feat(keycloak): modular client import via post-start pipeline

[michaelstingl]

Description

Extract OpenCloud clients from the monolithic realm JSON into individual files in config/keycloak/clients/. A numbered post-start pipeline imports them via kcadm.sh partialImport after Keycloak starts.

Adding a new OIDC client = drop a .json + .scopes file in clients/. No realm JSON editing required.

Post-start pipeline:

Step	Script	What it does
0	00-wait-for-keycloak.sh	Wait for Keycloak, authenticate kcadm.sh
1	10-import-clients.sh	partialImport each clients/*.json (SKIP existing)
2	11-assign-client-scopes.sh	Assign scopes from *.scopes sidecars

Step 2 is a workaround for keycloak#16289 (partialImport ignores defaultClientScopes). Can be removed when Keycloak fixes the issue.

Related Issue

• Ref coworking-nuernberg/opencloud-deploy#95

Motivation and Context

The two realm .dist.json files (LDAP + autoprovisioning) are ~85-95KB monoliths with ~90% overlap. Client definitions are duplicated between the monolith realm JSON and the unused clients/ directory. This PR activates the existing clients/*.json files and removes the duplicated client definitions from the realm JSONs.

Benefits:

• Modular: add/remove clients without editing a 3000-line JSON
• Community-friendly: custom clients (monitoring SSO, internal tooling) via Compose override mount
• Less duplication: clients maintained once in clients/, not twice in two realm JSONs
• Debuggable: each pipeline step runs standalone via docker exec

This uses a zero-dependency shell approach (kcadm.sh ships inside the Keycloak container). No extra images or services needed. For larger-scale deployments, keycloak-config-cli is the established alternative.

How Has This Been Tested?

• test environment: local throwaway Keycloak 26.5.6 containers (Docker for Mac)
• test case 1: LDAP realm — full realm comparison (clients, client-scopes, roles, groups, realm settings) between original monolith and modular approach → all identical
• test case 2: Autoprovisioning realm — same comparison → all identical
• test case 3: Cyberduck client imported as new client from clients/ directory → works
• validation script: bash config/keycloak/validate-modular-clients.sh downloads the original upstream realm JSONs from GitHub, starts two containers per variant, exports and diffs with jq

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation added (config/keycloak/README.md)

[michaelstingl]

Rebased onto upstream/main (2026-05-18)

Branch is now on current upstream opencloud-eu/opencloud-compose:main (29 commits caught up, 0 conflicts).

Notable upstream changes since the original branch point (2026-04-03):

• Keycloak 26.4 → 26.6.1
• Traefik 3.6.11 → 3.6.14
• OpenCloud rolling → 6.1.0
• TRAEFIK_PORT_HTTPS for Keycloak config (use TRAEFIK_PORT_HTTPS for keycloak config opencloud-eu/opencloud-compose#283)
• Multiple external-idp.yml updates (External idp | new variables for various clients opencloud-eu/opencloud-compose#270 etc.)
• Maps app v3 + CSP fix
• ClamAV depends_on adjustment

Re-validation post-rebase

validate-modular-clients.sh against KC 26.5.6 throwaway containers (using rebased branch + current upstream realm JSONs):

• LDAP realm: 11 clients / 14 scopes / 7 roles / 10 groups / 102 realm settings — all identical, + Cyberduck as new client
• Autoprovisioning realm: 11 clients / 13 scopes / 7 roles / 9 groups / 104 realm settings — all identical, + Cyberduck as new client

PR ready for upstream submission.