Playground: Protect behind Keycloak + point at pal-e-docs-app #343

Closed
opened 2026-05-05 04:07:31 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm and SSO being functional.

Repo

forgejo_admin/pal-e-deployments

User Story

As a platform admin
I want my playground protected behind Keycloak login and configured to serve the pal-e-docs-app for development
So that my development environment is secure and I can iterate on the docs frontend

Context

Currently playground.tail5b443a.ts.net and svelte-playground.tail5b443a.ts.net are public (no auth). They should be behind Keycloak (platform realm) since they contain internal development work. Additionally, the svelte-playground deployment should be re-pointed to serve the new pal-e-docs-app SvelteKit project for frontend development of the documentation system.

File Targets

Files the agent should modify or create:

  • overlays/playground/prod/ — add oauth2-proxy sidecar or Keycloak gating
  • overlays/svelte-playground/prod/ — re-point to pal-e-docs-app source

Files the agent should NOT touch:

  • The playground source repos themselves (just the k8s deployment config)

Acceptance Criteria

  • playground.tail5b443a.ts.net requires Keycloak login
  • svelte-playground.tail5b443a.ts.net requires Keycloak login
  • svelte-playground serves pal-e-docs-app (or new dedicated overlay)
  • Authenticated users see content normally after login
  • SSO session from pal-e-admin carries over (no re-login)

Test Expectations

  • Unauthenticated curl to playground returns 302 to Keycloak
  • Authenticated access shows playground content
  • Run command: curl -s -o /dev/null -w "%{http_code}" https://playground.tail5b443a.ts.net/

Constraints

  • Use same Keycloak platform realm (SSO session sharing)
  • Don't break the playground content — just add auth layer
  • Consider oauth2-proxy as sidecar for static sites that can't do OIDC natively

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform project
  • project-frontend-playground — playground project
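
The status-code check from Test Expectations, extended to also confirm that the 302 lands on the Keycloak realm rather than on any other redirect. This is an added example, not part of the issue; the Keycloak host is a placeholder and the realm name platform is assumed from the issue's "platform realm".

```shell
#!/bin/sh
# Added example, not part of the issue. The Keycloak host below is a placeholder
# and the realm name "platform" is assumed from the issue's "platform realm".
# Older Keycloak builds serve realms under /auth; include that in KEYCLOAK_BASE.
KEYCLOAK_BASE="${KEYCLOAK_BASE:-https://keycloak.example.internal}"
REALM="${REALM:-platform}"

# Reads raw response headers on stdin. Succeeds only when the response is a 302
# whose Location is the realm's OIDC authorization endpoint.
check_auth_redirect() {
    expected="${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/auth"
    status=""
    location=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # curl -D emits CRLF
        case "$line" in
            HTTP/*) status=$(printf '%s\n' "$line" | awk '{print $2}') ;;
            [Ll]ocation:*) location=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//') ;;
        esac
    done
    if [ "$status" != "302" ]; then
        echo "FAIL: status ${status:-none}, expected 302"
        return 1
    fi
    case "$location" in
        "$expected"\?*) echo "OK: 302 to Keycloak realm ${REALM}" ;;
        *) echo "FAIL: 302 points at '${location}', not ${expected}"; return 1 ;;
    esac
}

# Constructed sample headers (client_id and hosts are made up for the example).
sample_gated() {
    printf 'HTTP/2 302\r\nlocation: %s/realms/%s/protocol/openid-connect/auth?client_id=playground&response_type=code\r\n\r\n' \
        "$KEYCLOAK_BASE" "$REALM"
}
sample_other_redirect() {
    printf 'HTTP/2 302\r\nlocation: https://playground.tail5b443a.ts.net/index.html\r\n\r\n'
}
sample_public() {
    printf 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n'
}

# Live use:
#   curl -s -o /dev/null -D - https://playground.tail5b443a.ts.net/ | check_auth_redirect
```

oauth2-proxy answers an unauthenticated browser request with a direct 302 to the provider only when --skip-provider-button is set; otherwise it serves its own sign-in page with a 403, which this check reports as a failure.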
Reference
ldraney/pal-e-platform#343