---
# A number of checks to be performed, but ultimately modify oauth/cluster with
# an additional identityProvider for OIDC.
#
- name: Check for the KeyCloak resource
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: keycloak.org/v1alpha1
kind: keycloak
namespace: rhsso
name: rhsso
register: sso_cr
- assert:
that:
- (sso_cr.resources | length) == 1
- sso_cr.resources[0].spec.externalAccess.enabled
- sso_cr.resources[0].status.ready
- sso_cr.resources[0].status.phase == "reconciling"
fail_msg: "ERROR: RHSSO instance is missing or not configured correctly."
success_msg: "OK: RHSSO instance is configured correctly."
- name: Store RHSSO URL as a fact
set_fact:
sso_url: "{{ sso_cr.resources[0].status.externalURL }}"
- name: Check for the realm resource
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: keycloak.org/v1alpha1
kind: keycloakrealm
namespace: rhsso
name: sample-realm
register: sso_realm
- assert:
that:
- (sso_realm.resources | length) == 1
- sso_realm.resources[0].spec.realm.id == "sample"
- sso_realm.resources[0].spec.realm.realm == "sample"
- sso_realm.resources[0].spec.realm.enabled
- sso_realm.resources[0].status.ready
- sso_realm.resources[0].status.phase == "reconciling"
fail_msg: "ERROR: RHSSO sample realm is missing or not configured correctly."
success_msg: "OK: RHSSO sample realm is configured correctly."
- name: Check that the client is configured correctly
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: keycloak.org/v1alpha1
kind: keycloakclient
namespace: rhsso
name: sample-client
register: sso_client
- assert:
that:
- (sso_client.resources | length) == 1
- sso_client.resources[0].spec.client.clientId == "sample-client"
- '"offline_access" in sso_client.resources[0].spec.client.defaultClientScopes'
- sso_client.resources[0].status.ready
- sso_client.resources[0].status.phase == "reconciling"
fail_msg: "ERROR: RHSSO sample-client is missing or not configured correctly."
success_msg: "OK: RHSSO sample-client is configured correctly."
- name: Store sample-client's secret name as a fact
set_fact:
sso_client_secret: "{{ sso_client.resources[0].status.secondaryResources.Secret[0] }}"
- name: Read the sample-client's actual secret
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: v1
kind: secret
namespace: rhsso
name: "{{ sso_client_secret }}"
register: sso_client_secret
- assert:
that:
- (sso_client_secret.resources | length) == 1
- sso_client_secret.resources[0].data.CLIENT_SECRET is defined
fail_msg: "ERROR: sample-client secret is missing."
success_msg: "OK: sample-client secret found."
- name: Store the secret as a fact
set_fact:
sso_client_secret: "{{ sso_client_secret.resources[0].data.CLIENT_SECRET }}"
- name: Check that the ingresscontroller's defaultCertificate is set
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: operator.openshift.io/v1
kind: ingresscontroller
namespace: openshift-ingress-operator
name: default
register: ingress_ca
- name: Get the router's default CA content
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: v1
kind: secret
namespace: openshift-config
name: "{{ ingress_ca.resources[0].spec.defaultCertificate.name }}"
register: ingress_ca
- name: Store the CA cert as an actual fact
set_fact:
ingress_ca: "{{ ingress_ca.resources[0].data['tls.crt'] }}"
- name: Check on oauth/cluster
k8s_info:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: config.openshift.io/v1
kind: oauth
name: cluster
register: cluster_auth
- assert:
that:
- (cluster_auth.resources | length) == 1
- (cluster_auth.resources[0].spec.identityProviders | length) >= 1
- cluster_auth.resources[0].spec.identityProviders[0].type == "HTPasswd"
fail_msg: "ERROR: OpenShift cluster authentication is not configured correctly."
success_msg: "OK: OpenShift cluster authentication is configured correctly."
- name: Make certain client secret exists in openshift-config
k8s:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: v1
kind: secret
namespace: openshift-config
name: sso-client-secret
definition:
metadata:
labels:
app: sso
type: Opaque
data:
clientSecret: "{{ sso_client_secret }}"
- name: Make certain router CA CM exists in openshift-config
k8s:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: v1
kind: configmap
namespace: openshift-config
name: sso-ingress-ca
definition:
metadata:
labels:
app: sso
data:
ca.crt: "{{ ingress_ca | string | b64decode }}"
- name: Figure out what to do with oauth/cluster - option 1
set_fact:
oauth_op: add
oauth_path: /spec/identityProviders/-
when: (cluster_auth.resources[0].spec.identityProviders | length) == 1
- name: Figure out what to do with oauth/cluster - option 2
set_fact:
oauth_op: replace
oauth_path: /spec/identityProviders/1
when: (cluster_auth.resources[0].spec.identityProviders | length) == 2
- name: Patch oauth/cluster
kubernetes.core.k8s_json_patch:
kubeconfig: tmp/kubeconfig-ocp4
validate_certs: no
api_version: config.openshift.io/v1
kind: oauth
name: cluster
patch:
- op: "{{ oauth_op }}"
path: "{{ oauth_path }}"
value:
name: oidc_sso
mappingMethod: claim
type: OpenID
openID:
clientID: sample-client
clientSecret:
name: sso-client-secret
ca:
name: sso-ingress-ca
claims:
preferredUsername:
- preferred_username
name:
- name
email:
- email
groups:
- groups
issuer: "{{ sso_url }}/auth/realms/sample"
# TODO: Wait for clusteroperator/authentication to stop progressing.
# TODO: Check that all keycloakuser (or all users?) have offline_access realm role?
...