
fix client, create realmRoles and assign them in many ways, wait for sso ready

Grega Bremec 2 jaren geleden
bovenliggende
commit
3bbd13b74d

+ 22 - 4
roles/deploy-rhsso/files/rhsso-client.yml

@@ -14,13 +14,29 @@ spec:
     secret: averysecretsecret
     defaultClientScopes:
       - email
-      - offline_access
+      - web-origins
+      - acr
       - profile
       - roles
+    optionalClientScopes:
+      - address
+      - phone
+      - offline_access
+      - microprofile-jwt
     protocolMappers:
+      - name: "realm roles"
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-realm-role-mapper
+        consentRequired: false
+        config:
+          "multivalued": "true"
+          "userinfo.token.claim": "true"
+          "access.token.claim": "true"
+          "claim.name": "realm_access.roles"
+          "jsonType.label": "String"
       - name: groups
         protocol: openid-connect
-        protocolMapper: oidc-usermodel-client-role-mapper
+        protocolMapper: oidc-usermodel-realm-role-mapper
         consentRequired: false
         config:
           "multivalued": "true"
@@ -28,9 +44,11 @@ spec:
           "access.token.claim": "true"
           "claim.name": "groups"
           "jsonType.label": "JSON"
-          "usermodel.clientRoleMapping.clientId": "rhacs"
-    implicitFlowEnabled: True
     standardFlowEnabled: True
+    directAccessGrantsEnabled: True
+    frontChannelLogout: True
+    fullScopeAllowed: True
+    implicitFlowEnabled: True
     redirectUris:
       - https://central-rhacs.apps.ocp4.example.com/sso/providers/oidc/callback
       - https://central-rhacs.apps.ocp4.example.com/auth/response/oidc
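Review bot: The newly added `directAccessGrantsEnabled: True` turns on the resource-owner-password grant for this client, which the redirect-based login described by `redirectUris` does not need; combined with the static client secret visible in the context line, anyone holding that secret plus a user's password can mint tokens without ever passing through the SSO UI, so unless another part of the role relies on the password grant this should be `directAccessGrantsEnabled: False`, and `implicitFlowEnabled: True` should stay only if the RHACS callback mode in use actually requires the deprecated implicit flow. Separately, the `groups` mapper now uses `oidc-usermodel-realm-role-mapper`, so the `groups` claim will carry realm role names rather than group membership; if the consumer expects group membership, `oidc-group-membership-mapper` is the mapper for that claim, and with `fullScopeAllowed: True` the new `realm roles` mapper may also duplicate what the built-in `roles` scope already emits as `realm_access.roles` (worth checking in a decoded token). The `spec` mapping these keys belong to starts before the first hunk.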

+ 94 - 2
roles/deploy-rhsso/tasks/main.yml

@@ -161,7 +161,21 @@
     src: files/rhsso-client.yml
     apply: yes
 
-# TODO: MAKE SURE RHSSO IS UP AND RESPONDING!
+- name: make sure rhsso pod is ready
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
+    validate_certs: no
+    api_version: v1
+    kind: pod
+    namespace: openshift-sso
+    label_selectors:
+      - app = keycloak
+      - component = keycloak
+  when: not rhsso_is_there
+  register: rhsso_pod
+  until: (rhsso_pod.resources | length) > 0 and rhsso_pod.resources[0].status.containerStatuses[0].ready
+  retries: 60
+  delay: 5
 
 - name: get an auth token
   uri:
@@ -171,6 +185,7 @@
     url: "https://{{ rhsso_ep }}/auth/realms/master/protocol/openid-connect/token"
     headers:
       Accept: application/json
+      Content-Type: application/x-www-form-urlencoded
     body_format: json
     body: "client_id=admin-cli&username=admin&password={{ rhsso_pass | string | b64decode }}&grant_type=password"
   register: rhsso_token_rsp
@@ -184,6 +199,44 @@
   set_fact:
     rhsso_token: "{{ rhsso_token_rsp.json.access_token }}"
 
+- name: get existing role list
+  uri:
+    method: GET
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/roles"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+  register: rhsso_roles_raw
+
+- name: store existing roles as a list
+  set_fact:
+    rhsso_roles: "{{ rhsso_roles_raw.json | items2dict(key_name='name', value_name='id') }}"
+
+- name: create roles
+  uri:
+    method: POST
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/roles"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+      Content-Type: application/json
+    body_format: json
+    body: '{"name": "{{ item | string }}"}'
+    status_code:
+      - 200
+      - 201
+  loop:
+    - admins
+    - analysts
+    - cicd
+    - reporters
+    - developers
+  when: item not in rhsso_roles.keys()
+
 - name: get existing group list
   uri:
     method: GET
@@ -210,7 +263,7 @@
       Accept: application/json
       Content-Type: application/json
     body_format: json
-    body: '{"name": "{{ item | string }}"}'
+    body: '{"name": "{{ item | string }}" }'
     status_code:
       - 200
       - 201
@@ -222,6 +275,45 @@
     - developers
   when: item not in rhsso_groups.keys()
 
+- name: retrieve group list again
+  uri:
+    method: GET
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+  register: rhsso_groups_raw
+
+- name: reformat existing groups as a list
+  set_fact:
+    rhsso_groups: "{{ rhsso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"
+
+# XXX for some dumbass reason realmRoles assignment won't stick, either when creating or updating XXX
+- name: assign realm roles
+  uri:
+    method: POST
+    return_content: true
+    validate_certs: false
+    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
+    headers:
+      Authorization: Bearer {{ rhsso_token }}
+      Accept: application/json
+      Content-Type: application/json
+    body_format: json
+    body: '{"id": "{{ rhsso_groups[item] }}", "name": "{{ item | string }}", "realmRoles": [ "{{ item | string }}" ]}'
+    status_code:
+      - 200
+      - 201
+      - 204
+  loop:
+    - admins
+    - analysts
+    - cicd
+    - reporters
+    - developers
+
 - name: create the users
   kubernetes.core.k8s:
     kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
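Review bot: The `assign realm roles` task POSTs a new group representation to `/admin/realms/rhacs/groups` for a group that `create groups` just created, so Keycloak will either reject the duplicate name with a 409 (not in `status_code`, failing the play) or ignore the `realmRoles` field, which matches the `XXX` comment about the mapping not sticking; realm role mappings for a group are set through the group's `role-mappings/realm` sub-resource with a list of role representations, not through the group body. Because `rhsso_roles` is read before `create roles` runs, the role ids that body needs are missing on a first run, so the role list must be re-read the way the group list is re-read in `retrieve group list again`. Also worth raising: the master-realm admin password travels in the `get an auth token` body and every one of these `uri` calls sets `validate_certs: false`, so a spoofed `rhsso_ep` would harvest both the admin credential and the bearer token; the endpoint should be verified against the cluster CA instead. The readiness `until` indexes `status.containerStatuses[0]`, which is absent while the pod is still Pending, so the expression can error instead of retrying; `(rhsso_pod.resources[0].status.containerStatuses | default([])) | map(attribute='ready') | first | default(false)` is a safer form.
```yaml
- name: retrieve role list again
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/roles"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
  register: rhsso_roles_raw

- name: reformat existing roles as a map
  set_fact:
    rhsso_roles: "{{ rhsso_roles_raw.json | items2dict(key_name='name', value_name='id') }}"

- name: assign realm roles
  uri:
    method: POST
    # … unchanged: return_content / validate_certs / headers as in the other uri tasks …
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups/{{ rhsso_groups[item] }}/role-mappings/realm"
    body_format: json
    body: '[{"id": "{{ rhsso_roles[item] }}", "name": "{{ item | string }}"}]'
    # … unchanged: status_code list and loop over the five group names …
```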

+ 4 - 0
roles/deploy-rhsso/templates/rhsso-users.yml

@@ -22,6 +22,10 @@ items:
         email: {{ user.name }}@example.com
         enabled: True
         emailVerified: True
+        realmRoles:
+{% for role in user.roles %}
+          - {{ role }}
+{% endfor %}
         groups:
 {% for role in user.roles %}
           - {{ role }}
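Review bot: The new `realmRoles` block grants every entry of `user.roles` directly to the user, while the unchanged `groups` loop right below puts the same user into a group of the same name, so each role is now attached twice and removing a user from a group no longer revokes the role; if the direct grant only exists because the group-to-role mapping in tasks/main.yml is not taking effect, mark it as such with `# realmRoles duplicated here until the group→role mapping works; remove once it does` and drop it when that is fixed. The rendered value `- {{ role }}` is unquoted, so a role name that looks like a boolean or number would be mistyped by the YAML parser; `- "{{ role }}"` avoids that. The `items` entry these keys belong to starts before the hunk.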