Project:Infrastructure/Single Sign-on

Keycloak
Keycloak implements single sign-on (SSO) for Gentoo developers. It is deployed on sso.gentoo.org (tyrant) and sso-fallback.gentoo.org (gadwall).

Realms
Keycloak currently has two realms.

 * 1) Admin: This realm exists only to administer the Keycloak deployment. It has significantly stricter credential requirements than the Gentoo realm; normal users do not use this realm and have no accounts in it.
 * 2) Gentoo: This realm federates users from ldap.gentoo.org; most attributes are read-only in Keycloak, as LDAP remains the source of truth.

Deployment
Keycloak is deployed as Docker containers, with PostgreSQL as the database.

Persistent state is kept under /var/lib/gentoo-sso; those directories are bind-mounted into the containers at the appropriate paths so that state survives container redeployments.

Backups
Keycloak runs on two machines in an active/passive configuration; on the passive machine Keycloak itself is not running at all. The PostgreSQL database is replicated from the primary to the passive machine, which is a standby created with pg_basebackup. Note that a replica is not a backup: a mistaken change or deletion on the primary is replicated to the standby immediately, so the realm configuration also needs to be exported separately.

Failover
Follow the standard PostgreSQL failover procedure: https://www.postgresql.org/docs/12/warm-standby-failover.html. In this setup that means promoting the standby on the passive machine (for example with pg_ctl promote) and then starting Keycloak there against the promoted database. Before promoting, confirm the standby has replayed as much of the primary's WAL as is available, since anything not yet replicated is lost.

NOTE: The realm configuration should be exported every so often so it can be re-imported if the database is lost or a bad change has been replicated to the standby.
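An added example of what such a periodic realm export could look like; this is illustrative code written for this page, not Gentoo Infra's own tooling. It assumes things the page does not state: that the Keycloak container is called "keycloak", that it is a kc.sh-based (Quarkus) Keycloak release, that the realms are named "gentoo" and "admin", and that exports live under /var/lib/gentoo-sso/realm-exports. Each run writes a timestamped directory, checks that every expected realm came out as a parseable realm file whose "realm" field matches, discards the run otherwise, locks the directory down (an export contains client secrets and user credential hashes) and keeps only the newest exports. The export command is overridable so the script can be exercised without a running Keycloak.

```shell
#!/bin/sh
# Periodic Keycloak realm export with verification and retention.
# Added example, not Gentoo Infra's own tooling. Assumed (not from the page):
# container name "keycloak", kc.sh-based Keycloak, realms "gentoo" and "admin",
# export location /var/lib/gentoo-sso/realm-exports.
set -eu

EXPORT_ROOT="${EXPORT_ROOT:-/var/lib/gentoo-sso/realm-exports}"
KEEP="${KEEP:-14}"                  # number of export runs to retain
REALMS="${REALMS:-gentoo admin}"    # assumed realm names
KEYCLOAK_CONTAINER="${KEYCLOAK_CONTAINER:-keycloak}"
# Command that writes one <realm>-realm.json per realm into the directory
# passed as $1. Overridable so the rest of the script can run without Keycloak.
EXPORT_CMD="${EXPORT_CMD:-keycloak_export_via_docker}"

keycloak_export_via_docker() {
    # kc.sh export writes <realm>-realm.json per realm; --users realm_file keeps
    # the users inside that file so one file per realm is the complete state.
    docker exec "$KEYCLOAK_CONTAINER" /opt/keycloak/bin/kc.sh export \
        --dir /tmp/realm-export --users realm_file
    docker cp "$KEYCLOAK_CONTAINER:/tmp/realm-export/." "$1/"
    docker exec "$KEYCLOAK_CONTAINER" rm -rf /tmp/realm-export
}

# $1 = realm file, $2 = expected realm name. Parses the JSON and checks the
# "realm" field, so a truncated file or a wrong realm is rejected.
realm_file_ok() {
    [ -s "$1" ] || return 1
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys
d = json.load(open(sys.argv[1]))
sys.exit(0 if d.get("realm") == sys.argv[2] else 1)' "$1" "$2" 2>/dev/null
    else
        # Weaker fallback without a JSON parser: only checks the realm name.
        grep -q "\"realm\" *: *\"$2\"" "$1"
    fi
}

# Export all realms into a timestamped directory; prints the directory on
# success. $1 overrides the timestamp (used by tests).
export_realms() {
    stamp="${1:-$(date -u +%Y%m%dT%H%M%SZ)}"
    dest="$EXPORT_ROOT/$stamp"
    mkdir -p "$dest"
    "$EXPORT_CMD" "$dest" >&2
    for realm in $REALMS; do
        if ! realm_file_ok "$dest/$realm-realm.json" "$realm"; then
            echo "export of realm $realm failed verification, discarding $dest" >&2
            rm -rf "$dest"
            return 1
        fi
    done
    # Exports hold client secrets and credential hashes: owner-only access.
    chmod -R go-rwx "$dest"
    echo "$dest"
}

# Delete all but the $KEEP newest export directories. Names are UTC
# timestamps, so lexical order is chronological order.
prune_exports() {
    count=$(ls -1d "$EXPORT_ROOT"/*/ 2>/dev/null | wc -l | tr -d ' ')
    [ "$count" -gt "$KEEP" ] || return 0
    ls -1d "$EXPORT_ROOT"/*/ | sort | head -n "$((count - KEEP))" | while read -r old; do
        rm -rf "$old"
    done
}

# Invoke as "realm-export.sh run" (e.g. from cron on the active machine).
if [ "${1:-}" = run ]; then
    dir=$(export_realms)
    echo "exported realms to $dir"
    prune_exports
fi
```

The exported files should be copied off the SSO hosts as well (they are what lets a realm be rebuilt on a fresh database), and because they contain secrets they need the same handling as the database backups themselves.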

TODOs

 * 1) Move the secrets in the puppet module to eyaml (DONE)
 * 2) Set up database replication (DONE)
 * 3) Mount the keycloak config in the container (DONE)
 * 4) check keycloak config into puppet (DONE)
 * 5) Create a Gentoo theme for Keycloak (DONE, https://gitweb.gentoo.org/sites/sso/tyrian-keycloak-theme.git/)
 * 6) Discuss the design of the Gentoo theme