roles/keystone/tasks/main.yml

# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Uninstall the legacy HelmRelease
  run_once: true
  block:
    - name: Suspend the existing HelmRelease
      failed_when: false
      kubernetes.core.k8s:
        state: patched
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ keystone_helm_release_name }}"
        namespace: "{{ keystone_helm_release_namespace }}"
        definition:
          spec:
            suspend: true

    - name: Remove the existing HelmRelease
      failed_when: false
      kubernetes.core.k8s:
        state: absent
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ keystone_helm_release_name }}"
        namespace: "{{ keystone_helm_release_namespace }}"

- name: Create Keycloak realms
  no_log: true
  run_once: true
  changed_when: false
  community.general.keycloak_realm:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    id: "{{ item.keycloak_realm }}"
    realm: "{{ item.keycloak_realm }}"
    display_name: "{{ item.label }}"
    enabled: true
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

- name: Create ConfigMap with all OpenID connect configurations
  run_once: true
  kubernetes.core.k8s:
    template: configmap-openid-metadata.yml.j2

- name: Create Keycloak clients
  no_log: true
  run_once: true
  community.general.keycloak_client:
    # Keycloak settings
    auth_keycloak_url: "{{ item.keycloak_server_url }}"
    auth_realm: "{{ item.keycloak_user_realm_name }}"
    auth_client_id: "{{ item.keycloak_admin_client_id }}"
    auth_username: "{{ item.keycloak_admin_user }}"
    auth_password: "{{ item.keycloak_admin_password }}"
    validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
    # Realm settings
    realm: "{{ item.keycloak_realm }}"
    client_id: "{{ item.keycloak_client_id }}"
    secret: "{{ item.keycloak_client_secret }}"
    redirect_uris:
      - "{{ keystone_oidc_redirect_uri }}"
      - "https://{{ openstack_helm_endpoints_horizon_api_host }}/auth/logout/"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

- name: Deploy Helm chart
  run_once: true
  kubernetes.core.helm:
    name: "{{ keystone_helm_release_name }}"
    chart_ref: "{{ keystone_helm_chart_ref }}"
    release_namespace: "{{ keystone_helm_release_namespace }}"
    create_namespace: true
    kubeconfig: /etc/kubernetes/admin.conf
    values: "{{ _keystone_helm_values | combine(keystone_helm_values, recursive=True) }}"

- name: Create Ingress
  ansible.builtin.include_role:
    name: openstack_helm_ingress
  vars:
    openstack_helm_ingress_endpoint: identity
    openstack_helm_ingress_service_name: keystone-api
    openstack_helm_ingress_service_port: 5000
    openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"

- name: Validate if ingress is reachable
  ansible.builtin.uri:
    url: "https://{{ openstack_helm_endpoints_keystone_api_host }}"
    status_code: [300]
  register: keystone_ingress_validate
  until: keystone_ingress_validate.status == 300
  retries: 120
  delay: 1

- name: Wait until identity service ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: Deployment
    name: keystone-api
    namespace: openstack
    wait_sleep: 10
    wait_timeout: 600
    wait: true
    wait_condition:
      type: Available
      status: true

- name: Create Keystone domains
  run_once: true
  vexxhost.atmosphere.identity_domain:
    name: "{{ item.name }}"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"
  # NOTE: This often fails since it takes time for the keystone api ready.
  retries: 60
  delay: 5
  register: keystone_domains_result
  until: keystone_domains_result is not failed

- name: Create Keystone identity providers
  run_once: true
  vexxhost.atmosphere.federation_idp:
    name: "{{ item.domain.name }}"
    domain_id: "{{ item.domain.id }}"
    remote_ids:
      - "{{ item.item | vexxhost.atmosphere.issuer_from_domain }}"
  loop: "{{ keystone_domains_result.results }}"
  loop_control:
    label: "{{ item.domain.name }}"

- name: Create Keystone federation mappings
  run_once: true
  vexxhost.atmosphere.federation_mapping:
    name: "{{ item.name }}-openid"
    rules:
      - local:
          - user:
              type: local
              id: "{0}"
              name: "{1}"
              domain:
                name: "{{ item.name }}"
        remote:
          - type: OIDC-sub
          - type: OIDC-preferred_username
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"

- name: Create Keystone federation protocols
  run_once: true
  vexxhost.atmosphere.keystone_federation_protocol:
    name: openid
    idp_id: "{{ item.name }}"
    mapping_id: "{{ item.name }}-openid"
  loop: "{{ keystone_domains }}"
  loop_control:
    label: "{{ item.name }}"