Local Lab with Keycloak
Use this protected local lab stack when you want to test:
- Keycloak-backed OIDC auth services
- endpoint auth on
/apiand/mcp - browser PKCE login for the UI
- durable validation runs
Main files:
examples/tools-configs/keycloak-protected-validation.yamlexamples/server-configs/protected-api-mcp-ui.yamlexamples/validation-runtime-configs/durable-validation-sqlite.yamlexamples/keycloak/docker-compose.keycloak.yamlexamples/keycloak/keycloak-setup.shexamples/containerlab/noc-foundry-lab.clab.yamlexamples/containerlab/install-containerlab.sh
For contributors who want a realistic local network instead of static sample targets, pair this protected stack with the SR Linux containerlab fabric.
- install containerlab on demand with
./examples/containerlab/install-containerlab.sh - deploy the lab with
sudo containerlab deploy -t examples/containerlab/noc-foundry-lab.clab.yaml - destroy it with
sudo containerlab destroy -t examples/containerlab/noc-foundry-lab.clab.yaml
Start Keycloak
Start the local Keycloak example:
docker compose -f examples/keycloak/docker-compose.keycloak.yaml up -d
Bootstrap the demo realm, clients, and test user:
./examples/keycloak/keycloak-setup.sh
This creates:
- the
network-opsrealm - the
noc-foundryresource-side client - the
noc-foundry-uibrowser PKCE client - the
noc-operatortest user
Start NOCFoundry
./nocfoundry \
--tools-file examples/tools-configs/keycloak-protected-validation.yaml \
--server-config examples/server-configs/protected-api-mcp-ui.yaml \
--validation-config examples/validation-runtime-configs/durable-validation-sqlite.yaml \
--ui
Then open:
http://127.0.0.1:5000/ui/
and sign in with the local Keycloak test account created by
./examples/keycloak/keycloak-setup.sh.