diff --git a/clusters/lychee/keycloak.yaml b/clusters/lychee/keycloak.yaml
new file mode 100644
index 0000000..829fd24
--- /dev/null
+++ b/clusters/lychee/keycloak.yaml
@@ -0,0 +1,138 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: lychee-keycloak
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ project: infrastructure
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: "https://172.16.152.1:6443"
+ namespace: mareshq-keycloak
+ source:
+ chart: keycloak
+ repoURL: oci://registry-1.docker.io/bitnamicharts/keycloak
+ targetRevision: 16.1.1
+ helm:
+ releaseName: keycloak
+ valuesObject:
+ auth:
+ adminUser: mareshqadmin
+ existingSecret: keycloak-admin-password
+ passwordSecretKey: password
+
+ global:
+ storageClass: hcloud-volumes
+
+ replicaCount: 2
+
+ pdb:
+ create: true
+ minAvailable: 1
+
+ autoscaling:
+ enabled: false
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
+
+ # Pods must be spread across nodes
+ # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
+ # podAntiAffinityPreset: hard
+
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ service:
+ type: ClusterIP
+ # http:
+ # enable: false
+
+ ingress:
+ enabled: true
+ hostname: sso.mareshq.com
+
+ servicePort: https
+
+ ingressClassName: nginx
+
+ tls: true
+
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ # Allow self-signed certificates on the backend
+ nginx.ingress.kubernetes.io/server-snippet: |
+ proxy_ssl_verify off;
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+
+ tls:
+ enabled: true
+ autoGenerated: true
+
+ production: true
+
+ metrics:
+ enabled: true
+
+ serviceMonitor:
+ enabled: false
+
+ postgresql:
+ enabled: false
+
+ externalDatabase:
+ existingSecret: keycloak-database
+ existingSecretHostKey: host
+ existingSecretPortKey: port
+ existingSecretDatabaseKey: database
+ existingSecretUserKey: username
+ existingSecretPasswordKey: password
+
+ startupProbe:
+ # Keycloak should be ready to serve requests within 15 minutes
+ enabled: true
+ initialDelaySeconds: 180 # 3min
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 80 # 12min
+ successThreshold: 1
+
+ # Custom theme installation and configuration
+ initContainers:
+ - name: theme-installer
+ image: busybox:latest
+ command:
+ - /bin/sh
+ - "-c"
+ - |
+ wget https://cdn.mareshq.com/keywind.tar.gz -O /tmp/keywind.tar.gz
+ tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
+
+ volumeMounts:
+ - mountPath: /opt/bitnami/keycloak/themes/keywind
+ name: theme
+
+ extraVolumes:
+ - name: theme
+ emptyDir: {}
+
+ extraVolumeMounts:
+ - name: theme
+ mountPath: /opt/bitnami/keycloak/themes/keywind
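Review bot: The `theme-installer` init container downloads `keywind.tar.gz` from `cdn.mareshq.com` on every pod start with no integrity check, from an unpinned `busybox:latest` image, and unpacks it into the Keycloak themes directory, so whoever can change that download controls the HTML and JavaScript served on the SSO login page; busybox's wget also performs no TLS certificate validation in many builds, which extends that trust to the network path as well. Pin the image by digest (`image: busybox:<TAG>@sha256:<DIGEST>`) and make the script fail closed on a mismatch, e.g. `set -eu` as the first line and `echo "<EXPECTED_SHA256>  /tmp/keywind.tar.gz" | sha256sum -c -` before the `tar` line — or better, bake the theme into an image built and scanned in CI. Note also that the archive is extracted into `/opt/bitnami/keycloak/themes` while only the `keywind` subdirectory is the shared emptyDir, so unless the tarball's top-level directory is `keywind/` the files land on the init container's own filesystem and never reach the Keycloak container; worth confirming against the archive layout. Separately, the comment says pods must be spread across nodes but `podAntiAffinityPreset: hard` is left commented out, so with `replicaCount: 2` both replicas may be scheduled onto one node and the PDB's `minAvailable: 1` gives little real protection.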