.annotations | object | `{}` | | | ingress.enabled | bool | `true` | | -| keycloak.auth.adminPassword | string | `"changeme"` | | -| keycloak.auth.adminUser | string | `"admin"` | | -| keycloak.cache.enabled | bool | `false` | | -| keycloak.externalDatabase.database | string | `"keycloak"` | | -| keycloak.externalDatabase.host | string | `"cosmo-postgresql"` | | -| keycloak.externalDatabase.port | int | `5432` | | -| keycloak.externalDatabase.user | string | `"postgres"` | | -| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` | | -| keycloak.extraEnvVars[0].value | string | `"--import-realm --optimized"` | | -| keycloak.extraEnvVars[1].name | string | `"KEYCLOAK_ENABLE_HEALTH_ENDPOINTS"` | | -| keycloak.extraEnvVars[1].value | string | `"true"` | | -| keycloak.extraEnvVars[2].name | string | `"KEYCLOAK_DATABASE_PASSWORD"` | | -| keycloak.extraEnvVars[2].value | string | `"changeme"` | | -| keycloak.extraVolumeMounts[0].mountPath | string | `"/opt/bitnami/keycloak/data/import/realm.json"` | | -| keycloak.extraVolumeMounts[0].name | string | `"realm-config-volume"` | | -| keycloak.extraVolumeMounts[0].readOnly | bool | `true` | | -| keycloak.extraVolumeMounts[0].subPath | string | `"realm.json"` | | -| keycloak.extraVolumes[0].configMap.name | string | `"keycloak-realm"` | | -| keycloak.extraVolumes[0].name | string | `"realm-config-volume"` | | +| keycloak.args[0] | string | `"start"` | | +| keycloak.args[1] | string | `"--import-realm"` | | +| keycloak.args[2] | string | `"--optimized"` | | +| keycloak.cache.stack | string | `"custom"` | | +| keycloak.database.database | string | `"keycloak"` | | +| keycloak.database.hostname | string | `"cosmo-postgresql"` | | +| keycloak.database.password | string | `"changeme"` | | 
+| keycloak.database.port | int | `5432` | | +| keycloak.database.username | string | `"postgres"` | | +| keycloak.database.vendor | string | `"postgres"` | | +| keycloak.extraEnv | string | `"- name: KC_BOOTSTRAP_ADMIN_USERNAME\n valueFrom:\n secretKeyRef:\n name: {{ include \"keycloak.fullname\" . }}-bootstrap\n key: adminUser\n- name: KC_BOOTSTRAP_ADMIN_PASSWORD\n valueFrom:\n secretKeyRef:\n name: {{ include \"keycloak.fullname\" . }}-bootstrap\n key: adminPassword\n- name: KC_HOSTNAME_STRICT\n value: 'false'\n"` | | +| keycloak.extraVolumeMounts | string | `"- mountPath: /opt/keycloak/data/import/realm.json\n name: realm-config-volume\n readOnly: true\n subPath: realm.json\n"` | | +| keycloak.extraVolumes | string | `"- name: realm-config-volume\n configMap:\n name: keycloak-realm\n"` | | +| keycloak.health.enabled | bool | `true` | | +| keycloak.http.relativePath | string | `"/"` | | | keycloak.image.pullPolicy | string | `"IfNotPresent"` | | -| keycloak.image.registry | string | `"ghcr.io"` | | -| keycloak.image.repository | string | `"wundergraph/cosmo/keycloak"` | | -| keycloak.image.tag | string | `"0.10.4"` | | +| keycloak.image.repository | string | `"ghcr.io/wundergraph/cosmo/keycloak"` | | +| keycloak.image.tag | string | `"0.13.0"` | | | keycloak.metrics.enabled | bool | `true` | | | keycloak.podAnnotations."kapp.k14s.io/change-group" | string | `"cosmo.apps.keycloak.wundergraph.com/deployment"` | Support for k14s.io. This annotation will form a group to coordinate deployments with kapp. | | keycloak.podAnnotations."kapp.k14s.io/change-rule.postgresql" | string | `"upsert after upserting cosmo.apps.postgresql.wundergraph.com/deployment"` | Support for k14s.io. This annotation will wait for the postgresql deployments to be ready before deploying. 
| -| keycloak.postgresql.enabled | bool | `false` | | -| keycloak.production | bool | `false` | | -| keycloak.replicaCount | int | `1` | | -| keycloak.resourcesPreset | string | `"none"` | Is set to 'small' by default which is too small and runs in OOMKilled | -| keycloak.service.ports.http | int | `8080` | | -| keycloak.startupProbe.enabled | bool | `true` | | +| keycloak.replicas | int | `1` | | +| keycloak.secrets.bootstrap.stringData.adminPassword | string | `"{{ .Values.global.keycloak.adminPassword }}"` | | +| keycloak.secrets.bootstrap.stringData.adminUser | string | `"{{ .Values.global.keycloak.adminUser }}"` | | +| keycloak.service.httpPort | int | `8080` | | +| keycloak.statefulsetAnnotations."kapp.k14s.io/update-strategy" | string | `"fallback-on-replace"` | | | minio.auth.rootPassword | string | `"changeme"` | | | minio.auth.rootUser | string | `"minio"` | | | minio.commonAnnotations."kapp.k14s.io/change-group" | string | `"cosmo.apps.minio.wundergraph.com/deployment"` | | diff --git a/helm/cosmo/charts/keycloak-22.0.0.tgz b/helm/cosmo/charts/keycloak-22.0.0.tgz deleted file mode 100644 index 1fcaa5af8a..0000000000 Binary files a/helm/cosmo/charts/keycloak-22.0.0.tgz and /dev/null differ diff --git a/helm/cosmo/charts/keycloakx-7.1.8.tgz b/helm/cosmo/charts/keycloakx-7.1.8.tgz new file mode 100644 index 0000000000..d0c7a168bb Binary files /dev/null and b/helm/cosmo/charts/keycloakx-7.1.8.tgz differ diff --git a/helm/cosmo/templates/ingress.yaml b/helm/cosmo/templates/ingress.yaml index 913be1417f..d18f28830b 100644 --- a/helm/cosmo/templates/ingress.yaml +++ b/helm/cosmo/templates/ingress.yaml @@ -70,7 +70,7 @@ spec: pathType: Prefix backend: service: - name: {{ include "keycloak.fullname" . }} + name: {{ include "keycloak.fullname" . }}-http port: number: {{ .Values.global.keycloak.port }} {{- end }} diff --git a/helm/cosmo/values.yaml b/helm/cosmo/values.yaml index 4758ac5044..2ec0f3193f 100644 --- a/helm/cosmo/values.yaml +++ b/helm/cosmo/values.yaml 
@@ -61,7 +61,7 @@ global:
 loginRealm: 'master'
 webUrl: 'http://keycloak.wundergraph.local'
 # Use internal DNS name to access Keycloak
- apiUrl: 'http://cosmo-keycloak:8080'
+ apiUrl: 'http://cosmo-keycloak-http:8080'
 clientId: 'studio'
 adminUser: 'admin'
 adminPassword: 'changeme'
@@ -349,59 +349,69 @@ graphqlmetrics: # It is highly recommended to use a managed service in production environments or use our cloud offering https://cosmo.wundergraph.com # Keycloak for the Cosmo Controlplane & Studio -# https://artifacthub.io/packages/helm/bitnami/keycloak -# TODO(pepol): Move to 'codecentric/keycloakx' chart once new keycloak image is built and released +# https://artifacthub.io/packages/helm/codecentric/keycloakx keycloak: - # Production requires TLS - production: false + statefulsetAnnotations: + kapp.k14s.io/update-strategy: fallback-on-replace + replicas: 1 image: - repository: wundergraph/cosmo/keycloak - registry: ghcr.io + repository: ghcr.io/wundergraph/cosmo/keycloak + tag: '0.13.0' pullPolicy: IfNotPresent - tag: '0.10.4' + args: + - 'start' + - '--import-realm' + - '--optimized' service: - ports: - http: 8080 - replicaCount: 1 + httpPort: 8080 podAnnotations: # -- Support for k14s.io. This annotation will form a group to coordinate deployments with kapp. kapp.k14s.io/change-group: 'cosmo.apps.keycloak.wundergraph.com/deployment' # -- Support for k14s.io. This annotation will wait for the postgresql deployments to be ready before deploying. kapp.k14s.io/change-rule.postgresql: 'upsert after upserting cosmo.apps.postgresql.wundergraph.com/deployment' - auth: - adminUser: 'admin' - adminPassword: 'changeme' - startupProbe: - enabled: true cache: - enabled: false - # -- Is set to 'small' by default which is too small and runs in OOMKilled - resourcesPreset: none + stack: custom # Disables automatic cache configuration. 
+ health: + enabled: true metrics: enabled: true - postgresql: - enabled: false - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: '--import-realm --optimized' - - name: KEYCLOAK_ENABLE_HEALTH_ENDPOINTS - value: 'true' - - name: KEYCLOAK_DATABASE_PASSWORD - value: 'changeme' - extraVolumeMounts: - - mountPath: /opt/bitnami/keycloak/data/import/realm.json - name: realm-config-volume - readOnly: true - subPath: realm.json - extraVolumes: + database: + vendor: postgres + hostname: cosmo-postgresql + port: 5432 + database: keycloak + username: postgres + password: changeme + http: + relativePath: "/" + # NOTE: The following 3 values are expected by the subchart to be STRINGs, not arrays, which is why the multiline string escape (`|`) is here. + extraVolumes: | - name: realm-config-volume configMap: name: keycloak-realm - externalDatabase: - host: 'cosmo-postgresql' - port: 5432 - user: 'postgres' - database: keycloak + extraVolumeMounts: | + - mountPath: /opt/keycloak/data/import/realm.json + name: realm-config-volume + readOnly: true + subPath: realm.json + extraEnv: | + - name: KC_BOOTSTRAP_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-bootstrap + key: adminUser + - name: KC_BOOTSTRAP_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-bootstrap + key: adminPassword + - name: KC_HOSTNAME_STRICT + value: 'false' + secrets: + bootstrap: + stringData: + adminUser: "{{ .Values.global.keycloak.adminUser }}" + adminPassword: "{{ .Values.global.keycloak.adminPassword }}" # ClickHouse for the Cosmo Controlplane & Collectors # https://artifacthub.io/packages/helm/bitnami/clickhouse
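Review bot: `database.password: changeme` is a literal in the new `keycloak.database` block, whereas the bootstrap admin credentials at the end of the hunk are templated from `global.keycloak.adminUser` and `global.keycloak.adminPassword`; the README in this diff lists a `global.keycloak.databasePassword` value that this block never references. An operator who changes the global database password gets a Keycloak that still connects with `changeme`, and the password sits in plain chart values rather than behind a secret reference. If the subchart renders this field as a template, `password: "{{ .Values.global.keycloak.databasePassword }}"` would keep the two in step; otherwise a comment such as `# must match global.keycloak.databasePassword` is the minimum. `KC_HOSTNAME_STRICT` set to `'false'` also deserves a comment marking it as a local-development default, since with it Keycloak presumably derives its hostname from the incoming request instead of a fixed value. The `keycloak:` block opens inside this hunk and ends just before the ClickHouse comment.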