# Keycloak
Keycloak is an open source identity and access management solution, currently a Cloud Native Computing Foundation (CNCF) incubating project. It provides user federation, identity brokering, and social login capabilities.
## Role in Platform-Mesh
Platform-Mesh deploys and manages its own Keycloak instance to handle:
- User Authentication - OIDC-based authentication for portal and API access
- Organization Isolation - One realm per organization for tenant separation
- Service Account Management - OAuth2 client credentials for operator authentication
- User Lifecycle - Invitation flow, email verification, password management
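The two points above that matter most for security are operator authentication via OAuth2 client credentials and realm-per-organization isolation. The following is an added example, not code from Platform-Mesh: it builds the client-credentials request an operator would send to a realm's token endpoint and then applies the claim checks a resource server should run on the resulting access token. The base URL, realm, client id and secret are constructed placeholders; the token endpoint path, the issuer format and the claim names (`iss`, `azp`, `typ`, `exp`, `preferred_username`) are standard Keycloak behaviour.

```python
"""Operator authentication with OAuth2 client credentials against a
per-organization Keycloak realm, plus the claim checks a resource server
should apply to the resulting token.

Added example, not code from Platform-Mesh. Base URL, realm, client id and
secret below are constructed placeholders; endpoint path, issuer format and
claim names are standard Keycloak behaviour.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak exposes one token endpoint per realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def realm_issuer(base_url: str, realm: str) -> str:
    """The `iss` value Keycloak places in tokens minted by this realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def client_credentials_request(base_url, realm, client_id, client_secret):
    """Build the client-credentials grant request an operator sends.

    Returns (url, headers, body) so the request can be inspected offline;
    send_token_request() performs it against a live Keycloak.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",  # client_secret_basic
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return token_endpoint(base_url, realm), headers, body


def send_token_request(url, headers, body, timeout=10):
    """POST the request and return the parsed token response (network call)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decode_claims_unverified(jwt: str) -> dict:
    """Decode a JWT payload without checking the signature.

    Use this only to inspect claims; a resource server must verify the
    signature against the realm's JWKS before acting on any of them.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_service_account_claims(claims, expected_issuer, expected_client_id, now=None):
    """Return the list of problems found; an empty list means accept.

    The issuer check is what turns realm-per-organization into tenant
    isolation: a token minted by org A's realm carries org A's issuer and is
    rejected by anything configured to serve org B.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    if claims.get("azp") != expected_client_id:
        problems.append(f"authorized party {claims.get('azp')!r} is not {expected_client_id!r}")
    if claims.get("typ") != "Bearer":
        problems.append("not a bearer access token")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not str(claims.get("preferred_username", "")).startswith("service-account-"):
        problems.append("token was not issued to a service account")
    return problems


if __name__ == "__main__":
    base, realm, client = "https://keycloak.example.invalid", "org-acme", "security-operator"
    url, headers, body = client_credentials_request(base, realm, client, "placeholder-secret")
    print("POST", url, body.decode())
    # Constructed claims standing in for a decoded token; no network call is made.
    sample_claims = {
        "iss": realm_issuer(base, realm), "azp": client, "typ": "Bearer",
        "exp": time.time() + 300, "preferred_username": f"service-account-{client}",
    }
    print("own realm   :", validate_service_account_claims(sample_claims, realm_issuer(base, realm), client))
    foreign = dict(sample_claims, iss=realm_issuer(base, "org-other"))
    print("other realm :", validate_service_account_claims(foreign, realm_issuer(base, realm), client))
```

The `__main__` section runs offline against constructed claims; the second print shows a token from another organization's realm being rejected solely on its issuer, which is the property the realm-per-organization layout relies on.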
## Key Patterns
| Pattern | Description |
|---|---|
| Realm per Organization | Each organization gets its own Keycloak realm |
| Service Account Clients | Operators authenticate via OAuth2 client credentials |
| OIDC Dynamic Registration | Clients are registered dynamically using RFC 7591 |
| Kubernetes-native Secrets | All credentials stored in K8s Secrets |
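The dynamic registration and Kubernetes-native Secrets patterns in the table above fit together: the registration response is the credential material that ends up in a Secret. The following is an added example, not code from Platform-Mesh, that builds an RFC 7591 registration request for a Keycloak realm, checks the server's answer before trusting it, and renders the result as a v1 Secret manifest. The Keycloak host, realm, initial access token, client name and `SAMPLE_RESPONSE` are constructed placeholders; the registration endpoint path (`clients-registrations/openid-connect`) and the response fields follow Keycloak's RFC 7591 implementation.

```python
"""RFC 7591 dynamic client registration against a Keycloak realm, with the
result written into a Kubernetes Secret manifest.

Added example, not code from Platform-Mesh. Host, realm, initial access
token, client name and SAMPLE_RESPONSE are constructed placeholders; the
endpoint path and response fields follow Keycloak's RFC 7591 support.
"""
import json
import urllib.request

# Keycloak's OIDC dynamic registration endpoint lives under each realm.
REGISTRATION_PATH = "clients-registrations/openid-connect"

# Constructed stand-in for what Keycloak returns on a successful POST.
SAMPLE_RESPONSE = {
    "client_id": "4c1f0d9e-example-client-id",
    "client_secret": "example-secret-not-real",
    "registration_access_token": "example-rat-not-real",
    "registration_client_uri": "https://keycloak.example.invalid/realms/org-acme/"
                               "clients-registrations/openid-connect/4c1f0d9e-example-client-id",
    "redirect_uris": ["https://portal.example.invalid/callback"],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code", "refresh_token"],
}


def registration_request(base_url, realm, initial_access_token, client_name, redirect_uris):
    """Build the RFC 7591 registration POST for a confidential client.

    Keycloak gates registration with a realm-scoped Initial Access Token,
    sent as a bearer token. Returns (url, headers, body) with body as a dict.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/{REGISTRATION_PATH}"
    headers = {
        "Authorization": f"Bearer {initial_access_token}",
        "Content-Type": "application/json",
    }
    body = {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }
    return url, headers, body


def send_registration(url, headers, body, timeout=10):
    """POST the registration (network call) and return the parsed response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_registration_response(requested, response):
    """Return problems with the server's answer; an empty list means accept.

    RFC 7591 lets the server alter or drop requested metadata, so the client
    must compare what it asked for with what it got before using the client.
    """
    problems = []
    for field in ("client_id", "client_secret", "registration_access_token", "registration_client_uri"):
        if not response.get(field):
            problems.append(f"response is missing {field}")
    if response.get("token_endpoint_auth_method") != requested["token_endpoint_auth_method"]:
        problems.append("token_endpoint_auth_method was changed by the server")
    if set(response.get("redirect_uris", [])) != set(requested["redirect_uris"]):
        problems.append("redirect_uris differ from the requested set")
    return problems


def to_kubernetes_secret(response, namespace, name):
    """Render the registration result as a v1 Secret manifest.

    stringData keeps the manifest readable; the API server stores it
    base64-encoded under data. The registration access token is kept because
    it is the only credential that can later update or delete the client via
    registration_client_uri.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "stringData": {
            "client-id": response["client_id"],
            "client-secret": response["client_secret"],
            "registration-access-token": response["registration_access_token"],
            "registration-client-uri": response["registration_client_uri"],
        },
    }


if __name__ == "__main__":
    url, headers, body = registration_request(
        "https://keycloak.example.invalid", "org-acme", "placeholder-initial-access-token",
        "portal", ["https://portal.example.invalid/callback"])
    print("POST", url)
    print(json.dumps(body, indent=2))
    # Validate the constructed response instead of calling a live Keycloak.
    print("problems:", check_registration_response(body, SAMPLE_RESPONSE))
    print(json.dumps(to_kubernetes_secret(SAMPLE_RESPONSE, "org-acme", "portal-oidc-client"), indent=2))
```

The response check matters because a registration server is permitted to change what was requested; silently accepting `token_endpoint_auth_method` of `none` would turn a confidential client into a public one. Storing `registration_access_token` alongside the client secret is what keeps the client manageable on Day 2.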
## Component Responsibilities
| Component | Day 1 | Day 2 |
|---|---|---|
| helm-charts | Deploy Keycloak, expose via gateway, configure init container | — |
| security-operator | Bootstrap service account clients (init container) | Manage realms, register OIDC clients, invite users |
| iam-service | — | Query users from Keycloak |
| platform-mesh-operator | — | Bind workspace auth to realm |
| upstream-images | Build Keycloak image | — |
## Documentation
- Deployment & Configuration - Day 1 setup via Helm
- Operations - Day 2 runtime operations