rht
/
ocp-ing-ichp-materials


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
							---
# Ensures there is an OIDC identity provider configured in OpenShift, that uses
# a client defined in RHBK deployed by the deploy-rhbk role.
#
# Required variables (some are reused from deploy-rhbk role):
#
# openshift:
#   rhbk_client_id: the name of a client above to use for authentication
#   (default "openshift")
#
# rhbk:
#   namespace:      namespace to deploy to (keycloak)
#   name:           name of the instance (sso)
#   fqdn:           fqdn of the route (hostname), detected if omitted
#   admin:          bootstrap admin credentials
#     username:       username (rhbk)
#     password:       password (secret)
#   realm:          name of the realm (sample-realm)
#   clients:[]      a list of clients to create in the realm
#     - id:           clientId
#       name:         client (human readable) name (client.id)
#       secret:       the client secret, if used
#       base_url:     the base URL for redirects and other bits
#
# TODO: prerequisite check:
#   - either a fqdn or an existing keycloak resource coordinates
#   - admin credentials
#
- name: Check that the ingresscontroller's defaultCertificate is set
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: ingress_ca

- name: Get the router's default CA content
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: "{{ ingress_ca.resources[0].spec.defaultCertificate.name }}"
  register: ingress_ca

- name: Store the CA cert as an actual fact
  set_fact:
    ingress_ca: "{{ ingress_ca.resources[0].data['tls.crt'] }}"

- name: Check on oauth/cluster
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
  register: cluster_auth

- assert:
    that:
      - (cluster_auth.resources | length) == 1
      - (cluster_auth.resources[0].spec.identityProviders | length) >= 1
      - cluster_auth.resources[0].spec.identityProviders[0].type == "HTPasswd"
    fail_msg: "ERROR: OpenShift cluster authentication is not configured correctly."
    success_msg: "OK: OpenShift cluster authentication is configured correctly."

- name: If there is no FQDN, check what the default domain of the cluster is.
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: default_ingress
  when: rhbk.fqdn is not defined

- name: Set a fact that reflects either the FQDN as set, or a composition of vars and default ingress info.
  ansible.builtin.set_fact:
    rhbk_fqdn: "{{ rhbk.fqdn | default((rhbk.name | default('sso')) + '-' + (rhbk.namespace | default('keycloak')) + '.' + default_ingress.resources[0].status.domain) }}"

- name: Announce what hostname would be used.
  ansible.builtin.debug:
    msg: Using "https://{{ rhbk_fqdn }}" as the hostname.

- name: Make certain router CA CM exists in openshift-config
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: configmap
    namespace: openshift-config
    name: sso-ingress-ca
    definition:
      metadata:
        labels:
          app: sso
      data:
        ca.crt: "{{ ingress_ca | string | b64decode }}"

- name: Make certain client secret exists in openshift-config
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: sso-client-secret
    definition:
      metadata:
        labels:
          app: sso
      type: Opaque
      data:
        clientSecret: "{{ (rhbk | community.general.json_query('clients[?id==`' + (openshift.rhbk_client_id | default('openshift')) + '`].secret'))[0] | b64encode }}"

- name: Figure out what to do with oauth/cluster - option 1
  set_fact:
    oauth_op: add
    oauth_path: /spec/identityProviders/-
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 1

- name: Figure out what to do with oauth/cluster - option 2
  set_fact:
    oauth_op: replace
    oauth_path: /spec/identityProviders/1
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 2

- name: Patch oauth/cluster
  kubernetes.core.k8s_json_patch:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
    patch:
      - op: "{{ oauth_op }}"
        path: "{{ oauth_path }}"
        value:
          name: oidc
          mappingMethod: claim 
          type: OpenID
          openID:
            clientID: "{{ openshift.rhbk_client_id | default('openshift') }}"
            clientSecret: 
              name: sso-client-secret
            ca:
              name: sso-ingress-ca
            claims: 
              preferredUsername:
              - preferred_username
              name:
              - name
              email:
              - email
              groups:
              - groups
            issuer: "https://{{ rhbk_fqdn }}/realms/{{ rhbk.realm | default('sample-realm') }}"

## TODO: Wait for clusteroperator/authentication to stop progressing.
#
## TODO: Check that all keycloakuser (or all users?) have offline_access realm role?
...