Add hook file for federation configuration

openstack-k8s-operators · Jan 26, 2025 · 68d511e · 68d511e
1 parent c6ada1f
commit 68d511e
Showing 1 changed file with 92 additions and 0 deletions.
diff --git a/hooks/playbooks/OpenStackControlPlane-federationPatch.yaml b/hooks/playbooks/OpenStackControlPlane-federationPatch.yaml
@@ -0,0 +1,92 @@
+---
+- name: Create kustomization to update Keystone to use Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize keystone for Federation resources deployed in the control plane
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          - namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/tls/caBundleSecretName
+                value: keycloakca
+              - op: add
+                path: /spec/keystone/template/httpdCustomization
+                value:
+                  customConfigSecret: keystone-httpd-override
+              - op: add
+                path: /spec/keystone/template/customServiceConfig
+                value: |
+                  [federation]
+                  trusted_dashboard={{ .KeystoneEndpointPublic }}/dashboard/auth/websso/
+                  [openid]
+                  remote_id_attribute=HTTP_OIDC_ISS
+                  [auth]
+                  methods = password,token,oauth1,mapped,application_credential,openid
+
+    - name: Add Keycloak CA secret
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: keycloakca
+            namespace: "openstack"
+          data:
+            KeyCloakCA: "{{ keycloakCaCert }}"
+
+    - name: Create Keystone HTTPD override secret for Federation
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: keystone-httpd-override
+            namespace: openstack
+          type: Opaque
+          stringData:
+            federation.conf: |
+              OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
+              OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+              OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+              OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+              OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+              OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+              OIDCCacheType "{{ cifmw_keystone_OIDC_CacheType }}"
+              OIDCMemCacheServers "{{ cifmw_keystone_OIDC_MemCacheServers }}"
+              OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
+              OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
+              OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
+              OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+              OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
+              OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+              OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+              OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/auth">
+                AuthType oauth20
+                Require valid-user
+              </Location>
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>