2.0 beta fixes

docs/building-blocks/iam.md

@@ -121,11 +121,15 @@ Replace `your.registry`, `eoepca/keycloak-with-opa-plugin`, and `your-tag` with
 
 ---
 
-### 5. Keycloak Post-Deployment Configuration
+### 5. Create `eoepca` Keycloak realm
 
-After deploying Keycloak, you need to perform some post-deployment configurations.
+Keycloak establishes an initial `master` realm which should be reserved for global adminsitration only. It is best practice to create a dedicated realm for platform identity and protection of BB resources.
 
-#### a. Obtain an Access Token for Administration
+Thus, we create a dedicated `eoepca` realm.
+
+**Obtain an Access Token for Administration**
+
+Retrieve an access token using the admin credentials.
 
 ```bash
 source ~/.eoepca/state
@@ -142,9 +146,9 @@ ACCESS_TOKEN=$( \
 )
 ```
 
-This retrieves an access token using the admin credentials.
+**Create the `eoepca` Realm**
 
-#### b. Create the `eoepca` Realm
+Creates a new realm named `eoepca`.
 
 ```bash
 curl --silent --show-error \
@@ -160,9 +164,11 @@ curl --silent --show-error \
 EOF
 ```
 
-This creates a new realm named `eoepca`.
+---
+
+### 6. Create `eoepca` user for testing
 
-#### c. (Optional) Create a Dedicated `eoepca` User
+For convenience we create an `eoepca` (test) user to support usage examples in this guide where a user must be assumed.
 
 ```bash
 curl --silent --show-error \
@@ -187,7 +193,7 @@ Replace `"changeme"` with a secure password of your choice.
 
 ---
 
-### 6. Integrate GitHub as External Identity Provider
+### 7. Integrate GitHub as External Identity Provider
 
 This involves two main steps:
 
@@ -266,7 +272,7 @@ On the **Sign-in** page, select **GitHub**, and follow the flow to authorize Key
 
 ---
 
-### 7. Deploy Open Policy Agent (OPA)
+### 8. Deploy Open Policy Agent (OPA)
 
 #### a. Create Keycloak Client for OPA
 

docs/building-blocks/oapip-engine.md

@@ -200,6 +200,8 @@ This section provides an example resource protection using Keycloak groups and p
 
 The example assumes protection for the `/eoepca` context within `zoo` - protected via the group `team-eoepca` that represents a team/project with common access.
 
+The user `eoepca` is added to the `team-eoepca` group - assuming that the user was created as described in section [Create `eoepca` user for testing](iam.md#6-create-eoepca-user-for-testing)
+
 ### Obtain an Access Token for Administration
 
 ```bash

docs/building-blocks/overview.md

@@ -18,55 +18,61 @@ To simplify and standardise the deployment process, each Building Block comes wi
 
 Below is a list of the EOEPCA+ Building Blocks available for deployment:
 
-### 1. Resource Catalogue
+### 1. Identity & Access Management (IAM)
+
+The Identity and Access Management (IAM) Building Block provides authentication and authorisation services within the EOEPCA+ ecosystem. It ensures users can access resources and services safely across the platform by managing identities, roles and permissions.
+
+[Deploy IAM »](iam.md)
+
+### 2. Resource Catalogue
 
 The Resource Catalogue BB provides search and discovery of all types of resources available within the EOEPCA+ ecosystem - including datasets, processing workflows, ML models, applications, services, and more. It provides metadata management and search capabilities.
 
 [Deploy Resource Catalogue »](resource-catalogue.md)
 
-### 2. Processing
+### 3. Processing
 
 The Processing BB provides deployment and execution of user-defined processing workflows within the EOEPCA+ platform - with support for OGC API Processes, OGC Application Packages and openEO.
 
 [Deploy Processing »](processing.md)
 
-### 3. Data Access
+### 4. Data Access
 
 The Data Access BB provides efficient access to Earth Observation data. It provides data visualisation and retrieval services, enabling users and applications to interact with large datasets.
 
 [Deploy Data Access »](data-access.md)
 
-### 4. Resource Registration
+### 5. Resource Registration
 
 Resource Registration BB allows for the addition of new resources to the EOEPCA+ ecosystem. This includes harvesting data from other (external) data sources - and associated population of Catalogue and Data Access services.
 
 [Deploy Resource Registration »](resource-registration.md)
 
-### 5. Workspace
+### 6. Workspace
 
 The Workspace BB provides collorative work environments for users and teams (projects). It offers workspace-scoped storage allowing projects to manage their own resources within the platform - with associated workspace services that support project work within the platform - such as catalogue, data access and processing.
 
 [Deploy Workspace »](workspace.md)
 
-### 6. MLOps (Machine Learning Operations)
+### 7. MLOps (Machine Learning Operations)
 
 The MLOps BB faciliates the machine learning model development lifecycle - including model training, model version management and management of training data - and supports discovery of published models and training datasets.
 
 [Deploy MLOps »](mlops.md)
 
-### 7. Resource Health
+### 8. Resource Health
 
 The Resource Health BB provides a flexible framework that allows platform users and operators to monitor the health and status of resources offered through the platform. This includes core platform services, as well as resources (datasets, workflows, etc.) offered through those platform services.
 
 [Deploy Resource Health »](resource-health.md)
 
-### 8. Application Hub
+### 9. Application Hub
 
 The Application Hub serves as a platform where users can discover, access, and launch Earth Observation (EO) applications. This includes a JupyterLab environment for interactive analysis with notebooks. It provides a user-friendly interface for managing application lifecycles and facilitates collaboration among users.
 
 [Deploy Application Hub »](application-hub.md)
 
-### 9. Application Quality
+### 10. Application Quality
 
 The Application Quality BB assesses and ensures the quality and compliance of EO applications before they are made available to users. It performs validation checks and enforces best practice for open reproducible science.
 

scripts/processing/oapip/ingress-template.yaml

@@ -19,6 +19,14 @@ spec:
         - serviceName: zoo-project-dru-service
           servicePort: 80
       plugins:
+        # Authenticate - expect JWT in `Authorization: Bearer` header
+        - name: openid-connect
+          enable: true
+          config:
+            realm: eoepca
+            bearer_only: true
+            discovery: "https://auth-apx.$INGRESS_HOST/realms/eoepca/.well-known/openid-configuration"
+          secretRef: oapip-engine-client
         # Require authorization for access to API
         - name: authz-keycloak
           enable: true