M6 (part 2): recipe #2 keycloak install green (DB-backed, no harness surgery)

keycloak+mariadb deployed via only tests/keycloak/recipe_meta.py + test_install.py
(realm health + Playwright admin login). Proves recipe-agnostic enrollment (D5).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL.md

@@ -409,3 +409,17 @@ harness-code change (D5):
 
 **Next:** mirror hedgedoc (postgres+hedgedoc, DB-backed) via the mirror+PR flow with a committed
 tests/ dir, write tests/hedgedoc/ (install/upgrade/backup + recipe_meta), run all stages + D4 green.
+
+## 2026-05-27 — M6 (part 2): recipe #2 keycloak install green (DB-backed, no harness surgery)
+
+Enrolled keycloak (recipe #2): keycloak 26.6.2 **+ mariadb 12.2** — genuinely DB-backed/multi-service
+(vs custom-html stateless). Added only `tests/keycloak/recipe_meta.py` (HEALTH_PATH=/realms/master,
+HEALTH_OK=(200,), 600s timeouts) + `tests/keycloak/test_install.py` (realm-endpoint health +
+Playwright admin-console login). **No change to runner/harness code** — the recipe-agnostic harness
+(per-recipe meta) handled it (D5 evidence).
+
+Run: `RECIPE=keycloak STAGES=install cc-ci-run runner/run_recipe_ci.py` → 2 passed in 545s (keycloak
+is slow: image pull + JVM + mariadb migration). Teardown clean (0 keyc-* services/volumes after).
+
+**Next:** D4 demo via a mirror shipping committed tests/ (recipe-local run against live app); then
+keycloak upgrade + backup/restore (DB data survival via a realm marker through the admin API).

tests/keycloak/recipe_meta.py

@@ -0,0 +1,6 @@
+# Per-recipe harness config for keycloak (DB-backed: keycloak + mariadb). Read by the shared
+# conftest — enrolling this recipe needs NO change to runner/harness code (D5).
+HEALTH_PATH = "/realms/master"          # 200 JSON once keycloak is up (not "/", which redirects)
+HEALTH_OK = (200,)
+DEPLOY_TIMEOUT = 600                     # JVM + DB migration are slow on a 2-vCPU VM
+HTTP_TIMEOUT = 600

tests/keycloak/test_install.py

@@ -0,0 +1,28 @@
+"""keycloak — install stage (recipe #2, DB-backed SSO; D2 install + D3 Playwright)."""
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import lifecycle  # noqa: E402
+
+
+def test_realm_endpoint_healthy(deployed_app):
+    """The master realm endpoint answers 200 over HTTPS (keycloak + mariadb are up)."""
+    assert lifecycle.http_get(deployed_app, "/realms/master") == 200
+
+
+def test_playwright_admin_login(deployed_app):
+    """A real browser loads the keycloak admin console (renders the sign-in UI)."""
+    from playwright.sync_api import sync_playwright
+
+    url = f"https://{deployed_app}/admin/master/console/"
+    with sync_playwright() as p:
+        browser = p.chromium.launch(args=["--no-sandbox"])
+        try:
+            page = browser.new_context(ignore_https_errors=True).new_page()
+            page.goto(url, wait_until="domcontentloaded", timeout=45000)
+            # admin console redirects to the login form; wait for a username field to render
+            page.wait_for_selector("input#username, input[name='username']", timeout=30000)
+            assert "keycloak" in page.content().lower() or page.locator("input#username").count() > 0
+        finally:
+            browser.close()