diff --git a/ci-scripts/rhdh-setup/create_resource.sh b/ci-scripts/rhdh-setup/create_resource.sh
index c6316d5f..dfca49f7 100755
--- a/ci-scripts/rhdh-setup/create_resource.sh
+++ b/ci-scripts/rhdh-setup/create_resource.sh
@@ -195,7 +195,7 @@ get_group_path_by_name() {
   local group_name="$input"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
 
@@ -221,7 +221,7 @@ get_group_id_by_name() {
   group_name="$1"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
   
@@ -269,7 +269,7 @@ assign_parent_group() {
   attempt=1
   while (( attempt <= max_attempts )); do
     token=$(get_token)
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups/${parent_id}/children" \
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups/${parent_id}/children" \
       -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
       --data-raw '{"name":"'"${child_name}"'"}' 2>&1)"
     if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -296,7 +296,7 @@ create_group() {
       groupname="g${idx}"
       while ((attempt <= max_attempts)); do
         token=$(get_token)
-        response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+        response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
           -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
           --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
         if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -319,7 +319,7 @@ create_group() {
     groupname="g${idx}"
     while ((attempt <= max_attempts)); do
       token=$(get_token)
-      response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+      response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
         -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
         --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
       if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -443,8 +443,8 @@ create_user() {
   groups="$groups]"
   while ((attempt <= max_attempts)); do
     token=$(get_token)
-    username="t${0}"
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
+    username="t_${0}"
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/users" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
       --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com","emailVerified":"true", "enabled":"true", "username":"'"${username}"'","groups":'"$groups"',"credentials":[{"type":"password","value":"'"${KEYCLOAK_USER_PASS}"'","temporary":false}]}' 2>&1)"
@@ -499,7 +499,13 @@ log_token_err() {
 }
 
 keycloak_token() {
-  curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=$1" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
+  client_secret=$(oc -n "${RHDH_NAMESPACE}" get secret keycloak-client-secret-backstage -o template --template='{{.data.CLIENT_SECRET}}' | base64 -d)
+  curl -s -k "$(keycloak_url)/realms/backstage/protocol/openid-connect/token" \
+    -d username=guru \
+    -d "password=$1" \
+    -d 'grant_type=password' \
+    -d 'client_id=backstage' \
+    -d "client_secret=$client_secret" | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
 }
 
 rhdh_token() {
@@ -526,7 +532,7 @@ rhdh_token() {
     --data-urlencode "redirect_uri=${REDIRECT_URL}" \
     --data-urlencode "scope=openid email profile" \
     --data-urlencode "response_type=code" \
-    "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+    "$(keycloak_url)/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
 
   execution=$(echo "$AUTH_URL" | grep -oE 'execution=[^&]+' | grep -oE '[^=]+$')
   tab_id=$(echo "$AUTH_URL" | grep -oE 'tab_id=[^&]+' | grep -oE '[^=]+$')
@@ -588,7 +594,7 @@ get_token() {
         log_token_err "Unable to get $token_type token, re-attempting"
       fi
     else
-      keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret credential-rhdh-sso -o template --template='{{.data.ADMIN_PASSWORD}}' | base64 -d)
+      keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d)
       if ! keycloak_token "$keycloak_pass" >"$token_file"; then
         log_token_err "Unable to get $token_type token, re-attempting"
       fi
diff --git a/ci-scripts/rhdh-setup/deploy.sh b/ci-scripts/rhdh-setup/deploy.sh
index a587fe2d..cdb08982 100755
--- a/ci-scripts/rhdh-setup/deploy.sh
+++ b/ci-scripts/rhdh-setup/deploy.sh
@@ -61,6 +61,7 @@ export GROUP_COUNT="${GROUP_COUNT:-1}"
 export API_COUNT="${API_COUNT:-1}"
 export COMPONENT_COUNT="${COMPONENT_COUNT:-1}"
 export KEYCLOAK_USER_PASS=${KEYCLOAK_USER_PASS:-$(mktemp -u XXXXXXXXXX)}
+export KEYCLOAK_ADMIN_PASS=${KEYCLOAK_ADMIN_PASS:-admin}
 export AUTH_PROVIDER="${AUTH_PROVIDER:-''}"
 export ENABLE_RBAC="${ENABLE_RBAC:-false}"
 export ENABLE_ORCHESTRATOR="${ENABLE_ORCHESTRATOR:-false}"
@@ -234,11 +235,32 @@ keycloak_install() {
     )
     envsubst <template/keycloak/keycloak-op.yaml | $clin apply -f -
     envsubst <template/backstage/perf-test-secrets.yaml | $clin apply -f -
-    grep -m 1 "rhsso-operator" <($clin get pods -w)
-    wait_to_start deployment rhsso-operator 300 300
+    grep -m 1 "rhbk-operator" <($clin get pods -w)
+    wait_to_start deployment rhbk-operator 300 300
+
+    export KEYCLOAK_DB_PASSWORD
+    KEYCLOAK_DB_PASSWORD=$(mktemp -u XXXXXXXXXX)
+    export KEYCLOAK_DB_STORAGE
+    KEYCLOAK_DB_STORAGE=${KEYCLOAK_DB_STORAGE:-${RHDH_DB_STORAGE:-1Gi}}
+
+    log_info "Creating Keycloak PostgreSQL database with storage: $KEYCLOAK_DB_STORAGE"
+    envsubst <template/keycloak/keycloak-postgresql.yaml | $clin apply -f -
+    wait_to_start statefulset keycloak-postgresql 300 300
+
+    $clin create secret generic keycloak-db-user --from-literal=keycloak-db-user=keycloak --dry-run=client -o yaml | $clin apply -f -
+
     envsubst <template/keycloak/keycloak.yaml | $clin apply -f -
-    wait_to_start statefulset keycloak 450 600
-    envsubst <template/keycloak/keycloakRealm.yaml | $clin apply -f -
+    wait_to_start statefulset rhdh-keycloak 450 600
+
+    $clin create secret generic credential-rhdh-keycloak \
+        --from-literal=ADMIN_PASSWORD="$KEYCLOAK_ADMIN_PASS" \
+        --dry-run=client -o yaml | $clin apply -f -
+
+    $clin create route edge keycloak \
+        --service=rhdh-keycloak-service \
+        --port=8080 \
+        --dry-run=client -o yaml | $clin apply -f -
+
     if [ "$INSTALL_METHOD" == "helm" ]; then
         export OAUTH2_REDIRECT_URI="https://${RHDH_HELM_RELEASE_NAME}-developer-hub-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/oauth2/callback"
     elif [ "$INSTALL_METHOD" == "olm" ]; then
@@ -248,9 +270,9 @@ keycloak_install() {
             export OAUTH2_REDIRECT_URI="https://backstage-developer-hub-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/oauth2/callback"
         fi
     fi
-    envsubst <template/keycloak/keycloakClient.yaml | $clin apply -f -
     # shellcheck disable=SC2016
-    envsubst '${KEYCLOAK_USER_PASS}' <template/keycloak/keycloakUser.yaml | $clin apply -f -
+    envsubst '${KEYCLOAK_CLIENT_SECRET} ${OAUTH2_REDIRECT_URI} ${KEYCLOAK_USER_PASS} ${KEYCLOAK_ADMIN_PASS}' <template/keycloak/keycloakRealmImport.yaml | $clin apply -f -
+    $clin create secret generic keycloak-client-secret-backstage --from-literal=CLIENT_ID=backstage --from-literal=CLIENT_SECRET="$KEYCLOAK_CLIENT_SECRET" --dry-run=client -o yaml | oc apply -f -
 }
 
 create_users_groups() {
diff --git a/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml b/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml
index 8739b663..af676101 100644
--- a/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml
@@ -8,6 +8,25 @@ global:
     plugins:
       - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
         disabled: false
+        pluginConfig:
+          catalog:
+            providers:
+              keycloakOrg:
+                default:
+                  baseUrl: ${KEYCLOAK_BASE_URL}
+                  realm: ${KEYCLOAK_REALM}
+                  loginRealm: ${KEYCLOAK_LOGIN_REALM}
+                  clientId: ${CLIENT_ID}
+                  clientSecret: ${CLIENT_SECRET}
+                  userQuerySize: 1000
+                  groupQuerySize: 1000
+                  schedule:
+                    frequency:
+                      minutes: 30
+                    timeout:
+                      minutes: 1
+                    initialDelay:
+                      seconds: 15
       - package: ./dynamic-plugins/dist/backstage-community-plugin-analytics-provider-segment
         disabled: true
       # TechDocs
@@ -57,7 +76,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM
diff --git a/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml b/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml
index 8ed14b4d..9bb8f2cf 100644
--- a/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml
@@ -8,6 +8,25 @@ global:
     plugins:
       - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
         disabled: false
+        pluginConfig:
+          catalog:
+            providers:
+              keycloakOrg:
+                default:
+                  baseUrl: ${KEYCLOAK_BASE_URL}
+                  realm: ${KEYCLOAK_REALM}
+                  loginRealm: ${KEYCLOAK_LOGIN_REALM}
+                  clientId: ${CLIENT_ID}
+                  clientSecret: ${CLIENT_SECRET}
+                  userQuerySize: 1000
+                  groupQuerySize: 1000
+                  schedule:
+                    frequency:
+                      minutes: 30
+                    timeout:
+                      minutes: 1
+                    initialDelay:
+                      seconds: 15
       - package: ./dynamic-plugins/dist/backstage-community-plugin-analytics-provider-segment
         disabled: true
       # TechDocs
@@ -57,7 +76,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM
diff --git a/ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml b/ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml
index 9e47f850..7113da1e 100644
--- a/ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml
@@ -18,7 +18,7 @@ extraContainers:
             key: keycloak_cookie_secret
             name: perf-test-secrets
       - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
       - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
         value: "true"
       - name: OAUTH2_PROXY_LOGGING_LEVEL
diff --git a/ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml b/ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
index 904ab1f2..e4aa9514 100644
--- a/ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
@@ -18,7 +18,7 @@ spec:
     extraEnvs:
       envs:
         - name: KEYCLOAK_BASE_URL
-          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
         - name: KEYCLOAK_LOGIN_REALM
           value: "backstage"
         - name: KEYCLOAK_REALM
diff --git a/ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml b/ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml
index c5f7208b..39b4dd4b 100644
--- a/ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml
@@ -40,7 +40,7 @@ spec:
                   key: keycloak_cookie_secret
                   name: perf-test-secrets
             - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
             - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
               value: "true"
           image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloak-op.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloak-op.yaml
index d225abf1..41a34ba4 100644
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloak-op.yaml
+++ b/ci-scripts/rhdh-setup/template/keycloak/keycloak-op.yaml
@@ -1,7 +1,7 @@
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
-  name: rhsso-operator-group
+  name: rhbk-operator-group
 spec:
   targetNamespaces:
     - ${RHDH_NAMESPACE}
@@ -9,10 +9,10 @@ spec:
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
-  name: rhsso-operator
+  name: rhbk-operator
 spec:
-  channel: stable
-  name: rhsso-operator
+  channel: stable-v26.2
+  name: rhbk-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
   installPlanApproval: Automatic
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml
new file mode 100644
index 00000000..58663386
--- /dev/null
+++ b/ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+type: Opaque
+stringData:
+  postgres-password: ${KEYCLOAK_DB_PASSWORD}
+  password: ${KEYCLOAK_DB_PASSWORD}
+  replication-password: ${KEYCLOAK_DB_PASSWORD}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  type: ClusterIP
+  ports:
+    - name: tcp-postgresql
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app: keycloak-postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  serviceName: keycloak-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak-postgresql
+  template:
+    metadata:
+      labels:
+        app: keycloak-postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: registry.redhat.io/rhel9/postgresql-15:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: tcp-postgresql
+              containerPort: 5432
+          env:
+            - name: POSTGRESQL_USER
+              value: keycloak
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: password
+            - name: POSTGRESQL_DATABASE
+              value: keycloak
+            - name: POSTGRESQL_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: postgres-password
+            - name: PGDATA
+              value: /var/lib/pgsql/data/userdata
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/pgsql/data
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: ${KEYCLOAK_DB_STORAGE}
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloak.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloak.yaml
index b1ff5c72..0657f113 100644
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloak.yaml
+++ b/ci-scripts/rhdh-setup/template/keycloak/keycloak.yaml
@@ -1,10 +1,32 @@
-apiVersion: keycloak.org/v1alpha1
+apiVersion: k8s.keycloak.org/v2alpha1
 kind: Keycloak
 metadata:
-  name: rhdh-sso
+  name: rhdh-keycloak
   labels:
-    app: sso
+    app: keycloak
 spec:
   instances: ${RHDH_KEYCLOAK_REPLICAS}
-  externalAccess:
-    enabled: True
+  db:
+    vendor: postgres
+    host: keycloak-postgresql
+    port: 5432
+    database: keycloak
+    usernameSecret:
+      name: keycloak-db-user
+      key: keycloak-db-user
+    passwordSecret:
+      name: keycloak-postgresql
+      key: password
+  hostname:
+    strict: false
+  http:
+    httpEnabled: true
+  ingress:
+    enabled: true
+  additionalOptions:
+    - name: bootstrap-admin-username
+      value: admin
+    - name: bootstrap-admin-password
+      value: admin
+    - name: proxy-headers
+      value: forwarded
\ No newline at end of file
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloakClient.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloakClient.yaml
deleted file mode 100644
index ba47c607..00000000
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloakClient.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: keycloak.org/v1alpha1
-kind: KeycloakClient
-metadata:
-  name: backstage
-  labels:
-    app: sso
-spec:
-  client:
-    clientId: backstage
-    secret: ${KEYCLOAK_CLIENT_SECRET}
-    clientAuthenticatorType: client-secret
-    defaultClientScopes:
-    - profile
-    - email
-    - roles
-    directAccessGrantsEnabled: true
-    implicitFlowEnabled: false
-    publicClient: false
-    redirectUris:
-      - ${OAUTH2_REDIRECT_URI}
-    serviceAccountsEnabled: true
-    standardFlowEnabled: true
-  realmSelector:
-    matchLabels:
-      app: sso
-  serviceAccountClientRoles:
-    realm-management:
-    - query-groups
-    - query-users
-    - view-users
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloakRealm.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloakRealm.yaml
deleted file mode 100644
index 78be5854..00000000
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloakRealm.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: keycloak.org/v1alpha1
-kind: KeycloakRealm
-metadata:
-  name: backstage
-  labels:
-    app: sso
-spec:
-  realm:
-    id: "backstage"
-    realm: "backstage"
-    enabled: True
-    displayName: "Backstage Realm"
-  instanceSelector:
-    matchLabels:
-      app: sso
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloakRealmImport.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloakRealmImport.yaml
new file mode 100644
index 00000000..fe5bc67c
--- /dev/null
+++ b/ci-scripts/rhdh-setup/template/keycloak/keycloakRealmImport.yaml
@@ -0,0 +1,51 @@
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: KeycloakRealmImport
+metadata:
+  name: backstage-realm-import
+  labels:
+    app: keycloak
+spec:
+  keycloakCRName: rhdh-keycloak
+  realm:
+    id: "backstage"
+    realm: "backstage"
+    enabled: true
+    displayName: "Backstage Realm"
+    clients:
+      - clientId: backstage
+        secret: ${KEYCLOAK_CLIENT_SECRET}
+        clientAuthenticatorType: client-secret
+        defaultClientScopes:
+          - profile
+          - email
+          - roles
+        directAccessGrantsEnabled: true
+        implicitFlowEnabled: false
+        publicClient: false
+        redirectUris:
+          - ${OAUTH2_REDIRECT_URI}
+        serviceAccountsEnabled: true
+        standardFlowEnabled: true
+        serviceAccountClientRoles:
+          realm-management:
+            - query-groups
+            - query-users
+            - view-users
+            - view-clients
+            - view-realm
+            - manage-users
+            - manage-clients
+    users:
+      - username: guru
+        firstName: Guru
+        lastName: RHDH Admin
+        email: guru@test.com
+        enabled: true
+        emailVerified: true
+        credentials:
+          - type: password
+            value: ${KEYCLOAK_USER_PASS}
+            temporary: false
+        clientRoles:
+          realm-management:
+            - realm-admin
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
deleted file mode 100644
index 4254be85..00000000
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: keycloak.org/v1alpha1
-kind: KeycloakUser
-metadata:
-  name: guru
-  labels:
-    app: sso
-spec:
-  realmSelector:
-    matchLabels:
-      app: sso
-  user:
-    username: guru
-    firstName: Guru
-    lastName: RHDH Admin
-    email: guru@test.com
-    enabled: true
-    emailVerified: true
-    temporary: false
-    credentials:
-      - type: password
-        value: ${KEYCLOAK_USER_PASS}