Update storage and Keycloak config

2026-03-04 12:17:47 -05:00
parent d981b69669
commit d31b14cd72
28 changed files with 1433 additions and 205 deletions


@@ -1,46 +0,0 @@
- name: Publish CVs
hosts: satellite1.mgmt.toal.ca
vars:
sat_env_name: Library
sat_org: Toal.ca
sat_publish_description: Automated CV Update
tasks:
- name: Pre-tasks | Find all CVs
redhat.satellite.resource_info:
username: "{{ satellite_admin_user }}"
password: "{{ satellite_admin_pass }}"
server_url: "{{ satellite_url }}"
organization: "{{ sat_org }}"
resource: content_views
validate_certs: no
register: raw_list_cvs
- name: Pre-tasks | Get resource information
set_fact:
list_all_cvs: "{{ raw_list_cvs['resources'] | json_query(jmesquery) | list }}"
vars:
jmesquery: "[*].{name: name, composite: composite, id: id}"
- name: Pre-tasks | Extract list of content views
set_fact:
sat6_content_views_list: "{{ sat6_content_views_list|default([]) }} + ['{{ item.name }}' ]"
loop: "{{ list_all_cvs | reject('search', 'Default Organization View') | list }}"
when: item.composite == false
- name: Publish content
redhat.satellite.content_view_version:
username: "{{ satellite_admin_user }}"
password: "{{ satellite_admin_pass }}"
server_url: "{{ satellite_url }}"
organization: "{{ sat_org }}"
content_view: "{{ item }}"
validate_certs: no
description: "{{ sat_publish_description }}"
lifecycle_environments:
- Library
- "{{ sat_env_name }}"
loop: "{{ sat6_content_views_list | list }}"
loop_control:
loop_var: "item"
register: cv_publish_sleeper

playbooks/deploy_aap.yml Normal file

@@ -0,0 +1,219 @@
---
# Deploy Ansible Automation Platform on OpenShift
#
# Authenticates via the aap-deployer ServiceAccount token (not kubeadmin).
# The token is stored in 1Password and loaded via vault_aap_deployer_token.
#
# Prerequisites:
# - OpenShift cluster deployed (deploy_openshift.yml)
# - aap-deployer ServiceAccount provisioned:
# ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_service_accounts
# - SA token saved to 1Password as vault_aap_deployer_token
#
# Keycloak OIDC prerequisites (--tags aap_configure_keycloak,aap_configure_oidc):
# - Keycloak realm exists (configured via deploy_openshift.yml)
# - vault_aap_oidc_client_secret in 1Password (or it will be generated and displayed)
# - In host_vars for the aap host:
# aap_gateway_url: "https://aap.apps.<cluster>.<domain>"
# aap_oidc_client_id: aap
# aap_oidc_issuer: "https://keycloak.example.com/realms/<realm>"
# aap_oidc_public_key: "<RS256 public key from Keycloak realm Keys tab>"
#
# Play order:
# Play 0: aap_configure_keycloak — Create Keycloak OIDC client for AAP Gateway
# Play 1: (default) — Install AAP via aap_operator role
# Play 2: aap_configure_oidc — Configure OIDC Authentication Method in AAP Gateway
#
# Usage:
# ansible-navigator run playbooks/deploy_aap.yml
# ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_keycloak
# ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_oidc
# ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_keycloak,aap_configure_oidc
# ---------------------------------------------------------------------------
# Play 0: Create Keycloak OIDC client for AAP (optional)
# Runs on openshift hosts to access keycloak_url/keycloak_realm host vars.
# Creates the OIDC client in Keycloak with the correct AAP Gateway callback URI.
# ---------------------------------------------------------------------------
- name: Configure Keycloak OIDC client for AAP
hosts: openshift
gather_facts: false
connection: local
tags:
- never
- aap_configure_keycloak
vars:
__aap_keycloak_api_url: "{{ keycloak_url }}{{ keycloak_context | default('') }}"
__aap_oidc_client_id: "{{ aap_oidc_client_id | default('aap') }}"
# AAP operator generates the Gateway route as {platform_name}-{namespace}.apps.{cluster}.{domain}
# e.g. platform 'aap' in namespace 'aap' → aap-aap.apps.openshift.toal.ca
__aap_platform_name: "{{ aap_operator_platform_name | default('aap') }}"
__aap_namespace: "{{ aap_operator_namespace | default('aap') }}"
__aap_oidc_redirect_uris:
- "https://{{ __aap_platform_name }}-{{ __aap_namespace }}.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}/accounts/profile/callback/"
module_defaults:
middleware_automation.keycloak.keycloak_client:
auth_client_id: admin-cli
auth_keycloak_url: "{{ __aap_keycloak_api_url }}"
auth_realm: master
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ vault_keycloak_admin_password }}"
validate_certs: "{{ keycloak_validate_certs | default(true) }}"
tasks:
- name: Set AAP OIDC client secret (vault value or generated)
ansible.builtin.set_fact:
__aap_oidc_client_secret: "{{ vault_aap_oidc_client_secret | default(lookup('community.general.random_string', length=32, special=false)) }}"
__aap_oidc_secret_generated: "{{ vault_aap_oidc_client_secret is not defined }}"
no_log: true
- name: Create AAP OIDC client in Keycloak
middleware_automation.keycloak.keycloak_client:
realm: "{{ keycloak_realm }}"
client_id: "{{ __aap_oidc_client_id }}"
name: "Ansible Automation Platform"
description: "OIDC client for AAP Gateway on {{ ocp_cluster_name }}.{{ ocp_base_domain }}"
enabled: true
protocol: openid-connect
public_client: false
standard_flow_enabled: true
implicit_flow_enabled: false
direct_access_grants_enabled: false
service_accounts_enabled: false
secret: "{{ __aap_oidc_client_secret }}"
redirect_uris: "{{ __aap_oidc_redirect_uris }}"
web_origins:
- "+"
protocol_mappers:
- name: groups
protocol: openid-connect
protocolMapper: oidc-group-membership-mapper
config:
full.path: "false"
id.token.claim: "true"
access.token.claim: "true"
userinfo.token.claim: "true"
claim.name: groups
state: present
no_log: "{{ keycloak_no_log | default(true) }}"
- name: Display generated client secret (save this to vault!)
ansible.builtin.debug:
msg:
- "*** GENERATED AAP OIDC CLIENT SECRET — SAVE THIS TO VAULT ***"
- "vault_aap_oidc_client_secret: {{ __aap_oidc_client_secret }}"
- ""
- "Save to 1Password and reference as vault_aap_oidc_client_secret."
when: __aap_oidc_secret_generated | bool
- name: Display Keycloak AAP OIDC configuration summary
ansible.builtin.debug:
msg:
- "Keycloak AAP OIDC client configured:"
- " Realm : {{ keycloak_realm }}"
- " Client : {{ __aap_oidc_client_id }}"
- " Issuer : {{ __aap_keycloak_api_url }}/realms/{{ keycloak_realm }}"
- " Redirect : {{ __aap_oidc_redirect_uris | join(', ') }}"
- ""
- "Set in host_vars for the aap host:"
- " aap_gateway_url: https://{{ __aap_platform_name }}-{{ __aap_namespace }}.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}"
- " aap_oidc_issuer: {{ __aap_keycloak_api_url }}/realms/{{ keycloak_realm }}"
- ""
- "Then run: --tags aap_configure_oidc to register the authenticator in AAP."
verbosity: 1
# ---------------------------------------------------------------------------
# Play 1: Install Ansible Automation Platform
# ---------------------------------------------------------------------------
- name: Install Ansible Automation Platform
hosts: aap
gather_facts: false
connection: local
pre_tasks:
- name: Verify aap-deployer token is available
ansible.builtin.assert:
that:
- vault_aap_deployer_token is defined
- vault_aap_deployer_token | length > 0
fail_msg: >-
vault_aap_deployer_token is not set. Provision the ServiceAccount with:
ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_service_accounts
Then save the displayed token to 1Password as vault_aap_deployer_token.
# environment:
# K8S_AUTH_HOST: "{{ aap_k8s_api_url }}"
# K8S_AUTH_API_KEY: "{{ vault_aap_deployer_token }}"
roles:
- role: aap_operator
# ---------------------------------------------------------------------------
# Play 2: Configure Keycloak OIDC Authentication Method in AAP Gateway (optional)
# Uses infra.aap_configuration.gateway_authenticators to register the OIDC
# provider via the AAP Gateway API. Run after Play 1 (AAP must be Running).
#
# Requires in host_vars for the aap host:
# aap_gateway_url: "https://aap.apps.<cluster>.<domain>"
# aap_oidc_issuer: "https://keycloak.example.com/realms/<realm>"
# aap_oidc_client_id: aap (optional, default: aap)
# aap_oidc_public_key: "<RS256 public key from Keycloak realm Keys tab>"
# Vault:
# vault_aap_oidc_client_secret — OIDC client secret from Keycloak
# ---------------------------------------------------------------------------
- name: Configure Keycloak OIDC Authentication in AAP Gateway
hosts: aap
gather_facts: false
connection: local
tags:
- never
- aap_configure_oidc
vars:
__aap_namespace: "{{ aap_operator_namespace | default('aap') }}"
__aap_platform_name: "{{ aap_operator_platform_name | default('aap') }}"
environment:
K8S_AUTH_HOST: "{{ aap_k8s_api_url }}"
K8S_AUTH_API_KEY: "{{ vault_aap_deployer_token }}"
pre_tasks:
- name: Fetch AAP admin password from K8s secret
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
namespace: "{{ __aap_namespace }}"
name: "{{ __aap_platform_name }}-admin-password"
register: __aap_admin_secret
no_log: false
- name: Set AAP admin password fact
ansible.builtin.set_fact:
__aap_admin_password: "{{ __aap_admin_secret.resources[0].data.password | b64decode }}"
no_log: true
tasks:
- name: Configure Keycloak OIDC authenticator in AAP Gateway
ansible.builtin.include_role:
name: infra.aap_configuration.gateway_authenticators
vars:
aap_hostname: "{{ aap_gateway_url }}"
aap_username: "{{ aap_operator_admin_user | default('admin') }}"
aap_password: "{{ __aap_admin_password }}"
gateway_authenticators:
- name: Keycloak
type: ansible_base.authentication.authenticator_plugins.keycloak
slug: keycloak
enabled: true
configuration:
KEY: "{{ aap_oidc_client_id | default('aap') }}"
SECRET: "{{ vault_aap_oidc_client_secret }}"
PUBLIC_KEY: "{{ aap_oidc_public_key }}"
ACCESS_TOKEN_URL: "{{ aap_oidc_issuer }}/protocol/openid-connect/token"
AUTHORIZATION_URL: "{{ aap_oidc_issuer }}/protocol/openid-connect/auth"
GROUPS_CLAIM: "groups"
state: present
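Review bot: The `Fetch AAP admin password from K8s secret` pre_task in Play 2 sets `no_log: false` while registering the whole Secret object into `__aap_admin_secret`, so the base64-encoded admin password is printed in verbose task output and captured by any log shipper before the following set_fact (which is `no_log: true`) decodes it; base64 is an encoding, not protection. Change that task to `no_log: true`, matching the set_fact that follows. The `include_role` of `infra.aap_configuration.gateway_authenticators` also receives `aap_password` and the OIDC `SECRET` via `vars`; whether the role masks them in its own tasks depends on its secure-logging setting, which is worth confirming for this run. Separately, when `vault_aap_oidc_client_secret` is undefined, the Play 0 set_fact generates a new random secret on every invocation and `keycloak_client` writes it to the client, so re-running the tag rotates the client secret and breaks Play 2 until the displayed value is saved to vault; an `ansible.builtin.assert` on the vault variable, or a `when:` gate on the generation path, would make that failure mode explicit.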


@@ -8,11 +8,14 @@
# Inventory requirements:
# sno.openshift.toal.ca - in 'openshift' group
# host_vars: ocp_cluster_name, ocp_base_domain, ocp_version, sno_ip,
# sno_gateway, sno_nameserver, sno_prefix_length, sno_vm_name,
# sno_bridge, sno_vlan, proxmox_node, keycloak_url, keycloak_realm,
# sno_gateway, sno_nameserver, sno_prefix_length, sno_machine_network,
# sno_vm_name, sno_vnet, sno_storage_ip, sno_storage_ip_prefix_length,
# sno_storage_vnet, proxmox_node, keycloak_url, keycloak_realm,
# oidc_admin_groups, sno_deploy_letsencrypt_email, ...
# secrets: vault_ocp_pull_secret, vault_keycloak_admin_password,
# vault_oidc_client_secret (optional)
# optional: ocp_kubeconfig (defaults to ~/.kube/config; set to
# sno_install_dir/auth/kubeconfig for fresh installs)
# proxmox_api - inventory host (ansible_host, ansible_port)
# proxmox_host - inventory host (ansible_host, ansible_connection: ssh)
# gate.toal.ca - in 'opnsense' group
@@ -27,6 +30,11 @@
# Play 4: sno_deploy_install — Generate ISO, boot VM, wait for install
# Play 5: keycloak — Configure Keycloak OIDC client
# Play 6: sno_deploy_oidc / sno_deploy_certmanager / sno_deploy_delete_kubeadmin
# Play 7: sno_deploy_lvms — Install LVM Storage for persistent volumes
# Play 8: sno_deploy_nfs — Deploy in-cluster NFS provisioner (RWX StorageClass)
# Play 9: sno_deploy_service_accounts — Provision ServiceAccounts for app deployers
#
# AAP deployment is in a separate playbook: deploy_aap.yml
#
# Usage:
# ansible-navigator run playbooks/deploy_openshift.yml
@@ -35,6 +43,9 @@
# ansible-navigator run playbooks/deploy_openshift.yml --tags opnsense,dns
# ansible-navigator run playbooks/deploy_openshift.yml --tags keycloak,sno_deploy_oidc
# ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_certmanager
# ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_lvms
# ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_nfs
# ansible-navigator run playbooks/deploy_openshift.yml --tags sno_deploy_service_accounts
# ---------------------------------------------------------------------------
# Play 1: Create SNO VM in Proxmox
@@ -244,7 +255,7 @@
connection: local
environment:
KUBECONFIG: "{{ sno_install_dir }}/auth/kubeconfig"
KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
K8S_AUTH_VERIFY_SSL: "false"
tags:
@@ -274,20 +285,80 @@
- sno_deploy_delete_kubeadmin
# ---------------------------------------------------------------------------
# Play 7: Install Ansible Automation Platform (opt-in via --tags aap)
# Play 7: Install LVM Storage for persistent volumes
# ---------------------------------------------------------------------------
- name: Install Ansible Automation Platform
- name: Configure LVM Storage for persistent volumes
hosts: sno.openshift.toal.ca
gather_facts: false
connection: local
tags: sno_deploy_lvms
environment:
KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
K8S_AUTH_VERIFY_SSL: "false"
roles:
- role: lvms_operator
# ---------------------------------------------------------------------------
# Play 8: Deploy NFS provisioner for ReadWriteMany storage
# Set nfs_provisioner_external_server / nfs_provisioner_external_path to use
# a pre-existing NFS share (e.g. 192.168.129.100:/mnt/BIGPOOL/NoBackups/OCPNFS).
# When those are unset, an in-cluster NFS server is deployed; LVMS (Play 7) must
# have run first to provide the backing RWO PVC.
# ---------------------------------------------------------------------------
- name: Deploy in-cluster NFS provisioner
hosts: sno.openshift.toal.ca
gather_facts: false
connection: local
tags: sno_deploy_nfs
environment:
KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
K8S_AUTH_VERIFY_SSL: "false"
roles:
- role: nfs_provisioner
# ---------------------------------------------------------------------------
# Play 9: Provision ServiceAccounts for application deployers
# ---------------------------------------------------------------------------
- name: Provision OpenShift service accounts
hosts: sno.openshift.toal.ca
gather_facts: false
connection: local
environment:
KUBECONFIG: "{{ sno_install_dir }}/auth/kubeconfig"
KUBECONFIG: "{{ ocp_kubeconfig | default('~/.kube/config') }}"
K8S_AUTH_VERIFY_SSL: "false"
tags:
- never
- aap
- sno_deploy_service_accounts
roles:
- role: aap_operator
- role: ocp_service_account
ocp_service_account_name: aap-deployer
ocp_service_account_namespace: aap
ocp_service_account_cluster_role_rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "create", "patch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "patch"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
- apiGroups: ["operators.coreos.com"]
resources: ["operatorgroups", "subscriptions", "clusterserviceversions"]
verbs: ["get", "list", "create", "patch", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["aap.ansible.com"]
resources: ["ansibleautomationplatforms"]
verbs: ["get", "list", "create", "patch", "watch"]