First pass of keycloak+postgres, using operators.

+apiVersion: v1
+kind: Secret
+metadata:
+  name: kpg-keycloak-initial-admin
+stringData:
+  username: admin
+  password: admin
+---
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+  name: kpg-keycloak
+spec:
+  instances: 1
+  disableDefaultIngress: true
+  serverConfiguration:
+    - name: db
+      value: postgres
+    - name: db-url-host
+      value: kpg-postgres
+    - name: db-username
+      secret:
+        name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
+        key: username
+    - name: db-password
+      secret:
+        name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
+        key: password
+    - name: health-enabled
+      value: "true"
+    #- name: proxy
+    #  value: edge
+    #- name: http-enabled
+    #  value: "true"
+    #- name: hostname-strict-https
+    #  value: "true"
+  unsupported:
+    podTemplate:
+      spec:
+        volumes:
+          - name: keycloak-scripts
+            configMap:
+              name: kpg-keycloak-scripts
+              defaultMode: 0777
+        initContainers:
+          - name: wait-for-pg
+            image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
+            env:
+              - name: PGHOST
+                value: kpg-postgres
+              - name: PGDATABASE
+                value: keycloak
+              - name: PGUSER
+                valueFrom:
+                  secretKeyRef:
+                    name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
+                    key: username
+              - name: PGPASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
+                    key: password
+            volumeMounts:
+              - name: keycloak-scripts
+                mountPath: /keycloak-scripts
+            command: ["/keycloak-scripts/pg_isready"]
+  #hostname: auth.local
+  #tlsSecret: keycloak-crt
+  hostname: INSECURE-DISABLE
+  tlsSecret: INSECURE-DISABLE
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kpg-keycloak-crt
+spec:
+  secretName: kpg-keycloak-crt
+  dnsNames:
+  - auth.local
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: kpg-keycloak-originate-tls
+spec:
+  host: kpg-keycloak
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 8080
+        tls:
+          mode: DISABLE
+          credentialName: kpg-keycloak-crt
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: kpg-keycloak
+spec:
+  hosts:
+    - auth.local
+  gateways:
+    - istio-system/cluster-local-gateway
+  http:
+    - route:
+      - destination:
+          port:
+            number: 8080
+          host: kpg-keycloak-service.default.svc.cluster.local
+#  tls:
+#    - match:
+#        - sniHosts:
+#            - auth.local
+#      route:
+#      - destination:
+#          port:
+#            number: 8443
+#          host: kpg-keycloak-service.default.svc.cluster.local
+

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./keycloak.yaml
+
+configMapGenerator:
+  - name: kpg-keycloak-scripts
+    options:
+      disableNameSuffixHash: true
+    files:
+      - ../../scripts/pg_isready
+

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./postgresql.yaml
+

+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: kpg-postgres
+  namespace: default
+spec:
+  enableLogicalBackup: true
+  teamId: "kpg"
+  volume:
+    size: 1Gi
+  numberOfInstances: 2
+  users:
+    zalando:  # database owner
+      - superuser
+      - createdb
+    keycloak:
+      - login
+  databases:
+    keycloak: keycloak  # dbname: owner
+  postgresql:
+    version: "14"

+namespace: keycloak
+postgresql:
+  numberOfInstances: 2
+  volume:
+    size: 1Gi
+  version: "14"
+  waitForPg:
+    image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
+initialAdmin:
+  username: admin
+  password: admin
+certificate:
+  hostName: auth.local
+  issuerRef: ca-issuer
+virtualService:
+  hostName: auth.local
+  gateway: istio-system/cluster-local-gateway
+  issuerRef: ca-issuer

+bases:
+  - ../common/environments.yaml
+
+---
+
+releases:
+  - name: kpg-postgresql
+    namespace: {{ .Values.namespace }}
+    chart: charts/postgresql
+    wait: true
+    strategicMergePatches:
+      - apiVersion: acid.zalan.do/v1
+        kind: postgresql
+        metadata:
+          name: kpg-postgres
+          namespace: {{ .Values.namespace }}
+        spec:
+          volume:
+            size: {{ .Values.postgresql.volume.size | quote }}
+          postgresql:
+            version: {{ .Values.postgresql.version | quote }}
+
+  - name: kpg-keycloak
+    namespace: {{ .Values.namespace }}
+    chart: charts/keycloak
+    needs:
+    - kpg-postgresql
+    strategicMergePatches:
+      - apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: kpg-keycloak-crt
+          namespace: {{ .Values.namespace }}
+        spec:
+          dnsNames:
+            - {{ .Values.certificate.hostName }}
+          issuerRef:
+            name: {{ .Values.certificate.issuerRef }}
+      - apiVersion: networking.istio.io/v1beta1
+        kind: VirtualService
+        metadata:
+          name: kpg-keycloak
+          namespace: {{ .Values.namespace }}
+        spec:
+          hosts:
+            - {{ .Values.virtualService.hostName }}
+          gateways:
+            - {{ .Values.virtualService.gateway }}
+          http:
+            - route:
+              - destination:
+                  port:
+                    number: 8080
+                  host: kpg-keycloak-service.default.svc.cluster.local
+
+    jsonPatches:
+      - target:
+          group: k8s.keycloak.org
+          version: v2alpha1
+          kind: Keycloak
+          name: kpg-keycloak
+          namespace: {{ .Values.namespace }}
+        patch:
+          - op: replace
+            path: /spec/unsupported/podTemplate/spec/initContainers/0/image
+            value: {{ .Values.postgresql.waitForPg.image }}
+      - target:
+          kind: VirtualService
+          name: kpg-keycloak
+          namespace: {{ .Values.namespace }}
+          version: v1beta1
+          group: networking.istio.io
+        patch:
+          - op: replace
+            path: /spec/http/0/route/0/destination/host
+            value: kpg-keycloak-service.default.svc.cluster.local
+#          - op: replace
+#            path: /spec/tls/0/match/0/sniHosts/0
+#            value: {{ .Values.virtualService.hostName }}
+

+#!/bin/sh
+
+set -xe
+_msg() {
+  column_count=${#1}
+  echo "$1" 1>&2
+  _dotted=
+}
+_dot() {
+  [ "z$_dotted" = "z" ] && echo -n " " 1>&2 && _dotted=1
+  echo -n "." 1>&2
+  column_count=$(($column_count + 1))
+  if [ $column_count = 20 ]; then
+    echo
+    column_count=1
+  fi
+}
+_done() {
+  echo " done." 1>&2
+  column_count=1
+}
+_msg "Waiting for postgres to acception connections:"
+while :; do
+  tries=10
+  while [ $tries -gt 0 ]; do
+    if pg_isready -h "$PGHOST" 1>/dev/null 2>/dev/null; then break 2; fi
+    sleep 1
+    tries=$(($tries - 1))
+  done
+  _dot
+done
+_done
+_msg "Waiting for $PGUSER@$PGDATABASE to be available:"
+while :; do
+  tries=10
+  while [ $tries -gt 0 ]; do
+    if psql 1>/dev/null 2>/dev/null; then break 2; fi
+    sleep 1
+    tries=$(($tries - 1))
+  done
+  _dot
+done
+_done
+