add keycloak

2024-05-06 03:00:10 +03:00
parent 14c3ebe2cc
commit 3ac1b27b4c
6 changed files with 244 additions and 3 deletions
--- a/roles/keycloak/tasks/main.yaml
+++ b/roles/keycloak/tasks/main.yaml
@ -0,0 +1,96 @@
+- name: Import secret.yaml to obtain secrets
+  include_tasks: secrets.yaml
+  when:
+    - keycloak_use_external_db
+    - postgres_enabled is defined and postgres_enabled
+
+- set_fact:
+    keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values, recursive=true) }}"
+
+- name: Deploy Keycloak
+  kubernetes.core.helm:
+    release_namespace: "{{ keycloak_namespace | default(namespace) }}"
+    release_name: "{{ keycloak_name | default('keycloak') }}"
+    chart_ref: "{{ keycloak_chart_ref }}"
+    chart_version: "{{ keycloak_version | default(omit) }}"
+    release_values: "{{ keycloak_combined_values | from_yaml }}"
+
+- name: Wait Keycloak until HTTP status is 200
+  uri:
+    url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    return_content: yes
+    validate_certs: no
+    status_code:
+      - 200
+  until: uri_output.status == 200
+  retries: 24 # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
+  delay: 5 # Every 5 seconds
+  register: uri_output
+
+- name: Create or update Keycloak client, authentication with credentials
+  community.general.keycloak_client:
+    client_id: admin-cli
+    auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    state: present
+- name: Create or update Keycloak realms
+  community.general.keycloak_realm:
+    auth_client_id: admin-cli
+    auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    id: "{{ item.id }}"
+    realm: "{{ item.realm }}"
+    state: "{{ item.state | default('present') }}"
+    enabled: "{{ item.enabled | default(true) }}"
+  loop: "{{ keycloak_realms }}"
+- name: Create or update Keycloak clients
+  community.general.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    client_id: "{{ item.client_id + '-public' if item.public_client else item.client_id }}"
+    realm: "{{ item.realm }}"
+    name: "{{ \"'${client_\" + item.client_id + \"'\" if item.public_client else \"'${client_\" + item.client_id + \"_public'\" }}"
+    protocol: openid-connect
+    public_client: "{{ item.public_client | default(false) }}"
+    standard_flow_enabled: "{{ item.standard_flow_enabled | default(true) }}"
+    implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(true) }}"
+    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(true) }}"
+    state: "{{ item.state | default('present') }}"
+    protocol_mappers: "{{ keycloak_clients_default_protocol_mappings }}"
+  loop: "{{ keycloak_clients }}"
+- name: Create Keycloak groups
+  community.general.keycloak_group:
+    auth_client_id: admin-cli
+    auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ item.realm }}"
+    name: "{{ item.name }}"
+    state: "{{ item.state | default('present') }}"
+  loop: "{{ keycloak_groups }}"
+- name: Create Keycloak users
+  community.general.keycloak_user:
+    auth_client_id: admin-cli
+    auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
+    auth_realm: master
+    auth_username: admin
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ item.realm }}"
+    state: "{{ item.state | default('present') }}"
+    username: "{{ item.username }}"
+    firstName: "{{ item.firstName }}"
+    lastName: "{{ item.lastName }}"
+    email: "{{ item.email | default( item.username + '@' + domain) }}"
+    enabled: "{{ item.enabled | default(true) }}"
+    emailVerified: "{{ item.emailVerified | default(true) }}"
+    credentials: "{{ item.credentials }}"
+    groups: "{{ item.groups }}"
+  loop: "{{ keycloak_users }}"
--- a/roles/keycloak/tasks/secrets.yaml
+++ b/roles/keycloak/tasks/secrets.yaml
@ -0,0 +1,25 @@
+- block:
+  - name: Set DB namespace for secret lookup
+    set_fact:
+      db_namespace: "{{ keycloak_db_namespace | default(postgres_db_namespace) | default(postgres_namespace) | default(postgres_operator_namespace) | default(namespace) }}"
+
+  - name: Set DB secret name for lookup
+    set_fact:
+      db_secret_name: "keycloak.{{ postgres_db_team | default(namespace) }}-postgres.credentials.postgresql.acid.zalan.do"
+
+  - name: Lookup Keycloak DB secret
+    set_fact:
+      keycloak_db_secret: "{{ lookup('k8s', kind='Secret', namespace=db_namespace, resource_name=db_secret_name) }}"
+
+  - debug:
+      msg: "{{ keycloak_db_secret }}"
+      verbosity: 2
+
+  - name: Set Keycloak DB username
+    set_fact:
+      keycloak_db_username: "{{ keycloak_db_secret.data.username | b64decode }}"
+
+  - name: Set Keycloak DB password
+    set_fact:
+      keycloak_db_password: "{{ keycloak_db_secret.data.password | b64decode }}"
+