

Run keycloak-oidc-client-config inside the osism-ansible container (#371
)

Signed-off-by: Christian Berendt <[email protected]>
berendt authored Feb 17, 2024
1 parent 701ab2a commit 44a9f29
Showing 1 changed file with 20 additions and 24 deletions.
44 changes: 20 additions & 24 deletions playbooks/infrastructure/keycloak-oidc-client-config.yml
@@ -1,22 +1,17 @@
---
- name: Configure OIDC Client for Keystone
hosts: "{{ hosts_manager|default('manager') }}"
gather_facts: false
- name: Configure OIDC client for Keystone
hosts: localhost
connection: local

vars:
keycloak_namespace: "keycloak"
operator_user: dragon

keycloak_kcadm_binary: "/opt/keycloak/bin/kcadm.sh"
keycloak_realm: "osism"
keycloak_url: "https://keycloak.testbed.osism.xyz/auth/"
keycloak_url_internal: "http://localhost:8080/auth/"
keycloak_service_container_name: "keycloak-keycloakx-0"

keycloak_ldap_storage_provider_component_name: "ldap-provider"
keycloak_ldap_user: "keycloak-user"
keycloak_ldap_binddn: "uid={{ keycloak_ldap_user }},{{ ldap_users }}"

keycloak_admin_id: "admin"
keycloak_key_provider_component_name: "rsa-for-keystone"

Expand All @@ -30,10 +25,10 @@
keystone_logout_url: https://api.testbed.osism.xyz:5000/redirect_uri?logout=backchannel
keystone_logout_redirect_url: https://api.testbed.osism.xyz:5000/redirect_uri?logout=https://api.testbed.osism.xyz:5000/logout

keycloak_private_key_file_path: "{{ configuration_directory }}/environments/infrastructure/files/keycloak/private_key.pem"
keycloak_private_key_file_path: /opt/configuration/environments/infrastructure/files/keycloak/private_key.pem
keycloak_private_key_data: "{{ lookup('file', keycloak_private_key_file_path)| regex_replace('\n', '\\\\n') }}"

keycloak_certificate_file_path: "{{ configuration_directory }}/environments/infrastructure/files/keycloak/cert.crt"
keycloak_certificate_file_path: /opt/configuration/environments/infrastructure/files/keycloak/cert.crt
keycloak_certificate_data: "{{ lookup('file', keycloak_certificate_file_path)| regex_replace('\n', '\\\\n') }}"

tasks:
Expand All @@ -58,7 +53,7 @@
--user "{{ keycloak_admin_id }}"
--password "{{ keycloak_admin_secret }}"
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
changed_when: false
run_once: true
no_log: true
Expand All @@ -69,7 +64,7 @@
{{ keycloak_kcadm_binary }}
get realms --fields id
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: available_realms_json
changed_when: false
run_once: true
Expand All @@ -88,7 +83,7 @@
--set realm="{{ keycloak_realm }}"
--set enabled=true
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: keycloak_realm not in available_realms
run_once: true
changed_when: true
Expand All @@ -101,7 +96,7 @@
--query clientId={{ keystone_client_id }}
--fields id,clientId
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: available_clients_json
changed_when: false
run_once: true
Expand Down Expand Up @@ -130,7 +125,7 @@
--set 'attributes."backchannel.logout.session.required"="true"'
--set 'attributes."backchannel.logout.url"="{{ keystone_logout_url }}"'
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: keystone_client_id not in available_clients
run_once: true
no_log: true
Expand All @@ -146,7 +141,7 @@
--format csv
--noquotes
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: internal_client_id_json
changed_when: false
run_once: true
Expand All @@ -164,7 +159,7 @@
--target-realm {{ keycloak_realm }}
--fields name
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: available_mappers_json
changed_when: false
run_once: true
Expand All @@ -191,7 +186,7 @@
--set 'config."user.attribute"="{{ item }}"'
--set 'config."claim.name"="{{ item }}"'
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: item not in available_mappers
loop:
- "openstack-user-domain"
Expand All @@ -207,7 +202,7 @@
--query name="{{ keycloak_key_provider_component_name }}"
--fields name
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: available_components_json
changed_when: false
run_once: true
Expand All @@ -233,7 +228,7 @@
--set "config.privateKey=[\"{{ keycloak_private_key_data }}\"]"
--set "config.certificate=[\"{{ keycloak_certificate_data }}\"]"
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: keycloak_key_provider_component_name not in available_components
run_once: true
no_log: true
Expand All @@ -246,7 +241,7 @@
get users --target-realm {{ keycloak_realm }}
--fields username
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
register: available_users_json
changed_when: false
run_once: true
Expand All @@ -267,7 +262,7 @@
--set enabled=true
--set "attributes.openstack-default-project=test"
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: "'alice' not in available_users"
changed_when: true

Expand All @@ -279,7 +274,7 @@
--username=alice
--new-password=password
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: "'alice' not in available_users"
changed_when: true

Expand All @@ -290,6 +285,7 @@
-cacerts -importcert -alias ca-cert -file /etc/pki/ca-trust/extracted/pem/ca-cert.pem
-storepass "changeit" -noprompt
environment:
KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
KUBECONFIG: /share/kubeconfig
when: "'alice' not in available_users"
changed_when: true
ignore_errors: true # noqa: ignore-errors
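Review bot: The new `KUBECONFIG: /share/kubeconfig` value is repeated verbatim in every task's `environment:` block across all hunks of this file (starting at the hunk at `@@ -58,7 +53,7 @@`), which makes the path a maintenance hazard if the container mount ever changes; since the play now runs on `localhost` with `connection: local`, the same effect is achieved once with a play-level `environment:` directly under `gather_facts: false`, e.g. `environment:` / `  KUBECONFIG: /share/kubeconfig`, after which the per-task blocks can be dropped. The same applies to the two file paths in the `@@ -30,10 +25,10 @@` hunk, where replacing `{{ configuration_directory }}` with the literal `/opt/configuration` removes the caller's ability to point the play at another configuration checkout; keeping them as vars with a default, e.g. `keycloak_private_key_file_path: "{{ configuration_directory | default('/opt/configuration') }}/environments/infrastructure/files/keycloak/private_key.pem"`, preserves the old override. Both `/share/kubeconfig` and `/opt/configuration` are presumably bind-mounted into the osism-ansible container, but nothing on this page shows that, so a short comment above the play stating that assumption, e.g. `# Runs inside the osism-ansible container: expects /share/kubeconfig and /opt/configuration to be mounted there`, would help the next reader. Each task body starts outside its hunk, so whether every task still carries `no_log: true` where the private key or admin password is interpolated into the command line cannot be confirmed from here.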
