rht
/
ocp-ing-ichp-materials


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245
							---
# Ensures there is an instance of RHBoK running in a configurable namespace.
#
# Configures it with a realm, and some users.
#
# Required variables (some are supplied by defaults/main.yml):
#
# rhbk:
#   namespace:      namespace to deploy to (keycloak)
#   name:           name of the instance (sso)
#   replicas:       how many instances
#   fqdn:           fqdn of the route (hostname), detected if omitted
#   admin:          bootstrap admin credentials
#     username:       username (rhbk)
#     password:       password (secret)
#   db:             database-specific settings
#     image:          db server image
#     name:           database name (rhbk)
#     username:       database owner (rhbk)
#     password:       db owner's password (secret)
#     claim_modes:    volume claim template access modes, list (ReadWriteOnce)
#     storage_class:  storage class name, no default (omitted)
#     size:           pvc size (1Gi)
#     replicas:       how many instances (TODO ignored for now)
#   realm:          name of the realm (sample-realm)
#   users:          users to create in realm, no default (meaning no users)
#     - username:     required (as it is key)
#       password:     optional, defaults to "secret"
#       fullname:     optional, set to username if empty
#       email:        optional, set to username@example.com if empty
#
# NOTE: Must have an operator deployed in that namespace prior (use deploy-operators role for that).
#
- name: Tech hack. Prevent anything from blowing up because rhbk is defined somewhere, but not its structured contents.
  ansible.builtin.set_fact:
    rhbk:
      db: {}
  when:
    - rhbk.db is not defined

- name: Ensure there is a secret containing DB credentials in the project.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-db-auth"
    resource_definition:
      data:
        username: "{{ rhbk.db.username | default('rhbk') | b64encode }}"
        password: "{{ rhbk.db.password | default('secret') | b64encode }}"

# TODO: ensure that there is no STS to begin with, or if there is, verify that
#       only the allowed fields would change, if anything. Otherwise:
#
#         Forbidden: updates to statefulset spec for fields other than
#         'replicas', 'ordinals', 'template', 'updateStrategy',
#         'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are
#         forbidden
#
- name: Ensure there is a database sts in the project
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: apps/v1
    kind: statefulset
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-db"
    resource_definition:
      spec:
        # TODO: implement rhbk.db.replicas at some point?
        replicas: 1
        serviceName: "{{ rhbk.name | default('sso') }}-db"
        selector:
          matchLabels:
            app: "{{ rhbk.name | default('sso') }}-db"
        template:
          metadata:
            labels:
              app: "{{ rhbk.name | default('sso') }}-db"
          spec:
            containers:
              - name: "{{ rhbk.name | default('sso') }}-db"
                image: "{{ rhbk.db.image | default('registry.redhat.io/rhel9/postgresql-15:latest') }}"
                volumeMounts:
                  - mountPath: /var/lib/pgsql/data
                    name: "{{ rhbk.name | default('sso') }}-db-data"
                env:
                  - name: POSTGRESQL_USER
                    valueFrom:
                      secretKeyRef:
                        name: "{{ rhbk.name | default('sso') }}-db-auth"
                        key: username
                  - name: POSTGRESQL_PASSWORD
                    valueFrom:
                      secretKeyRef:
                        name: "{{ rhbk.name | default('sso') }}-db-auth"
                        key: password
                  - name: POSTGRESQL_DATABASE
                    value: "{{ rhbk.db.name | default('rhbk') }}"
        volumeClaimTemplates:
          - metadata:
              name: "{{ rhbk.name | default('sso') }}-db-data"
            spec:
              accessModes: "{{ rhbk.db.claim_modes | default(['ReadWriteOnce']) }}"
              storageClassName: "{{ rhbk.db.storage_class | default(omit) }}"
              resources:
                requests:
                  storage: "{{ rhbk.db.size | default('1Gi') }}"

- name: Ensure there is a service for the database as well
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: service
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-db"
    resource_definition:
      spec:
        selector:
          app: "{{ rhbk.name | default('sso') }}-db"
        type: LoadBalancer
        ports:
          - port: 5432
            targetPort: 5432
            protocol: TCP

- name: Ensure there is a secret containing Keycloak bootstrap credentials
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-auth"
    resource_definition:
      data:
        username: "{{ rhbk.admin.username | default('rhbk') | b64encode }}"
        password: "{{ rhbk.admin.password | default('secret') | b64encode }}"

- name: If there is no FQDN, check what the default domain is.
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: default_ingress
  when: rhbk.fqdn is not defined

- name: Set a fact that reflects either the FQDN as set, or a composition of vars and default ingress info.
  ansible.builtin.set_fact:
    rhbk_fqdn: "{{ rhbk.fqdn | default((rhbk.name | default('sso')) + '-' + (rhbk.namespace | default('keycloak')) + '.' + default_ingress.resources[0].status.domain) }}"

- name: Announce what hostname would be used.
  ansible.builtin.debug:
    msg: Using "https://{{ rhbk_fqdn }}" as the hostname.

# TODO: remember if there were changes, and force delete any non-ready pod?
- name: Lastly, make sure there is a Keycloak
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: k8s.keycloak.org/v2alpha1
    kind: keycloak
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}"
    resource_definition:
      spec:
        instances: "{{ rhbk.replicas | default(1) }}"
        db:
          vendor: postgres
          host: "{{ rhbk.name | default('sso') }}-db"
          database: "{{ rhbk.db.name | default('rhbk') }}"
          usernameSecret:
            name: "{{ rhbk.name | default('sso') }}-db-auth"
            key: username
          passwordSecret:
            name: "{{ rhbk.name | default('sso') }}-db-auth"
            key: password
        hostname:
          hostname: "https://{{ rhbk_fqdn }}"
          strict: false
          backchannelDynamic: true
        http:
          httpEnabled: true
          httpPort: 8080
          httpsPort: 8443
          tlsSecret: "{{ rhbk.name | default('sso') }}-tls"
        bootstrapAdmin:
          user:
            secret: "{{ rhbk.name | default('sso') }}-auth"
        ingress:
          enabled: false

- name: Wait for the service to show up.
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: service
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-service"
  register: rhbk_svc
  until:
    - rhbk_svc.resources is defined
    - (rhbk_svc.resources | length) > 0
  retries: 24
  delay: 5

- name: Ensure the service is correctly annotated.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: service
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}-service"
    state: patched
    resource_definition:
      metadata:
        annotations:
          service.beta.openshift.io/serving-cert-secret-name: "{{ rhbk.name | default('sso') }}-tls"

- name: Make sure there is a re-encrypt route.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: route.openshift.io/v1
    kind: route
    namespace: "{{ rhbk.namespace | default('keycloak') }}"
    name: "{{ rhbk.name | default('sso') }}"
    resource_definition:
      spec:
        to:
          kind: Service
          name: "{{ rhbk.name | default('sso') }}-service"
        port:
          targetPort: 8443
        tls:
          termination: reencrypt
...