Add federation role to ci-framework

This role will setup keycloak as and OpenID provider for user access
to openstack.

hooks/playbooks/federation-post-deploy.yml

@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation setup one openstack post reproducer deploy
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run federation setup on OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_setup.yml
+
+    - name: Run federation OSP User Auth test
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_auth_test.yml

hooks/playbooks/federation-pre-deploy.yml

@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation SSO setup on reproducer
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run SSO pod setup on Openshift
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_setup.yml
+
+    - name: Run SSO realm setup for OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_realm_setup.yml

roles/federation/README.md

@@ -0,0 +1,4 @@
+federation
+=========
+
+This role will setup Openstack for user federation. The keycloak system will be used for the IdP provider.

roles/federation/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+# defaults file for federation
+#
+cifmw_federation_keycloak_realm: openstack
+cifmw_federation_keycloak_admin_username: admin
+cifmw_federation_keycloak_admin_password: nomoresecrets
+cifmw_federation_keycloak_testuser1_username: kctestuser1
+cifmw_federation_keycloak_testuser1_password: nomoresecrets1
+cifmw_federation_keycloak_testuser2_username: kctestuser2
+cifmw_federation_keycloak_testuser2_password: nomoresecrets2
+cifmw_federation_keycloak_testgroup1_name: kctestgroup1
+cifmw_federation_keycloak_testgroup2_name: kctestgroup2
+cifmw_federation_keycloak_client_id: rhoso
+cifmw_federation_keycloak_client_secret: COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
+cifmw_federation_keycloak_url_validate_certs: false
+cifmw_federation_run_osp_cmd_namespace: openstack
+cifmw_federation_domain: SSO
+cifmw_federation_IdpName: kcIDP
+cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/realms/{{ cifmw_federation_keycloak_realm }}'
+cifmw_federation_project_name: SSOproject
+cifmw_federation_group_name: SSOgroup
+cifmw_federation_mapping_name: SSOmap
+cifmw_federation_rules_file: rules.json
+cifmw_federation_clame_id: OIDC-preferred_username

roles/federation/tasks/run_keycloak_realm_setup.yml

@@ -0,0 +1,112 @@
+- name: Create a Keycloak realm
+  community.general.keycloak_realm:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    id: "{{ cifmw_federation_keycloak_realm }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    enabled: true
+    state: present
+
+- name: Create Keycloak client
+  community.general.keycloak_client:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    client_id: "{{ cifmw_federation_keycloak_client_id }}"
+    id: 3fb4f68d-ad2c-46e7-a579-ea418f5d150b
+    name: 'RHOSO Client'
+    description: 'RHOSO client for keystone federation'
+    root_url: "{{ cifmw_federation_keystone_url }}"
+    admin_url: "{{ cifmw_federation_keystone_url }}"
+    base_url: '/projects/dashboard'
+    enabled: true
+    client_authenticator_type: client-secret
+    secret: "{{ cifmw_federation_keycloak_client_secret }}"
+    redirect_uris:
+      - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso"
+      - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid"
+    web_origins:
+      - "{{ cifmw_federation_keystone_url }}"
+    bearer_only: false
+    protocol: openid-connect
+
+- name: Create a Keycloak group1
+  community.general.keycloak_group:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create a Keycloak group2
+  community.general.keycloak_group:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create keycloak user1
+  community.general.keycloak_user:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    username: "{{ cifmw_federation_keycloak_testuser1_username }}"
+    firstName: firstname1
+    lastName: lastname1
+    email: "{{ cifmw_federation_keycloak_testuser1_username }}@ocp.openstack.lab"
+    enabled: true
+    emailVerified: false
+    credentials:
+      - type: password
+        value: "{{ cifmw_federation_keycloak_testuser1_password }}"
+        temporary: false
+    groups:
+      - name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+        state: present
+
+- name: Create keycloak user2
+  community.general.keycloak_user:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    username: "{{ cifmw_federation_keycloak_testuser2_username }}"
+    firstName: firstname2
+    lastName: lastname2
+    email: "{{ cifmw_federation_keycloak_testuser2_username }}@ocp.openstack.lab"
+    enabled: true
+    emailVerified: false
+    credentials:
+      - type: password
+        value: "{{ cifmw_federation_keycloak_testuser2_password }}"
+        temporary: false
+    groups:
+      - name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+        state: present

roles/federation/tasks/run_keycloak_setup.yml

@@ -0,0 +1,90 @@
+- name: Download sso76-image-stream.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/sso76-image-stream.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json"
+
+- name: Download sso76-ocp4-https.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-https.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json"
+
+- name: Download sso76-ocp4-postgresql.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json"
+
+- name: Download sso76-ocp4-postgresql-persistent.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json"
+
+- name: Download sso76-ocp4-x509-https.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json"
+
+- name: Download sso76-ocp4-x509-postgresql-persistent.json
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json"
+
+- name: Update the core set of SSO resources
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json
+      oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json
+  register: federation_create_resource_templates
+
+- name: Install the sso OpenShift image streams
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
+  register: federation_install_sso_image
+
+- name: Deploy SSO on OpenShift
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc new-app -n {{ cifmw_federation_run_osp_cmd_namespace }} --template=sso76-ocp4-x509-https -p SSO_ADMIN_USERNAME={{ cifmw_federation_keycloak_admin_username }} -p SSO_ADMIN_PASSWORD={{ cifmw_federation_keycloak_admin_password }}
+  register: federation_deploy_sso
+
+- name: Wait for SSO pod to be avalable
+  ansible.builtin.uri:
+    url: "{{ cifmw_federation_keycloak_url }}"
+    follow_redirects: none
+    method: GET
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+  register: _result
+  until: _result.status == 200
+  retries: 24 # wait at least 2 min for pod then fail
+  delay: 5
+
+- name: Get SSO pod CA cert
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc get configmap sso-service-ca -o "jsonpath={ .data['service-ca\.crt']}"
+  register: federation_sso_ca
+
+- name: Write SSO pod CA cert to file for openstackclient pod
+  ansible.builtin.copy:
+    content: "{{ federation_sso_ca.stdout }}"
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+
+- name: Setting SSO pod CA fact
+  ansible.builtin.set_fact:
+    cifmw_federation_sso_ca: "{{ federation_sso_ca.stdout }}"

roles/federation/tasks/run_openstack_auth_test.yml

@@ -0,0 +1,62 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Generate federation test user1 cloudrc file
+  ansible.builtin.copy:
+    dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+    content: |
+      unset OS_CLOUD
+      export OS_CACERT=/home/cloud-admin/sso-service-ca.crt
+      export OS_PROJECT_NAME="{{ cifmw_federation_project_name }}"
+      export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_domain }}"
+      export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
+      export OS_IDENTITY_API_VERSION=3
+      export OS_AUTH_PLUGIN=openid
+      export OS_AUTH_TYPE=v3oidcpassword
+      export OS_USERNAME="{{ cifmw_federation_keycloak_testuser1_username }}"
+      export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser1_password }}"
+      export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName }}"
+      export OS_CLIENT_ID="{{ cifmw_federation_keycloak_client_id }}"
+      export OS_CLIENT_SECRET="{{ cifmw_federation_keycloak_client_secret }}"
+      export OS_OPENID_SCOPE="openid profile email"
+      export OS_PROTOCOL=openid
+      export OS_ACCESS_TOKEN_TYPE=access_token
+      export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/.well-known/openid-configuration"
+
+- name: Copy federation test user1 cloudrc file into pod
+  kubernetes.core.k8s_cp:
+    namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"
+    pod: openstackclient
+    remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+    local_path: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+
+- name: Copy SSO CA file into openstackclient pod
+  kubernetes.core.k8s_cp:
+    namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"
+    pod: openstackclient
+    remote_path: "/home/cloud-admin/sso-service-ca.crt"
+    local_path: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+
+- name: Get testuser1 token
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc rsh openstackclient
+      source /home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}rc
+      openstack token issue -f yaml
+  register: federation_sso_testuser1_token