Keycloak Integration with Governance Platform

.gitignore

@@ -56,3 +56,5 @@ Session.vim
 .envrc
 .direnv
 my-secrets.yaml
+
+**/.helm_ls_cache/**

charts/auth-service/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: auth-service
 description: EQTYLab Auth Service - Authentication and authorization service for the Governance Platform
 type: application
-version: 1.0.0
-appVersion: "1.0.0"
+version: 1.0.4
+appVersion: "1.0.2"
 keywords:
   - auth
   - authentication

charts/auth-service/templates/deployment.yaml

@@ -169,6 +169,14 @@ spec:
             - name: IDP_KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET
               value: {{ .Values.config.idp.keycloak.serviceAccountClientSecret | quote }}
             {{- end }}
+            {{- if .Values.config.idp.keycloak.enableUserManagement }}
+            - name: IDP_KEYCLOAK_ENABLE_USER_MANAGEMENT
+              value: {{ .Values.config.idp.keycloak.enableUserManagement | quote }}
+            {{- end }}
+            {{- if .Values.config.idp.keycloak.enableGroupSync }}
+            - name: IDP_KEYCLOAK_ENABLE_GROUP_SYNC
+              value: {{ .Values.config.idp.keycloak.enableGroupSync | quote }}
+            {{- end }}
             {{- end }}
 
             {{- if eq .Values.config.idp.provider "zitadel" }}
@@ -276,7 +284,10 @@ spec:
             {{- if .Values.config.serviceAccounts.governanceWorker.enabled }}
             - name: SERVICE_ACCOUNT_DEFAULT_NAME
               value: {{ .Values.config.serviceAccounts.governanceWorker.name | quote }}
-            # Auth0 M2M credentials for governance-worker
+
+            # M2M credentials for governance-worker
+            {{- if eq .Values.config.idp.provider "auth0" }}
+            # Auth0 service account credentials
             {{- if .Values.config.serviceAccounts.governanceWorker.auth0ClientId }}
             - name: AUTH0_GOVERNANCE_WORKER_CLIENT_ID
               value: {{ .Values.config.serviceAccounts.governanceWorker.auth0ClientId | quote }}
@@ -302,6 +313,31 @@ spec:
               value: {{ .Values.config.serviceAccounts.governanceWorker.audience | quote }}
             {{- end }}
             {{- end }}
+
+            {{- if eq .Values.config.idp.provider "keycloak" }}
+            # Keycloak service account credentials
+            {{- if .Values.config.serviceAccounts.governanceWorker.keycloakClientId }}
+            - name: KEYCLOAK_GOVERNANCE_WORKER_CLIENT_ID
+              value: {{ .Values.config.serviceAccounts.governanceWorker.keycloakClientId | quote }}
+            {{- else if .Values.config.serviceAccounts.existingSecret }}
+            - name: KEYCLOAK_GOVERNANCE_WORKER_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "auth-service.serviceAccountSecretName" . }}
+                  key: {{ .Values.config.serviceAccounts.existingSecretKeys.governanceWorkerClientId | default "governance-worker-client-id" }}
+            {{- end }}
+            {{- if .Values.config.serviceAccounts.governanceWorker.keycloakClientSecret }}
+            - name: KEYCLOAK_GOVERNANCE_WORKER_CLIENT_SECRET
+              value: {{ .Values.config.serviceAccounts.governanceWorker.keycloakClientSecret | quote }}
+            {{- else if .Values.config.serviceAccounts.existingSecret }}
+            - name: KEYCLOAK_GOVERNANCE_WORKER_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "auth-service.serviceAccountSecretName" . }}
+                  key: {{ .Values.config.serviceAccounts.existingSecretKeys.governanceWorkerClientSecret | default "governance-worker-client-secret" }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
             {{- if .Values.config.serviceAccounts.existingSecret }}
             - name: SERVICE_ACCOUNT_ENCRYPTION_KEY
               valueFrom:
@@ -320,6 +356,22 @@ spec:
               value: {{ .Values.metrics.path | quote }}
             {{- end }}
 
+            # Token Exchange configuration
+            {{- if .Values.config.tokenExchange.enabled }}
+            - name: AUTH_SERVICE_KEY_ID
+              value: {{ .Values.config.tokenExchange.keyId | quote }}
+            - name: AUTH_SERVICE_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.tokenExchange.existingSecret | default (printf "%s-keys" (include "auth-service.fullname" .)) }}
+                  key: {{ .Values.config.tokenExchange.existingSecretKeys.privateKey | default "private-key" }}
+            {{- end }}
+
+            {{- if .Values.config.authUrl }}
+            - name: AUTH_SERVICE_URL
+              value: {{ .Values.config.authUrl | quote }}
+            {{- end }}
+
             {{- with .Values.extraEnvVars }}
             {{- toYaml . | nindent 12 }}
             {{- end }}

charts/auth-service/templates/hpa.yaml

@@ -29,4 +29,4 @@ spec:
           type: Utilization
           averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/ingress.yaml

@@ -58,4 +58,4 @@ spec:
               {{- end }}
           {{- end }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/migration-job.yaml

@@ -44,4 +44,4 @@ spec:
               value: {{ .Values.config.database.sslMode | quote }}
             - name: DATABASE_MIGRATIONS_PATH
               value: {{ .Values.config.database.migrationsPath | default "/internal/database/migrations" | quote }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/networkpolicy.yaml

@@ -20,4 +20,4 @@ spec:
   egress:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/pdb.yaml

@@ -15,4 +15,4 @@ spec:
   selector:
     matchLabels:
       {{- include "auth-service.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/secrets.yaml

@@ -24,10 +24,24 @@ data:
   {{- end }}
   {{- if .Values.config.idp.keycloak.adminPassword }}
   admin-password: {{ .Values.config.idp.keycloak.adminPassword | b64enc | quote }}
-  {{- end }}
-  {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
 
+{{- if .Values.config.tokenExchange.enabled }}
+{{- if not .Values.config.tokenExchange.existingSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "auth-service.fullname" . }}-keys
+  labels:
+    {{- include "auth-service.labels" . | nindent 4 }}
+type: Opaque
+data:
+  private-key: {{ .Values.config.tokenExchange.privateKey | b64enc | quote }}
+{{- end }}
+{{- end }}
 {{- if and (not .Values.postgresql.enabled) (not .Values.config.database.existingSecret) }}
 ---
 apiVersion: v1

charts/auth-service/templates/service.yaml

@@ -22,4 +22,4 @@ spec:
       name: metrics
     {{- end }}
   selector:
-    {{- include "auth-service.selectorLabels" . | nindent 4 }}
+    {{- include "auth-service.selectorLabels" . | nindent 4 }}

charts/auth-service/templates/serviceaccount.yaml

@@ -10,4 +10,4 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
+{{- end }}

charts/auth-service/templates/servicemonitor.yaml

@@ -17,4 +17,4 @@ spec:
       path: {{ .Values.metrics.path }}
       interval: {{ .Values.metrics.serviceMonitor.interval }}
       scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
-{{- end }}
+{{- end }}

charts/auth-service/values-auth0-with-service-accounts.yaml

@@ -0,0 +1,59 @@
+# Auth0-specific values with service account configuration
+# This file shows how to configure the auth-service with Auth0 and service accounts
+
+# Auth0 configuration
+config:
+  idp:
+    provider: "auth0"
+    issuer: "https://your-tenant.auth0.com/"
+    clientId: "your-client-id"
+    clientSecret: "your-client-secret"
+    redirectUri: "https://auth.yourdomain.com/callback"
+
+    auth0:
+      domain: "your-tenant.auth0.com"
+      enableManagementAPI: true
+      managementClientId: "your-m2m-client-id"
+      managementClientSecret: "your-m2m-client-secret"
+      managementAudience: "https://your-tenant.auth0.com/api/v2/"
+      apiIdentifier: "https://api.yourdomain.com"
+      defaultConnection: "Username-Password-Authentication"
+      syncAtStartup: true
+      syncPageSize: 100
+
+  # Service Account configuration
+  serviceAccounts:
+    autoCreate: true
+    governanceWorker:
+      enabled: true
+      name: "governance-worker"
+      description: "Automated governance service worker for processing indicator evaluations"
+      # No organizationId - platform-wide access
+      scopes:
+        - "governance:declarations:create"
+        - "integrity:statements:create"
+    # Generate a secure encryption key: openssl rand -base64 32
+    encryptionKey: "your-base64-encoded-32-byte-key"
+
+  # Security configuration
+  security:
+    apiSecret: "your-api-secret"  # Used by Auth0 actions
+
+  # Key Vault configuration (for DID keys)
+  keyVault:
+    provider: "azure"
+    azure:
+      vaultUrl: "https://your-vault.vault.azure.net/"
+      tenantId: "your-azure-tenant-id"
+      clientId: "your-azure-client-id"
+      clientSecret: "your-azure-client-secret"
+
+# For production, use existing secrets instead of inline values
+# config:
+#   idp:
+#     existingSecret: "auth0-credentials"
+#   serviceAccounts:
+#     existingSecret: "service-account-secrets"
+#   keyVault:
+#     azure:
+#       existingSecret: "azure-keyvault-credentials"

charts/auth-service/values-auth0.yaml

@@ -0,0 +1,110 @@
+# Auth0 Provider Configuration for SaaS Deployment
+# This values file configures the auth-service to use Auth0 as the identity provider
+
+config:
+  # CORS is disabled by default as ingress controller handles it
+  cors:
+    enabled: false
+    origins: "*"
+
+  idp:
+    provider: "auth0"
+    issuer: "https://your-tenant.auth0.com/"
+    clientId: "your-auth0-client-id"
+    clientSecret: "your-auth0-client-secret"
+
+    # Auth0-specific configuration
+    auth0:
+      domain: "your-tenant.auth0.com"
+      managementClientId: "your-management-api-client-id"
+      managementClientSecret: "your-management-api-client-secret"
+      managementAudience: "https://your-tenant.auth0.com/api/v2/"
+      apiIdentifier: "https://api.your-app.com"
+      defaultConnection: "Username-Password-Authentication"
+      defaultRoles: ["user"]
+      sendInvitationEmail: true
+
+    # Use existing secret for production
+    # existingSecret: "auth-service-auth0-credentials"
+    # existingSecretKeys:
+    #   clientId: "client-id"
+    #   clientSecret: "client-secret"
+    #   managementClientId: "mgmt-client-id"
+    #   managementClientSecret: "mgmt-client-secret"
+
+  # Database configuration for SaaS
+  database:
+    # Use managed database service
+    host: "your-rds-endpoint.amazonaws.com"
+    port: 5432
+    name: "auth_service"
+    user: "auth_service_user"
+    sslMode: "require"
+    # Use existing secret for credentials
+    existingSecret: "auth-service-db-credentials"
+    existingSecretKeys:
+      password: "password"
+
+  # Key Vault configuration for SaaS
+  keyVault:
+    provider: "azure"
+    azure:
+      vaultUrl: "https://your-keyvault.vault.azure.net/"
+      tenantId: "your-azure-tenant-id"
+      # Use managed identity or existing secret
+      existingSecret: "auth-service-keyvault-credentials"
+      existingSecretKeys:
+        clientId: "client-id"
+        clientSecret: "client-secret"
+
+# Production-ready settings for SaaS
+replicaCount: 3
+
+autoscaling:
+  enabled: true
+  minReplicas: 3
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 70
+  targetMemoryUtilizationPercentage: 80
+
+resources:
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+  requests:
+    cpu: 250m
+    memory: 256Mi
+
+# Enable metrics for monitoring
+metrics:
+  enabled: true
+  port: 9090
+  path: "/metrics"
+
+# Health checks
+healthCheck:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 30
+    periodSeconds: 10
+  readiness:
+    enabled: true
+    initialDelaySeconds: 10
+    periodSeconds: 5
+
+# Ingress configuration for SaaS
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  hosts:
+    - host: auth.your-saas-domain.com
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: auth-service-tls
+      hosts:
+        - auth.your-saas-domain.com