acs-playbooks/roles/deploy-rhsso/tasks/main.yml

---
- name: is there already a subscription?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: subscription
    namespace: openshift-sso
    name: rhsso
  register: sub

- name: oi - is there already an operator?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: clusterserviceversion
    namespace: openshift-sso
    name: "{{ sub.resources[0].status.installedCSV }}"
  register: csv
  when:
    - sub.resources is defined
    - (sub.resources | length) > 0
    - sub.resources[0].spec.name == "rhsso-operator"
    - sub.resources[0].status.installedCSV is defined

- name: assert csv is there
  set_fact:
    csv_is_there: true

- name: reset the above fact if not the case
  set_fact:
    csv_is_there: false
  when: (csv is not defined) or (csv.resources is not defined) or (csv.resources | length == 0) or (csv.resources[0].status.phase != "Succeeded")

- name: is there a rhsso pod?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: openshift-sso
    label_selectors:
      - app = keycloak
      - component = keycloak
  register: rhsso_pod

- name: assert central is there
  set_fact:
    rhsso_is_there: true

- name: reset the above fact if not the case
  set_fact:
    rhsso_is_there: false
  when: (rhsso_pod is not defined) or (rhsso_pod.resources is not defined) or (rhsso_pod.resources | length == 0) or (rhsso_pod.resources[0].status.phase != "Running")

#- name: is there anyone home at the api endpoint?

- name: create ns, og, and sub
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    template: templates/rhsso-ns-and-sub.yml
  when: not csv_is_there

- name: wait until csv is there and ready
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: clusterserviceversion
    name: rhsso-operator.{{ sso_z }}
    namespace: openshift-sso
  when: not csv_is_there
  register: csv
  until: (csv.resources | length) > 0 and csv.resources[0].status.phase == "Succeeded"
  retries: 30
  delay: 5

- name: deploy cr
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    src: files/rhsso-cr.yml
  when: not rhsso_is_there

- name: wait for rhsso pod to be up
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: openshift-sso
    label_selectors:
      - app = keycloak
      - component = keycloak
  when: not rhsso_is_there
  register: rhsso_pod
  until: (rhsso_pod.resources | length) > 0 and rhsso_pod.resources[0].status.phase == "Running"
  retries: 30
  delay: 5

- name: look up route
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: route.openshift.io/v1
    kind: route
    namespace: openshift-sso
    name: keycloak
  register: rhsso_route

- assert:
    that: rhsso_route.resources | length > 0
    fail_msg: "ERROR: RHSSO seems to be there, but route is not present."
    success_msg: "OK, got route to RHSSO."

- name: store route hostname as fact
  set_fact:
    rhsso_ep: "{{ rhsso_route.resources[0].spec.host }}"

- name: store the api endpoint in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/rhsso-endpoint"
    content: "https://{{ rhsso_ep }}/auth/admin"

- name: look up secret
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-sso
    name: credential-rhsso
  register: rhsso_secret

- assert:
    that: rhsso_secret.resources | length > 0
    fail_msg: "ERROR: RHSSO seems to be there, but auth secret is not present."
    success_msg: "OK, got secret to RHSSO."

- name: store rhsso pass as fact
  set_fact:
    rhsso_pass: "{{ rhsso_secret.resources[0].data.ADMIN_PASSWORD }}"

- name: store the password in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/rhsso-password"
    content: "{{ rhsso_pass | string | b64decode }}"

- name: (re)apply the realm if necessary
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    src: files/rhsso-realm.yml

# TODO: wait for realm to reconcile

- name: (re)apply the client if necessary
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    src: files/rhsso-client.yml
    apply: yes

- name: make sure rhsso pod is ready
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: openshift-sso
    label_selectors:
      - app = keycloak
      - component = keycloak
  when: not rhsso_is_there
  register: rhsso_pod
  until: (rhsso_pod.resources | length) > 0 and rhsso_pod.resources[0].status.containerStatuses[0].ready
  retries: 60
  delay: 5

- name: get an auth token
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/realms/master/protocol/openid-connect/token"
    headers:
      Accept: application/json
      Content-Type: application/x-www-form-urlencoded
    body_format: json
    body: "client_id=admin-cli&username=admin&password={{ rhsso_pass | string | b64decode }}&grant_type=password"
  register: rhsso_token_rsp

- assert:
    that: rhsso_token_rsp.json is defined and rhsso_token_rsp.json.access_token is defined
    fail_msg: "ERROR: Failed to obtain authentication token from RHSSO."
    success_msg: "OK, got auth token; proceeding."

- name: store the token as a fact
  set_fact:
    rhsso_token: "{{ rhsso_token_rsp.json.access_token }}"

- name: get existing role list
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/roles"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
  register: rhsso_roles_raw

- name: store existing roles as a list
  set_fact:
    rhsso_roles: "{{ rhsso_roles_raw.json | items2dict(key_name='name', value_name='id') }}"

- name: create roles
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/roles"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
      Content-Type: application/json
    body_format: json
    body: '{"name": "{{ item | string }}"}'
    status_code:
      - 200
      - 201
  loop:
    - admins
    - analysts
    - cicd
    - reporters
    - developers
  when: item not in rhsso_roles.keys()

- name: get existing group list
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
  register: rhsso_groups_raw

- name: store existing groups as a list
  set_fact:
    rhsso_groups: "{{ rhsso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"

- name: create groups
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
      Content-Type: application/json
    body_format: json
    body: '{"name": "{{ item | string }}" }'
    status_code:
      - 200
      - 201
  loop:
    - admins
    - analysts
    - cicd
    - reporters
    - developers
  when: item not in rhsso_groups.keys()

- name: retrieve group list again
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
  register: rhsso_groups_raw

- name: reformat existing groups as a list
  set_fact:
    rhsso_groups: "{{ rhsso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"

# XXX for some dumbass reason realmRoles assignment won't stick, either when creating or updating XXX
- name: assign realm roles
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "https://{{ rhsso_ep }}/auth/admin/realms/rhacs/groups"
    headers:
      Authorization: Bearer {{ rhsso_token }}
      Accept: application/json
      Content-Type: application/json
    body_format: json
    body: '{"id": "{{ rhsso_groups[item] }}", "name": "{{ item | string }}", "realmRoles": [ "{{ item | string }}" ]}'
    status_code:
      - 200
      - 201
      - 204
  loop:
    - admins
    - analysts
    - cicd
    - reporters
    - developers

- name: create the users
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    template: templates/rhsso-users.yml
...