Keycloak Reborn?

[h3mmy]

Details

Describe the solution you'd like:

Keycloak is something I miss. It's very versatile and is able to do various things declaratively that I have been unable to accomplish with authentik.

Keycloak is going to be way way easier to setup and configure as they shift to the quarkus framework. See Keycloak Operator Guides

Anything else you would like to add:

Other Auth providers to consider:

• Dex
• FreeIPA (Does a LOT more than IdP)
• Auth0
• Pomerium
• Authelia
• Glauth <-- Not an IdP itself. Can be integrated into whatever as LDAP interface

Additional Information:

[h3mmy]

Todo remaining for canary realm

• Provision CNPG cluster via CRD (including backups)
• Consider use-case for redis vs default memcached
• Create Realm CRD

[h3mmy]

Next major step is some cert management for signing certificates (PKI). May end up lingering until I re-do the vault TF

[h3mmy]

Another contender: https://github.com/lldap/lldap

[h3mmy]

Progress Check-in.
Keycloak (Quarkus) is deployed to the cluster. Teardown and Restore work as expected. Backups are made. Backup restoration works as expected. Grafana dashboards aren't fully in place yet but that's not part of this issue.

Remaining items:
[] Implement LDAP backend
[] Define User Model declaratively (experimental)
[] Expose metrics for Prometheus

[h3mmy]

Nixing lldap. Did not allow user creation via keycloak

[h3mmy]

Looping lldap back in because of lldap/lldap#301

Basically if that is done, it will fill my use-case and I won't have to go over-engineer a freeIPA instance to get simple federation.

[h3mmy]

Remaining tasks:
[] 2-way ldap federation
[] Shifting userbase from authentik into keycloak transparently to users (not part of this issue)

My testing for solutions to the grafana-operator migration (#4108) and emqx refactor (#2769) kind of tie in significantly here as keycloak will be the auth controller. I feel it would probably be a good idea to prioritize #4775 since that should provide a framework for identity management

[h3mmy]

https://www.keycloak.org/operator/customizing-keycloak For theming, will need to build a custom image and have build time params there instead of the keycloak instance >_<

So to have a theme:

• new dockerfile
• where to build? the params and secrets are in-cluster. Do I need to externalize them? Does something need to watch for changes and trigger a re-build if a password is rotated? That's a silly amount of overhead to have a logo
• pipeline to build/rebuild when params like db password changes
• redo secret management for the special-case. It is pretty annoying to have the one special exception for single apps that want to do things a particular way only.

This is confirmed in keycloak/keycloak#19772