
gitops: reconcile the Keycloak realm via keycloak-config-cli as an Argo Job #28

@ausbru87

Description


Goal

Reconcile the Keycloak realm configuration (Keycloak Admin API state, not
Kubernetes objects) declaratively. Plan: docs/plans/gitops-adoption.md
(section 6.2).

In scope

The realm, the group tree, the group-membership protocol mapper on the coder
client, and the 8 persona users. Today these are created imperatively by
scripts/setup-keycloak-hierarchy.py, and start --import-realm only seeds the
realm on first boot (it skips an existing realm), so nothing is reconciled after
day one.

Recommendation: keycloak-config-cli as an Argo PostSync Job

  • Mirror the keycloak-config-cli image into ECR; add it to scripts/images.txt.
  • Commit a declarative realm config (groups, the group-membership mapper, persona users, client) with placeholders plus env-variable substitution; no secrets in git.
  • Run it as an Argo PostSync Job after the keycloak Deployment is healthy; inject admin creds, the OIDC client secret, and persona passwords from ESO-synced Secrets (ASM).
  • Retire scripts/setup-keycloak-hierarchy.py once the declarative config reaches parity (verify with scripts/verify-oidc-login.py).

Options rejected

  • Keycloak Operator: the live Keycloak is a plain Deployment, not operator-managed; adopting the Operator means re-platforming the Keycloak instance itself, far larger than the realm-config problem. Its KeycloakRealmImport is import-shaped, not full reconcile.
  • Realm import on boot: only runs on first boot and skips an existing realm, so it cannot reconcile drift or apply post-hoc groups, mappers, or users. That is exactly the current gap.

Generated by Coder Agents.
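A sketch of what the recommended PostSync Job could look like, added here as an illustration; it is not a manifest from this issue or its repository. The namespace, the ECR image reference and tag, the Secret names and keys (which would be populated by ESO), the realm name, the group tree, the persona username and the service URL are all assumptions. What it does show is the shape the issue describes: a declarative realm file committed to git with `$(env:NAME)` placeholders, and a Job that mounts that file, enables keycloak-config-cli's variable substitution, and injects every secret from Kubernetes Secrets rather than from the manifest.

```yaml
# Added example, not the repository's own manifests.
# Assumed: namespace "keycloak", realm "coder", client "coder", Secret names/keys,
# the ECR mirror path and tag, and the in-cluster Keycloak service URL.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-realm-config
  namespace: keycloak
data:
  realm.json: |
    {
      "realm": "coder",
      "enabled": true,
      "groups": [
        { "name": "platform",
          "subGroups": [ { "name": "admins" }, { "name": "developers" } ] }
      ],
      "clients": [
        {
          "clientId": "coder",
          "secret": "$(env:CODER_OIDC_CLIENT_SECRET)",
          "protocolMappers": [
            {
              "name": "groups",
              "protocol": "openid-connect",
              "protocolMapper": "oidc-group-membership-mapper",
              "config": {
                "claim.name": "groups",
                "full.path": "true",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "userinfo.token.claim": "true"
              }
            }
          ]
        }
      ],
      "users": [
        {
          "username": "persona-developer",
          "enabled": true,
          "groups": [ "/platform/developers" ],
          "credentials": [
            { "type": "password", "value": "$(env:PERSONA_DEVELOPER_PASSWORD)" }
          ]
        }
      ]
    }
---
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-config-cli
  namespace: keycloak
  annotations:
    # Run after the sync; recreate the Job on every sync so it reconciles each time.
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  backoffLimit: 3
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: keycloak-config-cli
          # Assumed ECR mirror and tag; pin to whatever scripts/images.txt mirrors.
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/keycloak-config-cli:6.1.6-25.0.6
          env:
            - name: KEYCLOAK_URL
              value: http://keycloak.keycloak.svc:8080   # assumed service
            - name: KEYCLOAK_USER
              valueFrom: { secretKeyRef: { name: keycloak-admin, key: username } }
            - name: KEYCLOAK_PASSWORD
              valueFrom: { secretKeyRef: { name: keycloak-admin, key: password } }
            # Wait for Keycloak to answer before importing, in case the hook fires early.
            - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
              value: "true"
            - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
              value: 120s
            - name: IMPORT_FILES_LOCATIONS
              value: /config/realm.json
            # Resolves $(env:NAME) placeholders in realm.json from the container env.
            - name: IMPORT_VARSUBSTITUTION_ENABLED
              value: "true"
            - name: CODER_OIDC_CLIENT_SECRET
              valueFrom: { secretKeyRef: { name: coder-oidc, key: client-secret } }
            - name: PERSONA_DEVELOPER_PASSWORD
              valueFrom: { secretKeyRef: { name: keycloak-personas, key: developer } }
          volumeMounts:
            - name: realm-config
              mountPath: /config
              readOnly: true
      volumes:
        - name: realm-config
          configMap:
            name: keycloak-realm-config
```

Two points worth checking when adapting this. First, confirm the substituted values never leave the Pod: keycloak-config-cli logs the import diff, so keep its log level at the default and do not enable request tracing in a shared log pipeline. Second, the `BeforeHookCreation` delete policy keeps the last Job (and its logs) around until the next sync, which is what you want for diagnosing a failed reconcile; `HookSucceeded` would discard them.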

Metadata

Labels: gitops (GitOps adoption)