authorVincent Ambo <mail@tazj.in>2021-12-26T15·36+0300
committerclbot <clbot@tvl.fyi>2021-12-26T16·59+0000
commite8fa347fd1e22b6c55941ecff8b6d385c7027791 (patch)
tree44eacfb8f02f39bef3ecd0cf16aba10f0e2d430f /ops/keycloak
parent7b3c0b3e2f672ba2547827105b9f14d003d16267 (diff)
feat(ops/keycloak): Set up oauth2_proxy client r/3426
Change-Id: I996d9644ed7e870d6e5a42af117eafbf841da679
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4640
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Diffstat (limited to 'ops/keycloak')
-rw-r--r--ops/keycloak/main.tf21
1 files changed, 21 insertions, 0 deletions
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 312e8ac61f..95902476bb 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -38,3 +38,24 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" {
     "organizationalPerson",
   ]
 }
+
+resource "keycloak_openid_client" "oauth2_proxy" {
+  realm_id              = keycloak_realm.tvl.id
+  client_id             = "oauth2-proxy"
+  name                  = "TVL OAuth2 Proxy"
+  enabled               = true
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+
+  valid_redirect_uris = [
+    "https://login.tvl.fyi/oauth2/callback"
+  ]
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "panettone_audience" {
+  realm_id  = keycloak_realm.tvl.id
+  client_id = keycloak_openid_client.oauth2_proxy.id
+  name      = "panettone-audience"
+
+  included_custom_audience = "b"
+}
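Review bot: The value `included_custom_audience = "b"` on the last added resource is unexplained and does not correspond to the mapper's own name `panettone-audience`, so a reader cannot tell which service is expected to validate tokens carrying that `aud` claim; if `"b"` is a placeholder it should become the identifier that service actually checks, and otherwise the line deserves a comment such as `# audience identifier that panettone checks in the aud claim` (adjusted to what is intended). Because the client is declared with `access_type = "CONFIDENTIAL"`, Keycloak issues it a client secret that the provider exports as the `client_secret` attribute, which lands in Terraform state, so the state backend for this module has to be handled as secret material — worth noting on the resource if that is not documented elsewhere. The single exact entry in `valid_redirect_uris` with no wildcard is the right shape for an oauth2_proxy callback; a short header comment like `# OIDC client used by oauth2_proxy at login.tvl.fyi` would make the resource's purpose clear without reading the commit message.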