also, this whole "keychain is safer" kind of goes out the window when Authzed also provides a one-liner to install some random thing from the internet into my kubernetes cluster:

kubectl apply --server-side -k github.com/authzed/spicedb-operator/config

What would you have preferred? The operator is available as a kustomize package which can be managed however you like. It doesn’t strike me as unusual to have a quickstart that deploys directly so I’m curious what you expected to see

It's not that anything is wrong. What I'm trying to convey is that the response that "we enforce keycloak" because it is "better" security falls flat when you have a one liner to install something into a kubernetes cluster