feat: add user-facing sso (#529)

* feat: add user-facing rhsso

* fix: allow override the user_sso flag from an inventory file

inventories/group_vars/all/common.yml

@@ -17,6 +17,8 @@ eval_nexus_namespace: "{{ns_prefix | default('')}}nexus"
 eval_managed_fuse_namespace: "{{ns_prefix | default('')}}fuse"
 eval_enmasse_namespace: "{{ ns_prefix | default('')}}enmasse"
 
+eval_user_rhsso_namespace:  "{{ns_prefix | default('')}}user-sso"
+
 eval_seed_users_count: 50
 eval_webapp_url_prefix: tutorial-web-app-webapp
 
@@ -57,4 +59,11 @@ create_cluster_admin: true
 #     - openshift_master_url (master url for oauth use)
 # - after install, add the relevant cors rule to the master-config.yaml based on the webapp route
 # - add the cluster SSO identity provider to the master-config.yaml
-# - restart the master(s)
+# - restart the master(s)
+
+#user_rhsso: (boolean)
+#
+# Default is set to true inline in various places.
+# No default is set here, as it wouldn't be overwriteable in an inventory file
+# If true, a separate RH-SSO instance will be provisioned to a separate namespace.
+# This instance can be used by user applications to provide identity management services.

inventories/group_vars/all/manifest.yaml

@@ -61,7 +61,7 @@ rhsso_version: '7.2.6.GA'
 #below vars not currently used but will be used to pull in the new versions of RH-SSO once we decouple the resources from the installer.
 rhsso_imagestream_name: redhat-sso72-openshift:1.4
 rhsso_imagestream_image: registry.access.redhat.com/redhat-sso-7/sso72-openshift:1.4
-rhsso_operator_release_tag: 'v1.3.0'
+rhsso_operator_release_tag: 'v1.3.2'
 rhsso_operator_resources: 'https://raw.githubusercontent.com/integr8ly/keycloak-operator/{{rhsso_operator_release_tag}}/deploy/'
 rhsso_namespace: 'sso'
 

inventories/managed.template

@@ -17,3 +17,8 @@ aws_s3_backup_secret_name=s3-credentials
 # See group_vars/all/common.yml & relevant SOP for more info when 
 # setting this to false.
 run_master_tasks=false
+
+# Don't setup the rh-sso instance for user applications
+# See group_vars/all/common.yml & relevant SOP for more info when 
+# setting this to false.
+user_rhsso=false

playbooks/install.yml

@@ -45,10 +45,12 @@
 - import_playbook: "./install_services.yml"
 - import_playbook: "./install_webapp.yml"
 - import_playbook: "./install_middleware_monitoring.yml"
+- import_playbook: "./install_user_rhsso.yml"
 - import_playbook: "./generate-customisation-inventory.yml"
 - import_playbook: "./customise_web_console_install.yml"
 - import_playbook: "./apply_ocp_roles.yml"
 
+
 - hosts: master
   gather_facts: no
   tasks:

playbooks/install_backups.yml

@@ -20,7 +20,17 @@
       include_role:
         name: rhsso
         tasks_from: backup.yaml
+      vars:
+        sso_namespace: "{{ eval_rhsso_namespace }}"
       tags: ['rhsso']
+    -
+      include_role:
+        name: rhsso
+        tasks_from: backup.yaml
+      vars:
+        sso_namespace: "{{ eval_user_rhsso_namespace }}"
+      tags: ['user_rhsso']
+      when: user_rhsso | default(true) | bool
     - include_role:
         name: backup
         tasks_from: monitoring.yml

playbooks/install_user_rhsso.yml

@@ -0,0 +1,17 @@
+---
+- hosts: localhost
+  gather_facts: true
+  tasks:
+    - name: Include vars from rhsso
+      include_vars: "../roles/rhsso/defaults/main.yml"
+    -
+      name: Install user rhsso
+      include_role:
+        name: rhsso
+        tasks_from: install_sso.yml
+      vars:
+        sso_namespace: "{{ eval_user_rhsso_namespace }}"
+        sso_namespace_display_name: "User Facing Red Hat Single Sign-On"
+        rhsso_provision_immediately: true
+      tags: ['user_rhsso']
+      when: user_rhsso | default(true) | bool

playbooks/uninstall.yml

@@ -105,6 +105,15 @@
         tasks_from: uninstall
       tags: ['che']
       when: che | default(true) | bool
+    -
+      name: Uninstall user-sso
+      include_role:
+        name: rhsso
+        tasks_from: uninstall_sso.yml
+      vars:
+        sso_namespace: "{{ eval_user_rhsso_namespace }}"
+      tags: ['user_rhsso']
+      when: user_rhsso | default(true) | bool
     -
       name: Reboot template broker
       include_role:

playbooks/upgrades/install_user_rhsso.yml

@@ -0,0 +1,25 @@
+---
+- hosts: localhost
+  gather_facts: true
+  tasks:
+    - name: Include vars from rhsso
+      include_vars: "../../roles/rhsso/defaults/main.yml"
+    -
+      name: Install user rhsso
+      include_role:
+        name: rhsso
+        tasks_from: install_sso.yml
+      vars:
+        sso_namespace: "{{ eval_user_rhsso_namespace }}"
+        sso_namespace_display_name: "User Facing Red Hat Single Sign-On"
+      tags: ['user_rhsso']
+      when: user_rhsso | default(true) | bool
+    -
+      name: Setup backup for user rhsso
+      include_role:
+        name: rhsso
+        tasks_from: backup.yaml
+      vars:
+        sso_namespace: "{{ eval_user_rhsso_namespace }}"
+      tags: ['user_rhsso']
+      when: user_rhsso | default(true) | bool

roles/backup/tasks/monitoring.yml

@@ -1,4 +1,9 @@
 ---
+- name: Update expected cronjobs
+  set_fact:
+    backup_expected_cronjobs: "{{ backup_expected_cronjobs | combine({'user-sso': ['daily-at-midnight']}) }}"
+  when: user_rhsso | default(true) | bool
+
 - template:
     src: backup-monitoring-alerts.yml.j2
     dest: /tmp/backup-monitoring-alerts.yml

roles/rhsso/defaults/main.yml

@@ -44,6 +44,8 @@ rhsso_plugins:
   - keycloak-metrics-spi
 original_identityprovider_config_path: /etc/origin/master/idp-config.integreatly-original.yaml
 
+rhsso_provision_immediately: false
+
 rhsso_backups:
   - name: "daily-at-midnight"
     schedule: "{{ backup_schedule }}"

roles/rhsso/tasks/backup.yaml

@@ -1,7 +1,7 @@
 ---
 -
   name: "check keycloak namespace exists"
-  shell: "oc get project {{ eval_rhsso_namespace }} | grep {{ eval_rhsso_namespace }} | wc -l"
+  shell: "oc get project {{ sso_namespace }} | grep {{ sso_namespace }} | wc -l"
   register: "sso_namespace_exists"
 
 - name: Create ServiceAccount and role binding
@@ -10,13 +10,13 @@
     tasks_from: _setup_service_account.yml
   vars:
     binding_name: rhsso-backup-binding
-    serviceaccount_namespace: '{{ eval_rhsso_namespace }}'
+    serviceaccount_namespace: '{{ sso_namespace }}'
 
 -
   name: "Add backups to keycloak CR"
   when: sso_namespace_exists.stdout != "0"
   block:
     -
       name: "patch Keycloak CR"
-      shell: oc patch keycloak rhsso -n {{ eval_rhsso_namespace }} --patch '{"spec":{"backups":{{ rhsso_backups | to_json }}}}' --type=merge
+      shell: oc patch keycloak rhsso -n {{ sso_namespace }} --patch '{"spec":{"backups":{{ rhsso_backups | to_json }}}}' --type=merge
 

roles/rhsso/tasks/install_sso.yml

@@ -0,0 +1,46 @@
+---
+- include_role:
+    name: namespace
+  vars:
+    namespace: "{{ sso_namespace }}"
+    display_name: "{{ sso_namespace_display_name | default('Red Hat Single Sign-On')}}"
+
+- name: Add labels to namespace
+  shell: oc patch ns {{ sso_namespace }} --patch '{"metadata":{"labels":{"{{ monitoring_label_name }}":"{{ monitoring_label_value }}", "integreatly-middleware-service":"true"}}}'
+  register: namespace_patch
+  failed_when: namespace_patch.stderr != '' and 'not patched' not in namespace_patch.stderr
+  changed_when: namespace_patch.rc == 0
+
+- name: "Ensure {{ rhsso_imagestream_name }} tag is present for redhat sso in openshift namespace"
+  shell: oc tag --source=docker {{ rhsso_imagestream_image }} openshift/{{ rhsso_imagestream_name }}
+  register: result
+  until: result.stdout
+  retries: 50
+  delay: 1
+  failed_when: not result.stdout
+  changed_when: False
+
+- name: "Ensure {{ rhsso_imagestream_name }} tag has an imported image in openshift namespace"
+  shell: oc -n openshift import-image {{ rhsso_imagestream_name }}
+  register: result
+  until: result.stdout
+  retries: 50
+  delay: 1
+  failed_when: not result.stdout
+  changed_when: False
+
+- name: "Create required objects"
+  shell: "oc create -f {{ item }} -n {{ sso_namespace }}"
+  with_items: "{{ rhsso_operator_resource_items }}"
+  register: rhsso_operator_resources_result
+  failed_when: rhsso_operator_resources_result.stderr != '' and 'AlreadyExists' not in rhsso_operator_resources_result.stderr
+
+- name: "Create keycloak resource template"
+  template:
+    src: "keycloak.json.j2"
+    dest: "/tmp/keycloak.json"
+
+- name: "Create keycloak resource"
+  shell: oc create -f /tmp/keycloak.json -n {{ sso_namespace }}
+  register: rhsso_keycloak
+  failed_when: rhsso_keycloak.stderr != '' and 'AlreadyExists' not in rhsso_keycloak.stderr

roles/rhsso/tasks/main.yml

@@ -1,50 +1,9 @@
 ---
-- include_role:
-    name: namespace
+- name: Provision RH-SSO
+  include_tasks: install_sso.yml
   vars:
-    namespace: "{{ rhsso_namespace }}"
-    display_name: "Red Hat Single Sign-On"
-
-- name: Add labels to namespace
-  shell: oc patch ns {{ rhsso_namespace }} --patch '{"metadata":{"labels":{"{{ monitoring_label_name }}":"{{ monitoring_label_value }}", "integreatly-middleware-service":"true"}}}'
-  register: namespace_patch
-  failed_when: namespace_patch.stderr != '' and 'not patched' not in namespace_patch.stderr
-  changed_when: namespace_patch.rc == 0
-
-- name: "Ensure {{ rhsso_imagestream_name }} tag is present for redhat sso in openshift namespace"
-  shell: oc tag --source=docker {{ rhsso_imagestream_image }} openshift/{{ rhsso_imagestream_name }}
-  register: result
-  until: result.stdout
-  retries: 50
-  delay: 1
-  failed_when: not result.stdout
-  changed_when: False
-
-- name: "Ensure {{ rhsso_imagestream_name }} tag has an imported image in openshift namespace"
-  shell: oc -n openshift import-image {{ rhsso_imagestream_name }}
-  register: result
-  until: result.stdout
-  retries: 50
-  delay: 1
-  failed_when: not result.stdout
-  changed_when: False
-
-- name: "Create required objects"
-  shell: "oc create -f {{ item }} -n {{ rhsso_namespace }}"
-  with_items: "{{ rhsso_operator_resource_items }}"
-  register: rhsso_operator_resources_result
-  failed_when: rhsso_operator_resources_result.stderr != '' and 'AlreadyExists' not in rhsso_operator_resources_result.stderr
-
-- name: "Create keycloak resource template"
-  template:
-    src: "keycloak.json.j2"
-    dest: "/tmp/keycloak.json"
-
-- name: "Create keycloak resource"
-  shell: oc create -f /tmp/keycloak.json -n {{ rhsso_namespace }}
-  register: rhsso_keycloak
-  failed_when: rhsso_keycloak.stderr != '' and 'AlreadyExists' not in rhsso_keycloak.stderr
-
+    sso_namespace: "{{ rhsso_namespace }}"
+
 - name: "Generate secret for rhsso client"
   set_fact:
     rhsso_client_secret: "{{ (ansible_date_time.epoch + rhsso_namespace) | hash('sha512') }}"

roles/rhsso/tasks/uninstall.yml

@@ -1,40 +1,8 @@
 ---
-- name: "Delete keycloak realm"
-  shell: "oc delete keycloakrealm {{ rhsso_realm }} -n {{ eval_rhsso_namespace }}"
-  register: output
-  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr and "the server doesn't have a resource type" not in output.stderr
-  changed_when: output.rc == 0
-
-- name: "Delete keycloak"
-  shell: "oc delete keycloak rhsso -n {{ eval_rhsso_namespace }}"
-  register: output
-  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr and "the server doesn't have a resource type" not in output.stderr
-  changed_when: output.rc == 0
-
-- name: "Wait for keycloak resources to be removed"
-  shell: oc get keycloak rhsso -n {{ eval_rhsso_namespace }}
-  register: result
-  until: not result.stdout
-  retries: 50
-  delay: 10
-  failed_when: result.stdout
-  changed_when: False
-
-- name: "Wait for keycloakrealms to be removed"
-  shell: oc get keycloakrealm {{ rhsso_realm }} -n {{ eval_rhsso_namespace }}
-  register: result
-  until: not result.stdout
-  retries: 50
-  delay: 10
-  failed_when: result.stdout
-  changed_when: False
-
-
-- name: "Delete project namespace: {{ eval_rhsso_namespace }}"
-  shell: oc delete project {{ eval_rhsso_namespace }}
-  register: output
-  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr
-  changed_when: output.rc == 0
+- name: Deprovision RH-SSO
+  include_tasks: uninstall_sso.yml
+  vars:
+    sso_namespace: "{{ rhsso_namespace }}"
 
 - name: Get RHSSO Identities
   shell: oc get identities | grep 'rh_sso' | awk '{print $1}'

roles/rhsso/tasks/uninstall_sso.yml

@@ -0,0 +1,37 @@
+---
+- name: "Delete keycloak realm"
+  shell: "oc delete keycloakrealm {{ rhsso_realm }} -n {{ sso_namespace }}"
+  register: output
+  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr and "the server doesn't have a resource type" not in output.stderr
+  changed_when: output.rc == 0
+
+- name: "Delete keycloak"
+  shell: "oc delete keycloak rhsso -n {{ sso_namespace }}"
+  register: output
+  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr and "the server doesn't have a resource type" not in output.stderr
+  changed_when: output.rc == 0
+
+- name: "Wait for keycloak resources to be removed"
+  shell: oc get keycloak rhsso -n {{ sso_namespace }}
+  register: result
+  until: not result.stdout
+  retries: 50
+  delay: 10
+  failed_when: result.stdout
+  changed_when: False
+
+- name: "Wait for keycloakrealms to be removed"
+  shell: oc get keycloakrealm {{ rhsso_realm }} -n {{ sso_namespace }}
+  register: result
+  until: not result.stdout
+  retries: 50
+  delay: 10
+  failed_when: result.stdout
+  changed_when: False
+
+
+- name: "Delete project namespace: {{ sso_namespace }}"
+  shell: oc delete project {{ sso_namespace }}
+  register: output
+  failed_when: output.stderr != '' and 'not found' not in output.stderr and 'The system is ensuring all content is removed from this namespace.' not in output.stderr
+  changed_when: output.rc == 0

roles/rhsso/templates/keycloak.json.j2

@@ -7,6 +7,7 @@
   "spec": {
     "adminCredentials": "",
     "plugins": ["{{ rhsso_plugins | join('","') }}"],
-    "backups": []
+    "backups": [],
+    "provision": {{ rhsso_provision_immediately|bool|to_json }}
   }
 }