diff --git a/playbooks/infrastructure/keycloak-oidc-client-config.yml b/playbooks/infrastructure/keycloak-oidc-client-config.yml
index 7a8d9c33..7fc8005d 100644
--- a/playbooks/infrastructure/keycloak-oidc-client-config.yml
+++ b/playbooks/infrastructure/keycloak-oidc-client-config.yml
@@ -1,11 +1,10 @@
 ---
-- name: Configure OIDC Client for Keystone
- hosts: "{{ hosts_manager|default('manager') }}"
- gather_facts: false
+- name: Configure OIDC client for Keystone
+ hosts: localhost
+ connection: local
 vars:
 keycloak_namespace: "keycloak"
- operator_user: dragon
 keycloak_kcadm_binary: "/opt/keycloak/bin/kcadm.sh"
 keycloak_realm: "osism"
@@ -13,10 +12,6 @@
 keycloak_url_internal: "http://localhost:8080/auth/"
 keycloak_service_container_name: "keycloak-keycloakx-0"
- keycloak_ldap_storage_provider_component_name: "ldap-provider"
- keycloak_ldap_user: "keycloak-user"
- keycloak_ldap_binddn: "uid={{ keycloak_ldap_user }},{{ ldap_users }}"
-
 keycloak_admin_id: "admin"
 keycloak_key_provider_component_name: "rsa-for-keystone"
@@ -30,10 +25,10 @@
 keystone_logout_url: https://api.testbed.osism.xyz:5000/redirect_uri?logout=backchannel
 keystone_logout_redirect_url: https://api.testbed.osism.xyz:5000/redirect_uri?logout=https://api.testbed.osism.xyz:5000/logout
- keycloak_private_key_file_path: "{{ configuration_directory }}/environments/infrastructure/files/keycloak/private_key.pem"
+ keycloak_private_key_file_path: /opt/configuration/environments/infrastructure/files/keycloak/private_key.pem
 keycloak_private_key_data: "{{ lookup('file', keycloak_private_key_file_path)| regex_replace('\n', '\\\\n') }}"
- keycloak_certificate_file_path: "{{ configuration_directory }}/environments/infrastructure/files/keycloak/cert.crt"
+ keycloak_certificate_file_path: /opt/configuration/environments/infrastructure/files/keycloak/cert.crt
 keycloak_certificate_data: "{{ lookup('file', keycloak_certificate_file_path)| regex_replace('\n', '\\\\n') }}"
 tasks:
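Review bot: The rewritten play header drops `gather_facts: false`, so with `hosts: localhost` every run now gathers facts before the first task, although nothing in the visible hunks reads `ansible_facts`. If the rest of the play does not need facts either, keep `gather_facts: false` directly under the new `connection: local` line; it removes a setup pass from each run for free. The play's `vars:` block continues past this hunk.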
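Review bot: The new `keycloak_private_key_file_path` and `keycloak_certificate_file_path` values hard-code `/opt/configuration`, whereas the removed lines derived the location from `configuration_directory`; the play now only works where the configuration repository is mounted at exactly that path, and since both files are read by `lookup('file', ...)` on the controller, a different mount fails at variable evaluation with a lookup error rather than a clear message. Keeping the variable with a default covers both cases: `keycloak_private_key_file_path: "{{ configuration_directory | default('/opt/configuration') }}/environments/infrastructure/files/keycloak/private_key.pem"`, with the same form for the certificate path. The `vars:` block this hunk belongs to starts before it.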
@@ -58,7 +53,7 @@
 --user "{{ keycloak_admin_id }}"
 --password "{{ keycloak_admin_secret }}"
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 changed_when: false
 run_once: true
 no_log: true
@@ -69,7 +64,7 @@
 {{ keycloak_kcadm_binary }} get realms
 --fields id
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: available_realms_json
 changed_when: false
 run_once: true
@@ -88,7 +83,7 @@
 --set realm="{{ keycloak_realm }}"
 --set enabled=true
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: keycloak_realm not in available_realms
 run_once: true
 changed_when: true
@@ -101,7 +96,7 @@
 --query clientId={{ keystone_client_id }}
 --fields id,clientId
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: available_clients_json
 changed_when: false
 run_once: true
@@ -130,7 +125,7 @@
 --set 'attributes."backchannel.logout.session.required"="true"'
 --set 'attributes."backchannel.logout.url"="{{ keystone_logout_url }}"'
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: keystone_client_id not in available_clients
 run_once: true
 no_log: true
@@ -146,7 +141,7 @@
 --format csv
 --noquotes
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: internal_client_id_json
 changed_when: false
 run_once: true
@@ -164,7 +159,7 @@
 --target-realm {{ keycloak_realm }}
 --fields name
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: available_mappers_json
 changed_when: false
 run_once: true
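Review bot: The same `KUBECONFIG: /share/kubeconfig` literal is now repeated in the `environment:` stanza of every task this commit touches (this hunk and the hunks at -69, -88, -101, -130, -146, -164, -191, -207, -233, -246, -267, -279 and -290), so a future move of the kubeconfig means editing fourteen places and missing one silently falls back to the default kubeconfig lookup. Since the whole play now runs on localhost, a play-level `environment:` with `KUBECONFIG: /share/kubeconfig` next to `connection: local` would cover all of them and the per-task stanzas could go; if some task outside these hunks must not inherit it, a single `kubeconfig_path` var referenced from each task is the fallback. The tasks these hunks belong to all start outside the hunks.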
@@ -191,7 +186,7 @@
 --set 'config."user.attribute"="{{ item }}"'
 --set 'config."claim.name"="{{ item }}"'
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: item not in available_mappers
 loop:
 - "openstack-user-domain"
@@ -207,7 +202,7 @@
 --query name="{{ keycloak_key_provider_component_name }}"
 --fields name
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: available_components_json
 changed_when: false
 run_once: true
@@ -233,7 +228,7 @@
 --set "config.privateKey=[\"{{ keycloak_private_key_data }}\"]"
 --set "config.certificate=[\"{{ keycloak_certificate_data }}\"]"
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: keycloak_key_provider_component_name not in available_components
 run_once: true
 no_log: true
@@ -246,7 +241,7 @@
 get users --target-realm {{ keycloak_realm }}
 --fields username
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 register: available_users_json
 changed_when: false
 run_once: true
@@ -267,7 +262,7 @@
 --set enabled=true
 --set "attributes.openstack-default-project=test"
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: "'alice' not in available_users"
 changed_when: true
@@ -279,7 +274,7 @@
 --username=alice
 --new-password=password
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: "'alice' not in available_users"
 changed_when: true
@@ -290,6 +285,7 @@
 -cacerts -importcert -alias ca-cert -file /etc/pki/ca-trust/extracted/pem/ca-cert.pem -storepass "changeit" -noprompt
 environment:
- KUBECONFIG: "/home/{{ operator_user }}/.kube/config"
+ KUBECONFIG: /share/kubeconfig
 when: "'alice' not in available_users"
 changed_when: true
+ ignore_errors: true # noqa: ignore-errors
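Review bot: The `ignore_errors: true` added at the end of the last hunk (-290) swallows every failure of the keytool CA import, including a missing `-file` path or an unwritable cacerts store, so the play reports success while whatever in the pod relies on that trust store has no CA entry; and because the task is gated on the existing `when: "'alice' not in available_users"`, a failed import is never retried once the user exists. If the intent is only to tolerate re-importing an alias that is already present, register the result and fail on anything else: `register: keytool_import` and `failed_when: keytool_import.rc != 0 and 'already exists' not in keytool_import.stderr` (keytool's duplicate-alias error contains that phrase as far as I recall; confirm against the actual output). The `# noqa: ignore-errors` suppression then becomes unnecessary. The task definition starts before this hunk.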