Add support for MFA options
Change-Id: I0e667f702a5208ce1c2235754ba8e77c66931775
diff --git a/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml b/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml
new file mode 100644
index 0000000..cb2d445
--- /dev/null
+++ b/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - The Keystone role now supports configuring multi-factor authentication for
+ the users within the Atmosphere realm.
diff --git a/roles/keystone/defaults/main.yml b/roles/keystone/defaults/main.yml
index 5b5c5e9..67031c5 100644
--- a/roles/keystone/defaults/main.yml
+++ b/roles/keystone/defaults/main.yml
@@ -45,6 +45,7 @@
# keystone_keycloak_realm_default_brute_force_max_delta_time_seconds:
# keystone_keycloak_realm_default_minimum_quick_login_wait_seconds:
# keystone_keycloak_realm_default_quick_login_check_milli_seconds:
+# keystone_keycloak_realm_default_totp_default_action:
keystone_keycloak_client_id: keystone
# keystone_keycloak_client_secret:
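Review bot: The new `keystone_keycloak_realm_default_totp_default_action` placeholder gives no hint of its type or effect, and a reader has to trace the role's tasks to learn it ends up as Keycloak's boolean `defaultAction` flag on the `CONFIGURE_TOTP` required action. Since this is a security-relevant toggle, a one-line hint beside it would help: `# keystone_keycloak_realm_default_totp_default_action:  # bool; when true, OTP setup becomes a required action assigned to users at creation`. Whether it applies only to newly created users is Keycloak behaviour rather than something this hunk shows, so word the hint accordingly.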
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
index f17c68e..b6d0a8e 100644
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -41,6 +41,28 @@
loop_control:
label: "{{ item.name }}"
+- name: Setup Keycloak Authentication Required Actions (MFA)
+ community.general.keycloak_authentication_required_actions:
+ # Keycloak settings
+ auth_keycloak_url: "{{ item.keycloak_server_url }}"
+ auth_realm: "{{ item.keycloak_user_realm_name }}"
+ auth_client_id: "{{ item.keycloak_admin_client_id }}"
+ auth_username: "{{ item.keycloak_admin_user }}"
+ auth_password: "{{ item.keycloak_admin_password }}"
+ validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
+ # Realm settings
+ realm: "{{ item.name }}"
+ required_actions:
+ - alias: "CONFIGURE_TOTP"
+ name: "Configure OTP"
+ providerId: "CONFIGURE_TOTP"
+ defaultAction: "{{ item.keycloak_totp_default_action | default(keystone_keycloak_realm_default_totp_default_action | default(omit)) }}"
+ enabled: true
+ state: present
+ loop: "{{ keystone_domains }}"
+ loop_control:
+ label: "{{ item.name }}"
+
- name: Create ConfigMap with all OpenID connect configurations
run_once: true
kubernetes.core.k8s:
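Review bot: Enabling the `CONFIGURE_TOTP` required action with `defaultAction` does not by itself enforce MFA: in Keycloak a default required action is assigned to users at creation time, so users that already exist in the realm, and the browser authentication flow's OTP step, are left as they are by this task, which is weaker than "configuring multi-factor authentication" as the release note puts it. When neither `item.keycloak_totp_default_action` nor `keystone_keycloak_realm_default_totp_default_action` is set the flag is omitted entirely, so the resulting realm state presumably depends on how the module treats an absent `defaultAction` (likely leaving whatever is already configured) — worth confirming and stating. I would add above the `defaultAction` line: `# NOTE: defaultAction only marks CONFIGURE_TOTP for users created after this runs; existing users and the browser flow's OTP step are not enforced here.` and a second line `# Omitted when no default is configured, so the realm's current setting is kept.`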