Configure OIDC, make idempotent, fix bugs. Claude.ai

roles/sno_deploy/tasks/configure_oidc.yml

@@ -0,0 +1,145 @@
+---
+# Configure OpenShift OAuth with Keycloak OIDC.
+#
+# Prerequisites:
+#   - SNO cluster installed and accessible
+#   - Keycloak OIDC client created (Play 5 in deploy_openshift.yml)
+#   - KUBECONFIG environment variable set or oc_kubeconfig defined
+
+# ------------------------------------------------------------------
+# Secret: Keycloak client secret in openshift-config namespace
+# ------------------------------------------------------------------
+- name: Set OIDC client secret value
+  ansible.builtin.set_fact:
+    __sno_deploy_oidc_client_secret_value: >-
+      {{ hostvars[inventory_hostname]['__oidc_client_secret']
+         | default(vault_oidc_client_secret) }}
+  no_log: true
+
+- name: Create Keycloak client secret in openshift-config
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: "{{ __sno_deploy_oidc_secret_name }}"
+        namespace: openshift-config
+      type: Opaque
+      stringData:
+        clientSecret: "{{ __sno_deploy_oidc_client_secret_value }}"
+  no_log: false
+
+# ------------------------------------------------------------------
+# CA bundle: only needed when Keycloak uses a private/internal CA
+# ------------------------------------------------------------------
+- name: Create CA bundle ConfigMap for Keycloak TLS
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: "{{ __sno_deploy_oidc_ca_configmap_name }}"
+        namespace: openshift-config
+      data:
+        ca.crt: "{{ lookup('ansible.builtin.file', oidc_ca_cert_file) }}"
+  when: oidc_ca_cert_file | default('') | length > 0
+
+# ------------------------------------------------------------------
+# OAuth cluster resource: add/replace Keycloak IdP entry
+# ------------------------------------------------------------------
+- name: Get current OAuth cluster configuration
+  kubernetes.core.k8s_info:
+    api_version: config.openshift.io/v1
+    kind: OAuth
+    name: cluster
+  register: __sno_deploy_current_oauth
+
+- name: Build Keycloak OIDC identity provider definition
+  ansible.builtin.set_fact:
+    __sno_deploy_new_idp: >-
+      {{
+        {
+          'name': oidc_provider_name,
+          'mappingMethod': 'claim',
+          'type': 'OpenID',
+          'openID': (
+            {
+              'clientID': oidc_client_id,
+              'clientSecret': {'name': __sno_deploy_oidc_secret_name},
+              'issuer': __sno_deploy_oidc_issuer,
+              'claims': {
+                'preferredUsername': ['preferred_username'],
+                'name': ['name'],
+                'email': ['email'],
+                'groups': ['groups']
+              }
+            } | combine(
+              (oidc_ca_cert_file | default('') | length > 0) | ternary(
+                {'ca': {'name': __sno_deploy_oidc_ca_configmap_name}}, {}
+              )
+            )
+          )
+        }
+      }}
+
+- name: Build updated identity providers list
+  ansible.builtin.set_fact:
+    __sno_deploy_updated_idps: >-
+      {{
+        (__sno_deploy_current_oauth.resources[0].spec.identityProviders | default([])
+         | selectattr('name', '!=', oidc_provider_name) | list)
+        + [__sno_deploy_new_idp]
+      }}
+
+- name: Apply updated OAuth cluster configuration
+  kubernetes.core.k8s:
+    state: present
+    merge_type: merge
+    definition:
+      apiVersion: config.openshift.io/v1
+      kind: OAuth
+      metadata:
+        name: cluster
+      spec:
+        identityProviders: "{{ __sno_deploy_updated_idps }}"
+
+- name: Wait for OAuth deployment to roll out
+  ansible.builtin.command:
+    cmd: "{{ __sno_deploy_oc }} rollout status deployment/oauth-openshift -n openshift-authentication --timeout=300s --insecure-skip-tls-verify"
+  changed_when: false
+
+# ------------------------------------------------------------------
+# ClusterRoleBinding: grant cluster-admin to OIDC admin groups
+# ------------------------------------------------------------------
+- name: Create ClusterRoleBinding for OIDC admin groups
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: cluster-admin
+      subjects:
+        - apiGroup: rbac.authorization.k8s.io
+          kind: Group
+          name: "{{ item }}"
+  loop: "{{ oidc_admin_groups }}"
+  when: oidc_admin_groups | length > 0
+
+- name: Display post-configuration summary
+  ansible.builtin.debug:
+    msg:
+      - "OpenShift OIDC configuration complete!"
+      - "  Provider : {{ oidc_provider_name }}"
+      - "  Issuer   : {{ __sno_deploy_oidc_issuer }}"
+      - "  Console  : https://console-openshift-console.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}"
+      - "  Login    : https://oauth-openshift.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}"
+      - ""
+      - "Note: OAuth pods are restarting — login may be unavailable for ~2 minutes."
+    verbosity: 1