~/organiccode.net


Keycloak realm operator

wip

A Python-based Kubernetes operator that declaratively manages Keycloak realms, OIDC clients, and the secrets that go with them.

Python, Kopf, Kubernetes, Helm, Keycloak

Configuring Keycloak realms and OIDC clients by hand gets old fast when you run a homelab with a dozen services that all need SSO. So I started writing my own operator.

It’s built on Kopf, exposes a KeycloakRealm cluster-scoped CRD and a namespaced KeycloakClient CRD, and reconciles them against the Keycloak admin API. When a client is created, it also produces a Secret in the requesting namespace so the application can use it directly without any manual copy-paste.
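As an added illustration of that reconcile step (not the operator's own code), the pure-Python core a Kopf create handler for KeycloakClient would call: mint a client secret with a CSPRNG, build the confidential-client payload for the Keycloak admin API, and build the Secret in the requesting namespace with an ownerReference so it is garbage-collected with the CR. The CRD group/version and the spec fields (`clientId`, `realm`, `keycloakUrl`, `redirectUris`, `secretName`) are assumed, not the project's schema.

```python
import base64
import secrets
from typing import Any

# Assumed CRD coordinates (hypothetical; not the project's actual group/version).
GROUP, VERSION, KIND = "organiccode.net", "v1alpha1", "KeycloakClient"


def b64(s: str) -> str:
    """Secret.data values are base64-encoded strings."""
    return base64.b64encode(s.encode()).decode()


def build_client_representation(spec: dict[str, Any], client_secret: str) -> dict[str, Any]:
    """Keycloak admin-API ClientRepresentation for a confidential OIDC client.

    Only the fields this example needs are set; flows not requested stay off.
    """
    return {
        "clientId": spec["clientId"],
        "protocol": "openid-connect",
        "publicClient": False,               # confidential client: secret required
        "secret": client_secret,
        "standardFlowEnabled": True,         # authorization-code flow only
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,  # no resource-owner-password grant
        "redirectUris": list(spec.get("redirectUris", [])),
    }


def build_secret(meta: dict[str, Any], spec: dict[str, Any], client_secret: str) -> dict[str, Any]:
    """Secret manifest, always in the namespace of the KeycloakClient that asked for it."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": spec.get("secretName", f"{meta['name']}-oidc"),
            "namespace": meta["namespace"],  # namespaced CRD: no cross-namespace writes
            # Owner reference: deleting the KeycloakClient deletes the Secret too.
            "ownerReferences": [{"apiVersion": f"{GROUP}/{VERSION}", "kind": KIND,
                                 "name": meta["name"], "uid": meta["uid"],
                                 "controller": True, "blockOwnerDeletion": True}],
        },
        "data": {
            "client-id": b64(spec["clientId"]),
            "client-secret": b64(client_secret),
            "issuer": b64(f"{spec['keycloakUrl']}/realms/{spec['realm']}"),
        },
    }


def reconcile_client(meta: dict[str, Any], spec: dict[str, Any]) -> tuple[dict, dict]:
    """One create step: returns (admin-API payload, Secret manifest) sharing a fresh secret."""
    client_secret = secrets.token_urlsafe(32)  # CSPRNG; never derived from clientId
    return build_client_representation(spec, client_secret), build_secret(meta, spec, client_secret)
```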

The full write-up — design choices, the failure modes, the way Kopf handles RBAC — lives in the devlog.