| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301 |
- ---
- # Ensures there is an instance of RHBoK running in a configurable namespace.
- #
- # Configures it with a realm, and some users.
- #
- # Required variables (some are supplied by defaults/main.yml):
- #
- # rhbk:
- # namespace: namespace to deploy to (keycloak)
- # name: name of the instance (sso)
- # replicas: how many instances
- # fqdn: fqdn of the route (hostname), detected if omitted
- # admin: bootstrap admin credentials
- # username: username (rhbk)
- # password: password (secret)
- # db: database-specific settings
- # image: db server image
- # name: database name (rhbk)
- # username: database owner (rhbk)
- # password: db owner's password (secret)
- # claim_modes: volume claim template access modes, list (ReadWriteOnce)
- # storage_class: storage class name, no default (omitted)
- # size: pvc size (1Gi)
- # replicas: how many instances (TODO ignored for now)
- # realm: name of the realm (sample-realm)
- # users: users to create in realm, no default (meaning no users)
- # - username: required (as it is key)
- # password: optional, defaults to "secret"
- # fullname: optional, set to username if empty
- # email: optional, set to username@example.com if empty
- #
- # NOTE: Must have an operator deployed in that namespace prior (use deploy-operators role for that).
- #
- - name: Check if there is a namespace.
- kubernetes.core.k8s_info:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: namespace
- name: "{{ rhbk.namespace | default('keycloak') }}"
- register: prereq_ns
- - name: Fail if not so.
- ansible.builtin.assert:
- that:
- - prereq_ns.resources is defined
- - prereq_ns.resources | length == 1
- success_msg: "OK, namespace found."
- fail_msg: "FATAL: namespace to deploy ({{ rhbk.namespace | default('keycloak') }}) not found. Ensure there is an operator already present."
- # TODO: figure this out. probably look at subscription's CSV status attribute for name or something.
- - name: Check if there is a CSV in the namespace.
- kubernetes.core.k8s_info:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: operators.coreos.com/v1alpha1
- kind: clusterserviceversion
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- register: prereq_csv
- # TODO: figure this out.
- - name: Fail if not so.
- ansible.builtin.assert:
- that:
- - prereq_csv.resources is defined
- - prereq_csv.resources | length > 0
- - name: Tech hack. Prevent anything from blowing up because rhbk is defined somewhere, but not its structured contents.
- ansible.builtin.set_fact:
- rhbk: "{{ rhbk | default({}) | combine({ 'db': {} }) }}"
- when:
- - rhbk.db is not defined
- - name: Ensure there is a secret containing DB credentials in the project.
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: secret
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-db-auth"
- resource_definition:
- data:
- username: "{{ rhbk.db.username | default('rhbk') | b64encode }}"
- password: "{{ rhbk.db.password | default('secret') | b64encode }}"
- # TODO: ensure that there is no STS to begin with, or if there is, verify that
- # only the allowed fields would change, if anything. Otherwise:
- #
- # Forbidden: updates to statefulset spec for fields other than
- # 'replicas', 'ordinals', 'template', 'updateStrategy',
- # 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are
- # forbidden
- #
- - name: Ensure there is a database sts in the project
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: apps/v1
- kind: statefulset
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-db"
- resource_definition:
- spec:
- # TODO: implement rhbk.db.replicas at some point?
- replicas: 1
- serviceName: "{{ rhbk.name | default('sso') }}-db"
- selector:
- matchLabels:
- app: "{{ rhbk.name | default('sso') }}-db"
- template:
- metadata:
- labels:
- app: "{{ rhbk.name | default('sso') }}-db"
- spec:
- containers:
- - name: "{{ rhbk.name | default('sso') }}-db"
- image: "{{ rhbk.db.image | default('registry.redhat.io/rhel9/postgresql-15:latest') }}"
- volumeMounts:
- - mountPath: /var/lib/pgsql/data
- name: "{{ rhbk.name | default('sso') }}-db-data"
- env:
- - name: POSTGRESQL_USER
- valueFrom:
- secretKeyRef:
- name: "{{ rhbk.name | default('sso') }}-db-auth"
- key: username
- - name: POSTGRESQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: "{{ rhbk.name | default('sso') }}-db-auth"
- key: password
- - name: POSTGRESQL_DATABASE
- value: "{{ rhbk.db.name | default('rhbk') }}"
- volumeClaimTemplates:
- - metadata:
- name: "{{ rhbk.name | default('sso') }}-db-data"
- spec:
- accessModes: "{{ rhbk.db.claim_modes | default(['ReadWriteOnce']) }}"
- storageClassName: "{{ rhbk.db.storage_class | default(omit) }}"
- resources:
- requests:
- storage: "{{ rhbk.db.size | default('1Gi') }}"
- - name: Ensure there is a service for the database as well
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: service
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-db"
- resource_definition:
- spec:
- selector:
- app: "{{ rhbk.name | default('sso') }}-db"
- type: LoadBalancer
- ports:
- - port: 5432
- targetPort: 5432
- protocol: TCP
- - name: Ensure there is a secret containing Keycloak bootstrap credentials
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: secret
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-auth"
- resource_definition:
- data:
- username: "{{ rhbk.admin.username | default('rhbk') | b64encode }}"
- password: "{{ rhbk.admin.password | default('secret') | b64encode }}"
- - name: If there is no FQDN, check what the default domain is.
- kubernetes.core.k8s_info:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: operator.openshift.io/v1
- kind: ingresscontroller
- namespace: openshift-ingress-operator
- name: default
- register: default_ingress
- when: rhbk.fqdn is not defined
- - name: Set a fact that reflects either the FQDN as set, or a composition of vars and default ingress info.
- ansible.builtin.set_fact:
- rhbk_fqdn: "{{ rhbk.fqdn | default((rhbk.name | default('sso')) + '-' + (rhbk.namespace | default('keycloak')) + '.' + default_ingress.resources[0].status.domain) }}"
- - name: Announce what hostname would be used.
- ansible.builtin.debug:
- msg: Using "https://{{ rhbk_fqdn }}" as the hostname.
- # TODO: remember if there were changes, and force delete any non-ready pod?
- - name: Lastly, make sure there is a Keycloak
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: k8s.keycloak.org/v2alpha1
- kind: keycloak
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}"
- resource_definition:
- spec:
- instances: "{{ rhbk.replicas | default(1) }}"
- db:
- vendor: postgres
- host: "{{ rhbk.name | default('sso') }}-db"
- database: "{{ rhbk.db.name | default('rhbk') }}"
- usernameSecret:
- name: "{{ rhbk.name | default('sso') }}-db-auth"
- key: username
- passwordSecret:
- name: "{{ rhbk.name | default('sso') }}-db-auth"
- key: password
- hostname:
- hostname: "https://{{ rhbk_fqdn }}"
- strict: false
- backchannelDynamic: true
- http:
- httpEnabled: true
- httpPort: 8080
- httpsPort: 8443
- tlsSecret: "{{ rhbk.name | default('sso') }}-tls"
- bootstrapAdmin:
- user:
- secret: "{{ rhbk.name | default('sso') }}-auth"
- ingress:
- enabled: false
- - name: Wait for the service to show up.
- kubernetes.core.k8s_info:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: service
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-service"
- register: rhbk_svc
- until:
- - rhbk_svc.resources is defined
- - (rhbk_svc.resources | length) > 0
- retries: 24
- delay: 5
- - name: Ensure the service is correctly annotated.
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: v1
- kind: service
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-service"
- state: patched
- resource_definition:
- metadata:
- annotations:
- service.beta.openshift.io/serving-cert-secret-name: "{{ rhbk.name | default('sso') }}-tls"
- - name: Make sure there is a re-encrypt route.
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: route.openshift.io/v1
- kind: route
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}"
- resource_definition:
- spec:
- to:
- kind: Service
- name: "{{ rhbk.name | default('sso') }}-service"
- port:
- targetPort: 8443
- tls:
- termination: reencrypt
- insecureEdgeTerminationPolicy: Redirect
- - name: Check whether there is already a realm import CR
- kubernetes.core.k8s_info:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: k8s.keycloak.org/v2alpha1
- kind: keycloakrealmimport
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- register: realm_imports
- - name: If there are no realm imports, create one.
- block:
- - name: Apply a template realm import.
- kubernetes.core.k8s:
- kubeconfig: tmp/kubeconfig-ocp4
- validate_certs: no
- api_version: k8s.keycloak.org/v2alpha1
- kind: keycloakrealmimport
- namespace: "{{ rhbk.namespace | default('keycloak') }}"
- name: "{{ rhbk.name | default('sso') }}-{{ rhbk.realm | default('sample-realm') }}-import"
- template: templates/realm-import-template.yaml.j2
- ...
|
