Keycloak is currently used to provide single sign-on (SSO) for Gentoo developers. It is deployed on sso.gentoo.org (tyrant) and sso-fallback.gentoo.org (gadwall).
Keycloak has two realms today.
- Admin: This realm is to administer the keycloak deployment. It has significantly more restrictions on credentials; normal users don't use this realm and don't have accounts here.
- Gentoo: This realm federates its users from ldap.gentoo.org; most attributes are read-only in Keycloak and must be changed in LDAP.
Keycloak is deployed using docker containers. Postgres is used as database.
State is generally kept in /var/lib/gentoo-sso, and that directory is bind-mounted into the containers at various paths so that state survives container redeployments.
Keycloak runs on two machines in an active/passive configuration: on the passive machine Keycloak is not running at all. The Postgres database is replicated from the active host (primary) to the passive host (standby); the standby is initialised from the primary with pg_basebackup and then follows it as a warm standby.
When promoting the standby, follow the standard Postgres warm-standby failover documentation: https://www.postgresql.org/docs/12/warm-standby-failover.html.
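As an added example (not part of this page and not Gentoo infra's own puppet code), a shell sketch of the standby build and of the check a practitioner wants before promoting: read the primary's current WAL write position and the standby's replay position, convert both LSNs to integers, and refuse to promote while any bytes are still outstanding, since promoting a lagging standby silently loses the unreplayed transactions. The host name tyrant, data directory /var/lib/gentoo-sso/postgres, replication role `replicator` and slot name `sso_standby` are assumptions; PostgreSQL 12 is assumed because that is the version the linked documentation covers.

```shell
#!/bin/sh
# Added example, not Gentoo infra's own scripts. Assumes PostgreSQL 12 and
# the following assumed names: data dir /var/lib/gentoo-sso/postgres,
# primary host tyrant, replication role "replicator", slot "sso_standby".
set -eu

PGDATA=${PGDATA:-/var/lib/gentoo-sso/postgres}
PRIMARY_HOST=${PRIMARY_HOST:-tyrant}

# Build the standby. Run on the passive host with postgres stopped and an
# empty $PGDATA. -R writes standby.signal and primary_conninfo into
# postgresql.auto.conf, which is how PG 12 marks a warm standby
# (recovery.conf is gone in 12). -S keeps WAL on the primary until the
# standby has consumed it, so a short outage does not break replication.
make_standby() {
  pg_basebackup -h "$PRIMARY_HOST" -U replicator -D "$PGDATA" \
    -R -X stream -S sso_standby -P
}

# Convert a PostgreSQL LSN such as "0/3000060" to an integer: the part
# before the slash is the high 32 bits, the part after it the low 32 bits,
# both hexadecimal.
lsn_to_int() {
  hi=${1%%/*}
  lo=${1##*/}
  echo $(( (0x$hi << 32) + 0x$lo ))
}

# Bytes of WAL written on the primary ($1) that the standby ($2) has not
# yet replayed.
lsn_lag_bytes() {
  echo $(( $(lsn_to_int "$1") - $(lsn_to_int "$2") ))
}

# Current positions: write LSN on the primary, replay LSN on this standby.
primary_lsn() { psql -h "$PRIMARY_HOST" -U replicator -Atc "select pg_current_wal_lsn()"; }
standby_lsn() { psql -Atc "select pg_last_wal_replay_lsn()"; }

# Promote only when the standby has replayed everything the primary wrote.
# $1 = primary write LSN, $2 = standby replay LSN.
promote_if_caught_up() {
  lag=$(lsn_lag_bytes "$1" "$2")
  if [ "$lag" -ne 0 ]; then
    echo "standby is $lag bytes behind the primary; not promoting" >&2
    return 1
  fi
  pg_ctl promote -D "$PGDATA"
}

# Typical failover on the passive host once the primary is stopped or
# unreachable (only the LSN comparison runs if the primary is gone, so pass
# its last known write LSN from monitoring in that case):
#   promote_if_caught_up "$(primary_lsn)" "$(standby_lsn)"
```

The lag check is deliberately strict (zero bytes); if the primary has died and its last write position is unknown, the decision becomes a judgement call, and the warm-standby documentation linked above describes how much WAL can be recovered from the archive before promoting.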
NOTE: We should export the realm configuration regularly so that it can be re-imported if the database is lost or the deployment has to be rebuilt.
| Service | Method | Status | Notes |
|---|---|---|---|
| Bugzilla | Gatekeeper | Not Started | We can set bugzilla user_info_class to ENV, CGI |
| Wiki | OpenID Connect extension | Not Started | https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Example:_Using_it_against_Keycloak |
| AWS | SAML 2.0 | Not Started | Use their existing identity provider support with SAML 2.0 |
| Gentoo Admin | Gatekeeper | Not Started | Use htpasswd as fallback (i.e. in case sso.g.o is down) |
| Infrawiki | Gatekeeper | Not Started | Use htpasswd as fallback (i.e. in case sso.g.o is down) |
| Glsamaker (ruby) | Gatekeeper | Not Started | Set a cookie to integrate with the existing user management |
| Glsamaker (go) | Go OpenID client | Not Started | e.g. https://github.com/coreos/go-oidc |
- Move the secrets in the puppet module to eyaml (DONE)
- Set up database replication (DONE)
- Mount the keycloak config in the container (DONE)
- Check keycloak config into puppet (DONE)
- Create a Gentoo theme for Keycloak (DONE, https://gitweb.gentoo.org/sites/sso/tyrian-keycloak-theme.git/)
- Discuss the design of the Gentoo theme