Keycloak AWS Dev Helm Workload

OP-067 adds the AWS dev identity-provider workload needed before frontend login and super-admin tenant onboarding can become real console flows.

What Changed

  • AWS dev Terraform capacity now targets two arm64 nodes so Keycloak can schedule alongside API, frontend, worker, NATS, ClickHouse, GitLab Agent, AWS Load Balancer Controller, CoreDNS, EBS CSI, VPC CNI, kube-proxy, and pod identity workloads.
  • The Helm chart can deploy Keycloak as a single-replica StatefulSet with a persistent volume and realm import.
  • Keycloak is exposed through a dedicated ALB ingress at auth.watchtower-app.mergematter.io.
  • The API OIDC issuer points to the public AWS dev Keycloak realm, while JWKS lookup uses the in-cluster Keycloak Service so API token verification does not depend on public DNS or ALB/NAT egress.
  • The Keycloak admin bootstrap credentials are read from a Kubernetes Secret, not committed into Helm values or realm JSON.

Operator Notes

Before deploying OP-067 from develop, Terraform must apply the arm64 node capacity change and request and validate the auth ACM certificate. The AWS_DEV_HELM_VALUES_FILE must then be updated with the issued auth certificate ARN, and the Keycloak admin Secret must exist in oneprotect-dev. When updating that protected file, keep the issuer public and the JWKS URL internal. If Terraform creates the auth ACM certificate, copy the issued ARN only into Helm values; do not paste it back into Terraform variables, or the managed certificate resource will plan for deletion.

Keycloak is an AWS dev workload for console activation. It does not decide the staging/production IdP operating model, does not implement the frontend login shell, and does not create super-admin tenant-management APIs.

Until OP-069 lands, the first AWS dev system-admin user is created operationally in Keycloak. The user must carry tenant_id and oneprotect_role attributes so that the access token contains the tenant claim and the single-role claim the API requires. The user must also have email, first name, and last name populated, the email marked verified, and no accidentally assigned profile-update required action; otherwise Keycloak can stop login at profile verification before OneProtect receives the callback.
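The two points above (a public issuer with an in-cluster JWKS URL, and the tenant_id / single-valued oneprotect_role claims the API expects) come together at token verification. The following Go program is an added illustration, not OneProtect's API code: it verifies an RS256 access token against a key set that the caller fetched from the in-cluster URL, insists that the iss claim equals the public realm URL, and rejects tokens whose role claim is missing or is an array. The realm name, the Service hostname and port, the kid value, and the signing key are all constructed for the example; the API may structure this differently.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Assumed URLs (not from the page): public realm behind the ALB vs. the in-cluster Service (name assumed).
const (
	PublicIssuer    = "https://auth.watchtower-app.mergematter.io/realms/oneprotect-dev"
	InternalJWKSURL = "http://keycloak.oneprotect-dev.svc:8080/realms/oneprotect-dev/protocol/openid-connect/certs"
)

type JWK struct{ Kty, Kid, N, E string } // one RSA key as Keycloak's certs endpoint publishes it
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims the API requires; oneprotect_role is a plain string, so a role array fails to decode (single-role rule).
type Claims struct {
	Iss      string `json:"iss"`
	TenantID string `json:"tenant_id"`
	Role     string `json:"oneprotect_role"`
}
var b64 = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyAccessToken takes the key set already fetched from InternalJWKSURL (never derived from the
// issuer), checks the RS256 signature by kid, then requires iss == issuer and both tenant claims.
func VerifyAccessToken(token string, ks *JWKS, issuer string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range ks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("claims: %w", err)
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, issuer)
	}
	if c.TenantID == "" || c.Role == "" {
		return nil, fmt.Errorf("tenant_id and oneprotect_role claims are required")
	}
	return &c, nil
}

// JWKSFor publishes a public key the way Keycloak's certs endpoint would (constructed fixture).
func JWKSFor(pub *rsa.PublicKey, kid string) *JWKS {
	return &JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// MintToken signs an RS256 JWT over raw JSON claims (constructed fixture standing in for Keycloak).
func MintToken(priv *rsa.PrivateKey, kid, claimsJSON string) string {
	hdr := b64.EncodeToString([]byte(fmt.Sprintf(`{"alg":"RS256","typ":"JWT","kid":"%s"}`, kid)))
	input := hdr + "." + b64.EncodeToString([]byte(claimsJSON))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail for a valid key
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; the API would load JWKS from InternalJWKSURL
	tok := MintToken(key, "dev-1", `{"iss":"`+PublicIssuer+`","tenant_id":"tenant-1","oneprotect_role":"system_admin"}`)
	fmt.Println(VerifyAccessToken(tok, JWKSFor(&key.PublicKey, "dev-1"), PublicIssuer))
}
```

The design point is that the issuer string and the JWKS location are separate inputs: the iss claim is compared against the public realm URL that Keycloak actually writes into tokens, while the key material comes from the in-cluster Service, so a failure of public DNS or the ALB cannot stop token verification. A token minted with the internal URL as its issuer, a token missing tenant_id, a token whose oneprotect_role is an array, and a token signed by a key that is not in the key set are all rejected.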

Validation

The OP-067 branch should validate with Helm render, Terraform formatting and validation, docs build, and contract validation before the single final push.