diff --git a/base/keycloak-olm/deploy-keycloak-job.yaml b/base/keycloak-olm/deploy-keycloak-job.yaml
new file mode 100644
index 0000000..fe3c33a
--- /dev/null
+++ b/base/keycloak-olm/deploy-keycloak-job.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deploy-keycloak-operator
+spec:
+ template:
+ spec:
+ serviceAccountName: deploy-keycloak-operator
+ containers:
+ - name: deploy-keycloak-operator
+ image: docker.io/bitnami/kubectl:latest
+ command: ["/bin/bash", "-cx"]
+ args: ["./deploy-keycloak.sh"]
+ volumeMounts:
+ - name: keycloak-operator-resources
+ mountPath: deploy-keycloak.sh
+ subPath: deploy-keycloak.sh
+ - name: keycloak-operator-resources
+ mountPath: resources/keycloak.yaml
+ subPath: keycloak.yaml
+ - name: keycloak-operator-resources
+ mountPath: resources/keycloak-subscription.yaml
+ subPath: keycloak-subscription.yaml
+ - name: keycloak-operator-resources
+ mountPath: resources/load-balancer-service.yaml
+ subPath: load-balancer-service.yaml
+ - name: keycloak-operator-resources
+ mountPath: resources/operator-group.yaml.tpl
+ subPath: operator-group.yaml.tpl
+ volumes:
+ - name: keycloak-operator-resources
+ configMap:
+ name: keycloak-operator-resources
+ items:
+ - key: deploy-keycloak.sh
+ mode: 0750
+ path: deploy-keycloak.sh
+ - key: keycloak.yaml
+ path: keycloak.yaml
+ - key: keycloak-subscription.yaml
+ path: keycloak-subscription.yaml
+ - key: load-balancer-service.yaml
+ path: load-balancer-service.yaml
+ - key: operator-group.yaml.tpl
+ path: operator-group.yaml.tpl
+ restartPolicy: Never
diff --git a/base/keycloak-olm/deploy-keycloak.sh b/base/keycloak-olm/deploy-keycloak.sh
new file mode 100755
index 0000000..86a2c56
--- /dev/null
+++ b/base/keycloak-olm/deploy-keycloak.sh
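Review bot: `image: docker.io/bitnami/kubectl:latest` is a mutable tag pulled at run time into a pod whose service account the sibling rbac.yaml binds to `cluster-admin` within the namespace, so whoever can move that tag controls the namespace; pin it, e.g. `image: docker.io/bitnami/kubectl:1.28@sha256:<digest>`. The `x` in `command: ["/bin/bash", "-cx"]` traces every expanded command line into the pod log, and the script it runs passes the service-account token and the Keycloak admin password as command arguments, so `["/bin/bash", "-c"]` is the safer form (the script's own `set -x` needs the same treatment). No `securityContext` is set; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` cost nothing for a kubectl container, and a `backoffLimit` is worth stating explicitly because the script's `kubectl create secret` is not idempotent and a retried pod will fail on the second attempt. The relative `mountPath` values (`deploy-keycloak.sh`, `resources/…`) presumably resolve against the image's working directory — an absolute path plus an explicit `workingDir` would make the layout independent of the base image; worth confirming.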
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -exo pipefail
+command -v envsubst
+
+TIMEOUT_TIME="${TIMEOUT_TIME:=125}"
+CTL="${CTL:=kubectl}"
+RESOURCES="${BASH_SOURCE%/*}"/resources
+
+NAMESPACE="${NAMESPACE:=tools}"
+
+export NAMESPACE
+
+function set_kubectl_context {
+ $CTL config set-cluster ctx --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ $CTL config set-credentials user --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ $CTL config set-context ctx --user=user --cluster=ctx
+ $CTL config use-context ctx
+}
+
+function deploy_keycloak {
+ # subscribe to the keycloak operator
+ <"${RESOURCES}"/operator-group.yaml.tpl envsubst | ${CTL} apply -n "${NAMESPACE}" -f -
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/keycloak-subscription.yaml
+ $CTL wait -n "${NAMESPACE}" --for=jsonpath=status.installPlanRef.name subscription keycloak-operator --timeout="$TIMEOUT_TIME"s
+ $CTL wait -n "${NAMESPACE}" installplan "$($CTL get -n "${NAMESPACE}" subscription keycloak-operator -o=jsonpath='{.status.installPlanRef.name}')" --for=condition=Installed --timeout="$TIMEOUT_TIME"s
+
+ # create Keycloak CRD and Keycloak service of load-balancer type
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/keycloak.yaml
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/load-balancer-service.yaml
+
+ # create secret named `credential-sso` from admin credentials for compatibility with how testsuite is working
+ timeout "$TIMEOUT_TIME" grep -qm1 '^secret/keycloak-initial-admin$' <($CTL get secret -w -n "${NAMESPACE}" -o name)
+ ADMIN_USERNAME="$($CTL get secret keycloak-initial-admin -o jsonpath='{.data.username}' | base64 -d)"
+ ADMIN_PASSWORD="$($CTL get secret keycloak-initial-admin -o jsonpath='{.data.password}' | base64 -d)"
+ $CTL create secret generic credential-sso --from-literal=ADMIN_USERNAME="${ADMIN_USERNAME}" --from-literal=ADMIN_PASSWORD="${ADMIN_PASSWORD}"
+}
+
+if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then # if running inside kubernetes pod
+ NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
+ set_kubectl_context
+fi
+
+deploy_keycloak
diff --git a/base/keycloak-olm/kustomization.yaml b/base/keycloak-olm/kustomization.yaml
new file mode 100644
index 0000000..74ef7dc
--- /dev/null
+++ b/base/keycloak-olm/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+ app: keycloak-operator-deployment
+
+resources:
+ - rbac.yaml
+ - deploy-keycloak-job.yaml
+
+configMapGenerator:
+ - name: keycloak-operator-resources
+ files:
+ - deploy-keycloak.sh
+ - resources/keycloak.yaml
+ - resources/keycloak-subscription.yaml
+ - resources/load-balancer-service.yaml
+ - resources/operator-group.yaml.tpl
diff --git a/base/keycloak-olm/rbac.yaml b/base/keycloak-olm/rbac.yaml
new file mode 100644
index 0000000..8021f76
--- /dev/null
+++ b/base/keycloak-olm/rbac.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: deploy-keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: deploy-keycloak-operator-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: deploy-keycloak-operator
diff --git a/base/keycloak-olm/resources/keycloak-subscription.yaml b/base/keycloak-olm/resources/keycloak-subscription.yaml
new file mode 100644
index 0000000..6cf8212
--- /dev/null
+++ b/base/keycloak-olm/resources/keycloak-subscription.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: keycloak-operator
+spec:
+ channel: fast
+ installPlanApproval: Automatic
+ name: keycloak-operator
+ source: community-operators
+ sourceNamespace: openshift-marketplace
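Review bot: `set -exo pipefail` makes bash print every command with its expansions, so `set_kubectl_context`'s `--token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"` and `deploy_keycloak`'s `--from-literal=ADMIN_PASSWORD="${ADMIN_PASSWORD}"` write the service-account token and the Keycloak admin password into the job's stdout, i.e. into pod logs readable by anyone with `pods/log` in the namespace. Change the first line to `set -eo pipefail` (or bracket those two commands with `set +x` / `set -x`); kubectl also appears to pick up in-cluster credentials on its own from the mounted token, which would make copying it into a kubeconfig unnecessary — worth confirming before deleting `set_kubectl_context`. Separately, the `kubectl get secret keycloak-initial-admin` and `create secret generic credential-sso` calls omit `-n "${NAMESPACE}"` while the `-w` wait just above passes it; with the context created here carrying no namespace they address `default`, so inside a pod the `get` fails (and `set -e` aborts) unless the job happens to run in `default`. Add `-n "${NAMESPACE}"` to all three, and replace the non-idempotent create with `$CTL create secret generic credential-sso --from-literal=… --dry-run=client -o yaml | $CTL apply -n "${NAMESPACE}" -f -` so a retried Job pod does not fail on "already exists".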
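Review bot: The RoleBinding hands the job's service account the `cluster-admin` ClusterRole; being a RoleBinding it is confined to the namespace, but within it that is every verb on every resource — reading all Secrets, creating further RoleBindings, deleting the operator — for a one-shot script whose real needs are enumerable from deploy-keycloak.sh. Replace it with a namespaced Role that grants only what the script uses (OperatorGroups, Subscriptions and InstallPlans from operators.coreos.com, Keycloaks from k8s.keycloak.org, and Services/Secrets in core, with get/list/watch/create/patch) and bind that instead, as sketched below. The `subjects` entry carries no `namespace:` and presumably relies on kustomize injecting it; a short comment saying so would save the next reader a lookup. The `-admin` suffix in the binding name then becomes misleading, so renaming it alongside is reasonable.

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deploy-keycloak-operator
rules:
  # OperatorGroup/Subscription are applied, InstallPlan is waited on
  - apiGroups: ["operators.coreos.com"]
    resources: ["operatorgroups", "subscriptions", "installplans"]
    verbs: ["get", "list", "watch", "create", "patch"]
  # the Keycloak CR
  - apiGroups: ["k8s.keycloak.org"]
    resources: ["keycloaks"]
    verbs: ["get", "list", "create", "patch"]
  # load-balancer Service; watch/read keycloak-initial-admin, create credential-sso
  - apiGroups: [""]
    resources: ["services", "secrets"]
    verbs: ["get", "list", "watch", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-keycloak-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deploy-keycloak-operator
# … unchanged: subjects …
```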
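Review bot: `channel: fast` with `installPlanApproval: Automatic` and no `startingCSV` installs whatever version the `community-operators` catalog currently publishes on that channel and then upgrades it silently, so the identity provider every test trusts is an unpinned, community-maintained artifact chosen at deploy time. Pin it with `startingCSV: keycloak-operator.vX.Y.Z` (the script's `kubectl wait … --for=condition=Installed` still works with Automatic approval for a pinned plan), or switch to `installPlanApproval: Manual` and approve the InstallPlan explicitly from the script. `source: community-operators` / `sourceNamespace: openshift-marketplace` also hard-codes an OpenShift catalog; if this base is meant to run on vanilla OLM as well, a comment should state which CatalogSource to substitute.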
diff --git a/base/keycloak-olm/resources/keycloak.yaml b/base/keycloak-olm/resources/keycloak.yaml
new file mode 100644
index 0000000..c752db8
--- /dev/null
+++ b/base/keycloak-olm/resources/keycloak.yaml
@@ -0,0 +1,18 @@
+---
+kind: Keycloak
+apiVersion: k8s.keycloak.org/v2alpha1
+metadata:
+ name: keycloak
+ labels:
+ app: sso
+spec:
+ additionalOptions:
+ - name: KC_CACHE
+ value: local
+ hostname:
+ strict: false
+ ingress:
+ enabled: false
+ http:
+ httpEnabled: true
+ httpPort: 8080
diff --git a/base/keycloak-olm/resources/load-balancer-service.yaml b/base/keycloak-olm/resources/load-balancer-service.yaml
new file mode 100644
index 0000000..977672d
--- /dev/null
+++ b/base/keycloak-olm/resources/load-balancer-service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak-service-load-balancer
+ labels:
+ app: keycloak
+spec:
+ selector:
+ app: keycloak
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ type: LoadBalancer
diff --git a/base/keycloak-olm/resources/operator-group.yaml.tpl b/base/keycloak-olm/resources/operator-group.yaml.tpl
new file mode 100644
index 0000000..e8abe20
--- /dev/null
+++ b/base/keycloak-olm/resources/operator-group.yaml.tpl
@@ -0,0 +1,8 @@
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: ${NAMESPACE}
+spec:
+ targetNamespaces:
+ - ${NAMESPACE}
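Review bot: `http.httpEnabled: true` together with `hostname.strict: false` and `ingress.enabled: false` serves Keycloak, admin console included, over plaintext on 8080, and the sibling load-balancer Service then exposes exactly that port outside the cluster, so the `keycloak-initial-admin` credential and every test user's password cross the network unencrypted. If this CR is only for a disposable test cluster, say so in a comment above `http:` (e.g. `# test-only: plaintext HTTP and no hostname check — never reuse this CR outside the CI cluster`); otherwise point `http.tlsSecret` at a certificate Secret, drop `httpEnabled`, and set `hostname.hostname` so the issuer URL is fixed rather than taken from whatever Host header arrives. `KC_CACHE: local` disables the distributed cache and is presumably only valid for a single instance; a comment next to it stating that assumption avoids a confusing failure when someone later raises `instances`.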
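Review bot: `type: LoadBalancer` with no `loadBalancerSourceRanges` asks the cloud provider for an address reachable from anywhere and puts the plain-HTTP Keycloak port behind it, with nothing marking the LB internal. At minimum add `loadBalancerSourceRanges:` listing the CIDRs the testsuite runs from (or the provider's internal-LB annotation), and document why a cluster-external address is needed at all when the script creating it runs in-cluster — worth confirming with whoever owns the testsuite. The selector `app: keycloak` relies on the operator labelling its pods that way; a one-line comment naming the operator version this was verified against will help the next person who finds the Service with zero endpoints.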