Add OIDC federation configuration on OSP17

The new configuration will be used to test OIDC adoption.

Author: xek

hooks/playbooks/federation-osp17-pre-deploy.yml

@@ -0,0 +1,23 @@
+---
+- name: Configure OSP 17.1 for OIDC federation (render env + Keystone setup)
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  vars:
+    _cloud_name: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: OSP 17.1 OIDC setup via federation role
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_osp17_oidc_setup.yml
+
+

roles/adoption_osp_deploy/tasks/deploy_overcloud.yml

@@ -62,6 +62,12 @@
         dest: "{{ _private_overcloud_conf_file }}"
         mode: "0644"
 
+    - name: Check if OIDC federation env file exists
+      delegate_to: "osp-undercloud-0"
+      ansible.builtin.stat:
+        path: "{{ ansible_user_dir }}/enable-federation-openidc.yaml"
+      register: _oidc_env_stat
+
     - name: Run overcloud deploy
       delegate_to: "osp-undercloud-0"
       vars:
@@ -72,6 +78,7 @@
           --roles-file {{ _roles_file_dest }}
           -n {{ _network_data_file_dest }}
           --ntp-server {{ cifmw_adoption_osp_deploy_ntp_server }}
+          {{ _oidc_env_stat.stat.exists | ternary('-e ' ~ ansible_user_dir ~ '/enable-federation-openidc.yaml', '') }}
           -e {{ _overcloud_vars }}
           -e {{ ansible_user_dir }}/containers-prepare-parameters.yaml
           -e {{ ansible_user_dir }}/config_download_{{ _overcloud_name }}.yaml

roles/federation/tasks/run_osp17_oidc_setup.yml

@@ -0,0 +1,95 @@
+---
+- name: Render enable-federation-openidc.yaml to undercloud
+  delegate_to: osp-undercloud-0
+  ansible.builtin.template:
+    src: "enable-federation-openidc.yaml.j2"
+    dest: "{{ ansible_user_dir }}/enable-federation-openidc.yaml"
+    mode: "0644"
+
+- name: Create federation mapping file on undercloud
+  delegate_to: osp-undercloud-0
+  ansible.builtin.copy:
+    dest: "{{ ansible_user_dir }}/mapping.json"
+    mode: "0644"
+    content: |
+      [
+        {
+          "local": [
+            {
+              "user": {"name": "{0}"},
+              "group": {
+                "domain": {"name": "{{ cifmw_federation_domain }}"},
+                "name": "{{ cifmw_federation_group_name }}"
+              }
+            }
+          ],
+          "remote": [
+            {"type": "OIDC-preferred_username"}
+          ]
+        }
+      ]
+
+- name: Ensure federation domain exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack domain show {{ cifmw_federation_domain }} >/dev/null 2>&1 || \
+    openstack domain create {{ cifmw_federation_domain }}
+
+- name: Ensure identity provider exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    IDP_URL="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}"
+    openstack identity provider show {{ cifmw_federation_IdpName }} >/dev/null 2>&1 || \
+    openstack identity provider create --remote-id ${IDP_URL} --domain {{ cifmw_federation_domain }} {{ cifmw_federation_IdpName }}
+
+- name: Ensure mapping exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack mapping show {{ cifmw_federation_mapping_name }} >/dev/null 2>&1 || \
+    openstack mapping create --rules {{ ansible_user_dir }}/mapping.json {{ cifmw_federation_mapping_name }}
+
+- name: Ensure federated group exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack group show {{ cifmw_federation_group_name }} --domain {{ cifmw_federation_domain }} >/dev/null 2>&1 || \
+    openstack group create --domain {{ cifmw_federation_domain }} {{ cifmw_federation_group_name }}
+
+- name: Ensure project exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack project show {{ cifmw_federation_project_name }} --domain {{ cifmw_federation_domain }} >/dev/null 2>&1 || \
+    openstack project create --domain {{ cifmw_federation_domain }} {{ cifmw_federation_project_name }}
+
+- name: Ensure role binding exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack role add --group {{ cifmw_federation_group_name }} --group-domain {{ cifmw_federation_domain }} --project {{ cifmw_federation_project_name }} --project-domain {{ cifmw_federation_domain }} member || true
+
+- name: Ensure federation protocol exists (OSP 17.1)
+  delegate_to: osp-undercloud-0
+  environment:
+    OS_CLOUD: "{{ cifmw_adoption_osp_deploy_scenario.stacks[0].stackname | default('overcloud') }}"
+  ansible.builtin.shell: |
+    set -e
+    openstack federation protocol show openid --identity-provider {{ cifmw_federation_IdpName }} >/dev/null 2>&1 || \
+    openstack federation protocol create openid --mapping {{ cifmw_federation_mapping_name }} --identity-provider {{ cifmw_federation_IdpName }}
+
+

roles/federation/templates/enable-federation-openidc.yaml.j2

@@ -0,0 +1,10 @@
+parameter_defaults:
+  KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid
+  KeystoneOpenIdcClientId: {{ cifmw_keystone_OIDC_ClientID | quote }}
+  KeystoneOpenIdcClientSecret: {{ cifmw_keystone_OIDC_ClientSecret | quote }}
+  KeystoneOpenIdcCryptoPassphrase: {{ cifmw_keystone_OIDC_CryptoPassphrase | default('openstack') | quote }}
+  KeystoneOpenIdcIdpName: {{ cifmw_keystone_OIDC_provider_name | default('kcIDP') | quote }}
+  KeystoneOpenIdcIntrospectionEndpoint: {{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint | quote }}
+  KeystoneOpenIdcProviderMetadataUrl: {{ cifmw_keystone_OIDC_ProviderMetadataURL | quote }}
+  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS
+