rht
/
sso-playbooks


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
							---
# Ensures that there are also users, groups, and roles in the test realm.
- name: Check for the KeyCloak resource
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloak
    namespace: rhsso
    name: rhsso
  register: sso_cr

- assert:
    that:
      - (sso_cr.resources | length) == 1
      - sso_cr.resources[0].status.ready
      - sso_cr.resources[0].status.phase == "reconciling"
    fail_msg: "ERROR: RHSSO instance is missing or not configured correctly."
    success_msg: "OK: RHSSO instance is configured correctly."

- name: Store RHSSO URL as a fact
  set_fact:
    sso_url: "{{ sso_cr.resources[0].status.externalURL }}"

- name: Check for the realm resource
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloakrealm
    namespace: rhsso
    name: sample-realm
  register: sso_realm

- assert:
    that:
      - (sso_realm.resources | length) == 1
      - sso_realm.resources[0].spec.realm.id == "sample"
      - sso_realm.resources[0].spec.realm.realm == "sample"
      - sso_realm.resources[0].status.ready
      - sso_realm.resources[0].status.phase == "reconciling"
    fail_msg: "ERROR: RHSSO sample realm is missing or not configured correctly."
    success_msg: "OK: RHSSO sample realm is configured correctly."

# Authentication bits from here until we can get group list.
- name: Read the SSO admin pass
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: rhsso
    name: "{{ sso_cr.resources[0].status.credentialSecret }}"
  register: sso_secret

- name: Store RHSSO admin pass as fact
  set_fact:
    sso_pass: "{{ sso_secret.resources[0].data.ADMIN_PASSWORD }}"

- name: Get an auth token from RHSSO
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "{{ sso_url }}/auth/realms/master/protocol/openid-connect/token"
    headers:
      Accept: application/json
    body: "client_id=admin-cli&username=admin&password={{ sso_pass | string | b64decode }}&grant_type=password"
  register: sso_token_rsp

- assert:
    that: sso_token_rsp.json is defined and sso_token_rsp.json.access_token is defined
    fail_msg: "ERROR: Failed to obtain authentication token from RHSSO."
    success_msg: "OK: got authentication token."

- name: Store the token as a fact
  set_fact:
    sso_token: "{{ sso_token_rsp.json.access_token }}"

# Back to business as usual from here on.
- name: Get existing group list
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "{{ sso_url }}/auth/admin/realms/sample/groups"
    headers:
      Authorization: Bearer {{ sso_token }}
      Accept: application/json
  register: sso_groups_raw
  tags:
    - groups

- name: Store existing groups as a list
  set_fact:
    sso_groups: "{{ sso_groups_raw.json | items2dict(key_name='name', value_name='id') }}"
  tags:
    - groups

- name: Create missing groups
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "{{ sso_url }}/auth/admin/realms/sample/groups"
    headers:
      Authorization: Bearer {{ sso_token }}
      Accept: application/json
      Content-Type: application/json
    body_format: json
    body: '{"name": "{{ item | string }}"}'
    status_code:
      - 200
      - 201
  loop: "{{ pop_groups }}"
  when: item not in sso_groups.keys()
  tags:
    - groups

# You need offline_access in realmRoles to be able to use OCP OIDC.
- name: Make sure KeycloakUser resources exist
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloakuser
    namespace: rhsso
    name: "user-{{ item.username }}"
    definition:
      metadata:
        labels:
          app: sso
          realm: sample
      spec:
        realmSelector:
          matchLabels:
            app: sso
            realm: sample
        user:
          username: "{{ item.username }}"
          credentials:
            - temporary: False
              type: password
              value: "{{ item.password }}"
          firstName: "{{ item.firstname }}"
          lastName: "{{ item.lastname }}"
          email: "{{ item.username }}@example.com"
          enabled: True
          emailVerified: True
          groups: "{{ item.groups | list }}"
          realmRoles:
            - offline_access
  loop: "{{ pop_users }}"
  tags:
    - users

# TODO: assign roles to groups?
# TODO: remove any stale identities / openshift users if keycloakuser resources have been created?

...