[PROJECT ONBOARDING] Keycloak

[amye]

Welcome to CNCF Project Onboarding! This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project. We would like to complete onboarding within one month of acceptance.

From the project side, please ensure that you:

• [x] Understand the project proposal process and reqs: https://github.com/cncf/toc/blob/main/process/project_proposals.md#introduction
• [x] Understand the services available for your project at CNCF https://www.cncf.io/services-for-projects/
• [x] Ensure your project meets the CNCF IP Policy: https://github.com/cncf/foundation/blob/master/charter.md#11-ip-policy
• [x] Review the online programs guidelines: https://github.com/cncf/foundation/blob/master/online-programs-guidelines.md
• [x] Understand the trademark guidelines: https://www.linuxfoundation.org/en/trademark-usage/
• [x] Understand the license allowlist: https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md#approved-licenses-for-allowlist
• [x] Is your project working on written, open governance? see https://contribute.cncf.io/maintainers/governance/
• [x] Slack: Are your slack channels migrated to the Kubernetes or CNCF Slack? (see https://slack.com/help/articles/217872578-Import-data-from-one-Slack-workspace-to-another for more details)
• [x] Is your project in its own separate neutral github organization?
• [x] Submitted a Pull request to add your project as a incubating project to https://landscape.cncf.io
• [x] Create maintainer list + add to aggregated https://maintainers.cncf.io list by submitting a PR to it
• [x] Artwork: Submit a pull request to https://github.com/cncf/artwork with your artwork
• [ ] Domain: transfer domain to the CNCF - https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/create/63

Things that CNCF will need from the project:

• [x] Provide emails for the maintainers added to https://maintainers.cncf.io in order to get access to the maintainers mailing list and ServiceDesk - project-onboarding@cncf.io is the best email to send those to
• [x] Trademarks: transfer any trademark and logo mark assets over to the LF - https://github.com/cncf/foundation/tree/master/agreements has agreements
• [ ] GitHub: ensure 'thelinuxfoundation' and 'caniszczyk' are added as initial org owners, this helps us make sure we have continuity of GH ownership that we will onboard to our GitHub Enterprise instance: https://github.com/enterprises/cncf
• [x] GitHub: ensure DCO or CLA are enabled for all GitHub repositories of the project
• [x] GitHub: ensure that that the CNCF Code of Conduct (or your adopted version of it) are explicitly referenced at the project's README on GitHub
• [x] Website: ensure LF footer is there and website guidelines followed (if your project doesn't have a dedicated website, please adopt those guidelines to the README file of your project on GitHub).
• [x] Website: Analytics transferred to projects@cncf.io
• [x] OpenSSF Best Practices Badge: Start on an OpenSSF Best Practices Badge https://bestpractices.coreinfrastructure.org/en

Things that the CNCF will do or help the project to do:

• [x] Devstats: add to devstats https://devstats.cncf.io/
• [ ] Insights: add to LFX Insights https://insights.v3.lfx.linuxfoundation.org/
• [x] Marketing: update relevant intro + slide decks
• [x] Events: update CFP + Registration + CFP Area forms
• [x] ServiceDesk: confirm maintainers have read https://www.cncf.io/services-for-projects/
• [x] CNCF Welcome Email Sent to confirm maintainer list access
• [x] Book time with the team with http://project-meetings.cncf.io
• [x] Create space for meetings/events on https://community.cncf.io, e.g., https://community.cncf.io/pravega-community/ - (https://github.com/cncf/communitygroups/blob/main/README.md#cncf-projects)
• [x] Adopt a license scanning tool, like FOSSA or Snyk
• [x] Help add the project to the CNCF store

[lukaszgryglicki]

I just noticed this, so I will add this to DevStats after the KubeCon.

[lukaszgryglicki]

On it.

[lukaszgryglicki]

DevStats page added. Now adding Keycloak to All CNCF DevStats instance.

[lukaszgryglicki]

Also added to All CNCF, examples:

• Activity vs. Kubernetes.
• Keycloak project health.
• All projects health.

Affiliations task will be finished later.

[lukaszgryglicki]

Some affiliations imported, and more affiliations will be continuously enhanced & updated in the future (as with all other CNCF projects).

• https://keycloak.devstats.cncf.io/d/4/company-statistics-by-repository-group?orgId=1.
• https://keycloak.devstats.cncf.io/d/74/contributions-chart?orgId=1.
• https://keycloak.devstats.cncf.io/d/5/companies-table?orgId=1.
• https://keycloak.devstats.cncf.io/d/56/company-commits-table?orgId=1.
• https://keycloak.devstats.cncf.io/d/55/company-prs-in-repository-groups-table?orgId=1.
• https://keycloak.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1.
• https://keycloak.devstats.cncf.io/d/21/prs-authors-companies-table?orgId=1. And so on...

I'm considering DevStats part done.

[stianst]

We've migrated chat to CNCF Slack (current channels are #keycloak #keycloak-dev and #keycloak-maintainers)

[stianst]

Provided emails for the maintainers to https://maintainers.cncf.io/ (https://github.com/cncf/foundation/pull/559)

[amye]

@stianst Checking in on this one:

• Submitted a Pull request to add your project as a sandbox project to https://landscape.cncf.io/

This both puts your project on the landscape and the CNCF projects page, so it's pretty important!

Also - artwork?

[stianst]

@amye Keycloak is already listed on https://landscape.cncf.io/ (Keycloak was accepted as an Incubating project, not Sandbox). PR was sent here https://github.com/cncf/landscape/pull/3143

[stianst]

@amye for artwork we have our logos in SVG and PNG formats here https://github.com/cncf/artwork, but not in the sizes/formats/layouts expected by https://github.com/cncf/artwork. There's also some bugs in some of the SVGs that causes them not to render properly. We could probably do with a little help from someone in the CNCF to clean these up.

[abstractj]

@amye Keycloak does have an open governance written here https://github.com/keycloak/keycloak/blob/main/GOVERNANCE.md, I believe we can check this item as completed.

[abstractj]

@amye Keycloak does have its separate neutral GitHub organization https://github.com/keycloak. Could you please check this item as completed. I don't have the rights to do it.

[abstractj]

@amye we do understand the services available for your project at CNCF. Could you please check this item as completed?

[abstractj]

@amye we do understand the project proposal process. Could you please check this item as completed?

[abstractj]

@amye online programs were already reviewed. I believe we can check this item as completed.

[stianst]

For signed commits will the Require signed commits option provided by GitHub fill the needs for ensure DCO or CLA are enabled for all GitHub repositories of the project

[krook]

For signed commits will the Require signed commits option provided by GitHub fill the needs for ensure DCO or CLA are enabled for all GitHub repositories of the project

No, as that option only verifies the authenticity of the commits. The DCO ensures that what is actually committed is clean for IP purposes.

[stianst]

We're actively trying to get through this list at the moment, so far we've made some progress. The following tasks are completed from our perspective:

• Understand the project proposal process and reqs
• Understand the services available for your project at CNCF
• Website: ensure LF footer is there and website guidelines followed
• ServiceDesk: confirm maintainers have read https://www.cncf.io/services-for-projects/
• CNCF Welcome Email Sent to confirm maintainer list access

We've also sent a PR for artwork here https://github.com/cncf/artwork/pull/439

[stianst]

For signed commits will the Require signed commits option provided by GitHub fill the needs for ensure DCO or CLA are enabled for all GitHub repositories of the project

No, as that option only verifies the authenticity of the commits. The DCO ensures that what is actually committed is clean for IP purposes.

Got it thanks, we'll look at DCO or CLA then. Any suggestions which is the best?

[jberkus]

DCOs require substantially less administration. They're basically automatic. CLAs are not.

[stianst]

Thanks, having read about this some more I'd say DCOs seem the way to go. One final question here though is previous contributions/commits. Is it acceptable to say DCO are required for new contributions, but not past contributions?

Same problem would apply only differently for CLAs. We would have a hard time to get a CLA with every developer that has contributed to Keycloak in the past.

[jberkus]

Yeah, that's normal for projects joining the CNCF. You just start taking DCOs for new contributions.

[Cmierly]

Hi @stianst ! My name is Crystal Mierly and I will be taking over assisting new sandbox projects with the onboarding process! I have gone ahead and updated the list based on your completed tasks so you are a bit closer to completing onboarding.

Did you successfully adopt DCOs for new contributions? Please let me know if you have any further questions or concerns!

[stianst]

Hi @Cmierly

We're an incubating project, not a sandbox project, and we've been trying to wrap-up the on-boarding this year, but took longer than we hoped. We are hoping that we can wrap this stuff up early 2024.

We have adopted DCOs and enabled the app for all repositories under our GitHub organization. We've also transferred website analytics to projects@cncf.io.

[Cmierly]

Apologies for the mistake! I've updated the list again, thank you so much for the update

[abstractj]

@amye when you get the chance, could you please add a checkmark to the "Code of Conduct" checkbox? It was completed with https://github.com/keycloak/keycloak?tab=coc-ov-file and https://github.com/keycloak/keycloak/blob/main/README.md.

[krook]

@abstractj it looks like that item is now checked off.

[abstractj]

Thank you @krook, we will continue the work on the remaining items.

[idvoretskyi]

@abstractj a quick check here. There are a few remaining items, any assistance is required with them?

[abstractj]

@abstractj a quick check here. There are a few remaining items, any assistance is required with them?

@idvoretskyi thank you for offering your help. Our team is currently reassessing all the licenses involved in the project. Based on this reassessment, we are making adjustments wherever possible. Once we have completed this process, we will be in a better position to request any required license exceptions.

We appreciate your support and will reach out if necessary.

[idvoretskyi]

@abstractj no problem, thanks!

[RobertKielty]

Keycloak are setup on the CNCF Group on Snyk so marking

Adopt a license scanning tool, like FOSSA or Snyk

as complete.

[stianst]

Keycloak are setup on the CNCF Group on Snyk so marking

Adopt a license scanning tool, like FOSSA or Snyk

as complete.

Thanks for setting this up. How can we access this ourselves? We have reviewed Snyk ourselves, and found quite a few issues with it, so are currently looking at alternatives. I would not consider adopt a license scanning tool as completed from our end at least.

@abstractj FIY

[idvoretskyi]

@RobertKielty may assist here

[RobertKielty]

@stianst Thank you for setting up the scan and generating the report!

Here is the license policy that the project needs to comply with:

https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md

And this is the report that was generated by Snyk

https://app.snyk.io/org/keycloak-ZRks6RWforY2vApE6rMePA/reports/licenses

If you have questions about the policy and need to get advice on how best to handle non-conformance log a Service Desk highlighting the specific dependancies and their licenses. Download a CSV version of the report. When you filter for the licenses that ranked medium and high there are 4 medium issues and 1 high priority issue.

The CNCF Project Team will triage the request and advise on how best to proceed.

[jberkus]

@Cmierly the trademark and IP transfer should have been complete months ago. Can you verify?

[Cmierly]

@jberkus Yup! It is signed and complete!

[abstractj]

@Cmierly @jberkus @jeefy considering that we have already submitted a license exception request, completed the trademarks and IP transfer, and established Keycloak as a separate organization, can we mark the following items as complete?

• Ensure your project meets the CNCF IP Policy
• Understand the trademark guidelines
• Understand the license allowlist
• Is your project in its own separate neutral github organization?

cc @stianst

[krook]

Update from meeting between @krook, @jeefy, and @stianst

• We'll fork the Keycloak repo and move that into GHE to test whether the GitHub Action runners behave as expected
• Once that's confirmed, we'll move the org to GHE, add thelinuxfoundation as an owner, and board Insights
• For the domain, we can move it to LF IT who in turn delegate management for greater control of records in Netlify
• License exception requests will be managed outside of this onboarding checklist, so completing this is separate of that
• There is a separate Service Desk ticket open about use of the Keycloak name in domains owned by third parties

[ahus1]

@amye - please check off "OpenSSF Best Practices Badge" as it has been implemented, see the screenshot below taken from Keycloak's main repository: https://github.com/keycloak/keycloak

[abstractj]

@mrbobbytables why this was moved under sandbox, if the project is under incubation? cc @stianst