|
|
@@ -0,0 +1,228 @@
|
|
|
+---
|
|
|
+- name: is there already a subscription?
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: operators.coreos.com/v1alpha1
|
|
|
+ kind: subscription
|
|
|
+ namespace: openshift-sso
|
|
|
+ name: rhsso
|
|
|
+ register: sub
|
|
|
+
|
|
|
+- name: oi - is there already an operator?
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: operators.coreos.com/v1alpha1
|
|
|
+ kind: clusterserviceversion
|
|
|
+ namespace: openshift-sso
|
|
|
+ name: "{{ sub.resources[0].status.installedCSV }}"
|
|
|
+ register: csv
|
|
|
+ when:
|
|
|
+ - sub.resources is defined
|
|
|
+ - (sub.resources | length) > 0
|
|
|
+ - sub.resources[0].spec.name == "rhsso-operator"
|
|
|
+ - sub.resources[0].status.installedCSV is defined
|
|
|
+
|
|
|
+- name: assert csv is there
|
|
|
+ set_fact:
|
|
|
+ csv_is_there: true
|
|
|
+
|
|
|
+- name: reset the above fact if not the case
|
|
|
+ set_fact:
|
|
|
+ csv_is_there: false
|
|
|
+ when: (csv is not defined) or (csv.resources is not defined) or (csv.resources | length == 0) or (csv.resources[0].status.phase != "Succeeded")
|
|
|
+
|
|
|
+- name: is there a rhsso pod?
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: v1
|
|
|
+ kind: pod
|
|
|
+ namespace: openshift-sso
|
|
|
+ label_selectors:
|
|
|
+ - app = keycloak
|
|
|
+ - component = keycloak
|
|
|
+ register: rhsso_pod
|
|
|
+
|
|
|
+- name: assert central is there
|
|
|
+ set_fact:
|
|
|
+ rhsso_is_there: true
|
|
|
+
|
|
|
+- name: reset the above fact if not the case
|
|
|
+ set_fact:
|
|
|
+ rhsso_is_there: false
|
|
|
+ when: (rhsso_pod is not defined) or (rhsso_pod.resources is not defined) or (rhsso_pod.resources | length == 0) or (rhsso_pod.resources[0].status.phase != "Running")
|
|
|
+
|
|
|
+#- name: is there anyone home at the api endpoint?
|
|
|
+
|
|
|
+- name: create ns, og, and sub
|
|
|
+ kubernetes.core.k8s:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ template: templates/rhsso-ns-and-sub.yml
|
|
|
+ when: not csv_is_there
|
|
|
+
|
|
|
+- name: wait until csv is there and ready
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: operators.coreos.com/v1alpha1
|
|
|
+ kind: clusterserviceversion
|
|
|
+ name: rhsso-operator.{{ sso_z }}
|
|
|
+ namespace: openshift-sso
|
|
|
+ when: not csv_is_there
|
|
|
+ register: csv
|
|
|
+ until: (csv.resources | length) > 0 and csv.resources[0].status.phase == "Succeeded"
|
|
|
+ retries: 30
|
|
|
+ delay: 5
|
|
|
+
|
|
|
+- name: deploy cr
|
|
|
+ kubernetes.core.k8s:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ src: files/rhsso-cr.yml
|
|
|
+ when: not rhsso_is_there
|
|
|
+
|
|
|
+- name: wait for rhsso pod to be up
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: v1
|
|
|
+ kind: pod
|
|
|
+ namespace: openshift-sso
|
|
|
+ label_selectors:
|
|
|
+ - app = keycloak
|
|
|
+ - component = keycloak
|
|
|
+ when: not rhsso_is_there
|
|
|
+ register: rhsso_pod
|
|
|
+ until: (rhsso_pod.resources | length) > 0 and rhsso_pod.resources[0].status.phase == "Running"
|
|
|
+ retries: 30
|
|
|
+ delay: 5
|
|
|
+
|
|
|
+- name: look up route
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: route.openshift.io/v1
|
|
|
+ kind: route
|
|
|
+ namespace: openshift-sso
|
|
|
+ name: keycloak
|
|
|
+ register: rhsso_route
|
|
|
+
|
|
|
+- assert:
|
|
|
+ that: rhsso_route.resources | length > 0
|
|
|
+ fail_msg: "ERROR: RHSSO seems to be there, but route is not present."
|
|
|
+ success_msg: "OK, got route to RHSSO."
|
|
|
+
|
|
|
+- name: store route hostname as fact
|
|
|
+ set_fact:
|
|
|
+ rhsso_ep: "{{ rhsso_route.resources[0].spec.host }}"
|
|
|
+
|
|
|
+- name: store the api endpoint in a file
|
|
|
+ copy:
|
|
|
+ dest: "{{ ansible_facts['user_dir'] }}/rhsso-endpoint"
|
|
|
+ content: "https://{{ rhsso_ep }}/auth/admin"
|
|
|
+
|
|
|
+- name: look up secret
|
|
|
+ k8s_info:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ api_version: v1
|
|
|
+ kind: secret
|
|
|
+ namespace: openshift-sso
|
|
|
+ name: credential-rhsso
|
|
|
+ register: rhsso_secret
|
|
|
+
|
|
|
+- assert:
|
|
|
+ that: rhsso_secret.resources | length > 0
|
|
|
+ fail_msg: "ERROR: RHSSO seems to be there, but auth secret is not present."
|
|
|
+ success_msg: "OK, got secret to RHSSO."
|
|
|
+
|
|
|
+- name: store rhsso pass as fact
|
|
|
+ set_fact:
|
|
|
+ rhsso_pass: "{{ rhsso_secret.resources[0].data.ADMIN_PASSWORD }}"
|
|
|
+
|
|
|
+- name: store the password in a file
|
|
|
+ copy:
|
|
|
+ dest: "{{ ansible_facts['user_dir'] }}/rhsso-password"
|
|
|
+ content: "{{ rhsso_pass | string | b64decode }}"
|
|
|
+
|
|
|
+- name: (re)apply the realm if necessary
|
|
|
+ kubernetes.core.k8s:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ src: files/rhsso-realm.yml
|
|
|
+
|
|
|
+- name: (re)apply the client if necessary
|
|
|
+ kubernetes.core.k8s:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ src: files/rhsso-client.yml
|
|
|
+ apply: yes
|
|
|
+
|
|
|
+# TODO: MAKE SURE RHSSO IS UP AND RESPONDING!
|
|
|
+
|
|
|
+- name: get an auth token
|
|
|
+ uri:
|
|
|
+ method: POST
|
|
|
+ return_content: true
|
|
|
+ validate_certs: false
|
|
|
+ url: "https://{{ rhsso_ep }}/auth/realms/master/protocol/openid-connect/token"
|
|
|
+ headers:
|
|
|
+ Accept: application/json
|
|
|
+ body: "client_id=admin-cli&username=admin&password={{ rhsso_pass | string | b64decode }}&grant_type=password"
|
|
|
+ register: rhsso_token_rsp
|
|
|
+
|
|
|
+- assert:
|
|
|
+ that: rhsso_token_rsp.json is defined and rhsso_token_rsp.json.access_token is defined
|
|
|
+ fail_msg: "ERROR: Failed to obtain authentication token from RHSSO."
|
|
|
+ success_msg: "OK, got auth token; proceeding."
|
|
|
+
|
|
|
+- name: store the token as a fact
|
|
|
+ set_fact:
|
|
|
+ rhsso_token: "{{ rhsso_token_rsp.json.access_token }}"
|
|
|
+
|
|
|
+- name: get existing group list
|
|
|
+ uri:
|
|
|
+ method: GET
|
|
|
+ return_content: true
|
|
|
+ validate_certs: false
|
|
|
+ url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
|
|
|
+ headers:
|
|
|
+ Authorization: Bearer {{ rhsso_token }}
|
|
|
+ Accept: application/json
|
|
|
+ register: rhsso_groups_raw
|
|
|
+
|
|
|
+- name: store existing groups as a list
|
|
|
+ set_fact:
|
|
|
+ rhsso_groups: "{{ rhsso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"
|
|
|
+
|
|
|
+- name: create groups
|
|
|
+ uri:
|
|
|
+ method: POST
|
|
|
+ return_content: true
|
|
|
+ validate_certs: false
|
|
|
+ url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
|
|
|
+ headers:
|
|
|
+ Authorization: Bearer {{ rhsso_token }}
|
|
|
+ Accept: application/json
|
|
|
+ Content-Type: application/json
|
|
|
+ body: '{"name": "{{ item | string }}"}'
|
|
|
+ status_code:
|
|
|
+ - 200
|
|
|
+ - 201
|
|
|
+ loop:
|
|
|
+ - admins
|
|
|
+ - analysts
|
|
|
+ - cicd
|
|
|
+ - reporters
|
|
|
+ - developers
|
|
|
+ when: item not in rhsso_groups.keys()
|
|
|
+
|
|
|
+- name: create the users
|
|
|
+ kubernetes.core.k8s:
|
|
|
+ kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
|
|
|
+ validate_certs: no
|
|
|
+ template: templates/rhsso-users.yml
|
|
|
+...
|
