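---
# Ensures there is an OIDC identity provider configured in OpenShift that uses
# a client defined in RHBK deployed by the deploy-rhbk role.
#
# Required variables (some are reused from the deploy-rhbk role):
#
# openshift:
#   rhbk_client_id: the name of a client above to use for authentication (default "openshift")
#   create_groups: whether to create the groups from the realm in OpenShift as well (default yes)
#
# rhbk:
#   namespace: namespace to deploy to (keycloak)
#   name: name of the instance (sso)
#   fqdn: fqdn of the route (hostname), detected if omitted
#   admin: bootstrap admin credentials
#     username: username (rhbk)
#     password: password (secret)
#   realm: name of the realm (sample-realm)
#   clients: []  a list of clients to create in the realm
#     - id: clientId
#       name: client (human readable) name (client.id)
#       secret: the client secret, if used
#   groups: []  groups to create, this time create them in OpenShift TODO
#
# TODO: prerequisite check:
#   - either a fqdn or an existing keycloak resource coordinates
#   - admin credentials
#
# Every API call below goes through tmp/kubeconfig-ocp4 with validate_certs
# disabled, i.e. the API server's TLS certificate is not checked by these tasks.

- name: Read the default ingresscontroller (router CA reference and cluster domain)
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: ingress_controller

- name: Check that the ingresscontroller's defaultCertificate is set
  ansible.builtin.assert:
    that:
      - (ingress_controller.resources | length) == 1
      - ingress_controller.resources[0].spec.defaultCertificate.name is defined
    fail_msg: "ERROR: ingresscontroller/default has no spec.defaultCertificate, the router CA cannot be located."
    success_msg: "OK: ingresscontroller/default has a defaultCertificate."

- name: Get the router's default CA content
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: "{{ ingress_controller.resources[0].spec.defaultCertificate.name }}"
  register: ingress_ca_secret
  # The TLS secret also carries tls.key; keep the whole result out of task output.
  no_log: true

- name: Store the CA cert as an actual fact
  ansible.builtin.set_fact:
    ingress_ca: "{{ ingress_ca_secret.resources[0].data['tls.crt'] }}"

- name: Check on oauth/cluster
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
  register: cluster_auth

- name: Make sure oauth/cluster starts with the expected HTPasswd provider
  ansible.builtin.assert:
    that:
      - (cluster_auth.resources | length) == 1
      - (cluster_auth.resources[0].spec.identityProviders | length) >= 1
      - cluster_auth.resources[0].spec.identityProviders[0].type == "HTPasswd"
    fail_msg: "ERROR: OpenShift cluster authentication is not configured correctly."
    success_msg: "OK: OpenShift cluster authentication is configured correctly."

- name: Set a fact that reflects either the FQDN as set, or a composition of vars and default ingress info.
  ansible.builtin.set_fact:
    # A conditional expression is used instead of default(): Jinja evaluates the
    # argument of default() eagerly, so the status.domain lookup would run even
    # when rhbk.fqdn is given. The domain comes from the ingresscontroller read
    # above, so no second API call is needed.
    rhbk_fqdn: >-
      {{ rhbk.fqdn
         if rhbk.fqdn is defined
         else (rhbk.name | default('sso')) + '-' + (rhbk.namespace | default('keycloak')) + '.' + ingress_controller.resources[0].status.domain }}

- name: Announce what hostname would be used.
  ansible.builtin.debug:
    msg: Using "https://{{ rhbk_fqdn }}" as the hostname.

- name: Make certain router CA CM exists in openshift-config
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: v1
    kind: configmap
    namespace: openshift-config
    name: sso-ingress-ca
    definition:
      metadata:
        labels:
          app: sso
      data:
        ca.crt: "{{ ingress_ca | string | b64decode }}"

- name: Look up the secret of the RHBK client used by OpenShift
  ansible.builtin.set_fact:
    # Appending '' keeps the [0] lookup from raising an index error when no
    # client with that id (or no secret on it) is listed; the assert below
    # then reports the real cause.
    rhbk_client_secret: >-
      {{ ((rhbk | community.general.json_query('clients[?id==`' + (openshift.rhbk_client_id | default('openshift')) + '`].secret')) + [''])[0] }}
  no_log: true

- name: Make sure that client and its secret are defined in rhbk.clients
  ansible.builtin.assert:
    that:
      - (rhbk_client_secret | length) > 0
    fail_msg: "ERROR: no client with id '{{ openshift.rhbk_client_id | default('openshift') }}' and a secret is defined in rhbk.clients."
    quiet: true

- name: Make certain client secret exists in openshift-config
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: sso-client-secret
    definition:
      metadata:
        labels:
          app: sso
      type: Opaque
      data:
        clientSecret: "{{ rhbk_client_secret | b64encode }}"
  # Hides the client secret from task/diff output; on failure re-run with
  # no_log off to see the API error.
  no_log: true

- name: Figure out what to do with oauth/cluster - option 1
  ansible.builtin.set_fact:
    oauth_op: add
    oauth_path: /spec/identityProviders/-
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 1

- name: Figure out what to do with oauth/cluster - option 2
  ansible.builtin.set_fact:
    oauth_op: replace
    oauth_path: /spec/identityProviders/1
  when:
    - (cluster_auth.resources[0].spec.identityProviders | length) == 2
    # Only replace the second entry when it is the provider this role manages.
    - cluster_auth.resources[0].spec.identityProviders[1].name == "oidc"

- name: Refuse an oauth/cluster layout these tasks do not understand
  ansible.builtin.assert:
    that:
      - oauth_op is defined
      - oauth_path is defined
    fail_msg: "ERROR: oauth/cluster must contain the HTPasswd provider, optionally followed by the 'oidc' provider managed here; not touching anything else."
    quiet: true

- name: Patch oauth/cluster
  kubernetes.core.k8s_json_patch:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
    patch:
      - op: "{{ oauth_op }}"
        path: "{{ oauth_path }}"
        value:
          name: oidc
          mappingMethod: claim
          type: OpenID
          openID:
            clientID: "{{ openshift.rhbk_client_id | default('openshift') }}"
            clientSecret:
              name: sso-client-secret
            ca:
              name: sso-ingress-ca
            claims:
              preferredUsername:
                - preferred_username
              name:
                - name
              email:
                - email
              groups:
                - groups
            issuer: "https://{{ rhbk_fqdn }}/realms/{{ rhbk.realm | default('sample-realm') }}"
  register: patched_oauth

- name: Wait for OAuth to rollout if the resource was patched.
  when: patched_oauth.changed
  block:
    # The Progressing condition status comes back from the API as the string
    # "True"/"False"; a non-empty string is truthy in a Jinja test, so it is
    # passed through | bool before (not) is applied. The fallback entry keeps
    # the [0] lookup valid while the condition is not present yet.
    - name: Wait for co/authentication to start progressing.
      kubernetes.core.k8s_info:
        kubeconfig: tmp/kubeconfig-ocp4
        validate_certs: false
        api_version: config.openshift.io/v1
        kind: clusteroperator
        name: authentication
      register: co_auth
      until:
        - co_auth.resources is defined
        - (co_auth.resources | length) == 1
        - (((co_auth.resources[0].status | community.general.json_query('conditions[?type==`Progressing`].status')) + ['False'])[0] | bool)
      retries: 24
      delay: 5

    - name: Wait for co/authentication to finish progressing.
      kubernetes.core.k8s_info:
        kubeconfig: tmp/kubeconfig-ocp4
        validate_certs: false
        api_version: config.openshift.io/v1
        kind: clusteroperator
        name: authentication
      register: co_auth
      until:
        - co_auth.resources is defined
        - (co_auth.resources | length) == 1
        - not (((co_auth.resources[0].status | community.general.json_query('conditions[?type==`Progressing`].status')) + ['True'])[0] | bool)
      retries: 24
      delay: 5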