From 5aa154c669143be393a7a6b4e9c6ba2a1b88fbb7 Mon Sep 17 00:00:00 2001 From: Scott Poore Date: Thu, 30 Mar 2023 17:56:00 -0500 Subject: [PATCH] containers: add keycloak Adding new container for Keycloak. Container defined in separate docker-compose since it is unnecessary for general SSSD testing. Container build ansible role added and Makefile and scripts updated to reflect the new keycloak container. 
Signed-off-by: Scott Poore --- Makefile | 8 +- data/certs/master.keycloak.test.crt | 31 +++++ data/certs/master.keycloak.test.key | 52 ++++++++ data/configs/dnsmasq.conf | 2 + .../hosts/master.keycloak.test.ecdsa_key | 9 ++ .../hosts/master.keycloak.test.ecdsa_key.pub | 1 + .../hosts/master.keycloak.test.ed25519_key | 9 ++ .../master.keycloak.test.ed25519_key.pub | 1 + .../hosts/master.keycloak.test.rsa_key | 9 ++ .../hosts/master.keycloak.test.rsa_key.pub | 1 + docker-compose.keycloak.yml | 21 ++++ readme.md | 4 + src/ansible/group_vars/all | 5 + src/ansible/inventory.yml | 7 ++ src/ansible/playbook_image_service.yml | 5 + src/ansible/roles/common/tasks/main.yml | 9 ++ src/ansible/roles/facts/tasks/Debian.yml | 2 + src/ansible/roles/facts/tasks/Fedora.yml | 2 + src/ansible/roles/facts/tasks/Ubuntu.yml | 2 + src/ansible/roles/keycloak/defaults/main.yml | 1 + src/ansible/roles/keycloak/tasks/main.yml | 118 ++++++++++++++++++ src/ansible/roles/packages/tasks/Debian.yml | 13 ++ src/ansible/roles/packages/tasks/Fedora.yml | 11 ++ src/ansible/roles/packages/tasks/Ubuntu.yml | 13 ++ src/build.sh | 26 ++-- src/docker-compose.build.yml | 3 + src/push.sh | 24 ++-- src/tools/gen-certs.sh | 2 +- src/tools/gen-ssh-keys.sh | 2 +- 29 files changed, 367 insertions(+), 26 deletions(-) create mode 100644 data/certs/master.keycloak.test.crt create mode 100644 data/certs/master.keycloak.test.key create mode 100644 data/ssh-keys/hosts/master.keycloak.test.ecdsa_key create mode 100644 data/ssh-keys/hosts/master.keycloak.test.ecdsa_key.pub create mode 100644 data/ssh-keys/hosts/master.keycloak.test.ed25519_key create mode 100644 data/ssh-keys/hosts/master.keycloak.test.ed25519_key.pub create mode 100644 data/ssh-keys/hosts/master.keycloak.test.rsa_key create mode 100644 data/ssh-keys/hosts/master.keycloak.test.rsa_key.pub create mode 100644 docker-compose.keycloak.yml create mode 100644 src/ansible/roles/keycloak/defaults/main.yml create mode 100644 
src/ansible/roles/keycloak/tasks/main.yml diff --git a/Makefile b/Makefile index 41a746de..f8df7081 100644 --- a/Makefile +++ b/Makefile @@ -14,11 +14,17 @@ up-passkey: && docker-compose -f docker-compose.yml -f docker-compose.passkey.yml up \ --no-recreate --detach ${LIMIT} +up-keycloak: + docker-compose -f docker-compose.yml -f docker-compose.keycloak.yml up \ + --no-recreate --detach ${LIMIT} + stop: docker-compose stop down: - docker-compose down + docker-compose -f docker-compose.yml \ + -f docker-compose.keycloak.yml \ + -f docker-compose.passkey.yml down update: docker-compose pull diff --git a/data/certs/master.keycloak.test.crt b/data/certs/master.keycloak.test.crt new file mode 100644 index 00000000..d0de0617 --- /dev/null +++ b/data/certs/master.keycloak.test.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFTzCCAzegAwIBAgITPJ2nsJjf6JgZjc5YZi1LZL1I4DANBgkqhkiG9w0BAQsF +ADArMQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQLDARzc3NkMQswCQYDVQQDDAJjYTAe +Fw0yMzAzMzAyMDE3MjFaFw00MjEyMTUyMDE3MjFaMD0xDTALBgNVBAoMBHRlc3Qx +DTALBgNVBAsMBHNzc2QxHTAbBgNVBAMMFG1hc3Rlci5rZXljbG9hay50ZXN0MIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo3v/0s0OAKNG8508BGXHb6pW +5NMatadps42KYSY+PKNd96ANMfOrSstFCDgxMM33abOZl4FyLCfsZv5++XCYiQ6x +KCgO/RYqH0YXUOw560RKOismA3fWbIsgwb8LecOR73LpOot/pIo5HAgKYjMu72Gy +GBpBeKeMhIdKwaAYdCkjy1VsDIdaCC0RrcR+ZP3PI4ksCzx6icICReM9UJmzvRvT +YPz/E99OvfVd+d2WQiSysePLygV0xYMI70YkTTDrZvAs4R3Qfe1DGYqLGu8dvLsd +awWNdJcASgu1ODV0hKRZLHd+8OkpmROG7SxWv5F+XzIplmMjy0N6hxXzQeUwx0Uh +/LE4QgW1Za0qS/SFkdaWBoP86SpjvXYvrAgiSQs3X+HLp6SlZCgk0fmhWzeLluYk +XyiGmTLnoV6+YoeXR79P2pPaoAMmyyeitDtLzAadnFmXaxV9ZqGETu1VSOZtjNRz +sBz8EpboPxputeDV3h5MlWMNR1mqjt8WCPH3vAP0IaXC26OpWumDjLV6x4UmcuBM +x7GWSnx4f94AMtapECahWbqlY/Zs8zRjUP3GoC8g4SA/Ck2DaIEcjABYH3YyXL/4 +MA6fSqyTJ8zwCsg0CIUckud8qmpAoy9laLGWcQY2/jbh8bE2cWh91jksc+SRQe1x +ppub9iP6mtksihb88XkCAwEAAaNaMFgwHwYDVR0jBBgwFoAUEjy3xbVnEZuxbtPG +ee5h0fTCBn0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFCR8rEJ+ ++3dGG+WhrodO9w2q3jAbMA0GCSqGSIb3DQEBCwUAA4ICAQAdTHDnLLtbdG9SVVpJ +zvajm4TeEqrB07BvTsY4N9eboTK/A3mj68E8gj1NsehYsbqyBDg7dUXOacFSFXBj +GB0+eaHPmerjokB0pJBxc0TCrlLL5sV1wd0LFziqPBUUEG2Q9Y85YZqOCfY9Ta3n +DJb1PIl5/AH76b+MT3+v/7OftyGmkDGL3H4l+S27ki87AeP4CuroNLfJ8L5tIKHk +nkCXF3MWcbhWQ3qnGx6K8jGby8lwGler91QCQSSOVswtAOcixXU24dVqZQDiE/nr +6lT97EE9rvWOc61BnL7Po8cADlH9uWBsAMjl3NHt9XdLGSlrjsfLSmqVHLbL8GUm +g5fp87K+ishQiWOXBz0KhLjbouFJZQgqmojF3d3SKP25F/gwpl2s2OTl3TiBShaa +a7qB4pOI4n7TEso05PvPUlvNe/52iBz4dfd8Alic4G+4ApExrjiPBK2VdgVun0bQ +qN6M4RW7cudTORnOENDGp9aO+AB4G1xcH4kiZa/FWvgPRT3FmMzeV8cYQg23vM9q +066Vu3gp+lRLHncoBxdJuXtaY6gT3cgptnQLvXhiZfwaPaNQLDi+UWZ9+rPMGkD6 +yBthELFTGw93h0RojVj+VKCUY6NnrNvbxhcQntwhNHt0ot7B280iR1eZnmlwbMCI +qpEVBfEoqIYxBQG/ksqYrICzsA== +-----END CERTIFICATE----- 
diff --git a/data/certs/master.keycloak.test.key b/data/certs/master.keycloak.test.key new file mode 100644 index 00000000..465d5e5a --- /dev/null +++ b/data/certs/master.keycloak.test.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCje//SzQ4Ao0bz +nTwEZcdvqlbk0xq1p2mzjYphJj48o133oA0x86tKy0UIODEwzfdps5mXgXIsJ+xm +/n75cJiJDrEoKA79FiofRhdQ7DnrREo6KyYDd9ZsiyDBvwt5w5Hvcuk6i3+kijkc +CApiMy7vYbIYGkF4p4yEh0rBoBh0KSPLVWwMh1oILRGtxH5k/c8jiSwLPHqJwgJF +4z1QmbO9G9Ng/P8T30699V353ZZCJLKx48vKBXTFgwjvRiRNMOtm8CzhHdB97UMZ +iosa7x28ux1rBY10lwBKC7U4NXSEpFksd37w6SmZE4btLFa/kX5fMimWYyPLQ3qH +FfNB5TDHRSH8sThCBbVlrSpL9IWR1pYGg/zpKmO9di+sCCJJCzdf4cunpKVkKCTR ++aFbN4uW5iRfKIaZMuehXr5ih5dHv0/ak9qgAybLJ6K0O0vMBp2cWZdrFX1moYRO +7VVI5m2M1HOwHPwSlug/Gm614NXeHkyVYw1HWaqO3xYI8fe8A/QhpcLbo6la6YOM +tXrHhSZy4EzHsZZKfHh/3gAy1qkQJqFZuqVj9mzzNGNQ/cagLyDhID8KTYNogRyM +AFgfdjJcv/gwDp9KrJMnzPAKyDQIhRyS53yqakCjL2VosZZxBjb+NuHxsTZxaH3W +OSxz5JFB7XGmm5v2I/qa2SyKFvzxeQIDAQABAoICAAm1RpkKR7tWdtNnIiYBtEDn +jN7sQVEJtr9sl4vS1U3NBrq6dKYjeefIX9pP2e3zwS4z9do3G+RO350zHi+qVciH +yJHhpRg23Xv7cc2CpaLYrI69OrXogyFxdpnCwkfyCuO8/2gUWhlXgvIs8Q7pSq94 +7fY78ujbDD9feFs8qk8VlVRRB4hL7lb/dCYNPdM59je+QNEO/5jYHkHvr1eutOt1 +ME15YJ1ZvKePn0vD8pUNcFYbeKHPxqIm+Jwa3nN+BPCZMRUSK+wab4pf/Yg1LF8l +fmb5Tq/eeqwq+1Ex7XAmAUygcPeV5Pw72l6RrDoWhfpZtHoDe5/pqyhD76zZUxbd +8gtHv7fJ+MPy0eNbYJgLqRuHvX+ro36wqLt3zP6rrBXibiwolgissNqUQUgwGjqE +5yw+ENn60W2QqIzZrIOpSxOodJ9yhhnTPNgFPVUzzVPQvpodgXUOAqxzi8qNwIkU +NSrnvduh1jBNvg3vHMg6Ux0n19rAeJdM7NwJoPdcX3Z7CS/AQPMHwMUksMJUpZWR +i8j3H0Edd9cSInxPHDZaksNLH8K51vt/9OtGdois0bUYwihKrQK3xoDgUdMQ8ZNk +rgBo/+jxIM+XZMJBULIK/Uj/a1lDe5a/gAA1XQHR1K3ay9WUyXhgauW7JSUJ7cX3 +4/lHthOHMvxrLjjMHmftAoIBAQDKsNUEjPfRjfyROJFY3nyLXagU9+TijQyx7elg +MMTabmQPGiF1TSn3ecJxFucg3mtzjyootIwFqj+TlqJ5Ui3NedmTqk/IK2UGncJW +jNZH2f2ldJS+U0+PGqXTC+uI8Ny5Z6VUYs+pnclChDAsP2jwCtwVp4aRoqZq9TeW +gz1hbH1//lV2U7UTUqxS/HdZTO4XwzacfVhAdzD0Z3qg5WR4FyLt7qadK1hZzZXC +SGKyWDRvTTEijs/h1NwtIzHNm5P5VhfQzTfzHfrfM6SFJEXoBIgQoCdrPsqH7ksa +Fz3N4uAZmRi1dcJSu/x+k/4b4//qhsJ1AkBi9JM5W9DVPVMNAoIBAQDOe2betiQe ++Bp605LTka1DHoE1YLhce5Rr87yaIc0H99T2W+fJJHlbcJ0aAaJr/7MLdbSIB1SW 
+HarNy5uqIOZzklop5C3iLPUx7h5fNJQmwrljpJ1E46K1e7QKZrIzywKkzrHWm+ak +Ftzs7P5vF9ucHrrme9UecYh6shiEBlR6+YQtruV/GkMz02B2GjHBD6h15OsPMhdv +VUH0mDamUBSuWfCveJIf3aVh90Bttl/eA8RkB+5C5WAEFwyBJjN7ptyf7a/IUO8e +UKL5Y421cKnq37PU4bJA+l11X68jrTvyUnX/koeKIWclMpJOJg5nz7eMv0z1llKv ++BfUAK3J5m0dAoIBAQDBQspZhG/mhxODBATST5FA8RQKqjK7MPIh1U7oQJfyDb+q +BqhQSDrzlE0pt0S5ulmJ3b+9ACliXWoxNzfDpe+2M7CZc5KOsZGqNVHPZIoMCHYp +BHeu4ZDCSg5CpOL3t3E99u1VAMIwYBo+KfwktHFCL5iZrRpKUmOLKDTQdmJYOjGP +kNm78SR+QB2/IqpJo2iBj8jKfVlgXkV3RBNQxmh9eNH9O8fxpBqhxbw9evdgRWn5 +lgh7guAD3Anzn9Mk0GrPGp+qn4HxdWx21a7QpD1jdK6n64yqXTyPT06cmfx8Cw7S +WX+NxbJ7YHLn3gQ0Y7jnzYYsOvFZaQnXbww3xjkhAoIBAQCFS9zJAcSnyXsut88d +jfnQTq0TDHF4Ir9aQWsMBa4a6r8sm4Aytb0ybqy80TlNhzDKwR3egvz0PAq7+Clx +1vNuwJg8WvXUATn5FcO9qm/J5gNQdECi7GFpz4YXAN0h2njGdDkSVmq6m5fby9Ml +XL2FN8FocaDPmnOE4dw5vuxixxmxdCrrtsSTfG3VUGu2OqmCElo84RWH5f5CLNF6 +5E+1jpJ2dNvAfpH5gGizavzQkpYCDayeuv0VJtwHs+WgecQL6qGEK9tyMpRDcyVU +cHsBCZFKaLlugTI8R50E5xy//sP2TV36qj2wIcmZca/zDIFt90Fzeau/teWMEzQe +FwdxAoIBAEZdO6/WwuXH7v5uKdInGmkxxswdnAaPCulSM6ruUHh2XvGFTa557OkT +p9zYDlMWrt7IZ55CaeLMbTqliY5/Ic+srBDw1111JJv1ARHg1+TrZ8AjgSzQSHX+ +lO1UnQlu6eQ5PkE4Ns6yoD9gJzxRgHxHkifhWzJfwqHJ7bAk7CA/6Jbpvuwe7y4j +X2xf4k7HRrVzAP/jwL1d9Nnzk2xEJ6WjNcmWNeYOJt5Wog9t1pyqnI5iwZDhRHKi +H25jt3nPjG1LQU+Bix2qeuKoqjP3bsAakrsrQKckopA70egSPpUpwD5246TcItty +wpmmCXuBcDn5+o3D4ZI7fZ9QVn9bi28= +-----END PRIVATE KEY----- diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf index 2c44093b..34a40a05 100644 --- a/data/configs/dnsmasq.conf +++ b/data/configs/dnsmasq.conf @@ -20,6 +20,7 @@ address=/master.ldap.test/172.16.100.20 address=/client.test/172.16.100.40 address=/nfs.test/172.16.100.50 address=/kdc.test/172.16.100.60 +address=/master.keycloak.test/172.16.100.70 # Add SRV record for LDAP srv-host=_ldap._tcp.ldap.test,master.ldap.test,389 
@@ -30,3 +31,4 @@ ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test ptr-record=40.100.16.172.in-addr.arpa,client.test ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test +ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test diff --git a/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key b/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key new file mode 100644 index 00000000..f9250373 --- /dev/null +++ b/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQo6x4yFjX+7NouHZzMyXid7gRR5C0W +UtZ8wzOyE8jMAmserl+FLtj5rh03iXnYNQyoM6e28YjFTW40S6QgGeEOAAAAuD0IGAs9CB +gLAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCjrHjIWNf7s2i4d +nMzJeJ3uBFHkLRZS1nzDM7ITyMwCax6uX4Uu2PmuHTeJedg1DKgzp7bxiMVNbjRLpCAZ4Q +4AAAAhAJEZoIsYYJM1zgrQBNpJ/nBQkUB0KX/edjVHvxTtLcj8AAAAG1dlbGwga25vd24g +a2V5IGZvciBzc3NkLWNpLgECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key.pub b/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key.pub new file mode 100644 index 00000000..68b9a94a --- /dev/null +++ b/data/ssh-keys/hosts/master.keycloak.test.ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCjrHjIWNf7s2i4dnMzJeJ3uBFHkLRZS1nzDM7ITyMwCax6uX4Uu2PmuHTeJedg1DKgzp7bxiMVNbjRLpCAZ4Q4= Well known key for sssd-ci. diff --git a/data/ssh-keys/hosts/master.keycloak.test.ed25519_key b/data/ssh-keys/hosts/master.keycloak.test.ed25519_key new file mode 100644 index 00000000..95b33d14 --- /dev/null +++ b/data/ssh-keys/hosts/master.keycloak.test.ed25519_key 
@@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQT5YcfqE2FEyZuoZAMuSoMl13D/SH4j +bYxbU/L7MWvpLeW2VvqQquJRGOzYCsGrWC5rSF1SjFm/dMilBJm2WhxsAAAAuCuqfD4rqn +w+AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPlhx+oTYUTJm6hk +Ay5KgyXXcP9IfiNtjFtT8vsxa+kt5bZW+pCq4lEY7NgKwatYLmtIXVKMWb90yKUEmbZaHG +wAAAAhAJi8m6d8fgyJSMNeKPf+U1BdH1PunSHV/VOpqPHSu4VsAAAAG1dlbGwga25vd24g +a2V5IGZvciBzc3NkLWNpLgECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.keycloak.test.ed25519_key.pub b/data/ssh-keys/hosts/master.keycloak.test.ed25519_key.pub new file mode 100644 index 00000000..a280fc6e --- /dev/null +++ b/data/ssh-keys/hosts/master.keycloak.test.ed25519_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPlhx+oTYUTJm6hkAy5KgyXXcP9IfiNtjFtT8vsxa+kt5bZW+pCq4lEY7NgKwatYLmtIXVKMWb90yKUEmbZaHGw= Well known key for sssd-ci. diff --git a/data/ssh-keys/hosts/master.keycloak.test.rsa_key b/data/ssh-keys/hosts/master.keycloak.test.rsa_key new file mode 100644 index 00000000..741abba7 --- /dev/null +++ b/data/ssh-keys/hosts/master.keycloak.test.rsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRIiqAbVB3EEMISmR5AGDh78F5/TK4l ++TrlOTvnye1/nx4kv/Nv2C3UDNsYENsePybKPiFNkd4i8UjCdjAIfgmGAAAAuDVOCT81Tg +k/AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEiKoBtUHcQQwhKZ +HkAYOHvwXn9MriX5OuU5O+fJ7X+fHiS/82/YLdQM2xgQ2x4/Jso+IU2R3iLxSMJ2MAh+CY +YAAAAhAM8elf2XwkTxqk2BecXGp9Vg5a+2Dnj2NU/m3zlB9fXjAAAAG1dlbGwga25vd24g +a2V5IGZvciBzc3NkLWNpLgECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.keycloak.test.rsa_key.pub b/data/ssh-keys/hosts/master.keycloak.test.rsa_key.pub new file mode 100644 index 00000000..dd02540f --- /dev/null 
+++ b/data/ssh-keys/hosts/master.keycloak.test.rsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEiKoBtUHcQQwhKZHkAYOHvwXn9MriX5OuU5O+fJ7X+fHiS/82/YLdQM2xgQ2x4/Jso+IU2R3iLxSMJ2MAh+CYY= Well known key for sssd-ci. diff --git a/docker-compose.keycloak.yml b/docker-compose.keycloak.yml new file mode 100644 index 00000000..2a7861d8 --- /dev/null +++ b/docker-compose.keycloak.yml @@ -0,0 +1,21 @@ +services: + keycloak: + image: ${REGISTRY}/ci-keycloak:${TAG} + container_name: keycloak + hostname: master.keycloak.test + dns: 172.16.100.2 + env_file: ./env.containers + cap_add: + - SYS_ADMIN + - SYS_PTRACE + - AUDIT_WRITE + - AUDIT_CONTROL + - NET_ADMIN + - SYS_CHROOT + security_opt: + - apparmor=unconfined + - label=disable + - seccomp=unconfined + networks: + sssd: + ipv4_address: 172.16.100.70 diff --git a/readme.md b/readme.md index 123840b8..e396eb7f 100644 --- a/readme.md +++ b/readme.md @@ -79,6 +79,7 @@ perfoming an `ldapsearch`). | client | `172.16.100.40` | `client.test` | Client machine with configured SSSD | | nfs | `172.16.100.50` | `nfs.test` | NFS server | | kdc | `172.16.100.60` | `kdc.test` | Kerberos KDC | +| keycloak | `172.16.100.70` | `master.keycloak.test` | Keycloak IdP | ## Available user accounts @@ -278,6 +279,7 @@ are: base-ground --> base-samba base-ground --> base-nfs base-ground --> base-kdc + base-ground --> base-keycloak base-ldap --> base-ipa base-ldap --> ldap @@ -292,4 +294,6 @@ are: base-nfs --> nfs base-kdc --> kdc + + base-keycloak --> keycloak ``` diff --git a/src/ansible/group_vars/all b/src/ansible/group_vars/all index b9d4634e..6035093e 100644 --- a/src/ansible/group_vars/all +++ b/src/ansible/group_vars/all @@ -31,6 +31,11 @@ service: { fqn: kdc.test, master_password: Secret123 }, + keycloak: { + domain: keycloak.test, + fqn: master.keycloak.test, + admin_password: Secret123 + }, ad: { domain: ad.test, hostname: 'dc', 
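Review bot: The keycloak service is given SYS_ADMIN, SYS_PTRACE, NET_ADMIN, AUDIT_CONTROL and SYS_CHROOT and runs with AppArmor, seccomp and SELinux labelling all disabled, which is far more than a Java service listening on 8443 needs and considerably weakens container isolation. If the block is copied from the other service definitions so that systemd can run inside the container (the keycloak role does install a systemd unit), a short comment above `cap_add:` saying so would stop the next reader from trying to trim it; otherwise drop the capabilities Keycloak does not use and the three unconfined `security_opt` entries. With `hostname: master.keycloak.test` and the rest of the definition mirroring the other services, the default should be the same least-privilege set they have, not a superset.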
diff --git a/src/ansible/inventory.yml b/src/ansible/inventory.yml index 7c3a47cf..0bff1011 100644 --- a/src/ansible/inventory.yml +++ b/src/ansible/inventory.yml @@ -26,6 +26,9 @@ all: base_kdc: hosts: base-kdc + base_keycloak: + hosts: + base-keycloak base_ground: hosts: base-ground @@ -62,6 +65,10 @@ all: hosts: kdc.test: ansible_host: sssd-wip-kdc + keycloak: + hosts: + master.keycloak.test: + ansible_host: sssd-wip-keycloak vars: ansible_connection: podman ansible_python_interpreter: /usr/bin/python3 diff --git a/src/ansible/playbook_image_service.yml b/src/ansible/playbook_image_service.yml index 62473d74..882ccdb9 100644 --- a/src/ansible/playbook_image_service.yml +++ b/src/ansible/playbook_image_service.yml @@ -37,6 +37,11 @@ roles: - kdc +- hosts: master.keycloak.test + gather_facts: no + roles: + - keycloak + - hosts: services gather_facts: no roles: diff --git a/src/ansible/roles/common/tasks/main.yml b/src/ansible/roles/common/tasks/main.yml index a1bec872..6eeda250 100644 --- a/src/ansible/roles/common/tasks/main.yml +++ b/src/ansible/roles/common/tasks/main.yml @@ -90,3 +90,12 @@ - { src: 'ci.id_rsa', dest: 'id_rsa' } - { src: 'ci.id_rsa.pub', dest: 'authorized_keys' } - { src: 'ci.id_rsa.pub', dest: 'id_rsa.pub' } + +- name: Copy CA certificate to local pki anchors + copy: + src: /data/certs/ca.crt + dest: "{{ ca_trust_dir }}" + remote_src: yes + +- name: Update system CA trusts to pick up new certificate + command: "{{ ca_trust_update }}" diff --git a/src/ansible/roles/facts/tasks/Debian.yml b/src/ansible/roles/facts/tasks/Debian.yml index 5ece01c0..1ddf7eae 100644 --- a/src/ansible/roles/facts/tasks/Debian.yml +++ b/src/ansible/roles/facts/tasks/Debian.yml @@ -6,3 +6,5 @@ krb5kdc: krb5-kdc.service sshd: ssh.service passkey_support: No + ca_trust_dir: /etc/ssl/certs + ca_trust_update: update-ca-certificates diff --git a/src/ansible/roles/facts/tasks/Fedora.yml b/src/ansible/roles/facts/tasks/Fedora.yml index 4934d003..ecfbb043 100644 
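Review bot: The new `command: "{{ ca_trust_update }}"` task in roles/common runs unconditionally and therefore reports changed on every run; register the preceding copy (`register: ca_anchor`) and guard the update with `when: ca_anchor.changed`, or turn it into a handler the copy notifies, so the role stays idempotent. The copy also sets no `mode:`, so the anchor's permissions depend on how `remote_src: yes` copies `/data/certs/ca.crt`; an explicit `mode: 0644` guarantees the trust tooling (and non-root services) can read it.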
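Review bot: `ca_trust_dir: /etc/ssl/certs` for Debian is the output directory that `update-ca-certificates` writes into, not an input it reads, so the CA copied there by the common role is never included in the generated `ca-certificates.crt` bundle that most tools consume. The local-anchor input directory on Debian is `/usr/local/share/ca-certificates` (files must end in `.crt`, which `ca.crt` does), so the fact should read `ca_trust_dir: /usr/local/share/ca-certificates`. Until this is fixed, a Debian-based container that relies on the system bundle to verify `master.keycloak.test` will reject the Keycloak certificate even though the update command "succeeds".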
--- a/src/ansible/roles/facts/tasks/Fedora.yml +++ b/src/ansible/roles/facts/tasks/Fedora.yml @@ -8,3 +8,5 @@ buildroot: yes debuginfo: yes passkey_support: Yes + ca_trust_dir: /etc/pki/ca-trust/source/anchors/ + ca_trust_update: update-ca-trust diff --git a/src/ansible/roles/facts/tasks/Ubuntu.yml b/src/ansible/roles/facts/tasks/Ubuntu.yml index 838c05a1..b295debb 100644 --- a/src/ansible/roles/facts/tasks/Ubuntu.yml +++ b/src/ansible/roles/facts/tasks/Ubuntu.yml @@ -6,3 +6,5 @@ krb5kdc: krb5-kdc.service sshd: ssh.service passkey_support: Yes + ca_trust_dir: /etc/ssl/certs + ca_trust_update: update-ca-certificates diff --git a/src/ansible/roles/keycloak/defaults/main.yml b/src/ansible/roles/keycloak/defaults/main.yml new file mode 100644 index 00000000..5edac98d --- /dev/null +++ b/src/ansible/roles/keycloak/defaults/main.yml @@ -0,0 +1 @@ +base_url: https://github.com/keycloak/keycloak/releases/download diff --git a/src/ansible/roles/keycloak/tasks/main.yml b/src/ansible/roles/keycloak/tasks/main.yml new file mode 100644 index 00000000..b5d812d0 --- /dev/null +++ b/src/ansible/roles/keycloak/tasks/main.yml 
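Review bot: The Ubuntu facts have the same problem as the Debian ones: `/etc/ssl/certs` is where `update-ca-certificates` writes its output, so a certificate copied there is not added to the `ca-certificates.crt` bundle. Use the input directory instead, `ca_trust_dir: /usr/local/share/ca-certificates`, which is what the common role's copy task needs in order for the CA to actually become trusted on Ubuntu images.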
@@ -0,0 +1,118 @@ +- name: Get Keycloak latest version info + uri: + url: https://api.github.com/repos/keycloak/keycloak/releases/latest + method: GET + return_content: yes + status_code: 200 + body_format: json + register: result + +- name: Set keycloak_url fact + set_fact: + keycloak_url: "{{ base_url }}/{{ result.json.tag_name }}/keycloak-{{ result.json.tag_name }}.tar.gz" + +- name: Print keycloak_url + debug: + msg: "keycloak_url={{ keycloak_url }}" + +- name: Create Keycloak user/group + user: + name: keycloak + home: /opt/keycloak + system: yes + create_home: yes + +- name: Download software zipfile + get_url: + url: "{{ keycloak_url }}" + dest: /tmp/keycloak.tgz + +- name: Unzip software + unarchive: + remote_src: yes + src: /tmp/keycloak.tgz + dest: /opt/keycloak + owner: keycloak + group: keycloak + extra_opts: + - --strip-components=1 + +- name: Change ownership of files in /data/certs + file: + path: /data/certs/master.keycloak.test.key + mode: 0644 + +- name: Add CA certificate to keystore + shell: | + keytool -noprompt -import \ + -keystore /data/certs/master.keycloak.test.keystore \ + -file /data/certs/ca.crt \ + -alias ca.crt \ + -trustcacerts -storepass {{ service.keycloak.admin_password }} + args: + creates: /data/certs/master.keycloak.test.keystore + +- name: Add Keycloak certificate to keystore + shell: | + keytool -noprompt -import \ + -keystore /data/certs/master.keycloak.test.keystore \ + -file /data/certs/master.keycloak.test.crt \ + -alias master.keycloak.test.crt \ + -trustcacerts -storepass {{ service.keycloak.admin_password }} + +- name: Run build step for Keycloak + shell: | + su - keycloak -c ''' + export KEYCLOAK_ADMIN=admin + export KEYCLOAK_ADMIN_PASSWORD={{ service.keycloak.admin_password }} + export KC_HOSTNAME=$(hostname):8443 + export KC_HTTPS_CERTIFICATE_FILE=/data/certs/master.keycloak.test.crt + export KC_HTTPS_CERTIFICATE_KEY_FILE=/data/certs/master.keycloak.test.key + export 
KC_HTTPS_TRUST_STORE_FILE=/data/certs/master.keycloak.test.keystore + export KC_HTTPS_TRUST_STORE_PASSWORD={{ service.keycloak.admin_password }} + export KC_HTTP_RELATIVE_PATH=/auth + /opt/keycloak/bin/kc.sh build + ''' + +- name: Create Keycloak service env file + copy: + content: | + KEYCLOAK_ADMIN=admin + KEYCLOAK_ADMIN_PASSWORD={{ service.keycloak.admin_password }} + KC_HOSTNAME={{ inventory_hostname }} + KC_HTTPS_CERTIFICATE_FILE=/data/certs/master.keycloak.test.crt + KC_HTTPS_CERTIFICATE_KEY_FILE=/data/certs/master.keycloak.test.key + KC_HTTPS_TRUST_STORE_FILE=/data/certs/master.keycloak.test.keystore + KC_HTTPS_TRUST_STORE_PASSWORD={{ service.keycloak.admin_password }} + KC_HTTP_RELATIVE_PATH=/auth + dest: /etc/keycloak.env + +- name: Create systemd Keycloak service file + copy: + content: | + [Unit] + Description=Keycloak Server + After=network.target + + [Service] + Type=idle + EnvironmentFile=/etc/keycloak.env + + User=keycloak + Group=keycloak + ExecStart=/opt/keycloak/bin/kc.sh start + TimeoutStartSec=600 + TimeoutStopSec=600 + + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/keycloak.service + +- name: Reload systemd to pickup changes added for Keycloak + systemd: + daemon_reload: yes + +- name: Enable Keycloak service + systemd: + name: keycloak + enabled: yes diff --git a/src/ansible/roles/packages/tasks/Debian.yml b/src/ansible/roles/packages/tasks/Debian.yml index 24d6f5ef..23473ca8 100644 --- a/src/ansible/roles/packages/tasks/Debian.yml +++ b/src/ansible/roles/packages/tasks/Debian.yml 
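Review bot: The keycloak role resolves the release at image-build time from the GitHub `releases/latest` endpoint and fetches the tarball with no integrity check, so what lands in `ci-keycloak` is neither reproducible nor verified; pin the version (a `keycloak_version` and `keycloak_sha256` in defaults/main.yml) and pass `checksum:` to `get_url`, dropping the unauthenticated, rate-limited API call altogether. The task named "Change ownership of files in /data/certs" changes no ownership and sets `mode: 0644` on `master.keycloak.test.key`, leaving the TLS private key world-readable inside the image; the service runs as `keycloak`, so `owner: keycloak`, `group: keycloak`, `mode: 0600` is what it needs. `/etc/keycloak.env` is written with the default copy mode and carries `KEYCLOAK_ADMIN_PASSWORD` and the trust-store password, so it should get `mode: 0600` too. The second `keytool -import` has no `creates:`/`changed_when` guard, so re-running the role fails once the alias exists; it also imports the server's own leaf certificate into a *trust* store, which is unnecessary once `ca.crt` is there and can be removed.
```yaml
- name: Download pinned Keycloak release tarball
  get_url:
    url: "{{ base_url }}/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.tar.gz"
    dest: /tmp/keycloak.tgz
    checksum: "sha256:{{ keycloak_sha256 }}"
    mode: 0644

# … unchanged: unarchive into /opt/keycloak …

- name: Restrict access to the Keycloak TLS private key
  file:
    path: /data/certs/master.keycloak.test.key
    owner: keycloak
    group: keycloak
    mode: 0600

# … unchanged: CA import into the trust store, kc.sh build …

- name: Create Keycloak service env file
  copy:
    # … unchanged: content …
    dest: /etc/keycloak.env
    owner: keycloak
    group: keycloak
    mode: 0600
```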
@@ -85,6 +85,19 @@ - krb5-kdc when: "'base_kdc' in group_names" +- name: Install packages for Keycloak base image + block: + - name: Install Keycloak dependencies + apt: + state: present + update_cache: yes + name: + - openjdk-11-jre-headless + - openssl + - unzip + - ca-certificates + when: "'base_keycloak' in group_names" + - name: Install additional packages for client development image block: - name: Install SSSD build and integration tests dependencies diff --git a/src/ansible/roles/packages/tasks/Fedora.yml b/src/ansible/roles/packages/tasks/Fedora.yml index aca91869..d738bffe 100644 --- a/src/ansible/roles/packages/tasks/Fedora.yml +++ b/src/ansible/roles/packages/tasks/Fedora.yml @@ -142,6 +142,17 @@ when: passkey_support when: "'base_client' in group_names or 'base_ipa' in group_names" +- name: Install packages for Keycloak base image + block: + - name: Install Keycloak dependencies + dnf: + state: present + name: + - java-11-openjdk-headless + - openssl + - unzip + when: "'base_keycloak' in group_names" + - name: Install additional packages for client development image block: - name: Install SSSD build dependencies diff --git a/src/ansible/roles/packages/tasks/Ubuntu.yml b/src/ansible/roles/packages/tasks/Ubuntu.yml index fac0f644..ad6826f4 100644 --- a/src/ansible/roles/packages/tasks/Ubuntu.yml +++ b/src/ansible/roles/packages/tasks/Ubuntu.yml @@ -83,6 +83,19 @@ - krb5-kdc when: "'base_kdc' in group_names" +- name: Install packages for Keycloak base image + block: + - name: Install Keycloak dependencies + apt: + state: present + update_cache: yes + name: + - openjdk-11-jre-headless + - openssl + - unzip + - ca-certificates + when: "'base_keycloak' in group_names" + - name: Install additional packages for client development image block: - name: Install SSSD build and integration tests dependencies diff --git a/src/build.sh b/src/build.sh index a4e5a630..04ff1493 100755 --- a/src/build.sh +++ b/src/build.sh 
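Review bot: The Keycloak base images pin the runtime to OpenJDK 11 (`openjdk-11-jre-headless` here, `java-11-openjdk-headless` on Fedora) while the keycloak role installs whatever GitHub reports as the latest release, so the two can diverge silently; Keycloak's Java baseline has moved since this was written (I believe releases from 22 onward require Java 17), at which point `kc.sh build` fails during image creation. Either pin the Keycloak version in the role and keep the JRE matched to that release's documented requirement, or install the JRE version the chosen release needs. `unzip` is also listed on all three platforms, but the role downloads a `.tar.gz` and extracts it with `unarchive`, so the package is unused and can be dropped.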
@@ -5,17 +5,17 @@ # ============== # # original image -# |-----------------------------------------------------------------| -# | base-ground | -# |-----------------------------------------------------------------| -# | base-ldap | base-client | base-samba | base-nfs | base-kdc | -# |------------------------------------ |--------------|------------|------------| -# | base-ipa | | | | | | -# |------------| | | | | | -# | ipa | ldap | client | samba | nfs | kdc | -# | | |---------------| | | | -# | | | client-dev | | | | -# |------------|--------|---------------|--------------|------------|------------| +# |------------------------------------------------------------------------------------------------| +# | base-ground | +# |------------------------------------------------------------------------------------------------| +# | base-ldap | base-client | base-samba | base-nfs | base-keycloak | base-kdc | +# |------------------------------------ |--------------|------------|-----------------|------------| +# | base-ipa | | | | | | | +# |------------| | | | | | | +# | ipa | ldap | client | samba | nfs | keycloak | kdc | +# | | |---------------| | | | | +# | | | client-dev | | | | | +# |------------|--------|---------------|--------------|------------|-----------------|------------| trap "cleanup &> /dev/null || :" EXIT pushd $(realpath `dirname "$0"`) &> /dev/null @@ -50,7 +50,7 @@ function cleanup { } function compose { - docker-compose -f "../docker-compose.yml" -f "./docker-compose.build.yml" $@ + docker-compose -f "../docker-compose.yml" -f "../docker-compose.keycloak.yml" -f "./docker-compose.build.yml" $@ } function base_exec { @@ -121,6 +121,7 @@ if [ "$SKIP_BASE" == 'no' ]; then build_base_image "ci-base-ldap:${TAG}" base-ipa build_base_image "ci-base-ground:${TAG}" base-nfs build_base_image "ci-base-ground:${TAG}" base-kdc + build_base_image "ci-base-ground:${TAG}" base-keycloak fi # Create services 
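Review bot: The rewritten `compose` function still forwards its arguments as unquoted `$@`, so any argument containing whitespace or glob characters is re-split before it reaches docker-compose (ShellCheck SC2068); the line should end in `"$@"`: `docker-compose -f "../docker-compose.yml" -f "../docker-compose.keycloak.yml" -f "./docker-compose.build.yml" "$@"`. The three `-f` paths are already quoted, so this is the one remaining unquoted expansion on the changed line.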
@@ -133,6 +134,7 @@ build_service_image sssd-wip-ldap ldap build_service_image sssd-wip-samba samba build_service_image sssd-wip-nfs nfs build_service_image sssd-wip-kdc kdc +build_service_image sssd-wip-keycloak keycloak compose down # Create development images with additional packages diff --git a/src/docker-compose.build.yml b/src/docker-compose.build.yml index 53a986d8..22211d28 100644 --- a/src/docker-compose.build.yml +++ b/src/docker-compose.build.yml @@ -20,3 +20,6 @@ services: kdc: image: localhost/sssd/ci-base-kdc:${TAG} container_name: sssd-wip-kdc + keycloak: + image: localhost/sssd/ci-base-keycloak:${TAG} + container_name: sssd-wip-keycloak diff --git a/src/push.sh b/src/push.sh index 00efd033..3b0eb46e 100755 --- a/src/push.sh +++ b/src/push.sh 
@@ -5,17 +5,17 @@ # ============== # # original image -# |----------------------------------------------------| -# | base-ground | -# |----------------------------------------------------| -# | base-ldap | base-client | base-samba | -# |------------------------------------ |--------------| -# | base-ipa | | | | -# |------------| | | | -# | ipa | ldap | client | samba | -# | | |---------------| | -# | | | client-dev | | -# |------------|--------|---------------|--------------| +# |------------------------------------------------------------------------------------------------| +# | base-ground | +# |------------------------------------------------------------------------------------------------| +# | base-ldap | base-client | base-samba | base-nfs | base-keycloak | base-kdc | +# |------------------------------------ |--------------|------------|-----------------|------------| +# | base-ipa | | | | | | | +# |------------| | | | | | | +# | ipa | ldap | client | samba | nfs | keycloak | kdc | +# | | |---------------| | | | | +# | | | client-dev | | | | | +# |------------|--------|---------------|--------------|------------|-----------------|------------| trap "cleanup &> /dev/null || :" EXIT pushd $(realpath `dirname "$0"`) &> /dev/null @@ -59,6 +59,7 @@ push ci-base-ldap "$TAG" "$EXTRA_TAGS" push ci-base-samba "$TAG" "$EXTRA_TAGS" push ci-base-nfs "$TAG" "$EXTRA_TAGS" push ci-base-kdc "$TAG" "$EXTRA_TAGS" +push ci-base-keycloak "$TAG" "$EXTRA_TAGS" # Push service images push ci-dns latest "" @@ -69,3 +70,4 @@ push ci-ldap "$TAG" "$EXTRA_TAGS" push ci-samba "$TAG" "$EXTRA_TAGS" push ci-nfs "$TAG" "$EXTRA_TAGS" push ci-kdc "$TAG" "$EXTRA_TAGS" +push ci-keycloak "$TAG" "$EXTRA_TAGS" diff --git a/src/tools/gen-certs.sh b/src/tools/gen-certs.sh index f13e2c92..a70869d4 100755 --- a/src/tools/gen-certs.sh +++ b/src/tools/gen-certs.sh 
@@ -23,7 +23,7 @@ mkdir -p $OUT openssl req -new -x509 -days 7200 -config "$REQ_CONFIG" -subj "$SUBJECT/CN=ca" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" # Create certificates -for service in master.ldap.test dc.samba.test; do +for service in master.ldap.test dc.samba.test master.keycloak.test; do openssl req -new -config "$REQ_CONFIG" -subj "$SUBJECT/CN=$service" -keyout "$OUT/$service.key" -out "$OUT/$service.csr" openssl x509 -req -days 7200 -extfile "$X509_CONFIG" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial -in "$OUT/$service.csr" -out "$OUT/$service.crt" rm -f "$OUT/$service.csr" diff --git a/src/tools/gen-ssh-keys.sh b/src/tools/gen-ssh-keys.sh index 69a3317e..11ddde34 100755 --- a/src/tools/gen-ssh-keys.sh +++ b/src/tools/gen-ssh-keys.sh @@ -16,7 +16,7 @@ set -xe mkdir -p $OUT mkdir -p $OUT/hosts -for name in client ldap ipa samba nfs kdc; do +for name in client ldap ipa samba nfs kdc master.keycloak.test; do for type in ecdsa ed25519 rsa; do ssh-keygen -C "Well known key for sssd-ci." -t ecdsa -f "$OUT/hosts/$name.${type}_key" -N "" <<< y done
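Review bot: The certificates this loop produces carry no subjectAltName — the committed `master.keycloak.test.crt` decodes to only authorityKeyIdentifier, basicConstraints, keyUsage and subjectKeyIdentifier extensions, with the hostname present solely in the CN. Several current TLS stacks (Go since 1.15, Chromium, urllib3 2.x, among others) no longer fall back to CN matching, so a client in the test environment built on one of them will reject the Keycloak endpoint even with `ca.crt` trusted; Java's default hostname verifier still accepts CN-only certificates, which is why the server side itself works. Add a `subjectAltName = DNS:$service` entry to the extensions used for each service certificate (for example by generating a per-service extension section from `$X509_CONFIG` before the `openssl x509 -req` call) and regenerate the committed certificates.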
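Review bot: The inner loop still runs `ssh-keygen … -t ecdsa` for every `$type`, so the files added in this commit as `master.keycloak.test.ed25519_key` and `master.keycloak.test.rsa_key` are ECDSA keys — both `.pub` files begin with `ecdsa-sha2-nistp256`. Change the flag to `-t "$type"` so each HostKey file holds the algorithm its name (and presumably the sshd_config that references it) expects, then regenerate the three pairs. The new list entry is also the FQDN `master.keycloak.test` while the existing ones are short names (`client`, `kdc`); whichever form matches how the host-key files are consumed should be used consistently.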