[keycloak] Add storageclass support for CNPG cluster

[BROngineer]

What this PR does

This PR adds optional storageClass with reclaimPolicy: Retain to be used for CNPG cluster to prevent PV deletion in case of CNPG cluster deletion. This is crucial to prevent data loss.

Release note

[keycloak] Add storageclass support for CNPG cluster

Summary by CodeRabbit

• New Features
  • Keycloak database now supports configurable storage classes, allowing users to define custom storage provisioners, retention policies, and volume expansion settings to meet their infrastructure requirements.

[coderabbitai]

📝 Walkthrough

Walkthrough

These changes introduce configurable StorageClass support to the Keycloak Helm chart. A new StorageClass template is added with conditional rendering, configuration values are introduced for enabling and customizing the storage class, and the database template is updated to reference the configured storage class settings.

Changes

Cohort / File(s)

Summary

StorageClass Configuration packages/system/keycloak/templates/db.yaml, packages/system/keycloak/templates/storageclass.yaml, packages/system/keycloak/values.yaml

Adds conditional StorageClass support with configurable retention policy and binding modes. New storageclass.yaml template conditionally renders a StorageClass resource with defaults ("keycloak-db-retain", Retain policy, WaitForFirstConsumer binding). Updates db.yaml to reference the configured storage class. Introduces storageClass configuration block in values.yaml with enable, name, and provisioner fields.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A StorageClass tale, so neatly arranged,
With conditional magic, our volumes now changed,
Retain policies set, and expansions allowed,
The database now wears its configuration proud! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding storageClass support for CNPG clusters in Keycloak, which matches the PR's core objective of introducing optional storageClass configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch artem/keycloak-pvc-retention

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Keycloak deployment by introducing a mechanism to prevent data loss for its CNPG database. It achieves this by allowing the configuration of a dedicated Kubernetes StorageClass with a Retain reclaim policy, ensuring that database Persistent Volumes are not automatically deleted when the CNPG cluster is removed. This change provides a crucial safety net for data integrity.

Highlights

• CNPG StorageClass Support: Introduced optional StorageClass configuration for the CNPG cluster, specifically "keycloak-db-retain", to manage Persistent Volume (PV) retention.
• Data Loss Prevention: Configured the new StorageClass with "reclaimPolicy: Retain" to prevent the deletion of Persistent Volumes upon CNPG cluster deletion, safeguarding critical Keycloak database data.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• packages/system/keycloak/templates/db.yaml
  • Conditionally applied the "keycloak-db-retain" storage class to the CNPG cluster's storage specification when the "storageClass.enable" flag is true.
• packages/system/keycloak/templates/storageclass.yaml
  • Added a new Kubernetes StorageClass definition named "keycloak-db-retain" with "reclaimPolicy: Retain", "volumeBindingMode: WaitForFirstConsumer", and "allowVolumeExpansion: true".
• packages/system/keycloak/values.yaml
  • Introduced new "storageClass" configuration parameters, "enable" (defaulting to "false") and "provisioner" (empty string), to control the deployment and behavior of the custom StorageClass.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces optional storage class support for the CNPG cluster, specifically addressing data loss prevention by setting reclaimPolicy: Retain. However, a potential YAML injection vulnerability was identified in the new storageclass.yaml template where the provisioner field is not properly quoted, which could allow for the injection of arbitrary YAML fields. Additionally, there are opportunities to enhance the flexibility and configurability of the storage class name.

[coderabbitai]

🧹 Nitpick comments (2)

packages/system/keycloak/values.yaml (1)

14-17: Consider adding documentation comments for the storageClass block.

The ingress section above includes helpful comments explaining the configuration options. Adding similar documentation would improve discoverability for users, e.g.:

storageClass:
  # Enable creation of a dedicated StorageClass with Retain policy for CNPG cluster data.
  enable: false
  # Custom name for the StorageClass (defaults to "keycloak-db-retain" if empty).
  name: ""
  # Storage provisioner to use (required when enable is true).
  provisioner: ""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/system/keycloak/values.yaml` around lines 14 - 17, Add inline
documentation comments to the storageClass YAML block to explain each option
(storageClass.enable, storageClass.name, storageClass.provisioner): describe
that enable toggles creating a dedicated StorageClass with Retain policy for
CNPG data, name can override the default StorageClass name if empty, and
provisioner specifies the storage provisioner required when enable is true; keep
wording consistent with the existing ingress comments and place comments
directly above each key.

packages/system/keycloak/templates/storageclass.yaml (1)

4-5: Consider adding standard labels for consistency.

Other StorageClass templates in this repository include labels (e.g., packages/system/nfs-driver/charts/csi-driver-nfs/templates/storageclass.yaml). Adding labels would improve resource organization and querying.

♻️ Suggested enhancement

 metadata:
   name: {{ .Values.storageClass.name | default "keycloak-db-retain" }}
+  labels:
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/component: database
 provisioner: {{ required ".Values.storageClass.provisioner is required when storageClass.enable is true" .Values.storageClass.provisioner | quote }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/system/keycloak/templates/storageclass.yaml` around lines 4 - 5, Add
standard metadata.labels to the StorageClass manifest so resources are
consistent with other templates; update the storage class template around
metadata.name (the template using {{ .Values.storageClass.name | default
"keycloak-db-retain" }}) to include a labels block populated from values (e.g.,
.Values.storageClass.labels) or sensible defaults, and ensure the chart
values.yaml exposes storageClass.labels so callers can override them for
organization and querying.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/system/keycloak/templates/storageclass.yaml`:
- Around line 4-5: Add standard metadata.labels to the StorageClass manifest so
resources are consistent with other templates; update the storage class template
around metadata.name (the template using {{ .Values.storageClass.name | default
"keycloak-db-retain" }}) to include a labels block populated from values (e.g.,
.Values.storageClass.labels) or sensible defaults, and ensure the chart
values.yaml exposes storageClass.labels so callers can override them for
organization and querying.

In `@packages/system/keycloak/values.yaml`:
- Around line 14-17: Add inline documentation comments to the storageClass YAML
block to explain each option (storageClass.enable, storageClass.name,
storageClass.provisioner): describe that enable toggles creating a dedicated
StorageClass with Retain policy for CNPG data, name can override the default
StorageClass name if empty, and provisioner specifies the storage provisioner
required when enable is true; keep wording consistent with the existing ingress
comments and place comments directly above each key.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8dfe35fb-4782-4137-b4dd-b712d74565cd

📥 Commits

Reviewing files that changed from the base of the PR and between 9bb6625 and 702ec70.

📒 Files selected for processing (3)

• packages/system/keycloak/templates/db.yaml
• packages/system/keycloak/templates/storageclass.yaml
• packages/system/keycloak/values.yaml

[BROngineer]

Won't fix for now: CNPG cluster more likely won't be able to reuse the retained volume