# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Create Keycloak realms
  community.general.keycloak_realm:
    # Admin API connection; every value comes from the per-domain entry.
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): with a self-signed cluster issuer the admin password is
    # submitted over a TLS connection whose certificate is not verified;
    # confirm that is acceptable for the deployment, or trust the issuing CA.
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # One realm per Keystone domain, labelled with the domain's display label.
    id: "{{ item.keycloak_realm }}"
    realm: "{{ item.keycloak_realm }}"
    display_name: "{{ item.label }}"
    enabled: true
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"
  # Keep the admin credentials out of the task output.
  no_log: true
  run_once: true
  # Never report this task as changed.
  changed_when: false

- name: Create ConfigMap with all OpenID connect configurations
  kubernetes.core.k8s:
    # Manifest is rendered from the role's Jinja template (presumably under
    # templates/) before being applied.
    template: configmap-openid-metadata.yml.j2
  run_once: true

- name: Create Keycloak clients
  community.general.keycloak_client:
    # Admin API connection; every value comes from the per-domain entry.
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): with a self-signed cluster issuer the admin password and
    # the client secret travel over an unverified TLS connection; confirm
    # that is acceptable, or trust the issuing CA instead.
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Confidential client for this domain's realm.
    realm: "{{ item.keycloak_realm }}"
    client_id: "{{ item.keycloak_client_id }}"
    secret: "{{ item.keycloak_client_secret }}"
    # The only redirect URIs registered for the client: the Keystone OIDC
    # callback and the Horizon logout page.
    redirect_uris:
      - "{{ keystone_oidc_redirect_uri }}"
      - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"
  # Keep the admin credentials and client secret out of the task output.
  no_log: true
  run_once: true

- name: Deploy Helm chart
  kubernetes.core.helm:
    name: "{{ keystone_helm_release_name }}"
    chart_ref: "{{ keystone_helm_chart_ref }}"
    release_namespace: "{{ keystone_helm_release_namespace }}"
    create_namespace: true
    # Operator-supplied keystone_helm_values are deep-merged over
    # _keystone_helm_values (presumably the role's computed defaults).
    values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}"
    # Uses the cluster admin kubeconfig on the target host.
    kubeconfig: /etc/kubernetes/admin.conf
  run_once: true

- name: Create Ingress
  ansible.builtin.include_role:
    name: openstack_helm_ingress
  vars:
    # Expose the keystone-api service (port 5000) as the "identity" endpoint.
    openstack_helm_ingress_endpoint: 'identity'
    openstack_helm_ingress_service_name: 'keystone-api'
    openstack_helm_ingress_service_port: 5000
    openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"

- name: Validate if ingress is reachable
  ansible.builtin.uri:
    url: "https://{{ openstack_helm_endpoints_keystone_api_host }}"
    # NOTE(review): validate_certs is left at the module default (verification
    # on), unlike the Keycloak tasks above; with a self-signed cluster issuer
    # this check can only pass if the issuing CA is trusted on the host.
    # Confirm which is intended.
    # A 300 from the root URL (presumably Keystone version discovery) is the
    # "ready" signal; any other outcome is retried below.
    status_code:
      - 300
  register: keystone_ingress_validate
  # Poll for up to ~2 minutes (120 x 1s) until the expected status is seen.
  until: keystone_ingress_validate.status == 300
  retries: 120
  delay: 1

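- name: Wait until identity service ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: Deployment
    name: keystone-api
    # Look in the namespace the chart was released into (see "Deploy Helm
    # chart") instead of a hard-coded "openstack", so the two cannot drift.
    namespace: "{{ keystone_helm_release_namespace }}"
    # Block until the Deployment reports Available, polling every 10s for at
    # most 600s.
    wait: true
    wait_sleep: 10
    wait_timeout: 600
    wait_condition:
      type: Available
      # Condition status is a string ("True"/"False"/"Unknown") in the
      # Kubernetes API; quote it so YAML does not parse it as a boolean.
      status: "True"
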
- name: Create Keystone domains
  vexxhost.atmosphere.identity_domain:
    name: "{{ item.name }}"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"
  # The registered results are consumed by the identity-provider task, which
  # needs the id of each created domain.
  register: keystone_domains_result
  # NOTE: This often fails because the Keystone API takes a while to become
  # ready after the Deployment reports Available; retry for up to 5 minutes
  # (60 x 5s) until the call stops failing.
  until: keystone_domains_result is not failed
  retries: 60
  delay: 5
  run_once: true

- name: Create Keystone identity providers
  vexxhost.atmosphere.federation_idp:
    name: "{{ item.domain.name }}"
    domain_id: "{{ item.domain.id }}"
    is_enabled: true
    # Accepted issuer for this IdP, derived from the original domain entry
    # (item.item) by the issuer_from_domain filter -- presumably the OIDC
    # issuer URL of the domain's Keycloak realm.
    remote_ids:
      - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}"
  # Iterate over the registered domain results so item.domain.id is available.
  loop: "{{ keystone_domains_result.results }}"
  loop_control:
    label: "{{ item.domain.name }}"
  run_once: true

- name: Create Keystone federation mappings
  run_once: true
  vexxhost.atmosphere.federation_mapping:
    name: "{{ item.name }}-openid"
    rules:
      - local:
          - user:
              # type: local maps the federated identity onto an existing
              # Keystone user in this domain (no ephemeral user is created),
              # presumably so only pre-provisioned users can log in -- confirm.
              type: local
              # "{0}" and "{1}" are positional placeholders filled from the
              # remote list below: OIDC-sub -> id, OIDC-preferred_username -> name.
              id: "{0}"
              name: "{1}"
              domain:
                name: "{{ item.name }}"
        # Order matters: the index of each entry is what the placeholders
        # above refer to.
        remote:
          - type: OIDC-sub
          - type: OIDC-preferred_username
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

- name: Create Keystone federation protocols
  vexxhost.atmosphere.keystone_federation_protocol:
    # Bind each domain's IdP to its "<domain>-openid" mapping under the
    # openid protocol.
    name: 'openid'
    idp_id: "{{ item.name }}"
    mapping_id: "{{ item.name }}-openid"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"
  run_once: true