fix(k8s): stabilize keycloak rollout and align CD deploy manifests

Update Keycloak probe/realm import behavior and authority config so auth services start reliably on the dev cluster, while keeping CD deployment steps aligned with the actual Kubernetes overlay behavior.

.gitea/workflows/cd-deploy.yml

@@ -47,11 +47,12 @@ jobs:
       - name: Kustomize Edit Image Tag
         working-directory: ./infra/k8s/overlays/dev
         run: |
-          kustomize edit set image 192.168.241.13:8080/workclub-api=192.168.241.13:8080/workclub-api:$IMAGE_TAG
-          kustomize edit set image 192.168.241.13:8080/workclub-frontend=192.168.241.13:8080/workclub-frontend:$IMAGE_TAG
+          kustomize edit set image workclub-api=192.168.241.13:8080/workclub-api:$IMAGE_TAG
+          kustomize edit set image workclub-frontend=192.168.241.13:8080/workclub-frontend:$IMAGE_TAG
 
       - name: Deploy to Kubernetes
         run: |
+          set -euo pipefail
           export KUBECONFIG=$HOME/.kube/config
           mkdir -p $HOME/.kube
           if echo "${{ secrets.KUBECONFIG }}" | grep -q "apiVersion"; then
@@ -63,28 +64,34 @@ jobs:
             printf '%s' "${{ secrets.KUBECONFIG }}" | base64 -d > $KUBECONFIG
           fi
           chmod 600 $KUBECONFIG
+
+          kubectl --kubeconfig="$KUBECONFIG" config view >/dev/null
           
           # Diagnostics
           echo "Kubeconfig path: $KUBECONFIG"
           echo "Kubeconfig size: $(wc -c < $KUBECONFIG) bytes"
           echo "Available contexts:"
-          kubectl config get-contexts
+          kubectl --kubeconfig="$KUBECONFIG" config get-contexts
           
           if ! grep -q "current-context" $KUBECONFIG; then
             echo "Warning: current-context missing, attempting to fix..."
-            FIRST_CONTEXT=$(kubectl config get-contexts -o name | head -n 1)
+            FIRST_CONTEXT=$(kubectl --kubeconfig="$KUBECONFIG" config get-contexts -o name | head -n 1)
             if [ -n "$FIRST_CONTEXT" ]; then
-              kubectl config use-context "$FIRST_CONTEXT"
+              kubectl --kubeconfig="$KUBECONFIG" config use-context "$FIRST_CONTEXT"
             fi
           fi
           
-          echo "Current context: $(kubectl config current-context)"
+          echo "Current context: $(kubectl --kubeconfig="$KUBECONFIG" config current-context)"
           
           # Ensure target namespace exists
-          kubectl create namespace workclub-dev --dry-run=client -o yaml | kubectl apply -f -
+          kubectl --kubeconfig="$KUBECONFIG" create namespace workclub-dev --dry-run=client -o yaml | kubectl --kubeconfig="$KUBECONFIG" apply -f -
           
-          # Delete existing StatefulSet to allow immutable field changes (vct -> emptyDir)
-          kubectl delete statefulset workclub-postgres -n workclub-dev --ignore-not-found
-          
-          kubectl config view --minify # Verification of context
-          kubectl apply -k infra/k8s/overlays/dev
+          # Apply manifests (non-destructive by default; avoid DB state churn)
+          kubectl --kubeconfig="$KUBECONFIG" config view --minify # Verification of context
+          kustomize build --load-restrictor LoadRestrictionsNone infra/k8s/overlays/dev | kubectl --kubeconfig="$KUBECONFIG" apply -f -
+
+          # Rollout verification
+          kubectl --kubeconfig="$KUBECONFIG" rollout status statefulset/workclub-postgres -n workclub-dev --timeout=300s
+          kubectl --kubeconfig="$KUBECONFIG" rollout status deployment/workclub-keycloak -n workclub-dev --timeout=600s
+          kubectl --kubeconfig="$KUBECONFIG" rollout status deployment/workclub-api -n workclub-dev --timeout=300s
+          kubectl --kubeconfig="$KUBECONFIG" rollout status deployment/workclub-frontend -n workclub-dev --timeout=300s