openstack-k8s-operators
diff --git a/‎docs/dictionary/en-custom.txt‎
Lines changed: 3 additions & 0 deletions b/‎docs/dictionary/en-custom.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎hooks/playbooks/federation-controlplane-config.yml‎
Lines changed: 8 additions & 108 deletions b/‎hooks/playbooks/federation-controlplane-config.yml‎
Lines changed: 8 additions & 108 deletions
diff --git a/‎hooks/playbooks/federation-horizon-controlplane-config.yml‎
Lines changed: 8 additions & 40 deletions b/‎hooks/playbooks/federation-horizon-controlplane-config.yml‎
Lines changed: 8 additions & 40 deletions
diff --git a/‎hooks/playbooks/federation-multirealm-controlplane-config.yml‎
Lines changed: 18 additions & 0 deletions b/‎hooks/playbooks/federation-multirealm-controlplane-config.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎hooks/playbooks/federation-post-deploy.yml‎
Lines changed: 6 additions & 15 deletions b/‎hooks/playbooks/federation-post-deploy.yml‎
Lines changed: 6 additions & 15 deletions
diff --git a/‎hooks/playbooks/federation-pre-deploy.yml‎
Lines changed: 6 additions & 15 deletions b/‎hooks/playbooks/federation-pre-deploy.yml‎
Lines changed: 6 additions & 15 deletions
@@ -389,6 +389,7 @@ nwy
 nzgdh
 oauth
 observability
+oidc
 oc
 ocp
 ocpbm
@@ -399,6 +400,7 @@ ol
 olm
 oob
 opendev
+openid
 openrc
 openscap
 openshift
@@ -617,6 +619,7 @@ vvvv
 vxlan
 vynxgdagahaac
 vzcg
+websso
 wget
 whitebox
 wljewmdozmzawlzasdje
 
@@ -2,117 +2,17 @@
 - name: Create kustomization to update Keystone to use Federation
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
-    - name: Set urls for install type uni
+    - name: Set uni domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_domain: "apps.ocp.openstack.lab"
       when: cifmw_federation_deploy_type == "uni"
 
-    - name: Set urls for install type crc
+    - name: Set crc domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+        cifmw_federation_domain: "apps-crc.testing"
       when: cifmw_federation_deploy_type == "crc"
 
-    - name: Create file to customize keystone for Federation resources deployed in the control plane
-      ansible.builtin.copy:
-        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
-        content: |-
-          apiVersion: kustomize.config.k8s.io/v1beta1
-          kind: Kustomization
-          resources:
-          - namespace: {{ namespace }}
-          patches:
-          - target:
-              kind: OpenStackControlPlane
-              name: .*
-            patch: |-
-              - op: add
-                path: /spec/tls
-                value: {}
-              - op: add
-                path: /spec/tls/caBundleSecretName
-                value: keycloakca
-              - op: add
-                path: /spec/keystone/template/httpdCustomization
-                value:
-                  customConfigSecret: keystone-httpd-override
-              - op: add
-                path: /spec/keystone/template/customServiceConfig
-                value: |
-                  [DEFAULT]
-                  insecure_debug=true
-                  debug=true
-                  [federation]
-                  trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
-                  sso_callback_template=/etc/keystone/sso_callback_template.html
-                  [openid]
-                  remote_id_attribute=HTTP_OIDC_ISS
-                  [auth]
-                  methods = password,token,oauth1,mapped,application_credential,openid
-        mode: "0644"
-
-    - name: Get ingress operator CA cert
-      ansible.builtin.slurp:
-        src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}"
-      register: federation_sso_ca
-
-    - name: Add Keycloak CA secret
-      kubernetes.core.k8s:
-        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
-        state: present
-        definition:
-          apiVersion: v1
-          kind: Secret
-          type: Opaque
-          metadata:
-            name: keycloakca
-            namespace: "openstack"
-          data:
-            KeyCloakCA: "{{ federation_sso_ca.content }}"
-
-    - name: Create Keystone httpd override secret for Federation
-      kubernetes.core.k8s:
-        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
-        state: present
-        definition:
-          apiVersion: v1
-          kind: Secret
-          metadata:
-            name: keystone-httpd-override
-            namespace: openstack
-          type: Opaque
-          stringData:
-            federation.conf: |
-              OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
-              OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
-              OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
-              OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
-              OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
-              OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
-              OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
-              OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
-              OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
-              OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
-              OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
-              OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
-              OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
-              OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso/"
-              LogLevel debug
-
-              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
-                AuthType "openid-connect"
-                Require valid-user
-              </LocationMatch>
-
-              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/auth">
-                AuthType oauth20
-                Require valid-user
-              </Location>
-
-              <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
-                AuthType "openid-connect"
-                Require valid-user
-              </LocationMatch>
+    - name: Run SSO controlplane setup
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: hook_controlplane_config.yml
@@ -2,49 +2,17 @@
 - name: Create kustomization to update Horizon to use Federation
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
-    - name: Set urls for install type uni
+    - name: Read uni vars from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_domain: "apps.ocp.openstack.lab"
       when: cifmw_federation_deploy_type == "uni"
 
-    - name: Set urls for install type crc
+    - name: Read crc vars from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+        cifmw_federation_domain: "apps-crc.testing"
       when: cifmw_federation_deploy_type == "crc"
 
-    - name: Create file to customize horizon for Federation resources deployed in the control plane
-      ansible.builtin.copy:
-        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/horizon_federation.yaml"
-        mode: preserve
-        content: |-
-          apiVersion: kustomize.config.k8s.io/v1beta1
-          kind: Kustomization
-          resources:
-          - namespace: {{ namespace }}
-          patches:
-          - target:
-              kind: OpenStackControlPlane
-              name: .*
-            patch: |-
-              - op: add
-                path: /spec/horizon/enabled
-                value: true
-              - op: add
-                path: /spec/horizon/template/memcachedInstance
-                value: memcached
-              - op: add
-                path: /spec/horizon/template/customServiceConfig
-                value: |
-                  OPENSTACK_KEYSTONE_URL = "{{ cifmw_federation_keystone_url }}/v3"
-                  WEBSSO_ENABLED = True
-                  WEBSSO_CHOICES = (
-                    ("credentials", _("Keystone Credentials")),
-                    ("OIDC", _("OpenID Connect")),
-                  )
-                  WEBSSO_IDP_MAPPING = {
-                    "OIDC": ("{{ cifmw_keystone_OIDC_provider_name }}", "openid"),
-                  }
+    - name: Run SSO MultiRealm controlplane setup
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: hook_horizon_controlplane_config.yml
@@ -0,0 +1,18 @@
+---
+- name: Create kustomization to update Keystone to use MultiRealm Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Set uni domain name var from federation role
+      ansible.builtin.set_fact:
+        cifmw_federation_domain: "apps.ocp.openstack.lab"
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set crc domain name var from federation role
+      ansible.builtin.set_fact:
+        cifmw_federation_domain: "apps-crc.testing"
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run SSO MultiRealm controlplane setup
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: hook_multirealm_controlplane_config.yml
@@ -18,26 +18,17 @@
   hosts: "{{ cifmw_target_host | default('localhost') }}"
   gather_facts: true
   tasks:
-    - name: Set urls for install type uni
+    - name: Set uni domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_domain: "apps.ocp.openstack.lab"
       when: cifmw_federation_deploy_type == "uni"
 
-    - name: Set urls for install type crc
+    - name: Set crc domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+        cifmw_federation_domain: "apps-crc.testing"
       when: cifmw_federation_deploy_type == "crc"
 
-    - name: Run federation setup on OSP
+    - name: Run federation post hook setup on OSP
       ansible.builtin.import_role:
         name: federation
-        tasks_from: run_openstack_setup.yml
-
-    - name: Run federation OSP User Auth test
-      ansible.builtin.import_role:
-        name: federation
-        tasks_from: run_openstack_auth_test.yml
+        tasks_from: hook_post_deploy.yml
@@ -18,26 +18,17 @@
   hosts: "{{ cifmw_target_host | default('localhost') }}"
   gather_facts: true
   tasks:
-    - name: Set urls for install type uni
+    - name: Set uni domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_domain: "apps.ocp.openstack.lab"
       when: cifmw_federation_deploy_type == "uni"
 
-    - name: Set urls for install type crc
+    - name: Set crc domain name var from federation role
       ansible.builtin.set_fact:
-        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
-        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
-        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+        cifmw_federation_domain: "apps-crc.testing"
       when: cifmw_federation_deploy_type == "crc"
 
-    - name: Run SSO pod setup on Openshift
+    - name: Run SSO pre deploy setup
       ansible.builtin.import_role:
         name: federation
-        tasks_from: run_keycloak_setup.yml
-
-    - name: Run SSO realm setup for OSP
-      ansible.builtin.import_role:
-        name: federation
-        tasks_from: run_keycloak_realm_setup.yml
+        tasks_from: hook_pre_deploy.yml