From da6c6c3d717d11be5035d25d94befd16e522e37e Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Thu, 5 Feb 2026 11:57:02 +0000
Subject: [PATCH 1/8] Configure CoreDNS to resolve keycloak hostname internally
---
 .../keycloak-coredns-config-clusterrole.yaml | 25 +++++++++++++
 .../templates/keycloak-coredns-config-cm.yaml | 35 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
 create mode 100644 sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml
diff --git a/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml b/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
new file mode 100644
index 00000000..0feb2b2e
--- /dev/null
+++ b/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keycloak-coredns-manager
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["coredns"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: keycloak-coredns-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: keycloak-coredns-manager
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-application-controller
+ namespace: keycloak
\ No newline at end of file
diff --git a/sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml b/sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml
new file mode 100644
index 00000000..6a65c426
--- /dev/null
+++ b/sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+data:
+ Corefile: |
+ .:53 {
+ errors
+ log
+ health {
+ lameduck 10s
+ }
+ ready
+
+ {{- $service := lookup "v1" "Service" "kgateway-system" "https" }}
+ {{- if $service }}
+ hosts {
+ {{ $service.spec.clusterIP }} kc.{{ .Values.domain }}
+ fallthrough
+ }
+ {{- end }}
+
+ kubernetes cluster.local cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ }
+ prometheus 0.0.0.0:9153
+ forward . /etc/resolv.conf
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
\ No newline at end of file
From be47042b624069aff81c79e3930506d827efc9bd Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Thu, 5 Feb 2026 13:07:48 +0000
Subject: [PATCH 2/8] Fix wrong namespace in the clusterrole
---
 .../templates/keycloak-coredns-config-clusterrole.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml b/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
index 0feb2b2e..cfdde4b4 100644
--- a/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
+++ b/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: keycloak-coredns-manager
+ name: argocd-coredns-manager
 rules:
 - apiGroups: [""]
 resources: ["configmaps"]
@@ -14,12 +14,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: keycloak-coredns-manager
+ name: argocd-coredns-manager
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: keycloak-coredns-manager
+ name: argocd-coredns-manager
 subjects:
 - kind: ServiceAccount
- name: keycloak-application-controller
- namespace: keycloak
\ No newline at end of file
+ name: argocd-application-controller
+ namespace: argocd
\ No newline at end of file
From c4bf571bf8a5033c226c4d37f8bd77e38ee0096e Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Thu, 5 Feb 2026 13:41:04 +0000
Subject: [PATCH 3/8] Keycloak coredns config moved to correct sources folder
---
 .../templates/keycloak-coredns-config-clusterrole.yaml | 0
 .../templates/keycloak-coredns-config-cm.yaml | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename sources/{keycloak-config => keycloak-old}/templates/keycloak-coredns-config-clusterrole.yaml (100%)
 rename sources/{keycloak-config => keycloak-old}/templates/keycloak-coredns-config-cm.yaml (100%)
diff --git a/sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
similarity index 100%
rename from sources/keycloak-config/templates/keycloak-coredns-config-clusterrole.yaml
rename to sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
diff --git a/sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml
similarity index 100%
rename from sources/keycloak-config/templates/keycloak-coredns-config-cm.yaml
rename to sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml
From 32a4bdd05f1ec2e7ec439ff328716823bc9863d8 Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Mon, 9 Feb 2026 12:38:59 +0000
Subject: [PATCH 4/8] Allow argocd app controller to read svc (for lookups)
---
 .../templates/keycloak-coredns-config-clusterrole.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
index cfdde4b4..233e6984 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
@@ -10,6 +10,9 @@ rules:
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
From 1084922a93d57b537713b6a0c90a77f98fe20909 Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Tue, 10 Feb 2026 11:23:26 +0000
Subject: [PATCH 5/8] Replace use of helm lookup with an argocd sync job
---
 .../templates/keycloak-coredns-config-cm.yaml | 35 --------
 .../keycloak-coredns-config-job.yaml | 80 +++++++++++++++++++
 ...yaml => keycloak-coredns-config-rbac.yaml} | 27 ++++---
 3 files changed, 97 insertions(+), 45 deletions(-)
 delete mode 100644 sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml
 create mode 100644 sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
 rename sources/keycloak-old/templates/{keycloak-coredns-config-clusterrole.yaml => keycloak-coredns-config-rbac.yaml} (53%)
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml
deleted file mode 100644
index 6a65c426..00000000
--- a/sources/keycloak-old/templates/keycloak-coredns-config-cm.yaml
+++ /dev/null
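Review bot: The added rule grants `get`, `list` and `watch` on Services in every namespace, while the lookup it exists for reads a single Service, `https`, in `kgateway-system`; a Role plus RoleBinding in `kgateway-system`, or at minimum `resourceNames: ["https"]` with `verbs: ["get"]` on this rule, would bound it to that one object. A one-off `lookup` by name presumably needs only `get`, so `list` and `watch` look like surplus. The same cluster-wide Services rule is carried over for the job's ServiceAccount in the rbac file of patch 5/8, so whichever scoping is chosen should be applied there too.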
@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: coredns
- namespace: kube-system
-data:
- Corefile: |
- .:53 {
- errors
- log
- health {
- lameduck 10s
- }
- ready
-
- {{- $service := lookup "v1" "Service" "kgateway-system" "https" }}
- {{- if $service }}
- hosts {
- {{ $service.spec.clusterIP }} kc.{{ .Values.domain }}
- fallthrough
- }
- {{- end }}
-
- kubernetes cluster.local cluster.local in-addr.arpa ip6.arpa {
- pods insecure
- fallthrough in-addr.arpa ip6.arpa
- ttl 30
- }
- prometheus 0.0.0.0:9153
- forward . /etc/resolv.conf
- cache 30
- loop
- reload
- loadbalance
- }
\ No newline at end of file
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
new file mode 100644
index 00000000..6d0a69ab
--- /dev/null
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
@@ -0,0 +1,80 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: keycloak-coredns-config-{{ .Release.Revision }}
+ namespace: kube-system
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ metadata:
+ name: keycloak-coredns-config
+ spec:
+ serviceAccountName: coredns-config-job
+ restartPolicy: Never
+ containers:
+ - name: update-coredns
+ image: bitnami/kubectl:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -e
+
+ # Get the kgateway service IP
+ SERVICE_IP=$(kubectl get service https -n kgateway-system -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "")
+ DOMAIN=$(kubectl get cm -n default cluster-domain -o jsonpath='{.data.DOMAIN}' 2>/dev/null || echo "")
+
+ if [ -z "$SERVICE_IP" ] || [ -z "$DOMAIN" ]; then
+ echo "Warning: Service 'https' not found in kgateway-system namespace or DOMAIN not found in cluster-domain ConfigMap"
+ exit 0
+ fi
+
+ echo "Found kgateway service IP: $SERVICE_IP"
+ echo "Found cluster domain: $DOMAIN"
+
+ # Get current CoreDNS ConfigMap
+ kubectl get configmap coredns -n kube-system -o yaml > /tmp/coredns.yaml
+
+ # Create the new Corefile with the service IP
+ cat > /tmp/corefile << 'EOF'
+ .:53 {
+ errors
+ log
+ health {
+ lameduck 10s
+ }
+ ready
+
+ hosts {
+ SERVICE_IP_PLACEHOLDER kc.DOMAIN_PLACEHOLDER
+ fallthrough
+ }
+
+ kubernetes cluster.local cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ }
+ prometheus 0.0.0.0:9153
+ forward .
/etc/resolv.conf
+ cache 30
+ loop
+ reload
+ loadbalance
+ }
+ EOF
+
+ # Replace placeholders with actual values
+ sed -i "s/SERVICE_IP_PLACEHOLDER/$SERVICE_IP/g" /tmp/corefile
+ sed -i "s/DOMAIN_PLACEHOLDER/$DOMAIN/g" /tmp/corefile
+
+ # Patch the ConfigMap
+ kubectl create configmap coredns \
+ --from-file=Corefile=/tmp/corefile \
+ --dry-run=client -o yaml | \
+ kubectl apply -f - -n kube-system
+
+ echo "CoreDNS ConfigMap updated successfully"
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
similarity index 53%
rename from sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
rename to sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
index 233e6984..68730c6d 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-clusterrole.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
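Review bot: `image: bitnami/kubectl:latest` is a mutable tag on a container that is allowed to rewrite the CoreDNS ConfigMap in `kube-system`, so every sync runs whatever that tag currently points to; pin it, e.g. `image: bitnami/kubectl:<KUBECTL_VERSION>@sha256:<IMAGE_DIGEST>` (placeholders). The guard after the two lookups ends in `exit 0`, which reports a successful hook when the Service or the DOMAIN value is missing and leaves `kc.<domain>` unresolvable with no failed sync to notice; `exit 1` after the same message would surface it. The heredoc replaces the entire Corefile rather than adding the `hosts` block to the one the cluster already has, so any directive present in the live Corefile is dropped on every sync, which deserves a comment such as `# NOTE: this overwrites the whole Corefile; keep it aligned with the cluster's CoreDNS defaults`. The two `sed` calls use `/` as delimiter while `$DOMAIN` is read from a ConfigMap and not escaped, so `sed -i "s|DOMAIN_PLACEHOLDER|$DOMAIN|g" /tmp/corefile` is the safer form for a value that could contain a slash.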
@@ -1,28 +1,35 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: coredns-config-job
+ namespace: kube-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: argocd-coredns-manager
+ name: coredns-config-job
 rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list"]
 - apiGroups: [""]
 resources: ["configmaps"]
 resourceNames: ["coredns"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "update", "patch"]
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""] resources: ["services"]
- verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: argocd-coredns-manager
+ name: coredns-config-job
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: argocd-coredns-manager
+ name: coredns-config-job
 subjects:
 - kind: ServiceAccount
- name: argocd-application-controller
- namespace: argocd
\ No newline at end of file
+ name: coredns-config-job
+ namespace: kube-system
From 4a76e5ddf6be7ad5c224c168a5031f0ca1d791f9 Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Tue, 10 Feb 2026 11:55:09 +0000
Subject: [PATCH 6/8] Remove unnecessary kubectl call
---
 .../keycloak-old/templates/keycloak-coredns-config-job.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
index 6d0a69ab..04d524a9 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
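Review bot: The last ConfigMap rule of the new ClusterRole grants `get`, `list` and `create` on every ConfigMap in the cluster to the job's ServiceAccount, while the script in the job file only reads `cluster-domain` in `default` and rewrites one ConfigMap in `kube-system`; ConfigMaps routinely carry application configuration that other namespaces do not expect to be readable, so the cluster-wide read is the part to remove. Two namespaced Roles with RoleBindings to this ServiceAccount — `get` on `resourceNames: ["cluster-domain"]` in `default`, and `get`/`update`/`patch` on the CoreDNS ConfigMap in `kube-system` — express exactly what the script does; the Services read belongs in a third Role in `kgateway-system`. `create` is not exercised by the script either: `kubectl create --dry-run=client` makes no API call and `kubectl apply` on an existing object goes through `get` and `patch`.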
@@ -35,9 +35,6 @@ spec:
 echo "Found kgateway service IP: $SERVICE_IP"
 echo "Found cluster domain: $DOMAIN"
- # Get current CoreDNS ConfigMap
- kubectl get configmap coredns -n kube-system -o yaml > /tmp/coredns.yaml
-
 # Create the new Corefile with the service IP
 cat > /tmp/corefile << 'EOF'
 .:53 {
From d3eea1353624e74c6ff2ec0644696ae67965ab0c Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Tue, 10 Feb 2026 12:14:51 +0000
Subject: [PATCH 7/8] Move the coredns config job to the keycloak namespace
---
 .../keycloak-old/templates/keycloak-coredns-config-job.yaml | 6 +++---
 .../templates/keycloak-coredns-config-rbac.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
index 04d524a9..2de39c11 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: keycloak-coredns-config-{{ .Release.Revision }}
- namespace: kube-system
+ namespace: keycloak
 annotations:
 argocd.argoproj.io/hook: Sync
 argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
@@ -69,9 +69,9 @@ spec:
 sed -i "s/DOMAIN_PLACEHOLDER/$DOMAIN/g" /tmp/corefile
 # Patch the ConfigMap
- kubectl create configmap coredns \
+ kubectl create configmap rke2-coredns-rke2-coredns \
 --from-file=Corefile=/tmp/corefile \
 --dry-run=client -o yaml | \
 kubectl apply -f - -n kube-system
- echo "CoreDNS ConfigMap updated successfully"
+ echo "RKE2 CoreDNS ConfigMap updated successfully"
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
index 68730c6d..65253fbf 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
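Review bot: The target ConfigMap is renamed to `rke2-coredns-rke2-coredns` in the script while the ClusterRole in the rbac file still limits `update`/`patch` to `resourceNames: ["coredns"]`, so at this commit the `kubectl apply` is denied; the follow-up in patch 8/8 resolves that by dropping the name restriction rather than updating it, which is the wrong direction. Making the name a chart value, e.g. `kubectl create configmap {{ .Values.corednsConfigMap }} \`, keeps the script and the RBAC rule in agreement and records that the target is distribution-specific. On RKE2 this ConfigMap is presumably owned by the distribution's packaged CoreDNS chart, so an upgrade may restore it and silently remove the `hosts` block until the next sync; a comment such as `# NOTE: RKE2 may overwrite this ConfigMap on upgrade; the hook re-applies it on the next sync` would document that. The shell script this hunk patches starts outside the hunk.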
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: coredns-config-job
- namespace: kube-system
+ namespace: keycloak
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -32,4 +32,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: coredns-config-job
- namespace: kube-system
+ namespace: keycloak
\ No newline at end of file
From 415eefb963caeb14a9240c9a42b6bf28785239ef Mon Sep 17 00:00:00 2001
From: Pontus Wistbacka
Date: Tue, 10 Feb 2026 12:42:49 +0000
Subject: [PATCH 8/8] Add missing patch role to the coredns job sa
---
 .../templates/keycloak-coredns-config-rbac.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
index 65253fbf..487d3bfa 100644
--- a/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
+++ b/sources/keycloak-old/templates/keycloak-coredns-config-rbac.yaml
@@ -15,11 +15,7 @@ rules:
 verbs: ["get", "list"]
 - apiGroups: [""]
 resources: ["configmaps"]
- resourceNames: ["coredns"]
- verbs: ["get", "update", "patch"]
- - apiGroups: [""]
- resources: ["configmaps"]
+ verbs: ["get", "list", "update", "create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
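Review bot: The removed `resourceNames: ["coredns"]` stopped matching once the job began writing `rke2-coredns-rke2-coredns`, but the fix drops the name restriction entirely, and the merged rule now lets the job's ServiceAccount `get`, `list`, `update`, `create` and `patch` every ConfigMap in every namespace. Keeping the restriction and renaming the target is the minimal change: `resourceNames: ["rke2-coredns-rke2-coredns"]` with `verbs: ["get", "update", "patch"]`, plus a separate `get`-only rule for the `cluster-domain` ConfigMap the script reads; `list` and `create` are not used by the script's `kubectl apply`. A ClusterRole cannot tie a resourceName to one namespace, so while the binding stays a ClusterRoleBinding the name match is the only thing separating this job from other ConfigMaps; namespaced Roles in `kube-system` and `default` bound to the `coredns-config-job` ServiceAccount in `keycloak` close that gap.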