feat(ops/keycloak): add GitLab SSO
Change-Id: I41ee3cb2988288e6b282d85b111c41064f09eaec
This commit is contained in:
		
							parent
							
								
									97f22e0ea6
								
							
						
					
					
						commit
						dd392ef054
					
				
					 4 changed files with 46 additions and 33 deletions
				
			
		
							
								
								
									
										41
									
								
								ops/keycloak/identity_providers.tf
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
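--- /dev/null
+++ b/ops/keycloak/identity_providers.tf
@@ -0,0 +1,41 @@
+variable "github_client_secret" {
+  type = string
+}
+
+variable "gitlab_client_secret" {
+  type = string
+}
+
+resource "keycloak_oidc_identity_provider" "github" {
+  alias                 = "github"
+  provider_id           = "github"
+  client_id             = "Ov23liKpXqs0aPaVgDpg"
+  client_secret         = var.github_client_secret
+  realm                 = keycloak_realm.snix.id
+  backchannel_supported = false
+  gui_order             = "1"
+  store_token           = false
+  sync_mode             = "IMPORT"
+  trust_email           = true
+  default_scopes        = "openid user:email"
+
+  authorization_url = ""
+  token_url         = ""
+}
+
+resource "keycloak_oidc_identity_provider" "gitlab" {
+  alias                 = "gitlab"
+  provider_id           = "gitlab"
+  client_id             = "6ecb359ede53f7d80003d127dc4448bd1b1d73631a01273d9576e00ff9a94d2c"
+  client_secret         = var.gitlab_client_secret
+  realm                 = keycloak_realm.snix.id
+  backchannel_supported = false
+  gui_order             = "2"
+  store_token           = false
+  sync_mode             = "IMPORT"
+  trust_email           = true
+  default_scopes        = "openid read_user"
+
+  authorization_url = ""
+  token_url         = ""
+}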
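Review bot: The empty `authorization_url = ""` and `token_url = ""` pairs on both providers no longer carry the explanation the removed file had, so they now read like an unfinished configuration rather than a deliberate choice; restore it above each pair as `# These default to built-in values for this provider_id.` Both providers also set `trust_email = true`, which tells Keycloak to treat the address supplied by the IdP as already verified and can influence how a login is matched against an existing realm user with the same email; for the new GitLab provider that is only as safe as the upstream instance's email-confirmation policy, which this change does not record, so a short comment stating that assumption (or `trust_email = false` until it is confirmed) would make the intent auditable. The `keycloak_realm.snix` both resources reference is defined outside this file.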
|  | @ -1,27 +0,0 @@ | |||
| # All user sources, that is services from which Keycloak gets user | ||||
| # information (either by accessing a system like LDAP or integration | ||||
| # through protocols like OIDC). | ||||
| 
 | ||||
| variable "github_client_secret" { | ||||
|   type = string | ||||
| } | ||||
| 
 | ||||
| # keycloak_oidc_identity_provider.github will be destroyed | ||||
| # (because keycloak_oidc_identity_provider.github is not in configuration) | ||||
| resource "keycloak_oidc_identity_provider" "github" { | ||||
|   alias                 = "github" | ||||
|   provider_id           = "github" | ||||
|   client_id             = "Ov23liKpXqs0aPaVgDpg" | ||||
|   client_secret         = var.github_client_secret | ||||
|   realm                 = keycloak_realm.snix.id | ||||
|   backchannel_supported = false | ||||
|   gui_order             = "1" | ||||
|   store_token           = false | ||||
|   sync_mode             = "IMPORT" | ||||
|   trust_email           = true | ||||
|   default_scopes        = "openid user:email" | ||||
| 
 | ||||
|   # These default to built-in values for the `github` provider_id. | ||||
|   authorization_url = "" | ||||
|   token_url         = "" | ||||
| } | ||||
										
											Binary file not shown.
										
									
								
							|  | @ -29,9 +29,9 @@ went through these instructions first. | |||
| 
 | ||||
| ### Creating a Gerrit account | ||||
|  - Navigate to [our Gerrit instance][snix-gerrit]. Hit the "Sign in" button | ||||
|    (which allows SSO with a GitHub account) [^1] | ||||
|    (which allows SSO with some common IdPs) | ||||
|  - In the User settings, paste an SSH public key and hit the "Add New SSH key" | ||||
|    button. [^2] | ||||
|    button. [^1] | ||||
|  - Alternatively, you can also create "HTTP Credentials" (though saving the HTTP | ||||
|    password is messy). | ||||
| 
 | ||||
|  | @ -58,7 +58,7 @@ replicates fast enough, then update to --push only --> | |||
| ### Install the commit-msg hook | ||||
| Gerrit uses a `commit-msg` hook to add a `Change-Id: …` field to each commit | ||||
| message if not present already. This allows Gerrit to identify new revisions / | ||||
| updates of old commits, and track them as new revisions of the same "CL" [^3]. | ||||
| updates of old commits, and track them as new revisions of the same "CL" [^2]. | ||||
| 
 | ||||
| To install the commit-msg hook, run the following from the repo root: | ||||
| 
 | ||||
|  | @ -122,6 +122,5 @@ $ git push origin HEAD:refs/for/canon%r=alice,cc=bob,l=Autosubmit+1,publish-comm | |||
| [snix-gerrit]: https://cl.snix.dev | ||||
| [Gerrit walkthrough]: https://gerrit-review.googlesource.com/Documentation/intro-gerrit-walkthrough.html | ||||
| [gerrit-for-github-users]: https://gerrit.wikimedia.org/r/Documentation/intro-gerrit-walkthrough-github.html | ||||
| [^1]: more SSO providers to come | ||||
| [^2]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key. | ||||
| [^3]: abbreviation for "change list", and the review unit in Gerrit. | ||||
| [^1]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key. | ||||
| [^2]: abbreviation for "change list", and the review unit in Gerrit. | ||||
|  |  | |||