automate sso integration #50

Open
DanielFroehlich opened this issue Apr 27, 2024 · 1 comment


@DanielFroehlich

No description provided.

@rbo

rbo commented Apr 28, 2024

I have written an Ansible playbook that configures Keycloak (sso.coe) as an identity provider for an OpenShift cluster.

Here is my development version:
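---
# Register Keycloak (sso.coe) as an OpenID identity provider on an OpenShift
# cluster: one Keycloak client per realm (coe-sso, coe-sso-admin), the shared
# client secret in openshift-config, both identity providers on the cluster
# OAuth resource, and cluster-admin for the coe-sso-admin group.
- name: Configure Keycloak SSO for an OpenShift cluster
  hosts: localhost
  connection: local
  # No task below reads host facts.
  gather_facts: false
  # vars_files:
  #   - ../cluster.yml

  # Connection settings live here instead of being repeated in every task.
  # The "..." values are placeholders to be supplied from a vars file or -e;
  # real credentials do not belong in the playbook.
  vars:
    k8s_host: "https://api...:6443"
    k8s_api_key: "..."
    sso_url: "https://sso.coe..."
    sso_admin_user: admin
    sso_admin_password: "..."
    # false skips TLS verification for every Keycloak and cluster API call
    # below; switch to true once the certificates are trusted.
    verify_tls: false
    # Secret in openshift-config from which the identity providers read the
    # client secret.
    client_secret_name: openid-client-secret-coe-sso
    # ConfigMap in openshift-config holding the CA of the Keycloak
    # certificate; referenced here, created elsewhere.
    sso_ca_configmap: redhat-current-it-root-cas

  tasks:
    - name: Fetch cluster information - oauth url
      kubernetes.core.k8s_info:
        validate_certs: "{{ verify_tls }}"
        host: "{{ k8s_host }}"
        api_key: "{{ k8s_api_key }}"
        api_version: config.openshift.io/v1
        kind: Ingress
        name: cluster
      register: ingress_info

    - name: Derive the OAuth hostname and generate a client secret
      ansible.builtin.set_fact:
        # Resolves to null when the resource or its componentRoutes are
        # missing (the case on HCP), so the check below fails cleanly
        # instead of "first" erroring on an empty list.
        oauth_hostname: "{{ ingress_info.resources | community.general.json_query(oauth_url_query) | default('', true) }}"
        # Randomly generated. The previous version hashed the Ingress
        # document with to_uuid, which anyone able to read that resource
        # could reproduce. A new value on each run rotates Keycloak and the
        # k8s Secret together, because both consume this fact.
        client_secret: "{{ lookup('ansible.builtin.password', '/dev/null', length=32, chars=['ascii_letters', 'digits']) }}"
      no_log: true
      vars:
        oauth_url_query: "[0].status.componentRoutes[?name=='oauth-openshift'].defaultHostname | [0]"

    - name: Check oauth_hostname
      ansible.builtin.fail:
        msg: "Can not findout oauth url"
      when: oauth_hostname | length == 0

    # Same client_id and secret in both realms, so one k8s Secret serves
    # both identity providers.
    - name: Create clients
      community.general.keycloak_client:
        validate_certs: "{{ verify_tls }}"
        auth_keycloak_url: "{{ sso_url }}"
        auth_realm: master
        auth_username: "{{ sso_admin_user }}"
        auth_password: "{{ sso_admin_password }}"
        realm: "{{ item }}"
        client_id: "{{ oauth_hostname }}"
        secret: "{{ client_secret }}"
        name: "{{ oauth_hostname }}"
        redirect_uris:
          - "https://{{ oauth_hostname }}/oauth2callback/*"
        web_origins:
          - "https://{{ oauth_hostname }}/"
        public_client: false
        frontchannel_logout: true
        # Puts Keycloak group membership into the "groups" claim that the
        # identity providers below read.
        protocol_mappers:
          - name: groups
            protocol: openid-connect
            protocolMapper: oidc-group-membership-mapper
            consentRequired: false
            config:
              "full.path": false
              "userinfo.token.claim": false
              "multivalued": true
              "id.token.claim": true
              "access.token.claim": true
              "claim.name": groups
        state: present
      loop:
        - coe-sso
        - coe-sso-admin
      # The module result may echo the client secret; keep it out of the log.
      no_log: true
      delegate_to: localhost

    - name: Create clientSecret k8s secret
      kubernetes.core.k8s:
        validate_certs: "{{ verify_tls }}"
        host: "{{ k8s_host }}"
        api_key: "{{ k8s_api_key }}"
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          type: Opaque
          metadata:
            name: "{{ client_secret_name }}"
            namespace: openshift-config
          data:
            clientSecret: "{{ client_secret | b64encode }}"
      # The module result echoes the Secret data.
      no_log: true

    - name: Fetch oauth
      kubernetes.core.k8s_info:
        validate_certs: "{{ verify_tls }}"
        host: "{{ k8s_host }}"
        api_key: "{{ k8s_api_key }}"
        api_version: config.openshift.io/v1
        kind: OAuth
        name: cluster
      register: oauth_info

    - name: Build the identity provider definitions
      ansible.builtin.set_fact:
        # spec.identityProviders is absent on a cluster without providers;
        # json_query then returns null, which default() turns into [] so the
        # concatenation below does not fail.
        identity_providers: "{{ oauth_info.resources | community.general.json_query(ip_query) | default([], true) }}"
        ip_coe_sso: "{{ idp_common | combine({'name': 'COE-SSO', 'openID': idp_openid | combine({'issuer': sso_url ~ '/realms/coe-sso'})}) }}"
        ip_coe_sso_admin: "{{ idp_common | combine({'name': 'COE-SSO-Admin', 'openID': idp_openid | combine({'issuer': sso_url ~ '/realms/coe-sso-admin'})}) }}"
      vars:
        ip_query: "[0].spec.identityProviders"
        # Everything the two providers share; only name and issuer differ.
        idp_common:
          mappingMethod: add
          type: OpenID
        idp_openid:
          ca:
            name: "{{ sso_ca_configmap }}"
          claims:
            email:
              - email
            groups:
              - groups
            name:
              - name
            preferredUsername:
              - preferred_username
          clientID: "{{ oauth_hostname }}"
          clientSecret:
            name: "{{ client_secret_name }}"

    - name: Show existing identity providers
      ansible.builtin.debug:
        var: identity_providers

    - name: Merge the identity provider list
      ansible.builtin.set_fact:
        # Existing entries with the same names are dropped first, so
        # re-running the play replaces the two providers instead of
        # appending duplicates, which the OAuth resource is expected to
        # reject.
        final_identity_providers: "{{ [ip_coe_sso, ip_coe_sso_admin] + (identity_providers | rejectattr('name', 'in', [ip_coe_sso.name, ip_coe_sso_admin.name]) | list) }}"

    - name: Show resulting identity providers
      ansible.builtin.debug:
        var: final_identity_providers

    # Previously ran with ignore_errors: true. A failed patch must stop the
    # play, otherwise the cluster-admin binding below is created without
    # the identity provider that is supposed to feed it.
    - name: Patch oauth
      kubernetes.core.k8s:
        validate_certs: "{{ verify_tls }}"
        host: "{{ k8s_host }}"
        api_key: "{{ k8s_api_key }}"
        # JSON merge patch: the identityProviders list is replaced as a
        # whole by the merged list built above.
        merge_type: merge
        definition:
          apiVersion: config.openshift.io/v1
          kind: OAuth
          metadata:
            name: cluster
          spec:
            identityProviders: "{{ final_identity_providers }}"

    - name: Add cluster role
      kubernetes.core.k8s:
        validate_certs: "{{ verify_tls }}"
        host: "{{ k8s_host }}"
        api_key: "{{ k8s_api_key }}"
        definition:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: coe-sso-admin
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: cluster-admin
          subjects:
            # Members of a "coe-sso-admin" group arriving through the
            # "groups" claim become cluster-admin.
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: coe-sso-admin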
