design-proposal: per-tenant Keycloak realms for tenant Kubernetes cluster OIDC

[IvanHunters]

Summary

Design proposal companion to cozystack#3044.

The proposal answers the architectural decision raised in that PR's review: what is the identity unit for tenant Kubernetes cluster OIDC. This document picks per-tenant Keycloak realm (tenant-<ns>), with per-cluster public clients providing audience-bound token isolation, and explains why that is structurally different from using the flat cozy realm. It is intentionally written to compare both options head-on under Alternatives considered, so the trade-off is on the record before the implementation PR lands.

What the proposal covers

• Identity model. Per-tenant Keycloak realm tenant-<ns> owned by the tenant admin, separate from the platform-admin cozy realm. Provisioned declaratively via Tenant.spec.oidc=true.
• Per-cluster isolation. A KeycloakClient and a KeycloakClientScope per tenant cluster inside the tenant's realm; id_token.aud matches the per-cluster --oidc-client-id, so tokens are non-replayable across clusters.
• Default RBAC. Two-tier view + admin KeycloakRealmGroup per cluster, bound inside the tenant cluster to upstream ClusterRole/view and ClusterRole/cluster-admin respectively. No blanket cluster-admin grant; the static admin kubeconfig remains as the documented break-glass path.
• Realm propagation. Through cozystack-basics's static _namespace.oidc-realm emission, the same channel that already propagates DNS suffix and ingress class. Explicitly no Helm lookup is used.
• OIDC kubeconfig Secret. A kubernetes-<cluster>-oidc-kubeconfig Secret in the management cluster's tenant namespace, exposed via cozyrds spec.secrets.include, carrying a ready-to-use kubeconfig with a kubectl oidc-login exec auth block.
• Lifecycle. Create, inherit (child tenant), add a cluster, delete a cluster, disable OIDC on a tenant. All declarative.
• Open questions and follow-ups. BYO-OIDC via --authentication-config on KamajiControlPlane, RFC 8693 token exchange via a custom credential plugin, and a cozystack CLI helper. All called out as separate future proposals.
• Alternatives considered. Flat cozy realm + per-cluster client, BYO-OIDC only, EKS-style flat IAM + webhook, RFC 8693 token exchange plugin, embedding into the existing admin-kubeconfig Secret, single global client. Each with a short rationale for the rejection.

Status

Draft. Looking for review on the identity-unit decision and on the open questions before the cozystack#3044 implementation lands.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eeaa7cbc-2289-4900-9f01-0d8b054d28de

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request introduces a design proposal for implementing per-tenant Keycloak realms to back OIDC authentication for tenant Kubernetes clusters in Cozystack. The feedback suggests clarifying that the bootstrap Job runs in the management cluster rather than inside the tenant cluster itself. Additionally, it warns that attempting to delete ClusterRoleBindings inside the tenant cluster during a pre-delete hook is redundant and could block Helm release deletion if the control plane becomes unreachable.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The phrasing 'Inside the tenant Kubernetes cluster, a bootstrap Job...' is misleading. Based on the context (the ServiceAccount is scoped to the tenant namespace in the management cluster, and it later writes a Secret to the management namespace), this Job actually runs in the management cluster and targets the tenant cluster's API. Clarifying this to 'A bootstrap Job running in the management cluster's tenant namespace...' would prevent confusion about where the Job is scheduled and executed.

[gemini-code-assist]

Attempting to delete ClusterRoleBindings inside the tenant cluster during a pre-delete hook is redundant because the entire tenant cluster is being destroyed. Furthermore, if the tenant cluster's control plane is already partially torn down or unreachable, this hook could hang or fail, blocking the deletion of the Helm release. Consider limiting the cleanup Job to removing management-cluster resources like the OIDC kubeconfig Secret.

[Andrei Kvapil (kvaps)]

Thanks for writing this up — the doc is thorough and the "Alternatives considered" section is genuinely useful as the record for the per-tenant-realm direction. The structured --authentication-config delivery mechanism (Layer 5) and its rationale (multi-issuer, private-CA, additive BYO) are the right call and match where we want to land.

My main concern is alignment with today's two OIDC syncs, which settled the phasing after this doc was written. The agreed shape was:

• Phase 1: authenticate tenant-cluster users via the existing platform cozy realm + per-cluster public client for audience isolation, plus the ability to pass a BYO OIDC/authentication config into the cluster. No groups, no auto-provisioning into Keycloak. API as a selector, e.g. oidc: System | CustomConfig | None.
• Phase 2 (deferred, may not be needed): per-tenant Keycloak realm / "managed IdP", as a separate, fully-designed product (oidc: ... | KeycloakRealm | ...).

As written, the proposal does the inverse of that split, so I'd ask to realign it before the #3044 implementation lands:

1. Identity unit (Overview / Rollout). The doc picks per-tenant realm tenant-<ns> as the unit to implement now. Per the syncs that's Phase 2. Phase 1 is the shared cozy realm + per-cluster client.
2. "Flat cozy realm + per-cluster public client" (Alternatives, L278) is rejected — but that's the option we chose for Phase 1. Note the rejection somewhat misframes it: Phase 1 does not put tenant end-users into cozy. It authenticates the platform users that already exist there, and BYO covers a company's external users. Could you re-evaluate it as the Phase-1 baseline rather than a rejected alternative?
3. BYO-OIDC is marked non-goal/deferred (L18, Non-goals) — it's part of Phase 1. Passing a custom OIDC/authn config into the cluster is one of the two Phase-1 deliverables, not a follow-up. Layer 5 already mounts a structured config, so this is mostly a framing/scope change.
4. Groups + auto-RBAC (Layer 4). Two KeycloakRealmGroups per cluster + auto ClusterRoleBindings is exactly the group/auto-provisioning machinery the syncs put out of Phase 1 ("no groups"; a users: map with a role is enough). Auto-creating clients/groups in the IdP at cluster-creation is the "deep integration = a product that needs serious design" we flagged — and it breaks the customer-Keycloak case where the tenant does not want us spawning groups in their realm. Suggest dropping it from Phase 1.
5. Billing / central-Keycloak load is unaddressed. All tenant-<ns> realms live on the platform master ClusterKeycloak (L72). That's the load/billing blocker raised on the call. Please add a section covering it and the alternative of running Keycloak as an External App inside the tenant namespace (billing becomes trivial, it's just API + DB pods), which was the proposed mitigation.

Factual fixes about the current codebase (verified against main):

• L81 — it's packages/system/cozystack-basics/, not packages/core/..., and the emission lives in templates/cozystack-values-secret.yaml; there is no _namespace.tpl.
• L85 — _namespace.dns-suffix / _namespace.kubelet-image-credential-provider-config are not propagated today. The actual _namespace.* keys are host, etcd, ingress, gateway, monitoring, seaweedfs, schedulingClass. The real precedent is host/ingress.
• L82 — there is no tenant-hierarchy walk-up today; propagation is single-level parent lookup (packages/apps/tenant/templates/namespace.yaml). Recursive inheritance (Layer 2) is new mechanism, not "the same channel that already exists" — worth calling out as new work.
• L46, L278 — the cozy groups are not <ns>-admins / <ns>-users. They are <tenant>-view, <tenant>-use, <tenant>-admin, <tenant>-super-admin (packages/apps/tenant/templates/keycloakgroups.yaml). This also affects the "group collision" argument.
• L35 — KamajiControlPlane in cozystack is controlplane.cluster.x-k8s.io/v1alpha1 (packages/apps/kubernetes/templates/cluster.yaml). tcp.kamaji.clastix.io is the TenantControlPlane group — a different CRD.
• L33 — apps/kubernetes has no oidc value at all today (not a "no-op field").
• L17 vs Layer 5 — Scope says --oidc-* wiring, Design uses --authentication-config. Please make these consistent.

None of this is a knock on the analysis — it's solid and I'd keep it as the Phase-2 design record. The ask is to re-frame the doc around the Phase-1/Phase-2 split we agreed on, fix the codebase references, and add the billing section. Happy to pair on the Phase-1 scope if useful.