[Infrastructure]: Fix current IDM issues #59

Open
opened 2024-03-22 21:37:24 +00:00 by label · 0 comments
Owner

Current IDM infrastructure needs help. Some boxes are multihomed and they need to be sent to containers. Some services (such as ipsilon and keycloak) need to be consolidated into a single app (keycloak or new one). Some services are still using ipsilon and will need to be moved from SAML/OpenID to OIDC.

Checklist

  • Move or replace keycloak with another product and place in a container or kube environment[1]
  • Change above service domain to be id.rockylinux.org instead [2]
  • Move noggin to container or kube environment
  • Identify applications still using ipsilon and force them to use keycloak/other [3]

Things to consider

  • Setup redirects from id.resf.org and/or accounts.resf.org to current places? [4]

footnotes

[1] Keycloak, being in java, can be a bit annoying. Granted, it can be put into a kube/container environment and we can basically let it be. On the flip side, products like Authelia are built in go, start up and run fast, and just work™️ and can be run in a container/kube environment as well (or even replace the running services as is with some configuration)

[2] This would require changes in all services that use keycloak/future service to readjust the URLs they go to for auth. Services such as mailman, distrobuild, MBS (not an all inclusive list)

[3] AFAIK the only service using this is mirror manager.

[4] As of now, there's no RESF IPA domain (and thinking migrating to it or transitioning to one is more trouble than it's worth, and standing one up wouldn't even be worth the maintenance burden). IPA-IPA trusts are on the horizon and could be used as a way to help that transition, but it's years out.

label added the gain/high, effort/medium, component/idm and task labels 2024-03-22 21:37:24 +00:00
label added the priority/high label 2024-03-22 23:32:10 +00:00
label added this to the RESF Infrastructure Identity Management project 2024-03-24 01:23:33 +00:00