# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Create one Keycloak realm per keystone_domains entry through the Keycloak
# admin API, using the admin credentials carried in that entry. Password
# policy and brute-force settings fall back to the role-wide
# keystone_keycloak_realm_default_* values and are omitted entirely (Keycloak
# defaults apply) when neither the domain nor the role sets them.
- name: Create Keycloak realms
  # Keeps item.keycloak_admin_password out of task output and logs. It also
  # hides module error messages, so only disable it while debugging.
  no_log: true
  run_once: true
  # Always reported as "ok": a realm that is created or modified here does not
  # surface as a change in the play recap.
  changed_when: false
  community.general.keycloak_realm:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): when cluster_issuer_type == 'self-signed' the server
    # certificate is not verified, so the admin credentials above are sent to
    # whatever answers at keycloak_server_url (MITM-able). Trusting the
    # self-signed issuer's CA on the host running this task and keeping
    # verification on would be the safer shape — confirm whether that is
    # feasible in this deployment.
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    id: "{{ item.keycloak_realm }}"
    realm: "{{ item.keycloak_realm }}"
    display_name: "{{ item.label }}"
    enabled: true
    # Per-domain value, then role default, then omit (Keycloak default).
    password_policy: "{{ item.keycloak_password_policy | default(keystone_keycloak_realm_default_password_policy | default(omit)) }}"
    # Brute-force detection: lockout thresholds and back-off timers, same
    # three-level fallback as above.
    brute_force_protected: "{{ item.keycloak_brute_force_protected | default(keystone_keycloak_realm_default_brute_force_protected | default(omit)) }}"
    failure_factor: "{{ item.keycloak_brute_force_failure_factor | default(keystone_keycloak_realm_default_brute_force_failure_factor | default(omit)) }}"
    wait_increment_seconds: "{{ item.keycloak_brute_force_wait_increment_seconds | default(keystone_keycloak_realm_default_brute_force_wait_increment_seconds | default(omit)) }}"
    max_failure_wait_seconds: "{{ item.keycloak_brute_force_max_failure_wait_seconds | default(keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds | default(omit)) }}"
    max_delta_time_seconds: "{{ item.keycloak_brute_force_max_delta_time_seconds | default(keystone_keycloak_realm_default_brute_force_max_delta_time_seconds | default(omit)) }}"
    minimum_quick_login_wait_seconds: "{{ item.keycloak_minimum_quick_login_wait_seconds | default(keystone_keycloak_realm_default_minimum_quick_login_wait_seconds | default(omit)) }}"
    quick_login_check_milli_seconds: "{{ item.keycloak_quick_login_check_milli_seconds | default(keystone_keycloak_realm_default_quick_login_check_milli_seconds | default(omit)) }}"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Render configmap-openid-metadata.yml.j2 (template not shown here) into the
# cluster. NOTE(review): no no_log on this task, so it is assumed to carry
# only public OIDC discovery metadata — confirm the template holds no client
# secrets before relying on that.
- name: Create ConfigMap with all OpenID connect configurations
  kubernetes.core.k8s:
    template: configmap-openid-metadata.yml.j2
  run_once: true

# Register Keystone as an OIDC client in each domain's realm. Admin
# credentials and the client secret come from the keystone_domains entry.
- name: Create Keycloak clients
  # Keeps item.keycloak_admin_password and item.keycloak_client_secret out of
  # task output and logs (module error messages are hidden as well).
  no_log: true
  run_once: true
  community.general.keycloak_client:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    # NOTE(review): same trade-off as the realm task above: with a self-signed
    # cluster issuer the server certificate is not verified, so both the admin
    # password and the client secret are sent to an unauthenticated endpoint.
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    realm: "{{ item.keycloak_realm }}"
    client_id: "{{ item.keycloak_client_id }}"
    secret: "{{ item.keycloak_client_secret }}"
    # Exact-match redirect URIs (no wildcards): the Keystone OIDC callback and
    # the Horizon logout page. Keycloak will refuse authorization responses to
    # anything else.
    redirect_uris:
      - "{{ keystone_oidc_redirect_uri }}"
      - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Install/upgrade the Keystone Helm release.
- name: Deploy Helm chart
  kubernetes.core.helm:
    name: "{{ keystone_helm_release_name }}"
    chart_ref: "{{ keystone_helm_chart_ref }}"
    release_namespace: "{{ keystone_helm_release_namespace }}"
    create_namespace: true
    # Explicit control-plane kubeconfig (on kubeadm clusters this is the
    # cluster-admin credential). The other kubernetes.core tasks in this file
    # rely on the module default instead — NOTE(review): confirm both paths
    # end up talking to the same cluster with the intended privileges.
    kubeconfig: /etc/kubernetes/admin.conf
    # Operator overrides in keystone_helm_values win over the role-computed
    # _keystone_helm_values; the merge is recursive so nested maps combine.
    values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}"
  run_once: true

# Expose keystone-api:5000 as the "identity" endpoint through the shared
# openstack_helm_ingress role; annotations and ingress class are role
# variables so operators can tune TLS/auth behaviour there.
- name: Create Ingress
  vars:
    openstack_helm_ingress_endpoint: identity
    openstack_helm_ingress_service_name: keystone-api
    openstack_helm_ingress_service_port: 5000
    openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"
    openstack_helm_ingress_class_name: "{{ keystone_ingress_class_name }}"
  ansible.builtin.include_role:
    name: openstack_helm_ingress

# Probe the public Keystone URL until the ingress routes to the API.
# Keystone's version-discovery root answers 300 Multiple Choices, which is
# the only status accepted here.
- name: Validate if ingress is reachable
  ansible.builtin.uri:
    url: "https://{{ openstack_helm_endpoints_keystone_api_host }}"
    status_code: [300]
  # NOTE(review): validate_certs is left at the uri default (enabled), unlike
  # the Keycloak tasks above. With a self-signed cluster issuer this can only
  # pass if the issuing CA is trusted by the host running the task — confirm,
  # otherwise all 120 attempts fail on the TLS handshake rather than on
  # routing.
  register: keystone_ingress_validate
  until: keystone_ingress_validate.status == 300
  delay: 1
  retries: 120

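# Block until the keystone-api Deployment reports Available so the Keystone
# API tasks below do not race the rollout started by the Helm release above.
- name: Wait until identity service ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: Deployment
    name: keystone-api
    # Same namespace the Helm release is installed into ("Deploy Helm chart"
    # above). A literal "openstack" here would silently wait on the wrong
    # namespace whenever keystone_helm_release_namespace is overridden.
    namespace: "{{ keystone_helm_release_namespace }}"
    wait: true
    # Poll every 10s for at most 10 minutes for the Available condition.
    wait_sleep: 10
    wait_timeout: 600
    wait_condition:
      type: Available
      status: true
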
# One Keystone domain per keystone_domains entry. The registered results
# (domain id + original loop item) feed the identity-provider task below.
- name: Create Keystone domains
  vexxhost.atmosphere.identity_domain:
    name: "{{ item.name }}"
  run_once: true
  register: keystone_domains_result
  # The API often is not serving yet right after the Deployment turns
  # Available, so retry for up to 5 minutes instead of failing the play.
  until: keystone_domains_result is not failed
  retries: 60
  delay: 5
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Register one Keystone identity provider per domain created above, named
# after the domain and bound to it.
- name: Create Keystone identity providers
  vexxhost.atmosphere.federation_idp:
    name: "{{ item.domain.name }}"
    domain_id: "{{ item.domain.id }}"
    is_enabled: true
    # Only assertions whose issuer matches the value issuer_from_domain
    # derives from the original keystone_domains entry (item.item) are
    # accepted for this IdP; this is the trust anchor for the mapping below.
    remote_ids:
      - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}"
  run_once: true
  loop: "{{ keystone_domains_result.results }}"
  loop_control:
    label: "{{ item.domain.name }}"

# Federation mapping used by the "openid" protocol below. Single rule: the
# OIDC `sub` claim ({0}) becomes the Keystone user id and `preferred_username`
# ({1}) the user name, scoped to the domain of the same name.
- name: Create Keystone federation mappings
  run_once: true
  vexxhost.atmosphere.federation_mapping:
    name: "{{ item.name }}-openid"
    rules:
      - local:
          - user:
              # NOTE(review): type local means Keystone resolves an existing
              # user in this domain rather than creating an ephemeral shadow
              # user; where those users are provisioned is not visible in this
              # file — confirm.
              type: local
              id: "{0}"
              # NOTE(review): preferred_username is an IdP-controlled,
              # reassignable claim, unlike sub. If Keystone ever resolves the
              # user by name rather than id, a username reassigned at the IdP
              # would map onto a different local account — confirm which key
              # takes precedence in the deployed Keystone version.
              name: "{1}"
              domain:
                name: "{{ item.name }}"
        remote:
          # No remote conditions (any_one_of/not_any_of/regex): every subject
          # the IdP authenticates is mapped. The trust boundary is the issuer
          # restriction (remote_ids) on the identity-provider task above and
          # the exact redirect URIs on the Keycloak client.
          - type: OIDC-sub
          - type: OIDC-preferred_username
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

# Wire the "openid" protocol on each IdP to the "<domain>-openid" mapping
# created above. The IdP id equals the domain name because the IdP task
# names it after item.domain.name, which the domains task set to item.name.
- name: Create Keystone federation protocols
  vexxhost.atmosphere.keystone_federation_protocol:
    name: "openid"
    idp_id: "{{ item.name }}"
    mapping_id: "{{ item.name }}-openid"
  run_once: true
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"