From ccc4780a2844ef546442f890e047badd3a42f1d7 Mon Sep 17 00:00:00 2001
From: Simon Gerber <simon.gerber@vshn.ch>
Date: Mon, 13 Jun 2022 14:43:05 +0200
Subject: [PATCH] Update install and decommission how-tos to use Keycloak

---
 .../how-tos/cloudscale/decommission.adoc      | 16 +--------
 .../pages/how-tos/cloudscale/install.adoc     |  6 ++--
 .../pages/how-tos/exoscale/decommission.adoc  |  2 +-
 .../ROOT/pages/how-tos/exoscale/install.adoc  |  6 ++--
 .../ROOT/partials/decommission/idp.adoc       | 33 +++++++++++++++++++
 .../partials/install/prepare-terraform.adoc   |  2 +-
 .../ROOT/partials/install/register.adoc       | 25 ++++++++++----
 7 files changed, 61 insertions(+), 29 deletions(-)
 create mode 100644 docs/modules/ROOT/partials/decommission/idp.adoc

diff --git a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
index 565cd0d6..587e925c 100644
--- a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
+++ b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
@@ -143,21 +143,7 @@ At this point in the decommissioning process, you'll have to extract the Restic
 
 . Delete all other Vault entries
 
-. Delete LDAP service (via portal)
-+
-Go to https://control.vshn.net/vshn/services
-+
-- Search cluster name
-+
-- Delete cluster entry service using the delete button
-
-. Remove IPs from LDAP allowlist
-+
-Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
-+
-- Search cluster IPs and remove those lines and any comments related.
-+
-- Create a Merge Request and invite a colleague for a review/approve/merge
+include::partial$decommission/idp.adoc[]
 
 . Delete all DNS records related with cluster (zonefiles)
 
diff --git a/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc b/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
index b653b9a2..f12a304e 100644
--- a/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
+++ b/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
@@ -206,9 +206,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/floaty \
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
   httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
 
-# Set the LDAP password
-vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
-  bindPassword=${LDAP_PASSWORD}
+# Set the Keycloak client secret
+vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
+  clientSecret=${KEYCLOAK_CLIENT_SECRET}
 
 # Generate a master password for K8up backups
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
index 9feb2cee..3e907c57 100644
--- a/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
+++ b/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
@@ -129,6 +129,6 @@ NOTE: Don't forget to remove the LB configuration in the https://git.vshn.net/ap
 
 . Remove cluster DNS records from VSHN DNS
 
-. Remove cluster IPs from LDAP allowlist, if applicable
+include::partial$decommission/idp.adoc[]
 
 . https://kb.vshn.ch/vshnsyn/how-tos/decommission.html[Decommission cluster in Project Syn]
diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
index aafbe141..c2688045 100644
--- a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
+++ b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
@@ -155,9 +155,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/floaty \
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
   httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
 
-# Set the LDAP password
-vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
-  bindPassword=${LDAP_PASSWORD}
+# Set the Keycloak client secret
+vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
+  clientSecret=${KEYCLOAK_CLIENT_SECRET}
 
 # Generate a master password for K8up backups
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
diff --git a/docs/modules/ROOT/partials/decommission/idp.adoc b/docs/modules/ROOT/partials/decommission/idp.adoc
new file mode 100644
index 00000000..0fa30a99
--- /dev/null
+++ b/docs/modules/ROOT/partials/decommission/idp.adoc
@@ -0,0 +1,33 @@
+. Delete the IDP service
++
+[%collapsible]
+.LDAP
+====
+. Delete LDAP service (via portal)
++
+Go to https://control.vshn.net/vshn/services
++
+- Search cluster name
++
+- Delete cluster entry service using the delete button
+
+. Remove IPs from LDAP allowlist
++
+Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
++
+- Search cluster IPs and remove those lines and any comments related.
++
+- Create a Merge Request and invite a colleague for a review/approve/merge
+====
++
+[%collapsible]
+.Keycloak
+====
+. Delete Keycloak client
++
+Go to https://TBD
++
+- Search cluster name
++
+- Delete cluster client using the delete button
+====
diff --git a/docs/modules/ROOT/partials/install/prepare-terraform.adoc b/docs/modules/ROOT/partials/install/prepare-terraform.adoc
index f26aaa3a..cd9d8106 100644
--- a/docs/modules/ROOT/partials/install/prepare-terraform.adoc
+++ b/docs/modules/ROOT/partials/install/prepare-terraform.adoc
@@ -71,7 +71,7 @@ yq eval -i ".parameters.openshift4_version.spec.channel = \"stable-{ocp-minor-ve
 yq eval -i ".parameters.openshift4_ingress.ingressControllers.default.replicas = 3" \
   ${CLUSTER_ID}.yml
 
-yq eval -i ".parameters.vshnLdap.serviceId = \"${LDAP_ID}\"" \
+yq eval -i ".parameters.vshnKeycloak.clientId = \"${KEYCLOAK_CLIENT_ID}\"" \
   ${CLUSTER_ID}.yml
 
 # Configure Git author information for the CI pipeline
diff --git a/docs/modules/ROOT/partials/install/register.adoc b/docs/modules/ROOT/partials/install/register.adoc
index c7f16fd5..c3d4c768 100644
--- a/docs/modules/ROOT/partials/install/register.adoc
+++ b/docs/modules/ROOT/partials/install/register.adoc
@@ -7,16 +7,29 @@ Use the following endpoint for Lieutenant:
 VSHN:: https://api.syn.vshn.net
 ****
 
-=== Set up LDAP service
+=== Set up Keycloak client
 
-. Create an LDAP service
+. Create a new Keycloak client with the following settings:
 +
-Use https://control.vshn.net/vshn/services/_create to create a service.
+[source]
+----
+Client ID = ocp_<customer>_<c-cluster-id> <1>
+Access Type = confidential
+Valid Redirect URIs = https://oauth-openshift.apps.cluster-id.tld/oauth2callback/VSHN <2>
+Base URL = https://console-openshift-console.apps.cluster-id.tld/ <3>
+----
+<1> Create a separate client for each cluster.
+The client ID shall use the format `ocp_<customer-name>_<cluster-id>`.
+<2> The Redirect URI assumes that the authentication method in the OpenShift cluster is named `VSHN`.
+<3> Adjust the Base URL to match the desired web console URL of your cluster.
++
+Use https://TBD to create a client.
 The name must contain the customer and the cluster name.
-And then put the LDAP service ID in the following variable:
+
+. Save the Keycloak client details (client ID and secret) in the following variables for subsequent steps.
 +
 [source,bash]
 ----
-export LDAP_ID="Your_LDAP_ID_here"
-export LDAP_PASSWORD="Your_LDAP_pw_here"
+export KEYCLOAK_CLIENT_ID="Your_client_ID_here"
+export KEYCLOAK_CLIENT_SECRET="Your_client_secret"
 ----