[multiple] Add OIDC federation configuration on OSP17

Add Ansible playbooks and role tasks to configure OSP 17.1 for OIDC
federation, enabling adoption testing with Keycloak as the identity
provider.

Changes:
- Add federation-osp17-pre-deploy hook playbook that renders the
  Heat environment file and configures Keystone for OIDC
- Add run_osp17_oidc_setup.yml tasks to create the federation domain,
  identity provider, mapping, group, project and protocol on OSP 17.1
- Add enable-federation-openidc.yaml.j2 Heat template for OIDC params
- Refactor Keycloak operator deployment to use kubernetes.core.k8s
  instead of oc apply with a template file
- Make operator namespace configurable via
  cifmw_federation_operator_namespace variable
- Add passthrough Route for Keycloak and grant privileged SCC
- Conditionally include the OIDC env file in overcloud deploy

Jira: https://issues.redhat.com/browse/OSPRH-19960
Signed-off-by: Andre Aranha <afariasa@redhat.com>
Co-authored-by: Grzegorz Grasza <xek@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

hooks/playbooks/federation-osp17-post-deploy.yml

@@ -0,0 +1,21 @@
+---
+- name: Configure OSP 17.1 for OIDC federation (render env + Keystone setup)
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  vars:
+    _cloud_name: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: OSP 17.1 OIDC setup via federation role
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_osp17_oidc_setup.yml

roles/adoption_osp_deploy/tasks/deploy_overcloud.yml

@@ -74,6 +74,12 @@
         dest: "{{ _private_overcloud_conf_file }}"
         mode: "0644"
 
+    - name: Check if OIDC federation env file exists
+      delegate_to: "osp-undercloud-0"
+      ansible.builtin.stat:
+        path: "{{ ansible_user_dir }}/enable-federation-openidc.yaml"
+      register: _oidc_env_stat
+
     - name: Run overcloud deploy
       delegate_to: "osp-undercloud-0"
       vars:
@@ -84,6 +90,7 @@
           --roles-file {{ _roles_file_dest }}
           -n {{ _network_data_file_dest }}
           --ntp-server {{ cifmw_adoption_osp_deploy_ntp_server }}
+          {{ _oidc_env_stat.stat.exists | ternary('-e ' ~ ansible_user_dir ~ '/enable-federation-openidc.yaml', '') }}
           -e {{ _overcloud_vars }}
           -e {{ ansible_user_dir }}/containers-prepare-parameters.yaml
           -e {{ ansible_user_dir }}/config_download_{{ _overcloud_name }}.yaml

roles/federation/defaults/main.yml

@@ -12,6 +12,7 @@
 # Basic namespace and domain settings for the federation deployment
 
 # Kubernetes namespaces
+cifmw_federation_operator_namespace: openstack-operators
 cifmw_federation_keycloak_namespace: openstack
 cifmw_federation_run_osp_cmd_namespace: openstack
 

roles/federation/tasks/run_keycloak_setup.yml

@@ -52,6 +52,9 @@
   kubernetes.core.k8s_info:
     api_version: operators.coreos.com/v1alpha1
     kind: InstallPlan
+    namespace: "{{ cifmw_federation_operator_namespace }}"
+    label_selectors:
+      - "operators.coreos.com/rhsso-operator.{{ cifmw_federation_operator_namespace }}"
   register: ip_list
   until: >-
     ip_list.resources |
@@ -70,8 +73,9 @@
     PATH: "{{ cifmw_path }}"
   ansible.builtin.shell: >-
     oc patch installplan
-    $(oc get ip
-    -o=jsonpath='{.items[].metadata.name}')
+    $(oc get installplan -n {{ cifmw_federation_operator_namespace }}
+    -o=jsonpath='{.items[0].metadata.name}')
+    -n {{ cifmw_federation_operator_namespace }}
     --type merge --patch '{"spec":{"approved":true}}'
 
 - name: Add sso admin user secret
@@ -89,18 +93,72 @@
         ADMIN_USERNAME: "{{ cifmw_federation_keycloak_admin_username | b64encode }}"
         ADMIN_PASSWORD: "{{ cifmw_federation_keycloak_admin_password | b64encode }}"
 
-- name: Read federation sso template
-  ansible.builtin.template:
-    src: sso.yaml.j2
-    dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}"
-    mode: "0644"
+- name: Install federation Keycloak instance
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: keycloak.org/v1alpha1
+      kind: Keycloak
+      metadata:
+        name: sso
+        namespace: "{{ cifmw_federation_keycloak_namespace }}"
+        labels:
+          app: sso
+      spec:
+        instances: 1
+        externalAccess:
+          enabled: true
+
+- name: Wait for Keycloak service to be created
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_version: v1
+    kind: Service
+    name: keycloak
+    namespace: "{{ cifmw_federation_keycloak_namespace }}"
+  register: keycloak_service
+  until: keycloak_service.resources | length > 0
+  retries: 30
+  delay: 10
 
-- name: Install federation sso pod
+- name: Create Route for Keycloak
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: route.openshift.io/v1
+      kind: Route
+      metadata:
+        name: keycloak
+        namespace: "{{ cifmw_federation_keycloak_namespace }}"
+      spec:
+        host: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}"
+        to:
+          kind: Service
+          name: keycloak
+        port:
+          targetPort: 8443
+        tls:
+          termination: passthrough
+  register: _keycloak_route
+  until: _keycloak_route is succeeded
+  retries: 30
+  delay: 10
+
+- name: Grant privileged SCC to namespace default serviceaccount for Keycloak
   environment:
     KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
     PATH: "{{ cifmw_path }}"
   ansible.builtin.command:
-    cmd: "oc apply -n {{ cifmw_federation_keycloak_namespace }} -f {{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}"
+    cmd: >-
+      oc adm policy add-scc-to-user privileged
+      -n {{ cifmw_federation_keycloak_namespace }}
+      -z default
+  register: _scc_assignment
+  changed_when: >-
+    'clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added:'
+    in _scc_assignment.stdout
 
 - name: Add CRC IP address to hosts
   become: true
@@ -109,7 +167,7 @@
     block: |
       {{ hostvars['crc'].ansible_host }} api.crc.testing
       {{ hostvars['crc'].ansible_host }} oauth-openshift.apps-crc.testing
-      {{ hostvars['crc'].ansible_host }} keycloak-openstack.apps-crc.testing
+      {{ hostvars['crc'].ansible_host }} keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}
   when: cifmw_federation_deploy_type == "crc"
 
 - name: Wait for SSO pod to be avalable

roles/federation/tasks/run_osp17_oidc_setup.yml

@@ -0,0 +1,93 @@
+---
+- name: Render enable-federation-openidc.yaml to undercloud
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  ansible.builtin.template:
+    src: "enable-federation-openidc.yaml.j2"
+    dest: "{{ ansible_user_dir }}/enable-federation-openidc.yaml"
+    mode: "0644"
+
+- name: Create federation mapping file on undercloud
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  ansible.builtin.copy:
+    dest: "{{ ansible_user_dir }}/mapping.json"
+    mode: "0644"
+    content: |
+      [
+        {
+          "local": [
+            {
+              "user": {"name": "{0}"},
+              "group": {
+                "domain": {"name": "{{ cifmw_federation_keystone_domain }}"},
+                "name": "{{ cifmw_federation_group_name }}"
+              }
+            }
+          ],
+          "remote": [
+            {"type": "OIDC-preferred_username"}
+          ]
+        }
+      ]
+
+- name: Ensure federation domain exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack domain show {{ cifmw_federation_keystone_domain }} >/dev/null 2>&1 || \
+    openstack domain create {{ cifmw_federation_keystone_domain }}
+
+- name: Ensure identity provider exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    IDP_URL="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}"
+    openstack identity provider show {{ cifmw_federation_IdpName }} >/dev/null 2>&1 || \
+    openstack identity provider create --remote-id ${IDP_URL} --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_IdpName }}
+
+- name: Ensure mapping exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack mapping show {{ cifmw_federation_mapping_name }} >/dev/null 2>&1 || \
+    openstack mapping create --rules {{ ansible_user_dir }}/mapping.json {{ cifmw_federation_mapping_name }}
+
+- name: Ensure federated group exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack group show {{ cifmw_federation_group_name }} --domain {{ cifmw_federation_keystone_domain }} >/dev/null 2>&1 || \
+    openstack group create --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_group_name }}
+
+- name: Ensure project exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack project show {{ cifmw_federation_project_name }} --domain {{ cifmw_federation_keystone_domain }} >/dev/null 2>&1 || \
+    openstack project create --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_project_name }}
+
+- name: Ensure role binding exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack role add --group {{ cifmw_federation_group_name }} --group-domain {{ cifmw_federation_keystone_domain }} --project {{ cifmw_federation_project_name }} --project-domain {{ cifmw_federation_keystone_domain }} member || true
+
+- name: Ensure federation protocol exists (OSP 17.1)
+  delegate_to: "{{ cifmw_federation_undercloud_host | default('osp-undercloud-0') }}"
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack federation protocol show openid --identity-provider {{ cifmw_federation_IdpName }} >/dev/null 2>&1 || \
+    openstack federation protocol create openid --mapping {{ cifmw_federation_mapping_name }} --identity-provider {{ cifmw_federation_IdpName }}

roles/federation/templates/enable-federation-openidc.yaml.j2

@@ -0,0 +1,9 @@
+parameter_defaults:
+  KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid
+  KeystoneOpenIdcClientId: {{ cifmw_keystone_OIDC_ClientID | quote }}
+  KeystoneOpenIdcClientSecret: {{ cifmw_keystone_OIDC_ClientSecret | quote }}
+  KeystoneOpenIdcCryptoPassphrase: {{ cifmw_keystone_OIDC_CryptoPassphrase | default('openstack') | quote }}
+  KeystoneOpenIdcIdpName: {{ cifmw_keystone_OIDC_provider_name | default('kcIDP') | quote }}
+  KeystoneOpenIdcIntrospectionEndpoint: {{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint | quote }}
+  KeystoneOpenIdcProviderMetadataUrl: {{ cifmw_keystone_OIDC_ProviderMetadataURL | quote }}
+  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS

roles/federation/templates/rhsso-operator-olm.yaml.j2

@@ -2,6 +2,7 @@ apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
   name: rhsso-operator-group
+  namespace: {{ cifmw_federation_operator_namespace }}
 spec:
   targetNamespaces:
   - {{ cifmw_federation_keycloak_namespace }}
@@ -10,6 +11,7 @@ apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: rhsso-operator
+  namespace: {{ cifmw_federation_operator_namespace }}
 spec:
   channel: stable
   installPlanApproval: Manual