Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 1 | # Copyright (c) 2022 VEXXHOST, Inc. |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 15 | - name: Create Keycloak realms |
Mohammed Naser | 59853d4 | 2023-11-29 20:32:24 -0500 | [diff] [blame] | 16 | no_log: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 17 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 18 | changed_when: false |
| 19 | community.general.keycloak_realm: |
| 20 | # Keycloak settings |
| 21 | auth_keycloak_url: "{{ item.keycloak_server_url }}" |
| 22 | auth_realm: "{{ item.keycloak_user_realm_name }}" |
| 23 | auth_client_id: "{{ item.keycloak_admin_client_id }}" |
| 24 | auth_username: "{{ item.keycloak_admin_user }}" |
| 25 | auth_password: "{{ item.keycloak_admin_password }}" |
| 26 | validate_certs: "{{ cluster_issuer_type != 'self-signed' }}" |
| 27 | # Realm settings |
| 28 | id: "{{ item.keycloak_realm }}" |
| 29 | realm: "{{ item.keycloak_realm }}" |
| 30 | display_name: "{{ item.label }}" |
| 31 | enabled: true |
Mohammed Naser | 2e5a63a | 2025-02-05 15:25:25 -0500 | [diff] [blame] | 32 | password_policy: "{{ item.keycloak_password_policy | default(keystone_keycloak_realm_default_password_policy | default(omit)) }}" |
| 33 | brute_force_protected: "{{ item.keycloak_brute_force_protected | default(keystone_keycloak_realm_default_brute_force_protected | default(omit)) }}" |
| 34 | failure_factor: "{{ item.keycloak_brute_force_failure_factor | default(keystone_keycloak_realm_default_brute_force_failure_factor | default(omit)) }}" |
| 35 | wait_increment_seconds: "{{ item.keycloak_brute_force_wait_increment_seconds | default(keystone_keycloak_realm_default_brute_force_wait_increment_seconds | default(omit)) }}" |
| 36 | max_failure_wait_seconds: "{{ item.keycloak_brute_force_max_failure_wait_seconds | default(keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds | default(omit)) }}" |
| 37 | max_delta_time_seconds: "{{ item.keycloak_brute_force_max_delta_time_seconds | default(keystone_keycloak_realm_default_brute_force_max_delta_time_seconds | default(omit)) }}" |
| 38 | minimum_quick_login_wait_seconds: "{{ item.keycloak_minimum_quick_login_wait_seconds | default(keystone_keycloak_realm_default_minimum_quick_login_wait_seconds | default(omit)) }}" |
| 39 | quick_login_check_milli_seconds: "{{ item.keycloak_quick_login_check_milli_seconds | default(keystone_keycloak_realm_default_quick_login_check_milli_seconds | default(omit)) }}" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 40 | loop: "{{ keystone_domains }}" |
| 41 | loop_control: |
| 42 | label: "{{ item.name }}" |
| 43 | |
Mohammed Naser | 99c00a7 | 2025-02-05 15:32:27 -0500 | [diff] [blame] | 44 | - name: Setup Keycloak Authentication Required Actions (MFA) |
| 45 | community.general.keycloak_authentication_required_actions: |
| 46 | # Keycloak settings |
| 47 | auth_keycloak_url: "{{ item.keycloak_server_url }}" |
| 48 | auth_realm: "{{ item.keycloak_user_realm_name }}" |
| 49 | auth_client_id: "{{ item.keycloak_admin_client_id }}" |
| 50 | auth_username: "{{ item.keycloak_admin_user }}" |
| 51 | auth_password: "{{ item.keycloak_admin_password }}" |
| 52 | validate_certs: "{{ cluster_issuer_type != 'self-signed' }}" |
| 53 | # Realm settings |
| 54 | realm: "{{ item.name }}" |
| 55 | required_actions: |
| 56 | - alias: "CONFIGURE_TOTP" |
| 57 | name: "Configure OTP" |
| 58 | providerId: "CONFIGURE_TOTP" |
| 59 | defaultAction: "{{ item.keycloak_totp_default_action | default(keystone_keycloak_realm_default_totp_default_action | default(omit)) }}" |
| 60 | enabled: true |
| 61 | state: present |
| 62 | loop: "{{ keystone_domains }}" |
| 63 | loop_control: |
| 64 | label: "{{ item.name }}" |
| 65 | |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 66 | - name: Create ConfigMap with all OpenID connect configurations |
| 67 | run_once: true |
| 68 | kubernetes.core.k8s: |
| 69 | template: configmap-openid-metadata.yml.j2 |
| 70 | |
| 71 | - name: Create Keycloak clients |
Mohammed Naser | 8dc7add | 2024-01-02 16:43:07 -0500 | [diff] [blame] | 72 | no_log: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 73 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 74 | community.general.keycloak_client: |
| 75 | # Keycloak settings |
| 76 | auth_keycloak_url: "{{ item.keycloak_server_url }}" |
| 77 | auth_realm: "{{ item.keycloak_user_realm_name }}" |
| 78 | auth_client_id: "{{ item.keycloak_admin_client_id }}" |
| 79 | auth_username: "{{ item.keycloak_admin_user }}" |
| 80 | auth_password: "{{ item.keycloak_admin_password }}" |
| 81 | validate_certs: "{{ cluster_issuer_type != 'self-signed' }}" |
| 82 | # Realm settings |
| 83 | realm: "{{ item.keycloak_realm }}" |
| 84 | client_id: "{{ item.keycloak_client_id }}" |
| 85 | secret: "{{ item.keycloak_client_secret }}" |
| 86 | redirect_uris: |
| 87 | - "{{ keystone_oidc_redirect_uri }}" |
| 88 | - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/" |
| 89 | loop: "{{ keystone_domains }}" |
| 90 | loop_control: |
| 91 | label: "{{ item.name }}" |
| 92 | |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 93 | - name: Deploy Helm chart |
guilhermesteinmuller | 4980b13 | 2023-01-24 18:50:14 +0000 | [diff] [blame] | 94 | run_once: true |
| 95 | kubernetes.core.helm: |
Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 96 | name: "{{ keystone_helm_release_name }}" |
| 97 | chart_ref: "{{ keystone_helm_chart_ref }}" |
| 98 | release_namespace: "{{ keystone_helm_release_namespace }}" |
guilhermesteinmuller | 4980b13 | 2023-01-24 18:50:14 +0000 | [diff] [blame] | 99 | create_namespace: true |
Austin Talbot | 78a774a | 2024-09-25 10:15:36 -0600 | [diff] [blame] | 100 | kubeconfig: "{{ keystone_helm_kubeconfig }}" |
Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 101 | values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}" |
Mohammed Naser | b7b97d6 | 2022-03-12 16:30:00 -0500 | [diff] [blame] | 102 | |
| 103 | - name: Create Ingress |
| 104 | ansible.builtin.include_role: |
| 105 | name: openstack_helm_ingress |
| 106 | vars: |
| 107 | openstack_helm_ingress_endpoint: identity |
| 108 | openstack_helm_ingress_service_name: keystone-api |
| 109 | openstack_helm_ingress_service_port: 5000 |
Mohammed Naser | 2145fc3 | 2023-01-29 23:23:03 +0000 | [diff] [blame] | 110 | openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}" |
Mohammed Naser | c139abc | 2025-02-05 14:03:20 -0500 | [diff] [blame] | 111 | openstack_helm_ingress_class_name: "{{ keystone_ingress_class_name }}" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 112 | |
Michiel Piscaer | 9ce6e89 | 2023-11-16 09:02:35 +0100 | [diff] [blame] | 113 | - name: Validate if ingress is reachable |
| 114 | ansible.builtin.uri: |
| 115 | url: "https://{{ openstack_helm_endpoints_keystone_api_host }}" |
| 116 | status_code: [300] |
| 117 | register: keystone_ingress_validate |
| 118 | until: keystone_ingress_validate.status == 300 |
Oleksandr K | 897b78b | 2023-12-29 10:55:06 +0100 | [diff] [blame] | 119 | retries: 120 |
Michiel Piscaer | 9ce6e89 | 2023-11-16 09:02:35 +0100 | [diff] [blame] | 120 | delay: 1 |
| 121 | |
Oleksandr Kozachenko | 7299c98 | 2023-11-23 10:48:14 +0100 | [diff] [blame] | 122 | - name: Wait until identity service ready |
| 123 | kubernetes.core.k8s_info: |
| 124 | api_version: apps/v1 |
| 125 | kind: Deployment |
| 126 | name: keystone-api |
| 127 | namespace: openstack |
| 128 | wait_sleep: 10 |
| 129 | wait_timeout: 600 |
| 130 | wait: true |
| 131 | wait_condition: |
| 132 | type: Available |
| 133 | status: true |
| 134 | |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 135 | - name: Create Keystone domains |
| 136 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 137 | vexxhost.atmosphere.identity_domain: |
| 138 | name: "{{ item.name }}" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 139 | loop: "{{ keystone_domains }}" |
| 140 | loop_control: |
| 141 | label: "{{ item.name }}" |
Oleksandr Kozachenko | 7299c98 | 2023-11-23 10:48:14 +0100 | [diff] [blame] | 142 | # NOTE: This often fails since it takes time for the keystone api ready. |
| 143 | retries: 60 |
| 144 | delay: 5 |
| 145 | register: keystone_domains_result |
| 146 | until: keystone_domains_result is not failed |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 147 | |
| 148 | - name: Create Keystone identity providers |
| 149 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 150 | vexxhost.atmosphere.federation_idp: |
| 151 | name: "{{ item.domain.name }}" |
| 152 | domain_id: "{{ item.domain.id }}" |
Mohammed Naser | 8ccabb6 | 2025-02-05 13:20:09 -0500 | [diff] [blame] | 153 | is_enabled: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 154 | remote_ids: |
| 155 | - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}" |
| 156 | loop: "{{ keystone_domains_result.results }}" |
| 157 | loop_control: |
| 158 | label: "{{ item.domain.name }}" |
| 159 | |
| 160 | - name: Create Keystone federation mappings |
| 161 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 162 | vexxhost.atmosphere.federation_mapping: |
| 163 | name: "{{ item.name }}-openid" |
| 164 | rules: |
| 165 | - local: |
| 166 | - user: |
| 167 | type: local |
| 168 | id: "{0}" |
Ed Timmons Jr | 4ba25cf | 2023-11-29 23:22:43 -0500 | [diff] [blame] | 169 | name: "{1}" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 170 | domain: |
| 171 | name: "{{ item.name }}" |
| 172 | remote: |
| 173 | - type: OIDC-sub |
Ed Timmons Jr | 4ba25cf | 2023-11-29 23:22:43 -0500 | [diff] [blame] | 174 | - type: OIDC-preferred_username |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 175 | loop: "{{ keystone_domains }}" |
| 176 | loop_control: |
| 177 | label: "{{ item.name }}" |
| 178 | |
| 179 | - name: Create Keystone federation protocols |
| 180 | run_once: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 181 | vexxhost.atmosphere.keystone_federation_protocol: |
| 182 | name: openid |
| 183 | idp_id: "{{ item.name }}" |
| 184 | mapping_id: "{{ item.name }}-openid" |
| 185 | loop: "{{ keystone_domains }}" |
| 186 | loop_control: |
| 187 | label: "{{ item.name }}" |