@yuhaosdl yuhaosdl commented Jan 15, 2026

Summary by CodeRabbit

Documentation

  • Added comprehensive Keycloak documentation covering system overview, typical use cases, feature comparison with alternatives, quick start setup guidance for Kubernetes environments, and migration instructions from RH-SSO.

coderabbitai bot commented Jan 15, 2026

Walkthrough

A comprehensive Keycloak documentation guide was added covering architecture, use cases, Keycloak vs. RH-SSO comparison, Kubernetes quick-start instructions, admin console access, and migration workflows from RH-SSO to Keycloak with command examples.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: `docs/en/solutions/Keycloak_Guide.md` | New guide providing Keycloak overview, deployment instructions for Kubernetes, comparison with RH-SSO, admin console setup, and step-by-step migration guidance with YAML examples and kubectl commands |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A new guide hops into view,
Keycloak secrets, both old and new,
From RH-SSO we migrate with grace,
Kubernetes pods in their perfect place,
Admin credentials safely embraced! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'add keycloak usage guide' directly and clearly describes the main change: adding documentation about Keycloak usage. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@docs/en/solutions/Keycloak_Guide.md`:
- Around line 50-100: The StatefulSet's serviceName "postgresql-db-service" does
not match the Service's metadata name "postgres-db", causing the headless
service linkage to fail; update one of them so they match (either change the
StatefulSet's serviceName to "postgres-db" or rename the Service metadata.name
to "postgresql-db-service") ensuring the Service selector/ports remain correct
for the postgresql-db StatefulSet.
- Around line 86-87: The snippet defines a volume named "cache-volume" using
emptyDir which causes data loss on pod restarts; update the docs next to the
"cache-volume" entry to add a clear warning that emptyDir is unsuitable for
PostgreSQL in production and recommend using a PersistentVolumeClaim (PVC) or
other persistent storage solution instead, and include a brief note explaining
that emptyDir is acceptable for dev/test only and will lose data if the pod is
deleted, restarted, or rescheduled.
🧹 Nitpick comments (3)
docs/en/solutions/Keycloak_Guide.md (3)

17-18: Add blank line before table.

Markdown tables should be surrounded by blank lines for proper rendering and consistency.

📝 Proposed fix
 # Keycloak vs Red Hat Single Sign-On (RH-SSO)
+
 | Category               | Keycloak                                  | Red Hat Single Sign-On (RH-SSO)                          |

192-192: Minor: Consider hyphenating "basic-auth-type".

For consistency with Kubernetes terminology, "basic-auth type Secret" could be written as "basic-auth-type Secret."


216-224: Minor: Add language identifier to code block.

The fenced code block should specify a language (e.g., text) for proper syntax highlighting and linting compliance.

📝 Proposed fix
 ### Overall Migration Process
-```
+```text
 RH-SSO (OpenShift)
    ↓ Export as JSON file
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8943816 and ef47e9e.

📒 Files selected for processing (1)
  • docs/en/solutions/Keycloak_Guide.md
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-01-13T11:25:34.596Z
Learnt from: jing2uo
Repo: alauda/knowledge PR: 104
File: docs/en/solutions/How_to_Migrate_VirtualMachine_From_VMware.md:131-172
Timestamp: 2026-01-13T11:25:34.596Z
Learning: In VMware migration documentation (docs/en/solutions), when describing the Forklift Operator workflow for VMware, specify that the VMware provider secret should set insecureSkipVerify=true to accommodate self-signed certificates commonly used in enterprise vCenter/ESXi environments. Include a note on the security trade-offs and ensure readers understand this is for internal, controlled environments.

Applied to files:

  • docs/en/solutions/Keycloak_Guide.md
🪛 LanguageTool
docs/en/solutions/Keycloak_Guide.md

[style] ~2-~2: Consider using a more concise synonym.
Context: ...ons, APIs and microservices, supporting a variety of mainstream identity authentication prot...

(A_VARIETY_OF)


[grammar] ~192-~192: Use a hyphen to join words.
Context: ...stores these credentials as a basic-auth type Secret object, which is in the same...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)
docs/en/solutions/Keycloak_Guide.md

18-18: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)


216-216: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

Comment on lines +50 to +100
# PostgreSQL StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgresql-db
spec:
serviceName: postgresql-db-service
selector:
matchLabels:
app: postgresql-db
replicas: 1
template:
metadata:
labels:
app: postgresql-db
spec:
containers:
- name: postgresql-db
image: quay.io/sclorg/postgresql-15-c9s:latest
volumeMounts:
- mountPath: /var/lib/pgsql/data
name: cache-volume
env:
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
key: username
name: keycloak-db-secret
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: keycloak-db-secret
- name: POSTGRESQL_DATABASE
value: keycloak
volumes:
- name: cache-volume
emptyDir: {}
---
# PostgreSQL StatefulSet Service
apiVersion: v1
kind: Service
metadata:
name: postgres-db
spec:
selector:
app: postgresql-db
ports:
- port: 5432
targetPort: 5432
```
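
Review bot: the container image in this range, `image: quay.io/sclorg/postgresql-15-c9s:latest`, uses the mutable `latest` tag, so readers following the guide pull whatever the registry serves at that moment and the database backing Keycloak can change underneath them without review. Pin a specific image tag or an image digest in the guide and state which version the steps were tested against.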

⚠️ Potential issue | 🔴 Critical

Fix service name mismatch.

The StatefulSet references serviceName: postgresql-db-service (line 56), but the actual Service is named postgres-db (line 93). This mismatch will cause the StatefulSet to fail to communicate properly with its headless service.

🔧 Proposed fix
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: postgresql-db
 spec:
-  serviceName: postgresql-db-service
+  serviceName: postgres-db
   selector:
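
Review bot: renaming `serviceName` to `postgres-db` makes the names agree, but the Service shown in the commented range (`metadata.name: postgres-db`) declares only `selector` and `ports`, with no `clusterIP: None`, so it is a regular ClusterIP Service and not the headless governing Service that a StatefulSet's `serviceName` is meant to reference. Either add `clusterIP: None` to that Service, or keep it as the client-facing Service and add a separate headless Service for the StatefulSet; whichever is chosen, the hostname that Keycloak's database URL points at should be checked against the final Service name.
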
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# PostgreSQL StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgresql-db
spec:
serviceName: postgresql-db-service
selector:
matchLabels:
app: postgresql-db
replicas: 1
template:
metadata:
labels:
app: postgresql-db
spec:
containers:
- name: postgresql-db
image: quay.io/sclorg/postgresql-15-c9s:latest
volumeMounts:
- mountPath: /var/lib/pgsql/data
name: cache-volume
env:
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
key: username
name: keycloak-db-secret
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: keycloak-db-secret
- name: POSTGRESQL_DATABASE
value: keycloak
volumes:
- name: cache-volume
emptyDir: {}
---
# PostgreSQL StatefulSet Service
apiVersion: v1
kind: Service
metadata:
name: postgres-db
spec:
selector:
app: postgresql-db
ports:
- port: 5432
targetPort: 5432
```
# PostgreSQL StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgresql-db
spec:
serviceName: postgres-db
selector:
matchLabels:
app: postgresql-db
replicas: 1
template:
metadata:
labels:
app: postgresql-db
spec:
containers:
- name: postgresql-db
image: quay.io/sclorg/postgresql-15-c9s:latest
volumeMounts:
- mountPath: /var/lib/pgsql/data
name: cache-volume
env:
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
key: username
name: keycloak-db-secret
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: keycloak-db-secret
- name: POSTGRESQL_DATABASE
value: keycloak
volumes:
- name: cache-volume
emptyDir: {}
---
# PostgreSQL StatefulSet Service
apiVersion: v1
kind: Service
metadata:
name: postgres-db
spec:
selector:
app: postgresql-db
ports:
- port: 5432
targetPort: 5432
🤖 Prompt for AI Agents
In `@docs/en/solutions/Keycloak_Guide.md` around lines 50 - 100, The StatefulSet's
serviceName "postgresql-db-service" does not match the Service's metadata name
"postgres-db", causing the headless service linkage to fail; update one of them
so they match (either change the StatefulSet's serviceName to "postgres-db" or
rename the Service metadata.name to "postgresql-db-service") ensuring the
Service selector/ports remain correct for the postgresql-db StatefulSet.

Comment on lines +86 to +87
- name: cache-volume
emptyDir: {}

⚠️ Potential issue | 🟠 Major

Warning: emptyDir causes data loss on pod restart.

Using emptyDir for PostgreSQL data storage means all data will be lost when the pod is deleted, restarted, or rescheduled. While this is acceptable for development/testing, consider adding an explicit warning in the comments to prevent accidental production usage.

📝 Suggested documentation improvement
       volumes:
         - name: cache-volume
+          # WARNING: emptyDir will lose all data on pod restart/deletion.
+          # For production, use a PersistentVolumeClaim instead.
           emptyDir: {}
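
Review bot: the added comment's wording "on pod restart/deletion" is imprecise: an `emptyDir` volume survives a container restart inside the same Pod and is removed when the Pod itself is deleted or leaves the node, so the warning would be more accurate as "when the Pod is deleted or rescheduled". Since this volume is mounted at `/var/lib/pgsql/data`, also consider renaming `cache-volume` to something like `postgresql-data` so the name does not suggest disposable contents.
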
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: cache-volume
emptyDir: {}
- name: cache-volume
# WARNING: emptyDir will lose all data on pod restart/deletion.
# For production, use a PersistentVolumeClaim instead.
emptyDir: {}
🤖 Prompt for AI Agents
In `@docs/en/solutions/Keycloak_Guide.md` around lines 86 - 87, The snippet
defines a volume named "cache-volume" using emptyDir which causes data loss on
pod restarts; update the docs next to the "cache-volume" entry to add a clear
warning that emptyDir is unsuitable for PostgreSQL in production and recommend
using a PersistentVolumeClaim (PVC) or other persistent storage solution
instead, and include a brief note explaining that emptyDir is acceptable for
dev/test only and will lose data if the pod is deleted, restarted, or
rescheduled.
