docs(runbook): Keycloak realm rename 0mpc -> 0mcp #21
Merged
After the 0mpc.com -> 0mcp.com domain migration, keycloak_realm_name now derives '0mcp' but the live realm is still '0mpc'. A naive converge-keycloak would create an empty '0mcp' realm and orphan the populated '0mpc' one (community.general.keycloak_realm creates by id; realm id is immutable). Document the safe in-place PUT rename (Option A, preserves users/clients) vs fresh-import (Option B), with backup, maintenance-window, reconcile-converge, verify, and rollback steps. Execution is deferred to a maintenance window. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Adds a runbook for reconciling note #2: the live Keycloak realm is still 0mpc while config now derives 0mcp from the migrated domain.

Verified live before writing: https://sso.0mcp.com/realms/0mpc/... → 200, /realms/0mcp/... → 404. Verified the create-vs-rename hazard by reading roles/keycloak_runtime/tasks/main.yml (uses community.general.keycloak_realm with id: {{ keycloak_realm_name }}, which would create an empty 0mcp realm and orphan 0mpc).

The runbook documents the safe in-place PUT rename (Option A, preserves users/clients) vs fresh-import (Option B), with backup, maintenance window, reconcile-converge, verify, and rollback.
Why docs-only (not executed)
The rename is a platform-wide SSO outage touching authentication and requires live admin credentials. It is deferred to an operator-run maintenance window rather than executed autonomously.
Test plan
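The create-vs-rename hazard described in the summary can be checked before any converge runs. The following is an added example, not part of this pull request or its runbook: it classifies the realm state from a realm listing and refuses the converge unless the new-name realm is the only one present with a matching id. It assumes the listing has the shape of Keycloak's `GET /admin/realms` response (an `id` and a `realm` name per entry) and that the live realm's id equals its original name; `classify_realm_state` and the sample lists are hypothetical.

```python
# Added example: preflight guard for a realm rename, run before any converge
# that is keyed on the new realm name. Not code from the repository.
# Assumption: each entry in `realms` has an immutable "id" and a renameable
# "realm" name, as in the response of GET /admin/realms.

def classify_realm_state(realms, old_name, new_name):
    """Return (state, safe_to_converge) for a rename old_name -> new_name."""
    by_name = {r["realm"]: r for r in realms}
    old, new = by_name.get(old_name), by_name.get(new_name)

    if old and new:
        # Both names exist: a new-name realm was created beside the
        # populated one, which is the orphaning outcome to avoid.
        return "split", False
    if old:
        # Only the old name is live: a create-by-id converge would add an
        # empty realm under the new name instead of renaming this one.
        return "rename-pending", False
    if new:
        if new["id"] == old_name:
            # Renamed in place: the name changed but the id did not, so a
            # converge that sets id to the new name will not match it yet.
            return "renamed-id-mismatch", False
        return "converged", True
    return "no-realm", False


# Constructed sample listings (not captured from the live server).
MASTER = {"id": "master", "realm": "master"}
BEFORE = [MASTER, {"id": "0mpc", "realm": "0mpc"}]        # today's state
NAIVE = BEFORE + [{"id": "0mcp", "realm": "0mcp"}]        # after a naive converge
AFTER_PUT = [MASTER, {"id": "0mpc", "realm": "0mcp"}]     # after an in-place rename
FRESH = [MASTER, {"id": "0mcp", "realm": "0mcp"}]         # after a fresh import

if __name__ == "__main__":
    samples = [("before", BEFORE), ("naive", NAIVE),
               ("after-put", AFTER_PUT), ("fresh", FRESH)]
    for label, realms in samples:
        state, ok = classify_realm_state(realms, "0mpc", "0mcp")
        print(f"{label:10s} {state:20s} converge={'allow' if ok else 'block'}")
```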