Spike: Keycloak programmatic configuration and architecture validation #132

Closed
opened 2026-06-06 22:08:01 +00:00 by ldraney · 0 comments
Owner

Type

Spike

Lineage

Prerequisite for #115 (Keycloak login). Related to #107 (Auth + Roles + Audit Trail).
Manual Keycloak setup doesn't scale — need programmatic realm/client/user creation before building auth on top of it.

Repo

Multiple — ldraney/landscaping-assistant, ldraney/pal-e-platform, ldraney/pal-e-services

Question

How should Keycloak be programmatically configured for the landscaping-assistant, and does the current Keycloak architecture still fit?

  • Keycloak Admin REST API vs Terraform keycloak provider vs realm export/import — which pattern fits pal-e-platform's IaC model?
  • What already exists? Check ~/pal-e-platform for existing Keycloak Terraform modules (basketball-api uses Keycloak — how was that realm set up?)
  • Realm, client, roles, and test users — can all be created via API/Terraform, or do some require manual steps?
  • super_admin realm role — how does it compose with business roles (admin, lead, member, client)? Single realm or separate?
  • Secrets wiring — KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET into k8s secret. SOPS? Terraform? Manual?
  • Does Keycloak ROPC (direct grant) remain the right flow for a server-rendered Rails + Turbo Native app, or should we reconsider?
  • What docs/ updates are needed in landscaping-assistant, pal-e-platform, and/or pal-e-services?

Deliverables

  • docs/keycloak-setup.md created or existing doc updated
    (architecture decisions: programmatic config approach, realm design, secrets wiring, ROPC validation)
  • Follow-up tickets created or existing tickets (#115, #107) updated
    with refined scope based on what the spike discovers.
    If Keycloak config is already automated elsewhere, document the pattern to follow.

Time-box

1 session. If time-box expires: document findings, present options to Lucas.

Related

  • landscaping-assistant — project this affects
  • #115 — Phase 1 Keycloak login (blocked until this spike resolves)
  • #107 — parent auth issue
  • #130 — FeatureFlag implementation (super_admin role depends on Keycloak setup)
  • sop-keycloak-client-creation — existing manual SOP, may need update
  • ~/pal-e-platform — check for existing Keycloak Terraform modules
  • ~/westside-basketball/basketball-api — existing ROPC pattern to reference
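To make the options in the Question section concrete, the following is an added illustration of the "Terraform keycloak provider" pattern the spike compares against the Admin REST API and realm export/import. It is not code from landscaping-assistant, pal-e-platform or pal-e-services, and it assumes: the community Keycloak provider (published as mrparkers/keycloak, newer releases under keycloak/keycloak), a realm named landscaping, a confidential client landscaping-assistant, the role names listed in the ticket, a Kubernetes namespace landscaping-assistant, and that Keycloak admin credentials reach the provider through the KEYCLOAK_URL, KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables rather than from this file. Modelling super_admin as a composite of the business roles is one possible answer to the composition question, not a decision the ticket has made.

```hcl
terraform {
  required_providers {
    # Assumed provider sources; pin versions in the real module.
    keycloak   = { source = "mrparkers/keycloak" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

# Admin credentials come from KEYCLOAK_URL / KEYCLOAK_USER / KEYCLOAK_PASSWORD
# in the environment, so nothing privileged is committed with the module.
provider "keycloak" {
  client_id = "admin-cli"
}

resource "keycloak_realm" "landscaping" {
  realm   = "landscaping" # assumed realm name
  enabled = true
}

# Business roles as a set, so adding one is a one-line change.
locals {
  business_roles = toset(["admin", "lead", "member", "client"])
}

resource "keycloak_role" "business" {
  for_each = local.business_roles
  realm_id = keycloak_realm.landscaping.id
  name     = each.key
}

# One option for the composition question: super_admin is a composite
# realm role that implies every business role.
resource "keycloak_role" "super_admin" {
  realm_id        = keycloak_realm.landscaping.id
  name            = "super_admin"
  description     = "Platform operator; composite of all business roles"
  composite_roles = [for r in keycloak_role.business : r.id]
}

# Confidential client for the Rails app. Only the direct grant (ROPC) flow
# is enabled, which is the flow the spike is asked to validate or replace;
# the browser redirect flows stay off until that decision is made.
resource "keycloak_openid_client" "rails_app" {
  realm_id                     = keycloak_realm.landscaping.id
  client_id                    = "landscaping-assistant" # assumed client id
  name                         = "Landscaping Assistant (Rails)"
  enabled                      = true
  access_type                  = "CONFIDENTIAL"
  direct_access_grants_enabled = true
  standard_flow_enabled        = false
  implicit_flow_enabled        = false
}

# Test-user password is an input, never a literal in the module.
variable "test_user_password" {
  type      = string
  sensitive = true
}

resource "keycloak_user" "test_lead" {
  realm_id = keycloak_realm.landscaping.id
  username = "test-lead"
  enabled  = true
  email    = "test-lead@example.invalid" # placeholder address
  initial_password {
    value     = var.test_user_password
    temporary = false
  }
}

resource "keycloak_user_roles" "test_lead" {
  realm_id = keycloak_realm.landscaping.id
  user_id  = keycloak_user.test_lead.id
  role_ids = [keycloak_role.business["lead"].id]
}

# Secrets wiring: the generated client secret is written straight into the
# k8s Secret the Rails deployment reads, so no human ever copies it.
resource "kubernetes_secret" "keycloak_client" {
  metadata {
    name      = "landscaping-assistant-keycloak"
    namespace = "landscaping-assistant" # assumed namespace
  }
  type = "Opaque"
  data = {
    KEYCLOAK_CLIENT_ID     = keycloak_openid_client.rails_app.client_id
    KEYCLOAK_CLIENT_SECRET = keycloak_openid_client.rails_app.client_secret
  }
}
```

Two points worth checking when evaluating this pattern against the alternatives: the client secret and the test-user password both end up in Terraform state, so the state backend's encryption and access control decide whether this is acceptable or whether the SOPS route in the Secrets wiring question is still needed; and the direct grant routes the user's password through the Rails app, which the OAuth 2.0 Security Best Current Practice advises against, so the ROPC question in the ticket is worth answering before the client definition above is taken as final.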
Reference
ldraney/landscaping-assistant#132