---
# Configure OpenShift OAuth with Keycloak OIDC.
#
# Prerequisites:
# - SNO cluster installed and accessible
# - Keycloak OIDC client created (Play 5 in deploy_openshift.yml)
# - KUBECONFIG environment variable set or oc_kubeconfig defined

# ------------------------------------------------------------------
# Secret: Keycloak client secret in openshift-config namespace
# ------------------------------------------------------------------
# Resolve the client secret: a per-host '__oidc_client_secret' (read via
# hostvars) wins, otherwise 'vault_oidc_client_secret' is used.
# no_log keeps the resolved value out of task output and callbacks.
- name: Set OIDC client secret value
  no_log: true
  ansible.builtin.set_fact:
    __sno_deploy_oidc_client_secret_value: >-
      {{ hostvars[inventory_hostname]['__oidc_client_secret'] | default(vault_oidc_client_secret) }}
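# The Secret holds the Keycloak client secret; the OAuth identity provider
# built further down references it by name via openID.clientSecret.name.
- name: Create Keycloak client secret in openshift-config
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: "{{ __sno_deploy_oidc_secret_name }}"
        namespace: openshift-config
      type: Opaque
      stringData:
        clientSecret: "{{ __sno_deploy_oidc_client_secret_value }}"
  # Both the module arguments (stringData.clientSecret) and the Secret
  # object the module returns carry the secret value, so this task must
  # run with no_log: true -- otherwise verbose runs, callback plugins and
  # log files expose it, undoing the no_log on the set_fact that produced
  # __sno_deploy_oidc_client_secret_value.
  no_log: true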
# ------------------------------------------------------------------
# CA bundle: only needed when Keycloak uses a private/internal CA
# ------------------------------------------------------------------
# Publishes the CA that signed Keycloak's TLS certificate under the
# 'ca.crt' key of a ConfigMap in openshift-config. The identity provider
# definition below attaches this ConfigMap (openID.ca.name) under the same
# condition, so the two stay in step.
- name: Create CA bundle ConfigMap for Keycloak TLS
  when: oidc_ca_cert_file | default('') | length > 0
  kubernetes.core.k8s:
    definition:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        namespace: openshift-config
        name: "{{ __sno_deploy_oidc_ca_configmap_name }}"
      data:
        ca.crt: "{{ lookup('ansible.builtin.file', oidc_ca_cert_file) }}"
    state: present
# ------------------------------------------------------------------
# OAuth cluster resource: add/replace Keycloak IdP entry
# ------------------------------------------------------------------
# Read the live OAuth/cluster object so that identity providers already
# configured on the cluster can be kept when the Keycloak entry is
# added or replaced below.
- name: Get current OAuth cluster configuration
  register: __sno_deploy_current_oauth
  kubernetes.core.k8s_info:
    kind: OAuth
    api_version: config.openshift.io/v1
    name: cluster
# Assemble the OpenID identity provider entry for the OAuth resource.
# The 'groups' claim mapping is what the ClusterRoleBinding task at the
# end relies on for group-based access.
- name: Build Keycloak OIDC identity provider definition
  vars:
    # openID block without the optional CA reference.
    __sno_deploy_openid_base:
      clientID: "{{ oidc_client_id }}"
      clientSecret:
        name: "{{ __sno_deploy_oidc_secret_name }}"
      issuer: "{{ __sno_deploy_oidc_issuer }}"
      claims:
        preferredUsername: ['preferred_username']
        name: ['name']
        email: ['email']
        groups: ['groups']
    # CA reference, present only when a private CA file was supplied
    # (same condition as the ConfigMap task above); empty otherwise.
    __sno_deploy_openid_ca: >-
      {{ {'ca': {'name': __sno_deploy_oidc_ca_configmap_name}}
         if (oidc_ca_cert_file | default('') | length > 0) else {} }}
  ansible.builtin.set_fact:
    __sno_deploy_new_idp:
      name: "{{ oidc_provider_name }}"
      mappingMethod: claim
      type: OpenID
      openID: "{{ __sno_deploy_openid_base | combine(__sno_deploy_openid_ca) }}"
# Drop any existing provider with the same name, then append the freshly
# built entry, so re-running the play replaces rather than duplicates it.
- name: Build updated identity providers list
  ansible.builtin.set_fact:
    __sno_deploy_updated_idps: >-
      {{ (__sno_deploy_current_oauth.resources[0].spec.identityProviders
          | default([])
          | rejectattr('name', '==', oidc_provider_name)
          | list)
         + [__sno_deploy_new_idp] }}
# Patch OAuth/cluster with the rebuilt provider list. merge_type: merge
# sends a JSON merge patch, which replaces the identityProviders list as a
# whole -- that is why the list was rebuilt from the live object rather
# than just the Keycloak entry being sent.
- name: Apply updated OAuth cluster configuration
  kubernetes.core.k8s:
    definition:
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders: "{{ __sno_deploy_updated_idps }}"
    merge_type: merge
    state: present
# Block until the oauth-openshift deployment has picked up the new
# configuration (up to 300s). changed_when: false because this only
# observes state.
# NOTE(review): --insecure-skip-tls-verify turns off verification of the
# API server certificate for this oc call; the kubernetes.core tasks in
# this file do not skip verification. If the kubeconfig carries the
# cluster CA, the flag can be dropped.
- name: Wait for OAuth deployment to roll out
  changed_when: false
  ansible.builtin.command:
    cmd: >-
      {{ __sno_deploy_oc }} rollout status deployment/oauth-openshift
      -n openshift-authentication --timeout=300s --insecure-skip-tls-verify
# ------------------------------------------------------------------
# ClusterRoleBinding: grant cluster-admin to OIDC admin groups
# ------------------------------------------------------------------
# One ClusterRoleBinding per entry in oidc_admin_groups. Membership is
# taken from the IdP 'groups' claim mapped above, so everyone Keycloak
# places in one of these groups becomes cluster-admin; keep the list
# deliberately short.
# NOTE(review): the binding name rewrites every character outside
# [a-zA-Z0-9-] to '-', so two groups differing only in such characters
# (e.g. 'ops_admins' vs 'ops-admins') collide on the same binding name and
# the later iteration presumably replaces the earlier group's subject.
- name: Create ClusterRoleBinding for OIDC admin groups
  loop: "{{ oidc_admin_groups }}"
  when: oidc_admin_groups | length > 0
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
      subjects:
        - kind: Group
          apiGroup: rbac.authorization.k8s.io
          name: "{{ item }}"
      roleRef:
        kind: ClusterRole
        apiGroup: rbac.authorization.k8s.io
        name: cluster-admin
# Summary of what was configured; printed only at -v or higher.
- name: Display post-configuration summary
  ansible.builtin.debug:
    verbosity: 1
    msg:
      - 'OpenShift OIDC configuration complete!'
      - ' Provider : {{ oidc_provider_name }}'
      - ' Issuer : {{ __sno_deploy_oidc_issuer }}'
      - ' Console : https://console-openshift-console.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}'
      - ' Login : https://oauth-openshift.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}'
      - ''
      - 'Note: OAuth pods are restarting — login may be unavailable for ~2 minutes.'