Commit graph

4 commits

Author SHA1 Message Date
Florian Klink
7eb6900129 fix(ops/keycloak): update client ID and client secret
This points to a "GitHub App" now
("https://github.com/organizations/tvlfyi/settings/apps"), rather than an
"OAuth App"
("https://github.com/organizations/tvlfyi/settings/applications").

Apparently this makes a big difference, and we should be using a "GitHub
App", not an "OAuth App".

The defails on why are in
https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468

The App can be configured at
https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .

With this, we should get rid of spurious Exceptions with some GitHub
users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.

Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2024-09-01 13:19:19 +00:00
Florian Klink
ebf4647976 fix(ops/keycloak): ignore delete_default_mappers field
Without this, terraform wants to recreate the resource, just because we
do /not/ want to delete the default mappers:

```
  # keycloak_ldap_user_federation.tvl_ldap must be replaced
-/+ resource "keycloak_ldap_user_federation" "tvl_ldap" {
      + delete_default_mappers          = false # forces replacement
      ~ id                              = "4e68e9f0-7aba-4465-8357-f2af6a55fd0e" -> (known after apply)
        name                            = "tvl-ldap"
      ~ use_truststore_spi              = "ALWAYS" -> "ONLY_FOR_LDAPS"
        # (27 unchanged attributes hidden)
    }
```

Keycloak lists the a few mappers. which are likely the default ones,
but in any case, we don't want to recreate this resource.

Change-Id: I170a91a44b2efa426fae268cf7fc97a7f28a5760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12412
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2024-09-01 13:18:47 +00:00
Vincent Ambo
6576c2f15f feat(ops/keycloak): import github identity provider configuration
For some reason Terraform decided that it would otherwise like
to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and
`provider_id` are set to the name of a built-in supported
provider (github, gitlab etc.), which lets us skip the
authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-09-20 09:28:45 +00:00
Vincent Ambo
5a6f984222 refactor(ops/keycloak): Split out clients & user-sources
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-01-02 21:22:17 +00:00