Add federation role to ci-framework

This role will setup keycloak as and OpenID provider for user access
to openstack.

hooks/playbooks/federation-controlplane-config.yml

@@ -0,0 +1,96 @@
+---
+- name: Create kustomization to update Keystone to use Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize keystone for Federation resources deployed in the control plane
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          - namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/tls/caBundleSecretName
+                value: keycloakca
+              - op: add
+                path: /spec/keystone/template/httpdCustomization
+                value:
+                  customConfigSecret: keystone-httpd-override
+              - op: add
+                path: /spec/keystone/template/customServiceConfig
+                value: |
+                  [federation]
+                  trusted_dashboard={{ '{{ .KeystoneEndpointPublic }}' }}/dashboard/auth/websso/
+                  [openid]
+                  remote_id_attribute=HTTP_OIDC_ISS
+                  [auth]
+                  methods = password,token,oauth1,mapped,application_credential,openid
+
+    - name: Get SSO pod CA cert
+      ansible.builtin.command: "cat {{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+      register: federation_sso_ca
+
+    - name: Add Keycloak CA secret
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: keycloakca
+            namespace: "openstack"
+          data:
+            KeyCloakCA: "{{ federation_sso_ca.stdout | b64encode }}"
+
+    - name: Create Keystone HTTPD override secret for Federation
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: keystone-httpd-override
+            namespace: openstack
+          type: Opaque
+          stringData:
+            federation.conf: |
+              OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
+              OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+              OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+              OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+              OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+              OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+              OIDCCacheType "{{ cifmw_keystone_OIDC_CacheType }}"
+              OIDCMemCacheServers "{{ cifmw_keystone_OIDC_MemCacheServers }}"
+              OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
+              OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
+              OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
+              OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+              OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
+              OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+              OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+              OIDCRedirectURI "{{ '{{ .KeystoneEndpointPublic }}' }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/auth">
+                AuthType oauth20
+                Require valid-user
+              </Location>
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>

hooks/playbooks/federation-post-deploy.yml

@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation setup one openstack post reproducer deploy
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run federation setup on OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_setup.yml
+
+    - name: Run federation OSP User Auth test
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_auth_test.yml

hooks/playbooks/federation-pre-deploy.yml

@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation SSO setup on reproducer
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run SSO pod setup on Openshift
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_setup.yml
+
+    - name: Run SSO realm setup for OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_realm_setup.yml

roles/federation/README.md

@@ -0,0 +1,4 @@
+federation
+=========
+
+This role will setup Openstack for user federation. The keycloak system will be used for the IdP provider.

roles/federation/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+# defaults file for federation
+#
+cifmw_federation_keycloak_realm: openstack
+cifmw_federation_keycloak_admin_username: admin
+cifmw_federation_keycloak_admin_password: nomoresecrets
+cifmw_federation_keycloak_testuser1_username: kctestuser1
+cifmw_federation_keycloak_testuser1_password: nomoresecrets1
+cifmw_federation_keycloak_testuser2_username: kctestuser2
+cifmw_federation_keycloak_testuser2_password: nomoresecrets2
+cifmw_federation_keycloak_testgroup1_name: kctestgroup1
+cifmw_federation_keycloak_testgroup2_name: kctestgroup2
+cifmw_federation_keycloak_client_id: rhoso
+cifmw_federation_keycloak_client_secret: COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
+cifmw_federation_keycloak_url_validate_certs: false
+cifmw_federation_run_osp_cmd_namespace: openstack
+cifmw_federation_domain: SSO
+cifmw_federation_IdpName: kcIDP
+cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/realms/{{ cifmw_federation_keycloak_realm }}'
+cifmw_federation_project_name: SSOproject
+cifmw_federation_group_name: SSOgroup
+cifmw_federation_mapping_name: SSOmap
+cifmw_federation_rules_file: rules.json
+cifmw_federation_clame_id: OIDC-preferred_username

roles/federation/tasks/run_keycloak_realm_setup.yml

@@ -0,0 +1,112 @@
+- name: Create a Keycloak realm
+  community.general.keycloak_realm:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    id: "{{ cifmw_federation_keycloak_realm }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    enabled: true
+    state: present
+
+- name: Create Keycloak client
+  community.general.keycloak_client:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    client_id: "{{ cifmw_federation_keycloak_client_id }}"
+    id: 3fb4f68d-ad2c-46e7-a579-ea418f5d150b
+    name: 'RHOSO Client'
+    description: 'RHOSO client for keystone federation'
+    root_url: "{{ cifmw_federation_keystone_url }}"
+    admin_url: "{{ cifmw_federation_keystone_url }}"
+    base_url: '/projects/dashboard'
+    enabled: true
+    client_authenticator_type: client-secret
+    secret: "{{ cifmw_federation_keycloak_client_secret }}"
+    redirect_uris:
+      - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso"
+      - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid"
+    web_origins:
+      - "{{ cifmw_federation_keystone_url }}"
+    bearer_only: false
+    protocol: openid-connect
+
+- name: Create a Keycloak group1
+  community.general.keycloak_group:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create a Keycloak group2
+  community.general.keycloak_group:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create keycloak user1
+  community.general.keycloak_user:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    username: "{{ cifmw_federation_keycloak_testuser1_username }}"
+    firstName: firstname1
+    lastName: lastname1
+    email: "{{ cifmw_federation_keycloak_testuser1_username }}@ocp.openstack.lab"
+    enabled: true
+    emailVerified: false
+    credentials:
+      - type: password
+        value: "{{ cifmw_federation_keycloak_testuser1_password }}"
+        temporary: false
+    groups:
+      - name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+        state: present
+
+- name: Create keycloak user2
+  community.general.keycloak_user:
+    auth_client_id: admin-cli
+    validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+    auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+    auth_realm: master
+    auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+    auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+    state: present
+    realm: "{{ cifmw_federation_keycloak_realm }}"
+    username: "{{ cifmw_federation_keycloak_testuser2_username }}"
+    firstName: firstname2
+    lastName: lastname2
+    email: "{{ cifmw_federation_keycloak_testuser2_username }}@ocp.openstack.lab"
+    enabled: true
+    emailVerified: false
+    credentials:
+      - type: password
+        value: "{{ cifmw_federation_keycloak_testuser2_password }}"
+        temporary: false
+    groups:
+      - name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+        state: present