Use archlinux realm for applications instead of master

25a41929 · Sven-Hendrik Haase · 3e2b6934 · 25a41929 · 25a41929 · 25a41929
Verified Commit 25a41929 authored May 02, 2020 by Sven-Hendrik Haase
--- a/one-shots/keycloak-importer/import_user_groups.py
+++ b/one-shots/keycloak-importer/import_user_groups.py
@@ -20,9 +20,9 @@ CLIENT_ID = "admin-cli"
 KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
 KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
 KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
-KEYCLOAK_REALM = "master"
+KEYCLOAK_REALM = "archlinux"

-REALM_URL = f"{KEYCLOAK_URL}/realms/{KEYCLOAK_REALM}"
+REALM_URL = f"{KEYCLOAK_URL}/realms/master"
 FETCH_TOKEN_URL = f"{REALM_URL}/protocol/openid-connect/token"
 API_BASE_URL = f"{KEYCLOAK_URL}/admin/realms/{KEYCLOAK_REALM}"


--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -9,7 +9,7 @@
    - restart keycloak

 - name: create an admin user
-  command: /opt/keycloak/bin/add-user-keycloak.sh -u "{{ vault_keycloak_admin_user }}" -p "{{ vault_keycloak_admin_password }}"
+  command: /opt/keycloak/bin/add-user-keycloak.sh -r master -u "{{ vault_keycloak_admin_user }}" -p "{{ vault_keycloak_admin_password }}"
  args:
    creates: /opt/keycloak/standalone/configuration/keycloak-add-user.json


--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -34,4 +34,8 @@ server {
        proxy_set_header Host $host;
        proxy_ssl_verify       off;
    }
+
+    location = / {
+        return 301 https://$server_name/auth/;
+    }
 }
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -34,8 +34,8 @@ variable "gitlab_instance" {
  }
 }

-resource "keycloak_realm" "master" {
-  realm = "master"
+resource "keycloak_realm" "archlinux" {
+  realm = "archlinux"
  enabled = true
  remember_me = true
  display_name = "Arch Linux"
@@ -59,7 +59,7 @@ resource "keycloak_realm" "master" {
 }

 resource "keycloak_saml_client" "saml_gitlab" {
-  realm_id = "master" // "${keycloak_realm.realm.id}"
+  realm_id = "archlinux" // "${keycloak_realm.realm.id}"
  client_id = "saml_gitlab"

  name = "Arch Linux Accounts"
@@ -84,7 +84,7 @@ resource "keycloak_saml_client" "saml_gitlab" {


 resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
-  realm_id = "master"
+  realm_id = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name = "email"
@@ -96,7 +96,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {


 resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_name" {
-  realm_id = "master"
+  realm_id = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name = "name"
@@ -108,7 +108,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_name" {


 resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
-  realm_id = "master"
+  realm_id = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name = "first_name"
@@ -120,7 +120,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name"


 resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
-  realm_id = "master"
+  realm_id = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name = "last_name"
@@ -138,18 +138,18 @@ variable "arch_groups" {
 resource "keycloak_group" "arch_groups" {
  for_each = var.arch_groups

-  realm_id = "master"
+  realm_id = "archlinux"
  name = each.value
 }

 resource "keycloak_role" "devops" {
-  realm_id = "master"
+  realm_id = "archlinux"
  name = "DevOps"
  description = "DevOps role"
 }

 resource "keycloak_group_roles" "group_roles" {
-  realm_id = "master"
+  realm_id = "archlinux"
  group_id = keycloak_group.arch_groups["DevOps"].id
  role_ids = [
    keycloak_role.devops.id
@@ -161,7 +161,7 @@ output "gitlab_saml_configuration" {
    issuer = keycloak_saml_client.saml_gitlab.client_id
    assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
    admin_groups = [keycloak_role.devops.name]
-    idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/master/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
+    idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
    signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
  }
 }