Conversation

@marslanabdulrauf marslanabdulrauf commented Jul 15, 2025

What are the relevant tickets?

https://github.com/mitodl/hq/issues/6821

Description (What does it do?)

This PR:

  1. Adds keycloak service
  2. ol-local realm configuration for keycloak
  3. Adds management command to transfer all MOIRA lists to keycloak and django and group them under the same MOIRA list name

How can this be tested?

  1. Checkout to this branch
  2. Run docker-compose up --build -d
  3. If the db is already set up then you might need to create the keycloak db manually -- follow the steps mentioned in the init-db file in the db container
  4. Make sure you have a running keycloak container now by using docker desktop or docker ps command
  5. Now follow the keycloak integration README to configure keycloak. Also set USE_KEYCLOAK = True in the env file to enable Keycloak
  6. Now you should be able to login via keycloak service.

To Test MOIRA transfer
We can test this along with MOIRA migration to Keycloak PR

  1. I have added a management command that will create users from the MOIRA list in keycloak and django and assign them a group in keycloak
  2. To test this add a MOIRA list in local setup
  3. Run the management command python manage.py migrate_moira_to_keycloak.py
  4. It should create the group and users in keycloak and django as well, with temporary passwords.
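As an added example (not the PR's management command), this is the Keycloak Admin REST API payload and call sequence such a MOIRA transfer needs: a group named after the list, then one user per member with a temporary credential that Keycloak forces the user to replace at first login. The shape of a MOIRA list entry, `ol-local` as the target realm, and the injected `post` callable (so the logic runs offline) are assumptions.

```python
import secrets
from typing import Callable, Iterable

REALM = "ol-local"  # realm name from the PR; that it is the migration target is an assumption
Member = tuple[str, str]  # (username, email): assumed shape of one MOIRA list entry
PostFn = Callable[[str, dict], int]  # sends an authenticated POST, returns the HTTP status


def temporary_password() -> str:
    """One-time random password; with temporary=True it is never a long-lived credential, so never log it."""
    return secrets.token_urlsafe(16)


def user_representation(username: str, email: str, group_path: str) -> dict:
    """Keycloak UserRepresentation for POST /admin/realms/{realm}/users, placed straight into the list's group."""
    return {
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": False,
        "groups": [group_path],
        "requiredActions": ["UPDATE_PASSWORD"],
        "credentials": [{"type": "password", "value": temporary_password(), "temporary": True}],
    }


def migrate_list(list_name: str, members: Iterable[Member], post: PostFn) -> dict:
    """Create the group, then each member. 201 = created, 409 = Keycloak already has it (skipped,
    so the command is safely re-runnable); anything else aborts before more accounts are touched."""
    base = f"/admin/realms/{REALM}"
    summary = {"group_created": False, "created": [], "skipped": []}
    status = post(f"{base}/groups", {"name": list_name})
    if status == 201:
        summary["group_created"] = True
    elif status != 409:
        raise RuntimeError(f"group {list_name}: unexpected HTTP {status}")
    for username, email in members:
        status = post(f"{base}/users", user_representation(username, email, f"/{list_name}"))
        if status == 201:
            summary["created"].append(username)
        elif status == 409:
            summary["skipped"].append(username)
        else:
            raise RuntimeError(f"user {username}: unexpected HTTP {status}")
    return summary


def fake_post_factory(existing_users: set[str]) -> PostFn:
    """Offline stand-in for the admin API: answers 409 for usernames Keycloak 'already has'."""
    def post(path: str, payload: dict) -> int:
        return 409 if path.endswith("/users") and payload["username"] in existing_users else 201
    return post
```

Against a real server, `post` would wrap `requests.post` with the admin bearer token and return `response.status_code`; nothing else changes.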

gitguardian bot commented Jul 15, 2025

⚠️ GitGuardian has uncovered 6 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 13777604 | Triggered | Generic High Entropy Secret | db8bd53 | config/keycloak/realms/ol-local-realm.json |
| 13777605 | Triggered | Generic High Entropy Secret | db8bd53 | config/keycloak/realms/ol-local-realm.json |
| 13777606 | Triggered | Generic Private Key | db8bd53 | config/keycloak/tls/tls.key |
| 13777607 | Triggered | Generic High Entropy Secret | db8bd53 | config/keycloak/realms/ol-local-realm.json |
| 13777609 | Triggered | Generic Password | 6b791a1 | config/keycloak/realms/ovs-local-realm.json |
| 10259317 | Triggered | Generic Password | db8bd53 | docker-compose.yml |

🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn the best practices here.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @marslanabdulrauf, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new Keycloak service to the application's local development environment, along with a pre-configured realm. This integration establishes a foundation for centralized identity and access management, allowing the application to leverage Keycloak for user authentication and authorization workflows.

Highlights

  • Keycloak Service Integration: A new keycloak service has been added to the docker-compose.yml file, enabling the application to run a local Keycloak instance for identity and access management.
  • Pre-configured Local Realm: A comprehensive ol-local-realm.json file is included to automatically configure a default Keycloak realm upon startup. This realm defines initial users (admin, prof, student), groups (Admin, Staff, Students), clients (e.g., apisix), roles, and various authentication/authorization settings.
  • Database Initialization: An init-keycloak.sql script is now mounted to the PostgreSQL container, ensuring that the necessary keycloak database is automatically created and configured when the db service starts.
  • TLS Configuration for Keycloak: Default TLS certificates (tls.crt, tls.key) are provided for Keycloak's HTTPS communication, along with a README.md explaining how to manage and regenerate these certificates for custom domains.
  • Environment Variable Updates: The .env.example file has been updated to include new environment variables for configuring the Keycloak service, such as hostname, admin credentials, and ports, allowing for easy customization.
  • Pre-commit Hook Adjustment: The .pre-commit-config.yaml has been modified to exclude Keycloak configuration files from Prettier formatting, preventing unintended changes to large JSON files.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a Keycloak service for local development, including a pre-configured realm. The main concerns are around security practices: several secrets and private keys are hardcoded in the realm configuration and committed to the repository, default credentials for Keycloak are weak, and the Keycloak Docker image uses the :latest tag, which can lead to non-reproducible builds.

- redis

keycloak:
image: quay.io/keycloak/keycloak:latest
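Review bot: `image: quay.io/keycloak/keycloak:latest` is a mutable reference, so the committed realm import (exported from keycloakVersion 25.0.5 according to the realm JSON) will sooner or later be loaded by a Keycloak release it was not written for, and two developers running `docker-compose up --build` on different days get different servers. Pin at least the version tag, and for a reproducible local stack pin the digest as well, e.g. `image: quay.io/keycloak/keycloak:25.0.5@sha256:<digest>` with the digest copied from the registry (placeholder here, not a real value).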


Severity: high

Using the :latest tag for the Keycloak image can lead to unexpected behavior and breakages when a new version is released. It's a best practice to pin the image to a specific version (e.g., quay.io/keycloak/keycloak:25.0.5) to ensure reproducible builds. The keycloakVersion in the realm JSON is 25.0.5, so that would be a good version to pin to.

    image: quay.io/keycloak/keycloak:25.0.5
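Both the GitGuardian findings above and this review point at plaintext secrets committed in config/keycloak/realms/ol-local-realm.json. As an added example (not part of the PR, Keycloak or GitGuardian), here is a pre-commit style check that walks a realm export and reports every secret-bearing field that is not masked the way Keycloak's own `kc.sh export` masks it, plus a redaction pass that produces a committable copy. The list of secret-bearing field names and the sample realm are assumptions/constructed.

```python
import json
import re

MASK = "**********"  # what Keycloak's own `kc.sh export` writes in place of secrets
# Field names that hold plaintext secrets in realm exports (assumed list, covers the common ones:
# client `secret`/`clientSecret`, SMTP `password`, SAML `saml.signing.private.key`, ...).
SECRET_KEY_RE = re.compile(r"(secret|password|private\.key|privatekey)$", re.IGNORECASE)


def is_secret_field(key: str, value, parent: dict) -> bool:
    """A non-empty string is a secret if its key matches, or it is the `value` of a password credential."""
    if not isinstance(value, str) or not value:
        return False
    return bool(SECRET_KEY_RE.search(key)) or (key == "value" and parent.get("type") == "password")


def find_secrets(node, path="$"):
    """Walk the parsed realm JSON; return (json_path, value) for every unmasked secret field."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if is_secret_field(key, value, node):
                if value != MASK:
                    hits.append((child, value))
            else:
                hits.extend(find_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secrets(item, f"{path}[{i}]"))
    return hits


def redact(node):
    """Return a new structure with every secret field replaced by MASK; the input is left untouched."""
    if isinstance(node, dict):
        return {k: (MASK if is_secret_field(k, v, node) else redact(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


# Constructed sample shaped like a Keycloak realm export; every secret value here is made up.
SAMPLE_REALM = json.loads("""{
  "realm": "ol-local", "passwordPolicy": "length(8)",
  "smtpServer": {"host": "mail.example.com", "password": "smtp-pass-EXAMPLE"},
  "clients": [{"clientId": "apisix", "publicClient": false, "secret": "**********"},
              {"clientId": "saml-app", "attributes": {"saml.signing.private.key": "MIIEv-EXAMPLE"}}],
  "users": [{"username": "prof", "credentials": [{"type": "password", "value": "Pa55-EXAMPLE", "temporary": true}]}]
}""")
```

Run `find_secrets(json.load(open(path)))` over the realm file in a pre-commit hook and fail on any hit; the redacted copy still imports, with the real values supplied at runtime instead of from git.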

@marslanabdulrauf marslanabdulrauf marked this pull request as ready for review July 22, 2025 17:46
@marslanabdulrauf marslanabdulrauf force-pushed the marslan/6821-keycloak branch 2 times, most recently from f3ef6c4 to 7eea535 July 30, 2025 13:41
@marslanabdulrauf marslanabdulrauf (Contributor, Author) commented

Hi @pdpinch,
Could we move forward with reviewing the Touchstone to Keycloak migration PR?
