Dear All,
I have been thinking about a possible solution regarding our recent issues with Jenkins account management, and one of them would be to replace
accounts.jenkins.io with Keycloak.
It doesn't seem to be difficult to maintain, and all data is stored in an RDS database on AWS, so I wouldn't be too concerned about the risk of losing data.
Note that, considering the amount of services that rely on LDAP, I am not planning to remove it anytime soon.
Basically we have access to two interfaces: one for administrators (only available from the VPN) and a second one for users, which would replace
accounts.jenkins.io.
It's the same workflow as before, and even better. It supports many different validation mechanisms, like validating your email address or having a password policy, etc.
We can easily manage users, etc.
We **could** use GitHub identities to log in to our systems, but it's not part of my testing at the moment.
I opened a pull request here, if you want to give some feedback.
For those people who have VPN access, you can test the workflow here using your Jenkins account or by creating a new one.
You'll notice that you will have to validate your email address; it's on purpose, as I prefer not to trust our LDAP database content.
Also if some of you already have experience managing Keycloak servers, I would be glad to have a discussion to know more about potential pitfalls.
The next step is to identify whether it scales easily and whether I can enable high availability.
It's an experimental project, so I cannot guarantee that I won't restart or delete the service in the coming days.
Best,
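Added example (not part of the original message, and not code from the Jenkins infra project): a small audit script for the account-security settings the message relies on, i.e. mandatory email verification for self-registered accounts and a password policy. It reads a Keycloak realm export (the JSON produced by the admin console's partial export) and reports settings that would undermine those goals. The realm keys used (`verifyEmail`, `registrationAllowed`, `duplicateEmailsAllowed`, `bruteForceProtected`, `sslRequired`, `passwordPolicy`) are Keycloak's realm representation fields; the two realm documents and the minimum password length are constructed for this example.

```python
"""Audit a Keycloak realm export for account-security settings.

Constructed example: the realm JSON below is made up for illustration.
The key names are those of Keycloak's realm representation (the JSON you
get from "Partial export" in the admin console or from kc.sh export).
"""
import json
import re

# Constructed threshold for this example; Keycloak ships without a policy.
MIN_PASSWORD_LENGTH = 12

# Constructed realm export, trimmed to the fields the audit inspects.
REALM_EXPORT_OK = json.dumps({
    "realm": "jenkins",
    "enabled": True,
    "sslRequired": "external",
    "registrationAllowed": True,
    "verifyEmail": True,
    "resetPasswordAllowed": True,
    "loginWithEmailAllowed": True,
    "duplicateEmailsAllowed": False,
    "bruteForceProtected": True,
    "passwordPolicy": "length(12) and notUsername and passwordHistory(3)",
})

# Constructed realm export with the settings a fresh test realm tends to have.
REALM_EXPORT_WEAK = json.dumps({
    "realm": "jenkins-test",
    "enabled": True,
    "sslRequired": "none",
    "registrationAllowed": True,
    "verifyEmail": False,
    "duplicateEmailsAllowed": True,
    "bruteForceProtected": False,
})

# One policy term: a provider id with an optional parenthesised argument.
_TERM_RE = re.compile(r"^(\w+)(?:\(([^)]*)\))?$")


def parse_password_policy(policy: str) -> dict:
    """Parse Keycloak's policy string, e.g. 'length(12) and notUsername',
    into {'length': '12', 'notUsername': None}."""
    terms = {}
    for raw in policy.split(" and "):
        raw = raw.strip()
        if not raw:
            continue
        match = _TERM_RE.match(raw)
        if not match:
            raise ValueError(f"unparseable policy term: {raw!r}")
        terms[match.group(1)] = match.group(2)
    return terms


def audit_realm(export_json: str) -> list:
    """Return a list of human-readable findings; an empty list means the
    realm satisfies every check in this script."""
    realm = json.loads(export_json)
    name = realm.get("realm", "<unnamed>")
    findings = []

    # Self-registration without email verification lets anyone claim an
    # address they do not control; the message makes verification mandatory.
    if realm.get("registrationAllowed") and not realm.get("verifyEmail"):
        findings.append(f"{name}: registrationAllowed is on but verifyEmail is off")
    if realm.get("duplicateEmailsAllowed"):
        findings.append(f"{name}: duplicateEmailsAllowed is on (email no longer identifies one user)")
    if not realm.get("bruteForceProtected"):
        findings.append(f"{name}: bruteForceProtected is off (no lockout on repeated failures)")
    # Keycloak's default for sslRequired is "external"; "none" allows plain HTTP logins.
    if realm.get("sslRequired", "external") == "none":
        findings.append(f"{name}: sslRequired is 'none'")

    policy = realm.get("passwordPolicy")
    if not policy:
        findings.append(f"{name}: no passwordPolicy set")
    else:
        terms = parse_password_policy(policy)
        length = int(terms.get("length") or 0)
        if length < MIN_PASSWORD_LENGTH:
            findings.append(f"{name}: passwordPolicy length {length} is below {MIN_PASSWORD_LENGTH}")
        if "notUsername" not in terms:
            findings.append(f"{name}: passwordPolicy does not forbid username as password")
    return findings


if __name__ == "__main__":
    for export in (REALM_EXPORT_OK, REALM_EXPORT_WEAK):
        for finding in audit_realm(export) or ["no findings"]:
            print(finding)
```

Run it against a real export with `python audit.py < realm-export.json` after swapping the constructed strings for `sys.stdin.read()`; the checks are deliberately limited to realm-level flags, so the admin interface being reachable only over the VPN (a network control, not a realm setting) still has to be verified separately.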