This repository was archived by the owner on Nov 26, 2025. It is now read-only.

Configure proper Keycloak autoprovisioning mode #110

@michaelstingl

Description

Problem

When using Keycloak with the helm chart, autoprovisioning is not properly configured. The chart currently runs both Keycloak and the built-in IDM service simultaneously, which is not supported and causes undefined behavior. Users created in Keycloak may or may not be properly provisioned in OpenCloud.

Current State

The helm chart:

  • Runs both external Keycloak and built-in IDM/IDP services
  • Does not set required autoprovisioning environment variables
  • Creates a hybrid mode that can lead to errors like:
    ```
    LDAP Result Code 200 "Network Error": dial tcp [::1]:9235: connect: connection refused
    failed to add user
    Autoprovisioning user failed
    ```

Expected Behavior

When Keycloak is enabled, the helm chart should:

  1. Automatically disable built-in IDM/IDP services
  2. Enable and configure autoprovisioning
  3. Set proper user claim mappings
  4. Configure LDAP for write access

Reference: opencloud-compose Pattern

The opencloud-compose repository correctly configures autoprovisioning in idm/external-idp.yml:

```yaml
# Disable built-in identity services
OC_EXCLUDE_RUN_SERVICES: idp,idm

# Enable autoprovisioning
PROXY_AUTOPROVISION_ACCOUNTS: "true"
OC_LDAP_SERVER_WRITE_ENABLED: "true"

# Configure user claims
PROXY_USER_OIDC_CLAIM: "sub"
PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
PROXY_USER_CS3_CLAIM: "username"

# Additional configuration
OC_ADMIN_USER_ID: ""
GRAPH_LDAP_SERVER_UUID: "false"
OC_LDAP_USER_SCHEMA_ID: "opencloudUUID"
FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf"
```

Proposed Solution

Add a new configuration section to properly handle Keycloak autoprovisioning:

```yaml
keycloak:
  autoprovisioning:
    # Enable autoprovisioning mode (disables built-in IDM/IDP)
    enabled: true
    # User identification claim
    userClaim: "sub"
    # Username claim for provisioning
    usernameClaim: "sub"
    # Make user attributes read-only in UI
    readonlyAttributes: true
```

When keycloak.autoprovisioning.enabled is true, automatically:

  1. Add idp,idm to excludeServices
  2. Set all required autoprovisioning environment variables
  3. Clear OC_ADMIN_USER_ID to prevent conflicts
  4. Configure LDAP write access
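As an added example (not code from this issue or from the helm chart), a small Python model of the proposed mapping: it derives the environment listed above from a `keycloak.autoprovisioning` values block, appends `idp,idm` to the chart's exclude list, and checks a rendered environment for the hybrid state behind the "Autoprovisioning user failed" error. The function names, the `exclude_services` argument and the sample values are assumptions.

```python
# Added example: model of the proposed values -> environment mapping and a
# check for the unsupported hybrid mode (Keycloak plus built-in IDM/IDP).

# Environment the issue takes from opencloud-compose idm/external-idp.yml
AUTOPROVISION_ENV = {
    "PROXY_AUTOPROVISION_ACCOUNTS": "true",
    "OC_LDAP_SERVER_WRITE_ENABLED": "true",
    "PROXY_USER_CS3_CLAIM": "username",
    "OC_ADMIN_USER_ID": "",            # cleared to prevent conflicts
    "GRAPH_LDAP_SERVER_UUID": "false",
    "OC_LDAP_USER_SCHEMA_ID": "opencloudUUID",
}
READONLY_ATTRS = ("user.onPremisesSamAccountName,user.displayName,user.mail,"
                  "user.passwordProfile,user.memberOf")
BUILTIN_IDENTITY_SERVICES = {"idp", "idm"}


def render(values, exclude_services=()):
    """Return (env, excludeServices) for a values dict shaped like the proposal.
    `exclude_services` stands in for the chart's existing exclude list (assumed)."""
    ap = values.get("keycloak", {}).get("autoprovisioning", {})
    excluded = list(exclude_services)
    if not ap.get("enabled"):
        return {}, excluded                # nothing changes when disabled
    env = dict(AUTOPROVISION_ENV)
    env["PROXY_USER_OIDC_CLAIM"] = ap.get("userClaim", "sub")
    env["PROXY_AUTOPROVISION_CLAIM_USERNAME"] = ap.get("usernameClaim", "sub")
    if ap.get("readonlyAttributes", True):
        env["FRONTEND_READONLY_USER_ATTRIBUTES"] = READONLY_ATTRS
    # Step 1 of the proposal: add idp,idm to excludeServices (no duplicates)
    excluded += sorted(BUILTIN_IDENTITY_SERVICES - set(excluded))
    env["OC_EXCLUDE_RUN_SERVICES"] = ",".join(excluded)
    return env, excluded


def find_hybrid_mode(env):
    """List the misconfigurations that leave Keycloak users in an undefined
    provisioning state; an empty list means the rendered env is consistent."""
    excluded = set(filter(None, env.get("OC_EXCLUDE_RUN_SERVICES", "").split(",")))
    problems = []
    still_running = sorted(BUILTIN_IDENTITY_SERVICES - excluded)
    if still_running:
        problems.append("built-in services still run: " + ",".join(still_running))
    if env.get("PROXY_AUTOPROVISION_ACCOUNTS") != "true":
        problems.append("PROXY_AUTOPROVISION_ACCOUNTS is not 'true'")
    if env.get("OC_LDAP_SERVER_WRITE_ENABLED") != "true":
        problems.append("OC_LDAP_SERVER_WRITE_ENABLED is not 'true'")
    if env.get("OC_ADMIN_USER_ID"):
        problems.append("OC_ADMIN_USER_ID is still set")
    return problems
```

Running `find_hybrid_mode` over the environment of a deployed proxy pod is a quick way to confirm step 4 of the testing section (built-in IDM/IDP not running) before creating test users.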

Benefits

  • Proper separation between Keycloak and built-in identity services
  • Predictable autoprovisioning behavior
  • Prevents common deployment errors
  • Follows established patterns from opencloud-compose
  • Simplifies configuration for users

Related Issues

Testing

The configuration can be tested by:

  1. Creating a new user in Keycloak
  2. Logging in with that user
  3. Verifying the user is automatically created in OpenCloud
  4. Checking that built-in IDM/IDP services are not running
