Keycloak Integration with Governance Platform

README.md

@@ -11,6 +11,7 @@ This repository contains Helm charts for deploying the EQTY Lab Governance Platf
 | [governance-service](charts/governance-service/)   | Subchart | Go-based backend API and workflow engine              |
 | [integrity-service](charts/integrity-service/)     | Subchart | Rust-based verifiable credentials and lineage service |
 | [auth-service](charts/auth-service/)               | Subchart | Go-based authentication and authorization service     |
+| [keycloak-bootstrap](charts/keycloak-bootstrap/)   | Utility  | Keycloak realm and client configuration job           |
 
 ## Architecture
 
@@ -25,7 +26,8 @@ charts/
 ├── governance-studio/       # Frontend subchart
 ├── governance-service/      # Backend API subchart
 ├── integrity-service/       # Credentials/lineage subchart
-└── auth-service/            # Authentication subchart
+├── auth-service/            # Authentication subchart
+└── keycloak-bootstrap/      # Keycloak configuration utility
 ```
 
 **Recommended approach**: Deploy using the `governance-platform` umbrella chart. This provides:
@@ -246,6 +248,7 @@ The umbrella chart (`governance-platform`) version is incremented when:
 | [governance-service/README.md](charts/governance-service/README.md)   | Backend API configuration            |
 | [integrity-service/README.md](charts/integrity-service/README.md)     | Credentials service configuration    |
 | [auth-service/README.md](charts/auth-service/README.md)               | Authentication service configuration |
+| [keycloak-bootstrap/README.md](charts/keycloak-bootstrap/README.md)   | Keycloak realm/client configuration  |
 
 ## Support
 

charts/keycloak-bootstrap/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/keycloak-bootstrap/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: keycloak-bootstrap
+description: A Helm chart for deploying the EQTY Lab Keycloak Bootstrap - automated realm and client configuration for the Governance Platform
+type: application
+version: 1.1.0
+appVersion: "1.1.0"
+home: https://github.com/eqtylab/governance-studio-infrastructure
+sources:
+  - https://github.com/eqtylab/governance-studio-infrastructure/tree/main/charts/keycloak-bootstrap
+maintainers:
+  - name: EQTY Lab
+    email: support@eqtylab.io

charts/keycloak-bootstrap/templates/NOTES.txt

@@ -0,0 +1,34 @@
+{{- if .Values.bootstrap.enabled }}
+Keycloak Bootstrap Job has been created!
+
+The bootstrap job will:
+1. Wait for Keycloak to be ready at {{ .Values.keycloak.url }}
+2. Create the realm: {{ .Values.keycloak.realm.name }}
+3. Configure clients:
+   - Frontend: {{ .Values.clients.frontend.clientId }}
+   - Backend: {{ .Values.clients.backend.clientId }}
+   - Worker: {{ .Values.clients.worker.clientId }}
+4. Create custom scopes for governance platform
+{{- if .Values.users.admin.enabled }}
+5. Create admin user: {{ .Values.users.admin.username }}
+{{- end }}
+
+To check the job status:
+  kubectl get jobs -l "app.kubernetes.io/name={{ include "keycloak-bootstrap.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+
+To view the job logs:
+  kubectl logs -l "app.kubernetes.io/name={{ include "keycloak-bootstrap.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+
+{{- if .Values.output.createSecrets }}
+
+Configuration secrets have been created:
+- Frontend: {{ .Values.output.secrets.frontend }}
+- Backend: {{ .Values.output.secrets.backend }}
+- Worker: {{ .Values.output.secrets.worker }}
+
+You can use these secrets in your application deployments.
+{{- end }}
+
+{{- else }}
+Keycloak Bootstrap is disabled. To enable it, set bootstrap.enabled=true
+{{- end }}

charts/keycloak-bootstrap/templates/_helpers.tpl

@@ -0,0 +1,44 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "keycloak-bootstrap.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "keycloak-bootstrap.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name (include "keycloak-bootstrap.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keycloak-bootstrap.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "keycloak-bootstrap.labels" -}}
+helm.sh/chart: {{ include "keycloak-bootstrap.chart" . }}
+{{ include "keycloak-bootstrap.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "keycloak-bootstrap.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "keycloak-bootstrap.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}