Finally after a hundred iterations I got our Indico instance online! Thanks to everyone for their help (including this helpful post about Keycloak configuration). For reference, our current Helm chart being deployed is here, which uses images from the slightly modified container image build script here.
I encountered the same logout redirect bug discussed in this post, and I hacked around it in a horrible way in the init script I execute at the beginning of the app and celery container launcher scripts:
sed -i "s/{'post_logout_redirect_uri': return_url}/{}/g" \
/opt/indico/.venv/lib/python3.10/site-packages/flask_multipass/providers/authlib.py
The original reason I created that init script was because I wanted to build the Python-language config file from environment variables, because this is the most natural way to get secret values into an app config in Kubernetes, as well making it easier to override individual config parameters via Helm and ArgoCD hierarchically.
envsubst < "${INDICO_CONFIG}" > /tmp/indico.conf
cp /tmp/indico.conf "${INDICO_CONFIG}"
If someone is willing to review our chart and overall deployment strategy and provide feedback, it would be welcomed.