Differential D2896
Keycloak: add realm and client definition in puppet manifest Authored by olasd on Mar 26 2020, 9:28 PM.
Details
This diff adds in puppet manifest for Keycloak:
I managed to test locally with docker by hacking on pupperware and using a docker image with Nevertheless, puppet module for Keycloak needs to upgraded to its latest version (6.10). Related to T1927
Diff Detail
Event Timeline
Comment Actions Thanks for this config canvas ! I think we might want separate realms for production, staging and "localhost testing". At the very least, we will want separate clients, because I don't think application credentials and user sessions should be shared across the different usecases. If you agree with this I'm happy to pick this diff up to implement the idea.
Comment Actions
Sure go ahead ! Comment Actions
One realm per environment seems the right way to go I think. This will enable to have a different set of users for each of them and test new clients safely. Comment Actions octocatalog-diff output: diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
+ Keycloak_client[swh-web on SoftwareHeritageStaging] =>
parameters =>
"client_id": "swh-web"
"default_client_scopes": ["profile", "email", "roles", "web-origins"]
"ensure": "present"
"name": "swh-web"
"optional_client_scopes": ["microprofile-jwt", "offline_access"]
"public_client": true
"realm": "SoftwareHeritageStaging"
"redirect_uris": ["https://webapp.staging.swh.network/*", "https://webapp.internal.staging.swh.network/*"]
*******************************************
+ Keycloak_client[swh-web on SoftwareHeritage] =>
parameters =>
"client_id": "swh-web"
"default_client_scopes": ["profile", "email", "roles", "web-origins"]
"ensure": "present"
"name": "swh-web"
"optional_client_scopes": ["microprofile-jwt", "offline_access"]
"public_client": true
"realm": "SoftwareHeritage"
"redirect_uris": ["https://archive.softwareheritage.org/*", "https://base.softwareheritage.org/*", "https://archive.internal.softwareheritage.org/*", "https://webapp0.softwareheritage.org/*"]
*******************************************
+ Keycloak_protocol_mapper[audience for swh-web on SoftwareHeritageStaging] =>
parameters =>
"client_scope": "swh-web"
"ensure": "present"
"included_client_audience": "swh-web"
"realm": "SoftwareHeritageStaging"
"resource_name": "audience"
"type": "oidc-audience-mapper"
*******************************************
+ Keycloak_protocol_mapper[audience for swh-web on SoftwareHeritage] =>
parameters =>
"client_scope": "swh-web"
"ensure": "present"
"included_client_audience": "swh-web"
"realm": "SoftwareHeritage"
"resource_name": "audience"
"type": "oidc-audience-mapper"
*******************************************
+ Keycloak_protocol_mapper[user groups for swh-web on SoftwareHeritageStaging] =>
parameters =>
"claim_name": "groups"
"client_scope": "swh-web"
"ensure": "present"
"full_path": true
"realm": "SoftwareHeritageStaging"
"resource_name": "user groups"
"type": "oidc-group-membership-mapper"
*******************************************
+ Keycloak_protocol_mapper[user groups for swh-web on SoftwareHeritage] =>
parameters =>
"claim_name": "groups"
"client_scope": "swh-web"
"ensure": "present"
"full_path": true
"realm": "SoftwareHeritage"
"resource_name": "user groups"
"type": "oidc-group-membership-mapper"
*******************************************
+ Keycloak_realm[SoftwareHeritageStaging] =>
parameters =>
"display_name": "Software Heritage (Staging)"
"ensure": "present"
"internationalization_enabled": true
"login_with_email_allowed": true
"remember_me": true
*******************************************
+ Keycloak_realm[SoftwareHeritage] =>
parameters =>
"display_name": "Software Heritage"
"ensure": "present"
"internationalization_enabled": true
"login_with_email_allowed": true
"remember_me": true
*******************************************I'm not sure if the resource ordering will work but we can adapt that later. Comment Actions Thanks for the improvements ! I could not resist to test locally. This is the puppet output of my first run once I plugged the code in my local puppet testing env : P633 After a (painful) debugging session, I noticed that an explicit id must be set for each client with the same name in order for Keycloak to I added inline comments fixing the observed issues. Resulting puppet run after those changes can be found here: P634
Comment Actions I paste below the current state of the puppet configuration and profile for Keycloak that I got locally working: configuration keycloak::resources::realms::common_settings: remember_me: true login_with_email_allowed: true internationalization_enabled: true keycloak::resources::clients::common_settings: public_client: true default_client_scopes: - profile - email - roles - web-origins optional_client_scopes: - microprofile-jwt - offline_access keycloak::resources::protocol_mappers::audience: name: audience type: oidc-audience-mapper included_client_audience: __client_id__ keycloak::resources::protocol_mappers::groups: name: groups type: oidc-group-membership-mapper claim_name: groups full_path: true keycloak::resources::realms: SoftwareHeritage: settings: display_name: Software Heritage clients: swh-web: settings: redirect_uris: # Should match letsencrypt::certificates.archive_production.domains - https://archive.softwareheritage.org/* - https://base.softwareheritage.org/* - https://archive.internal.softwareheritage.org/* - https://webapp0.softwareheritage.org/* protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" SoftwareHeritageStaging: settings: display_name: Software Heritage (Staging) clients: swh-web: settings: redirect_uris: # Should match letsencrypt::certificates.archive_staging.domains - https://webapp.staging.swh.network/* - https://webapp.internal.staging.swh.network/* protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" profile class profile::keycloak::resources { $realms = lookup({ name => 'keycloak::resources::realms', value_type => Hash, merge => { strategy => 'deep', knockout_prefix => '--', }, default_value => {}, }) $realm_common_settings = lookup({ name => 'keycloak::resources::realms::common_settings', value_type => Hash, merge => { strategy => 'deep', knockout_prefix => '--', }, default_value => {}, }) $client_common_settings = lookup({ name => 'keycloak::resources::clients::common_settings', value_type => Hash, merge => { strategy => 'deep', knockout_prefix => '--', }, default_value => {}, }) $realms.each |$realm_name, $realm_data| { $_local_realm_settings = pick($realm_data['settings'], {}) $_full_realm_settings = deep_merge($realm_common_settings, $_local_realm_settings) keycloak_realm {$realm_name: ensure => present, * => $_full_realm_settings, } $clients = pick($realm_data['clients'], {}) $realm_client_common_settings = deep_merge($client_common_settings, pick($realm_data['client_settings'], {})) $clients.each |$client_name, $client_data| { $_local_client_settings = pick($client_data['settings'], {}) $_full_client_settings = deep_merge($realm_client_common_settings, $_local_client_settings) $client_id = fqdn_uuid("${realm_name}.${client_name}") keycloak_client {"${client_name} on ${realm_name}": ensure => present, id => $client_id, * => $_full_client_settings, } $protocol_mappers = pick($client_data['protocol_mappers'], []) $protocol_mappers.each | Hash $protocol_mapper_data | { $_pm_data = Hash($protocol_mapper_data.map |$key, $value| { [$key, $value ? {'__client_id__' => $client_name, default => $value}] }) $protocol_mapper_name = $protocol_mapper_data['name'] $protocol_mapper_id = fqdn_uuid("${realm_name}.${client_name}.${protocol_mapper_name}") keycloak_client_protocol_mapper {"${protocol_mapper_data['name']} for ${client_id} on ${realm_name}": ensure => present, id => $protocol_mapper_id, * => $_pm_data, } } } } } | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||