automate sso integration #50
I have written an Ansible playbook to configure Keycloak (sso.coe) for an OpenShift cluster. Here is my development version:

- hosts: localhost
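# Play body for the "- hosts: localhost" item above: every task is an API call to OpenShift or Keycloak made from the controller.
  connection: local
  # No facts are needed; nothing below reads them.
  gather_facts: false
  # vars_files:
  #   - ../cluster.yml
  vars:
    # Connection details and credentials are intentionally NOT in this file.
    # Provide them from an Ansible Vault file (or -e), e.g.:
    #   openshift_api_host: https://api.<cluster>:6443
    #   openshift_api_key: <token>
    #   keycloak_url: https://sso.coe.<domain>
    #   keycloak_admin_password: <password>
    #   keycloak_client_secret: <optional; generated at random when unset>
    openshift_validate_certs: false  # TODO: ship the API server CA and set to true
    keycloak_validate_certs: false   # TODO: same for the Keycloak endpoint
    # Name of the Secret in openshift-config that both identity providers reference.
    k8s_secret_name: openid-client-secret-coe-sso
    # Realms that receive a client; each is also registered as an identity provider.
    sso_realms:
      - coe-sso
      - coe-sso-admin
  module_defaults:
    # Shared by every kubernetes.core.k8s* task below instead of repeating it per task.
    group/kubernetes.core.k8s:
      host: "{{ openshift_api_host }}"
      api_key: "{{ openshift_api_key }}"
      validate_certs: "{{ openshift_validate_certs }}"
  tasks:
    # On HCP status.componentRoutes is empty, so the query yields no hostname
    # and the check task below stops the play.
    - name: Fetch cluster information - oauth url
      kubernetes.core.k8s_info:
        api_version: "config.openshift.io/v1"
        kind: "Ingress"
        name: "cluster"
      register: ff

    - name: Derive OAuth hostname and client secret
      ansible.builtin.set_fact:
        # default('') turns an empty query result into '' instead of an undefined-variable error.
        oauth_hostname: "{{ ff.resources | first | community.general.json_query(oauth_url_query) | first | default('') }}"
        # A random secret. The previous version derived it with to_uuid from the
        # Ingress resource, i.e. a deterministic hash of data any cluster reader
        # can fetch. Set keycloak_client_secret (vaulted) to keep it stable across runs.
        client_secret: "{{ keycloak_client_secret | default(lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters', 'digits'], length=32), true) }}"
      vars:
        oauth_url_query: "status.componentRoutes[?name=='oauth-openshift'].defaultHostname"
      # Keeps the generated secret out of verbose output.
      no_log: true

    - name: Check oauth_hostname
      ansible.builtin.fail:
        msg: "Can not findout oauth url"
      when: oauth_hostname | length == 0

    # One client per realm, all sharing the same client id and secret.
    - name: Create clients
      community.general.keycloak_client:
        validate_certs: "{{ keycloak_validate_certs }}"
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: admin
        auth_password: "{{ keycloak_admin_password }}"
        realm: "{{ item }}"
        client_id: "{{ oauth_hostname }}"
        secret: "{{ client_secret }}"
        name: "{{ oauth_hostname }}"
        redirect_uris:
          - "https://{{ oauth_hostname }}/oauth2callback/*"
        web_origins:
          - "https://{{ oauth_hostname }}/"
        public_client: false
        frontchannel_logout: true
        # Exposes Keycloak group membership as a "groups" claim; OpenShift maps it below.
        protocol_mappers:
          - name: "groups"
            protocol: "openid-connect"
            protocolMapper: "oidc-group-membership-mapper"
            consentRequired: false
            config:
              "full.path": false
              "userinfo.token.claim": false
              "multivalued": true
              "id.token.claim": true
              "access.token.claim": true
              "claim.name": groups
        state: present
      loop: "{{ sso_realms }}"

    - name: Create clientSecret k8s secret
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          type: Opaque
          metadata:
            name: "{{ k8s_secret_name }}"
            namespace: "openshift-config"
          data:
            clientSecret: "{{ client_secret | b64encode }}"
      # The module echoes the created resource, secret data included.
      no_log: true

    - name: Fetch oauth
      kubernetes.core.k8s_info:
        api_version: "config.openshift.io/v1"
        kind: "OAuth"
        name: "cluster"
      register: oauth_cluster

    - name: Build identity provider definitions
      ansible.builtin.set_fact:
        # default([], true) covers an OAuth spec without identityProviders, so no
        # separate "reset to []" task is needed.
        identity_providers: "{{ oauth_cluster.resources | first | community.general.json_query(ip_query) | default([], true) }}"
        ip_coe_sso:
          mappingMethod: add
          name: COE-SSO
          openID:
            ca:
              # ConfigMap in openshift-config with the Keycloak CA; not created by this play.
              name: redhat-current-it-root-cas
            claims:
              email:
                - email
              groups:
                - groups
              name:
                - name
              preferredUsername:
                - preferred_username
            clientID: "{{ oauth_hostname }}"
            clientSecret:
              name: "{{ k8s_secret_name }}"
            # NOTE(review): assumes the issuer base is the same URL as auth_keycloak_url - confirm.
            issuer: "{{ keycloak_url }}/realms/coe-sso"
          type: OpenID
        ip_coe_sso_admin:
          mappingMethod: add
          name: COE-SSO-Admin
          openID:
            ca:
              name: redhat-current-it-root-cas
            claims:
              email:
                - email
              groups:
                - groups
              name:
                - name
              preferredUsername:
                - preferred_username
            clientID: "{{ oauth_hostname }}"
            clientSecret:
              name: "{{ k8s_secret_name }}"
            issuer: "{{ keycloak_url }}/realms/coe-sso-admin"
          type: OpenID
      vars:
        ip_query: "spec.identityProviders"

    - name: Compose final identity provider list
      ansible.builtin.set_fact:
        # Existing COE-SSO entries are dropped before prepending the fresh ones, so
        # re-running the play replaces them instead of appending duplicates.
        final_identity_providers: >-
          {{ [ip_coe_sso, ip_coe_sso_admin]
             + (identity_providers | rejectattr('name', 'in', [ip_coe_sso.name, ip_coe_sso_admin.name]) | list) }}

    - ansible.builtin.debug:
        var: final_identity_providers

    # No ignore_errors here: a failed patch must stop the play before the
    # cluster-admin binding below is created.
    - name: Patch oauth
      kubernetes.core.k8s:
        # A JSON merge patch replaces the whole list, hence the full list is sent.
        merge_type: merge
        definition:
          apiVersion: "config.openshift.io/v1"
          kind: "OAuth"
          metadata:
            name: "cluster"
          spec:
            identityProviders: "{{ final_identity_providers }}"

    # Membership in the Keycloak group "coe-sso-admin" becomes cluster-admin.
    # Both identity providers forward the groups claim, so a group of that name in
    # either realm appears to satisfy this binding - confirm and keep membership tight.
    - name: Add cluster role
      kubernetes.core.k8s:
        definition:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: coe-sso-admin
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: cluster-admin
          subjects:
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: coe-sso-admin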