Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / refs/heads/main / . / roles / keystone / tasks / main.yml
blob: e5abcb07cc379426415fe86f71949003fc555575 [file] [log] [blame]
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]1# Copyright (c) 2022 VEXXHOST, Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]15- name: Create Keycloak realms
Mohammed Naser59853d42023-11-29 20:32:24 -0500[diff] [blame]16 no_log: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]17 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]18 changed_when: false
19 community.general.keycloak_realm:
20 # Keycloak settings
21 auth_keycloak_url: "{{ item.keycloak_server_url }}"
22 auth_realm: "{{ item.keycloak_user_realm_name }}"
23 auth_client_id: "{{ item.keycloak_admin_client_id }}"
24 auth_username: "{{ item.keycloak_admin_user }}"
25 auth_password: "{{ item.keycloak_admin_password }}"
26 validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
27 # Realm settings
28 id: "{{ item.keycloak_realm }}"
29 realm: "{{ item.keycloak_realm }}"
30 display_name: "{{ item.label }}"
31 enabled: true
Mohammed Naser2e5a63a2025-02-05 15:25:25 -0500[diff] [blame]32 password_policy: "{{ item.keycloak_password_policy | default(keystone_keycloak_realm_default_password_policy | default(omit)) }}"
33 brute_force_protected: "{{ item.keycloak_brute_force_protected | default(keystone_keycloak_realm_default_brute_force_protected | default(omit)) }}"
34 failure_factor: "{{ item.keycloak_brute_force_failure_factor | default(keystone_keycloak_realm_default_brute_force_failure_factor | default(omit)) }}"
35 wait_increment_seconds: "{{ item.keycloak_brute_force_wait_increment_seconds | default(keystone_keycloak_realm_default_brute_force_wait_increment_seconds | default(omit)) }}"
36 max_failure_wait_seconds: "{{ item.keycloak_brute_force_max_failure_wait_seconds | default(keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds | default(omit)) }}"
37 max_delta_time_seconds: "{{ item.keycloak_brute_force_max_delta_time_seconds | default(keystone_keycloak_realm_default_brute_force_max_delta_time_seconds | default(omit)) }}"
38 minimum_quick_login_wait_seconds: "{{ item.keycloak_minimum_quick_login_wait_seconds | default(keystone_keycloak_realm_default_minimum_quick_login_wait_seconds | default(omit)) }}"
39 quick_login_check_milli_seconds: "{{ item.keycloak_quick_login_check_milli_seconds | default(keystone_keycloak_realm_default_quick_login_check_milli_seconds | default(omit)) }}"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]40 loop: "{{ keystone_domains }}"
41 loop_control:
42 label: "{{ item.name }}"
43
Mohammed Naser99c00a72025-02-05 15:32:27 -0500[diff] [blame]44- name: Setup Keycloak Authentication Required Actions (MFA)
45 community.general.keycloak_authentication_required_actions:
46 # Keycloak settings
47 auth_keycloak_url: "{{ item.keycloak_server_url }}"
48 auth_realm: "{{ item.keycloak_user_realm_name }}"
49 auth_client_id: "{{ item.keycloak_admin_client_id }}"
50 auth_username: "{{ item.keycloak_admin_user }}"
51 auth_password: "{{ item.keycloak_admin_password }}"
52 validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
53 # Realm settings
54 realm: "{{ item.name }}"
55 required_actions:
56 - alias: "CONFIGURE_TOTP"
57 name: "Configure OTP"
58 providerId: "CONFIGURE_TOTP"
59 defaultAction: "{{ item.keycloak_totp_default_action | default(keystone_keycloak_realm_default_totp_default_action | default(omit)) }}"
60 enabled: true
61 state: present
62 loop: "{{ keystone_domains }}"
63 loop_control:
64 label: "{{ item.name }}"
65
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]66- name: Create ConfigMap with all OpenID connect configurations
67 run_once: true
68 kubernetes.core.k8s:
69 template: configmap-openid-metadata.yml.j2
70
71- name: Create Keycloak clients
Mohammed Naser8dc7add2024-01-02 16:43:07 -0500[diff] [blame]72 no_log: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]73 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]74 community.general.keycloak_client:
75 # Keycloak settings
76 auth_keycloak_url: "{{ item.keycloak_server_url }}"
77 auth_realm: "{{ item.keycloak_user_realm_name }}"
78 auth_client_id: "{{ item.keycloak_admin_client_id }}"
79 auth_username: "{{ item.keycloak_admin_user }}"
80 auth_password: "{{ item.keycloak_admin_password }}"
81 validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
82 # Realm settings
83 realm: "{{ item.keycloak_realm }}"
84 client_id: "{{ item.keycloak_client_id }}"
85 secret: "{{ item.keycloak_client_secret }}"
86 redirect_uris:
87 - "{{ keystone_oidc_redirect_uri }}"
88 - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/"
89 loop: "{{ keystone_domains }}"
90 loop_control:
91 label: "{{ item.name }}"
92
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]93- name: Deploy Helm chart
guilhermesteinmuller4980b132023-01-24 18:50:14 +0000[diff] [blame]94 run_once: true
95 kubernetes.core.helm:
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]96 name: "{{ keystone_helm_release_name }}"
97 chart_ref: "{{ keystone_helm_chart_ref }}"
98 release_namespace: "{{ keystone_helm_release_namespace }}"
guilhermesteinmuller4980b132023-01-24 18:50:14 +0000[diff] [blame]99 create_namespace: true
Austin Talbot78a774a2024-09-25 10:15:36 -0600[diff] [blame]100 kubeconfig: "{{ keystone_helm_kubeconfig }}"
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]101 values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}"
Mohammed Naserb7b97d62022-03-12 16:30:00 -0500[diff] [blame]102
103- name: Create Ingress
104 ansible.builtin.include_role:
105 name: openstack_helm_ingress
106 vars:
107 openstack_helm_ingress_endpoint: identity
108 openstack_helm_ingress_service_name: keystone-api
109 openstack_helm_ingress_service_port: 5000
Mohammed Naser2145fc32023-01-29 23:23:03 +0000[diff] [blame]110 openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"
Mohammed Naserc139abc2025-02-05 14:03:20 -0500[diff] [blame]111 openstack_helm_ingress_class_name: "{{ keystone_ingress_class_name }}"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]112
Michiel Piscaer9ce6e892023-11-16 09:02:35 +0100[diff] [blame]113- name: Validate if ingress is reachable
114 ansible.builtin.uri:
115 url: "https://{{ openstack_helm_endpoints_keystone_api_host }}"
116 status_code: [300]
117 register: keystone_ingress_validate
118 until: keystone_ingress_validate.status == 300
Oleksandr K897b78b2023-12-29 10:55:06 +0100[diff] [blame]119 retries: 120
Michiel Piscaer9ce6e892023-11-16 09:02:35 +0100[diff] [blame]120 delay: 1
121
Oleksandr Kozachenko7299c982023-11-23 10:48:14 +0100[diff] [blame]122- name: Wait until identity service ready
123 kubernetes.core.k8s_info:
124 api_version: apps/v1
125 kind: Deployment
126 name: keystone-api
127 namespace: openstack
128 wait_sleep: 10
129 wait_timeout: 600
130 wait: true
131 wait_condition:
132 type: Available
133 status: true
134
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]135- name: Create Keystone domains
136 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]137 vexxhost.atmosphere.identity_domain:
138 name: "{{ item.name }}"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]139 loop: "{{ keystone_domains }}"
140 loop_control:
141 label: "{{ item.name }}"
Oleksandr Kozachenko7299c982023-11-23 10:48:14 +0100[diff] [blame]142 # NOTE: This often fails since it takes time for the keystone api ready.
143 retries: 60
144 delay: 5
145 register: keystone_domains_result
146 until: keystone_domains_result is not failed
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]147
148- name: Create Keystone identity providers
149 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]150 vexxhost.atmosphere.federation_idp:
151 name: "{{ item.domain.name }}"
152 domain_id: "{{ item.domain.id }}"
Mohammed Naser8ccabb62025-02-05 13:20:09 -0500[diff] [blame]153 is_enabled: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]154 remote_ids:
155 - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}"
156 loop: "{{ keystone_domains_result.results }}"
157 loop_control:
158 label: "{{ item.domain.name }}"
159
160- name: Create Keystone federation mappings
161 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]162 vexxhost.atmosphere.federation_mapping:
163 name: "{{ item.name }}-openid"
164 rules:
165 - local:
166 - user:
167 type: local
168 id: "{0}"
Ed Timmons Jr4ba25cf2023-11-29 23:22:43 -0500[diff] [blame]169 name: "{1}"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]170 domain:
171 name: "{{ item.name }}"
172 remote:
173 - type: OIDC-sub
Ed Timmons Jr4ba25cf2023-11-29 23:22:43 -0500[diff] [blame]174 - type: OIDC-preferred_username
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]175 loop: "{{ keystone_domains }}"
176 loop_control:
177 label: "{{ item.name }}"
178
179- name: Create Keystone federation protocols
180 run_once: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200[diff] [blame]181 vexxhost.atmosphere.keystone_federation_protocol:
182 name: openid
183 idp_id: "{{ item.name }}"
184 mapping_id: "{{ item.name }}-openid"
185 loop: "{{ keystone_domains }}"
186 loop_control:
187 label: "{{ item.name }}"