Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keycloak user authentication #33

Merged
merged 1 commit into from
Mar 26, 2024
Merged

keycloak user authentication #33

merged 1 commit into from
Mar 26, 2024

Conversation

yogananth-subramanian
Copy link
Collaborator

This patch enabled user authentication using keycloak.

@openshift-ci openshift-ci bot requested review from jhutar and pmacik February 1, 2024 08:26
@openshift-ci openshift-ci bot added the approved label Feb 1, 2024
@yogananth-subramanian
Copy link
Collaborator Author

/hold

@yogananth-subramanian yogananth-subramanian force-pushed the user-authentication branch 2 times, most recently from c433694 to f40588e Compare February 12, 2024 11:53
@yogananth-subramanian
Copy link
Collaborator Author

Hello @pmacik The hard-coded password references have been removed, and the keycloak user password is now stored in a secret for reference.

@pmacik
Copy link
Collaborator

pmacik commented Feb 26, 2024
edited
Loading

@yogananth-subramanian Your changes do enable the keycloak authentication all the time. IMHO, it would be useful to have a means to disabe the keycloak authentication feature. So that we can still have the original behavior (un-authenticated) available. For example, via means of an environment variable such as
KEYCLOAK_AUTHENTICATION_DISABLED with false (or not set, at all) as the default value.

If it is set to true then the framework would behave as it is now in all of it's phases (setup, test, collect-results). When set to false (or not set, at all), the changes in this PR would be in effect.

This would also enable us to measure the authentication's own overhead.

Thanks!

pmacik
pmacik reviewed Feb 26, 2024
View reviewed changes
ci-scripts/rhdh-setup/template/backstage/chart-values.yaml Outdated
key: CLIENT_SECRET
name: keycloak-client-secret-backstage
- name: OAUTH2_PROXY_COOKIE_SECRET
value: '${COOKIE_SECRET}'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yogananth-subramanian A best-practice advice: As it is a secret, it should not be put into the container spec as plain text. You should put it into a Secret resource and use the same .valueFrom.secretKeyRef approach as shown in case of CLIENT_SECRET variable above.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @pmacik for the review, agree with your comment. Have fixed it in the latest commit, have moved it to a secret.

@yogananth-subramanian
keycloak user authentication
458c5db 
This patch enables user authentication using keycloak in backstage
setup and locust mvp test.
This is done by setting environment variable AUTH_PROVIDER to
keycloak.
export AUTH_PROVIDER=keycloak
@yogananth-subramanian
Copy link
Collaborator Author

Hello @pmacik , thanks for your review.
In the latest commit, have added the option/flag for user authentication using keycloak in backstage setup and in locust mvp test.
This is done by setting environment variable AUTH_PROVIDER to keycloak.
export AUTH_PROVIDER=keycloak

@yogananth-subramanian Your changes do enable the keycloak authentication all the time. IMHO, it would be useful to have a means to disabe the keycloak authentication feature. So that we can still have the original behavior (un-authenticated) available. For example, via means of an environment variable such as KEYCLOAK_AUTHENTICATION_DISABLED with false (or not set, at all) as the default value.

If it is set to true then the framework would behave as it is now in all of it's phases (setup, test, collect-results). When set to false (or not set, at all), the changes in this PR would be in effect.

This would also enable us to measure the authentication's own overhead.

Thanks!

jhutar
jhutar approved these changes Mar 26, 2024
View reviewed changes
Copy link
Collaborator

@jhutar jhutar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 26, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Mar 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhutar, yogananth-subramanian

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jhutar,yogananth-subramanian]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 59f40e7 into redhat-performance:main Mar 26, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmacik pmacik pmacik left review comments

@jhutar jhutar jhutar approved these changes

Assignees

@jhutar jhutar

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yogananth-subramanian @pmacik @jhutar