diff --git a/hooks/playbooks/federation-controlplane-config.yml b/hooks/playbooks/federation-controlplane-config.yml index afaad2c767..1ec734dc65 100644 --- a/hooks/playbooks/federation-controlplane-config.yml +++ b/hooks/playbooks/federation-controlplane-config.yml @@ -2,20 +2,21 @@ - name: Create kustomization to update Keystone to use Federation hosts: "{{ cifmw_target_hook_host | default('localhost') }}" tasks: - - name: Set urls for install type uni + - name: Read uni vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab' + cifmw_federation_domain: "apps.ocp.openstack.lab" when: cifmw_federation_deploy_type == "uni" - - name: Set urls for install type crc + - name: Read crc vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing' + cifmw_federation_domain: "apps-crc.testing" when: cifmw_federation_deploy_type == "crc" + - name: Read all vars from federation role + ansible.builtin.import_role: + name: federation + vars_from: all-vars.yml + - name: Create file to customize keystone for Federation resources deployed in the control plane ansible.builtin.copy: dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml" @@ -23,7 +24,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace: {{ namespace }} + - namespace: {{ cifmw_federation_run_osp_cmd_namespace }} patches: - target: kind: OpenStackControlPlane 
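Review bot: The two `set_fact` tasks plus `import_role` with `vars_from: all-vars.yml` at the top of this hunk are repeated verbatim in the horizon, multirealm, post-deploy and pre-deploy playbooks of this same commit; a single role tasks file would give one place to maintain the deploy-type to domain mapping. When `cifmw_federation_deploy_type` is neither `uni` nor `crc`, `cifmw_federation_domain` stays undefined and the failure only surfaces later as an undefined-variable error inside whatever `all-vars.yml` derives from it, so an `ansible.builtin.assert` with `that: cifmw_federation_deploy_type in ['uni', 'crc']` placed before the import would fail with a message that names the actual cause. The play's `tasks:` list continues past the end of the hunk.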
@@ -47,7 +48,6 @@ debug=true [federation] trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/ - sso_callback_template=/etc/keystone/sso_callback_template.html [openid] remote_id_attribute=HTTP_OIDC_ISS [auth] @@ -69,7 +69,7 @@ type: Opaque metadata: name: keycloakca - namespace: "openstack" + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" data: KeyCloakCA: "{{ federation_sso_ca.content }}" 
@@ -82,32 +82,32 @@ kind: Secret metadata: name: keystone-httpd-override - namespace: openstack + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" type: Opaque stringData: federation.conf: | - OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}" - OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}" - OIDCScope "{{ cifmw_keystone_OIDC_Scope }}" - OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}" - OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}" - OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}" - OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}" - OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}" - OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}" - OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}" - OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}" - OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}" - OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}" - OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso/" + OIDCClaimPrefix "{{ cifmw_federation_keystone_OIDC_ClaimPrefix }}" + OIDCResponseType "{{ cifmw_federation_keystone_OIDC_ResponseType }}" + OIDCScope "{{ cifmw_federation_keystone_OIDC_Scope }}" + OIDCClaimDelimiter "{{ cifmw_federation_keystone_OIDC_ClaimDelimiter }}" + OIDCPassUserInfoAs "{{ cifmw_federation_keystone_OIDC_PassUserInfoAs }}" + OIDCPassClaimsAs "{{ cifmw_federation_keystone_OIDC_PassClaimsAs }}" + OIDCProviderMetadataURL "{{ cifmw_federation_keystone_OIDC_ProviderMetadataURL }}" + OIDCClientID "{{ cifmw_federation_keystone_OIDC_ClientID }}" + OIDCClientSecret "{{ cifmw_federation_keystone_OIDC_ClientSecret }}" + OIDCCryptoPassphrase "{{ cifmw_federation_keystone_OIDC_CryptoPassphrase }}" + OIDCOAuthClientID "{{ cifmw_federation_keystone_OIDC_ClientID }}" + OIDCOAuthClientSecret "{{ 
cifmw_federation_keystone_OIDC_ClientSecret }}" + OIDCOAuthIntrospectionEndpoint "{{ cifmw_federation_keystone_OIDC_OAuthIntrospectionEndpoint }}" + OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/websso/" LogLevel debug - + AuthType "openid-connect" Require valid-user - + AuthType oauth20 Require valid-user diff --git a/hooks/playbooks/federation-horizon-controlplane-config.yml b/hooks/playbooks/federation-horizon-controlplane-config.yml index f363fb21e2..b2cda37faf 100644 --- a/hooks/playbooks/federation-horizon-controlplane-config.yml +++ b/hooks/playbooks/federation-horizon-controlplane-config.yml 
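Review bot: The rewritten `federation.conf` still embeds `OIDCClientSecret` and `OIDCCryptoPassphrase`, and the `kubernetes.core.k8s` task that creates the `keystone-httpd-override` Secret starts above the hunk; unless it already carries `no_log: true` there, the fully rendered definition, secrets included, is printed on failure or at higher verbosity. The hunk also switches `OIDCOAuthClientID`/`OIDCOAuthClientSecret` from the dedicated `cifmw_keystone_OIDC_OAuthClientID`/`cifmw_keystone_OIDC_OAuthClientSecret` variables to the login client's `cifmw_federation_keystone_OIDC_ClientID`/`cifmw_federation_keystone_OIDC_ClientSecret`, which merges two previously separate credentials; if that is intended, a one-line comment such as `# token introspection reuses the websso client credentials` would save the next reader a check. `LogLevel debug` on the OIDC module can write session and claim data to the httpd log; fine for CI, but worth a comment marking it as a test-only setting.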
@@ -2,20 +2,32 @@ - name: Create kustomization to update Horizon to use Federation hosts: "{{ cifmw_target_hook_host | default('localhost') }}" tasks: - - name: Set urls for install type uni + - name: Read uni vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab' + cifmw_federation_domain: "apps.ocp.openstack.lab" when: cifmw_federation_deploy_type == "uni" - - name: Set urls for install type crc + - name: Read crc vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing' + cifmw_federation_domain: "apps-crc.testing" when: cifmw_federation_deploy_type == "crc" + - name: Read all vars from federation role + ansible.builtin.import_role: + name: federation + vars_from: all-vars.yml + + - name: Set websso settings for single IdP + ansible.builtin.set_fact: + cifmw_federation_websso_choices: '("OIDC", _("OpenID Connect")),' + cifmw_federation_websso_idp_mapping: '"OIDC": ("{{ cifmw_federation_IdpName }}", "openid"),' + + - name: Set websso settings for multiple IdP + ansible.builtin.set_fact: + cifmw_federation_websso_choices: '("OIDC1", _("OpenID Connect IdP1")),("OIDC2", _("OpenID Connect IdP2")),' + cifmw_federation_websso_idp_mapping: '"OIDC1": ("{{ cifmw_federation_IdpName }}", "openid"),"OIDC2": ("{{ cifmw_federation_IdpName2 }}", "openid"),' + when: cifmw_federation_deploy_multirealm is true + - name: Create file to customize horizon for Federation resources deployed in the control plane ansible.builtin.copy: dest: "{{ cifmw_basedir 
}}/artifacts/manifests/kustomizations/controlplane/horizon_federation.yaml" @@ -43,8 +55,8 @@ WEBSSO_ENABLED = True WEBSSO_CHOICES = ( ("credentials", _("Keystone Credentials")), - ("OIDC", _("OpenID Connect")), + {{ cifmw_federation_websso_choices }} ) WEBSSO_IDP_MAPPING = { - "OIDC": ("{{ cifmw_keystone_OIDC_provider_name }}", "openid"), + {{ cifmw_federation_websso_idp_mapping }} } diff --git a/hooks/playbooks/federation-multirealm-controlplane-config.yml b/hooks/playbooks/federation-multirealm-controlplane-config.yml new file mode 100644 index 0000000000..ad215b13dc --- /dev/null +++ b/hooks/playbooks/federation-multirealm-controlplane-config.yml 
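Review bot: `when: cifmw_federation_deploy_multirealm is true` in the "Set websso settings for multiple IdP" task is Jinja's identity test, so it is satisfied only by a real boolean; a value supplied as the string `"true"` (for example via `-e`) silently keeps the single-IdP settings, and an unset variable raises an undefined-variable error instead of falling back to single realm. `when: cifmw_federation_deploy_multirealm | default(false) | bool` covers both cases; the same `is true` form appears in the post-deploy and pre-deploy hunks of this commit. The two multi-IdP strings pack both tuples onto one line each and are spliced verbatim into the Python settings in the next hunk; a `>-` folded scalar with one entry per line would keep both the task and the generated `WEBSSO_CHOICES` readable.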
@@ -0,0 +1,203 @@ +--- +- name: Create kustomization to update Keystone to use MultiRealm Federation + hosts: "{{ cifmw_target_hook_host | default('localhost') }}" + tasks: + - name: Read uni vars from federation role + ansible.builtin.set_fact: + cifmw_federation_domain: "apps.ocp.openstack.lab" + when: cifmw_federation_deploy_type == "uni" + + - name: Read crc vars from federation role + ansible.builtin.set_fact: + cifmw_federation_domain: "apps-crc.testing" + when: cifmw_federation_deploy_type == "crc" + + - name: Read all vars from federation role + ansible.builtin.import_role: + name: federation + vars_from: all-vars.yml + + - name: Create file to customize keystone for IPA deployed in the control plane + ansible.builtin.copy: + dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_multirealm_federation.yaml" + content: |- + apiVersion: kustomize.config.k8s.io/v1beta1 + kind: Kustomization + resources: + - namespace: {{ cifmw_federation_run_osp_cmd_namespace }} + patches: + - target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: add + path: /spec/tls + value: {} + - op: add + path: /spec/tls/caBundleSecretName + value: keycloakca + - op: add + path: /spec/keystone/template/httpdCustomization + value: + customConfigSecret: keystone-httpd-override + - op: add + path: /spec/keystone/template/federatedRealmConfig + value: federation-realm-data + - op: add + path: /spec/keystone/template/customServiceConfig + value: | + [DEFAULT] + insecure_debug=true + debug=true + [federation] + trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/ + [openid] + remote_id_attribute=HTTP_OIDC_ISS + [auth] + methods = password,token,oauth1,mapped,application_credential,openid + mode: "0644" + + - name: Get ingress operator CA cert + ansible.builtin.slurp: + src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}" + register: federation_sso_ca + + - name: Add Keycloak CA 
secret + kubernetes.core.k8s: + kubeconfig: "{{ cifmw_openshift_kubeconfig }}" + state: present + definition: + apiVersion: v1 + kind: Secret + type: Opaque + metadata: + name: keycloakca + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + data: + KeyCloakCA: "{{ federation_sso_ca.content }}" + + - name: Create Keystone httpd override secret for Federation + kubernetes.core.k8s: + kubeconfig: "{{ cifmw_openshift_kubeconfig }}" + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: keystone-httpd-override + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + type: Opaque + stringData: + federation.conf: | + OIDCClaimPrefix "{{ cifmw_federation_keystone_OIDC_ClaimPrefix }}" + OIDCResponseType "{{ cifmw_federation_keystone_OIDC_ResponseType }}" + OIDCScope "{{ cifmw_federation_keystone_OIDC_Scope }}" + OIDCClaimDelimiter "{{ cifmw_federation_keystone_OIDC_ClaimDelimiter }}" + OIDCPassUserInfoAs "{{ cifmw_federation_keystone_OIDC_PassUserInfoAs }}" + OIDCPassClaimsAs "{{ cifmw_federation_keystone_OIDC_PassClaimsAs }}" + OIDCCryptoPassphrase "{{ cifmw_federation_keystone_OIDC_CryptoPassphrase }}" + OIDCMetadataDir "/etc/httpd/conf/" + OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/redirect_uri" + LogLevel debug + + + AuthType "openid-connect" + Require valid-user + + + + AuthType oauth20 + Require valid-user + + + + AuthType "openid-connect" + Require valid-user + + + + AuthType oauth20 + Require valid-user + + + + Require valid-user + AuthType openid-connect + + + + AuthType "openid-connect" + Require valid-user + + + - name: Download realm1 OpenID configuration + ansible.builtin.uri: + url: "{{ cifmw_federation_keystone_OIDC_ProviderMetadataURL }}" + method: GET + return_content: true + validate_certs: false + register: openid_wellknown_config1 + + - name: Download realm2 OpenID configuration + ansible.builtin.uri: + url: "{{ cifmw_federation_keystone_OIDC_ProviderMetadataURL2 }}" + method: GET + return_content: 
true + validate_certs: false + register: openid_wellknown_config2 + + - name: Set federation_config_items + ansible.builtin.set_fact: + federation_config_items: + - filename: "{{ cifmw_federation_keystone_idp1_conf_filename }}" + contents: | + { + "scope" : "openid email profile" + } + - filename: "{{ cifmw_federation_keystone_idp1_client_filename }}" + contents: "{{ {'client_id': cifmw_federation_keystone_OIDC_ClientID, 'client_secret': cifmw_federation_keystone_OIDC_ClientSecret } | to_json }}" + - filename: "{{ cifmw_federation_keystone_idp1_provider_filename }}" + contents: | + {{ openid_wellknown_config1.content }} + - filename: "{{ cifmw_federation_keystone_idp2_conf_filename }}" + contents: | + { + "scope" : "openid email profile" + } + - filename: "{{ cifmw_federation_keystone_idp2_client_filename }}" + contents: "{{ {'client_id': cifmw_federation_keystone_OIDC_ClientID2, 'client_secret': cifmw_federation_keystone_OIDC_ClientSecret2 } | to_json }}" + - filename: "{{ cifmw_federation_keystone_idp2_provider_filename }}" + contents: | + {{ openid_wellknown_config2.content }} + + - name: Generate the final federation_config.json string (as a dictionary) + ansible.builtin.set_fact: + _raw_federation_config_json_value: | + { + {% for item in federation_config_items %} + "{{ item.filename }}": {{ item.contents }}{% if not loop.last %},{% endif %} + {% endfor %} + } + + # IMPORTANT FIX: Apply `to_json` one final time to the _raw_federation_config_json_value + # to ensure it's a single, valid JSON string for stringData. 
+ - name: Final JSON string for Secret stringData + ansible.builtin.set_fact: + federation_config_json_string: "{{ _raw_federation_config_json_value }}" + + - name: Print the generated JSON string for verification + ansible.builtin.debug: + var: federation_config_json_string + + - name: Create a Kubernetes Secret with federation metadata + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: Opaque + metadata: + name: federation-realm-data + namespace: openstack + stringData: + federation-config.json: "{{ federation_config_json_string }}" diff --git a/hooks/playbooks/federation-post-deploy.yml b/hooks/playbooks/federation-post-deploy.yml index bcd45e7754..aab6ed0af8 100644 --- a/hooks/playbooks/federation-post-deploy.yml +++ b/hooks/playbooks/federation-post-deploy.yml 
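Review bot: The task "Print the generated JSON string for verification" writes `federation_config_json_string` to the play output, and that string embeds `client_secret` for both realms (built from `cifmw_federation_keystone_OIDC_ClientSecret` and `cifmw_federation_keystone_OIDC_ClientSecret2` via `to_json`), so the secrets land in CI logs; drop the debug task, or set `no_log: true` on it and on the two `set_fact` tasks that hold the value. The two `ansible.builtin.uri` downloads of the provider metadata use `validate_certs: false`, although the same play already has the ingress CA on disk as `ingress-operator-ca.crt`; pointing `ca_path` at that file verifies the document that tells Keystone which issuer and endpoints to trust instead of disabling verification. The final `federation-realm-data` Secret hard-codes `namespace: openstack` and passes no `kubeconfig`, unlike the two earlier `kubernetes.core.k8s` tasks in this file, which use `{{ cifmw_federation_run_osp_cmd_namespace }}` and `{{ cifmw_openshift_kubeconfig }}`. The comment `# IMPORTANT FIX: Apply to_json one final time ...` no longer matches the task below it, which copies `_raw_federation_config_json_value` through unchanged; either apply the filter or reword the comment.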
@@ -18,26 +18,61 @@ hosts: "{{ cifmw_target_host | default('localhost') }}" gather_facts: true tasks: - - name: Set urls for install type uni + - name: Read uni vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab' + cifmw_federation_domain: "apps.ocp.openstack.lab" when: cifmw_federation_deploy_type == "uni" - - name: Set urls for install type crc + - name: Read crc vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing' + cifmw_federation_domain: "apps-crc.testing" when: cifmw_federation_deploy_type == "crc" + - name: Read all vars from federation role + ansible.builtin.import_role: + name: federation + vars_from: all-vars.yml + - name: Run federation setup on OSP ansible.builtin.import_role: name: federation tasks_from: run_openstack_setup.yml - - name: Run federation OSP User Auth test + - name: Run federation setup for OSP for second realm + ansible.builtin.import_role: + name: federation + tasks_from: run_openstack_setup.yml + vars: + cifmw_federation_keystone_domain: "{{ cifmw_federation_keystone_domain2 }}" + cifmw_federation_remote_id: "{{ cifmw_federation_remote_id2 }}" + cifmw_federation_IdpName: "{{ cifmw_federation_IdpName2 }}" + cifmw_federation_mapping_name: "{{ cifmw_federation_mapping_name2 }}" + cifmw_federation_group_name: "{{ cifmw_federation_group_name2 }}" + cifmw_federation_project_name: "{{ cifmw_federation_project_name2 }}" + when: cifmw_federation_deploy_multirealm is true + + - name: Run federation OSP User Auth setup ansible.builtin.import_role: + 
name: federation + tasks_from: run_openstack_auth_setup.yml + + - name: Run federation OSP User Auth test for first realm + ansible.builtin.include_role: + name: federation + tasks_from: run_openstack_auth_test.yml + vars: + cifmw_federation_keycloak_testuser_username: "{{ item }}" + loop: + - "{{ cifmw_federation_keycloak_testuser1_username }}" + - "{{ cifmw_federation_keycloak_testuser2_username }}" + + - name: Run federation OSP User Auth test for second realm + ansible.builtin.include_role: name: federation tasks_from: run_openstack_auth_test.yml + vars: + cifmw_federation_keycloak_testuser_username: "{{ item }}" + loop: + - "{{ cifmw_federation_keycloak_testuser3_username }}" + - "{{ cifmw_federation_keycloak_testuser4_username }}" + when: cifmw_federation_deploy_multirealm is true diff --git a/hooks/playbooks/federation-pre-deploy.yml b/hooks/playbooks/federation-pre-deploy.yml index 791c48624c..86ae26ba97 100644 --- a/hooks/playbooks/federation-pre-deploy.yml +++ b/hooks/playbooks/federation-pre-deploy.yml 
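Review bot: The second-realm auth test at the end of the hunk overrides only `cifmw_federation_keycloak_testuser_username`, whereas the second-realm setup task above it also overrides `cifmw_federation_project_name` and `cifmw_federation_keystone_domain`; `run_openstack_auth_test.yml` in this same diff asserts `cifmw_federation_project_name in federation_sso_ssoproject_json.name`, so for realm two it compares against realm one's project name and, given the substring test, may pass or fail for the wrong reason. Adding `cifmw_federation_project_name: "{{ cifmw_federation_project_name2 }}"` (and the domain, if the realm-2 cloudrc templates depend on it) to that task's `vars:` keeps the check meaningful. The setup tasks use `import_role` while the tests use `include_role`; a short comment noting that `include_role` is required for the `loop:` would explain the mix.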
@@ -18,20 +18,21 @@ hosts: "{{ cifmw_target_host | default('localhost') }}" gather_facts: true tasks: - - name: Set urls for install type uni + - name: Read uni vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab' + cifmw_federation_domain: "apps.ocp.openstack.lab" when: cifmw_federation_deploy_type == "uni" - - name: Set urls for install type crc + - name: Read crc vars from federation role ansible.builtin.set_fact: - cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing' - cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing' - cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing' + cifmw_federation_domain: "apps-crc.testing" when: cifmw_federation_deploy_type == "crc" + - name: Read all vars from federation role + ansible.builtin.import_role: + name: federation + vars_from: all-vars.yml + - name: Run SSO pod setup on Openshift ansible.builtin.import_role: name: federation 
@@ -41,3 +42,18 @@ ansible.builtin.import_role: name: federation tasks_from: run_keycloak_realm_setup.yml + + - name: Run SSO second realm setup for OSP + ansible.builtin.import_role: + name: federation + tasks_from: run_keycloak_realm_setup.yml + vars: + cifmw_federation_keycloak_realm: '{{ cifmw_federation_keycloak_realm2 }}' + cifmw_federation_keycloak_testuser1_username: '{{ cifmw_federation_keycloak_testuser3_username }}' + cifmw_federation_keycloak_testuser1_password: '{{ cifmw_federation_keycloak_testuser3_password }}' + cifmw_federation_keycloak_testuser2_username: '{{ cifmw_federation_keycloak_testuser4_username }}' + cifmw_federation_keycloak_testuser2_password: '{{ cifmw_federation_keycloak_testuser4_password }}' + cifmw_federation_keycloak_testgroup1_name: '{{ cifmw_federation_keycloak_testgroup3_name }}' + cifmw_federation_keycloak_testgroup2_name: '{{ cifmw_federation_keycloak_testgroup4_name }}' + cifmw_federation_IdpName: '{{ cifmw_federation_IdpName2 }}' + when: cifmw_federation_deploy_multirealm is true diff --git a/roles/federation/defaults/main.yml b/roles/federation/defaults/main.yml index 44a835be2a..57f3653482 100644 --- a/roles/federation/defaults/main.yml +++ b/roles/federation/defaults/main.yml 
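Review bot: The second-realm `run_keycloak_realm_setup.yml` call overrides the realm, test users, test groups and `cifmw_federation_IdpName`, but not `cifmw_federation_keystone_OIDC_ClientID`/`cifmw_federation_keystone_OIDC_ClientSecret`, which that task file now uses as the Keycloak client's `client_id` and `secret`; the multirealm control-plane playbook in this commit configures Keystone's second realm with `cifmw_federation_keystone_OIDC_ClientID2`/`cifmw_federation_keystone_OIDC_ClientSecret2`, so unless both pairs hold the same values the client Keystone presents for realm two does not exist in Keycloak. Adding `cifmw_federation_keystone_OIDC_ClientID: '{{ cifmw_federation_keystone_OIDC_ClientID2 }}'` and the matching `cifmw_federation_keystone_OIDC_ClientSecret` line to this task's `vars:` lines the two up. The multirealm Keystone config also registers `OIDCRedirectURI {{ cifmw_federation_keystone_url }}/v3/redirect_uri`, while the realm setup's `redirect_uris` list carries only the websso paths, so it is worth confirming that Keycloak accepts the multirealm callback for both clients.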
@@ -1,25 +1,3 @@ --- # defaults file for federation # -cifmw_federation_keycloak_namespace: openstack -cifmw_federation_keycloak_realm: openstack -cifmw_federation_keycloak_admin_username: admin -cifmw_federation_keycloak_admin_password: nomoresecrets -cifmw_federation_keycloak_testuser1_username: kctestuser1 -cifmw_federation_keycloak_testuser1_password: nomoresecrets1 -cifmw_federation_keycloak_testuser2_username: kctestuser2 -cifmw_federation_keycloak_testuser2_password: nomoresecrets2 -cifmw_federation_keycloak_testgroup1_name: kctestgroup1 -cifmw_federation_keycloak_testgroup2_name: kctestgroup2 -cifmw_federation_keycloak_client_id: rhoso -cifmw_federation_keycloak_client_secret: COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f -cifmw_federation_keycloak_url_validate_certs: false -cifmw_federation_run_osp_cmd_namespace: openstack -cifmw_federation_domain: SSO -cifmw_federation_IdpName: kcIDP -cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}' -cifmw_federation_project_name: SSOproject -cifmw_federation_group_name: SSOgroup -cifmw_federation_mapping_name: SSOmap -cifmw_federation_rules_file: rules.json -cifmw_federation_clame_id: OIDC-preferred_username diff --git a/roles/federation/tasks/run_keycloak_realm_setup.yml b/roles/federation/tasks/run_keycloak_realm_setup.yml index b001e5ebff..b34d53e616 100644 --- a/roles/federation/tasks/run_keycloak_realm_setup.yml +++ b/roles/federation/tasks/run_keycloak_realm_setup.yml @@ -37,8 +37,7 @@ auth_password: "{{ cifmw_federation_keycloak_admin_password }}" state: present realm: "{{ cifmw_federation_keycloak_realm }}" - client_id: "{{ cifmw_federation_keycloak_client_id }}" - id: 3fb4f68d-ad2c-46e7-a579-ea418f5d150b + client_id: "{{ cifmw_federation_keystone_OIDC_ClientID }}" name: 'RHOSO Client' description: 'RHOSO client for keystone federation' root_url: "{{ cifmw_federation_keystone_url }}" 
@@ -46,9 +45,9 @@ base_url: '/dashboard/project' enabled: true client_authenticator_type: client-secret - secret: "{{ cifmw_federation_keycloak_client_secret }}" + secret: "{{ cifmw_federation_keystone_OIDC_ClientSecret }}" redirect_uris: - - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcIDP/protocols/openid/websso/" + - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/websso/" - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid" - "{{ cifmw_federation_horizon_url }}/dashboard/auth/websso/" web_origins: diff --git a/roles/federation/tasks/run_openstack_auth_setup.yml b/roles/federation/tasks/run_openstack_auth_setup.yml new file mode 100644 index 0000000000..7e63b93ef1 --- /dev/null +++ b/roles/federation/tasks/run_openstack_auth_setup.yml 
@@ -0,0 +1,103 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Read federation get token script + ansible.builtin.template: + src: get-token.sh.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" + mode: '0755' + +- name: Copy federation get token script file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/get-token.sh" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" + +- name: Read federation test user1 cloudrc template + ansible.builtin.template: + src: kctestuser1.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" + mode: "0644" + +- name: Read federation test user2 cloudrc template + ansible.builtin.template: + src: kctestuser2.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser2_username ] | path_join }}" + mode: "0644" + +- name: Read federation test user3 cloudrc template + ansible.builtin.template: + src: kctestuser3.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser3_username ] | path_join }}" + mode: "0644" + +- name: Read federation test user4 cloudrc template + ansible.builtin.template: + src: kctestuser4.j2 + dest: "{{ [ 
ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser4_username ] | path_join }}" + mode: "0644" + +- name: Copy federation test user1 cloudrc file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" + +- name: Copy federation test user2 cloudrc file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser2_username }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser2_username ] | path_join }}" + +- name: Copy federation test user3 cloudrc file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser3_username }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser3_username ] | path_join }}" + +- name: Copy federation test user4 cloudrc file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser4_username }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser4_username ] | path_join }}" + +- name: Copy system CA bundle + ansible.builtin.copy: + src: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" + mode: "0444" + +- name: Get ingress operator CA cert + ansible.builtin.slurp: + src: "{{ [ ansible_user_dir, 
'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}" + register: federation_sso_ca + +- name: Add ingress operator CA to bundle + ansible.builtin.blockinfile: + path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" + block: "{{ federation_sso_ca.content | b64decode }}" + +- name: Copy CA bundle to openstackclient pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/full-ca-list.crt" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" diff --git a/roles/federation/tasks/run_openstack_auth_test.yml b/roles/federation/tasks/run_openstack_auth_test.yml index f87b2d9a53..0bd505ed93 100644 --- a/roles/federation/tasks/run_openstack_auth_test.yml +++ b/roles/federation/tasks/run_openstack_auth_test.yml 
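Review bot: The four rendered cloudrc files carry `OS_PASSWORD` and `OS_CLIENT_SECRET` in clear text (see the `kctestuser*.j2` templates in this diff), yet each `ansible.builtin.template` task writes them with `mode: "0644"`, world-readable under `ci-framework-data/tmp`; `mode: "0600"` is sufficient because only the following `k8s_cp` tasks read them back. The template/copy pairs for users 1 to 4 differ only in the user index and could be one template task and one `k8s_cp` task looping over the four username variables, which would also make it natural to skip users 3 and 4 when the multirealm flag is not set. The `blockinfile` step appends the decoded ingress CA to a bundle that the preceding `copy` task refreshes from the system store on every run; a one-line comment stating that ordering dependency would help anyone who later reorders the tasks.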
@@ -14,71 +14,22 @@ # License for the specific language governing permissions and limitations # under the License. -- name: Read federation get token script - ansible.builtin.template: - src: get-token.sh.j2 - dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" - mode: '0755' - -- name: Copy federation get token script file into pod - kubernetes.core.k8s_cp: - namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" - pod: openstackclient - remote_path: "/home/cloud-admin/get-token.sh" - local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" - -- name: Read federation test user1 cloudrc template - ansible.builtin.template: - src: kctestuser1.j2 - dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" - mode: "0644" - -- name: Copy federation test user1 cloudrc file into pod - kubernetes.core.k8s_cp: - namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" - pod: openstackclient - remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}" - local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" - -- name: Copy system CA bundle - ansible.builtin.copy: - src: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" - dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" - mode: "0444" - -- name: Get ingress operator CA cert - ansible.builtin.slurp: - src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}" - register: federation_sso_ca - -- name: Add ingress operator CA to bundle - ansible.builtin.blockinfile: - path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" - block: "{{ federation_sso_ca.content | b64decode }}" - -- name: Copy CA bundle to openstackclient pod - kubernetes.core.k8s_cp: - namespace: 
"{{ cifmw_federation_run_osp_cmd_namespace }}" - pod: openstackclient - remote_path: "/home/cloud-admin/full-ca-list.crt" - local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" - -- name: Get test user1 token +- name: Get test user token vars: - _osp_cmd: "/home/cloud-admin/get-token.sh {{ cifmw_federation_keycloak_testuser1_username }}" + _osp_cmd: "/home/cloud-admin/get-token.sh {{ cifmw_federation_keycloak_testuser_username }}" ansible.builtin.include_tasks: run_osp_cmd.yml -- name: Read test user1 token info +- name: Read test user token info ansible.builtin.set_fact: - federation_sso_testuser1_token_json: "{{ federation_run_ocp_cmd.stdout | from_json }}" + federation_sso_testuser_token_json: "{{ federation_run_ocp_cmd.stdout | from_json }}" -- name: Output test user1 token info +- name: Output test user token info ansible.builtin.debug: - msg: "{{ federation_sso_testuser1_token_json }}" + msg: "{{ federation_sso_testuser_token_json }}" - name: Get openstack project vars: - _osp_cmd: "openstack project show {{ federation_sso_testuser1_token_json.project_id}} -f json" + _osp_cmd: "openstack project show {{ federation_sso_testuser_token_json.project_id}} -f json" ansible.builtin.include_tasks: run_osp_cmd.yml - name: Read openstack project info @@ -89,8 +40,8 @@ ansible.builtin.debug: msg: "{{ federation_sso_ssoproject_json }}" -- name: Test user1 successful token +- name: Test user successful token ansible.builtin.assert: that: - "cifmw_federation_project_name in federation_sso_ssoproject_json.name" - - federation_sso_testuser1_token_json.id|length >= 180 + - federation_sso_testuser_token_json.id|length >= 180 diff --git a/roles/federation/tasks/run_openstack_setup.yml b/roles/federation/tasks/run_openstack_setup.yml index a4abd325c4..4affbde457 100644 --- a/roles/federation/tasks/run_openstack_setup.yml +++ b/roles/federation/tasks/run_openstack_setup.yml 
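Review bot: The task file now depends on the caller passing `cifmw_federation_keycloak_testuser_username`, but nothing in the file documents or checks that; a short header comment listing the required variables, or a first task `ansible.builtin.assert` with `that: cifmw_federation_keycloak_testuser_username is defined`, would make the contract explicit for the two `include_role` callers in `federation-post-deploy.yml`. The check retained in the next hunk, `cifmw_federation_project_name in federation_sso_ssoproject_json.name`, is a substring test and cannot tell the realm-1 project from a realm-2 project whose name merely contains it; `==` is the stronger assertion now that the file runs once per realm.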
@@ -23,14 +23,14 @@ - name: Run federation create domain vars: - _osp_cmd: "openstack domain create {{ cifmw_federation_domain }}" + _osp_cmd: "openstack domain create {{ cifmw_federation_keystone_domain }}" ansible.builtin.include_tasks: run_osp_cmd.yml - name: Run federation identity provider create vars: _osp_cmd: "openstack identity provider create --remote-id {{ cifmw_federation_remote_id }} - --domain {{ cifmw_federation_domain }} + --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_IdpName }}" ansible.builtin.include_tasks: run_osp_cmd.yml @@ -57,14 +57,14 @@ - name: Run federation group create vars: _osp_cmd: "openstack group create - --domain {{ cifmw_federation_domain }} + --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_group_name }}" ansible.builtin.include_tasks: run_osp_cmd.yml - name: Run federation project create vars: _osp_cmd: "openstack project create - --domain {{ cifmw_federation_domain }} + --domain {{ cifmw_federation_keystone_domain }} {{ cifmw_federation_project_name }}" ansible.builtin.include_tasks: run_osp_cmd.yml @@ -72,9 +72,9 @@ vars: _osp_cmd: "openstack role add --group {{ cifmw_federation_group_name }} - --group-domain {{ cifmw_federation_domain }} + --group-domain {{ cifmw_federation_keystone_domain }} --project {{ cifmw_federation_project_name }} - --project-domain {{ cifmw_federation_domain }} + --project-domain {{ cifmw_federation_keystone_domain }} member" ansible.builtin.include_tasks: run_osp_cmd.yml diff --git a/roles/federation/templates/kctestuser1.j2 b/roles/federation/templates/kctestuser1.j2 index c64e21cb4c..fcd123812c 100644 --- a/roles/federation/templates/kctestuser1.j2 +++ b/roles/federation/templates/kctestuser1.j2 
@@ -1,7 +1,7 @@
unset OS_CLOUD
export OS_CACERT=/home/cloud-admin/full-ca-list.crt
export OS_PROJECT_NAME="{{ cifmw_federation_project_name }}"
-export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_domain }}"
+export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_keystone_domain }}"
export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_PLUGIN=openid
@@ -9,8 +9,8 @@ export OS_AUTH_TYPE=v3oidcpassword
export OS_USERNAME="{{ cifmw_federation_keycloak_testuser1_username }}"
export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser1_password }}"
export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName }}"
-export OS_CLIENT_ID="{{ cifmw_federation_keycloak_client_id }}"
-export OS_CLIENT_SECRET="{{ cifmw_federation_keycloak_client_secret }}"
+export OS_CLIENT_ID="{{ cifmw_federation_keystone_OIDC_ClientID }}"
+export OS_CLIENT_SECRET="{{ cifmw_federation_keystone_OIDC_ClientSecret }}"
export OS_OPENID_SCOPE="openid profile email"
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_TYPE=access_token
diff --git a/roles/federation/templates/kctestuser2.j2 b/roles/federation/templates/kctestuser2.j2
new file mode 100644
index 0000000000..269a2d1233
--- /dev/null
+++ b/roles/federation/templates/kctestuser2.j2
@@ -0,0 +1,17 @@
+unset OS_CLOUD
+export OS_CACERT=/home/cloud-admin/full-ca-list.crt
+export OS_PROJECT_NAME="{{ cifmw_federation_project_name }}"
+export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_keystone_domain }}"
+export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_PLUGIN=openid
+export OS_AUTH_TYPE=v3oidcpassword
+export OS_USERNAME="{{ cifmw_federation_keycloak_testuser2_username }}"
+export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser2_password }}"
+export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName }}"
+export OS_CLIENT_ID="{{ cifmw_federation_keystone_OIDC_ClientID }}"
+export OS_CLIENT_SECRET="{{ cifmw_federation_keystone_OIDC_ClientSecret }}"
+export OS_OPENID_SCOPE="openid profile email"
+export OS_PROTOCOL=openid
+export OS_ACCESS_TOKEN_TYPE=access_token
+export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/.well-known/openid-configuration"
diff --git a/roles/federation/templates/kctestuser3.j2 b/roles/federation/templates/kctestuser3.j2
new file mode 100644
index 0000000000..09d4675f66
--- /dev/null
+++ b/roles/federation/templates/kctestuser3.j2
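Review bot: This file is kctestuser1.j2 with the user index changed, and kctestuser3.j2 and kctestuser4.j2 further down differ from it only in the index and in the `2` suffix on the domain, IdP, client and realm variables; four copies of the same seventeen lines will drift the next time one of them is touched. One template rendered per user, with the username/password, domain, IdP, client and realm values passed in as task vars (for example a loop over a list of dicts), would make the per-user difference explicit and keep the shared lines in one place. A header comment naming what the rendered file is for would also help, e.g. `# Rendered clouds-style env for the federation test user; sourced by get-token.sh`, hedged since the consumer is not in this diff. The rendered file holds `OS_PASSWORD` and `OS_CLIENT_SECRET` in plaintext, so wherever it is written (outside this diff) the file mode should be owner-only.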
@@ -0,0 +1,17 @@
+unset OS_CLOUD
+export OS_CACERT=/home/cloud-admin/full-ca-list.crt
+export OS_PROJECT_NAME="{{ cifmw_federation_project_name2 }}"
+export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_keystone_domain2 }}"
+export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_PLUGIN=openid
+export OS_AUTH_TYPE=v3oidcpassword
+export OS_USERNAME="{{ cifmw_federation_keycloak_testuser3_username }}"
+export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser3_password }}"
+export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName2 }}"
+export OS_CLIENT_ID="{{ cifmw_federation_keystone_OIDC_ClientID2 }}"
+export OS_CLIENT_SECRET="{{ cifmw_federation_keystone_OIDC_ClientSecret2 }}"
+export OS_OPENID_SCOPE="openid profile email"
+export OS_PROTOCOL=openid
+export OS_ACCESS_TOKEN_TYPE=access_token
+export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}/.well-known/openid-configuration"
diff --git a/roles/federation/templates/kctestuser4.j2 b/roles/federation/templates/kctestuser4.j2
new file mode 100644
index 0000000000..8907493c72
--- /dev/null
+++ b/roles/federation/templates/kctestuser4.j2
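Review bot: This template (and kctestuser4.j2 after it) authenticates against the second IdP using `cifmw_federation_keystone_domain2`, `cifmw_federation_IdpName2`, `cifmw_federation_project_name2` and the `ClientID2`/`ClientSecret2` pair, but nothing in this diff creates that second Keystone domain, identity provider, mapping or project — the run_openstack_setup.yml hunks above only create the `cifmw_federation_keystone_domain` set. If the second IdP is provisioned elsewhere that is fine; if not, a test sourcing this file will fail at token issuance with a missing domain/IdP rather than a federation error, which is hard to diagnose. A one-line comment at the top stating the precondition, e.g. `# Expects the second federation domain/IdP (the *2 vars in vars/all-vars.yml) to already exist`, would make the dependency visible.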
@@ -0,0 +1,17 @@
+unset OS_CLOUD
+export OS_CACERT=/home/cloud-admin/full-ca-list.crt
+export OS_PROJECT_NAME="{{ cifmw_federation_project_name2 }}"
+export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_keystone_domain2 }}"
+export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3"
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_PLUGIN=openid
+export OS_AUTH_TYPE=v3oidcpassword
+export OS_USERNAME="{{ cifmw_federation_keycloak_testuser4_username }}"
+export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser4_password }}"
+export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName2 }}"
+export OS_CLIENT_ID="{{ cifmw_federation_keystone_OIDC_ClientID2 }}"
+export OS_CLIENT_SECRET="{{ cifmw_federation_keystone_OIDC_ClientSecret2 }}"
+export OS_OPENID_SCOPE="openid profile email"
+export OS_PROTOCOL=openid
+export OS_ACCESS_TOKEN_TYPE=access_token
+export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}/.well-known/openid-configuration"
diff --git a/roles/federation/templates/rules.json.j2 b/roles/federation/templates/rules.json.j2
index 444f4e315d..65c7d15fe0 100644
--- a/roles/federation/templates/rules.json.j2
+++ b/roles/federation/templates/rules.json.j2
@@ -8,7 +8,7 @@
"group": {
"name": "{{ cifmw_federation_group_name }}",
"domain": {
- "name": "{{ cifmw_federation_domain }}"
+ "name": "{{ cifmw_federation_keystone_domain }}"
}
}
}
diff --git a/roles/federation/vars/all-vars.yml b/roles/federation/vars/all-vars.yml
new file mode 100644
index 0000000000..c46e06f02a
--- /dev/null
+++ b/roles/federation/vars/all-vars.yml
@@ -0,0 +1,59 @@
+---
+# vars for all for federation runs
+#
+cifmw_federation_keycloak_url: 'https://keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}'
+cifmw_federation_keystone_url: 'https://keystone-public-{{ cifmw_federation_run_osp_cmd_namespace }}.{{ cifmw_federation_domain }}'
+cifmw_federation_horizon_url: 'https://horizon-{{ cifmw_federation_run_osp_cmd_namespace }}.{{ cifmw_federation_domain }}'
+cifmw_federation_keycloak_namespace: openstack
+cifmw_federation_run_osp_cmd_namespace: openstack
+cifmw_federation_keycloak_realm: openstack
+cifmw_federation_keycloak_realm2: openstack2
+cifmw_federation_keycloak_admin_username: admin
+cifmw_federation_keycloak_admin_password: nomoresecrets
+cifmw_federation_keycloak_testuser1_username: kctestuser1
+cifmw_federation_keycloak_testuser1_password: nomoresecrets1
+cifmw_federation_keycloak_testuser2_username: kctestuser2
+cifmw_federation_keycloak_testuser2_password: nomoresecrets2
+cifmw_federation_keycloak_testgroup1_name: kctestgroup1
+cifmw_federation_keycloak_testgroup2_name: kctestgroup2
+cifmw_federation_keycloak_testuser3_username: kctestuser3
+cifmw_federation_keycloak_testuser3_password: nomoresecrets3
+cifmw_federation_keycloak_testuser4_username: kctestuser4
+cifmw_federation_keycloak_testuser4_password: nomoresecrets4
+cifmw_federation_keycloak_testgroup3_name: kctestgroup3
+cifmw_federation_keycloak_testgroup4_name: kctestgroup4
+cifmw_federation_keycloak_url_validate_certs: false
+cifmw_federation_IdpName: kcIDP
+cifmw_federation_IdpName2: kcIDP2
+cifmw_federation_keystone_domain: SSO
+cifmw_federation_keystone_domain2: SSO2
+cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}'
+cifmw_federation_remote_id2: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}'
+cifmw_federation_project_name: SSOproject
+cifmw_federation_project_name2: SSOproject2
+cifmw_federation_group_name: SSOgroup
+cifmw_federation_group_name2: SSOgroup2
+cifmw_federation_mapping_name: SSOmap
+cifmw_federation_mapping_name2: SSOmap2
+cifmw_federation_rules_file: rules.json
+cifmw_federation_clame_id: OIDC-preferred_username
+cifmw_federation_keystone_OIDC_ClaimDelimiter: ";"
+cifmw_federation_keystone_OIDC_ClaimPrefix: "OIDC-"
+cifmw_federation_keystone_OIDC_PassClaimsAs: "both"
+cifmw_federation_keystone_OIDC_PassUserInfoAs: "claims"
+cifmw_federation_keystone_OIDC_ResponseType: "id_token"
+cifmw_federation_keystone_OIDC_Scope: "openid email profile"
+cifmw_federation_keystone_OIDC_CryptoPassphrase: "openstack"
+cifmw_federation_keystone_OIDC_ProviderMetadataURL: "{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/.well-known/openid-configuration"
+cifmw_federation_keystone_OIDC_ProviderMetadataURL2: "{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}/.well-known/openid-configuration"
+cifmw_federation_keystone_OIDC_OAuthIntrospectionEndpoint: "{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/protocol/openid-connect/token/introspect"
+cifmw_federation_keystone_OIDC_ClientID: "rhoso"
+cifmw_federation_keystone_OIDC_ClientSecret: "COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f"
+cifmw_federation_keystone_OIDC_ClientID2: "rhoso2"
+cifmw_federation_keystone_OIDC_ClientSecret2: "DOX8bmlKAWn56XCGNrKQJj7dgHNAOl6g"
+cifmw_federation_keystone_idp1_conf_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm }}.conf"
+cifmw_federation_keystone_idp1_client_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm }}.client"
+cifmw_federation_keystone_idp1_provider_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ 
cifmw_federation_keycloak_realm }}.provider"
+cifmw_federation_keystone_idp2_conf_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.conf"
+cifmw_federation_keystone_idp2_client_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.client"
+cifmw_federation_keystone_idp2_provider_filename: "keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.provider"
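Review bot: The Keycloak admin password, the four test-user passwords, both `cifmw_federation_keystone_OIDC_ClientSecret*` values and `cifmw_federation_keystone_OIDC_CryptoPassphrase` are committed as literals in `roles/federation/vars/`, and a file in a role's `vars/` directory is loaded with role-vars precedence, so a deployer cannot replace them from inventory or group_vars — only from extra-vars. Moving the file (or at least the secret-bearing keys) to `defaults/` keeps the lab values while letting a real run supply its own, and the two client secrets could be generated per run rather than being the same fixed strings in every deployment built from this role. `cifmw_federation_keycloak_url_validate_certs: false` turns off TLS verification for every Keycloak call and should carry a comment marking it as a lab-only default, e.g. `# lab default for a self-signed Keycloak cert; set true when a trusted CA is in use`. `cifmw_federation_clame_id` reads as a misspelling of "claim"; if nothing else in the role references it yet, this new file is the cheapest place to fix the name. Note also that `cifmw_federation_domain`, which every URL and filename key here interpolates, is not defined in this file and has to be set by the caller before the role is imported — a comment at the top saying so would save the next reader a search.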