site-modules/profile/manifests/keycloak/primary.pp
# Definition for the primary keycloak server | # Definition for the primary keycloak server | ||||
class profile::keycloak::primary { | class profile::keycloak::primary { | ||||
$backend_port = lookup('keycloak::backend::port') | $backend_port = lookup('keycloak::backend::port') | ||||
$postgres_host = lookup('keycloak::postgres::host') | $postgres_host = lookup('keycloak::postgres::host') | ||||
$postgres_port = lookup('keycloak::postgres::port') | $postgres_port = lookup('keycloak::postgres::port') | ||||
$postgres_dbname = lookup('keycloak::postgres::dbname') | $postgres_dbname = lookup('keycloak::postgres::dbname') | ||||
$postgres_user = lookup('keycloak::postgres::user') | $postgres_user = lookup('keycloak::postgres::user') | ||||
$postgres_password = lookup('keycloak::postgres::password') | $postgres_password = lookup('keycloak::postgres::password') | ||||
$admin_user = lookup('keycloak::admin::user') | $admin_user = lookup('keycloak::admin::user') | ||||
$admin_password = lookup('keycloak::admin::password') | $admin_password = lookup('keycloak::admin::password') | ||||
$swh_realm_name = lookup('keycloak::realm::swh::name') | |||||
$swh_realm_display_name = lookup('keycloak::realm::swh::display_name') | |||||
$swh_web_client_id = lookup('keycloak::client::swh_web::id') | |||||
class {'::keycloak': | class {'::keycloak': | ||||
# Virtual Host settings | # Virtual Host settings | ||||
proxy_https => true, | proxy_https => true, | ||||
# Bind address | # Bind address | ||||
http_port => $backend_port, | http_port => $backend_port, | ||||
# Admin user settings | # Admin user settings | ||||
admin_user => $admin_user, | admin_user => $admin_user, | ||||
admin_user_password => $admin_password, | admin_user_password => $admin_password, | ||||
# Database settings | # Database settings | ||||
datasource_driver => 'postgresql', | datasource_driver => 'postgresql', | ||||
datasource_host => $postgres_host, | datasource_host => $postgres_host, | ||||
datasource_port => $postgres_port, | datasource_port => $postgres_port, | ||||
datasource_dbname => $postgres_dbname, | datasource_dbname => $postgres_dbname, | ||||
datasource_username => $postgres_user, | datasource_username => $postgres_user, | ||||
datasource_password => $postgres_password, | datasource_password => $postgres_password, | ||||
# Don't manage the PostgreSQL database | # Don't manage the PostgreSQL database | ||||
manage_datasource => false, | manage_datasource => false, | ||||
} | } | ||||
keycloak_realm { $swh_realm_name: | |||||
ensure => 'present', | |||||
display_name => $swh_realm_display_name, | |||||
remember_me => true, | |||||
} | |||||
keycloak_client { $swh_web_client_id: | |||||
ensure => 'present', | |||||
realm => $swh_realm_name, | |||||
redirect_uris => [ | |||||
'http://localhost:5004/*', | |||||
ardumont: Make that configurable so this can also be testable on other "archive" (webapp.internal.staging. | |||||
Done Inline ActionsOh right, I forgot those. anlambert: Oh right, I forgot those. | |||||
'https://archive.softwareheritage.org/*', | |||||
'https://archive.internal.softwareheritage.org/*', | |||||
'https://webapp.internal.staging.swh.network/*', | |||||
'https://webapp.staging.swh.network/*', | |||||
'https://webapp0.softwareheritage.org/*', | |||||
ardumontUnsubmitted Not Done Inline ActionsI meant to make that as a list value in a defaults.yaml entry key. defaulting to the production one as we do other services deployment. keycloak::client::swh_web::redirect_uris: - http://localhost:5004/* # no idea if it's relevant here - https://archive.softwareheritage.org/* as default for the production and on other file (sesi_rocquencourt_staging.yml, staging for example): keycloak::client::swh_web::redirect_uris: - ... - https://webapp.internal.staging.swh.network/* for staging etc... And then in that file do a lookup of the variable and you are golden ;) ardumont: I meant to make that as a list value in a defaults.yaml entry key.
So we can configure it per… | |||||
olasdAuthorUnsubmitted Not Done Inline ActionsThat can't work. There's a single keycloak server shared across the different environments. olasd: That can't work. There's a single keycloak server shared across the different environments. | |||||
], | |||||
default_client_scopes => ['profile', 'email', 'roles', 'web-origins'], | |||||
optional_client_scopes => ['microprofile-jwt', 'offline_access'], | |||||
public_client => true, | |||||
} | |||||
keycloak_client_protocol_mapper { | |||||
"audience for ${swh_web_client_id} on ${swh_realm_name}": | |||||
type => 'oidc-audience-mapper', | |||||
included_client_audience => $swh_web_client_id, | |||||
} | |||||
keycloak_client_protocol_mapper { | |||||
"user groups for ${swh_web_client_id} on ${swh_realm_name}": | |||||
type => 'oidc-group-membership-mapper', | |||||
claim_name => 'groups', | |||||
full_path => true, | |||||
} | |||||
} | } |
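Review bot: The `redirect_uris` list in the new `keycloak_client { $swh_web_client_id: ... }` resource registers `'http://localhost:5004/*'` on the same client that serves the production hosts, and the client is `public_client => true`; a plain-HTTP localhost callback on a production realm lets an authorization code be delivered to whatever happens to listen on that port on the user's machine, and the `/*` suffix widens it further. A development callback belongs on a separate client (or realm) rather than in the production list, so at minimum drop the line `'http://localhost:5004/*',` and keep only the HTTPS entries; the inline thread already covers how the HTTPS list itself should be sourced, so I am not repeating that. Each remaining `/*` entry would also be safer narrowed to the web app's actual callback path if the application allows it. This assumes the side-by-side rendering places these lines on the new side, which the attached inline comments suggest but the page does not mark explicitly.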
Make that configurable so this can also be testable on other "archive" (webapp.internal.staging.swh.network, webapp0.softwareheritage.org)...