maurice/snix

Fork 0

Commit graph

Author	SHA1	Message	Date
Florian Klink	d9ca20a5cc	feat(ops/keycloak): configure Forgejo Roles There's two Roles for the Forgejo application, "Admin" and "Contributors". Everyone gets the "Contributor" role assigned automatically (it doesn't really give you a ton of privileges). Regarding mapping Gerrit groups, it seems there's no support for this in the `gerrit-oauth-provider` plugin (yet) - see https://github.com/davido/gerrit-oauth-provider/issues/170. Fixes #73. Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a Reviewed-on: https://cl.snix.dev/c/snix/+/30477 Tested-by: besadii Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com> Autosubmit: Florian Klink <flokli@flokli.de>	2025-05-05 12:36:30 +00:00
Florian Klink	e20ff4cb60	fix(ops/keycloak): fix assigning grafana_roles keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was missing. It is configured to make the client roles for this Application (and only those for this application) available in the grafana_roles claim. We can also disable full scope, as we're not interested in other role mappings. The Terraform files are a bit reorganized, everything configuring the Grafana client lives in grafana.tf (and vice-versa for Forgejo, Buildkite and Gerrit). The only thing left in permissions.tf is global groups, their memberships and mappings. Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2 Reviewed-on: https://cl.snix.dev/c/snix/+/30476 Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de> Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>	2025-05-05 12:36:30 +00:00

Author

SHA1

Message

Date

Florian Klink

d9ca20a5cc

feat(ops/keycloak): configure Forgejo Roles

There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>

2025-05-05 12:36:30 +00:00

Florian Klink

e20ff4cb60

fix(ops/keycloak): fix assigning grafana_roles

keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>

2025-05-05 12:36:30 +00:00

2 commits