rht
/
sso-playbooks


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212
							---
# A number of checks to be performed, but ultimately modify oauth/cluster with
# an additional identityProvider for OIDC.
#
- name: Check for the KeyCloak resource
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloak
    namespace: rhsso
    name: rhsso
  register: sso_cr

- assert:
    that:
      - (sso_cr.resources | length) == 1
      - sso_cr.resources[0].spec.externalAccess.enabled
      - sso_cr.resources[0].status.ready
      - sso_cr.resources[0].status.phase == "reconciling"
    fail_msg: "ERROR: RHSSO instance is missing or not configured correctly."
    success_msg: "OK: RHSSO instance is configured correctly."

- name: Store RHSSO URL as a fact
  set_fact:
    sso_url: "{{ sso_cr.resources[0].status.externalURL }}"

- name: Check for the realm resource
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloakrealm
    namespace: rhsso
    name: sample-realm
  register: sso_realm

- assert:
    that:
      - (sso_realm.resources | length) == 1
      - sso_realm.resources[0].spec.realm.id == "sample"
      - sso_realm.resources[0].spec.realm.realm == "sample"
      - sso_realm.resources[0].spec.realm.enabled
      - sso_realm.resources[0].status.ready
      - sso_realm.resources[0].status.phase == "reconciling"
    fail_msg: "ERROR: RHSSO sample realm is missing or not configured correctly."
    success_msg: "OK: RHSSO sample realm is configured correctly."

- name: Check that the client is configured correctly
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: keycloak.org/v1alpha1
    kind: keycloakclient
    namespace: rhsso
    name: sample-client
  register: sso_client

- assert:
    that:
      - (sso_client.resources | length) == 1
      - sso_client.resources[0].spec.client.clientId == "sample-client"
      - '"offline_access" in sso_client.resources[0].spec.client.defaultClientScopes'
      - sso_client.resources[0].status.ready
      - sso_client.resources[0].status.phase == "reconciling"
    fail_msg: "ERROR: RHSSO sample-client is missing or not configured correctly."
    success_msg: "OK: RHSSO sample-client is configured correctly."

- name: Store sample-client's secret name as a fact
  set_fact:
    sso_client_secret: "{{ sso_client.resources[0].status.secondaryResources.Secret[0] }}"

- name: Read the sample-client's actual secret
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: rhsso
    name: "{{ sso_client_secret }}"
  register: sso_client_secret

- assert:
    that:
      - (sso_client_secret.resources | length) == 1
      - sso_client_secret.resources[0].data.CLIENT_SECRET is defined
    fail_msg: "ERROR: sample-client secret is missing."
    success_msg: "OK: sample-client secret found."

- name: Store the secret as a fact
  set_fact:
    sso_client_secret: "{{ sso_client_secret.resources[0].data.CLIENT_SECRET }}"

- name: Check that the ingresscontroller's defaultCertificate is set
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: ingress_ca

- name: Get the router's default CA content
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: "{{ ingress_ca.resources[0].spec.defaultCertificate.name }}"
  register: ingress_ca

- name: Store the CA cert as an actual fact
  set_fact:
    ingress_ca: "{{ ingress_ca.resources[0].data['tls.crt'] }}"

- name: Check on oauth/cluster
  k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
  register: cluster_auth

- assert:
    that:
      - (cluster_auth.resources | length) == 1
      - (cluster_auth.resources[0].spec.identityProviders | length) >= 1
      - cluster_auth.resources[0].spec.identityProviders[0].type == "HTPasswd"
    fail_msg: "ERROR: OpenShift cluster authentication is not configured correctly."
    success_msg: "OK: OpenShift cluster authentication is configured correctly."

- name: Make certain client secret exists in openshift-config
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: sso-client-secret
    definition:
      metadata:
        labels:
          app: sso
      type: Opaque
      data:
        clientSecret: "{{ sso_client_secret }}"

- name: Make certain router CA CM exists in openshift-config
  k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: configmap
    namespace: openshift-config
    name: sso-ingress-ca
    definition:
      metadata:
        labels:
          app: sso
      data:
        ca.crt: "{{ ingress_ca | string | b64decode }}"

- name: Figure out what to do with oauth/cluster - option 1
  set_fact:
    oauth_op: add
    oauth_path: /spec/identityProviders/-
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 1

- name: Figure out what to do with oauth/cluster - option 2
  set_fact:
    oauth_op: replace
    oauth_path: /spec/identityProviders/1
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 2

- name: Patch oauth/cluster
  kubernetes.core.k8s_json_patch:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
    patch:
      - op: "{{ oauth_op }}"
        path: "{{ oauth_path }}"
        value:
          name: oidc_sso
          mappingMethod: claim 
          type: OpenID
          openID:
            clientID: sample-client
            clientSecret: 
              name: sso-client-secret
            ca:
              name: sso-ingress-ca
            claims: 
              preferredUsername:
              - preferred_username
              name:
              - name
              email:
              - email
              groups:
              - groups
            issuer: "{{ sso_url }}/auth/realms/sample"

# TODO: Wait for clusteroperator/authentication to stop progressing.

# TODO: Check that all keycloakuser (or all users?) have offline_access realm role?
...