Merge "Add Keycloak setup to featureset039"

openstack-archive · Jan 3, 2020 · 7d15b24 · 7d15b24
2 parents 2774c32 + 98d7a4a
commit 7d15b24
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 1 deletion.
diff --git a/config/general_config/featureset039.yml b/config/general_config/featureset039.yml
@@ -185,3 +185,46 @@ supplemental_image_url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64
 undercloud_custom_env_files: "{{ working_dir }}/undercloud-parameter-defaults.yaml"
 undercloud_resource_registry_args:
   "OS::TripleO::Undercloud::Net::SoftwareConfig": "{{ undercloud_templates_path }}/net-config-undercloud.yaml"
+
+### Keycloak IdP ###
+
+# Turn on federation support
+enable_federation: true
+
+# For simplicity in development and testing scenarios share the admin
+# password with IPA. Do not do this in a production environment!
+keycloak_admin_password: "{{ freeipa_admin_password }}"
+
+# Locate the Keycloak cert/key on the supplemental node, this offers
+# the potential for certmonger to manage cert renewal and simplifies
+# obtaining the cert from IPA.
+keycloak_tls_files_on_target: true
+
+# Download the keycloak archive directly to the supplemental node as
+# opposed to caching it on the host running oooq which then incurs the
+# penalty of Ansible unpacking it over a (typically) slow SSH connection.
+keycloak_archive_on_target: true
+
+# Both the PKI certificate server in IPA and Keycloak default their
+# http and https port to 8080 and 8443 respectively. Because IPA is
+# installed first ports 8080 and 8443 are already in use, bump the
+# Keycloak ports by 1 to avoid port conflicts.
+keycloak_http_port: 8081
+keycloak_https_port: 8444
+
+# IPA installs first on the supplemental and does not enable the
+# firewall. If keycloak were to install later and enabled the
+# firewall opening only the Keycloak ports then the IPA ports would
+# be blocked. Therefore turn off Keycloak's configuration of the
+# firewall. The IPA install should enable the firewall but when this
+# was attempted a bug in Ansible prevented it from working. If the IPA
+# install gains the ability to enable the firewall then
+# keycloak_configure_firewall should be turned on.
+keycloak_configure_firewall: false
+
+# Limit the JVM max heap size to 512 MB
+keycloak_java_opts: "-Xms64m -Xmx512m"
+
+# Extend the CLI connect timeout to account for slow startup of Keycloak
+# with our small heap size.
+keycloak_jboss_config_connect_timeout: 90000
diff --git a/quickstart-extras-requirements.txt b/quickstart-extras-requirements.txt
@@ -5,3 +5,8 @@ git+https://opendev.org/openstack/openstack-ansible-os_tempest/#egg=openstack-an
 git+https://opendev.org/openstack/ansible-role-python_venv_build/#egg=ansible-role-python_venv_build
 git+https://opendev.org/openstack/ansible-config_template/#egg=ansible-config_template
 git+https://opendev.org/openstack/ansible-role-collect-logs/#egg=ansible-role-collect-logs
+# let's experiment with an alternative method to include the role
+# See:
+# https://review.opendev.org/673926
+# https://review.rdoproject.org/r/21670
+# git+https://github.com/nkinder/ansible-keycloak
diff --git a/roles/libvirt/setup/supplemental/templates/tls_everywhere_provisioner.sh.j2 b/roles/libvirt/setup/supplemental/templates/tls_everywhere_provisioner.sh.j2
@@ -88,7 +88,7 @@ virsh vol-upload --pool $POOL_NAME $IMG_NAME $VMIMGIPA
 virt-install \
     --import \
     --name ipa \
-    --ram 8086 \
+    --ram 10240 \
     --disk path=$VOL_IMG_PATH,format=qcow2 \
     --vcpus 4 \
     --os-type linux \