[MOSIP-39951] Updated keycloak init scripts with keycloakExternalHost…

[bhumi46]

…, keycloakInternalHost, and frontendUrl configurations. Fixed YAML indentation and removed non-existent sa_client_roles. Added helpful comments for client secrets management.

Summary by CodeRabbit

• New Features

  • Added client secret placeholders to support secret provisioning and preservation during upgrade/import.
  • Added client scope assignments for resident and management clients to enable additional capabilities.

• Bug Fixes

  • Treat empty or whitespace secrets as missing and auto-generate new secrets when needed.

• Chores

  • Restructured realm/init configuration to flatter mappings and expanded role lists across many clients.
  • Consolidated upgrade/import flow with explicit host settings, waits, and cleanup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Reformats Keycloak realm YAML from a single block into top-level mappings (introducing del_realms, expanded mosip roles, and clientSecrets), expands many client role/mapping entries and client scopes, and refactors Helm init/upgrade scripts to use KEYCLOAK_SERVICE_NAME, perform upgrade→import flows with waits and cleanup; small secret-handling robustness fix in Python init.

Changes

Cohort / File(s)	Summary
Keycloak value files deploy/import-init-values.yaml, deploy/upgrade-init-values.yaml	Replaced keycloak.realms block scalar with top-level del_realms and mosip mappings; expanded mosip.roles and many client saroles/mappers; added numerous assign_client_scopes; introduced top-level clientSecrets; broad formatting/indentation changes.
Helm deployment scripts deploy/import-init.sh, deploy/upgrade-init.sh	Added KEYCLOAK_SERVICE_NAME; switched to explicit helm upgrade/install flows that set keycloakExternalHost, keycloakInternalHost, and frontendUrl; consolidated upgrade job with --wait, cleanup uninstall, then import release with wait; quoted jsonpath expression and adjusted entrypoint to upgrade_init.
Keycloak init helper keycloak-init/keycloak_init.py	Made secret check more robust by treating missing or empty/whitespace secrets as absent and generating a new secret when needed (handles empty-string secrets).

Sequence Diagram(s)

sequenceDiagram
    participant Operator as "Operator\n(script)"
    participant Helm as "Helm"
    participant K8s as "Kubernetes API"
    participant Keycloak as "Keycloak"

    Operator->>Helm: helm upgrade/install keycloak-init-upgrade\n--values upgrade-init-values.yaml\n--set keycloakExternalHost, keycloakInternalHost, frontendUrl
    Helm->>K8s: create upgrade Job & resources
    K8s->>Keycloak: run upgrade job (perform realm/client updates)
    K8s-->>Helm: Job completes
    Helm-->>Operator: upgrade status
    Operator->>Helm: helm uninstall keycloak-init-upgrade (cleanup)
    Operator->>Helm: helm upgrade/install keycloak-init-import\n--values import-init-values.yaml\n--set keycloakExternalHost, keycloakInternalHost, frontendUrl
    Helm->>K8s: create import Job & resources
    K8s->>Keycloak: run import job (apply realms/clients/secrets)
    K8s-->>Helm: Job completes
    Helm-->>Operator: import status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇
I hopped through mappings, roles in tow,
Split realms, set scopes, let client secrets grow,
Helm leapt twice — upgrade then import tune,
Jobs waited, cleaned, beneath the moon,
A rabbit cheers — configs polished soon 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title refers to adding keycloak host and URL configurations, which aligns with the main change of updating init scripts with new environment variables (keycloakExternalHost, keycloakInternalHost, frontendUrl). However, the title is truncated and incomplete.	Complete the truncated title to fully describe the changes, e.g., 'MOSIP-39951 Updated keycloak init scripts with keycloakExternalHost, keycloakInternalHost, and frontendUrl configurations.'
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

deploy/upgrade-init.sh (1)

2-4: ⚠️ Potential issue | 🟡 Minor

Stale usage comment — still references import-init.sh.

The header says # ./import-init.sh [kube_config_file] but this file is upgrade-init.sh.

Proposed fix

-# Initialize Imported Keycloak with MOSIP base data
+# Upgrade Keycloak with MOSIP base data
 # Usage:
-# ./import-init.sh [kube_config_file]
+# ./upgrade-init.sh [kube_config_file]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/upgrade-init.sh` around lines 2 - 4, The usage comment at the top of
upgrade-init.sh is stale and still references import-init.sh; update the header
comment to reflect the correct script name and usage (e.g., change "#
./import-init.sh [kube_config_file]" to "# ./upgrade-init.sh [kube_config_file]"
or a generic "Usage: ./upgrade-init.sh [kube_config_file]") so the file-level
comment in upgrade-init.sh accurately describes how to invoke this script.

deploy/import-init-values.yaml (1)

214-223: ⚠️ Potential issue | 🟡 Minor

Duplicate mosip-creser-idpass-client definition (same issue as upgrade file).

This client appears at lines 214–223 and again at lines 383–392 with identical content. Remove one of the duplicates.

Also applies to: 383-392

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/import-init-values.yaml` around lines 214 - 223, Remove the duplicate
client definition for "mosip-creser-idpass-client" in
deploy/import-init-values.yaml by keeping a single entry with its mappers and
saroles and deleting the redundant block; ensure the remaining block preserves
the exact mappers: [] and saroles list (REGISTRATION_PROCESSOR, DATA_READ,
DOCUMENT_READ, BIOMETRIC_READ, METADATA_READ, CREATE_SHARE, CREDENTIAL_REQUEST)
and scan the file for any other identical duplicates (including the
upgrade-related section) so only one canonical definition remains.

🧹 Nitpick comments (2)

deploy/import-init.sh (1)

21-25: helm install will fail if the release already exists; consider helm upgrade --install.

upgrade-init.sh uses helm upgrade --install (idempotent), but this script uses plain helm install, which will error out if keycloak-import is already installed (e.g., a partial re-run). Using upgrade --install would make the script re-runnable.

Proposed fix

-  helm -n $NS install keycloak-import mosip/keycloak-init \
+  helm -n $NS upgrade --install keycloak-import mosip/keycloak-init \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/import-init.sh` around lines 21 - 25, The helm invocation uses a plain
"helm install keycloak-import ..." which will fail if the release already
exists; change the command to use "helm upgrade --install keycloak-import ..."
(keep the same release name "keycloak-import", chart "mosip/keycloak-init" and
all existing --set flags and -f import-init-values.yaml --version
$CHART_VERSION) so the script becomes idempotent and can be re-run safely.

deploy/upgrade-init.sh (1)

21-25: Duplicated helm command block — extract into a helper function.

The helm install invocation with keycloakExternalHost, keycloakInternalHost, and frontendUrl is repeated identically across both steps (and also in import-init.sh). A helper function would reduce duplication and the risk of the parameters drifting out of sync.

Also applies to: 34-38

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/upgrade-init.sh` around lines 21 - 25, Extract the repeated helm
upgrade/install invocation into a single helper function (e.g.,
run_keycloak_helm) that accepts no args and uses the existing variables (NS,
IAM_HOST, KEYCLOAK_SERVICE_NAME, CHART_VERSION) to run: helm -n $NS upgrade
--install keycloak-init-upgrade mosip/keycloak-init with --set
keycloakExternalHost="$IAM_HOST", --set
keycloakInternalHost="$KEYCLOAK_SERVICE_NAME.$NS", --set
keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth",
-f upgrade-init-values.yaml, --version $CHART_VERSION and --wait; then replace
the duplicated helm blocks in this file (and the copy in import-init.sh) with a
single call to run_keycloak_helm, ensuring environment variables used by the
original command remain unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/import-init-values.yaml`:
- Around line 3-5: The del_realms value is nested under realms_to_delete which
conflicts with the expected schema used elsewhere (see
upgrade-init-values.yaml); update the deploy/import-init-values.yaml to align
with the keycloak-init chart by making del_realms a flat list (remove the
intermediate realms_to_delete key) so the chart sees del_realms as the list of
realm names (e.g., include "preregistration" directly under del_realms) or, if
the chart actually expects the nested form, update upgrade-init-values.yaml
instead—ensure both files use the same structure for the del_realms key.
- Around line 518-572: The clientSecrets block is out of sync with the clients
list: add entries for mosip_partner_client_secret and
mosip_partnermanager_client_secret (so their secrets are present), and reconcile
mpartner_default_template_secret (either remove it from clientSecrets or ensure
a corresponding client exists) so every secret name (e.g.,
mosip_partner_client_secret, mosip_partnermanager_client_secret,
mpartner_default_template_secret) matches a defined client; update the
clientSecrets array accordingly to mirror the clients list exactly.

In `@deploy/import-init.sh`:
- Line 18: The kubectl invocation that sets IAM_HOST uses an unquoted jsonpath
expression which can be misinterpreted by the shell; update the assignment that
sets IAM_HOST (the line containing IAM_HOST and the kubectl get cm global -o
jsonpath=...) to pass the jsonpath argument in quotes (e.g., wrap the
{.data.mosip-iam-external-host} expression in single or double quotes) so the
braces are not interpreted by the shell.

In `@deploy/upgrade-init-values.yaml`:
- Around line 2-4: Both files incorrectly structure the Realm deletion settings:
replace the current del_realms list/nested mapping with a boolean flag and move
the realm names into a sibling list named realms_to_delete; specifically, set
del_realms to true and create a sibling key realms_to_delete containing the
existing realm entries (e.g., preregistration), and remove any nesting of
realms_to_delete under del_realms so del_realms and realms_to_delete are peers;
reference keys: del_realms and realms_to_delete.

In `@deploy/upgrade-init.sh`:
- Line 18: The shell assignment to IAM_HOST uses an unquoted JSONPath expression
which triggers SC1083; update the kubectl invocation that sets IAM_HOST (the
line using kubectl get cm global -o jsonpath=...) to quote the JSONPath
expression (e.g., wrap {.data.mosip-iam-external-host} in single or double
quotes) so the shell parses it correctly and avoids word-splitting or brace
interpretation errors.
- Around line 27-31: The kubectl wait command currently swallows failures via
"|| true", letting the script proceed to "helm -n $NS uninstall
keycloak-init-upgrade" and subsequent import even if the upgrade job failed;
remove the "|| true" and instead detect failure of the kubectl wait (the kubectl
wait invocation that targets the job label
app.kubernetes.io/instance=keycloak-init-upgrade) and exit non-zero (or log an
explicit error and prompt for confirmation) so the script fails fast and does
not run helm uninstall or the import when the upgrade didn't complete; ensure
the handling references the same NS variable and provides a clear log message on
failure.

---

Outside diff comments:
In `@deploy/import-init-values.yaml`:
- Around line 214-223: Remove the duplicate client definition for
"mosip-creser-idpass-client" in deploy/import-init-values.yaml by keeping a
single entry with its mappers and saroles and deleting the redundant block;
ensure the remaining block preserves the exact mappers: [] and saroles list
(REGISTRATION_PROCESSOR, DATA_READ, DOCUMENT_READ, BIOMETRIC_READ,
METADATA_READ, CREATE_SHARE, CREDENTIAL_REQUEST) and scan the file for any other
identical duplicates (including the upgrade-related section) so only one
canonical definition remains.

In `@deploy/upgrade-init.sh`:
- Around line 2-4: The usage comment at the top of upgrade-init.sh is stale and
still references import-init.sh; update the header comment to reflect the
correct script name and usage (e.g., change "# ./import-init.sh
[kube_config_file]" to "# ./upgrade-init.sh [kube_config_file]" or a generic
"Usage: ./upgrade-init.sh [kube_config_file]") so the file-level comment in
upgrade-init.sh accurately describes how to invoke this script.

---

Nitpick comments:
In `@deploy/import-init.sh`:
- Around line 21-25: The helm invocation uses a plain "helm install
keycloak-import ..." which will fail if the release already exists; change the
command to use "helm upgrade --install keycloak-import ..." (keep the same
release name "keycloak-import", chart "mosip/keycloak-init" and all existing
--set flags and -f import-init-values.yaml --version $CHART_VERSION) so the
script becomes idempotent and can be re-run safely.

In `@deploy/upgrade-init.sh`:
- Around line 21-25: Extract the repeated helm upgrade/install invocation into a
single helper function (e.g., run_keycloak_helm) that accepts no args and uses
the existing variables (NS, IAM_HOST, KEYCLOAK_SERVICE_NAME, CHART_VERSION) to
run: helm -n $NS upgrade --install keycloak-init-upgrade mosip/keycloak-init
with --set keycloakExternalHost="$IAM_HOST", --set
keycloakInternalHost="$KEYCLOAK_SERVICE_NAME.$NS", --set
keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAM_HOST/auth",
-f upgrade-init-values.yaml, --version $CHART_VERSION and --wait; then replace
the duplicated helm blocks in this file (and the copy in import-init.sh) with a
single call to run_keycloak_helm, ensuring environment variables used by the
original command remain unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and examine both files
echo "=== upgrade-init-values.yaml ===" && \
cat -n deploy/upgrade-init-values.yaml 2>/dev/null || echo "File not found"

echo -e "\n=== import-init-values.yaml ===" && \
cat -n deploy/import-init-values.yaml 2>/dev/null || echo "File not found"

echo -e "\n=== Searching for del_realms/realms_to_delete usage ===" && \
rg -rn 'del_realms|realms_to_delete' deploy/ --type yaml

Repository: mosip/keycloak

Length of output: 1727

---

🌐 Web query:

keycloak-init helm chart del_realms realms_to_delete MOSIP

💡 Result:

In MOSIP’s keycloak-init tooling, the Helm values:

• del_realms: a boolean flag that tells the keycloak_init.py logic to run the delete-realms step.
• realms_to_delete: the list of Keycloak realm names that should be deleted when del_realms: true.

This capability exists because MOSIP added methods in keycloak_init.py to delete realms (along with related cleanup actions) as part of its keycloak-init enhancements. (issues.ecosyste.ms)

A typical values snippet looks like:

del_realms: true
realms_to_delete:
  - realm1
  - realm2

Caution: deleting realms is destructive (removes realm config/users/clients under that realm). Also, MOSIP notes that keycloak-init generally adds/updates and that “cleanup” may otherwise require manual action/resetting persistence, so use realm deletion intentionally. (docs.mosip.io)

Citations:

• 1: https://issues.ecosyste.ms/hosts/GitHub/repositories/mosip%2Fkeycloak/issues?utm_source=openai
• 2: https://docs.mosip.io/platform/build-and-deploy/sandbox-installer?utm_source=openai

---

Both files have incorrect del_realms structure.

According to MOSIP keycloak-init specification, del_realms should be a boolean flag and realms_to_delete should be a sibling list:

del_realms: true
realms_to_delete:
  - preregistration

• upgrade-init-values.yaml (lines 3–4) incorrectly treats del_realms as a list.
• import-init-values.yaml (lines 3–5) incorrectly nests realms_to_delete under del_realms.

Update both files to match the specification above.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/upgrade-init-values.yaml` around lines 2 - 4, Both files incorrectly
structure the Realm deletion settings: replace the current del_realms
list/nested mapping with a boolean flag and move the realm names into a sibling
list named realms_to_delete; specifically, set del_realms to true and create a
sibling key realms_to_delete containing the existing realm entries (e.g.,
preregistration), and remove any nesting of realms_to_delete under del_realms so
del_realms and realms_to_delete are peers; reference keys: del_realms and
realms_to_delete.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy/import-init-values.yaml (1)

382-391: ⚠️ Potential issue | 🟠 Major

Duplicate client definition for mosip-creser-idpass-client.

This client is already defined at lines 213-223 with identical configuration. The duplicate will either cause the init script to fail when attempting to create an already-existing client, or silently overwrite the previous definition.

Remove this duplicate block.

🐛 Proposed fix

-       - name: mosip-creser-idpass-client
-         mappers: []
-         saroles:
-           - REGISTRATION_PROCESSOR
-           - DATA_READ
-           - DOCUMENT_READ
-           - BIOMETRIC_READ
-           - METADATA_READ
-           - CREATE_SHARE
-           - CREDENTIAL_REQUEST
-

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/import-init-values.yaml` around lines 382 - 391, Remove the duplicated
client block for "mosip-creser-idpass-client" found in the shown YAML snippet
(it is already declared earlier as the identical client); delete this duplicate
mapping (the entire sequence starting with "- name: mosip-creser-idpass-client"
and its nested mappers/saroles) so only the original definition remains to avoid
creation conflicts or overwrites.

♻️ Duplicate comments (1)

deploy/upgrade-init.sh (1)

18-18: ⚠️ Potential issue | 🟡 Minor

Quote the JSONPath expression to avoid shell parsing issues.

The unquoted braces trigger SC1083 warnings and may cause unexpected behavior in some shell environments.

Proposed fix

-  IAM_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-iam-external-host})
+  IAM_HOST=$(kubectl get cm global -o jsonpath='{.data.mosip-iam-external-host}')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/upgrade-init.sh` at line 18, The kubectl JSONPath expression used to
set IAM_HOST is unquoted and can trigger shell parsing issues (SC1083); update
the command that assigns IAM_HOST (the kubectl get cm global -o jsonpath=...) to
quote the JSONPath expression (e.g., wrap {.data.mosip-iam-external-host} in
single or double quotes) so the shell treats the braces as a single argument and
avoids parsing warnings or unexpected behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@deploy/import-init-values.yaml`:
- Around line 382-391: Remove the duplicated client block for
"mosip-creser-idpass-client" found in the shown YAML snippet (it is already
declared earlier as the identical client); delete this duplicate mapping (the
entire sequence starting with "- name: mosip-creser-idpass-client" and its
nested mappers/saroles) so only the original definition remains to avoid
creation conflicts or overwrites.

---

Duplicate comments:
In `@deploy/upgrade-init.sh`:
- Line 18: The kubectl JSONPath expression used to set IAM_HOST is unquoted and
can trigger shell parsing issues (SC1083); update the command that assigns
IAM_HOST (the kubectl get cm global -o jsonpath=...) to quote the JSONPath
expression (e.g., wrap {.data.mosip-iam-external-host} in single or double
quotes) so the shell treats the braces as a single argument and avoids parsing
warnings or unexpected behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e07e7110-0e09-4a58-bec5-ab8d32b04a6a

📥 Commits

Reviewing files that changed from the base of the PR and between bf7cbb5 and f956ee3.

📒 Files selected for processing (2)

• deploy/import-init-values.yaml
• deploy/upgrade-init.sh

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/import-init-values.yaml`:
- Around line 1-6: The importer currently iterates top-level keys as realm names
and will break if YAML is wrapped under keycloak; update the iteration in the
importer (the block around keycloak_init.py lines that reference values and
del_realms) to first detect and unwrap the wrapper by using
values["keycloak"]["realms"] when present (or fallback to the current top-level
structure), then proceed to read realms_to_delete/del_realms and create/delete
realms as before; alternatively, revert the YAML to the original flattened
schema so that the importer continues to iterate top-level realm names.
- Around line 513-574: The importer currently only generates a random secret
when the env var is missing; update keycloak_init.py (around the code at lines
730-740) to treat empty-string environment values as "missing" too: in the logic
that reads client secret env vars (the function/method that builds client
secrets / the code that calls os.environ.get or similar), change the check to
consider blank or whitespace-only strings equivalent to None (e.g., if not value
or value.strip() == "" then generate_random_secret()), so any explicit empty
secret in the job env triggers random generation; optionally update the
surrounding comment text if you prefer keeping current behavior instead.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 17bc0f20-c242-4696-b42d-bd1fdbcb681a

📥 Commits

Reviewing files that changed from the base of the PR and between 5bca376 and 744e844.

📒 Files selected for processing (1)

• deploy/import-init-values.yaml

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/import-init-values.yaml`:
- Around line 380-389: The file contains a duplicate Keycloak client definition
for mosip-creser-idpass-client with identical saroles; remove the redundant
client block so only one mosip-creser-idpass-client entry remains, ensuring YAML
structure stays valid after deletion and that saroles (REGISTRATION_PROCESSOR,
DATA_READ, DOCUMENT_READ, BIOMETRIC_READ, METADATA_READ, CREATE_SHARE,
CREDENTIAL_REQUEST) are preserved in the single remaining definition; after
removal, run a quick YAML lint or validation to confirm no syntax issues.

In `@deploy/upgrade-init-values.yaml`:
- Around line 246-255: There is a duplicate client entry for
"mosip-creser-idpass-client" defined twice; remove the redundant definition (the
second occurrence) that contains the identical saroles to avoid duplicate client
declarations—locate the second block that lists name: mosip-creser-idpass-client
with saroles REGISTRATION_PROCESSOR, DATA_READ, DOCUMENT_READ, BIOMETRIC_READ,
METADATA_READ, CREATE_SHARE, CREDENTIAL_REQUEST and delete that entire client
block so only the first definition remains.
- Around line 348-402: The clientSecrets list is out of sync: add entries for
the missing secrets mosip_partner_client_secret and
mosip_partnermanager_client_secret to match the clients mosip-partner-client and
mosip-partnermanager-client, and remove the orphaned
mpartner_default_template_secret entry (or add its missing client if intended);
update the clientSecrets block so it includes mosip_partner_client_secret and
mosip_partnermanager_client_secret and no longer contains
mpartner_default_template_secret to keep secrets aligned with client
definitions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9127a563-86ba-40bc-a281-84b1d4d2752a

📥 Commits

Reviewing files that changed from the base of the PR and between 744e844 and 7f75847.

📒 Files selected for processing (3)

• deploy/import-init-values.yaml
• deploy/upgrade-init-values.yaml
• keycloak-init/keycloak_init.py