Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements

scripts/deploy-keycloak.sh

@@ -0,0 +1,214 @@
+#!/bin/bash
+set -euo pipefail
+
+# Keycloak Deployment Script
+# This script deploys and configures Keycloak for Sankofa Phoenix
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log_info() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Check prerequisites
+check_prerequisites() {
+    log_info "Checking prerequisites..."
+    
+    if ! command -v kubectl &> /dev/null; then
+        log_error "kubectl is not installed"
+        exit 1
+    fi
+    
+    if ! command -v helm &> /dev/null; then
+        log_error "helm is not installed"
+        exit 1
+    fi
+    
+    if ! kubectl cluster-info &> /dev/null; then
+        log_error "Cannot connect to Kubernetes cluster"
+        exit 1
+    fi
+    
+    log_info "Prerequisites check passed"
+}
+
+# Generate random password
+generate_password() {
+    openssl rand -base64 32 | tr -d "=+/" | cut -c1-25
+}
+
+# Deploy PostgreSQL for Keycloak
+deploy_postgres() {
+    log_info "Deploying PostgreSQL for Keycloak..."
+    
+    POSTGRES_PASSWORD="${KEYCLOAK_DB_PASSWORD:-$(generate_password)}"
+    
+    kubectl create namespace keycloak --dry-run=client -o yaml | kubectl apply -f -
+    
+    kubectl create secret generic keycloak-db-credentials \
+        --from-literal=username=keycloak \
+        --from-literal=password="$POSTGRES_PASSWORD" \
+        --namespace=keycloak \
+        --dry-run=client -o yaml | kubectl apply -f -
+    
+    log_info "PostgreSQL secret created"
+    log_warn "PostgreSQL password saved in secret: keycloak-db-credentials"
+}
+
+# Deploy Keycloak
+deploy_keycloak() {
+    log_info "Deploying Keycloak..."
+    
+    ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-$(generate_password)}"
+    
+    kubectl create secret generic keycloak-credentials \
+        --from-literal=username=admin \
+        --from-literal=password="$ADMIN_PASSWORD" \
+        --namespace=keycloak \
+        --dry-run=client -o yaml | kubectl apply -f -
+    
+    log_info "Keycloak admin credentials created"
+    log_warn "Admin password saved in secret: keycloak-credentials"
+    
+    # Apply Keycloak manifests
+    kubectl apply -f "$PROJECT_ROOT/gitops/apps/keycloak/namespace.yaml"
+    kubectl apply -f "$PROJECT_ROOT/gitops/apps/keycloak/postgres.yaml"
+    kubectl apply -f "$PROJECT_ROOT/gitops/apps/keycloak/deployment.yaml"
+    
+    log_info "Waiting for Keycloak to be ready..."
+    kubectl wait --for=condition=available --timeout=300s \
+        deployment/keycloak -n keycloak || {
+        log_error "Keycloak deployment failed"
+        kubectl logs -n keycloak deployment/keycloak --tail=50
+        exit 1
+    }
+    
+    log_info "Keycloak deployed successfully"
+}
+
+# Configure Keycloak clients
+configure_clients() {
+    log_info "Configuring Keycloak clients..."
+    
+    # Wait for Keycloak to be fully ready
+    log_info "Waiting for Keycloak API to be ready..."
+    for i in {1..30}; do
+        if kubectl exec -n keycloak deployment/keycloak -- \
+            curl -s http://localhost:8080/health/ready &>/dev/null; then
+            break
+        fi
+        sleep 2
+    done
+    
+    # Get admin credentials
+    ADMIN_USER=$(kubectl get secret keycloak-credentials -n keycloak -o jsonpath='{.data.username}' | base64 -d)
+    ADMIN_PASS=$(kubectl get secret keycloak-credentials -n keycloak -o jsonpath='{.data.password}' | base64 -d)
+    
+    # Port-forward for client configuration
+    log_info "Configuring clients via API..."
+    kubectl port-forward -n keycloak svc/keycloak 8080:8080 &
+    PF_PID=$!
+    sleep 3
+    
+    # Get admin token
+    TOKEN=$(curl -s -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
+        -H "Content-Type: application/x-www-form-urlencoded" \
+        -d "username=$ADMIN_USER" \
+        -d "password=$ADMIN_PASS" \
+        -d "grant_type=password" \
+        -d "client_id=admin-cli" | jq -r '.access_token')
+    
+    if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then
+        log_error "Failed to get admin token"
+        kill $PF_PID 2>/dev/null || true
+        exit 1
+    fi
+    
+    # Generate client secrets
+    API_SECRET="${SANKOFA_API_CLIENT_SECRET:-$(generate_password)}"
+    PORTAL_SECRET="${PORTAL_CLIENT_SECRET:-$(generate_password)}"
+    
+    # Create API client
+    log_info "Creating API client..."
+    curl -s -X POST "http://localhost:8080/admin/realms/master/clients" \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{
+            \"clientId\": \"sankofa-api\",
+            \"name\": \"Sankofa API Client\",
+            \"enabled\": true,
+            \"clientAuthenticatorType\": \"client-secret\",
+            \"secret\": \"$API_SECRET\",
+            \"standardFlowEnabled\": false,
+            \"serviceAccountsEnabled\": true,
+            \"publicClient\": false,
+            \"protocol\": \"openid-connect\"
+        }" > /dev/null
+    
+    # Create Portal client
+    log_info "Creating Portal client..."
+    curl -s -X POST "http://localhost:8080/admin/realms/master/clients" \
+        -H "Authorization: Bearer $TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{
+            \"clientId\": \"portal-client\",
+            \"name\": \"Sankofa Portal Client\",
+            \"enabled\": true,
+            \"clientAuthenticatorType\": \"client-secret\",
+            \"secret\": \"$PORTAL_SECRET\",
+            \"standardFlowEnabled\": true,
+            \"directAccessGrantsEnabled\": true,
+            \"publicClient\": false,
+            \"protocol\": \"openid-connect\",
+            \"redirectUris\": [
+                \"http://localhost:3000/*\",
+                \"https://portal.sankofa.nexus/*\"
+            ],
+            \"webOrigins\": [\"+\"]
+        }" > /dev/null
+    
+    # Save secrets
+    kubectl create secret generic keycloak-client-secrets \
+        --from-literal=api-client-secret="$API_SECRET" \
+        --from-literal=portal-client-secret="$PORTAL_SECRET" \
+        --namespace=keycloak \
+        --dry-run=client -o yaml | kubectl apply -f -
+    
+    kill $PF_PID 2>/dev/null || true
+    
+    log_info "Keycloak clients configured successfully"
+    log_warn "Client secrets saved in secret: keycloak-client-secrets"
+}
+
+# Main deployment
+main() {
+    log_info "Starting Keycloak deployment..."
+    
+    check_prerequisites
+    deploy_postgres
+    deploy_keycloak
+    configure_clients
+    
+    log_info "Keycloak deployment completed!"
+    log_info "Access Keycloak at: https://keycloak.sankofa.nexus"
+    log_warn "Admin credentials are in secret: keycloak-credentials"
+    log_warn "Client secrets are in secret: keycloak-client-secrets"
+}
+
+# Run main function
+main "$@"