Fix missing vault sso values (#2992)

* Fix missing vault sso values * Typo
mitodl · Feb 25, 2025 · be34489 · be34489
1 parent fc3f968
commit be34489
Showing 1 changed file with 205 additions and 1 deletion.
diff --git a/src/ol_infrastructure/substructure/keycloak/__main__.py b/src/ol_infrastructure/substructure/keycloak/__main__.py
@@ -1,18 +1,22 @@
 import json
+import secrets
 import urllib.request
 from functools import partial
 
 import pulumi_keycloak as keycloak
-from pulumi import Config, ResourceOptions
+import pulumi_vault as vault
+from pulumi import Config, Output, ResourceOptions
 
 from bridge.lib.magic_numbers import SECONDS_IN_ONE_DAY
 from ol_infrastructure.lib.pulumi_helper import parse_stack
+from ol_infrastructure.lib.vault import setup_vault_provider
 
 env_config = Config("environment")
 stack_info = parse_stack()
 env_name = f"{stack_info.env_prefix}-{stack_info.env_suffix}"
 keycloak_config = Config("keycloak")
 keycloak_realm_config = Config("keycloak_realm")
+setup_vault_provider()
 
 
 def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
@@ -715,6 +719,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
         client_id=olapps_unified_ecommerce_client.id,
         opts=resource_options,
     )
+olapps_unified_ecommerce_client_data = vault.generic.Secret(
+    "olapps-unified-ecommerce-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-unified-ecommerce-client",
+    data_json=Output.all(
+        url=olapps_unified_ecommerce_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=olapps_unified_ecommerce_client.client_id,
+        client_secret=olapps_unified_ecommerce_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=olapps_unified_ecommerce_client.realm_id,
+        realm_name="olapps",
+        realm_public_key=olapps_unified_ecommerce_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # Unified Ecommerce Client [END]
 
 # Learn AI [START]
@@ -759,6 +783,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
         client_id=olapps_learn_ai_client.id,
         opts=resource_options,
     )
+olapps_learn_ai_client_data = vault.generic.Secret(
+    "olapps-learn-ai-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-learn-ai-client",
+    data_json=Output.all(
+        url=olapps_learn_ai_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=olapps_learn_ai_client.client_id,
+        client_secret=olapps_learn_ai_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=olapps_learn_ai_client.realm_id,
+        realm_name="olapps",
+        realm_public_key=olapps_learn_ai_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # Learn AI [END]
 
 # MIT LEARN [START]
@@ -805,6 +849,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
                 client_id=olapps_mitlearn_client.id,
                 opts=resource_options,
             )
+    olapps_mitlearn_client_data = vault.generic.Secret(
+        "olapps-mitlearn-client-vault-oidc-credentials",
+        path="secret-operations/sso/ol-mitlearn-client",
+        data_json=Output.all(
+            url=olapps_mitlearn_client.realm_id.apply(
+                lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+            ),
+            client_id=olapps_mitlearn_client.client_id,
+            client_secret=olapps_mitlearn_client.client_secret,
+            # This is included for the case where we are using traefik-forward-auth.
+            # It requires a random secret value to be present which is independent
+            # of the OAuth credentials.
+            secret=secrets.token_urlsafe(),
+            realm_id=olapps_mitlearn_client.realm_id,
+            realm_name="olapps",
+            realm_public_key=olapps_mitlearn_client.realm_id.apply(
+                lambda realm_id: fetch_realm_public_key_partial(realm_id)
+            ),
+        ).apply(json.dumps),
+    )
 # MIT LEARN [END]
 
 # OPEN DISCUSSIONS [START]
@@ -824,6 +888,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
     ),
     opts=resource_options.merge(ResourceOptions(delete_before_replace=True)),
 )
+olapps_open_discussions_client_data = vault.generic.Secret(
+    "olapps-open-discussions-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-open-discussions-client",
+    data_json=Output.all(
+        url=olapps_open_discussions_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=olapps_open_discussions_client.client_id,
+        client_secret=olapps_open_discussions_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=olapps_open_discussions_client.realm_id,
+        realm_name="olapps",
+        realm_public_key=olapps_open_discussions_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # OPEN DISCUSSIONS [END]
 # OLAPPS REALM - OpenID Clients [START]
 
@@ -848,6 +932,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
     ),
     opts=resource_options.merge(ResourceOptions(delete_before_replace=True)),
 )
+ol_platform_engineering_airbyte_client_data = vault.generic.Secret(
+    "ol-platform-engineering-airbyte-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-platform-engineering-airbyte-client",
+    data_json=Output.all(
+        url=ol_platform_engineering_airbyte_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=ol_platform_engineering_airbyte_client.client_id,
+        client_secret=ol_platform_engineering_airbyte_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=ol_platform_engineering_airbyte_client.realm_id,
+        realm_name="ol-platform-engineering",
+        realm_public_key=ol_platform_engineering_airbyte_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # AIRBYTE [END] # noqa: ERA001
 
 # DAGSTER [START] # noqa: ERA001
@@ -869,6 +973,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
     ),
     opts=resource_options.merge(ResourceOptions(delete_before_replace=True)),
 )
+ol_platform_engineering_dagster_client_data = vault.generic.Secret(
+    "ol-platform-engineering-dagster-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-platform-engineering-dagster-client",
+    data_json=Output.all(
+        url=ol_platform_engineering_dagster_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=ol_platform_engineering_dagster_client.client_id,
+        client_secret=ol_platform_engineering_dagster_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=ol_platform_engineering_dagster_client.realm_id,
+        realm_name="ol-platform-engineering",
+        realm_public_key=ol_platform_engineering_dagster_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # DAGSTER [END] # noqa: ERA001
 
 # LEEK [START] # noqa: ERA001
@@ -890,6 +1014,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
     ),
     opts=resource_options.merge(ResourceOptions(delete_before_replace=True)),
 )
+ol_platform_engineering_leek_client_data = vault.generic.Secret(
+    "ol-platform-engineering-leek-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-platform-engineering-leek-client",
+    data_json=Output.all(
+        url=ol_platform_engineering_leek_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=ol_platform_engineering_leek_client.client_id,
+        client_secret=ol_platform_engineering_leek_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=ol_platform_engineering_leek_client.realm_id,
+        realm_name="ol-platform-engineering",
+        realm_public_key=ol_platform_engineering_leek_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # LEEK [END] # noqa: ERA001
 
 # VAULT [START] # noqa: ERA001
@@ -912,6 +1056,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
         ),
         opts=resource_options.merge(ResourceOptions(delete_before_replace=True)),
     )
+    ol_platform_engineering_vault_client_data = vault.generic.Secret(
+        "ol-platform-engineering-vault-client-vault-oidc-credentials",
+        path="secret-operations/sso/ol-platform-engineering-vault-client",
+        data_json=Output.all(
+            url=ol_platform_engineering_vault_client.realm_id.apply(
+                lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+            ),
+            client_id=ol_platform_engineering_vault_client.client_id,
+            client_secret=ol_platform_engineering_vault_client.client_secret,
+            # This is included for the case where we are using traefik-forward-auth.
+            # It requires a random secret value to be present which is independent
+            # of the OAuth credentials.
+            secret=secrets.token_urlsafe(),
+            realm_id=ol_platform_engineering_vault_client.realm_id,
+            realm_name="ol-platform-engineering",
+            realm_public_key=ol_platform_engineering_vault_client.realm_id.apply(
+                lambda realm_id: fetch_realm_public_key_partial(realm_id)
+            ),
+        ).apply(json.dumps),
+    )
 # VAULT [END] # noqa: ERA001
 # OL-PLATFORM-ENGINEERING REALM - OpenID Clients [END]
 
@@ -944,6 +1108,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
         client_id=ol_data_platform_superset_client.id,
         opts=resource_options,
     )
+ol_data_platform_superset_client_data = vault.generic.Secret(
+    "ol-data-platform-superset-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-data-platform-superset-client",
+    data_json=Output.all(
+        url=ol_data_platform_superset_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=ol_data_platform_superset_client.client_id,
+        client_secret=ol_data_platform_superset_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=ol_data_platform_superset_client.realm_id,
+        realm_name="ol-data-platform",
+        realm_public_key=ol_data_platform_superset_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # SUPERSET [END] # noqa: ERA001
 
 # OPENMETADATA [START] # noqa: ERA001
@@ -976,6 +1160,26 @@ def fetch_realm_public_key(keycloak_url: str, realm_id: str) -> str:
         client_id=ol_data_platform_openmetadata_client.id,
         opts=resource_options,
     )
+ol_data_platform_openmetadata_client_data = vault.generic.Secret(
+    "ol-data-platform-openmetadata-client-vault-oidc-credentials",
+    path="secret-operations/sso/ol-data-platform-openmetadata-client",
+    data_json=Output.all(
+        url=ol_data_platform_openmetadata_client.realm_id.apply(
+            lambda realm_id: f"{keycloak_url}/realms/{realm_id}"
+        ),
+        client_id=ol_data_platform_openmetadata_client.client_id,
+        client_secret=ol_data_platform_openmetadata_client.client_secret,
+        # This is included for the case where we are using traefik-forward-auth.
+        # It requires a random secret value to be present which is independent
+        # of the OAuth credentials.
+        secret=secrets.token_urlsafe(),
+        realm_id=ol_data_platform_openmetadata_client.realm_id,
+        realm_name="ol-data-platform",
+        realm_public_key=ol_data_platform_openmetadata_client.realm_id.apply(
+            lambda realm_id: fetch_realm_public_key_partial(realm_id)
+        ),
+    ).apply(json.dumps),
+)
 # OPENMETADATA [END] # noqa: ERA001
 
 # OL-DATA-PLATFORM REALM - OpenID Clients [END]