tvl-depot/ops/keycloak
Florian Klink 7eb6900129 fix(ops/keycloak): update client ID and client secret
This points to a "GitHub App" now
("https://github.com/organizations/tvlfyi/settings/apps"), rather than an
"OAuth App"
("https://github.com/organizations/tvlfyi/settings/applications").

Apparently this makes a big difference, and we should be using a "GitHub
App", not an "OAuth App".

The defails on why are in
https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468

The App can be configured at
https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .

With this, we should get rid of spurious Exceptions with some GitHub
users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.

Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2024-09-01 13:19:19 +00:00
..
.gitignore feat(ops/keycloak): Check in initial Keycloak configuration 2021-12-26 16:45:59 +00:00
clients.tf chore(ops/keycloak): drop oauth2-proxy client 2023-07-01 23:35:13 +00:00
default.nix refactor(ops/keycloak): Use tools.checks.validateTerraform 2022-06-07 09:32:13 +00:00
main.tf fix(ops/keycloak): set base_path 2024-09-01 13:18:47 +00:00
README.md docs(ops/buildkite): Add documentation about this config 2022-06-06 11:05:12 +00:00
user_sources.tf fix(ops/keycloak): update client ID and client secret 2024-09-01 13:19:19 +00:00

Terraform for Keycloak

This contains the Terraform configuration for deploying TVL's Keycloak instance (which lives at auth.tvl.fyi).

Secrets are needed for applying this. The encrypted file //ops/secrets/tf-keycloak.age contains export calls which should be sourced, for example via direnv, by users with the appropriate credentials.

An example direnv configuration used by tazjin is this:

# //ops/keycloak/.envrc
source_up
eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)