feat: add rh-keycloak wrapper chart with short-lived ExternalSecret lifecycle

Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart
as a dependency and configures keycloakUsers ExternalSecret with a
short-lived ArgoCD hook lifecycle:

- ExternalSecret annotated as a Sync hook, deleted by HookSucceeded
- creationPolicy: Orphan + deletionPolicy: Retain ensures the Secret
  survives ExternalSecret deletion
- A simplified PostSync Job deletes the keycloak-users Secret by name
  after Keycloak realm import consumes it (security hygiene)
- Conditional NetworkPolicy for the cleanup Job when default-deny is enabled

Switch values-hub.yaml from the remote rhbk chart to the local
rh-keycloak wrapper chart path.

Requires rhbk-chart >= 0.0.12 (lifecycle management for ExternalSecrets).

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

charts/rh-keycloak/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: rh-keycloak
+description: ZTVP Keycloak deployment — wraps the rhbk chart with short-lived ExternalSecret lifecycle via ArgoCD hooks
+type: application
+version: 0.1.0
+dependencies:
+  - name: rhbk
+    version: ">=0.0.12"
+    repository: "oci://quay.io/validatedpatterns"
+maintainers:
+  - name: Zero Trust Validated Patterns Team
+    email: ztvp-arch-group@redhat.com
+keywords:
+  - keycloak
+  - rhbk
+  - zero-trust
+  - pattern

charts/rh-keycloak/templates/cleanup-keycloak-users.yaml

@@ -0,0 +1,70 @@
+{{- if .Values.cleanup.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cleanup-keycloak-users
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cleanup-keycloak-users
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["keycloak-users"]
+  verbs: ["get", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cleanup-keycloak-users
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cleanup-keycloak-users
+subjects:
+- kind: ServiceAccount
+  name: cleanup-keycloak-users
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cleanup-keycloak-users
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  backoffLimit: 2
+  activeDeadlineSeconds: 120
+  template:
+    metadata:
+      labels:
+        app: cleanup-keycloak-users
+    spec:
+      serviceAccountName: cleanup-keycloak-users
+      restartPolicy: Never
+      containers:
+      - name: cleanup
+        image: {{ .Values.cleanup.image }}
+        command:
+        - /bin/bash
+        - -ce
+        - |
+          oc delete secret keycloak-users -n "{{ .Release.Namespace }}" --ignore-not-found
+          echo "Cleanup complete."
+{{- end }}

charts/rh-keycloak/templates/cleanup-network-policy.yaml

@@ -0,0 +1,29 @@
+{{- if and .Values.cleanup.enabled (eq (.Values.rhbk.defaultDenyNetworkPolicy.enabled | toString) "true") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: cleanup-keycloak-users-netpol
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  podSelector:
+    matchLabels:
+      app: cleanup-keycloak-users
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - protocol: UDP
+      port: 5353
+    - protocol: TCP
+      port: 5353
+    to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+  - ports:
+    - protocol: TCP
+      port: 6443
+{{- end }}

charts/rh-keycloak/values.yaml

@@ -0,0 +1,24 @@
+# PostSync Job deletes the keycloak-users Secret after realm import consumes it.
+cleanup:
+  enabled: true
+  image: registry.redhat.io/openshift4/ose-cli-rhel9:latest
+
+# Values passed through to the rhbk subchart.
+# The keycloakUsers ExternalSecret uses a short-lived ArgoCD hook lifecycle:
+# - Created during Sync, deleted by HookSucceeded
+# - Secret survives via creationPolicy: Orphan + deletionPolicy: Retain
+# - PostSync Job removes the Secret for security hygiene
+rhbk:
+  externalSecrets:
+    keycloakUsers:
+      creationPolicy: "Orphan"
+      deletionPolicy: "Retain"
+      refreshPolicy: "OnChange"
+      metadata:
+        annotations:
+          argocd.argoproj.io/hook: Sync
+          argocd.argoproj.io/hook-delete-policy: HookSucceeded
+          argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
+      targetMetadata:
+        labels:
+          validatedpatterns.io/cleanup: delete