Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
30 lines
958 B
YAML
30 lines
958 B
YAML
# Keycloak (S-02) with four pre-seeded realms imported at boot:
|
|
# digid · eherkenning · eidas · medewerker
|
|
# Dev mode, H2 in-memory store, realm JSONs imported from ./realms.
|
|
#
|
|
# docker compose -f infra/keycloak/docker-compose.yml up -d
|
|
# curl -s -o /dev/null -w '%{http_code}\n' \
|
|
# http://localhost:8180/realms/digid/.well-known/openid-configuration # -> 200
|
|
#
|
|
# Admin console: http://localhost:8180/ (admin / admin — dev only)
|
|
services:
|
|
keycloak:
|
|
image: quay.io/keycloak/keycloak:26.1
|
|
command: ["start-dev", "--import-realm"]
|
|
environment:
|
|
KC_BOOTSTRAP_ADMIN_USERNAME: admin
|
|
KC_BOOTSTRAP_ADMIN_PASSWORD: admin
|
|
# Older var names too, harmless on 26.x:
|
|
KEYCLOAK_ADMIN: admin
|
|
KEYCLOAK_ADMIN_PASSWORD: admin
|
|
KC_HEALTH_ENABLED: "true"
|
|
KC_HTTP_ENABLED: "true"
|
|
ports:
|
|
- "8180:8080"
|
|
volumes:
|
|
- ./realms:/opt/keycloak/data/import:ro,z
|
|
networks: [cg]
|
|
|
|
networks:
|
|
cg:
|