Provision Keycloak realm and client for palinks #31

Status: Open · opened 2026-06-08 03:20:18 +00:00 by ldraney (Owner) · 0 comments

Type

Feature

Lineage

Follow-up from spike #16 (docs/auth.md — Keycloak Provisioning section).

Repo

ldraney/pal-e-services + ldraney/pal-e-platform + ldraney/pal-e-deployments

User Story

As Lucas
I want a Keycloak realm configured for palinks
So that users can authenticate via OIDC

Context

Palinks needs a palinks realm with two roles (superadmin, member), a confidential OIDC client with PKCE S256, and secrets wired into the k8s deployment. The spike doc has exact terraform config blocks. Registration is disabled — Lucas creates users manually. Network policy must allow palinks namespace to reach Keycloak.

File Targets

pal-e-services:

  • terraform/k3s.tfvars — add palinks realm + client to keycloak blocks

pal-e-platform:

  • terraform/network-policies.tf — add palinks namespace to Keycloak allowlist

pal-e-deployments:

  • overlays/palinks/prod/secrets.enc.yaml — add KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET
  • overlays/palinks/prod/deployment-patch.yaml — add secretKeyRef env entries

Feature Flag

None — infrastructure provisioning, not user-facing behavior.

Acceptance Criteria

  • palinks realm exists in Keycloak with superadmin and member roles
  • Confidential client palinks configured with PKCE S256
  • Redirect URI points to /auth/keycloak/callback
  • Lucas user created with superadmin role
  • Network policy allows palinks->keycloak traffic
  • Secrets wired and ArgoCD syncs successfully
  • OIDC discovery endpoint returns valid config

Test Expectations

  • Manual: curl https://keycloak.tail5b443a.ts.net/realms/palinks/.well-known/openid-configuration returns valid JSON
  • Manual: verify client exists in admin console
  • Manual: ArgoCD shows palinks app healthy after secret sync

Constraints

  • Follow sop-keycloak-client-creation SOP
  • Registration disabled (Lucas creates users manually)
  • Direct access grants disabled per SOP
  • Realm roles mapper included so roles appear in ID token
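Added example, not the spike doc's or the project's own terraform: a resource-level sketch of the realm, roles, confidential PKCE client and realm-roles mapper listed in Context and Constraints, written against the keycloak Terraform provider's resource types. It assumes the project's k3s.tfvars values feed resources like these; the redirect host is a placeholder.

```hcl
# Added example (not from docs/auth.md): realm, roles, confidential PKCE
# client and realm-roles mapper. The client secret lands in Terraform state;
# hand it to the app through secrets.enc.yaml, never via a plain manifest.

resource "keycloak_realm" "palinks" {
  realm                = "palinks"
  enabled              = true
  registration_allowed = false # Lucas creates users manually
}

resource "keycloak_role" "superadmin" {
  realm_id = keycloak_realm.palinks.id
  name     = "superadmin"
}

resource "keycloak_role" "member" {
  realm_id = keycloak_realm.palinks.id
  name     = "member"
}

resource "keycloak_openid_client" "palinks" {
  realm_id                     = keycloak_realm.palinks.id
  client_id                    = "palinks"
  access_type                  = "CONFIDENTIAL"
  standard_flow_enabled        = true  # authorization code flow only
  implicit_flow_enabled        = false
  direct_access_grants_enabled = false # per SOP: no password grant
  service_accounts_enabled     = false
  pkce_code_challenge_method   = "S256"
  # PLACEHOLDER host; exact callback path from the issue, no wildcard
  valid_redirect_uris = ["https://palinks.example.invalid/auth/keycloak/callback"]
}

# Put realm roles into the ID token so the app sees superadmin/member at login
resource "keycloak_openid_user_realm_role_protocol_mapper" "realm_roles" {
  realm_id            = keycloak_realm.palinks.id
  client_id           = keycloak_openid_client.palinks.id
  name                = "realm-roles"
  claim_name          = "roles"
  multivalued         = true
  add_to_id_token     = true
  add_to_access_token = true
}

output "palinks_client_secret" {
  value     = keycloak_openid_client.palinks.client_secret
  sensitive = true
}
```

Read the generated secret with `terraform output -raw palinks_client_secret` and store it as KEYCLOAK_CLIENT_SECRET in overlays/palinks/prod/secrets.enc.yaml.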

Checklist

  • Terraform applied in pal-e-services
  • Network policy applied in pal-e-platform
  • Secrets wired in pal-e-deployments
  • Lucas user created
  • No unrelated changes

Related

  • project-palinks — project page
  • docs/auth.md — full provisioning spec
  • sop-keycloak-client-creation — platform SOP
Reference
ldraney/palinks#31