Add passthrough route for keycloak

Author: xek

roles/federation/tasks/run_keycloak_setup.yml

@@ -86,18 +86,56 @@
         ADMIN_USERNAME: "{{ cifmw_federation_keycloak_admin_username | b64encode }}"
         ADMIN_PASSWORD: "{{ cifmw_federation_keycloak_admin_password | b64encode }}"
 
-- name: Read federation sso template
-  ansible.builtin.template:
-    src: sso.yaml.j2
-    dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}"
-    mode: "0644"
+- name: Install federation Keycloak instance
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: keycloak.org/v1alpha1
+      kind: Keycloak
+      metadata:
+        name: sso
+        namespace: "{{ cifmw_federation_keycloak_namespace }}"
+        labels:
+          app: sso
+      spec:
+        instances: 1
+        externalAccess:
+          enabled: true
 
-- name: Install federation sso pod
-  environment:
-    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
-    PATH: "{{ cifmw_path }}"
-  ansible.builtin.command:
-    cmd: "oc apply -n {{ cifmw_federation_keycloak_namespace }} -f {{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}"
+- name: Wait for Keycloak service to be created
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_version: v1
+    kind: Service
+    name: keycloak
+    namespace: "{{ cifmw_federation_keycloak_namespace }}"
+  register: keycloak_service
+  until: keycloak_service.resources | length > 0
+  retries: 30
+  delay: 10
+
+- name: Create Route for Keycloak
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: route.openshift.io/v1
+      kind: Route
+      metadata:
+        name: keycloak
+        namespace: "{{ cifmw_federation_keycloak_namespace }}"
+      spec:
+        host: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}"
+        port:
+          targetPort: 8443
+        tls:
+          termination: passthrough
+        to:
+          kind: Service
+          name: keycloak
+          weight: 100
+        wildcardPolicy: None
 
 - name: Grant privileged SCC to namespace default serviceaccount for Keycloak
   environment:
@@ -120,7 +158,7 @@
     block: |
       {{ hostvars['crc'].ansible_host }} api.crc.testing
       {{ hostvars['crc'].ansible_host }} oauth-openshift.apps-crc.testing
-      {{ hostvars['crc'].ansible_host }} keycloak-openstack.apps-crc.testing
+      {{ hostvars['crc'].ansible_host }} keycloak-{{ cifmw_federation_operator_namespace }}.{{ cifmw_federation_domain }}
   when: cifmw_federation_deploy_type == "crc"
 
 - name: Wait for SSO pod to be avalable