diff --git a/fleet/lib/keycloak-pg/cluster-keycloak-pg.yaml b/fleet/lib/keycloak-pg/cluster-keycloak-pg.yaml index 00a7d3b80..989ef63f6 100644 --- a/fleet/lib/keycloak-pg/cluster-keycloak-pg.yaml +++ b/fleet/lib/keycloak-pg/cluster-keycloak-pg.yaml @@ -20,6 +20,10 @@ spec: max_connections: "500" shared_buffers: 256MB idle_session_timeout: 4h + "pgaudit.log": all, -misc + "pgaudit.log_catalog": "off" + "pgaudit.log_parameter": "on" + "pgaudit.log_relation": "on" pg_hba: - host replication postgres all md5 - host all all 139.229.134.0/23 md5 @@ -38,6 +42,8 @@ spec: monitoring: enablePodMonitor: true + podMonitorAdditionalLabels: + lsst.io/monitor: "true" resources: limits: diff --git a/fleet/lib/keycloak-pg/fleet.yaml b/fleet/lib/keycloak-pg/fleet.yaml index 0a9cbc861..55eb7b954 100644 --- a/fleet/lib/keycloak-pg/fleet.yaml +++ b/fleet/lib/keycloak-pg/fleet.yaml @@ -13,6 +13,17 @@ dependsOn: matchLabels: bundle: cnpg-system targetCustomizations: + - name: luan + clusterSelector: + matchExpressions: + - key: management.cattle.io/cluster-display-name + operator: In + values: + - ayekan + yaml: + overlays: + - generic + - ayekan - name: luan clusterSelector: matchExpressions: diff --git a/fleet/lib/keycloak-pg/overlays/ayekan/service-keycloak-pg.yaml b/fleet/lib/keycloak-pg/overlays/ayekan/service-keycloak-pg.yaml new file mode 100644 index 000000000..b41afafa0 --- /dev/null +++ b/fleet/lib/keycloak-pg/overlays/ayekan/service-keycloak-pg.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: keycloak-pg + labels: + cnpg.io/cluster: keycloak-pg + annotations: + metallb.universe.tf/loadBalancerIPs: 139.229.144.45 +spec: + ports: + - name: postgres + port: 5432 + protocol: TCP + selector: + cnpg.io/cluster: keycloak-pg + role: primary + type: LoadBalancer diff --git a/fleet/lib/keycloak-pre/externalsecret-keycloak-realm-master.yaml b/fleet/lib/keycloak-pre/externalsecret-keycloak-realm-master.yaml new file mode 100644 index 000000000..89a371f51 
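Review bot: `"pgaudit.log_parameter": "on"` in the cluster-keycloak-pg.yaml hunk makes pgaudit write the bound parameter values of every audited statement into the Postgres log, and with `"pgaudit.log": all, -misc` that covers reads and writes of everything Keycloak persists here — password hashes and salts, client secrets, session and offline-token rows — which then flow into whatever collects the pod logs. Unless that log pipeline is treated as secret-bearing, set `"pgaudit.log_parameter": "off"` (statements are still audited, only the literals are omitted), and consider narrowing to `"pgaudit.log": write, ddl, role`, since read auditing on a 500-connection IdP database is also a very high log volume. CNPG manages `shared_preload_libraries` for pgaudit itself, but it is worth confirming the operand image in use actually bundles the extension: without it these `pgaudit.*` settings are accepted as placeholder GUCs and audit nothing, so the hunk would give a false sense of coverage. A one-line comment above the block stating who consumes these audit logs and where they are retained would help the next reader judge the trade-off.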
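Review bot: The new targetCustomization in the keycloak-pg/fleet.yaml hunk is named `luan` although its clusterSelector matches `ayekan`, and the pre-existing entry directly below it also carries `name: luan`. Target names are how Fleet reports and distinguishes customizations in bundle status, so the duplicate at best makes the two indistinguishable and at worst lets one silently shadow the other; the keycloak/fleet.yaml hunk in this same commit correctly uses `name: ayekan` for the same cluster. Change the first line of the new entry to `- name: ayekan`.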
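Review bot: The new overlays/ayekan/service-keycloak-pg.yaml exposes the Keycloak database primary on a routable MetalLB address (139.229.144.45:5432) with no `loadBalancerSourceRanges`, so the only gate on the identity store is the cluster's `pg_hba`, which per the context in the first hunk allows `md5` from the whole 139.229.134.0/23 and `replication` for `postgres` from any host. If an external client genuinely needs this, add `loadBalancerSourceRanges:` with that client's CIDR(s), prefer `scram-sha-256` over `md5` in those pg_hba rules, and state the purpose in a comment on the Service; if it is only for operator convenience, `kubectl port-forward` avoids putting 5432 on the network at all. Also, the selector `role: primary` relies on a label that CNPG has been deprecating in favour of `cnpg.io/instanceRole`; confirm the installed operator version still sets it, otherwise the Service selects no endpoints.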
--- /dev/null +++ b/fleet/lib/keycloak-pre/externalsecret-keycloak-realm-master.yaml @@ -0,0 +1,14 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: keycloak-realm-master + namespace: keycloak +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword + data: + - secretKey: realm-master.json + remoteRef: + key: realm-master.json + property: notesPlain diff --git a/fleet/lib/keycloak/fleet.yaml b/fleet/lib/keycloak/fleet.yaml index b7a9ef134..b6f81dc75 100644 --- a/fleet/lib/keycloak/fleet.yaml +++ b/fleet/lib/keycloak/fleet.yaml @@ -21,6 +21,16 @@ dependsOn: matchLabels: bundle: keycloak-pg targetCustomizations: + - name: ayekan + clusterSelector: + matchExpressions: + - key: management.cattle.io/cluster-display-name + operator: In + values: + - ayekan + helm: + valuesFiles: + - overlays/ayekan/values.yaml - name: luan clusterSelector: matchExpressions: diff --git a/fleet/lib/keycloak/overlays/ayekan/values.yaml b/fleet/lib/keycloak/overlays/ayekan/values.yaml new file mode 100644 index 000000000..6d086455e --- /dev/null +++ b/fleet/lib/keycloak/overlays/ayekan/values.yaml 
@@ -0,0 +1,57 @@
+---
+replicaCount: 3
+
+resources:
+ limits:
+ cpu: 1000m
+ memory: 2Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
+
+extraEnvVars:
+ - name: KC_HEALTH_ENABLED
+ value: "true"
+ - name: KEYCLOAK_LOGLEVEL
+ value: INFO
+ - name: KEYCLOAK_PRODUCTION
+ value: "true"
+ - name: KEYCLOAK_PROXY
+ value: edge
+ - name: KC_HOSTNAME
+ value: keycloak.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+ - name: KC_HOSTNAME_STRICT
+ value: "true"
+ - name: KC_HOSTNAME_STRICT_HTTPS
+ value: "true"
+ - name: KC_HTTP_ENABLED
+ value: "false"
+ - name: KEYCLOAK_REGISTRATION
+ value: "false"
+
+ingress:
+ enabled: true
+ ingressClassName: nginx
+ servicePort: http
+ tls: true
+ hostname: keycloak.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+
+auth:
+ adminUser: rubinobs
+ existingSecret: keycloak-admin
+ passwordSecretKey: password
+
+postgresql:
+ enabled: false
+
+externalDatabase:
+ host: keycloak-pg.keycloak-pg.svc.cluster.local
+ port: 5432
+ user: keycloak
+ database: keycloak
+ existingSecret: keycloak-pg
+ existingSecretPasswordKey: password
diff --git a/fleet/s/dev/c/ayekan/cnpg-system b/fleet/s/dev/c/ayekan/cnpg-system
new file mode 120000
index 000000000..d67b55bb2
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/cnpg-system
@@ -0,0 +1 @@
+../../../../lib/cnpg-system
\ No newline at end of file
diff --git a/fleet/s/dev/c/ayekan/keycloak b/fleet/s/dev/c/ayekan/keycloak
new file mode 120000
index 000000000..e7a72b61d
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/keycloak
@@ -0,0 +1 @@
+../../../../lib/keycloak
\ No newline at end of file
diff --git a/fleet/s/dev/c/ayekan/keycloak-pg b/fleet/s/dev/c/ayekan/keycloak-pg
new file mode 120000
index 000000000..8a8ae7653
--- /dev/null
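Review bot: In the values.yaml hunk, `KC_HTTP_ENABLED: "false"` sits next to `KEYCLOAK_PROXY: edge` and an ingress with `servicePort: http`; edge mode means nginx terminates TLS and speaks plain HTTP to the pod, so disabling the HTTP listener leaves Keycloak serving only HTTPS (which in production mode needs its own key material) and the ingress backend unreachable — unless the Bitnami chart's own env handling overrides this variable, which is worth checking in the rendered Deployment. Either drop the `KC_HTTP_ENABLED` entry or point the ingress at the https port with backend re-encryption. Separately, recent Keycloak releases have replaced `KEYCLOAK_PROXY`/`KC_PROXY` with proxy-headers options and, I believe, removed `KC_HOSTNAME_STRICT_HTTPS` with hostname v2, so if the chart's image is a current one some of these variables may be ignored; a comment such as `# env names target Keycloak <version>; revisit on upgrade` above `extraEnvVars` would make that dependency visible.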
+++ b/fleet/s/dev/c/ayekan/keycloak-pg
@@ -0,0 +1 @@
+../../../../lib/keycloak-pg
\ No newline at end of file
diff --git a/fleet/s/dev/c/ayekan/keycloak-pre b/fleet/s/dev/c/ayekan/keycloak-pre
new file mode 120000
index 000000000..69e1997cb
--- /dev/null
+++ b/fleet/s/dev/c/ayekan/keycloak-pre
@@ -0,0 +1 @@
+../../../../lib/keycloak-pre
\ No newline at end of file