README
¶
[!WARNING] This Repository is under development and not ready for productive use. It is in an alpha stage. That means APIs and concepts may change on short notice including breaking changes or complete removal of apis.
Platform Mesh - iam-service
Local dev
To run the application locally, create .env config file from .env.sample and run:
go run ./main.go serve
Important: The service now requires Keycloak client credentials for authentication. Ensure you configure:
KEYCLOAK_CLIENT_ID: Your Keycloak client ID (default:iam)KEYCLOAK_CLIENT_SECRET: Your Keycloak client secret (required, no default)
Description
The Platform Mesh IAM service is a Go-based microservice that provides a GraphQL API for user management and authorization. The service uses:
- OpenFGA for fine-grained authorization backend
- KCP for multi-cluster resource management
- Keycloak for identity management
Features
- GraphQL API for user and role management
- Multi-tenant authorization through OpenFGA
- Multi-cluster resource coordination via KCP
- Keycloak integration for identity provider support
- Robust JWT token validation and tenant context management
Architecture
This service has been refactored to eliminate traditional database dependencies, instead using:
- OpenFGA as the authorization data backend
- KCP for Kubernetes resource management
- Keycloak for user identity management
Quick Start
Prerequisites
- Go 1.25.1+
- Platform Mesh installation (OpenFGA and KCP)
- Task runner (optional)
Development Setup
- Copy
.env.sampleto.envand configure services - Configure Keycloak client credentials:
- Set
KEYCLOAK_CLIENT_SECRETwith your Keycloak client secret - Ensure your Keycloak client supports client credentials grant type
- Default client ID is
iam(configurable viaKEYCLOAK_CLIENT_ID)
- Set
- Start your local platform-mesh using the local-setup, see
local-setupin https://github.com/platform-mesh/helm-charts - Start a port-forward to make openfga available on your local host, e.g.
kubectl port-forward -n platform-mesh-system svc/openfga 3000 8080 8081:8081 - Prepare a kubeconfig for the iam-service to connect to kcp and set the
KCP_KUBECONFIGenvironment - Run the service:
go run ./main.go serve
Testing
Run tests with coverage reporting:
task cover
For detailed development information, architecture details, and contribution guidelines, see CONTRIBUTING.md.
Releasing
The release is performed automatically through a GitHub Actions Workflow. All the released versions will be available through access to GitHub (as any other Golang Module).
Requirements
The iam-service requires a installation of go. Checkout the go.mod for the required go version and dependencies.
Contributing
Please refer to the CONTRIBUTING.md file in this repository for instructions on how to contribute to Platform Mesh.
Code of Conduct
Please refer to the CODE_OF_CONDUCT.md file in this repository information on the expected Code of Conduct for contributing to Platform Mesh.
Licensing
Copyright 2024 SAP SE or an SAP affiliate company and Platform Mesh contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
pkg
|
|
|
fga/store
Package store provides functionality for managing OpenFGA store and authorization model operations with caching capabilities.
|
Package store provides functionality for managing OpenFGA store and authorization model operations with caching capabilities. |
|
keycloak/client
Package keycloak provides primitives to interact with the openapi HTTP API.
|
Package keycloak provides primitives to interact with the openapi HTTP API. |