diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2fcffd542..fea8af32f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -277,7 +277,6 @@ jobs: - name: Build Helm Dependencies run: | - helm repo add bitnami https://charts.bitnami.com/bitnami/ helm repo add stable https://charts.helm.sh/stable/ helm dependency build ./helm/api-platform -
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ef589f43b..6f2301e5e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -88,7 +88,6 @@ jobs:
 - name: Build Helm Dependencies
 run: |
- helm repo add bitnami https://charts.bitnami.com/bitnami/
 helm repo add stable https://charts.helm.sh/stable/
 helm dependency build ./helm/api-platform
 # Release name MUST start with a letter
@@ -115,7 +114,7 @@ jobs:
 --wait \
 --namespace=$namespace \
 --set=app.version=${{ github.sha }} \
- --set=keycloak.image.repository=${{ secrets.gke-project }}/${{ secrets.gke-project }}/keycloak \
+ --set=keycloak.image.repository=europe-west1-docker.pkg.dev/${{ secrets.gke-project }}/${{ secrets.gke-project }}/keycloak \
 --set=keycloak.image.tag=${{ inputs.docker-images-version }} \
 --set=keycloak.auth.adminPassword=${{ secrets.keycloak-admin-password }} \
 --set-string=keycloak.extraEnvVars[0].value=https://$url/oidc/ \
diff --git a/helm/api-platform/Chart.lock b/helm/api-platform/Chart.lock
index 52a2ccd29..180a9838b 100644
--- a/helm/api-platform/Chart.lock
+++ b/helm/api-platform/Chart.lock
@@ -1,6 +1,3 @@
-dependencies:
-- name: external-dns
- repository: https://charts.bitnami.com/bitnami/
- version: 9.0.3
-digest: sha256:3b0229942127a01c02f151e18b739c39b68e6458c6b865e3a3dd90fcfe198c99
-generated: "2026-02-04T16:01:05.816182082+01:00"
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2026-02-05T15:23:06.955496718Z"
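Review bot: The new `--set=keycloak.image.repository=` line hard-codes the Artifact Registry host `europe-west1-docker.pkg.dev` while the project id next to it comes from `secrets.gke-project`, so a region or registry move now requires editing the workflow rather than configuration; a repository variable for the host, e.g. `${{ vars.docker-registry }}` (name constructed here), would keep host and project in one place. The same secret is used for both the project and the repository path segment, which is presumably intentional but deserves a one-line comment above the step so nobody "fixes" it. The image is still selected by the mutable tag `keycloak.image.tag=${{ inputs.docker-images-version }}`, so the deployed artifact cannot be checked against what the build produced; if the build job publishes a digest and the chart exposes a digest value, passing it through here would pin the deploy. The `helm upgrade` command this line belongs to starts outside the hunk.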
diff --git a/helm/api-platform/Chart.yaml b/helm/api-platform/Chart.yaml
index 9394e8258..02843d38a 100644
--- a/helm/api-platform/Chart.yaml
+++ b/helm/api-platform/Chart.yaml
@@ -24,8 +24,4 @@ version: 4.2.15
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: 4.2.15
-dependencies:
- - name: external-dns
- version: 9.0.3
- repository: https://charts.bitnami.com/bitnami/
- condition: external-dns.enabled
+dependencies: []
diff --git a/helm/api-platform/templates/configmap.yaml b/helm/api-platform/templates/configmap.yaml
index 62d2cd7f3..7d2f9a907 100644
--- a/helm/api-platform/templates/configmap.yaml
+++ b/helm/api-platform/templates/configmap.yaml
@@ -15,12 +15,12 @@ data:
 mercure-extra-directives: {{ .Values.mercure.extraDirectives | quote }}
 caddy-global-options: {{ .Values.php.caddyGlobalOptions | quote }}
 oidc-server-url: "https://{{ (first .Values.ingress.hosts).host }}/oidc/realms/demo"
- oidc-server-url-internal: "http://{{ template "common.names.fullname" .Subcharts.keycloak }}/oidc/realms/demo"
+ oidc-server-url-internal: "http://{{ include "api-platform.fullname" . }}-keycloak/oidc/realms/demo"
 next-auth-url: "https://{{ (first .Values.ingress.hosts).host }}/api/auth"
 pwa-client-id: {{ .Values.pwa.oidcClientId | quote }}
 pwa-authorization-client-id: {{ .Values.php.oidcClientId | quote }}
 {{- if .Values.keycloak.postgresql.enabled }}
- keycloak-database-url: {{ printf "jdbc:postgresql://%s:%s/%s" .Release.Name .Values.keycloak.postgresql.global.postgresql.auth.database | b64enc | quote }}
+ keycloak-database-url: {{ printf "jdbc:postgresql://localhost:5432/%s" .Values.keycloak.postgresql.global.postgresql.auth.database | quote }}
 {{- else }}
 keycloak-database-url: {{ .Values.keycloak.postgresql.url | b64enc | quote }}
 {{- end }}
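Review bot: The chart `version: 4.2.15` shown as hunk context is not bumped although this commit replaces the subchart dependency with in-tree templates that render different resources (the Keycloak Service is now named `<fullname>-keycloak`, and external-dns becomes a chart-owned Deployment), so anyone who already has 4.2.15 installed gets different manifests under the same chart version. Helm treats the chart version as the identity of the package; bump it in the same commit, at least a minor since rendered resources change. With `dependencies: []` the "Build Helm Dependencies" steps in ci.yml and deploy.yml (the two hunks above) now only add the long-deprecated `stable` repo and build nothing, so those steps can be removed rather than trimmed.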
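Review bot: The two branches of `keycloak-database-url` no longer agree: the new line under `{{- if .Values.keycloak.postgresql.enabled }}` emits the JDBC URL with `| quote` only, while the `{{- else }}` branch kept as context still pipes `.Values.keycloak.postgresql.url` through `b64enc | quote`, so the consumer receives a plain string in one configuration and a base64 string in the other. This is a ConfigMap `data` entry (plain strings; base64 belongs only in a Secret's `data`), so the else branch should lose the encoding too: `keycloak-database-url: {{ .Values.keycloak.postgresql.url | quote }}`. The new URL also hard-codes `localhost:5432`, which presumably depends on the PostgreSQL container running as a sidecar in the Keycloak pod; a comment above the line stating that assumption would save the next reader a search. The ConfigMap's `data:` mapping starts outside the hunk.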
@@ -35,6 +35,5 @@ metadata:
 labels:
 {{- include "api-platform.labelsKeycloak" . | nindent 4 }}
 data:
- realm.json: |
- {{ (.Files.Glob .Values.keycloak.importRealm.path).AsConfig | indent 2 }}
+{{ (.Files.Glob .Values.keycloak.importRealm.path).AsConfig | indent 2 }}
 {{- end }}
diff --git a/helm/api-platform/templates/external-dns-deployment.yaml b/helm/api-platform/templates/external-dns-deployment.yaml
new file mode 100644
index 000000000..1ffcbc8e5
--- /dev/null
+++ b/helm/api-platform/templates/external-dns-deployment.yaml
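Review bot: With `realm.json: |` gone, `(.Files.Glob .Values.keycloak.importRealm.path).AsConfig` now supplies the ConfigMap keys itself, so the key names are the basenames of whatever files the glob matches rather than a fixed `realm.json`; whatever mounts or references `realm.json` by name (not visible in this hunk) must match the real file name on disk, and a glob that matches nothing renders an empty `data:` without any error. Consider failing the render instead of shipping an empty ConfigMap, e.g. `{{- $realmFiles := .Files.Glob .Values.keycloak.importRealm.path }}` followed by `{{- if not $realmFiles }}{{ fail "keycloak.importRealm.path matched no files" }}{{- end }}` above the `data:` key, then `{{ $realmFiles.AsConfig | indent 2 }}`. The enclosing `{{- if ... }}` that this hunk's `{{- end }}` closes starts outside the hunk.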
@@ -0,0 +1,110 @@
+{{- if index .Values "external-dns" "enabled" -}}
+{{- $externalDns := index .Values "external-dns" -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ labels:
+ app.kubernetes.io/name: external-dns
+ {{- include "api-platform.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: external-dns
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: external-dns
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ serviceAccountName: {{ include "api-platform.fullname" . }}-external-dns
+ containers:
+ - name: external-dns
+ image: {{ $externalDns.image.repository }}:{{ $externalDns.image.tag | default "v0.15.0" }}
+ imagePullPolicy: {{ $externalDns.image.pullPolicy | default "IfNotPresent" }}
+ args:
+ - --source=ingress
+ - --provider={{ $externalDns.provider }}
+ {{- range $externalDns.domainFilters }}
+ - --domain-filter={{ . }}
+ {{- end }}
+ {{- range $externalDns.zoneIdFilters }}
+ - --zone-id-filter={{ . }}
+ {{- end }}
+ - --policy=sync
+ - --registry=txt
+ - --txt-owner-id={{ .Release.Name }}
+ {{- if eq $externalDns.provider "cloudflare" }}
+ env:
+ - name: CF_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ key: cloudflare-api-token
+ {{- end }}
+ resources:
+ {{- toYaml $externalDns.resources | nindent 10 }}
+ securityContext:
+ fsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+---
+{{- if $externalDns.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ labels:
+ app.kubernetes.io/name: external-dns
+ {{- include "api-platform.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "api-platform.fullname" .
}}-external-dns
+ labels:
+ app.kubernetes.io/name: external-dns
+ {{- include "api-platform.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["services","endpoints","pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ labels:
+ app.kubernetes.io/name: external-dns
+ {{- include "api-platform.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "api-platform.fullname" . }}-external-dns
+subjects:
+- kind: ServiceAccount
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- if and (eq $externalDns.provider "cloudflare") $externalDns.cloudflare.apiToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "api-platform.fullname" . }}-external-dns
+ labels:
+ app.kubernetes.io/name: external-dns
+ {{- include "api-platform.labels" . | nindent 4 }}
+type: Opaque
+data:
+ cloudflare-api-token: {{ $externalDns.cloudflare.apiToken | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/helm/api-platform/templates/ingress.yaml b/helm/api-platform/templates/ingress.yaml
index e1783e8ed..eecc5fd30 100644
--- a/helm/api-platform/templates/ingress.yaml
+++ b/helm/api-platform/templates/ingress.yaml
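Review bot: `serviceAccountName: {{ include "api-platform.fullname" . }}-external-dns` is set on the Deployment unconditionally, but the ServiceAccount of that name is only rendered inside `{{- if $externalDns.rbac.create }}`, so with `rbac.create: false` the pod references an account nothing creates and the ReplicaSet cannot create it; render the ServiceAccount outside the `rbac.create` guard (keep only the ClusterRole and ClusterRoleBinding behind it) or add a value naming an existing account to fall back to. The ClusterRole grants read access to `services`, `endpoints`, `pods` and `nodes` while the only configured source is `--source=ingress`; unless more sources are planned, the `ingresses` rule is what an ingress-only controller needs (verify against the v0.15.0 docs) and the other two rules can go. Rendering `$externalDns.cloudflare.apiToken` into a Secret puts the DNS-provider token into values files and into the release history Helm stores in the cluster; a reference to a pre-created secret (an `existingSecret` value, name constructed here) keeps it out of both. The only `securityContext` is the pod-level one carrying `fsGroup`/`runAsUser` (pod level is inferred, since the collapsed hunk loses indentation), so the container itself has no `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` or dropped capabilities, all of which external-dns tolerates; the excerpt below adds them and trims the rules.
```yaml
      containers:
        - name: external-dns
          # … unchanged: image, imagePullPolicy, args, env, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
# … unchanged: pod securityContext, ServiceAccount, ClusterRole metadata …
rules:
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
```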
@@ -70,12 +70,12 @@ spec:
 {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
 {{ $service := default dict $backend.service }}
 service:
- name: {{ template "common.names.fullname" $.Subcharts.keycloak }}
+ name: {{ $service.name | default (printf "%s-keycloak" $fullName) }}
 {{ $port := default dict $service.port }}
 port:
 number: {{ $port.number | default $svcPort }}
 {{- else }}
- serviceName: {{ template "common.names.fullname" $.Subcharts.keycloak }}
+ serviceName: {{ $backend.serviceName | default (printf "%s-keycloak" $fullName) }}
 servicePort: {{ $backend.servicePort | default $svcPort }}
 {{- end }}
 {{- end }}
diff --git a/helm/api-platform/templates/keycloak-deployment.yaml b/helm/api-platform/templates/keycloak-deployment.yaml
index c4f398f63..2bfb0fc8c 100644
--- a/helm/api-platform/templates/keycloak-deployment.yaml
+++ b/helm/api-platform/templates/keycloak-deployment.yaml
@@ -126,19 +126,23 @@ spec:
 secretKeyRef:
 name: {{ include "api-platform.fullname" . }}
 key: keycloak-database-password
- {{- toYaml .Values.keycloak.postgresql.extraEnvVars | nindent 12 }}
+ {{- with .Values.keycloak.postgresql.extraEnvVars }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
- - name: main
+ - name: postgresql
 containerPort: 5432
- protocol: UDP
+ protocol: TCP
 livenessProbe:
- httpGet:
- path: /
- port: main
+ tcpSocket:
+ port: postgresql
+ initialDelaySeconds: 30
+ periodSeconds: 10
 readinessProbe:
- httpGet:
- path: /
- port: main
+ tcpSocket:
+ port: postgresql
+ initialDelaySeconds: 5
+ periodSeconds: 10
 resources:
 {{- toYaml .Values.keycloak.postgresql.resources | nindent 12 }}
 {{- end }}
diff --git a/helm/api-platform/templates/keycloak-service.yaml b/helm/api-platform/templates/keycloak-service.yaml
new file mode 100644
index 000000000..7c38ed97c
--- /dev/null
+++ b/helm/api-platform/templates/keycloak-service.yaml
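Review bot: Both new lines build the Keycloak backend name with `printf "%s-keycloak" $fullName`, which duplicates the naming done in the new keycloak-service.yaml (`{{ include "api-platform.fullname" . }}-keycloak`) and again in configmap.yaml; if any one of the three drifts, the ingress routes to a Service that does not exist and the failure only shows up at request time. A named helper in the chart's helpers template, e.g. `{{- define "api-platform.keycloak.fullname" -}}{{ include "api-platform.fullname" . }}-keycloak{{- end -}}` (name constructed here), used in all three places removes that risk. `$fullName` is referenced but not defined in the hunk; presumably it is set near the top of ingress.yaml, otherwise rendering fails. The `{{- if semverCompare ... }}` block is complete here, but the `range` or `with` it sits in (the `$.` references suggest one) starts outside the hunk.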
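Review bot: The new `readinessProbe` uses `tcpSocket` on the `postgresql` port, which passes as soon as the socket accepts a connection; PostgreSQL opens that socket before it finishes startup or crash recovery and rejects sessions in that window, so the pod can be marked Ready, and receive traffic through the Service, while its database is still coming up. An exec probe with the server's own check is the usual fix: replace the two `tcpSocket:`/`port: postgresql` lines under `readinessProbe` with `exec:` and `command: ["pg_isready", "-h", "localhost"]` (add `-U`/`-d` to match the image's configured user and database), keeping `tcpSocket` for liveness if you prefer. The PostgreSQL container these probes belong to starts outside the hunk.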
@@ -0,0 +1,17 @@
+{{- if .Values.keycloak.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "api-platform.fullname" . }}-keycloak
+ labels:
+ {{- include "api-platform.labelsKeycloak" . | nindent 4 }}
+spec:
+ type: {{ .Values.keycloak.service.type }}
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "api-platform.selectorLabelsKeycloak" . | nindent 4 }}
+{{- end }}
diff --git a/helm/api-platform/values.yaml b/helm/api-platform/values.yaml
index 47c41423d..82d7f4130 100644
--- a/helm/api-platform/values.yaml
+++ b/helm/api-platform/values.yaml
@@ -161,7 +161,9 @@ keycloak:
 external-dns:
 enabled: true
 image:
- repository: bitnamilegacy/external-dns
+ repository: registry.k8s.io/external-dns/external-dns
+ tag: v0.15.0
+ pullPolicy: IfNotPresent
 resources:
 requests:
 memory: 50Mi
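Review bot: `type: {{ .Values.keycloak.service.type }}` is rendered unquoted and without a default, so an unset `keycloak.service.type` leaves an empty scalar in the manifest, and any value other than `ClusterIP` exposes Keycloak, admin console included, directly on a node port or load balancer instead of only through the ingress; `type: {{ .Values.keycloak.service.type | default "ClusterIP" | quote }}` makes the safe choice the default. `targetPort: http` requires the Keycloak container to declare a port named `http`, and the selector relies on `api-platform.selectorLabelsKeycloak` matching the pod template labels; neither is visible in this diff, so both are worth confirming against keycloak-deployment.yaml. The file is new and the hunk is complete.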
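Review bot: The image tag `v0.15.0` is now declared twice, here and as `default "v0.15.0"` in external-dns-deployment.yaml, so a bump in one place silently leaves the other behind; keep the value here and let the template insist on it with `{{ required "external-dns.image.tag is required" $externalDns.image.tag }}`. A tag is mutable, and this controller holds DNS-provider credentials, so an `image.digest` value (name constructed here) rendered as `@sha256:…` when set would pin the exact artifact. The template also dereferences `external-dns.provider`, `domainFilters`, `zoneIdFilters`, `rbac.create` and `cloudflare.apiToken`; if the `rbac` map is absent from values.yaml, `$externalDns.rbac.create` aborts the render with a nil-pointer error, so those keys need defaults, which this hunk does not show. The `external-dns:` mapping continues outside the hunk.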