Changeset View
Changeset View
Standalone View
Standalone View
site-modules/profile/manifests/keycloak/primary.pp
| # Definition for the primary keycloak server | # Definition for the primary keycloak server | ||||
| class profile::keycloak::primary { | class profile::keycloak::primary { | ||||
| $backend_port = lookup('keycloak::backend::port') | $backend_port = lookup('keycloak::backend::port') | ||||
| $postgres_host = lookup('keycloak::postgres::host') | $postgres_host = lookup('keycloak::postgres::host') | ||||
| $postgres_port = lookup('keycloak::postgres::port') | $postgres_port = lookup('keycloak::postgres::port') | ||||
| $postgres_dbname = lookup('keycloak::postgres::dbname') | $postgres_dbname = lookup('keycloak::postgres::dbname') | ||||
| $postgres_user = lookup('keycloak::postgres::user') | $postgres_user = lookup('keycloak::postgres::user') | ||||
| $postgres_password = lookup('keycloak::postgres::password') | $postgres_password = lookup('keycloak::postgres::password') | ||||
| $admin_user = lookup('keycloak::admin::user') | $admin_user = lookup('keycloak::admin::user') | ||||
| $admin_password = lookup('keycloak::admin::password') | $admin_password = lookup('keycloak::admin::password') | ||||
| $swh_realm_name = lookup('keycloak::realm::swh::name') | |||||
| $swh_realm_display_name = lookup('keycloak::realm::swh::display_name') | |||||
| $swh_web_client_id = lookup('keycloak::client::swh_web::id') | |||||
| class {'::keycloak': | class {'::keycloak': | ||||
| # Virtual Host settings | # Virtual Host settings | ||||
| proxy_https => true, | proxy_https => true, | ||||
| # Bind address | # Bind address | ||||
| http_port => $backend_port, | http_port => $backend_port, | ||||
| # Admin user settings | # Admin user settings | ||||
| admin_user => $admin_user, | admin_user => $admin_user, | ||||
| admin_user_password => $admin_password, | admin_user_password => $admin_password, | ||||
| # Database settings | # Database settings | ||||
| datasource_driver => 'postgresql', | datasource_driver => 'postgresql', | ||||
| datasource_host => $postgres_host, | datasource_host => $postgres_host, | ||||
| datasource_port => $postgres_port, | datasource_port => $postgres_port, | ||||
| datasource_dbname => $postgres_dbname, | datasource_dbname => $postgres_dbname, | ||||
| datasource_username => $postgres_user, | datasource_username => $postgres_user, | ||||
| datasource_password => $postgres_password, | datasource_password => $postgres_password, | ||||
| # Don't manage the PostgreSQL database | # Don't manage the PostgreSQL database | ||||
| manage_datasource => false, | manage_datasource => false, | ||||
| } | } | ||||
| keycloak_realm { $swh_realm_name: | |||||
| ensure => 'present', | |||||
| display_name => $swh_realm_display_name, | |||||
| remember_me => true, | |||||
| } | |||||
| keycloak_client { $swh_web_client_id: | |||||
| ensure => 'present', | |||||
| realm => $swh_realm_name, | |||||
| redirect_uris => [ | |||||
| 'http://localhost:5004/*', | |||||
ardumont: Make that configurable so this can also be testable on other "archive" (webapp.internal.staging. | |||||
Done Inline ActionsOh right, I forgot those. anlambert: Oh right, I forgot those. | |||||
| 'https://archive.softwareheritage.org/*', | |||||
| 'https://archive.internal.softwareheritage.org/*', | |||||
| 'https://webapp.internal.staging.swh.network/*', | |||||
| 'https://webapp.staging.swh.network/*', | |||||
| 'https://webapp0.softwareheritage.org/*', | |||||
ardumontUnsubmitted Not Done Inline ActionsI meant to make that as a list value in a defaults.yaml entry key. defaulting to the production one as we do other services deployment. keycloak::client::swh_web::redirect_uris: - http://localhost:5004/* # no idea if it's relevant here - https://archive.softwareheritage.org/* as default for the production and on other file (sesi_rocquencourt_staging.yml, staging for example): keycloak::client::swh_web::redirect_uris: - ... - https://webapp.internal.staging.swh.network/* for staging etc... And then in that file do a lookup of the variable and you are golden ;) ardumont: I meant to make that as a list value in a defaults.yaml entry key.
So we can configure it per… | |||||
olasdAuthorUnsubmitted Not Done Inline ActionsThat can't work. There's a single keycloak server shared across the different environments. olasd: That can't work. There's a single keycloak server shared across the different environments. | |||||
| ], | |||||
| default_client_scopes => ['profile', 'email', 'roles', 'web-origins'], | |||||
| optional_client_scopes => ['microprofile-jwt', 'offline_access'], | |||||
| public_client => true, | |||||
| } | |||||
| keycloak_client_protocol_mapper { | |||||
| "audience for ${swh_web_client_id} on ${swh_realm_name}": | |||||
| type => 'oidc-audience-mapper', | |||||
| included_client_audience => $swh_web_client_id, | |||||
| } | |||||
| keycloak_client_protocol_mapper { | |||||
| "user groups for ${swh_web_client_id} on ${swh_realm_name}": | |||||
| type => 'oidc-group-membership-mapper', | |||||
| claim_name => 'groups', | |||||
| full_path => true, | |||||
| } | |||||
| } | } | ||||
Make that configurable so this can also be testable on other "archive" (webapp.internal.staging.swh.network, webapp0.softwareheritage.org)...