Commit graph

24 commits

Author SHA1 Message Date
Florian Klink
7eb6900129 fix(ops/keycloak): update client ID and client secret
This points to a "GitHub App" now
("https://github.com/organizations/tvlfyi/settings/apps"), rather than an
"OAuth App"
("https://github.com/organizations/tvlfyi/settings/applications").

Apparently this makes a big difference, and we should be using a "GitHub
App", not an "OAuth App".

The defails on why are in
https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468

The App can be configured at
https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .

With this, we should get rid of spurious Exceptions with some GitHub
users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.

Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2024-09-01 13:19:19 +00:00
Florian Klink
ebf4647976 fix(ops/keycloak): ignore delete_default_mappers field
Without this, terraform wants to recreate the resource, just because we
do /not/ want to delete the default mappers:

```
  # keycloak_ldap_user_federation.tvl_ldap must be replaced
-/+ resource "keycloak_ldap_user_federation" "tvl_ldap" {
      + delete_default_mappers          = false # forces replacement
      ~ id                              = "4e68e9f0-7aba-4465-8357-f2af6a55fd0e" -> (known after apply)
        name                            = "tvl-ldap"
      ~ use_truststore_spi              = "ALWAYS" -> "ONLY_FOR_LDAPS"
        # (27 unchanged attributes hidden)
    }
```

Keycloak lists the a few mappers. which are likely the default ones,
but in any case, we don't want to recreate this resource.

Change-Id: I170a91a44b2efa426fae268cf7fc97a7f28a5760
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12412
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
2024-09-01 13:18:47 +00:00
Florian Klink
e74378a324 fix(ops/keycloak): set base_path
The docs mention this applies to "users of the legacy distribution of keycloak".
However, we get a "failed to perform initial login to Keycloak: error
sending POST request to https://auth.tvl.fyi/realms/master/protocol/openid-connect/token: 404 Not Found"
if we don't set this.

With this, the provider is able to talk to the API, as long as the
secrets are sourced.

Change-Id: I0b9cdd45b1628aa0870a1673491c12c07bf7f8d6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12411
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
2024-09-01 13:18:47 +00:00
Florian Klink
23f97d0df0 fix(ops/keycloak): fix terraform state config
The same fix from cl/11021 also needs to be applied to other states.

Change-Id: I0df3ee2e8970e0d08a119ecc6347f24aef0448c2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12409
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2024-09-01 13:18:14 +00:00
Florian Klink
6020b71752 chore(ops/keycloak): drop oauth2-proxy client
Nothing is using this, so it can be removed.

Change-Id: I1b812b6df89d4f79ed313e646e141909519c6083
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8914
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: flokli <flokli@flokli.de>
2023-07-01 23:35:13 +00:00
Vincent Ambo
81fd9caf3e docs: change email address mentions to depot@tvl.su
This is the new address which leads to the public inbox at inbox.tvl.su

Change-Id: I45d98a373b8acda49b05c4f74669ffb9ad1f1a3c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7632
Tested-by: BuildkiteCI
Reviewed-by: flokli <flokli@flokli.de>
2022-12-27 19:46:11 +00:00
Vincent Ambo
6576c2f15f feat(ops/keycloak): import github identity provider configuration
For some reason Terraform decided that it would otherwise like
to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and
`provider_id` are set to the name of a built-in supported
provider (github, gitlab etc.), which lets us skip the
authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-09-20 09:28:45 +00:00
Vincent Ambo
3a1f4831a8 feat(ops/keycloak): add SMTP settings in configuration
I think these were set up in the UI and previously not supported in
the Terraform config, now they're supported and Terraform wanted to
delete them ...

Change-Id: I83eb49ceb774ac835dc81638f962e937c7e936c6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6707
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: lukegb <lukegb@tvl.fyi>
2022-09-20 09:28:45 +00:00
Vincent Ambo
8e8d6eb1df refactor(ops/keycloak): Use tools.checks.validateTerraform
Remove some ~commit message~ ... uh, code duplication.

Change-Id: Id6e8f2132999e153d3984848f95ccabd52e4f45f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5853
Tested-by: BuildkiteCI
Reviewed-by: asmundo <asmundo@gmail.com>
2022-06-07 09:32:13 +00:00
Vincent Ambo
89ba820059 test(ops/keycloak): Validate Terraform configuration in CI
Change-Id: I5602cf722b9fe9502c9d7610eefc7ba0ab647362
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5844
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-06-06 11:05:12 +00:00
Vincent Ambo
b29b6a092c docs(ops/buildkite): Add documentation about this config
Change-Id: Ia61b15127c67cdd9dddcab9f3540f1aee949cd6b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5839
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-06-06 11:05:12 +00:00
Vincent Ambo
38be32c6b0 feat(ops/keycloak): Add OIDC client for panettone
Change-Id: Idb4352e3bbf412df5569aa988a78c6438063f93a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5769
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2022-05-28 17:03:36 +00:00
Vincent Ambo
aa122cbae7 style: format entire depot with nixpkgs-fmt
This CL can be used to compare the style of nixpkgs-fmt against other
formatters (nixpkgs, alejandra).

Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: cynthia <cynthia@tvl.fyi>
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: grfn <grfn@gws.fyi>
2022-01-31 16:11:53 +00:00
Vincent Ambo
5a6f984222 refactor(ops/keycloak): Split out clients & user-sources
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-01-02 21:22:17 +00:00
Vincent Ambo
b763f183f7 fix(ops/keycloak): redefine buildkite client, correctly this time
This client definition was previously nonsense. What happened is that
I accidentally imported the client as an OIDC client, which Keycloak
accepted because apparently those are the same entities on the API
level, and that ended up getting mangled into some broken hybrid shape
by Terraform.

This sets up the Buildkite provider again but with the correct
SAML configuration this time.

Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-28 17:37:22 +00:00
Vincent Ambo
23693ca898 feat(ops/keycloak): Import Buildkite OIDC client
This was previously configured in the UI.

Change-Id: I68361b1489093b76736adab2e38ed7b474b10881
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4711
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
fb7d45abc4 feat(ops/keycloak): Import Gerrit OIDC client
This was previously configured in the UI.

Change-Id: Ib15b8ecca96d7814dc85d62199865b22bdb63f95
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4710
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
98be390576 fix(ops/keycloak): Move Terraform state to GleSYS bucket
This should never sit around locally the way it does now.

Change-Id: Icfbdaf1949d6d948a796a0759282ea6144af3621
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4709
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
e616f978d0 feat(ops/secrets): Add tf-keycloak secrets file
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.

Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 15:53:57 +00:00
Vincent Ambo
4f030f085d feat(ops/keycloak): Add OIDC client for Grafana
Completely forgot about Grafana, so it's currently broken. Oops!

Change-Id: Ia4e6405428ad8e514d6e61635f9692c57f61defe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4705
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
2021-12-27 15:53:57 +00:00
Vincent Ambo
fc16f1e467 fix(ops/keycloak): set up client for usage with oauth2_proxy
This will be useful for things like panettone, pending a NixOS module
for oauth2-proxy (the upstream one is too complicated and doesn't
support what we need).

Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Autosubmit: tazjin <mail@tazj.in>
2021-12-26 16:59:01 +00:00
Vincent Ambo
a8923242be fix(ops/keycloak): trust email addresses from LDAP
Verified emails are required for some things, like e.g. oauth2_proxy

Change-Id: Ifb124be40d6d2863cd1b7ed5fbdfcf4827e8808c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4661
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:59:01 +00:00
Vincent Ambo
e8fa347fd1 feat(ops/keycloak): Set up oauth2_proxy client
Change-Id: I996d9644ed7e870d6e5a42af117eafbf841da679
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4640
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:59:01 +00:00
Vincent Ambo
7b3c0b3e2f feat(ops/keycloak): Check in initial Keycloak configuration
This is still missing most of the client configuration etc., in part
due to bugs in the provider which are preventing resource imports.

Change-Id: Ic224ffc001f8e1fe6dcd47b7d002580fdf7b0774
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4628
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-12-26 16:45:59 +00:00