SSO: Create platform realm + ldraney admin user in Keycloak #335

Closed
opened 2026-05-05 04:06:09 +00:00 by forgejo_admin · 0 comments
Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04).

Repo

forgejo_admin/pal-e-platform

User Story

As a platform admin
I want a dedicated Keycloak realm for platform services
So that I have one login across all infra tools (Forgejo, Grafana, Harbor, MinIO)

Context

Keycloak is deployed but only serves the westside realm today. Per convention (one realm per brand/audience), platform infra services need their own realm. This ticket creates the realm and the ldraney admin user. Unblocks all subsequent OIDC client wiring tickets.

Two approaches: (1) Keycloak admin API calls, or (2) add the terraform-provider-keycloak to manage realm/clients as IaC. Recommend approach 1 for now (faster, no new provider dependency), with a follow-up to IaC it later if desired.

File Targets

Files the agent should modify or create:

  • No terraform file changes — this is a Keycloak admin API operation
  • Optionally: terraform/modules/keycloak/main.tf if we add the keycloak terraform provider

Files the agent should NOT touch:

  • keycloak/themes/westside/ — westside realm is separate

Acceptance Criteria

  • platform realm exists at keycloak.tail5b443a.ts.net/realms/platform
  • ldraney user exists in platform realm with password set
  • User has realm admin role assigned
  • Realm well-known endpoint responds: /realms/platform/.well-known/openid-configuration

Test Expectations

  • Curl the OIDC well-known endpoint and confirm valid JSON response
  • Authenticate as ldraney via token endpoint and receive access token
  • Run command: curl -s https://keycloak.tail5b443a.ts.net/realms/platform/.well-known/openid-configuration | jq .issuer

Constraints

  • Use Keycloak admin API (not terraform keycloak provider) for now
  • Realm name must be platform (not master, not pal-e)
  • ldraney password should come from secrets, not hardcoded
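The acceptance criteria, test expectations and constraints above describe one procedure: create the realm through the admin API, create the user with a password sourced from secrets, grant the realm admin role, and confirm the discovery endpoint answers. The script below is an added example of that procedure written against the Keycloak admin REST API; it is not code from this ticket or from the pal-e-platform repo. It assumes `curl` and `jq` are installed, that `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` and `LDRANEY_PASSWORD` are exported from the secrets store before it runs, and that the built-in `realm-management` client's `realm-admin` role is what "realm admin role" means. Passwords are fed to curl over stdin rather than as arguments so they do not show up in process listings.

```shell
#!/bin/sh
# Added example (not from the ticket or the pal-e-platform repo): provision the
# `platform` realm and the ldraney realm-admin user through the Keycloak admin
# REST API, then verify the OIDC discovery endpoint. Assumed environment,
# exported from the secrets store and never written into this file:
#   KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD  master-realm admin credentials
#   LDRANEY_PASSWORD                         initial password for the new user
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-https://keycloak.tail5b443a.ts.net}"
REALM="platform"
USERNAME="ldraney"

# Realm representation sent to POST /admin/realms. $1 = realm name.
realm_payload() {
  printf '{"realm":"%s","enabled":true,"displayName":"Platform"}' "$1"
}

# User representation sent to POST /admin/realms/{realm}/users.
# $1 = username, $2 = password. JSON is built with printf, so the password is
# assumed to contain no '"' or '\' characters.
user_payload() {
  printf '{"username":"%s","enabled":true,"credentials":[{"type":"password","value":"%s","temporary":false}]}' "$1" "$2"
}

# Discovery URL named in the acceptance criteria. $1 = base URL, $2 = realm.
well_known_url() {
  printf '%s/realms/%s/.well-known/openid-configuration' "$1" "$2"
}

# Admin token from the master realm's admin-cli client. The password is read
# from stdin (--data-urlencode name@-) so it never appears on the command line.
admin_token() {
  printf '%s' "$KEYCLOAK_ADMIN_PASSWORD" | curl -sSf \
    -d grant_type=password -d client_id=admin-cli \
    -d "username=$KEYCLOAK_ADMIN" --data-urlencode 'password@-' \
    "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | jq -r .access_token
}

# Authenticated admin API helpers. $1 = path under /admin/realms; kc_post reads
# the JSON body from stdin.
kc_get() {
  curl -sSf -H "Authorization: Bearer $TOKEN" "$KEYCLOAK_URL/admin/realms$1"
}
kc_post() {
  curl -sSf -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
    --data-binary @- "$KEYCLOAK_URL/admin/realms$1"
}

provision() {
  TOKEN=$(admin_token)

  # 1. Realm. Check first so the script is safe to re-run (POST would 409).
  if kc_get "/$REALM" >/dev/null 2>&1; then
    echo "realm $REALM already exists, continuing"
  else
    realm_payload "$REALM" | kc_post ""
  fi

  # 2. User with a non-temporary password from the environment.
  USER_ID=$(kc_get "/$REALM/users?username=$USERNAME&exact=true" | jq -r '.[0].id // empty')
  if [ -z "$USER_ID" ]; then
    user_payload "$USERNAME" "$LDRANEY_PASSWORD" | kc_post "/$REALM/users"
    USER_ID=$(kc_get "/$REALM/users?username=$USERNAME&exact=true" | jq -r '.[0].id')
  fi

  # 3. Realm admin role: in Keycloak this is the `realm-admin` client role of
  #    the built-in `realm-management` client, mapped via client role-mappings.
  CLIENT_UUID=$(kc_get "/$REALM/clients?clientId=realm-management" | jq -r '.[0].id')
  ROLE_JSON=$(kc_get "/$REALM/clients/$CLIENT_UUID/roles/realm-admin")
  printf '[%s]' "$ROLE_JSON" | kc_post "/$REALM/users/$USER_ID/role-mappings/clients/$CLIENT_UUID"

  # 4. Verify: discovery document must be valid JSON with an issuer (jq -e fails otherwise).
  curl -sSf "$(well_known_url "$KEYCLOAK_URL" "$REALM")" | jq -e .issuer
}

# Only talk to Keycloak when explicitly asked, so sourcing the file is side-effect free.
if [ "${KEYCLOAK_PROVISION:-0}" = "1" ]; then
  provision
fi
```

Run it with `KEYCLOAK_PROVISION=1 sh provision-platform-realm.sh` after exporting the three secret variables; the final `jq -e .issuer` is the same check as the ticket's test expectation and returns non-zero if the realm did not come up. The ldraney token-endpoint check from Test Expectations is the `admin_token` call with `master` swapped for `platform` and the user's own credentials.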

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform project
Reference
ldraney/pal-e-platform#335