Use Keycloak on base-lsp.lsst.codes

Point Gafaelfawr at local Keycloak on base-lsp.lsst.codes instead of using GitHub. Get user metadata from the IPA LDAP server. Switch to the new home directory source. Add values.yaml documentation for the new groupSearchByDn setting.
lsst-sqre · Nov 28, 2023 · fddef43 · fddef43
1 parent 4e1b0e4
commit fddef43
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 78 deletions.
diff --git a/applications/gafaelfawr/README.md b/applications/gafaelfawr/README.md
@@ -49,6 +49,7 @@ Authentication and identity system
 | config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups |
 | config.ldap.groupMemberAttr | string | `"member"` | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
 | config.ldap.groupObjectClass | string | `"posixGroup"` | Object class containing group information |
+| config.ldap.groupSearchByDn | bool | `false` | Whether to search for group membership by user DN rather than bare usernames. Most LDAP servers use full DNs for group membership, so normally this should be set to true, but it requires `userBaseDn` also be set. |
 | config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this `krb5.conf` file. If set, `ldap-keytab` must be set in the Gafaelfawr Vault secret. Set either this or `userDn`, not both. |
 | config.ldap.nameAttr | string | `"displayName"` | Attribute containing the user's full name |
 | config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to `uidNumber` for most LDAP servers) |

diff --git a/applications/gafaelfawr/templates/configmap.yaml b/applications/gafaelfawr/templates/configmap.yaml
@@ -129,6 +129,7 @@
       {{- end }}
       groupObjectClass: {{ .Values.config.ldap.groupObjectClass | quote }}
       groupMemberAttr: {{ .Values.config.ldap.groupMemberAttr | quote }}
+      groupSearchByDn: {{ .Values.config.ldap.groupSearchByDn }}
       {{- if .Values.config.ldap.userBaseDn }}
       userBaseDn: {{ .Values.config.ldap.userBaseDn | quote }}
       userSearchAttr: {{ .Values.config.ldap.userSearchAttr | quote }}

diff --git a/applications/gafaelfawr/values-base.yaml b/applications/gafaelfawr/values-base.yaml
@@ -3,11 +3,28 @@ redis:
     storageClass: "rook-ceph-block"
 
 config:
+  logLevel: "DEBUG"
   slackAlerts: true
   databaseUrl: "postgresql://[email protected]/gafaelfawr"
 
-  github:
-    clientId: "ec88b9b897f302b620d1"
+  oidc:
+    clientId: "rsp-bts"
+    audience: "rsp-bts"
+    loginUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/auth"
+    tokenUrl: "https://keycloak.ls.lsst.org/realms/master/protocol/openid-connect/token"
+    issuer: "https://keycloak.ls.lsst.org/realms/master"
+    scopes:
+      - "openid"
+    usernameClaim: "preferred_username"
+
+  ldap:
+    url: "ldap://ipa1.ls.lsst.org"
+    userDn: "uid=svc_rsp,cn=users,cn=accounts,dc=lsst,dc=cloud"
+    userBaseDn: "cn=users,cn=accounts,dc=lsst,dc=cloud"
+    uidAttr: "uidNumber"
+    gidAttr: "gidNumber"
+    groupBaseDn: "cn=groups,cn=accounts,dc=lsst,dc=cloud"
+    groupSearchByDn: true
 
   # Support OpenID Connect clients like Chronograf.
   oidcServer:
@@ -16,85 +33,21 @@ config:
   # Allow access by GitHub team.
   groupMapping:
     "admin:provision":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
     "exec:admin":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-ts"
-          team: "integration-testing-team"
+      - "sqre"
     "exec:internal-tools":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:notebook":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "exec:portal":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:image":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "read:tap":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
-      - github:
-          organization: "lsst-sqre"
-          team: "friends"
-      - github:
-          organization: "lsst-ts"
-          team: "base-access"
-      - github:
-          organization: "rubin-summit"
-          team: "rsp-access"
+      - "rsp-bts"
     "write:sasquatch":
-      - github:
-          organization: "lsst-sqre"
-          team: "square"
+      - "sqre"
 
   initialAdmins:
     - "afausti"

diff --git a/applications/gafaelfawr/values.yaml b/applications/gafaelfawr/values.yaml
@@ -199,6 +199,12 @@ config:
     # returned in the token from the OpenID Connect authentication server.
     groupMemberAttr: "member"
 
+    # -- Whether to search for group membership by user DN rather than bare
+    # usernames. Most LDAP servers use full DNs for group membership, so
+    # normally this should be set to true, but it requires `userBaseDn` also
+    # be set.
+    groupSearchByDn: false
+
     # -- Base DN for the LDAP search to find a user's entry
     # @default -- Get user metadata from the upstream authentication provider
     userBaseDn: ""

diff --git a/applications/nublado/values-base.yaml b/applications/nublado/values-base.yaml
@@ -30,16 +30,16 @@ controller:
         - containerPath: "/home"
           mode: "rw"
           source:
-            serverPath: "/jhome"
-            server: "nfs-jhome.ls.lsst.org"
+            serverPath: "/rsphome"
+            server: "nfs-rsphome.ls.lsst.org"
             type: "nfs"
       volumes:
       - containerPath: "/home"
         mode: "rw"
         source:
           type: "nfs"
-          serverPath: "/jhome"
-          server: "nfs-jhome.ls.lsst.org"
+          serverPath: "/rsphome"
+          server: "nfs-rsphome.ls.lsst.org"
       - containerPath: "/project"
         mode: "rw"
         source: