refactor(ops/keycloak): Split out clients & user-sources
Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak). Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
This commit is contained in:
parent
5e036ed9fc
commit
5a6f984222
3 changed files with 113 additions and 106 deletions
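--- /dev/null
+++ b/ops/keycloak/clients.tf
@@ -0,0 +1,92 @@
+# All Keycloak clients, that is applications which authenticate
+# through Keycloak.
+#
+# Includes first-party (i.e. TVL-hosted) and third-party clients.
+
+resource "keycloak_openid_client" "grafana" {
+realm_id = keycloak_realm.tvl.id
+client_id = "grafana"
+name = "Grafana"
+enabled = true
+access_type = "CONFIDENTIAL"
+standard_flow_enabled = true
+base_url = "https://status.tvl.su"
+
+valid_redirect_uris = [
+"https://status.tvl.su/*",
+]
+}
+
+resource "keycloak_openid_client" "gerrit" {
+realm_id = keycloak_realm.tvl.id
+client_id = "gerrit"
+name = "TVL Gerrit"
+enabled = true
+access_type = "CONFIDENTIAL"
+standard_flow_enabled = true
+base_url = "https://cl.tvl.fyi"
+description = "TVL's code review tool"
+direct_access_grants_enabled = true
+exclude_session_state_from_auth_response = false
+
+valid_redirect_uris = [
+"https://cl.tvl.fyi/*",
+]
+
+web_origins = [
+"https://cl.tvl.fyi",
+]
+}
+
+resource "keycloak_saml_client" "buildkite" {
+realm_id = keycloak_realm.tvl.id
+client_id = "https://buildkite.com"
+name = "Buildkite"
+base_url = "https://buildkite.com/sso/tvl"
+
+client_signature_required = false
+assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+
+valid_redirect_uris = [
+"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+]
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+realm_id = keycloak_realm.tvl.id
+client_id = keycloak_saml_client.buildkite.id
+name = "buildkite-email-mapper"
+user_attribute = "email"
+saml_attribute_name = "email"
+saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+realm_id = keycloak_realm.tvl.id
+client_id = keycloak_saml_client.buildkite.id
+name = "buildkite-name-mapper"
+user_attribute = "displayName"
+saml_attribute_name = "name"
+saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_openid_client" "oauth2_proxy" {
+realm_id = keycloak_realm.tvl.id
+client_id = "oauth2-proxy"
+name = "TVL OAuth2 Proxy"
+enabled = true
+access_type = "CONFIDENTIAL"
+standard_flow_enabled = true
+
+valid_redirect_uris = [
+"https://login.tvl.fyi/oauth2/callback",
+"http://localhost:4774/oauth2/callback",
+]
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
+realm_id = keycloak_realm.tvl.id
+client_id = keycloak_openid_client.oauth2_proxy.id
+name = "oauth2-proxy-audience"
+included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
+}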
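Review bot: `direct_access_grants_enabled = true` on the `gerrit` client (the line after `description`) enables the resource-owner password grant, so anything holding that client's secret can exchange a user's directory password straight for tokens without the browser-based login flow; since the move carries the flag over unchanged, a comment naming which Gerrit integration actually needs it — or `direct_access_grants_enabled = false` if none does — would keep it from surviving by inertia. The `oauth2_proxy` client registers `http://localhost:4774/oauth2/callback` beside the production callback, which leaves a plain-HTTP loopback redirect on a CONFIDENTIAL client in the live realm; if it is there for local testing, say so in a comment (`# dev-only: local oauth2-proxy instance`) or move it behind a variable so it is not applied in production. The wildcard redirects `https://status.tvl.su/*` and `https://cl.tvl.fyi/*` could likewise be narrowed to the exact callback path each application uses, as is already done for oauth2_proxy. For the `buildkite` SAML client, `client_signature_required = false` means Keycloak will not verify signatures on Buildkite's authentication requests; the fixed `assertion_consumer_post_url` limits the impact, but a one-line comment recording that this is a Buildkite limitation rather than an oversight would help the next reader.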
@ -32,109 +32,3 @@ resource "keycloak_realm" "tvl" {
|
|||
display_name = "The Virus Lounge"
|
||||
default_signature_algorithm = "RS256"
|
||||
}
|
||||
|
||||
resource "keycloak_ldap_user_federation" "tvl_ldap" {
|
||||
name = "tvl-ldap"
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
enabled = true
|
||||
connection_url = "ldap://localhost"
|
||||
users_dn = "ou=users,dc=tvl,dc=fyi"
|
||||
username_ldap_attribute = "cn"
|
||||
uuid_ldap_attribute = "cn"
|
||||
rdn_ldap_attribute = "cn"
|
||||
full_sync_period = 86400
|
||||
trust_email = true
|
||||
|
||||
user_object_classes = [
|
||||
"inetOrgPerson",
|
||||
"organizationalPerson",
|
||||
]
|
||||
}
|
||||
|
||||
resource "keycloak_openid_client" "oauth2_proxy" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = "oauth2-proxy"
|
||||
name = "TVL OAuth2 Proxy"
|
||||
enabled = true
|
||||
access_type = "CONFIDENTIAL"
|
||||
standard_flow_enabled = true
|
||||
|
||||
valid_redirect_uris = [
|
||||
"https://login.tvl.fyi/oauth2/callback",
|
||||
"http://localhost:4774/oauth2/callback",
|
||||
]
|
||||
}
|
||||
|
||||
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = keycloak_openid_client.oauth2_proxy.id
|
||||
name = "oauth2-proxy-audience"
|
||||
included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
|
||||
}
|
||||
|
||||
resource "keycloak_openid_client" "grafana" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = "grafana"
|
||||
name = "Grafana"
|
||||
enabled = true
|
||||
access_type = "CONFIDENTIAL"
|
||||
standard_flow_enabled = true
|
||||
base_url = "https://status.tvl.su"
|
||||
|
||||
valid_redirect_uris = [
|
||||
"https://status.tvl.su/*",
|
||||
]
|
||||
}
|
||||
|
||||
resource "keycloak_openid_client" "gerrit" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = "gerrit"
|
||||
name = "TVL Gerrit"
|
||||
enabled = true
|
||||
access_type = "CONFIDENTIAL"
|
||||
standard_flow_enabled = true
|
||||
base_url = "https://cl.tvl.fyi"
|
||||
description = "TVL's code review tool"
|
||||
direct_access_grants_enabled = true
|
||||
exclude_session_state_from_auth_response = false
|
||||
|
||||
valid_redirect_uris = [
|
||||
"https://cl.tvl.fyi/*",
|
||||
]
|
||||
|
||||
web_origins = [
|
||||
"https://cl.tvl.fyi",
|
||||
]
|
||||
}
|
||||
|
||||
resource "keycloak_saml_client" "buildkite" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = "https://buildkite.com"
|
||||
name = "Buildkite"
|
||||
base_url = "https://buildkite.com/sso/tvl"
|
||||
|
||||
client_signature_required = false
|
||||
assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
|
||||
|
||||
valid_redirect_uris = [
|
||||
"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
|
||||
]
|
||||
}
|
||||
|
||||
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = keycloak_saml_client.buildkite.id
|
||||
name = "buildkite-email-mapper"
|
||||
user_attribute = "email"
|
||||
saml_attribute_name = "email"
|
||||
saml_attribute_name_format = "Unspecified"
|
||||
}
|
||||
|
||||
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
|
||||
realm_id = keycloak_realm.tvl.id
|
||||
client_id = keycloak_saml_client.buildkite.id
|
||||
name = "buildkite-name-mapper"
|
||||
user_attribute = "displayName"
|
||||
saml_attribute_name = "name"
|
||||
saml_attribute_name_format = "Unspecified"
|
||||
}
|
||||
|
|
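--- /dev/null
+++ b/ops/keycloak/user_sources.tf
@@ -0,0 +1,21 @@
+# All user sources, that is services from which Keycloak gets user
+# information (either by accessing a system like LDAP or integration
+# through protocols like OIDC).
+
+resource "keycloak_ldap_user_federation" "tvl_ldap" {
+name = "tvl-ldap"
+realm_id = keycloak_realm.tvl.id
+enabled = true
+connection_url = "ldap://localhost"
+users_dn = "ou=users,dc=tvl,dc=fyi"
+username_ldap_attribute = "cn"
+uuid_ldap_attribute = "cn"
+rdn_ldap_attribute = "cn"
+full_sync_period = 86400
+trust_email = true
+
+user_object_classes = [
+"inetOrgPerson",
+"organizationalPerson",
+]
+}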
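Review bot: `uuid_ldap_attribute = "cn"` ties a Keycloak user's identity to the same mutable value used as the login name, so renaming a directory entry's `cn` yields a fresh Keycloak user (losing roles and client links) while re-creating an entry under a previously used `cn` inherits the old one; if the directory exposes an immutable identifier such as OpenLDAP's `entryUUID`, using it here would be safer, and otherwise a comment stating that `cn` is never reused or renamed would document the assumption. `trust_email = true` makes Keycloak treat every federated user's `mail` value as verified without any confirmation step, and the Buildkite SAML mapper in this commit forwards that attribute as the user's identity to a third party, so a short comment next to the flag recording why directory data is trusted for this is warranted. `connection_url = "ldap://localhost"` with no bind credentials is presumably an anonymous loopback connection to a co-located directory; a comment saying so (`# plaintext is acceptable only because the directory is bound to loopback on the same host`) would stop a later move to a remote LDAP host from silently sending queries unencrypted.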