Revision 0e862141
Added by Ewoud Kohl van Wijngaarden over 4 years ago
manifests/config/apache.pp | ||
---|---|---|
Boolean $ipa_authentication = false,
|
||
Hash[String, Any] $http_vhost_options = {},
|
||
Hash[String, Any] $https_vhost_options = {},
|
||
Boolean $keycloak = false,
|
||
String[1] $keycloak_app_name = 'foreman-openidc',
|
||
String[1] $keycloak_realm = 'ssl-realm',
|
||
) {
|
||
$docroot = "${app_root}/public"
|
||
|
||
... | ... | |
include ::apache::mod::intercept_form_submit
|
||
include ::apache::mod::lookup_identity
|
||
include ::apache::mod::auth_kerb
|
||
} elsif $keycloak {
|
||
# TODO: https://github.com/puppetlabs/puppetlabs-apache/commit/9f7f38ff21036c9a1ce4d669ccaea816941209ca
|
||
# adds apache::mod::auth_openidc which allows for proper integration but
|
||
# the current release (5.4.0) doesn't include this yet.
|
||
include ::apache::mod::authz_user
|
||
apache::mod { 'auth_openidc':
|
||
package => 'mod_auth_openidc',
|
||
}
|
||
|
||
# This file is generated by keycloak-httpd-client-install and that manages
|
||
# the content. The command would be:
|
||
#
|
||
# keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
|
||
#
|
||
# If $suburi is used, --location-root should also be passed in
|
||
#
|
||
# By defining it here we avoid purging it and also tighten the
|
||
# permissions so the world can't read its secrets.
|
||
# This is functionally equivalent to apache::custom_config without content/source
|
||
file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
|
||
ensure => file,
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0640',
|
||
}
|
||
}
|
||
|
||
file { "${apache::confd_dir}/${priority}-foreman.d":
|
Fixes #28436 - Add keycloak support
This adds support for keycloak when using the
keycloak-httpd-client-install command. A more native integration would
rely on the oidc support in puppetlabs-apache, but that's unreleased.
It drops the dependency chaining for the passenger package because it
was leading to dependency cycles and I don't see a reason for the
explicit chaining.