forked from aerogearcatalog/keycloak-apb
-
Notifications
You must be signed in to change notification settings - Fork 0
/
provision-keycloak.yml
271 lines (237 loc) · 7.99 KB
/
provision-keycloak.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
- name: create persistent volume claim to copy the SPI provider
k8s_v1_persistent_volume_claim:
name: keycloak-metrics
state: present
namespace: '{{ namespace }}'
access_modes: [ReadWriteMany]
spec_resources_requests:
storage: 10M
register: create_volume_claim
- name: update_last_op
asb_last_operation:
description: "created pvc"
- name: create deployment config
openshift_v1_deployment_config:
name: keycloak
namespace: '{{ namespace }}'
labels:
app: keycloak
service: keycloak
name: keycloak
mobile: enabled
replicas: 1
selector:
app: keycloak
service: keycloak
spec_template_metadata_labels:
app: keycloak
service: keycloak
volumes:
- name: keycloak-metrics
persistent_volume_claim:
claim_name: keycloak-metrics
containers:
- env:
- name: KEYCLOAK_USER
value: '{{ ADMIN_NAME }}'
- name: KEYCLOAK_PASSWORD
value: '{{ ADMIN_PASSWORD }}'
- name: PROXY_ADDRESS_FORWARDING
value: 'true'
- name: POSTGRES_USER
value_from:
secret_key_ref:
name: '{{ postgres_secret_name }}'
key: database-user
- name: POSTGRES_PASSWORD
value_from:
secret_key_ref:
name: '{{ postgres_secret_name }}'
key: database-password
- name: POSTGRES_DATABASE
value_from:
secret_key_ref:
name: '{{ postgres_secret_name }}'
key: database-name
image: 'docker.io/jboss/keycloak-openshift:{{ keycloak_image_tag }}'
name: keycloak
ports:
- container_port: 8080
protocol: TCP
volume_mounts:
- mount_path: /opt/jboss/keycloak/providers/
name: keycloak-metrics
sub_path: providers/
- name: update_last_op
asb_last_operation:
description: "created keycloak deploymentconfig"
- name: create keycloak service
k8s_v1_service:
name: keycloak
namespace: '{{ namespace }}'
annotations:
# this only works with the custom JAR (SPI impl) https://github.com/aerogear/keycloak-metrics-spi
org.aerogear.metrics/plain_endpoint: /auth/realms/master/metrics
labels:
app: keycloak
service: keycloak
mobile: enabled
selector:
app: keycloak
service: keycloak
ports:
- name: web
port: 80
target_port: 8080
- name: update_last_op
asb_last_operation:
description: "created keycloak route"
- name: create keycloak http route
openshift_v1_route:
name: keycloak
namespace: '{{ namespace }}'
labels:
app: keycloak
service: keycloak
mobile: enabled
to_name: keycloak
spec_port_target_port: web
when: keycloak_protocol == 'http'
- name: create keycloak https route
openshift_v1_route:
name: keycloak
namespace: '{{ namespace }}'
labels:
app: keycloak
service: keycloak
mobile: enabled
tls_termination: edge
tls_insecure_edge_termination_policy: Redirect
to_name: keycloak
spec_port_target_port: web
when: keycloak_protocol == 'https'
- name: update_last_op
asb_last_operation:
description: "created keycloak route"
- name: "Retrieve route to keycloak"
shell: "oc get routes keycloak -n '{{ namespace }}' | grep -v NAME | awk '{print $2}'"
register: keycloak_route
- copy:
src: keycloak-metrics-spi-1.0-SNAPSHOT.jar
dest: /tmp/keycloak-metrics-spi-1.0-SNAPSHOT.jar
- shell: oc get pods --namespace {{ namespace }} --selector="deploymentconfig=keycloak" | awk 'NR > 1 {print $1}'
register: get_pods
- name: Copy jar into keycloaks metrics
shell: oc cp /tmp/keycloak-metrics-spi-1.0-SNAPSHOT.jar {{ namespace }}/{{ get_pods.stdout }}:/opt/jboss/keycloak/providers/
register: copy_jar
retries: 60
until: copy_jar.rc == 0
delay: 5
- name: "Generate keycloak auth token"
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username={{ ADMIN_NAME }}&password={{ ADMIN_PASSWORD }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 600
delay: 2
- name: Generate namespace specific realm
template:
src: namespace_realm.json.j2
dest: /tmp/namespace_realm.json
- name: "Create {{ namespace }} realm"
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/admin/realms"
method: POST
body: "{{ lookup('file','/tmp/namespace_realm.json') }}"
validate_certs: no
body_format: json
headers:
Authorization: "bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
- name: update_last_op
asb_last_operation:
description: "created new realm in keycloak"
-
name: Generate Username
shell: tr -d -c "a-zA-Z" < /dev/urandom | head -c 20
register: generated_username
-
name: Generate Password
shell: tr -d -c "a-zA-Z0-9" < /dev/urandom | head -c 20
register: generated_password
-
name: "Create {{ generated_username.stdout }} client in realm {{ namespace }}"
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/admin/realms/{{ namespace }}/clients"
method: POST
body: "{\"id\": \"{{ generated_username.stdout }}\", \"secret\": \"{{ generated_password.stdout }}\", \"redirectUris\":[\"http://localhost:*\"], \"webOrigins\":[\"http://localhost:8100\"] }"
validate_certs: no
body_format: json
headers:
Authorization: "bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
- name: update_last_op
asb_last_operation:
description: "created public client in keycloak realm"
-
name: "Create {{ generated_username.stdout }}-bearer client in realm {{ namespace }}"
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/admin/realms/{{ namespace }}/clients"
method: POST
body: "{\"id\": \"{{ generated_username.stdout }}-bearer\", \"secret\": \"{{ generated_password.stdout }}\",\"bearerOnly\":true}"
validate_certs: no
body_format: json
headers:
Authorization: "bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
-
name: Get installation details bearer
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/admin/realms/{{ namespace }}/clients/{{ generated_username.stdout }}-bearer/installation/providers/keycloak-oidc-keycloak-json"
method: GET
validate_certs: no
headers:
Authorization: "bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 200
return_content: yes
register: installation_bearer
-
name: Get installation details
uri:
url: "{{ keycloak_protocol }}://{{ keycloak_route.stdout }}/auth/admin/realms/{{ namespace }}/clients/{{ generated_username.stdout }}/installation/providers/keycloak-oidc-keycloak-json"
method: GET
validate_certs: no
headers:
Authorization: "bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 200
return_content: yes
register: installation_text
- set_fact: installation="{{ installation_text.content | from_json }}"
- name: Create client config from template
template:
src: installation.json.j2
dest: /tmp/installation.json
- name: Retrieve client config
shell: cat /tmp/installation.json
register: installation_text
- set_fact: installation="{{ installation_text.stdout | from_json }}"
- set_fact: installationbearer="{{ installation_bearer.content | from_json }}"
- name: Create keycloak bearer client template
template:
src: secret.yml.j2
dest: /tmp/secret.yaml
- name: Create keycloak public client secret
shell: oc create -f /tmp/secret.yaml -n {{ namespace }}
- name: update_last_op
asb_last_operation:
description: "created client config"
- name: delete secret template file
file: path=/tmp/secret.yaml state=absent
- name: encode admin user credentials
asb_encode_binding:
fields:
ADMIN_NAME: "{{ ADMIN_NAME }}"
ADMIN_PASSWORD: "{{ ADMIN_PASSWORD }}"