Contract spec for the unified-rbac → Keycloak → NewAPI → K8s Secret hook
that materialises an SME admin's user-create action across the three
systems atomically (with idempotent reconciliation).
- Step 1: POST SME-vcluster Keycloak admin API → user in realm
- Step 2: POST NewAPI admin API in-cluster → per-user api_key
- Step 3: server-side-apply newapi-key-<uuid> Secret in tenant ns
State machine (pending → kc_created → newapi_created → secret_applied →
done, or → failed after 5 transient retries) persisted in unified-rbac's
Postgres. Reconciliation is event-driven via a self-published NATS
heartbeat subject, never a CronJob (per Inviolable Principle 1 and
ADR-0001 §6). Rollback is the inverse order, idempotent.
Locked decisions [A] [B] [Q-mine-3] [Q-mine-4] from #795 are honored;
not relitigated. Downstream tickets #798, #799, #802, #803 bind to this
contract.
Refs: #796 (this issue), #795 (parent epic), ADR-0001, ADR-0002
Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
f716fddf20