# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# One-time migration: stop Flux from reconciling the old HelmRelease for
# Keystone, then delete it, so the Helm chart deployed later in this file is
# the only thing managing the release. Runs on a single host.
- name: Uninstall the legacy HelmRelease
  run_once: true
  block:
    - name: Suspend the existing HelmRelease
      # Best-effort: the object usually no longer exists. Note that this also
      # hides API authentication/RBAC failures, in which case a surviving
      # HelmRelease would presumably keep reconciling next to the chart below.
      failed_when: false
      kubernetes.core.k8s:
        state: patched
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ keystone_helm_release_name }}"
        namespace: "{{ keystone_helm_release_namespace }}"
        definition:
          spec:
            suspend: true

    - name: Remove the existing HelmRelease
      # Same best-effort semantics as the suspend step above.
      failed_when: false
      kubernetes.core.k8s:
        state: absent
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ keystone_helm_release_name }}"
        namespace: "{{ keystone_helm_release_namespace }}"

# Ensure one Keycloak realm exists per entry in keystone_domains. Runs once,
# from the controller (delegate_to: localhost), so the Keycloak admin
# credentials do not have to be present on the managed hosts.
- name: Create Keycloak realms
  run_once: true
  delegate_to: localhost
  # Always reported as unchanged; the client task below does not do this, so
  # realm drift never shows up in the play recap.
  changed_when: false
  community.general.keycloak_realm:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): TLS verification is switched off entirely whenever the
    # cluster issuer is self-signed, so the admin password above travels over
    # an unverified connection in that mode. Trusting the self-signed CA
    # instead would keep verification on — confirm whether the module offers
    # a CA bundle option.
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    id: "{{ item.keycloak_realm }}"
    realm: "{{ item.keycloak_realm }}"
    display_name: "{{ item.label }}"
    enabled: true
  loop: "{{ keystone_domains }}"
  loop_control:
    # Print only the domain name per iteration: the full item carries the
    # admin password and must stay out of task output.
    label: "{{ item.name }}"

# Render the OpenID Connect metadata for all domains into a single ConfigMap.
# The template is resolved from this role's templates directory (presumably
# roles/<role>/templates/configmap-openid-metadata.yml.j2 — verify).
- name: Create ConfigMap with all OpenID connect configurations
  run_once: true
  kubernetes.core.k8s:
    template: configmap-openid-metadata.yml.j2

# Ensure one Keycloak OIDC client per Keystone domain, again executed once
# from the controller. Unlike the realm task above, changes are reported
# normally here.
- name: Create Keycloak clients
  run_once: true
  delegate_to: localhost
  community.general.keycloak_client:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): verification is disabled whenever the cluster issuer is
    # self-signed; both the admin password and the client secret below are
    # then sent over an unverified connection (same caveat as the realm task).
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    realm: "{{ item.keycloak_realm }}"
    client_id: "{{ item.keycloak_client_id }}"
    secret: "{{ item.keycloak_client_secret }}"
    # Only these two callbacks are accepted by Keycloak for this client:
    # Keystone's OIDC redirect and Horizon's logout URL.
    redirect_uris:
      - "{{ keystone_oidc_redirect_uri }}"
      - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/"
  loop: "{{ keystone_domains }}"
  loop_control:
    # Keep the item (admin password, client secret) out of task output.
    label: "{{ item.name }}"

# Install or upgrade the Keystone Helm release on a single host.
- name: Deploy Helm chart
  run_once: true
  kubernetes.core.helm:
    name: "{{ keystone_helm_release_name }}"
    chart_ref: "{{ keystone_helm_chart_ref }}"
    release_namespace: "{{ keystone_helm_release_namespace }}"
    create_namespace: true
    # Explicit cluster-admin kubeconfig from the control plane; the
    # kubernetes.core.k8s tasks in this file rely on their defaults instead.
    kubeconfig: /etc/kubernetes/admin.conf
    # Role defaults first, operator overrides second: with recursive=True the
    # operator-supplied keystone_helm_values win on nested keys too.
    values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}"

# Expose the keystone-api service through the shared ingress role. The
# role's variables are scoped to this include via vars.
- name: Create Ingress
  ansible.builtin.include_role:
    name: openstack_helm_ingress
  vars:
    openstack_helm_ingress_endpoint: identity
    openstack_helm_ingress_service_name: keystone-api
    openstack_helm_ingress_service_port: 5000
    openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"

# Wait until the Keystone endpoint answers through the ingress before the
# federation tasks below talk to it. Keystone's root URL replies with
# 300 Multiple Choices (version discovery), which is the success signal here.
# Unlike the tasks above this is not run_once, so every host in the play polls.
- name: Validate if ingress is reachable
  ansible.builtin.uri:
    url: "https://{{ openstack_helm_endpoints_keystone_api_host }}"
    # The uri module verifies TLS by default, so this also requires the ingress
    # to present a certificate trusted by the host — presumably intended.
    status_code: [300]
  register: keystone_ingress_validate
  until: keystone_ingress_validate.status == 300
  # 60 attempts × 1 s ≈ one minute before the play fails.
  retries: 60
  delay: 1

# Create one Keystone domain per configured entry. The registered results
# (including the domain ids) feed the identity-provider task below.
- name: Create Keystone domains
  run_once: true
  vexxhost.atmosphere.identity_domain:
    name: "{{ item.name }}"
  register: keystone_domains_result
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Register one federated identity provider per domain, named after the
# domain and bound to it. Iterates over the registered results: item.domain
# is the module's returned domain object, item.item the original
# keystone_domains entry.
- name: Create Keystone identity providers
  run_once: true
  vexxhost.atmosphere.federation_idp:
    name: "{{ item.domain.name }}"
    domain_id: "{{ item.domain.id }}"
    # The accepted issuer is derived from the domain config by the
    # collection's issuer_from_domain filter; tokens from any other issuer
    # are rejected for this IdP.
    remote_ids:
      - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}"
  loop: "{{ keystone_domains_result.results }}"
  loop_control:
    label: "{{ item.domain.name }}"

# One mapping per domain: the OIDC subject claim ("{0}" = first remote match)
# is used as the id of an existing *local* user in that domain. No ephemeral
# users are created, so a federated login only succeeds for accounts that
# already exist in Keystone.
- name: Create Keystone federation mappings
  run_once: true
  vexxhost.atmosphere.federation_mapping:
    name: "{{ item.name }}-openid"
    rules:
      - local:
          - user:
              type: local
              id: "{0}"
              domain:
                name: "{{ item.name }}"
        remote:
          - type: OIDC-sub
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Wire the IdP and mapping created above together under the "openid"
# protocol. idp_id and mapping_id must match the names used in the two
# preceding tasks.
- name: Create Keystone federation protocols
  run_once: true
  vexxhost.atmosphere.keystone_federation_protocol:
    name: openid
    idp_id: "{{ item.name }}"
    mapping_id: "{{ item.name }}-openid"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"