ProficientNowTechRFCs
Platform RFCs/RFC-IAM-0001: Federated Identity and Access Management Architecture

10. Evolution

RFC-IAM-0001                                                 Section 10
Category: Standards Track                                  Evolution

10. Evolution

← Previous: Rationale | Index | Next: Appendix A →

10.1 Anticipated Extensions

10.1.1 Additional Application Integrations

The architecture anticipates integration of additional platform tools:

Application CategoryPotential AdditionsIntegration Considerations
Source ControlGitLab, GiteaOIDC for user auth; robot accounts for CI
CI/CDJenkins, TektonOIDC for UI; service accounts for pipelines
MonitoringGrafana, PrometheusOIDC for dashboards; API tokens for agents
DocumentationWiki systemsOIDC for access control
CommunicationMattermost, Slack alternativesOIDC for user provisioning

Each integration follows the established pattern:

  1. Register Keycloak OIDC client
  2. Map Keycloak roles to application permissions
  3. Store secrets in Vault
  4. Distribute secrets through ESO
  5. Template Crossplane resources if applicable

10.1.2 Fine-Grained Authorization

Future evolution may require more granular authorization:

Attribute-Based Access Control (ABAC):

  • Extend beyond role-based decisions
  • Incorporate resource attributes (owner, sensitivity level)
  • Policy engines (Open Policy Agent) for complex decisions
  • Maintain Azure AD ceiling constraint

Resource-Level Permissions:

  • Per-project access within applications
  • Dynamic permission grants based on resource ownership
  • Temporary elevated access with automatic revocation

10.1.3 Dynamic Secret Generation

Vault supports dynamic secrets that could extend the architecture:

Database Credentials:

  • Short-lived credentials generated on demand
  • Automatic rotation without coordination
  • Reduced exposure window

Cloud Provider Credentials:

  • Assume role patterns for cloud access
  • Just-in-time credential generation
  • Scoped to specific operations

10.1.4 Service Mesh Integration

Service mesh (Istio, Linkerd) integration would extend identity to service-to-service communication:

mTLS for Services:

  • Automatic certificate provisioning
  • Identity-based service authorization
  • Workload identity bound to Keycloak service accounts

Authorization Policies:

  • Service-level access control
  • Integration with Keycloak tokens for service identity
  • Consistent authorization model across user and service access

10.2 Scalability Considerations

10.2.1 Identity Scale

As the platform grows, identity components must scale:

Keycloak Scaling:

  • Horizontal scaling through Keycloak clustering
  • Session storage externalization (Infinispan, Redis)
  • Database connection pooling
  • Load balancing across Keycloak instances

Token Validation Scaling:

  • JWKS caching at application level
  • Reduced Keycloak dependency for token validation
  • Offline token validation capability

10.2.2 Secret Management Scale

Vault scaling considerations:

Request Volume:

  • Vault performance replication for read scaling
  • Regional Vault deployments for latency reduction
  • ESO refresh interval tuning to balance freshness and load

Secret Count:

  • Path organization for efficient policy evaluation
  • Namespace isolation for policy simplification
  • Secret metadata indexing for audit queries

10.2.3 GitOps Scale

As configuration grows, GitOps must adapt:

Repository Organization:

  • Monorepo vs. multi-repo based on team structure
  • Application-scoped directories for ownership clarity
  • Shared configuration extraction for consistency

Reconciliation Performance:

  • Application-of-applications pattern for hierarchical sync
  • Selective sync for large repositories
  • Sync wave configuration for dependency ordering

10.2.4 Resource Management Scale

Crossplane scaling for resource management:

Provider Capacity:

  • Rate limiting awareness for target system APIs
  • Provider horizontal scaling
  • Backoff strategies for API limits

Resource Count:

  • Composition strategies for resource bundling
  • Provider-specific batching where supported
  • Status caching for reduced API calls

10.3 Migration Pathways

10.3.1 Incremental Application Migration

Existing applications can migrate to the architecture incrementally:

Phase 1: Authentication Migration

  • Add Keycloak OIDC alongside existing auth
  • Users can authenticate through either method
  • Validate Keycloak integration without disruption

Phase 2: Authorization Migration

  • Map existing permissions to Keycloak roles
  • Configure application to use Keycloak claims
  • Verify authorization decisions match expectations

Phase 3: Secret Migration

  • Move secrets to Vault
  • Configure ExternalSecrets
  • Remove direct secret storage

Phase 4: Resource Migration

  • Define Crossplane resources for existing entities
  • Import existing resources under management
  • Verify reconciliation works correctly

10.3.2 Legacy System Coexistence

Some systems may not migrate:

OIDC Proxy Pattern:

  • Deploy OAuth2 Proxy in front of legacy application
  • Proxy handles Keycloak authentication
  • Legacy application receives authenticated requests

Service Account Pattern:

  • Legacy system uses service account credentials
  • Credentials stored in Vault, rotated periodically
  • Limited integration but consistent secret management

10.3.3 Multi-Cluster Evolution

The architecture may extend to multiple clusters:

Federated Keycloak:

  • Keycloak realm replication across clusters
  • Consistent authentication regardless of cluster
  • Regional Keycloak deployments for latency

Distributed Vault:

  • Vault replication for secret availability
  • Consistent secret access across clusters
  • Namespace-based isolation within shared Vault

Cross-Cluster GitOps:

  • Cluster-specific value overlays
  • Shared base configuration
  • ApplicationSets for cluster-aware deployment

10.4 Deprecation Considerations

10.4.1 Component Deprecation

When components require replacement:

Identity Provider Migration:

  • New provider federation alongside existing
  • Gradual client migration
  • Token format compatibility during transition
  • Session migration strategies

Secret Store Migration:

  • Dual-write during transition
  • ESO reconfiguration to new store
  • Verification of secret availability
  • Cleanup of old store

10.4.2 Protocol Evolution

As protocols evolve:

OIDC Evolution:

  • Monitor for breaking changes in specifications
  • Plan for library updates
  • Test protocol compliance in staging

API Changes:

  • Crossplane provider API versioning
  • Managed resource migration between API versions
  • Backward compatibility considerations

10.4.3 Organizational Change

The architecture accommodates organizational evolution:

Team Restructuring:

  • Group membership changes in Azure AD propagate automatically
  • New teams receive standard resource templates
  • Deprecated teams have access revoked through group removal

Application Lifecycle:

  • Decommissioned applications have resources cleaned up
  • Secrets revoked when applications removed
  • Audit trail preserved for compliance

Document Navigation

PreviousIndexNext
← 9. RationaleTable of ContentsAppendix A: Glossary →

End of Section 10

Next

9. Rationale

Next

Appendix A: Glossary

On this page