From f61c85f148e325887140a631f5b97d07f81b3690 Mon Sep 17 00:00:00 2001
From: Jeremy Agee
Date: Mon, 11 Nov 2024 18:17:33 -0500
Subject: [PATCH] Add federation role to ci-framework

This role will setup keycloak as and OpenID provider for user access to openstack.
---
.../federation-controlplane-config.yml | 96 +++++++++++++++
hooks/playbooks/federation-post-deploy.yml | 41 +++++++
hooks/playbooks/federation-pre-deploy.yml | 41 +++++++
roles/federation/README.md | 4 +
roles/federation/defaults/main.yml | 24 ++++
.../tasks/run_keycloak_realm_setup.yml | 112 ++++++++++++++++++
roles/federation/tasks/run_keycloak_setup.yml | 100 ++++++++++++++++
.../tasks/run_keycloak_setup.yml.bak | 103 ++++++++++++++++
.../tasks/run_openstack_auth_test.yml | 62 ++++++++++
.../federation/tasks/run_openstack_setup.yml | 84 +++++++++++++
roles/federation/tasks/run_osp_cmd.yml | 28 +++++
11 files changed, 695 insertions(+)
create mode 100644 hooks/playbooks/federation-controlplane-config.yml
create mode 100644 hooks/playbooks/federation-post-deploy.yml
create mode 100644 hooks/playbooks/federation-pre-deploy.yml
create mode 100644 roles/federation/README.md
create mode 100644 roles/federation/defaults/main.yml
create mode 100644 roles/federation/tasks/run_keycloak_realm_setup.yml
create mode 100644 roles/federation/tasks/run_keycloak_setup.yml
create mode 100644 roles/federation/tasks/run_keycloak_setup.yml.bak
create mode 100644 roles/federation/tasks/run_openstack_auth_test.yml
create mode 100644 roles/federation/tasks/run_openstack_setup.yml
create mode 100644 roles/federation/tasks/run_osp_cmd.yml
diff --git a/hooks/playbooks/federation-controlplane-config.yml b/hooks/playbooks/federation-controlplane-config.yml
new file mode 100644
index 0000000000..d5037e53e7
--- /dev/null
+++ b/hooks/playbooks/federation-controlplane-config.yml
@@ -0,0 +1,96 @@
+---
+- name: Create kustomization to update Keystone to use Federation
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Create file to customize keystone for Federation resources deployed in the control plane
+ ansible.builtin.copy:
+ dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
+ content: |-
+ apiVersion: kustomize.config.k8s.io/v1beta1
+ kind: Kustomization
+ resources:
+ - namespace: {{ namespace }}
+ patches:
+ - target:
+ kind: OpenStackControlPlane
+ name: .*
+ patch: |-
+ - op: add
+ path: /spec/tls/caBundleSecretName
+ value: keycloakca
+ - op: add
+ path: /spec/keystone/template/httpdCustomization
+ value:
+ customConfigSecret: keystone-httpd-override
+ - op: add
+ path: /spec/keystone/template/customServiceConfig
+ value: |
+ [federation]
+ trusted_dashboard={{ '{{ .KeystoneEndpointPublic }}' }}/dashboard/auth/websso/
+ [openid]
+ remote_id_attribute=HTTP_OIDC_ISS
+ [auth]
+ methods = password,token,oauth1,mapped,application_credential,openid
+
+ - name: Get SSO pod CA cert
+ ansible.builtin.command: "cat {{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+ register: federation_sso_ca
+
+ - name: Add Keycloak CA secret
+ kubernetes.core.k8s:
+ kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ type: Opaque
+ metadata:
+ name: keycloakca
+ namespace: "openstack"
+ data:
+ KeyCloakCA: "{{ federation_sso_ca.stdout | b64encode }}"
+
+ - name: Create Keystone HTTPD override secret for Federation
+ kubernetes.core.k8s:
+ kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: keystone-httpd-override
+ namespace: openstack
+ type: Opaque
+ stringData:
+ federation.conf: |
+ OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
+ OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+ OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+ OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+ OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+ OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+ OIDCCacheType "{{ cifmw_keystone_OIDC_CacheType }}"
+ OIDCMemCacheServers "{{ cifmw_keystone_OIDC_MemCacheServers }}"
+ OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
+ OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
+ OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
+ OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+ OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
+ OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+ OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+ OIDCRedirectURI "{{ '{{ .KeystoneEndpointPublic }}' }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+
+
+ AuthType "openid-connect"
+ Require valid-user
+
+
+
+ AuthType oauth20
+ Require valid-user
+
+
+
+ AuthType "openid-connect"
+ Require valid-user
+
diff --git a/hooks/playbooks/federation-post-deploy.yml b/hooks/playbooks/federation-post-deploy.yml
new file mode 100644
index 0000000000..fab51cd08e
--- /dev/null
+++ b/hooks/playbooks/federation-post-deploy.yml
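Review bot: The "Create Keystone HTTPD override secret" task renders `OIDCClientSecret`, `OIDCCryptoPassphrase` and `OIDCOAuthClientSecret` into the Secret definition and has no `no_log: true`, so a verbose or failing run prints those values into the job log; add `no_log: true` to that task (and to the CA-secret task for consistency). None of the `cifmw_keystone_OIDC_*` variables are defined in `roles/federation/defaults/main.yml` in this patch, so unless they are supplied from outside the play fails with an undefined-variable error — either default them or document where they come from. The CA secret hardcodes `namespace: "openstack"` while the rest of the role uses `cifmw_federation_run_osp_cmd_namespace`; `namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"` keeps the two in step. `ansible.builtin.command: "cat …"` to read the CA file is better written as `ansible.builtin.slurp` or `lookup('ansible.builtin.file', …)`, which also avoids the task reporting `changed` on every run.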
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation setup one openstack post reproducer deploy
+ hosts: "{{ cifmw_target_host | default('localhost') }}"
+ gather_facts: true
+ tasks:
+ - name: Set urls for install type uni
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+ when: cifmw_federation_deploy_type == "uni"
+
+ - name: Set urls for install type crc
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+ when: cifmw_federation_deploy_type == "crc"
+
+ - name: Run federation setup on OSP
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_openstack_setup.yml
+
+ - name: Run federation OSP User Auth test
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_openstack_auth_test.yml
diff --git a/hooks/playbooks/federation-pre-deploy.yml b/hooks/playbooks/federation-pre-deploy.yml
new file mode 100644
index 0000000000..ea532a1c4c
--- /dev/null
+++ b/hooks/playbooks/federation-pre-deploy.yml
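Review bot: If `cifmw_federation_deploy_type` is anything other than `uni` or `crc`, neither `set_fact` task runs and `cifmw_federation_keycloak_url` / `cifmw_federation_keystone_url` stay undefined, so the imported role fails later with a far less obvious error; add an `ansible.builtin.assert` with `that: cifmw_federation_deploy_type in ['uni', 'crc']` ahead of the two tasks. The same URL selection is duplicated verbatim in `federation-pre-deploy.yml`, so the two hooks can drift; moving the mapping into the role (a dict in defaults keyed by deploy type) removes the duplication. The play name has a typo: `one openstack` should read `on openstack`.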
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation SSO setup on reproducer
+ hosts: "{{ cifmw_target_host | default('localhost') }}"
+ gather_facts: true
+ tasks:
+ - name: Set urls for install type uni
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://sso-openstack.apps.ocp.openstack.lab'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+ when: cifmw_federation_deploy_type == "uni"
+
+ - name: Set urls for install type crc
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://sso-openstack.apps-crc.testing'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+ when: cifmw_federation_deploy_type == "crc"
+
+ - name: Run SSO pod setup on Openshift
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_keycloak_setup.yml
+
+ - name: Run SSO realm setup for OSP
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_keycloak_realm_setup.yml
diff --git a/roles/federation/README.md b/roles/federation/README.md
new file mode 100644
index 0000000000..21ce43cec7
--- /dev/null
+++ b/roles/federation/README.md
@@ -0,0 +1,4 @@
+federation
+=========
+
+This role will setup Openstack for user federation. The keycloak system will be used for the IdP provider.
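Review bot: The `uni` branch hardcodes the ingress domain `apps.ocp.openstack.lab` as a literal, and `run_keycloak_setup.yml` separately hardcodes `sso-openstack.apps-crc.testing` in its `/etc/hosts` block, so the SSO hostname is now spelled in three places that must agree for the Keycloak redirect URIs and the CA wait loop to work. Deriving both URLs from one variable (e.g. `cifmw_federation_apps_domain`, set per deploy type) and building `https://sso-openstack.{{ cifmw_federation_apps_domain }}` from it would keep them consistent. This play otherwise duplicates the URL-selection tasks of `federation-post-deploy.yml` verbatim.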
diff --git a/roles/federation/defaults/main.yml b/roles/federation/defaults/main.yml
new file mode 100644
index 0000000000..a7ae928b2e
--- /dev/null
+++ b/roles/federation/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+# defaults file for federation
+#
+cifmw_federation_keycloak_realm: openstack
+cifmw_federation_keycloak_admin_username: admin
+cifmw_federation_keycloak_admin_password: nomoresecrets
+cifmw_federation_keycloak_testuser1_username: kctestuser1
+cifmw_federation_keycloak_testuser1_password: nomoresecrets1
+cifmw_federation_keycloak_testuser2_username: kctestuser2
+cifmw_federation_keycloak_testuser2_password: nomoresecrets2
+cifmw_federation_keycloak_testgroup1_name: kctestgroup1
+cifmw_federation_keycloak_testgroup2_name: kctestgroup2
+cifmw_federation_keycloak_client_id: rhoso
+cifmw_federation_keycloak_client_secret: COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
+cifmw_federation_keycloak_url_validate_certs: false
+cifmw_federation_run_osp_cmd_namespace: openstack
+cifmw_federation_domain: SSO
+cifmw_federation_IdpName: kcIDP
+cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/realms/{{ cifmw_federation_keycloak_realm }}'
+cifmw_federation_project_name: SSOproject
+cifmw_federation_group_name: SSOgroup
+cifmw_federation_mapping_name: SSOmap
+cifmw_federation_rules_file: rules.json
+cifmw_federation_clame_id: OIDC-preferred_username
diff --git a/roles/federation/tasks/run_keycloak_realm_setup.yml b/roles/federation/tasks/run_keycloak_realm_setup.yml
new file mode 100644
index 0000000000..bf1f0ff9e8
--- /dev/null
+++ b/roles/federation/tasks/run_keycloak_realm_setup.yml
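Review bot: `cifmw_federation_keycloak_client_secret` and the admin/test-user passwords are committed as literal defaults, and `cifmw_federation_keycloak_url_validate_certs: false` turns off TLS verification for every Keycloak API call the role makes, so the Keycloak admin credentials travel over an unverified connection by default. That is tolerable only for a throwaway CI cluster and should say so; add above the block `# CI-only throwaway credentials and lab-only TLS settings: override via vault/extra-vars for any shared or long-lived deployment; never reuse these values.` The role already extracts the SSO service CA (`sso-service-ca.crt`), so a verified path is presumably available for the `community.general.keycloak_*` calls if the modules are pointed at it — worth confirming rather than defaulting to `false`. `cifmw_federation_clame_id` looks like a misspelling of `claim_id`; it is a public variable name, so it is cheaper to fix now than after users depend on it.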
@@ -0,0 +1,112 @@
+- name: Create a Keycloak realm
+ community.general.keycloak_realm:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ id: "{{ cifmw_federation_keycloak_realm }}"
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+ enabled: true
+ state: present
+
+- name: Create Keycloak client
+ community.general.keycloak_client:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ state: present
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+ client_id: "{{ cifmw_federation_keycloak_client_id }}"
+ id: 3fb4f68d-ad2c-46e7-a579-ea418f5d150b
+ name: 'RHOSO Client'
+ description: 'RHOSO client for keystone federation'
+ root_url: "{{ cifmw_federation_keystone_url }}"
+ admin_url: "{{ cifmw_federation_keystone_url }}"
+ base_url: '/projects/dashboard'
+ enabled: true
+ client_authenticator_type: client-secret
+ secret: "{{ cifmw_federation_keycloak_client_secret }}"
+ redirect_uris:
+ - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso"
+ - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid"
+ web_origins:
+ - "{{ cifmw_federation_keystone_url }}"
+ bearer_only: false
+ protocol: openid-connect
+
+- name: Create a Keycloak group1
+ community.general.keycloak_group:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ state: present
+ name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create a Keycloak group2
+ community.general.keycloak_group:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ state: present
+ name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+
+- name: Create keycloak user1
+ community.general.keycloak_user:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ state: present
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+ username: "{{ cifmw_federation_keycloak_testuser1_username }}"
+ firstName: firstname1
+ lastName: lastname1
+ email: "{{ cifmw_federation_keycloak_testuser1_username }}@ocp.openstack.lab"
+ enabled: true
+ emailVerified: false
+ credentials:
+ - type: password
+ value: "{{ cifmw_federation_keycloak_testuser1_password }}"
+ temporary: false
+ groups:
+ - name: "{{ cifmw_federation_keycloak_testgroup1_name }}"
+ state: present
+
+- name: Create keycloak user2
+ community.general.keycloak_user:
+ auth_client_id: admin-cli
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth"
+ auth_realm: master
+ auth_username: "{{ cifmw_federation_keycloak_admin_username }}"
+ auth_password: "{{ cifmw_federation_keycloak_admin_password }}"
+ state: present
+ realm: "{{ cifmw_federation_keycloak_realm }}"
+ username: "{{ cifmw_federation_keycloak_testuser2_username }}"
+ firstName: firstname2
+ lastName: lastname2
+ email: "{{ cifmw_federation_keycloak_testuser2_username }}@ocp.openstack.lab"
+ enabled: true
+ emailVerified: false
+ credentials:
+ - type: password
+ value: "{{ cifmw_federation_keycloak_testuser2_password }}"
+ temporary: false
+ groups:
+ - name: "{{ cifmw_federation_keycloak_testgroup2_name }}"
+ state: present
diff --git a/roles/federation/tasks/run_keycloak_setup.yml b/roles/federation/tasks/run_keycloak_setup.yml
new file mode 100644
index 0000000000..97a31b2724
--- /dev/null
+++ b/roles/federation/tasks/run_keycloak_setup.yml
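Review bot: The first `redirect_uris` entry hardcodes the identity-provider name `kcipaIDP`, but the provider created in `run_openstack_setup.yml` is named `{{ cifmw_federation_IdpName }}` (default `kcIDP`), so the websso redirect Keystone sends for that provider will not match any registered redirect URI and Keycloak will refuse the authorization request; use `.../identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/websso`. Every task in this file passes `auth_password` and the client task also passes `secret` and user passwords under `credentials`, yet none sets `no_log: true`, so the values appear in verbose output and in any failure message; add `no_log: true` to each task. The client's `id` is a fixed UUID literal (`3fb4f68d-…`), which is harmless on a fresh CI cluster but would collide if the role were applied to a Keycloak that already holds that id; keying on `client_id` alone appears sufficient for the module's idempotency, so the literal can presumably be dropped.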
@@ -0,0 +1,100 @@
+- name: Download sso76-image-stream.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/sso76-image-stream.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json"
+
+- name: Download sso76-ocp4-https.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-https.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json"
+
+- name: Download sso76-ocp4-postgresql.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json"
+
+- name: Download sso76-ocp4-postgresql-persistent.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json"
+
+- name: Download sso76-ocp4-x509-https.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json"
+
+- name: Download sso76-ocp4-x509-postgresql-persistent.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json"
+
+- name: Update the core set of SSO resources
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json
+ register: federation_create_resource_templates
+
+- name: Install the sso OpenShift image streams
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
+ register: federation_install_sso_image
+
+- name: Deploy SSO on OpenShift
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc new-app -n {{ cifmw_federation_run_osp_cmd_namespace }} --template=sso76-ocp4-x509-https -p SSO_ADMIN_USERNAME={{ cifmw_federation_keycloak_admin_username }} -p SSO_ADMIN_PASSWORD={{ cifmw_federation_keycloak_admin_password }}
+ register: federation_deploy_sso
+
+- name: Add CRC IP address to hosts
+ become: true
+ ansible.builtin.blockinfile:
+ path: /etc/hosts
+ block: |
+ {{ hostvars['crc'].ansible_host }} api.crc.testing
+ {{ hostvars['crc'].ansible_host }} oauth-openshift.apps-crc.testing
+ {{ hostvars['crc'].ansible_host }} sso-openstack.apps-crc.testing
+ when: cifmw_federation_deploy_type == "crc"
+
+- name: Wait for SSO pod to be avalable
+ ansible.builtin.uri:
+ url: "{{ cifmw_federation_keycloak_url }}"
+ follow_redirects: none
+ method: GET
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ register: _result
+ until: _result.status == 200
+ retries: 24 # wait at least 2 min for pod then fail
+ delay: 5
+
+- name: Get SSO pod CA cert
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc get configmap sso-service-ca -n {{ cifmw_federation_run_osp_cmd_namespace }} -o "jsonpath={ .data['service-ca\.crt']}"
+ register: federation_sso_ca
+
+- name: Write SSO pod CA cert to file for openstackclient pod
+ ansible.builtin.copy:
+ content: "{{ federation_sso_ca.stdout }}"
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+
+- name: Setting SSO pod CA fact
+ ansible.builtin.set_fact:
+ cifmw_federation_sso_ca: "{{ federation_sso_ca.stdout }}"
diff --git a/roles/federation/tasks/run_keycloak_setup.yml.bak b/roles/federation/tasks/run_keycloak_setup.yml.bak
new file mode 100644
index 0000000000..9fdc559bcd
--- /dev/null
+++ b/roles/federation/tasks/run_keycloak_setup.yml.bak
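Review bot: The six `oc replace` invocations under `cmd: >-` in "Update the core set of SSO resources" are folded into one command line, so `ansible.builtin.command` runs a single `oc replace -n openshift -f <first file> oc replace -n openshift -f <second file> …` with the other five invocations passed as stray arguments rather than six separate commands; a `loop:` over the file names, as below, runs each one and keeps the command module's no-shell safety. The template JSON is fetched from the moving `sso76-dev` branch on raw.githubusercontent.com with no `checksum:` on any `get_url`, and is then applied cluster-wide into the `openshift` namespace, so a push to that branch silently changes what every CI run deploys; pin a commit SHA in the URLs and add `checksum: sha256:…` to each download. The `oc new-app` task passes `SSO_ADMIN_PASSWORD=…` on the command line and has no `no_log: true`, so the admin password lands in the task output (and is visible in the controller's process list while it runs); at minimum add `no_log: true` to that task.
```yaml
- name: Update the core set of SSO resources
  environment:
    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
    PATH: "{{ cifmw_path }}"
  ansible.builtin.command:
    cmd: "oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/{{ item }}"
  loop:
    - sso76-image-stream.json
    - sso76-ocp4-https.json
    - sso76-ocp4-postgresql.json
    - sso76-ocp4-postgresql-persistent.json
    - sso76-ocp4-x509-https.json
    - sso76-ocp4-x509-postgresql-persistent.json
  register: federation_create_resource_templates
# … unchanged: image import, SSO deploy, /etc/hosts, wait loop, CA extraction …
```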
@@ -0,0 +1,103 @@
+- name: Download sso76-image-stream.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/sso76-image-stream.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json"
+
+- name: Download sso76-ocp4-https.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-https.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json"
+
+- name: Download sso76-ocp4-postgresql.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json"
+
+- name: Download sso76-ocp4-postgresql-persistent.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/passthrough/ocp-4.x/sso76-ocp4-postgresql-persistent.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json"
+
+- name: Download sso76-ocp4-x509-https.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-https.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json"
+
+- name: Download sso76-ocp4-x509-postgresql-persistent.json
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso76-dev/templates/reencrypt/ocp-4.x/sso76-ocp4-x509-postgresql-persistent.json
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json"
+
+- name: Update the core set of SSO resources
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-image-stream.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-https.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-postgresql-persistent.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-https.json
+ oc replace -n openshift -f {{ ansible_user_dir }}/ci-framework-data/tmp/sso76-ocp4-x509-postgresql-persistent.json
+ register: federation_create_resource_templates
+
+- name: Install the sso OpenShift image streams
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
+ register: federation_install_sso_image
+
+- name: Deploy SSO on OpenShift
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc new-app -n {{ cifmw_federation_run_osp_cmd_namespace }} --template=sso76-ocp4-x509-https -p SSO_ADMIN_USERNAME={{ cifmw_federation_keycloak_admin_username }} -p SSO_ADMIN_PASSWORD={{ cifmw_federation_keycloak_admin_password }}
+ register: federation_deploy_sso
+ failed_when: >
+ ( '"deploymentconfigs.apps.openshift.io \"sso\" already exists" not in federation_deploy_sso.stderr' ) or
+ ( '"deploymentconfigs.apps.openshift.io \"sso\" created" not in federation_deploy_sso.stderr' )
+
+- name: Add CRC IP address to hosts
+ become: true
+ ansible.builtin.blockinfile:
+ path: /etc/hosts
+ block: |
+ {{ hostvars['crc'].ansible_host }} api.crc.testing
+ {{ hostvars['crc'].ansible_host }} oauth-openshift.apps-crc.testing
+ {{ hostvars['crc'].ansible_host }} sso-openstack.apps-crc.testing
+ when: cifmw_federation_deploy_type == "crc"
+
+- name: Wait for SSO pod to be avalable
+ ansible.builtin.uri:
+ url: "{{ cifmw_federation_keycloak_url }}"
+ follow_redirects: none
+ method: GET
+ validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}"
+ register: _result
+ until: _result.status == 200
+ retries: 24 # wait at least 2 min for pod then fail
+ delay: 5
+
+- name: Get SSO pod CA cert
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc get configmap sso-service-ca -n {{ cifmw_federation_run_osp_cmd_namespace }} -o "jsonpath={ .data['service-ca\.crt']}"
+ register: federation_sso_ca
+
+- name: Write SSO pod CA cert to file for openstackclient pod
+ ansible.builtin.copy:
+ content: "{{ federation_sso_ca.stdout }}"
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+
+- name: Setting SSO pod CA fact
+ ansible.builtin.set_fact:
+ cifmw_federation_sso_ca: "{{ federation_sso_ca.stdout }}"
diff --git a/roles/federation/tasks/run_openstack_auth_test.yml b/roles/federation/tasks/run_openstack_auth_test.yml
new file mode 100644
index 0000000000..ead2c4feec
--- /dev/null
+++ b/roles/federation/tasks/run_openstack_auth_test.yml
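Review bot: `run_keycloak_setup.yml.bak` is a stray editor backup of `run_keycloak_setup.yml` that differs only in the `failed_when` on the `oc new-app` task, and it should be deleted from the patch rather than shipped as a second copy of the role logic. The `failed_when` it carries is also wrong: both operands are single-quoted string literals (`'"… already exists" not in federation_deploy_sso.stderr'`) rather than Jinja expressions, and a non-empty string is truthy, so `('…') or ('…')` is always true and the task would fail unconditionally. If the intent is to tolerate an SSO that is already deployed on a re-run, the working form is `failed_when: federation_deploy_sso.rc != 0 and 'already exists' not in federation_deploy_sso.stderr`, and it belongs in the real `run_keycloak_setup.yml`.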
@@ -0,0 +1,62 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Generate federation test user1 cloudrc file
+ ansible.builtin.copy:
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+ content: |
+ unset OS_CLOUD
+ export OS_CACERT=/home/cloud-admin/sso-service-ca.crt
+ export OS_PROJECT_NAME="{{ cifmw_federation_project_name }}"
+ export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_domain }}"
+ export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
+ export OS_IDENTITY_API_VERSION=3
+ export OS_AUTH_PLUGIN=openid
+ export OS_AUTH_TYPE=v3oidcpassword
+ export OS_USERNAME="{{ cifmw_federation_keycloak_testuser1_username }}"
+ export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser1_password }}"
+ export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName }}"
+ export OS_CLIENT_ID="{{ cifmw_federation_keycloak_client_id }}"
+ export OS_CLIENT_SECRET="{{ cifmw_federation_keycloak_client_secret }}"
+ export OS_OPENID_SCOPE="openid profile email"
+ export OS_PROTOCOL=openid
+ export OS_ACCESS_TOKEN_TYPE=access_token
+ export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/.well-known/openid-configuration"
+
+- name: Copy federation test user1 cloudrc file into pod
+ kubernetes.core.k8s_cp:
+ namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"
+ pod: openstackclient
+ remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+ local_path: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_keycloak_testuser1_username }}rc"
+
+- name: Copy SSO CA file into openstackclient pod
+ kubernetes.core.k8s_cp:
+ namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"
+ pod: openstackclient
+ remote_path: "/home/cloud-admin/sso-service-ca.crt"
+ local_path: "{{ ansible_user_dir }}/ci-framework-data/tmp/sso-service-ca.crt"
+
+- name: Get testuser1 token
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc rsh openstackclient
+ source /home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}rc
+ openstack token issue -f yaml
+ register: federation_sso_testuser1_token
diff --git a/roles/federation/tasks/run_openstack_setup.yml b/roles/federation/tasks/run_openstack_setup.yml
new file mode 100644
index 0000000000..1e8a25a17c
--- /dev/null
+++ b/roles/federation/tasks/run_openstack_setup.yml
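Review bot: The "Get testuser1 token" command is a `>-` folded scalar, so what reaches the pod is the single line `source /home/cloud-admin/<user>rc openstack token issue -f yaml`: `source` takes `openstack token issue -f yaml` as positional parameters and the `openstack token issue` call never executes, so this test cannot detect a broken federation login (and it depends on `oc rsh` wrapping the argument in a shell for `source` to exist at all). Invoke the shell explicitly, e.g. `oc rsh openstackclient sh -c 'source /home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}rc && openstack token issue -f yaml'`, and add `no_log: true` together with an assert on the registered output, since `federation_sso_testuser1_token` holds a live Keystone token and is otherwise printed in verbose runs. `OS_DISCOVERY_ENDPOINT` is built from `cifmw_federation_keycloak_url` alone, i.e. the server root, whereas the realm setup addresses this Keycloak under `/auth`; the discovery document presumably lives at `{{ cifmw_federation_remote_id }}/.well-known/openid-configuration`, which should be confirmed against the deployed SSO. The generated rc file contains `OS_PASSWORD` and `OS_CLIENT_SECRET` but the `ansible.builtin.copy` task sets no `mode:`; add `mode: "0600"`.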
@@ -0,0 +1,84 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation create domain
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack domain create {{ cifmw_federation_domain }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Run federation identity provider create
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack identity provider create --remote-id {{ cifmw_federation_remote_id }} --domain {{ cifmw_federation_domain }} {{ cifmw_federation_IdpName }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Setup federation create rules json file
+ ansible.builtin.copy:
+ dest: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_rules_file }}"
+ content: |
+ [
+ {
+ "local": [
+ {
+ "user": {
+ "name": "{0}"
+ },
+ "group": {
+ "name": "{{ cifmw_federation_group_name }}",
+ "domain": {
+ "name": "{{ cifmw_federation_domain }}"
+ }
+ }
+ }
+ ],
+ "remote": [
+ {
+ "type": "{{ cifmw_federation_clame_id }}"
+ }
+ ]
+ }
+ ]
+
+- name: Copy federation create rules json file to remote pod
+ kubernetes.core.k8s_cp:
+ namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}"
+ pod: openstackclient
+ remote_path: "/home/cloud-admin/{{ cifmw_federation_rules_file }}"
+ local_path: "{{ ansible_user_dir }}/ci-framework-data/tmp/{{ cifmw_federation_rules_file }}"
+
+- name: Run federation mapping create
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack mapping create --rules {{ cifmw_federation_rules_file }} {{ cifmw_federation_mapping_name }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Run federation group create
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack group create --domain {{ cifmw_federation_domain }} {{ cifmw_federation_group_name }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Run federation project create
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack project create --domain {{ cifmw_federation_domain }} {{ cifmw_federation_project_name }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Run federation rule add
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack role add --group {{ cifmw_federation_group_name }} --group-domain {{ cifmw_federation_domain }} --project {{ cifmw_federation_project_name }} --project-domain {{ cifmw_federation_domain }} member"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
+
+- name: Run federation protocol create
+ vars:
+ cifmw_federation_run_osp_cmd: "openstack federation protocol create openid --mapping {{ cifmw_federation_mapping_name }} --identity-provider {{ cifmw_federation_IdpName }}"
+ ansible.builtin.include_tasks: run_osp_cmd.yml
diff --git a/roles/federation/tasks/run_osp_cmd.yml b/roles/federation/tasks/run_osp_cmd.yml
new file mode 100644
index 0000000000..53bf4f7961
--- /dev/null
+++ b/roles/federation/tasks/run_osp_cmd.yml
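Review bot: "Run federation mapping create" passes the bare file name (`--rules {{ cifmw_federation_rules_file }}`, i.e. `rules.json`), but the file was copied to `/home/cloud-admin/rules.json`, so the command only works if the working directory of `oc exec` happens to be `/home/cloud-admin`; pass the absolute path `--rules /home/cloud-admin/{{ cifmw_federation_rules_file }}`. The mapping's `remote` block names only the `OIDC-preferred_username` claim with no `any_one_of` or group condition, so every account in the Keycloak realm is mapped into `SSOgroup` and thereby gets `member` on `SSOproject`; that is reasonable for a CI realm holding two test users but deserves a comment such as `# any authenticated realm user is mapped to SSOgroup; intentional for CI, tighten with any_one_of before reuse` so it is not copied into a real deployment. Also worth confirming: Keystone matches `--remote-id` against the token's `iss` claim, and since this role talks to Keycloak under `/auth`, the issuer is presumably `…/auth/realms/<realm>` rather than the `/realms/<realm>` that `cifmw_federation_remote_id` defaults to. The mapping creation also uses the misspelled `cifmw_federation_clame_id` variable (claim id), which is worth renaming before the name is relied on.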
@@ -0,0 +1,28 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation OCP CMD
+ environment:
+ KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+ PATH: "{{ cifmw_path }}"
+ ansible.builtin.command:
+ cmd: >-
+ oc exec
+ -n {{ cifmw_federation_run_osp_cmd_namespace }}
+ -t openstackclient
+ --
+ {{ cifmw_federation_run_osp_cmd }}
+ register: federation_run_ocp_cmd
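Review bot: The task always reports `changed` and never inspects `federation_run_ocp_cmd`, so every `openstack … create` it runs on behalf of `run_openstack_setup.yml` is relied on only through `oc exec`'s exit code, and a second run of the playbook stops at the first resource that already exists; add `changed_when: false` (or derive it from the output) and use `--or-show` on the create subcommands that support it so the role is re-runnable. `-t` allocates a TTY for `oc exec`, which is unnecessary for a non-interactive command and can put carriage returns into `stdout` that break later parsing of the registered result; drop it. `{{ cifmw_federation_run_osp_cmd }}` is split on whitespace by `ansible.builtin.command`, which is safe against shell injection but means any argument containing a space (a quoted description, for example) would be broken apart; a comment noting that constraint, e.g. `# cmd is shlex-split; arguments must not contain spaces`, would save the next caller a surprise.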