partial rhsso deploy role; todos pending

deploy-rhsso.yml

@@ -0,0 +1,11 @@
+---
+- name: Make sure RHSSO is deployed and configured
+  hosts: workstation.lab.example.com
+  gather_subset: min
+  become: no
+  roles:
+#    - role: check-env
+#      tags: check
+    - role: deploy-rhsso
+      tags: deploy
+...

roles/deploy-rhsso/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+sso_channel: stable
+sso_z: 7.5.1-opr-010
+sso_users:
+  - name: johndoe
+    first: John
+    last: Doe
+    roles:
+      - admins
+  - name: janedoe
+    first: Jane
+    last: Doe
+    roles:
+      - analysts
+  - name: tomjones
+    first: Tom
+    last: Jones
+    roles:
+      - cicd
+  - name: joanthomas
+    first: Joan
+    last: Thomas
+    roles:
+      - reporters
+...

roles/deploy-rhsso/files/rhsso-client.yml

@@ -0,0 +1,36 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakClient
+metadata:
+  name: rhacs-client
+  namespace: openshift-sso
+  labels:
+    app: sso
+spec:
+  realmSelector:
+     matchLabels:
+      app: sso
+  client:
+    clientId: rhacs
+    secret: averysecretsecret
+    defaultClientScopes:
+      - email
+      - offline_access
+      - profile
+      - roles
+    protocolMappers:
+      - name: groups
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-client-role-mapper
+        consentRequired: false
+        config:
+          "multivalued": "true"
+          "userinfo.token.claim": "true"
+          "access.token.claim": "true"
+          "claim.name": "groups"
+          "jsonType.label": "JSON"
+          "usermodel.clientRoleMapping.clientId": "rhacs"
+    implicitFlowEnabled: True
+    standardFlowEnabled: True
+    redirectUris:
+      - https://central-rhacs.apps.ocp4.example.com/sso/providers/oidc/callback
+      - https://central-rhacs.apps.ocp4.example.com/auth/response/oidc

roles/deploy-rhsso/files/rhsso-cr.yml

@@ -0,0 +1,11 @@
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+  namespace: openshift-sso
+  name: rhsso
+  labels:
+    app: sso
+spec:
+  instances: 1
+  externalAccess:
+    enabled: True

roles/deploy-rhsso/files/rhsso-realm.yml

@@ -0,0 +1,16 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+  name: rhacs-realm
+  namespace: openshift-sso
+  labels:
+    app: sso
+spec:
+  instanceSelector:
+    matchLabels:
+      app: sso
+  realm:
+    id: rhacs
+    realm: rhacs
+    enabled: True
+    displayName: "RHACS Realm"

roles/deploy-rhsso/tasks/main.yml

@@ -0,0 +1,228 @@
+---
+- name: is there already a subscription?
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: subscription
+    namespace: openshift-sso
+    name: rhsso
+  register: sub
+
+- name: oi - is there already an operator?
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: clusterserviceversion
+    namespace: openshift-sso
+    name: "{{ sub.resources[0].status.installedCSV }}"
+  register: csv
+  when:
+    - sub.resources is defined
+    - (sub.resources | length) > 0
+    - sub.resources[0].spec.name == "rhsso-operator"
+    - sub.resources[0].status.installedCSV is defined
+
+- name: assert csv is there
+  set_fact:
+    csv_is_there: true
+
+- name: reset the above fact if not the case
+  set_fact:
+    csv_is_there: false
+  when: (csv is not defined) or (csv.resources is not defined) or (csv.resources | length == 0) or (csv.resources[0].status.phase != "Succeeded")
+
+- name: is there a rhsso pod?
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: v1
+    kind: pod
+    namespace: openshift-sso
+    label_selectors:
+      - app = keycloak
+      - component = keycloak
+  register: rhsso_pod
+
+- name: assert central is there
+  set_fact:
+    rhsso_is_there: true
+
+- name: reset the above fact if not the case
+  set_fact:
+    rhsso_is_there: false
+  when: (rhsso_pod is not defined) or (rhsso_pod.resources is not defined) or (rhsso_pod.resources | length == 0) or (rhsso_pod.resources[0].status.phase != "Running")
+
+#- name: is there anyone home at the api endpoint?
+
+- name: create ns, og, and sub
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    template: templates/rhsso-ns-and-sub.yml
+  when: not csv_is_there
+
+- name: wait until csv is there and ready
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: operators.coreos.com/v1alpha1
+    kind: clusterserviceversion
+    name: rhsso-operator.{{ sso_z }}
+    namespace: openshift-sso
+  when: not csv_is_there
+  register: csv
+  until: (csv.resources | length) > 0 and csv.resources[0].status.phase == "Succeeded"
+  retries: 30
+  delay: 5
+
+- name: deploy cr
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    src: files/rhsso-cr.yml
+  when: not rhsso_is_there
+
+- name: wait for rhsso pod to be up
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: v1
+    kind: pod
+    namespace: openshift-sso
+    label_selectors:
+      - app = keycloak
+      - component = keycloak
+  when: not rhsso_is_there
+  register: rhsso_pod
+  until: (rhsso_pod.resources | length) > 0 and rhsso_pod.resources[0].status.phase == "Running"
+  retries: 30
+  delay: 5
+
+- name: look up route
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: route.openshift.io/v1
+    kind: route
+    namespace: openshift-sso
+    name: keycloak
+  register: rhsso_route
+
+- assert:
+    that: rhsso_route.resources | length > 0
+    fail_msg: "ERROR: RHSSO seems to be there, but route is not present."
+    success_msg: "OK, got route to RHSSO."
+
+- name: store route hostname as fact
+  set_fact:
+    rhsso_ep: "{{ rhsso_route.resources[0].spec.host }}"
+
+- name: store the api endpoint in a file
+  copy:
+    dest: "{{ ansible_facts['user_dir'] }}/rhsso-endpoint"
+    content: "https://{{ rhsso_ep }}/auth/admin"
+
+- name: look up secret
+  k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: openshift-sso
+    name: credential-rhsso
+  register: rhsso_secret
+
+- assert:
+    that: rhsso_secret.resources | length > 0
+    fail_msg: "ERROR: RHSSO seems to be there, but auth secret is not present."
+    success_msg: "OK, got secret to RHSSO."
+
+- name: store rhsso pass as fact
+  set_fact:
+    rhsso_pass: "{{ rhsso_secret.resources[0].data.ADMIN_PASSWORD }}"
+
+- name: store the password in a file
+  copy:
+    dest: "{{ ansible_facts['user_dir'] }}/rhsso-password"
+    content: "{{ rhsso_pass | string | b64decode }}"
+
+- name: (re)apply the realm if necessary
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    src: files/rhsso-realm.yml
+
+- name: (re)apply the client if necessary
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    src: files/rhsso-client.yml
+    apply: yes
+
+# TODO: MAKE SURE RHSSO IS UP AND RESPONDING!
+
+- name: get an auth token
+  uri:
+    method: POST
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/realms/master/protocol/openid-connect/token"
+    headers:
+      Accept: application/json
+    body: "client_id=admin-cli&username=admin&password={{ rhsso_pass | string | b64decode }}&grant_type=password"
+  register: rhsso_token_rsp
+
+- assert:
+    that: rhsso_token_rsp.json is defined and rhsso_token_rsp.json.access_token is defined
+    fail_msg: "ERROR: Failed to obtain authentication token from RHSSO."
+    success_msg: "OK, got auth token; proceeding."
+
+- name: store the token as a fact
+  set_fact:
+    rhsso_token: "{{ rhsso_token_rsp.json.access_token }}"
+
+- name: get existing group list
+  uri:
+    method: GET
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+  register: rhsso_groups_raw
+
+- name: store existing groups as a list
+  set_fact:
+    rhsso_groups: "{{ rhsso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"
+
+- name: create groups
+  uri:
+    method: POST
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+      Content-Type: application/json
+    body: '{"name": "{{ item | string }}"}'
+    status_code:
+      - 200
+      - 201
+  loop:
+    - admins
+    - analysts
+    - cicd
+    - reporters
+    - developers
+  when: item not in rhsso_groups.keys()
+
+- name: create the users
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    template: templates/rhsso-users.yml
+...

roles/deploy-rhsso/templates/rhsso-ns-and-sub.yml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: openshift-sso
+- apiVersion: operators.coreos.com/v1
+  kind: OperatorGroup
+  metadata:
+    namespace: openshift-sso
+    name: rhsso
+  spec:
+    targetNamespaces:
+      - openshift-sso
+- apiVersion: operators.coreos.com/v1alpha1
+  kind: Subscription
+  metadata:
+    namespace: openshift-sso
+    name: rhsso
+  spec:
+    sourceNamespace: openshift-marketplace
+    source: redhat-operators
+    name: rhsso-operator
+    channel: "{{ sso_channel }}"
+    installPlanApproval: Automatic

roles/deploy-rhsso/templates/rhsso-users.yml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: List
+items:
+{% for user in sso_users %}
+  - apiVersion: keycloak.org/v1alpha1
+    kind: KeycloakUser
+    metadata:
+      name: user-{{ user.name }}
+      namespace: openshift-sso
+    spec:
+      realmSelector:
+        matchLabels:
+          app: sso
+      user:
+        username: {{ user.name }}
+        credentials:
+          - temporary: False
+            type: password
+            value: redhat
+        firstName: {{ user.first }}
+        lastName: {{ user.last }}
+        email: {{ user.name }}@example.com
+        enabled: True
+        emailVerified: True
+        groups:
+{% for role in user.roles %}
+          - {{ role }}
+{% endfor %}
+{% endfor %}