diff --git a/apps/keycloak/dns-endpoint.yaml b/apps/keycloak/dns-endpoint.yaml
new file mode 100644
index 0000000..30af113
--- /dev/null
+++ b/apps/keycloak/dns-endpoint.yaml
@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: keycloak.michaelthomson.dev
+ namespace: keycloak
+spec:
+ endpoints:
+ - dnsName: keycloak.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - michaelthomson.ddns.net
+ providerSpecific:
+ - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+ value: "true"
diff --git a/apps/keycloak/namespace.yaml b/apps/keycloak/namespace.yaml
new file mode 100644
index 0000000..80e7888
--- /dev/null
+++ b/apps/keycloak/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keycloak
diff --git a/apps/keycloak/release.yaml b/apps/keycloak/release.yaml
new file mode 100644
index 0000000..379ff96
--- /dev/null
+++ b/apps/keycloak/release.yaml
@@ -0,0 +1,29 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: keycloak
+ namespace: keycloak
+spec:
+ chart:
+ spec:
+ chart: keycloak
+ version: 24.x
+ sourceRef:
+ kind: OCIRepository
+ name: keycloak
+ interval: 15m
+ releaseName: keycloak
+ values:
+ proxy: edge
+ production: true
+ ingress:
+ enabled: true
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ hostname: keycloak.michaelthomson.dev
+ tls: true
+ extraTls:
+ - hosts:
+ - keycloak.michaelthomson.dev
+ secretName: letsencrypt-wildcard-cert-michaelthomson.dev
diff --git a/apps/keycloak/repository.yaml b/apps/keycloak/repository.yaml
new file mode 100644
index 0000000..f6fb26d
--- /dev/null
+++ b/apps/keycloak/repository.yaml
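Review bot: In apps/keycloak/release.yaml the chart is referenced through `spec.chart.spec.sourceRef` with `kind: OCIRepository`, but in the `helm.toolkit.fluxcd.io/v2` API that field accepts only HelmRepository, GitRepository or Bucket, so the release will most likely be rejected at admission. An OCIRepository source is wired in with `chartRef: {kind: OCIRepository, name: keycloak}` in place of the whole `chart:` block. With `chartRef` the `version: 24.x` line no longer applies, so the version range has to be enforced on the OCIRepository itself. Separately, the ingress values publish the whole hostname with no path restriction visible in this commit, so it is worth confirming that the Keycloak admin console is not meant to be reachable on the same public route.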
@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: keycloak
+ namespace: keycloak
+spec:
+ interval: 15m
+ url: oci://registry-1.docker.io/bitnamicharts/keycloak
+ ref:
+ semver: ">=24.0.0"
diff --git a/bootstrap/apps/kustomization-keycloak.yaml b/bootstrap/apps/kustomization-keycloak.yaml
new file mode 100644
index 0000000..996a48e
--- /dev/null
+++ b/bootstrap/apps/kustomization-keycloak.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: keycloak
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./apps/keycloak
+ prune: false # remove any elements later removed from the above path
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ dependsOn:
+ - name: infra-configs
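Review bot: In apps/keycloak/repository.yaml, `semver: ">=24.0.0"` has no upper bound, so every 15-minute reconcile can pull a new major version of the identity provider's chart from a public registry with no review step. Bounding the range to match the intent stated in release.yaml, `semver: "24.x"`, keeps upgrades within one major. Pinning `ref.digest` once a version is validated is stricter still. If the chart publisher signs its OCI artifacts, adding a `spec.verify` block would also let Flux reject unsigned or tampered charts; that depends on the publisher and cannot be confirmed from this diff.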
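Review bot: In bootstrap/apps/kustomization-keycloak.yaml the comment on `prune: false` describes the opposite of what the value does: with pruning off, resources deleted from `./apps/keycloak` stay in the cluster. For this app that means a DNSEndpoint or ingress removed from Git would keep the public hostname and route live until someone deletes them by hand. Either set `prune: true` so the comment is accurate, or, if pruning is deliberately disabled to protect Keycloak's state, change the comment to `# resources removed from this path are NOT deleted; clean up manually`.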