55 lines
2.7 KiB
Markdown
55 lines
2.7 KiB
Markdown
# Session Summary: AAP Keycloak OIDC Configuration
|
|
Date: 2026-02-26
|
|
|
|
## Work Done
|
|
Added Keycloak OIDC authentication support for AAP 2.6 using the correct approach:
|
|
`infra.aap_configuration.gateway_authenticators` (AAP Gateway API) instead of CR extra_settings (wrong for 2.6).
|
|
|
|
## Files Changed
|
|
- `collections/requirements.yml` — Added `infra.aap_configuration`
|
|
- `playbooks/deploy_aap.yml` — Full rewrite:
|
|
- Play 0 (`aap_configure_keycloak`): Creates Keycloak OIDC client with correct callback URI `/accounts/profile/callback/`
|
|
- Play 1: Unchanged (installs AAP via `aap_operator` role)
|
|
- Play 2 (`aap_configure_oidc`): Fetches admin password from K8s secret, calls `infra.aap_configuration.gateway_authenticators`
|
|
- `roles/aap_operator/defaults/main.yml` — Removed OIDC vars (not role responsibility)
|
|
- `roles/aap_operator/meta/argument_specs.yml` — Removed OIDC var docs
|
|
- `roles/aap_operator/tasks/main.yml` — Removed OIDC include task (was wrong approach)
|
|
- `roles/aap_operator/tasks/configure_oidc.yml` — Replaced with redirect comment
|
|
|
|
## Key Decisions
|
|
- **OIDC must be configured via AAP Gateway API** (not CR extra_settings). AAP 2.5+ Gateway uses Django-based auth with `ansible_base.authentication` plugins.
|
|
- **authenticator type**: `ansible_base.authentication.authenticator_plugins.generic_oidc`
|
|
- **Callback URL**: `{aap_gateway_url}/accounts/profile/callback/` (not `/social/complete/oidc/`)
|
|
- **Admin password**: Fetched dynamically from K8s secret `{platform_name}-admin-password` (not stored separately in vault)
|
|
- **OIDC not in `aap_operator` role**: Kept as a separate playbook play (post-install concern)
|
|
|
|
## Variables Required in `aap` host_vars
|
|
```yaml
|
|
aap_gateway_url: "https://aap.apps.<cluster>.<domain>"
|
|
aap_oidc_issuer: "https://keycloak.toal.ca/realms/<realm>"
|
|
aap_oidc_client_id: aap # optional, default: aap
|
|
```
|
|
|
|
## Vault Variables
|
|
```
|
|
vault_aap_oidc_client_secret — OIDC client secret from Keycloak
|
|
vault_aap_deployer_token — K8s SA token (already required)
|
|
vault_keycloak_admin_password — required for Play 0
|
|
```
|
|
|
|
## Usage
|
|
```bash
|
|
# Step 1: Create Keycloak client (once, idempotent)
|
|
ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_keycloak
|
|
|
|
# Step 2: Deploy AAP
|
|
ansible-navigator run playbooks/deploy_aap.yml
|
|
|
|
# Step 3: Register OIDC authenticator in AAP Gateway
|
|
ansible-navigator run playbooks/deploy_aap.yml --tags aap_configure_oidc
|
|
```
|
|
|
|
## Open Items
|
|
- ASSUMED: `infra.aap_configuration` + its dependency `ansible.platform` are available or installable in `aap.toal.ca/ee-demo:latest`. If not, a custom EE rebuild is needed.
|
|
- The `aap-deployer` SA has `get` on secrets in `aap` namespace — confirmed via RBAC in `deploy_openshift.yml` Play 9.
|