decisions(2): record operator SSO-provider policy — keycloak DEFAULT for all recipe OIDC; authentik NOT a Phase-2 DONE gate (enroll only if a recipe REQUIRES it); cryptpad OIDC under keycloak; narrow DEFERRED #9 authentik re-entry trigger

2026-05-29 09:09:38 +01:00
parent 779fb8917c
commit 1537a928d5
2 changed files with 24 additions and 4 deletions

@ -706,3 +706,21 @@ DEFERRED.md 2026-05-29). Until then, heavy recipes are verified via their maxima
(install+backup+restore+custom) with the upgrade tier flagged as a genuine env-level (disk) blocker
per plan §7.1 (Adversary sign-off required). The cleanup runbook for an over-full host: `pkill -f
run_recipe_ci.py`; `docker stack rm <leftover>`; remove its volumes+secrets; `docker image prune -f`.
## SSO-provider policy (operator, 2026-05-29) — keycloak is the DEFAULT; authentik is NOT a DONE gate
Standing policy for all Phase-2 (and later) recipe OIDC/SSO testing:
- **keycloak is the default SSO provider.** Default ALL recipe OIDC tests to keycloak (live-warm WC1).
- **Do NOT test authentik↔keycloak integration**, and do NOT enroll authentik merely to "prove
pluggability" / second-provider coverage. **Phase-2 DONE is NOT gated on authentik.**
- Enroll authentik + add `setup_authentik_realm` (the provider-pluggable backend in
`runner/harness/sso.py`) **ONLY if a recipe genuinely REQUIRES authentik** (cannot work under
keycloak). If it works with keycloak, use keycloak.
- **cryptpad:** its recipe-maintainer upstream SSO test uses authentik, but cc-ci tests cryptpad's OIDC
under **keycloak** (equally valid). Same for any recipe whose upstream happens to use authentik but
functions fine under keycloak.
- The OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already
provider-agnostic; only realm/client SETUP is provider-specific, and we only need the keycloak setup
(`setup_keycloak_realm`) unless/until a recipe forces authentik.
Consequences: DEFERRED #9 (authentik enrollment) re-entry trigger narrowed to "a recipe requires
authentik"; F2-7 (authentik backend) is not a DONE blocker. plan-sso-dep-testing.md §6 updated by the
orchestrator to match.
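Review bot: the statement `- The OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already provider-agnostic` holds only where the provider actually exposes the resource-owner password grant to the test client (in Keycloak this is the per-client `directAccessGrantsEnabled` setting), so the policy text should say that `setup_keycloak_realm` enables it on the realm's test client, otherwise a recipe test that fails under keycloak for that reason could be misread as "requires authentik". Related: the narrowed DEFERRED #9 trigger, "a recipe requires authentik", should name what counts as evidence (a documented protocol or claim requirement the keycloak setup cannot satisfy, not the upstream maintainer's provider choice, which the cryptpad bullet already rules out), so that `ONLY if a recipe genuinely REQUIRES authentik` is a checkable gate rather than a judgement call.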