Initial commit: add .gitignore and README

identity/keycloak/k8s-deployment.yaml

@@ -0,0 +1,109 @@
+# Keycloak Identity Provider Kubernetes Deployment
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: identity
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-db-secret
+  namespace: identity
+type: Opaque
+stringData:
+  username: keycloak
+  password: change-me-in-production
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  namespace: identity
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:23.0
+          args:
+            - start
+            - --hostname-strict=false
+            - --proxy-headers=xforwarded
+            - --http-relative-path=/
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: admin
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-admin-secret
+                  key: password
+            - name: KC_DB
+              value: postgres
+            - name: KC_DB_URL
+              value: jdbc:postgresql://postgres:5432/keycloak
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-secret
+                  key: username
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-secret
+                  key: password
+          ports:
+            - containerPort: 8080
+              name: http
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "500m"
+            limits:
+              memory: "2Gi"
+              cpu: "1000m"
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: 8080
+            initialDelaySeconds: 60
+            periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  namespace: identity
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+  selector:
+    app: keycloak
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-admin-secret
+  namespace: identity
+type: Opaque
+stringData:
+  password: change-me-in-production
+

identity/user-management/keycloak-realm.json

@@ -0,0 +1,69 @@
+{
+  "realm": "workspace",
+  "enabled": true,
+  "displayName": "Workspace Realm",
+  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Workspace</span></div>",
+  "users": [
+    {
+      "username": "admin",
+      "enabled": true,
+      "emailVerified": true,
+      "firstName": "Admin",
+      "lastName": "User",
+      "email": "admin@example.com",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "change-me-in-production",
+          "temporary": false
+        }
+      ],
+      "realmRoles": ["admin", "user"]
+    }
+  ],
+  "roles": {
+    "realm": [
+      {
+        "name": "admin",
+        "description": "Administrator role"
+      },
+      {
+        "name": "user",
+        "description": "Standard user role"
+      },
+      {
+        "name": "developer",
+        "description": "Developer role"
+      },
+      {
+        "name": "viewer",
+        "description": "View-only role"
+      }
+    ]
+  },
+  "clients": [
+    {
+      "clientId": "workspace-api",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "change-me-in-production",
+      "redirectUris": ["*"],
+      "webOrigins": ["*"],
+      "protocol": "openid-connect",
+      "publicClient": false,
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": true
+    }
+  ],
+  "identityProviders": [],
+  "smtpServer": {
+    "host": "smtp.example.com",
+    "port": "587",
+    "from": "noreply@example.com",
+    "auth": true,
+    "starttls": true,
+    "user": "smtp-user",
+    "password": "smtp-password"
+  }
+}
+

identity/user-management/setup.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# Setup centralized user management in Keycloak
+
+set -e
+
+NAMESPACE="identity"
+KEYCLOAK_URL="${KEYCLOAK_URL:-http://keycloak.${NAMESPACE}.svc.cluster.local:8080}"
+ADMIN_USER="${KEYCLOAK_ADMIN:-admin}"
+ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-change-me-in-production}"
+
+echo "👥 Setting up centralized user management..."
+
+# Check if Keycloak is accessible
+if ! curl -s "${KEYCLOAK_URL}/health" > /dev/null; then
+  echo "⚠️  Keycloak not accessible at $KEYCLOAK_URL"
+  echo "   → Ensure Keycloak is deployed and running"
+  exit 1
+fi
+
+# Get admin token
+echo "🔑 Getting admin token..."
+TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+  -d "client_id=admin-cli" \
+  -d "username=${ADMIN_USER}" \
+  -d "password=${ADMIN_PASSWORD}" \
+  -d "grant_type=password" | jq -r '.access_token')
+
+if [ -z "$TOKEN" ] || [ "$TOKEN" == "null" ]; then
+  echo "❌ Failed to get admin token"
+  exit 1
+fi
+
+# Create realm
+echo "🌍 Creating workspace realm..."
+curl -s -X POST "${KEYCLOAK_URL}/admin/realms" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d @keycloak-realm.json
+
+echo "✅ User management setup complete!"
+echo ""
+echo "📝 Next steps:"
+echo "   1. Access Keycloak admin console"
+echo "   2. Review realm configuration"
+echo "   3. Create additional users and roles"
+echo "   4. Configure identity providers (if needed)"
+echo "   5. Set up user federation (if needed)"
+