Commit 8942802c authored by Sven-Hendrik Haase

Add GitHub OAuth for Keycloak

parent 682d34c5
......@@ -10,6 +10,7 @@ It also contains git submodules so you have to run `git submodule update --init
Install these packages:
- terraform
- terraform-provider-keycloak
- python-typer
### Instructions
......@@ -53,7 +54,7 @@ Note that some roles already run this automatically.
We use packer to build snapshots on hcloud to use as server base images.
In order to use this, you need to install packer and then run
packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key env) packer/archlinux.json
packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.
......
$ANSIBLE_VAULT;1.1;AES256
34363332353038316637303436316631666563666264313531616334306135373565353333653532
6231316461666563316462373266356338616262623463350a633631376361343430336235326430
35353265643161666333313330383137633965303862303963616537643363393532666236373934
3830323863326235640a346537613464316364613139386362363136643138363538613835393135
34663063383763323733356361323530303761323739303538636237663834353538643066393230
61663836616137616339353630616238323763663136363365363966363763386331623935393336
34656161663539346263633738636533613532383231366266633230316138346330363834636338
39366435383561306330666663396138363066646466663465613134346136616565383336653162
63663432646563373631363765386635323430323161313162343962396634353234336438326364
37653931613636323166613939383736343465323561326236336161626333653266623130303463
346430393562333431363766636263316633
#!/usr/bin/python3
from contextlib import contextmanager
from enum import Enum
from pathlib import Path
import argparse
import json
import os
import sys
from contextlib import contextmanager
from enum import Enum
from pathlib import Path
from typing import List
import typer
import yaml
app = typer.Typer()
@contextmanager
def chdir(path):
......@@ -45,7 +48,7 @@ def load_vault(path):
)
class Output(Enum):
class OutputFormat(str, Enum):
BARE = "bare"
ENV = "env"
JSON = "json"
......@@ -54,37 +57,31 @@ class Output(Enum):
return self.value
def parse_args():
parser = argparse.ArgumentParser(
description="Retrieve a password from an Ansible vault."
)
parser.add_argument(dest="vault", type=Path, help="vault to open")
parser.add_argument(dest="key", help="key to extract")
parser.add_argument(
dest="output",
nargs="?",
type=Output,
choices=Output,
default=Output.BARE,
help="style of output",
)
return parser.parse_args()
def main():
args = parse_args()
value = load_vault(args.vault)[args.key]
if args.output == Output.BARE:
print(value)
elif args.output == Output.ENV:
print(f"{args.key}={value}")
elif args.output == Output.JSON:
json.dump({args.key: value}, sys.stdout)
def main(
vault: Path = typer.Argument(...),
keys: List[str] = typer.Argument(...),
format: OutputFormat = typer.Option(
OutputFormat.BARE, show_default=True, help="Output format"
),
):
"""
Get a bunch of entries from the vault located at VAULT.
Use KEYS to choose which keys in the vault you want to output.
"""
vault = load_vault(vault)
filtered = {vault_key: vault[vault_key] for vault_key in keys}
if format == OutputFormat.BARE:
for secret in filtered.values():
print(secret)
elif format == OutputFormat.ENV:
for key, secret in filtered.items():
print(f"{key}={secret}")
elif format == OutputFormat.JSON:
json.dump(filtered, sys.stdout)
print()
else:
assert False
if __name__ == "__main__":
main()
typer.run(main)
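Review bot: A key that is missing from the vault becomes a raw `KeyError` traceback at `filtered = {vault_key: vault[vault_key] for vault_key in keys}`, which is what Terraform's `external` data source will surface when one of the names passed from the .tf files is misspelled; a guard with a readable message is cheap: `missing = [k for k in keys if k not in vault]` followed by `if missing: raise typer.BadParameter(f"keys not found in vault: {', '.join(missing)}")`. The trailing `else: assert False` is stripped under `python -O`, and since typer already rejects an unknown `--format`, a `raise` would state the intent better than an assert. The `from contextlib`/`from enum`/`from pathlib` imports appear both before and after the `import sys` line on this page; if both copies survive on the new side they are duplicates. The parameter named `format` shadows the builtin — naming it `output_format` and declaring the option as `typer.Option(OutputFormat.BARE, "--format", ...)` keeps the CLI flag unchanged.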
......@@ -5,7 +5,7 @@ terraform {
}
data "external" "hetzner_cloud_api_key" {
program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "json"]
program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "--format", "json"]
}
data "hcloud_image" "archlinux" {
......
......@@ -4,34 +4,33 @@ terraform {
}
}
data "external" "keycloak_admin_user" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_user", "json"]
data "external" "vault_keycloak" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml",
"vault_keycloak_admin_user",
"vault_keycloak_admin_password",
"vault_keycloak_smtp_user",
"vault_keycloak_smtp_password",
"--format", "json"]
}
data "external" "keycloak_admin_password" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_password", "json"]
data "external" "vault_google" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml",
"vault_google_recaptcha_site_key",
"vault_google_recaptcha_secret_key",
"--format", "json"]
}
data "external" "keycloak_smtp_user" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_user", "json"]
}
data "external" "keycloak_smtp_password" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_password", "json"]
}
data "external" "google_recaptcha_site_key" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_site_key", "json"]
}
data "external" "google_recaptcha_secret_key" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_secret_key", "json"]
data "external" "vault_github" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_github.yml",
"vault_github_oauth_app_client_id",
"vault_github_oauth_app_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.keycloak_admin_user.result.vault_keycloak_admin_user
password = data.external.keycloak_admin_password.result.vault_keycloak_admin_password
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
url = "https://accounts.archlinux.org"
}
......@@ -65,8 +64,8 @@ resource "keycloak_realm" "archlinux" {
starttls = true
auth {
username = data.external.keycloak_smtp_user.result.vault_keycloak_smtp_user
password = data.external.keycloak_smtp_password.result.vault_keycloak_smtp_password
username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
}
}
......@@ -92,6 +91,24 @@ resource "keycloak_realm" "archlinux" {
}
}
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
realm = "archlinux"
alias = "github"
provider_id = "github"
authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
token_url = ""
default_scopes = ""
enabled = false
trust_email = false
store_token = false
backchannel_supported = false
extra_config = {
syncMode = "IMPORT"
}
}
resource "keycloak_saml_client" "saml_gitlab" {
realm_id = "archlinux"
client_id = "saml_gitlab"
......@@ -299,8 +316,8 @@ resource "keycloak_authentication_execution_config" "registration_recaptcha_acti
execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
config = {
"useRecaptchaNet" = "false",
"site.key" = data.external.google_recaptcha_site_key.result.vault_google_recaptcha_site_key
"secret" = data.external.google_recaptcha_secret_key.result.vault_google_recaptcha_secret_key
"site.key" = data.external.vault_google.result.vault_google_recaptcha_site_key
"secret" = data.external.vault_google.result.vault_google_recaptcha_secret_key
}
}
......
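Review bot: `authorization_url` on the new `keycloak_oidc_identity_provider` resource is Keycloak's own broker callback (`/broker/github/endpoint`), i.e. the redirect URI a GitHub OAuth app is registered with rather than GitHub's authorize endpoint, and `token_url` is empty; with `provider_id = "github"` Keycloak's built-in GitHub social provider presumably supplies its own endpoints and ignores both, but nothing in the file says so. The resource is also created with `enabled = false` although the commit adds GitHub OAuth, so a reader cannot tell whether that is a staged rollout or an oversight. A comment above the resource would settle both: `# provider_id "github" selects Keycloak's built-in GitHub social login, which brings its own endpoints (authorization_url/token_url here are placeholders — confirm); kept disabled until <reason>.` `trust_email = false` and `store_token = false` are the right defaults for an external IdP — a GitHub-asserted email should not auto-link to an existing realm account, and the upstream access token need not be persisted in Keycloak. Consolidating the keys into one `vault_keycloak`/`vault_google`/`vault_github` data source each is fine, but every `result` map still lands in plaintext in the Terraform state regardless of how many sources there are.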