path: root/ops/keycloak
Age / revision / commit message (author; files changed, lines -/+)
2024-09-01 r/8634 fix(ops/keycloak): update client ID and client secret (Florian Klink; 1 file, -1/+1)
This points to a "GitHub App" now ("https://github.com/organizations/tvlfyi/settings/apps"), rather than an "OAuth App" ("https://github.com/organizations/tvlfyi/settings/applications"). Apparently this makes a big difference, and we should be using a "GitHub App", not an "OAuth App". The details on why are in https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468.

The App can be configured at https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .

With this, we should get rid of spurious Exceptions with some GitHub users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.

Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2024-09-01 r/8633 fix(ops/keycloak): ignore delete_default_mappers field (Florian Klink; 1 file, -0/+7)
Without this, terraform wants to recreate the resource, just because we do /not/ want to delete the default mappers:

```
  # keycloak_ldap_user_federation.tvl_ldap must be replaced
-/+ resource "keycloak_ldap_user_federation" "tvl_ldap" {
      + delete_default_mappers = false # forces replacement
      ~ id                     = "4e68e9f0-7aba-4465-8357-f2af6a55fd0e" -> (known after apply)
        name                   = "tvl-ldap"
      ~ use_truststore_spi     = "ALWAYS" -> "ONLY_FOR_LDAPS"
        # (27 unchanged attributes hidden)
    }
```

Keycloak lists a few mappers, which are likely the default ones, but in any case we don't want to recreate this resource.

Change-Id: I170a91a44b2efa426fae268cf7fc97a7f28a5760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12412
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
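The way to stop a provider-side `# forces replacement` diff like the one above, when the attribute's real value never changes on the server, is Terraform's `lifecycle { ignore_changes = [...] }` on the resource. The block below is an added illustration and not the depot's configuration: the resource name `tvl_ldap`, the `name`, the `use_truststore_spi` value and the `delete_default_mappers` field are taken from the plan output above; the realm reference, the LDAP connection values and the `var.ldap_bind_password` variable are placeholders.

```hcl
resource "keycloak_ldap_user_federation" "tvl_ldap" {
  realm_id = keycloak_realm.tvl.id # assumed realm resource name
  name     = "tvl-ldap"
  enabled  = true

  # Placeholder connection settings; the real values are not on this page.
  connection_url  = "ldaps://ldap.example.invalid"
  users_dn        = "ou=users,dc=example,dc=invalid"
  bind_dn         = "cn=readonly,dc=example,dc=invalid"
  bind_credential = var.ldap_bind_password

  username_ldap_attribute = "cn"
  rdn_ldap_attribute      = "cn"
  uuid_ldap_attribute     = "entryUUID"
  user_object_classes     = ["inetOrgPerson", "organizationalPerson"]

  # Matches the in-place change shown in the plan above.
  use_truststore_spi = "ONLY_FOR_LDAPS"

  lifecycle {
    # The provider marks delete_default_mappers as ForceNew, so a state that
    # was imported before the attribute existed diffs against the default and
    # would destroy and recreate the whole federation (taking its mappers,
    # and every linked user's federation link, with it). The server-side
    # value never changes, so suppress the diff instead.
    ignore_changes = [delete_default_mappers]
  }
}
```

After adding the `lifecycle` block, `terraform plan` should no longer list the federation with `-/+` (replace); only genuine in-place changes such as `use_truststore_spi` remain. Note that `ignore_changes` also hides real drift in that attribute, which is acceptable here because it only controls one-time behaviour at resource creation.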
2024-09-01 r/8632 fix(ops/keycloak): set base_path (Florian Klink; 1 file, -0/+5)
The docs mention this applies to "users of the legacy distribution of keycloak". However, we get a "failed to perform initial login to Keycloak: error sending POST request to https://auth.tvl.fyi/realms/master/protocol/openid-connect/token: 404 Not Found" if we don't set this.

With this, the provider is able to talk to the API, as long as the secrets are sourced.

Change-Id: I0b9cdd45b1628aa0870a1673491c12c07bf7f8d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12411
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
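For reference, this is what an explicit `base_path` looks like in the Keycloak Terraform provider's `provider` block. It is an added example, not the depot's file: the `auth.tvl.fyi` URL comes from the error message above, while the provider source, the `terraform` client ID and the `var.keycloak_client_secret` variable are assumptions. The provider reads `KEYCLOAK_URL`, `KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET` and `KEYCLOAK_BASE_PATH` from the environment when the attributes are omitted, which is what "as long as the secrets are sourced" refers to.

```hcl
terraform {
  required_providers {
    keycloak = {
      source = "mrparkers/keycloak" # assumed; pin source and version in the real config
    }
  }
}

provider "keycloak" {
  url = "https://auth.tvl.fyi"

  # Quarkus-based Keycloak serves the admin API under /realms/... and
  # /admin/realms/.... The legacy (WildFly) distribution prefixed everything
  # with /auth, which is the value the docs tell legacy users to set here.
  # Setting it explicitly also overrides any stale KEYCLOAK_BASE_PATH left in
  # a sourced secrets file, so the initial /realms/master/protocol/
  # openid-connect/token login stops 404ing.
  base_path = ""

  # Service-account client used for the admin API. Keep the secret out of
  # the repository: source it from the environment or a secrets file.
  client_id     = "terraform"                # assumed client ID
  client_secret = var.keycloak_client_secret # assumed variable name
}
```

A quick check that the path is right before running Terraform at all: `curl -sS https://auth.tvl.fyi/realms/master/.well-known/openid-configuration` should return JSON whose `token_endpoint` is exactly the URL the provider tried to POST to; if the server is a legacy distribution the same document lives under `/auth/realms/master/...` instead, and `base_path` must be `/auth`.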
2024-09-01 r/8630 fix(ops/keycloak): fix terraform state config (Florian Klink; 1 file, -4/+8)
The same fix from cl/11021 also needs to be applied to other states.

Change-Id: I0df3ee2e8970e0d08a119ecc6347f24aef0448c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12409
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-07-01 r/6382 chore(ops/keycloak): drop oauth2-proxy client (Florian Klink; 1 file, -21/+0)
Nothing is using this, so it can be removed.

Change-Id: I1b812b6df89d4f79ed313e646e141909519c6083
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8914
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: flokli <flokli@flokli.de>
2022-12-27 r/5507 docs: change email address mentions to depot@tvl.su (Vincent Ambo; 1 file, -1/+1)
This is the new address which leads to the public inbox at inbox.tvl.su

Change-Id: I45d98a373b8acda49b05c4f74669ffb9ad1f1a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7632
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-09-20 r/4930 feat(ops/keycloak): import github identity provider configuration (Vincent Ambo; 2 files, -1/+24)
For some reason Terraform decided that it would otherwise like to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and `provider_id` are set to the name of a built-in supported provider (github, gitlab etc.), which lets us skip the authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
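The "magic" behaviour mentioned above, as an added example rather than the depot's own `user-sources.tf`: with `alias` and `provider_id` both set to `github`, Keycloak uses its built-in GitHub social provider and knows the endpoints itself, so the provider's otherwise-required `authorization_url` and `token_url` can be left empty. The realm reference, the variable names, the empty-string convention for the URLs and the `user:email` scope are assumptions here, not facts taken from the page.

```hcl
resource "keycloak_oidc_identity_provider" "github" {
  realm = keycloak_realm.tvl.id # assumed realm resource name

  # Both must equal the built-in provider name for Keycloak to treat this as
  # the GitHub social login rather than a generic OIDC provider.
  alias       = "github"
  provider_id = "github"

  # Credentials of the GitHub App (see r/8634 above); keep them out of the repo.
  client_id     = var.github_client_id     # assumed variable name
  client_secret = var.github_client_secret # assumed variable name

  # Required by the provider schema, but ignored for built-in social
  # providers because Keycloak supplies GitHub's endpoints itself.
  authorization_url = ""
  token_url         = ""

  # GitHub only returns the account's e-mail with this scope (assumed value).
  default_scopes = "user:email"

  # Do not take GitHub's word for e-mail verification when linking to an
  # existing Keycloak/LDAP account; leave trust_email off unless the realm's
  # first-login flow is designed for it.
  trust_email = false
}
```

To confirm the import is clean rather than a destroy-and-recreate, `terraform plan` after `terraform import keycloak_oidc_identity_provider.github <realm>/github` should report no changes for the resource; a plan that wants to replace it usually means `alias` or `provider_id` differs from what is configured in the realm.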
2022-09-20 r/4929 feat(ops/keycloak): add SMTP settings in configuration (Vincent Ambo; 1 file, -0/+10)
I think these were set up in the UI and previously not supported in the Terraform config; now they're supported and Terraform wanted to delete them ...

Change-Id: I83eb49ceb774ac835dc81638f962e937c7e936c6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6707
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-06-07 r/4227 refactor(ops/keycloak): Use tools.checks.validateTerraform (Vincent Ambo; 1 file, -5/+5)
Remove some ~commit message~ ... uh, code duplication.

Change-Id: Id6e8f2132999e153d3984848f95ccabd52e4f45f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5853
Tested-by: BuildkiteCI
Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-06 r/4218 test(ops/keycloak): Validate Terraform configuration in CI (Vincent Ambo; 1 file, -2/+8)
Change-Id: I5602cf722b9fe9502c9d7610eefc7ba0ab647362
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5844
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-06-06 r/4213 docs(ops/buildkite): Add documentation about this config (Vincent Ambo; 1 file, -1/+1)
Change-Id: Ia61b15127c67cdd9dddcab9f3540f1aee949cd6b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5839
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-28 r/4177 feat(ops/keycloak): Add OIDC client for panettone (Vincent Ambo; 1 file, -0/+14)
Change-Id: Idb4352e3bbf412df5569aa988a78c6438063f93a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5769
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-31 r/3723 style: format entire depot with nixpkgs-fmt (Vincent Ambo; 1 file, -1/+1)
This CL can be used to compare the style of nixpkgs-fmt against other formatters (nixpkgs, alejandra).

Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: cynthia <cynthia@tvl.fyi>
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-02 r/3511 refactor(ops/keycloak): Split out clients & user-sources (Vincent Ambo; 3 files, -106/+113)
Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-28 r/3495 fix(ops/keycloak): redefine buildkite client, correctly this time (Vincent Ambo; 1 file, -15/+26)
This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform.

This sets up the Buildkite provider again but with the correct SAML configuration this time.

Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-27 r/3473 feat(ops/keycloak): Import Buildkite OIDC client (Vincent Ambo; 1 file, -0/+21)
This was previously configured in the UI.

Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3472 feat(ops/keycloak): Import Gerrit OIDC client (Vincent Ambo; 1 file, -0/+21)
This was previously configured in the UI.

Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3471 fix(ops/keycloak): Move Terraform state to GleSYS bucket (Vincent Ambo; 1 file, -0/+11)
This should never sit around locally the way it does now.

Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3470 feat(ops/secrets): Add tf-keycloak secrets file (Vincent Ambo; 1 file, -0/+18)
This file can be sourced (somehow, depending on the user) while working with //ops/keycloak to get the relevant secrets.

Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 r/3469 feat(ops/keycloak): Add OIDC client for Grafana (Vincent Ambo; 1 file, -0/+14)
Completely forgot about Grafana, so it's currently broken. Oops!

Change-Id: Ia4e6405428ad8e514d6e61635f9692c57f61defe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4705
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-26 r/3428 fix(ops/keycloak): set up client for usage with oauth2_proxy (Vincent Ambo; 1 file, -7/+7)
This will be useful for things like panettone, pending a NixOS module for oauth2-proxy (the upstream one is too complicated and doesn't support what we need).

Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
2021-12-26 r/3427 fix(ops/keycloak): trust email addresses from LDAP (Vincent Ambo; 1 file, -0/+1)
Verified emails are required for some things, like e.g. oauth2_proxy.

Change-Id: Ifb124be40d6d2863cd1b7ed5fbdfcf4827e8808c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4661
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 r/3426 feat(ops/keycloak): Set up oauth2_proxy client (Vincent Ambo; 1 file, -0/+21)
Change-Id: I996d9644ed7e870d6e5a42af117eafbf841da679
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4640
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 r/3425 feat(ops/keycloak): Check in initial Keycloak configuration (Vincent Ambo; 3 files, -0/+51)
This is still missing most of the client configuration etc., in part due to bugs in the provider which are preventing resource imports.

Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>