Update install and decommission how-tos to use Keycloak
simu authored and bastjan committed Nov 7, 2023
1 parent 592876b commit 4d4afb0
Showing 8 changed files with 70 additions and 35 deletions.
16 changes: 1 addition & 15 deletions docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
@@ -143,21 +143,7 @@ At this point in the decommissioning process, you'll have to extract the Restic

. Delete all other Vault entries

. Delete LDAP service (via portal)
+
Go to https://control.vshn.net/vshn/services
+
- Search cluster name
+
- Delete cluster entry service using the delete button

. Remove IPs from LDAP allowlist
+
Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
+
- Search cluster IPs and remove those lines and any comments related.
+
- Create a Merge Request and invite a colleague for a review/approve/merge
include::partial$decommission/idp.adoc[]

. Delete all DNS records related with cluster (zonefiles)

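Review bot: with the LDAP steps moved into `partial$decommission/idp.adoc`, this page no longer says which IDP the cluster was set up with, and the included partial offers both an LDAP and a Keycloak block; add a sentence before the `include::` line telling the operator to open the block matching the cluster's IDP (for clusters installed after this change that is Keycloak, per the install page's `oidc/vshn-keycloak` Vault entry). Also check that the preceding step `Delete all other Vault entries` is understood to cover `clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak`, since the Keycloak block in the partial only deletes the client, not its stored secret.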
6 changes: 3 additions & 3 deletions docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
@@ -195,9 +195,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/floaty \
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
# Set the LDAP password
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
bindPassword=${LDAP_PASSWORD}
# Set the Keycloak client secret
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
clientSecret=${KEYCLOAK_CLIENT_SECRET}
# Generate a master password for K8up backups
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
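Review bot: the Vault path changes shape here (`.../oidc/vshn-keycloak` gains an `oidc/` subpath while the sibling entries `registry` and `global-backup` sit directly under the cluster id); confirm that the consumer of `parameters.vshnKeycloak` (set in prepare-syn-config.adoc) resolves the secret from exactly this path and the key `clientSecret`, otherwise the OIDC login fails with nothing in the docs pointing at the mismatch. Secondary: `clientSecret=${KEYCLOAK_CLIENT_SECRET}` expands the secret into the `vault` command's argument list, so it is visible in the process list while the command runs; `vault kv put` accepts `clientSecret=-` to read the value from stdin, e.g. `printf '%s' "$KEYCLOAK_CLIENT_SECRET" | vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak clientSecret=-`. The existing `httpSecret` line has the same property, but this hunk introduces a secret that grants an OIDC client identity, so it is worth fixing here.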
2 changes: 1 addition & 1 deletion docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
@@ -124,6 +124,6 @@ NOTE: Don't forget to remove the LB configuration in the https://git.vshn.net/ap

. Remove cluster DNS records from VSHN DNS

. Remove cluster IPs from LDAP allowlist, if applicable
include::partial$decommission/idp.adoc[]

. https://kb.vshn.ch/vshnsyn/how-tos/decommission.html[Decommission cluster in Project Syn]
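Review bot: the removed line was conditional (`Remove cluster IPs from LDAP allowlist, if applicable`) and covered only the allowlist, whereas the included partial's LDAP block unconditionally adds `Delete LDAP service (via portal)` as well; if Exoscale clusters did not necessarily have an LDAP service entry in the portal (which the absence of such a step before this change suggests), either keep the `if applicable` qualifier in the partial or state on this page that the LDAP block applies only where such a service exists.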
6 changes: 3 additions & 3 deletions docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
@@ -219,9 +219,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/exoscale/storage_iam \
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
# Set the LDAP password
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
bindPassword=${LDAP_PASSWORD}
# Set the Keycloak client secret
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
clientSecret=${KEYCLOAK_CLIENT_SECRET}
# Generate a master password for K8up backups
vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
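Review bot: this is the same three-line change as in `cloudscale/install.adoc` (hunk at -195), so the two install pages now carry identical copies of the Vault command block and will drift apart the next time a path or key is renamed on only one of them. Since the decommission side was factored into `partial$decommission/idp.adoc` and the register step into `partial$setup-keycloak-client.adoc` in this same commit, consider moving the shared `vault kv put` lines into a partial too. As on the cloudscale page, `clientSecret=${KEYCLOAK_CLIENT_SECRET}` puts the secret into the `vault` process's argument list; `clientSecret=-` with the value supplied on stdin avoids that.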
33 changes: 33 additions & 0 deletions docs/modules/ROOT/partials/decommission/idp.adoc
@@ -0,0 +1,33 @@
. Delete the IDP service
+
[%collapsible]
.LDAP
====
. Delete LDAP service (via portal)
+
Go to https://control.vshn.net/vshn/services
+
- Search cluster name
+
- Delete cluster entry service using the delete button

. Remove IPs from LDAP allowlist
+
Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
+
- Search cluster IPs and remove those lines and any comments related.
+
- Create a Merge Request and invite a colleague for a review/approve/merge
====
+
[%collapsible]
.Keycloak
====
. Delete Keycloak client
+
Go to https://TBD
+
- Search cluster name
+
- Delete cluster client using the delete button
====
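Review bot: `Go to https://TBD` in the Keycloak block ships a placeholder link in a user-facing decommission page; either fill in the Keycloak admin console URL for the `VSHN` realm (the install partial names the realm) or turn the line into a visible `NOTE:`/`WARNING:` admonition so an operator does not follow a dead link. Two smaller points: the Keycloak block deletes the client but never mentions the `clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak` Vault entry created by install.adoc, so add an explicit step to delete that entry here rather than relying on a generic Vault-cleanup step on whichever page includes this partial; and since `[%collapsible]` blocks render collapsed, a one-line instruction under `. Delete the IDP service` saying to expand the block matching the cluster's IDP would make the choice explicit.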
2 changes: 1 addition & 1 deletion docs/modules/ROOT/partials/install/prepare-syn-config.adoc
@@ -30,7 +30,7 @@ yq eval -i ".parameters.openshift.clusterID = \"$(jq -r .clusterID "${INSTALLER_
yq eval -i ".parameters.openshift.ssh_key = \"$(cat ${SSH_PUBLIC_KEY})\"" \
${CLUSTER_ID}.yml

yq eval -i ".parameters.vshnLdap.serviceId = \"${LDAP_ID}\"" \
yq eval -i ".parameters.vshnKeycloak.clientId = \"${KEYCLOAK_CLIENT_ID}\"" \
${CLUSTER_ID}.yml
----
+
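Review bot: this swaps the cluster-config key `parameters.vshnLdap.serviceId` for `parameters.vshnKeycloak.clientId`, so the Commodore class or component that reads this parameter must already understand `vshnKeycloak` by the time someone follows this how-to; the commit touches only docs, so name or link the component change it depends on. Also, `${KEYCLOAK_CLIENT_ID}` is expanded by the shell into the quoted yq string `\"...\"`; that is safe for the documented format `ocp_<customer>_<cluster-id>`, but a value containing `"` or `\` would break the yq expression, so it may be worth stating the allowed characters for the client ID in the setup partial.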
14 changes: 2 additions & 12 deletions docs/modules/ROOT/partials/install/register.adoc
@@ -7,16 +7,6 @@ Use the following endpoint for Lieutenant:
VSHN:: https://api.syn.vshn.net
****

=== Set up LDAP service
=== Set up Keycloak client

. Create an LDAP service
+
Use https://control.vshn.net/vshn/services/_create to create a service.
The name must contain the customer and the cluster name.
And then put the LDAP service ID in the following variable:
+
[source,bash]
----
export LDAP_ID="Your_LDAP_ID_here"
export LDAP_PASSWORD="Your_LDAP_pw_here"
----
include::partial$setup-keycloak-client.adoc[]
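Review bot: the new partial is included as `partial$setup-keycloak-client.adoc`, i.e. from the top of `partials/`, while this file and the other install-time partials live under `partials/install/` and the decommission counterpart added in this commit was placed under `partials/decommission/`; move it to `partials/install/setup-keycloak-client.adoc` for consistency unless it is meant to be reused outside the install flow. The sentence `The name must contain the customer and the cluster name.` removed here survives in the partial, so no content is lost.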
26 changes: 26 additions & 0 deletions docs/modules/ROOT/partials/setup-keycloak-client.adoc
@@ -0,0 +1,26 @@
. Create a new Keycloak client in the `VSHN` realm with the following settings:
+
[source]
----
Client ID = ocp_<customer>_<c-cluster-id> <1>
Access Type = confidential
Valid Redirect URIs = https://oauth-openshift.apps.cluster-id.tld/oauth2callback/VSHN <2>
Base URL = https://console-openshift-console.apps.cluster-id.tld/ <3>
----
<1> Create a separate client for each cluster.
The client ID shall use the format `ocp_<customer-name>_<cluster-id>`.
<2> The Redirect URI assumes that the authentication method in the OpenShift cluster is named `VSHN`.
<3> Adjust the Base URL to match the desired web console URL of your cluster.
+
Use https://TBD to create a client.
The name must contain the customer and the cluster name.
+
TODO: Add required config for authentication flow & mappers
. Save the Keycloak client details (client ID and secret) in the following variables for subsequent steps.
+
[source,bash]
----
export KEYCLOAK_CLIENT_ID="Your_client_ID_here"
export KEYCLOAK_CLIENT_SECRET="Your_client_secret"
----

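Review bot: `TODO: Add required config for authentication flow & mappers` and `Use https://TBD to create a client.` ship as plain text in an install how-to; the flow and mapper configuration is what decides which Keycloak users and groups are allowed to log in to the cluster, so an operator following the page as written ends up with a client whose authorization behaviour is undefined. At minimum mark both lines as a `WARNING:` or `NOTE:` admonition so they stand out in the rendered page, and add a blank line before `. Save the Keycloak client details` so the second list item is separated from the TODO paragraph the way list items are separated elsewhere in these how-tos. On the settings block, `Access Type = confidential` and an exact `Valid Redirect URIs` value are the right choices; when the placeholder hostname `cluster-id.tld` is replaced, keep the redirect URI exact (no trailing `*`), since a wildcard there lets any page under the domain receive the authorization code. The sentence `The name must contain the customer and the cluster name.` duplicates callout <1> and can be dropped.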