From dd392ef054a992e1a27dd01f76343b0e6f17c937 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Mon, 17 Mar 2025 11:00:52 +0000
Subject: [PATCH] feat(ops/keycloak): add GitLab SSO

Change-Id: I41ee3cb2988288e6b282d85b111c41064f09eaec
---
 ops/keycloak/identity_providers.tf      | 41 ++++++++++++++++++++++++
 ops/keycloak/user_sources.tf            | 27 ----------------
 ops/secrets/tf-keycloak.age             | Bin 654 -> 753 bytes
 web/content/docs/guides/contributing.md | 11 +++----
 4 files changed, 46 insertions(+), 33 deletions(-)
 create mode 100644 ops/keycloak/identity_providers.tf
 delete mode 100644 ops/keycloak/user_sources.tf

diff --git a/ops/keycloak/identity_providers.tf b/ops/keycloak/identity_providers.tf
new file mode 100644
index 000000000..b60804a7d
--- /dev/null
+++ b/ops/keycloak/identity_providers.tf
@@ -0,0 +1,41 @@
+variable "github_client_secret" {
+  type = string
+}
+
+variable "gitlab_client_secret" {
+  type = string
+}
+
+resource "keycloak_oidc_identity_provider" "github" {
+  alias = "github"
+  provider_id = "github"
+  client_id = "Ov23liKpXqs0aPaVgDpg"
+  client_secret = var.github_client_secret
+  realm = keycloak_realm.snix.id
+  backchannel_supported = false
+  gui_order = "1"
+  store_token = false
+  sync_mode = "IMPORT"
+  trust_email = true
+  default_scopes = "openid user:email"
+
+  authorization_url = ""
+  token_url = ""
+}
+
+resource "keycloak_oidc_identity_provider" "gitlab" {
+  alias = "gitlab"
+  provider_id = "gitlab"
+  client_id = "6ecb359ede53f7d80003d127dc4448bd1b1d73631a01273d9576e00ff9a94d2c"
+  client_secret = var.gitlab_client_secret
+  realm = keycloak_realm.snix.id
+  backchannel_supported = false
+  gui_order = "2"
+  store_token = false
+  sync_mode = "IMPORT"
+  trust_email = true
+  default_scopes = "openid read_user"
+
+  authorization_url = ""
+  token_url = ""
+}
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
deleted file mode 100644
index 499c7f7f3..000000000
--- a/ops/keycloak/user_sources.tf
+++ /dev/null
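Review bot: `trust_email = true` on the new gitlab provider (and the carried-over github one) tells Keycloak to treat the address asserted by the IdP as already verified, and with `sync_mode = "IMPORT"` that address is used when the local account is first created, so account creation and matching against existing users now rest on GitLab's own email-confirmation rules and on the realm's first-broker-login flow, neither of which is visible in this hunk; a comment recording that assumption next to the attribute would help, e.g. `# trust_email relies on the upstream IdP only exposing confirmed addresses; linking to existing users is still gated by the first-broker-login flow`. The explanatory comments from the deleted user_sources.tf were not carried over, in particular the one explaining that the empty `authorization_url`/`token_url` fall back to the built-in endpoints for the given `provider_id`; restoring it above both providers' empty URL attributes avoids the reading that the endpoints are unconfigured. A `description` on the two secret variables noting that they are supplied from the age-encrypted tf-keycloak secrets file changed in the same commit would also be worth adding, though that is a stylistic point.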
@@ -1,27 +0,0 @@
-# All user sources, that is services from which Keycloak gets user
-# information (either by accessing a system like LDAP or integration
-# through protocols like OIDC).
-
-variable "github_client_secret" {
-  type = string
-}
-
-# keycloak_oidc_identity_provider.github will be destroyed
-# (because keycloak_oidc_identity_provider.github is not in configuration)
-resource "keycloak_oidc_identity_provider" "github" {
-  alias = "github"
-  provider_id = "github"
-  client_id = "Ov23liKpXqs0aPaVgDpg"
-  client_secret = var.github_client_secret
-  realm = keycloak_realm.snix.id
-  backchannel_supported = false
-  gui_order = "1"
-  store_token = false
-  sync_mode = "IMPORT"
-  trust_email = true
-  default_scopes = "openid user:email"
-
-  # These default to built-in values for the `github` provider_id.
-  authorization_url = ""
-  token_url = ""
-}
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age index 1ebcaa08282ca7edc1868cfbd3501350baa20a23..f33370e075d9b117b1f20e0cac9fd0770a1a13b6 100644 GIT binary patch delta 721 zcmeBU{m42&r{2fgJt9BC(J03}&nT)W%_7Rkz|SC4J2Njo+u5_Spg7Xc&nqe^z|q~% zg3H^xpt3y8wYVfI$iT-a*TBWGAk4|ID91ObFigA5sXRL@u&kog%`wO~l1tZ4A;QSi z)X-AFBE`+yy|kb(J)k5a)GIWoAk(GL$2rX`IMdU`tUfKnvC_meqQWOE*~8d`%S}Jc zGdU=tq$1t0G^ez#XQWXEGRW6C@Q(YAkbgG$}-RqWJPgthHh#K#2#m( zs_;BVg(&Ud?Br4>eeIy4z=Ciu&%$h@u!2Gt-_SxM17qy~i%2hR%cAu1%u?fYF2BHf z!`zfylT5?h;w-O3-_R(3ckfh}&?*!Bg3L@;lj3rBH}^cVaxPt6T?N1NytGh% z53|bTqylfJG<|ld@df=+lM}duwS%}Pz{+g z@#KNVP^G!yp+O7v4)Svc=)S94wQ16~&GqlSQnk|NRIdBgzB+vU&r|bHdQ8!usJ3zP z_1=RmZ#a3al_T!PD9Imn?A>%^#rfMdHn!1i7EksI^||%jJ0;b1V7vHz!)vut58VEh zq@`@z=&AWp;0LFF8rLV5lTIqHEH=LjtNgfRk8kM5sa`gnhnI!2-Yj}JA^pv?`GR%M zI}K72>Sz9c9kYSoWc|%m9S=IH?oLT7OWwe=T6WK#y;sB5Z`RRVwPtShj|Vg7Uw*$t zr_o8pwdzKG%*yhoMy<*7XO^CCjo!s|`O@{eJpp|A8B$L#X(tJ8t-gOfZTT_x?tT1{ zrOX|*bH6%2b-r(Sg^giXou_Q-Q;!~<_)9`chi>aEO#8mjYiVRkykh6V6*(GrcP+Zb z>-zt0Oh=?t4AYgwUq+|fT@~cKZ7M?dzxwy*Qqe{Bs%7!N+j6#66>oOk$UTdpF+-tg O+Kq~Lt*^O-ttA1|W-CGf delta 621 zcmey!+Q&LUr`{{qR6ocgHOkO4tRgwdBGJ4kJ0m5d(kD5huplrn#j-ryKwmq=%iGA= zmCMq+(7z}--P6J~OFP2D%rhvk*eTmTv@j|nBQn6#(pmO zFEuB_#VgMzH7dB&vcx~B*gHHRBETa(tK7{su{h1$OFP0XG}Sy5WJPgthHh#K#2#m( zs_;BVg;eh>XTt(>lT@E_?+ibK)O;81G^dDArxN3eFbjjs^dzrfH&4^D{J<&;E)(Z^ zuTY~1!}Kce0t>&SY>z14BCoQ<#5_ya@{-^vrw~gsC$}(zV$Z0gNG@GnU4=qRXS487 z?~;<@kdlIM^N3ux$YQgktkU2@eeDp7oT4xf&!PgK{FF*pPp-TA+>g?1Guw8HFAy#K z7(Q_xhl767i|>nnzbpNc_?|wfj>)~ia_Za z>Fwt`RG)qSzhn27*7@iD98v$fwb$cx_5B%#j_7RKID7N4m@BL6g7(IzbY0r$d~lPL z`Tf1Qmvz&e^K6|%N|j22pDOIVDlHha^x*!df0p^2|8Mz1bg|au#yAzNXD%+G4}w4L zjA1z2^7iG7JDWa#{5R2Zui3`SDyN(*8D{UOS=c$@>dN0D=dVcpnD(oXd-=*2T8j;f QYd?O-j+(0<$S89W0O+d)Q2+n{ diff --git a/web/content/docs/guides/contributing.md b/web/content/docs/guides/contributing.md index 1ebf4515d..95b50b534 100644 --- a/web/content/docs/guides/contributing.md +++ b/web/content/docs/guides/contributing.md 
@@ -29,9 +29,9 @@ went through these instructions first.
 
 ### Creating a Gerrit account
 - Navigate to [our Gerrit instance][snix-gerrit]. Hit the "Sign in" button
-  (which allows SSO with a GitHub account) [^1]
+  (which allows SSO with some common IdPs)
 - In the User settings, paste an SSH public key and hit the "Add New SSH key"
-  button. [^2]
+  button. [^1]
 - Alternatively, you can also create "HTTP Credentials" (though saving the HTTP
   password is messy).
 
@@ -58,7 +58,7 @@ replicates fast enough, then update to --push only -->
 ### Install the commit-msg hook
 Gerrit uses a `commit-msg` hook to add a `Change-Id: …` field to each commit
 message if not present already. This allows Gerrit to identify new revisions /
-updates of old commits, and track them as new revisions of the same "CL" [^3].
+updates of old commits, and track them as new revisions of the same "CL" [^2].
 
 To install the commit-msg hook, run the following from the repo root:
 
@@ -122,6 +122,5 @@ $ git push origin HEAD:refs/for/canon%r=alice,cc=bob,l=Autosubmit+1,publish-comm
 [snix-gerrit]: https://cl.snix.dev
 [Gerrit walkthrough]: https://gerrit-review.googlesource.com/Documentation/intro-gerrit-walkthrough.html
 [gerrit-for-github-users]: https://gerrit.wikimedia.org/r/Documentation/intro-gerrit-walkthrough-github.html
-[^1]: more SSO providers to come
-[^2]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key.
-[^3]: abbreviation for "change list", and the review unit in Gerrit.
+[^1]: currently, `ssh-*-sk` keytypes are not supported, so use an `ssh-ed25519` key.
+[^2]: abbreviation for "change list", and the review unit in Gerrit.