Merge pull request #683 from IBM/redhat-sso

Implement demo LDAP and IdP
IBM · Jun 7, 2024 · 94143f2 · 94143f2
2 parents f826be8 + 4b75933
commit 94143f2
Show file tree

Hide file tree

Showing 103 changed files with 2,597 additions and 1,035 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,6 @@
 # Container image including olm-utils
 ARG CPD_OLM_UTILS_V2_IMAGE
 
-FROM registry.access.redhat.com/ubi8/ubi
-
 FROM ${CPD_OLM_UTILS_V2_IMAGE}
 
 LABEL authors="Arthur Laimbock, \

diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
@@ -1,8 +1,6 @@
 # Container image including olm-utils
 ARG CPD_OLM_UTILS_V2_IMAGE
 
-FROM registry.access.redhat.com/ubi8/ubi
-
 FROM ${CPD_OLM_UTILS_V2_IMAGE}
 
 LABEL authors="Arthur Laimbock, \

diff --git a/...on-generators/generic/cp4d_role/main.yaml → ...enerators/generic/demo_openldap/main.yaml b/...on-generators/generic/cp4d_role/main.yaml → ...enerators/generic/demo_openldap/main.yaml
diff --git a/automation-generators/generic/demo_openldap/preprocessor.py b/automation-generators/generic/demo_openldap/preprocessor.py
@@ -0,0 +1,19 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# openshift_sso:
+# - openshift_cluster_name: {{ env_id }}
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+    g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
+    g('state').isRequired()
+
+    result = {
+        'attributes_updated': g.getExpandedAttributes(),
+        'errors': g.getErrors()
+    }
+    return result
diff --git a/...c/cp4d_user_group_configuration/main.yaml → ...rs/generic/openshift_redhat_sso/main.yaml b/...c/cp4d_user_group_configuration/main.yaml → ...rs/generic/openshift_redhat_sso/main.yaml
diff --git a/automation-generators/generic/openshift_redhat_sso/preprocessor.py b/automation-generators/generic/openshift_redhat_sso/preprocessor.py
@@ -0,0 +1,18 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# openshift_sso:
+# - openshift_cluster_name: {{ env_id }}
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+    g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
+
+    result = {
+        'attributes_updated': g.getExpandedAttributes(),
+        'errors': g.getErrors()
+    }
+    return result
diff --git a/automation-generators/generic/zen_access_control/main.yaml b/automation-generators/generic/zen_access_control/main.yaml
@@ -0,0 +1 @@
+---
diff --git a/automation-generators/generic/zen_access_control/preprocessor.py b/automation-generators/generic/zen_access_control/preprocessor.py
@@ -0,0 +1,64 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# zen_access_control:
+# - project: cpd
+#   openshift_cluster_name: "{{ env_id }}"
+#   keycloak_name: cp-keycloak
+#   user_groups:
+#   - name: cp4d-admins
+#     description: Cloud Pak for Data Administrators
+#     roles:
+#     - zen_administrator_role
+#     keycloak_groups:
+#     - kc-cp4d-admins
+#   - name: cp4d-data-engineers
+#     description: Cloud Pak for Data Data Engineers
+#     roles:
+#     - zen_user_role
+#     keycloak_groups:
+#     - kc-cp4d-data-engineers
+#   - name: cp4d-data-scientists
+#     description: Cloud Pak for Data Data Scientists
+#     roles:
+#     - zen_user_role
+#     keycloak_groups:
+#     - kc-cp4d-data-scientists
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+    g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
+    g('project').expandWith('cp4d[*]',remoteIdentifier='project')
+    g('user_groups').isRequired()
+
+    # Now that we have reached this point, we can check the attribute details if the previous checks passed
+    if len(g.getErrors()) == 0:
+        fc = g.getFullConfig()
+        ge=g.getExpandedAttributes()
+
+        if 'keycloak_name' in ge and 'demo_openldap_name' in ge:
+             g.appendError(msg="If keycloak_name is defined, demo_openldap_name must not be defined. You cannot reference more than 1 external IdP.")
+
+        for user_group in ge['user_groups']:
+            if 'name' not in user_group:
+                g.appendError(msg="The name attribute is mandatory for each user_group")
+
+            if 'roles' not in user_group:
+                g.appendError(msg="The roles attribute is mandatory for each user_group")
+            elif not (isinstance(user_group['roles'], list)):
+                g.appendError(msg="Every user group must have at least one role")
+
+            if 'keycloak_groups' in user_group and 'keycloak_name' not in ge:
+                g.appendError(msg="If keycloak_groups are defined, the zen_access_control must reference a keycloak_name")
+
+            if 'ldap_groups' in user_group and 'demo_openldap_name' not in ge:
+                g.appendError(msg="If ldap_groups are defined, the zen_access_control must reference a demo_openldap_name")
+
+    result = {
+        'attributes_updated': g.getExpandedAttributes(),
+        'errors': g.getErrors()
+    }
+    return result
diff --git a/automation-generators/generic/zen_role/main.yaml b/automation-generators/generic/zen_role/main.yaml
@@ -0,0 +1 @@
+---
diff --git a/...erators/generic/cp4d_role/preprocessor.py → ...nerators/generic/zen_role/preprocessor.py b/...erators/generic/cp4d_role/preprocessor.py → ...nerators/generic/zen_role/preprocessor.py
@@ -3,7 +3,7 @@
 
 # Validating:
 # ---
-# cp4d_role:
+# zen_role:
 # - project: cpd
 #   openshift_cluster_name: {{ env_id }}
 #   name: My Test Role
@@ -17,19 +17,22 @@
 def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
     g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
 
-    g('openshift_cluster_name').isRequired()
-    g('project').isRequired()
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
+    g('project').expandWith('cp4d[*]',remoteIdentifier='project')
     g('name').isRequired()
-    g('state').isRequired()
+    g('state').mustBeOneOf(['installed', 'removed'])
     g('description').isRequired()
     g('permissions').isRequired()
 
     # Now that we have reached this point, we can check the attribute details if the previous checks passed
     if len(g.getErrors()) == 0:
         ge=g.getExpandedAttributes()
 
+        if not (isinstance(ge['permissions'], list)):
+            g.appendError(msg="Every role must at least have 1 permission")
+
         if ge['state'] not in ['installed','removed']:
-            g.appendError(msg='cp4d_role state must be "installed" or "removed"')
+            g.appendError(msg='zen_role state must be "installed" or "removed"')
 
     result = {
         'attributes_updated': g.getExpandedAttributes(),

diff --git a/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml b/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml
@@ -21,6 +21,25 @@
   vars:
     _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
 
+- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role:
+    name: prepare-openshift-storage
+  loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
+  loop_control:
+    loop_var: current_openshift_storage
+
+- name: Get OpenShift storage classes to use for OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role: 
+    name: get-openshift-storage
+  vars:
+    _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
+
+- name: Configure Multi-Cloud Object Gateway
+  include_role:
+    name: openshift-mcg
+  vars:
+    _p_openshift_cluster: "{{ current_openshift_cluster }}"
+
 - name: OpenShift Advanced Data Protection operator
   include_role:
     name: openshift-adp
@@ -45,26 +64,31 @@
   vars:
     _p_upstream_dns: "{{ current_openshift_cluster.upstream_dns | default([]) }}"
 
-- name: Configure logging for OpenShift cluster {{ current_openshift_cluster.name }}
+- name: Configure Red Hat SSO (Keycloak) for OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
-    name: openshift-logging
+    name: openshift-redhat-sso
+  loop: "{{ all_config.openshift_redhat_sso | default([]) }}"
+  loop_control:
+    loop_var: _current_openshift_redhat_sso
+  vars:
+    _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
 
-- name: Configure monitoring for OpenShift cluster {{ current_openshift_cluster.name }}
+- name: Install OpenLDAP on OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
-    name: openshift-monitoring
+    name: demo-openldap
+  loop: "{{ all_config.demo_openldap | default([]) }}"
+  loop_control:
+    loop_var: _current_demo_openldap
+  vars:
+    _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
 
-- name: Prepare storage for OpenShift cluster {{ current_openshift_cluster.name }}
+- name: Configure logging for OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
-    name: prepare-openshift-storage
-  loop: "{{ current_openshift_cluster.openshift_storage | default([]) }}"
-  loop_control:
-    loop_var: current_openshift_storage
+    name: openshift-logging
 
-- name: Configure Multi-Cloud Object Gateway
+- name: Configure monitoring for OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
-    name: openshift-mcg
-  vars:
-    _p_openshift_cluster: "{{ current_openshift_cluster }}"
+    name: openshift-monitoring
 
 - name: Configure GPU for the OpenShift cluster
   include_role:

diff --git a/automation-roles/40-configure-infra/demo-openldap/tasks/install-openldap.yml b/automation-roles/40-configure-infra/demo-openldap/tasks/install-openldap.yml
@@ -0,0 +1,77 @@
+- set_fact:
+    _openldap_bind_password_new: ''
+
+- name: Retrieve OpenLDAP bind password from vault secret {{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-bind-password
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "{{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-bind-password"
+    secret_group: "{{ environment_name }}" 
+    _p_secret_variable: _openldap_bind_password
+
+- set_fact:
+    _openldap_bind_password_new: "{{ global_config.universal_password | default('') }}"
+  when: _openldap_bind_password==''
+
+- name: Generate new bind password if none is available yet
+  block:
+  - ansible.builtin.include_role:
+      name: generate-password
+  - set_fact:
+      _openldap_bind_password_new: "{{ _p_generated_password }}"
+  when: 
+  - _openldap_bind_password==''
+  - _openldap_bind_password_new==''
+
+- name: Set OpenLDAP bind password into secret {{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-bind-password
+  include_role:
+    name: vault-set-secret
+  vars:
+    secret_name: "{{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-bind-password"
+    secret_group: "{{ environment_name }}"
+    secret_payload: "{{ _openldap_bind_password_new }}"
+  when: _openldap_bind_password_new!=''
+
+- set_fact:
+    _openldap_bind_password: "{{ _openldap_bind_password_new }}"
+  when: _openldap_bind_password_new!=''
+
+- name: Create {{ _v_openldap_base_dir }} directory for generated files
+  ansible.builtin.file:
+    path: "{{ _v_openldap_base_dir }}"
+    state: directory
+    mode: u+rwx
+
+- name: Create Project {{ _openldap_project_name }}
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: create-project
+  vars:
+    common_namespace_name: "{{ _openldap_project_name }}"
+    common_output_directory: "{{ _v_openldap_base_dir }}"
+
+- name: Prepare OpenLDAP yaml file for cluster {{ current_openshift_cluster.name }}
+  ansible.builtin.template:
+    src: "{{ item }}.yaml.j2"
+    dest: "{{ _v_openldap_base_dir }}/{{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-{{ item }}.yaml"
+    mode: u+rwx
+  with_items:
+    - configmaps
+    - secrets
+    - persistentvolumeclaims
+    - deployments
+    - services
+
+- name: Add OpenLDAP item {{ item.name }}
+  kubernetes.core.k8s:
+    state: present
+    src: "{{ _v_openldap_base_dir }}/{{ current_openshift_cluster.name }}-{{ _current_demo_openldap.name }}-openldap-{{ item.name }}.yaml"
+    wait: true
+    wait_sleep: "{{ item.wait_sleep }}"
+    wait_timeout: "{{ item.wait_timeout }}"
+  with_items:
+    - {name: configmaps, wait_sleep: 15, wait_timeout: 15}
+    - {name: secrets, wait_sleep: 15, wait_timeout: 15}
+    - {name: persistentvolumeclaims, wait_sleep: 15, wait_timeout: 300}
+    - {name: deployments, wait_sleep: 15, wait_timeout: 600}
+    - {name: services, wait_sleep: 15, wait_timeout: 15}
diff --git a/automation-roles/40-configure-infra/demo-openldap/tasks/main.yml b/automation-roles/40-configure-infra/demo-openldap/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- set_fact:
+    _openldap_project_name: "{{ _current_demo_openldap.openldap_project | default(_current_demo_openldap.name) }}"
+
+- ansible.builtin.include_tasks: install-openldap.yml
+  when:
+  - _current_demo_openldap.openshift_cluster_name == _p_openshift_cluster_name
+  - _current_demo_openldap.state | default('installed') == 'installed'
+
+- ansible.builtin.include_tasks: remove-openldap.yml
+  when: 
+  - _current_demo_openldap.openshift_cluster_name == _p_openshift_cluster_name
+  - _current_demo_openldap.state | default('installed') != 'installed'
diff --git a/automation-roles/40-configure-infra/demo-openldap/tasks/remove-openldap.yml b/automation-roles/40-configure-infra/demo-openldap/tasks/remove-openldap.yml
@@ -0,0 +1,9 @@
+- name: Remove OpenShift project {{ _openldap_project_name }}
+  kubernetes.core.k8s:
+    state: absent
+    api_version: project.openshift.io/v1
+    kind: Project
+    name: "{{ _openldap_project_name }}"
+    wait: true
+    wait_sleep: 15
+    wait_timeout: 120