Fixes #28436 - Add keycloak support #779
Conversation
There was a problem hiding this comment.
@ekohl I am also trying to use this PR as an opportunity to learn and contribute to the puppet-foreman repo.
Few questions in the comments below.
| # | ||
| # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin | ||
| # | ||
| # If $suburi is used, --location-root should also be passed in |
There was a problem hiding this comment.
Not sure what $suburi is and where/how it can we used. Can you share some insights?
There was a problem hiding this comment.
Not sure how much it's used, but if foreman_url is passed in as https://foreman.example.com/foreman then $suburi will be set. Probably ok to ignore it for now.
ekohl
force-pushed
the
28436-keycloak
branch
from
89e9ab6
to
0a966e8
Compare
|
Updated to not configure the settings and require the user to do so. |
| } elsif $keycloak { | ||
| apache::mod { 'auth_openidc': | ||
| package => 'mod_auth_openidc', | ||
| } |
There was a problem hiding this comment.
Should we also install keycloak-httpd-client-install package too?
There was a problem hiding this comment.
I was debating that, but decided against it. I think the instruction should be:
yum install keycloak-httpd-client-installkeycloak-httpd-client-install ....foreman-installer --foreman-keycloak true --foreman-keycloak-realm ...
In theory the installer could run the install command, but then we need to pass credentials and I think that's something we probably don't want.
|
@ekohl can you please rebase? |
|
I think this should good once the conflict is solved, can you please solve the conflicts and rebase? |
|
Rebased to fix the merge conflict. |
|
@ekohl @rahulbajaj0509 I am not able to test this PR as installer is failing with issue mentioned at theforeman/puppet-certs#266 (comment) I tried to revert the PR changes but still installer is failing with |
That's unrelated, but should be resolved in the latest nightly packages. |
|
@ekohl Seems fairly straight forward of a change, if you circle back to the tests I am happy to merge |
ekohl
force-pushed
the
28436-keycloak
branch
from
b31019e
to
4abb017
Compare
manifests/config/apache.pp
Outdated
| @@ -83,6 +83,9 @@ | |||
| Boolean $ipa_authentication = $::foreman::ipa_authentication, | |||
| Hash[String, Any] $http_vhost_options = {}, | |||
| Hash[String, Any] $https_vhost_options = {}, | |||
| Boolean $keycloak = $foreman::keycloak, | |||
| String[1] $keycloak_app_name = $foreman::keycloak_app_name, | |||
| String[1] $keycloak_realm = $foreman::keycloak_realm, | |||
There was a problem hiding this comment.
Do these need to be $:: prefixed?
There was a problem hiding this comment.
Technically no and I'd also like to remove that prefix everywhere else. Just haven't gotten around to it. It was needed to make Puppet 3 and Puppet 4 behave in the same way but luckily those dark days are behind us. In this case I'm going to add them to stay consistent with the rest of the file.
ekohl
force-pushed
the
28436-keycloak
branch
2 times, most recently
from
850220b
to
c5d7cdb
Compare
|
Needs a rebase |
ekohl
force-pushed
the
28436-keycloak
branch
from
c5d7cdb
to
b39013c
Compare
| let(:params) { super().merge(keycloak: true) } | ||
|
|
||
| it { should compile.with_all_deps } | ||
| it { should contain_apache_mod('auth_openidc') } |
There was a problem hiding this comment.
This needs an additional underscore apache__mod
|
I see a dependency cycle error as well in the tests but I am less clear on how to resolve that one. |
This adds support for keycloak when using the keycloak-httpd-client-install command. A more native integration would rely on the oidc support in puppetlabs-apache, but that's unreleased. It drops the dependency chaining for the passenger package because it was leading to dependency cycles and I don't see a reason for the explicit chaining.
ekohl
force-pushed
the
28436-keycloak
branch
from
b39013c
to
52052e4
Compare
This is a draft since it hasn't been tested end to end. It's here to allow end-to-end testing using forklift.
theforeman/forklift#1065 is a related PR to install a Keycloak server.