ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
update_2025
toallab-automation/docs/summaries/2026-02-26-aap-keycloak-oidc.md

2.7 KiB
Raw Permalink Blame History

Session Summary: AAP Keycloak OIDC Configuration

Date: 2026-02-26

Work Done

Added Keycloak OIDC authentication support for AAP 2.6 using the correct approach: infra.aap_configuration.gateway_authenticators (AAP Gateway API) instead of CR extra_settings (wrong for 2.6).

Files Changed

  • collections/requirements.yml — Added infra.aap_configuration
  • playbooks/deploy_aap.yml — Full rewrite:
    • Play 0 (aap_configure_keycloak): Creates Keycloak OIDC client with correct callback URI /accounts/profile/callback/
    • Play 1: Unchanged (installs AAP via aap_operator role)
    • Play 2 (aap_configure_oidc): Fetches admin password from K8s secret, calls infra.aap_configuration.gateway_authenticators
  • roles/aap_operator/defaults/main.yml — Removed OIDC vars (not role responsibility)
  • roles/aap_operator/meta/argument_specs.yml — Removed OIDC var docs
  • roles/aap_operator/tasks/main.yml — Removed OIDC include task (was wrong approach)
  • roles/aap_operator/tasks/configure_oidc.yml — Replaced with redirect comment

Key Decisions

  • OIDC must be configured via AAP Gateway API (not CR extra_settings). AAP 2.5+ Gateway uses Django-based auth with ansible_base.authentication plugins.
  • authenticator type: ansible_base.authentication.authenticator_plugins.generic_oidc
  • Callback URL: {aap_gateway_url}/accounts/profile/callback/ (not /social/complete/oidc/)
  • Admin password: Fetched dynamically from K8s secret {platform_name}-admin-password (not stored separately in vault)
  • OIDC not in aap_operator role: Kept as a separate playbook play (post-install concern)

Variables Required in aap host_vars

aap_gateway_url: "https://aap.apps.<cluster>.<domain>"
aap_oidc_issuer: "https://keycloak.toal.ca/realms/<realm>"
aap_oidc_client_id: aap   # optional, default: aap

Vault Variables

vault_aap_oidc_client_secret  — OIDC client secret from Keycloak
vault_aap_deployer_token      — K8s SA token (already required)
vault_keycloak_admin_password — required for Play 0

Usage

# Step 1: Create Keycloak client (once, idempotent)
ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_keycloak

# Step 2: Deploy AAP
ansible-navigator run playbooks/deploy_aap.yml

# Step 3: Register OIDC authenticator in AAP Gateway
ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_oidc

Open Items

  • ASSUMED: infra.aap_configuration + its dependency ansible.platform are available or installable in aap.toal.ca/ee-demo:latest. If not, a custom EE rebuild is needed.
  • The aap-deployer SA has get on secrets in aap namespace — confirmed via RBAC in deploy_openshift.yml Play 9.