Add support for multiple IdP providers in Federation

jagee · jagee · commit eda4b8f7ee51 · 2025-05-20T18:10:43.000-04:00
This patch will setup two realms in keycloak. Keystone will be configured to work with these two realms as different IdPs. Each realm will get its own mapping in openstack. It will also enable these two IdP choices to the horizon UI. Jira: https://issues.redhat.com/browse/OSPRH-14033
diff --git a/hooks/playbooks/federation-multirealm-controlplane-config.yml b/hooks/playbooks/federation-multirealm-controlplane-config.yml
@@ -0,0 +1,201 @@
+---
+- name: Create kustomization to update Keystone to use MultiRealm Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Create file to customize keystone for IPA deployed in the control plane
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_multirealm_federation.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          - namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/keystone/template/extraMounts
+                value:
+                  - name: v1
+                    region: r1
+                    extraVol:
+                      - propagation:
+                        - Keystone
+                        extraVolType: Conf
+                        volumes:
+                        - name: keystone-OIDCMetadataDir
+                          secret: keystone-OIDCMetadataDir
+                        mounts:
+                        - name: keystone-OIDCMetadataDir
+                          mountPath: "/etc/keystone/OIDCMetadataDir"
+                          readOnly: true
+              - op: add
+                path: /spec/keystone/template/customServiceConfig
+                value: |
+                  [DEFAULT]
+                  insecure_debug=true
+                  debug=true
+                  [federation]
+                  trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
+                  sso_callback_template=/etc/keystone/sso_callback_template.html
+                  [openid]
+                  remote_id_attribute=HTTP_OIDC_ISS
+                  [auth]
+                  methods = password,token,oauth1,mapped,application_credential,openid
+        mode: "0644"
+
+    - name: Get ingress operator CA cert
+      ansible.builtin.slurp:
+        src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}"
+      register: federation_sso_ca
+
+    - name: Add Keycloak CA secret
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: keycloakca
+            namespace: "openstack"
+          data:
+            KeyCloakCA: "{{ federation_sso_ca.content }}"
+
+    - name: Create Keystone httpd override secret for Federation
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: keystone-httpd-override
+            namespace: openstack
+          type: Opaque
+          stringData:
+            federation.conf: |
+              OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
+              OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+              OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+              OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+              OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+              OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+              OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+              OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+              OIDCMetadataDir "/etc/keystone/OIDCMetadataDir"
+              OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/redirect_uri"
+              LogLevel debug
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/auth">
+                AuthType oauth20
+                Require valid-user
+              </Location>
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name2 }}/protocols/openid/websso">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name2 }}/protocols/openid/auth">
+                AuthType oauth20
+                Require valid-user
+              </Location>
+
+              <Location ~ "/redirect_uri">
+                Require valid-user
+                AuthType openid-connect
+              </Location>
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+    - name: Set Keystone metadata config key names
+      ansible.builtin.set_fact:
+        keystone_idp1_conf_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name }}.conf"
+        keystone_idp1_client_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name }}.client"
+        keystone_idp1_provider_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name }}.provider"
+        keystone_idp2_conf_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name2 }}.conf"
+        keystone_idp2_client_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name2 }}.client"
+        keystone_idp2_provider_key: "keycloak-openstack.apps-crc.testing%2Fauth%2Frealms%2F{{ cifmw_keystone_OIDC_provider_name2 }}.provider"
+
+    - name: Download realm1 OpenID configuration
+      ansible.builtin.uri:
+        url: "{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_keystone_OIDC_provider_name }}/.well-known/openid-configuration"
+        method: GET
+        return_content: true
+        validate_certs: false
+      register: openid_wellknow_config1
+
+    - name: Download realm2 OpenID configuration
+      ansible.builtin.uri:
+        url: "{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_keystone_OIDC_provider_name2 }}/.well-known/openid-configuration"
+        method: GET
+        return_content: true
+        validate_certs: false
+      register: openid_wellknow_config2
+
+    - name: Create Keystone domain config secret for LDAP
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: keystone-OIDCMetadataDir
+            namespace: openstack
+          type: Opaque
+          stringData: "{{ {keystone_idp1_conf_key: keystone_idp1_conf_content,
+            keystone_idp1_client_key: keystone_idp1_client_content,
+            keystone_idp1_provider_key: keystone_idp1_provider_content,
+            keystone_idp2_conf_key: keystone_idp2_conf_content,
+            keystone_idp2_client_key: keystone_idp2_client_content,
+            keystone_idp2_provider_key: keystone_idp2_provider_content} }}"
+      vars:
+        keystone_idp1_conf_content: |
+          {
+            "scope" : "openid email profile"
+          }
+        keystone_idp1_client_content: |
+          {
+            "client_id":"{{ cifmw_keystone_OIDC_OAuthClientID }}",
+            "client_secret":"{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+          }
+        keystone_idp1_provider_content: |
+          {{ openid_wellknow_config1.content }}
+        keystone_idp1_conf_content: |
+          {
+            "scope" : "openid email profile"
+          }
+        keystone_idp1_client_content: |
+          {
+            "client_id":"{{ cifmw_keystone_OIDC_OAuthClientID }}",
+            "client_secret":"{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+          }
+        keystone_idp1_provider_content: |
+          {{ openid_wellknow_config2.content }}
