#580 Deploy Red Hat SSO

automation-generators/generic/openshift_redhat_sso/main.yaml

@@ -0,0 +1 @@
+---

automation-generators/generic/openshift_redhat_sso/preprocessor.py

@@ -0,0 +1,18 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# openshift_sso:
+# - openshift_cluster_name: {{ env_id }}
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+    g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+    g('openshift_cluster_name').isRequired()
+
+    result = {
+        'attributes_updated': g.getExpandedAttributes(),
+        'errors': g.getErrors()
+    }
+    return result

automation-roles/40-configure-infra/configure-openshift/tasks/main.yml

@@ -21,6 +21,19 @@
   vars:
     _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
 
+- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role:
+    name: prepare-openshift-storage
+  loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
+  loop_control:
+    loop_var: current_openshift_storage
+
+- name: Configure Multi-Cloud Object Gateway
+  include_role:
+    name: openshift-mcg
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
+
 - name: OpenShift Advanced Data Protection operator
   include_role:
     name: openshift-adp
@@ -45,6 +58,10 @@
   vars:
     _p_upstream_dns: "{{ current_openshift_cluster.upstream_dns | default([]) }}"
 
+- name: Configure Red Hat SSO for OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role:
+    name: openshift-redhat-sso
+
 - name: Configure logging for OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
     name: openshift-logging
@@ -53,19 +70,6 @@
   include_role:
     name: openshift-monitoring
 
-- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
-  include_role:
-    name: prepare-openshift-storage
-  loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
-  loop_control:
-    loop_var: current_openshift_storage
-
-- name: Configure Multi-Cloud Object Gateway
-  include_role:
-    name: openshift-mcg
-  vars:
-    _p_openshift_cluster: "{{ current_openshift_cluster }}"
-
 - name: Configure GPU for the OpenShift cluster
   include_role:
     name: openshift-gpu

automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloak.yml

@@ -0,0 +1,23 @@
+---
+- name: Generate yaml for Keycloak {{ _current_keycloak.name }}
+  template:
+    src: redhat-sso-keycloak.j2
+    dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml"
+
+- name: Create Keycloak from YAML file {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-{{ _current_keycloak.name }}-keycloak.yaml
+
+- name: Wait until Keycloak {{ _current_keycloak.name }} is ready
+  shell: |
+    oc get Keycloak -n {{ _v_redhat_sso_project }} {{ _current_keycloak.name }} \
+      -o jsonpath='{.status.ready}'
+  register: _keycloak_status
+  retries: 30
+  delay: 30
+  until: (_keycloak_status.stdout | lower) == "true"
+  vars:
+    ansible_callback_diy_runner_retry_msg: >-
+      {%- set result = ansible_callback_diy.result.output -%}
+      {%- set retries_left = result.retries - result.attempts -%}
+      Retrying: {{ ansible_callback_diy.task.name }} ({{ retries_left }} Retries left) ...

automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-keycloaks.yml

@@ -0,0 +1,6 @@
+---
+- name: Provision Keycloak CRs
+  include_tasks: configure-keycloak.yml
+  loop: "{{ _p_openshift_redhat_sso.keycloak | default([]) }}"
+  loop_control:
+    loop_var: _current_keycloak

automation-roles/40-configure-infra/openshift-redhat-sso/tasks/configure-openshift-redhat-sso.yml

@@ -0,0 +1,44 @@
+---
+- name: Generate yaml for redhat-sso namespace
+  template:
+    src: redhat-sso-namespace.j2
+    dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-namespace.yaml"
+- name: Create redhat-sso namespace
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-namespace.yaml
+
+- name: Generate yaml for Red Hat SSO operator group
+  template:
+    src: redhat-sso-operatorgroup.j2
+    dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-operatorgroup.yaml"
+
+- name: Create redhat-sso operatorgroup
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-operatorgroup.yaml
+
+- name: Generate yaml for Red Hat SSO subscription
+  template:
+    src: redhat-sso-subscription.j2
+    dest: "{{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-subscription.yaml"
+
+- name: Create redhat-sso operator
+  shell: |
+    oc apply -f {{ status_dir }}/openshift/{{ current_openshift_cluster.name }}-redhat-sso-subscription.yaml
+
+# Wait until subscription has been successfully created
+- name: Wait until Red Hat SSO has status Succeeded
+  shell: |
+    oc get csv -n {{ _v_redhat_sso_project }} \
+      -l operators.coreos.com/rhsso-operator.redhat-sso \
+      --no-headers \
+      -o custom-columns='name:metadata.name,phase:status.phase' | \
+      grep -i succeeded | wc -l
+  register: _redhat_sso_csv_status
+  retries: 30
+  delay: 30
+  until: _redhat_sso_csv_status.stdout == "1"
+  vars:
+    ansible_callback_diy_runner_retry_msg: >-
+      {%- set result = ansible_callback_diy.result.output -%}
+      {%- set retries_left = result.retries - result.attempts -%}
+      Retrying: {{ ansible_callback_diy.task.name }} ({{ retries_left }} Retries left) ...

automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- set_fact:
+    _p_openshift_redhat_sso: {}
+
+- when: "all_config.openshift_redhat_sso is defined"
+  block:
+  - debug:
+      var: all_config.openshift_redhat_sso
+  - set_fact:
+      _p_openshift_redhat_sso: "{{ all_config.openshift_redhat_sso | json_query(query) | first | default({}) }}"
+    vars:
+      query: >-
+        [?openshift_cluster_name=='{{ current_openshift_cluster.name }}']
+  - name: Show OpenShift Red Hat SSO for current cluster
+    debug:
+      var: _p_openshift_redhat_sso
+
+- include_tasks: configure-openshift-redhat-sso.yml
+  when: _p_openshift_redhat_sso != {}
+
+- include_tasks: configure-keycloaks.yml
+  when: _p_openshift_redhat_sso != {}

automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-keycloak.j2

@@ -0,0 +1,16 @@
+---
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+  name: {{ _current_keycloak.name }}
+  labels:
+    app: sso
+  namespace: {{ _v_redhat_sso_project }}
+spec:
+  externalAccess:
+    enabled: true
+  keycloakDeploymentSpec:
+    imagePullPolicy: Always
+  postgresDeploymentSpec:
+    imagePullPolicy: Always
+  instances: 1

automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-namespace.j2

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ _v_redhat_sso_project }}
+  annotations:
+    openshift.io/node-selector: ""

automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-operatorgroup.j2

@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: redhat-sso-og
+  namespace: {{ _v_redhat_sso_project }}
+spec:
+  targetNamespaces:
+  - {{ _v_redhat_sso_project }}

automation-roles/40-configure-infra/openshift-redhat-sso/templates/redhat-sso-subscription.j2

@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: redhat-sso
+  namespace: {{ _v_redhat_sso_project }}
+spec:
+  channel: stable
+  name: rhsso-operator
+  source: redhat-operators 
+  sourceNamespace: openshift-marketplace
+  installPlanApproval: Automatic

automation-roles/40-configure-infra/openshift-redhat-sso/vars/main.yml

@@ -0,0 +1 @@
+_v_redhat_sso_project: redhat-sso