bcgov / DITP

Digital Identity and Trust Program Repository
Apache License 2.0

Move Traction OIDC capabilities over to digitaltrust-citz Keycloak realm #76

Closed loneil closed 11 months ago

loneil commented 12 months ago

Presently the OIDC capabilities of Traction (the Tenant UI, specifically) providing IDIR login use the custom Keycloak realm(s) digitaltrust-nrm. We don't need to use this realm for what we need, so we might as well just decommission it so that the SSO team has one less custom realm to track and administer.

The things the realm is used for are quite small, as the actual VC things the DITP team is doing are contained in another custom realm, digitaltrust-citz, so we can just cut the Traction needs over to that one.

Traction uses OIDC for

Steps to set up the digitaltrust-citz realm to meet the needs of the Traction Tenant UI. Do for dev, test, and prod.

  1. Add the public client used by the Tenant UI (can find existing example for test here). Can probably rename to "Traction-Frontend" so it's not "innkeeper" specific.
  2. Add an "Innkeeper" role (example)
  3. Add an Innkeeper group (just maps to the role, but nicer to add users to groups IMO. example)

Set up the Tenant UI config for each environment to reflect the new settings from above. In each config, find the oidc blocks in the frontend and server config blocks.

  1. For local/default, use the dev Keycloak env and set it in default.json. That's committed to the Traction repo.
  2. Update PR env. Same as local/dev. In traction code this is in values-pr.yaml
  3. Update dev env. In traction code this is in values-development.yaml. Merging to main will deploy the dev env and update the settings.
  4. Update Sandbox env. Same as dev. Config for this is at https://github.com/bcgov/trust-over-ip-configurations/blob/main/helm-values/traction/values-sandbox.yaml. Will require a redeploy of that helm to pick up values.
  5. Update Test env. Use test KC realm. Config is at https://github.com/bcgov/trust-over-ip-configurations/blob/main/helm-values/traction/values-test.yaml. Will need a redeploy, or coincide this with a version release?
  6. Update Prod env. Use prod KC realm. Config is at https://github.com/bcgov/trust-over-ip-configurations/blob/main/helm-values/traction/values-production.yaml. Will need a redeploy, or coincide this with a version release?

Decommission digitaltrust-nrm once everything is working. Tracking this separately as https://github.com/bcgov/DITP/issues/77
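The realm setup in steps 1-3 above (a public client for the browser-based Tenant UI, an innkeeper role, and a group that maps to that role) can be expressed as a Keycloak realm-import JSON fragment, which is what the realm-export-driven scripts mentioned later in this thread would consume. The following is an added example, not code from the DITP or Traction repositories: the client id `traction-frontend`, the role name `innkeeper`, the group name `Innkeeper` and the `example.invalid` URLs are assumptions, and the `check_public_client` function is a sanity check added here for settings a public SPA client should have (authorization code flow with PKCE, no implicit flow, no wildcard redirect URIs).

```python
"""Build and sanity-check a Keycloak realm-import fragment for a public
SPA client plus a realm role and a group mapped to that role.

Added example; not code from the DITP/Traction repositories. The names
traction-frontend, innkeeper, Innkeeper and the example.invalid URLs are
placeholders assumed for illustration, not values from the issue.
"""
import json
from typing import Any
from urllib.parse import urlparse


def build_realm_fragment(
    client_id: str,
    redirect_uris: list[str],
    web_origins: list[str],
    role_name: str,
    group_name: str,
) -> dict[str, Any]:
    """Return a partial realm export (Keycloak JSON import format) containing
    one public OIDC client, one realm role and one group mapped to that role."""
    return {
        "clients": [
            {
                "clientId": client_id,
                "enabled": True,
                "protocol": "openid-connect",
                # A browser SPA cannot keep a secret, so it is a public client
                "publicClient": True,
                "standardFlowEnabled": True,         # authorization code flow
                "implicitFlowEnabled": False,        # no tokens in the URL fragment
                "directAccessGrantsEnabled": False,  # no password grant for a SPA
                "redirectUris": redirect_uris,
                "webOrigins": web_origins,
                # Bind the authorization code to the browser that started the flow
                "attributes": {"pkce.code.challenge.method": "S256"},
            }
        ],
        "roles": {
            "realm": [{"name": role_name, "description": "Tenant UI innkeeper access"}]
        },
        # Users are added to the group; the group carries the realm role
        "groups": [{"name": group_name, "path": f"/{group_name}", "realmRoles": [role_name]}],
    }


def check_public_client(client: dict[str, Any]) -> list[str]:
    """Return findings for a public client definition; an empty list means the
    client has the settings a browser-based login client should have."""
    findings: list[str] = []
    if not client.get("publicClient", False):
        findings.append("client is confidential; a browser SPA cannot keep a secret")
    if client.get("implicitFlowEnabled", False):
        findings.append("implicit flow enabled; use authorization code + PKCE instead")
    if client.get("directAccessGrantsEnabled", False):
        findings.append("direct access grants enabled; password grant is not needed for a SPA")
    if client.get("attributes", {}).get("pkce.code.challenge.method") != "S256":
        findings.append("PKCE (S256) not enforced on a public client")
    for uri in client.get("redirectUris", []):
        if uri == "*":
            findings.append("redirect URI '*' lets any location receive the authorization code")
            continue
        parsed = urlparse(uri)
        if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"plain-http redirect URI outside localhost: {uri}")
    if "*" in client.get("webOrigins", []):
        findings.append("webOrigins '*' allows any origin to call the token endpoint from a browser")
    return findings


def fragment_as_json(fragment: dict[str, Any]) -> str:
    """Serialise the fragment the way a realm export file is laid out."""
    return json.dumps(fragment, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values; the real Tenant UI hostnames are not on the page
    fragment = build_realm_fragment(
        client_id="traction-frontend",
        redirect_uris=["https://tenant-ui.example.invalid/*", "http://localhost:5173/*"],
        web_origins=["https://tenant-ui.example.invalid", "http://localhost:5173"],
        role_name="innkeeper",
        group_name="Innkeeper",
    )
    print(fragment_as_json(fragment))
    print("findings:", check_public_client(fragment["clients"][0]))
```

The check is meant to run over the client object from a realm export (or the fragment above) before it is imported into dev, test and prod, so that a copy-paste between environments does not silently carry a wildcard redirect URI or drop the PKCE attribute.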

loneil commented 12 months ago

Probably question for @WadeBarnes or @esune if using the digitaltrust-citz realm means we should add any client/roles/etc added to any backup scripts/automation or any documentation or anything. Or ok to just go into console and set up as needed.

esune commented 12 months ago

We have historically - as far as I know - set everything up manually in the console since usually configurations are relatively simple and we have limited numbers of users/features relying on them. Do you know if there are automation tools to get these set-up tasks more automated, or was it just to make sure we keep things in sync if there were any?

loneil commented 12 months ago

> We have historically - as far as I know - set everything up manually in the console since usually configurations are relatively simple and we have limited numbers of users/features relying on them. Do you know if there are automation tools to get these set-up tasks more automated, or was it just to make sure we keep things in sync if there were any?

I know some teams have used realm exports and tied that into scripts for setting up envs and stuff, but no, generally I've just done the same with the console. Just noting that if there is any existing stuff like that for this realm we could keep it up to date.

WadeBarnes commented 12 months ago

@loneil, I have some thoroughly tested scripts and documentation for migrating clients from one realm to another here: https://github.com/bcgov/DITP-DevOps/blob/main/code/scripts/KeyCloak%20Migration.md

loneil commented 11 months ago

Planning for Week of Dec 11

loneil commented 11 months ago

Added KC config to CITZ realms (dev/test/prod) and tested them out. Dev/PR helm val changes deployed and Tenant UI update is in-place.

Sandbox/Test/Prod changes contained here https://github.com/bcgov/trust-over-ip-configurations/pull/176

loneil commented 11 months ago

Sandbox/Test/Prod helm updated to point at new KC realm. I've migrated my Innkeeper user over and can add anyone else to the group in those new realms as required.