Project:Infrastructure/Single Sign-on
Keycloak
Keycloak is currently used to implement Single sign-on (SSO) for Gentoo developers. It is deployed on sso.gentoo.org (tyrant) and sso-fallback.gentoo.org (gadwall).
Realms
Keycloak has two realms today.
- Admin: This realm is used to administer the Keycloak deployment itself. It enforces significantly stricter credential requirements; normal users do not use this realm and have no accounts in it.
- Gentoo: This realm reads its users from ldap.gentoo.org and is otherwise read-only for most attributes.
Deployment
Keycloak is deployed as Docker containers, with PostgreSQL as the database.
State is kept under /var/lib/gentoo-sso and bind-mounted into the containers at various paths so that it survives container redeployments.
Backups
Keycloak runs on two machines in an active/passive configuration; on the passive machine Keycloak is not running at all. The PostgreSQL databases replicate from the master (active) node to the passive node using pg_basebackup.
Failover
For failover, follow the standard PostgreSQL warm-standby failover documentation: https://www.postgresql.org/docs/12/warm-standby-failover.html.
NOTE: We should export the realm configuration regularly so that it can be re-imported if needed.
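The two operational steps above (seeding the passive PostgreSQL node and dumping the realm configuration) as a worked shell example. This is an added example, not a script from the Gentoo infrastructure repositories; it assumes a PostgreSQL 12 layout (standby.signal, postgresql.auto.conf written by pg_basebackup -R), a replication role named "replicator", a WildFly-based Keycloak image installed at /opt/jboss/keycloak inside a container named "keycloak", and a data directory under /var/lib/gentoo-sso. Hostnames, paths and role names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Gentoo infra's own tooling). Assumed: PostgreSQL 12,
# replication role "replicator", Keycloak container "keycloak" with the
# standard /opt/jboss/keycloak install path. Adjust the placeholders below.
set -euo pipefail

PRIMARY_HOST="sso.gentoo.org"                 # active node (placeholder)
SSO_PGDATA="/var/lib/gentoo-sso/postgres"     # assumed data directory
REPL_USER="replicator"                        # assumed replication role

# A standby must be seeded into an EMPTY data directory; pg_basebackup refuses
# otherwise, and a stale copy of the cluster would silently mask the problem.
# Returns 0 when the directory is safe to use as a target.
pgdata_is_empty() {
  local dir="$1"
  [ -d "$dir" ] || return 0          # does not exist yet: pg_basebackup creates it
  [ -z "$(ls -A "$dir")" ]
}

# Command that seeds the passive node from the active one.
# -R writes standby.signal plus primary_conninfo so the node comes up as a
# streaming standby; -X stream ships WAL during the copy so the base backup
# is consistent on its own.
standby_bootstrap_cmd() {
  printf 'pg_basebackup -h %s -U %s -D %s -X stream -R -P\n' \
    "$PRIMARY_HOST" "$REPL_USER" "$SSO_PGDATA"
}

# Promotion only makes sense once the old primary is confirmed down;
# otherwise both nodes accept writes and the Keycloak state diverges.
# The caller passes that confirmation explicitly so the guard is auditable.
promote_standby() {
  local old_primary_down="$1"
  [ "$old_primary_down" = "yes" ] || {
    echo "refusing to promote: old primary not confirmed down" >&2; return 1; }
  [ -f "$SSO_PGDATA/standby.signal" ] || {
    echo "refusing to promote: $SSO_PGDATA is not a standby" >&2; return 1; }
  echo "pg_ctl -D $SSO_PGDATA promote"
}

# Realm export (the "dump our realm config" note). Keycloak's migration export
# starts a second server instance inside the container; the port offset keeps
# it from colliding with the live one. Container name and path are assumptions.
realm_export_cmd() {
  local container="${1:-keycloak}" out="${2:-/tmp/realm-export.json}"
  printf 'docker exec %s /opt/jboss/keycloak/bin/standalone.sh %s %s %s %s\n' \
    "$container" \
    "-Djboss.socket.binding.port-offset=100" \
    "-Dkeycloak.migration.action=export" \
    "-Dkeycloak.migration.provider=singleFile" \
    "-Dkeycloak.migration.file=$out"
}

# Usage (print the commands rather than run them, so the script is safe to
# review before anything touches the live cluster):
#   pgdata_is_empty "$SSO_PGDATA" && standby_bootstrap_cmd
#   promote_standby yes
#   realm_export_cmd keycloak /var/lib/gentoo-sso/realm-export.json
```

The functions deliberately emit the commands instead of executing them: on an active/passive pair the dangerous mistakes are seeding over a populated data directory and promoting while the old primary still accepts writes, so the two guards are the part worth keeping even if the rest is replaced by a proper failover tool.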
Service integrations
Service | Integration | Status | Notes |
---|---|---|---|
Bugzilla | Gatekeeper | Not Started | We can set bugzilla user_info_class to ENV, CGI |
Wiki | OpenId Extension | Not Started | https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Example:_Using_it_against_Keycloak |
AWS | SAML 2.0 | Not Started | Use their existing identity provider stuff with SAML 2.0 |
Gentoo Admin | Gatekeeper | Not Started | Use htpasswd as fallback (i.e. in case sso.g.o is down) |
Infrawiki | Gatekeeper | Not Started | Use htpasswd as fallback (i.e. in case sso.g.o is down) |
Glsamaker (ruby) | Gatekeeper | Not Started | Set a cookie to integrate with the existing user management |
Glsamaker (go) | Go OpenId Client | Not Started | i.e. https://github.com/coreos/go-oidc |
Gerrit | SAML | Not Started | https://gerrit.googlesource.com/plugins/saml/+/refs/heads/stable-2.14/README.md |
Gitea | OAuth2 | Not Started | - |
Forums | ? | Not Started | - |
TODOs
- Move the secrets in the puppet module to eyaml (DONE)
- Set up database replication (DONE)
- Mount the keycloak config in the container (DONE)
- Check keycloak config into puppet (DONE)
- Create a Gentoo theme for Keycloak (DONE, https://gitweb.gentoo.org/sites/sso/tyrian-keycloak-theme.git/)
- Discuss the design of the Gentoo theme