DEV-279: added oidc/rbac for argocd setup (keycloak)

4 years ago · 3d304f4ec1
parent 20a2e8a2e3
commit 3d304f4ec1
10 changed files with 555 additions and 90 deletions
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -316,6 +316,9 @@ pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
 gitea_admin_username: "gitea-admin"
 gitea_admin_password: "{{ gitea_admin_password_vault }}"

+argocd_admin_username: "argocd-admin"
+argocd_admin_password: "{{ argocd_admin_password_vault }}"
+
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

 docker_registry_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
--- a/group_vars/stage_qa/vault.yml
+++ b/group_vars/stage_qa/vault.yml
@ -1,74 +1,76 @@
 $ANSIBLE_VAULT;1.1;AES256
-39366430386363366135343934373164336233313763626331636632323163323339326563376232
-3734616230343030663564366339323139646437663064610a626265623062633631333461376537
-32663837333065613638646432343931636133326164613836623834326232633961646561613933
-3132623066633364390a613635636332393164663963623065373161313230383832336161323864
-32376533663166663839646330343733613339643762623665323534616466633662313430393766
-32393731376236356536633638633865396238333466303735303939333337313463363139346662
-35636330383262643839363065346232653139633863653330353837663964393138393564623966
-34373262643364313330616138623864666135383063373433666134326365313437396165363037
-39343561303638653837376362323066363235383233393035373064383363306663646431643932
-35646335386162346637663766663932373936383665323133626536306638373331316562386439
-38663962386238346130353033356663643330616563393035353030653331666466376436663837
-66636235396539396365323335653231626564663432363864636531313339306439343632333366
-61663963396366653661653764653337336535396338333461396337356435646336653266393364
-39626661646539656135393533326364363534313335636266636163396565363833613466336161
-36333037623734336664653164316337323931303261643663653637643537666236386165623033
-37383733633731303466396266336362386335356234646234313363363036633938303239346233
-31336435616133643437363664633762633935623264346264383164326135373330333035613264
-31316437343234323634373734363739373737643433373161323861363032623662356261663535
-36396338643833646461323461383032653066616332656536313939313362666539633339373936
-35623563353236643062376331616163383730353061353565373039376264643633333866396465
-66393635396133643531336437333366653034366535663031373832613162636265626139333066
-39316332366438633066643663346630386363366166316566306238313731326663336436653261
-37636362616662303063663230323837393938393338303738393535663239383030383061313236
-66313566323735323337633735323061383162393266326635363365633363623834646364633562
-37616530626536333834653363393936343731383631306265613463336638643038303162616533
-30323335323334613565616331613530383637396465323134646562633531396130353465616134
-36633263353936393331343436373565346434633434386265386133313939366433363633373363
-64613631656463613238626363643631656162393531313339613063343435376338356465356234
-30646431646237376365666432626431363161303638623136626439373862313965376534393533
-36343761646235333165393165626133326233656263613466356461393762393566626436643866
-61353064653036636566303637616433363964313462356263623132653161326632656434336532
-36366638333337383832373733303334643438343463646439313734316664313563373561663265
-37616534656637393938393739366239353761383139326532383062633664653333656663636237
-30373963636361653561393537386133383866363435613638333432626432306632323736363065
-31386136613337323263353635313330373534373835613434643066353063663066333638343830
-38303664613266626339396361643939356364626238333637373966376363663833613631366632
-64656631373233633063353731343730303439303637383965356231643331623936353139343462
-37323339616636336130363666616339316234383238383434363336336664646234393938366338
-35346261623363323164353537343632663236653232643137623230393133383736626462363065
-30633262353135633631663662373638346233323435306337323964353164626664633437363333
-34333462386361636662346636343261623134623466343465643835633832643937623235303635
-36343833373865643638343735363937306662306234366566346335626262383630616238316364
-36306138393531333061646232313962333330306564393031363139666361663466613163393236
-61366331333761306664643933346131643463653164376162386530343061656230363430343433
-35396330613764303539343833316236383362626565656639333331363137643536373064393435
-65373631396431336561313838643164336533636139343564346663316332623536383361323764
-33313033656437653162366265646132366336316661393138336532333636313236333066613738
-35336132313466353138336464643033633236346538356438616262653461623161613934326139
-35386561303734656335626663383639333130303665336536316435643164353232363235636163
-35653763356236356661383239363235653563333737373163366234396531376561343664653963
-33663839613634346461386239343333383561336462303936393935353735376166393831303737
-36353262356432336336613535306338326437313237636262313338373063303434373862303466
-65353065383233313230353164323034373461653865373839386462346635663631393239653837
-32303939383837363764393939633263333234613133366638623161656236643036306663323939
-65363235313762633136653930323536343734643337323937643332353561366566363534306566
-32313934353163633964353632356333383839303363643834366235333335303735656439353965
-36623638656435376332323264336439303963376536306366306335333466373637396164663936
-63396536633734613533333461356335363865323337643266303735316561643063636432656434
-37313834316437373238393535343237636465343439323061633762663465303932323030353931
-61633534346466396132663534383765613165306531383932346261643761326561623363643433
-31323166343563656165626538363964383930333035376233393136393431666237653464336533
-36346136643535306163393665623462623030306532666638383563383065356238376135336163
-61376439653966376631353766363733396337313665363865306362376133613161393564666364
-66366537643463326465333763346263396637376638363963663530313165613261633135636136
-37306161616262323336366365333935326632633262396536313937336239363535303439366134
-30626663623036616564656366353132613364336439386663616532316464376337656334343061
-38656564396566376463343464323161373034343037353535396337616364316463306430626232
-66636535343339333761613336633063613765333465333162316433396233303765373430663465
-31646434383565633331666362633362303630353738303634393834616433376333323431333530
-30353038616433653939383633383131633161383262326264613366333732623364636137353135
-33643566613632653130326432323465623733383462636335666366373133613437393538393734
-37333062383139616161366338646230353637643462316332383164616237356336396338653861
-6538
+31613430313266346137633461663535616661316564363933376133353833386532613038363337
+3663323432383863373061393032323966323635396562650a643831323731366161316437356437
+32343630363430616631613635366633373838336431303666323030393865356438643237363132
+3763306134333634390a643531393639353930653330666338323235663162383962656237316162
+62366361626230333337383136303464353032623139373365343333343237656530393637623334
+66343961643739343736363063306662643365343931336433656334333761343933353832616432
+64666439303761663836316230303232396537663433643438386332383963303538623239376539
+37643535346137373933303431623335643132323565303662313862663465633034666462636363
+65376662353431353133653462383934366539636661373030333536623433366334373931616438
+33333961373362333838646634643466313735663663653037383838643439353438373731396533
+63313362626534353731613733376133623238353733333639383034663333336137386130306238
+64306134653662383430616363666661366439323838636663356537353164336434663135363962
+38333734303661623639656565323863303864653936653430343331323264643030393266623965
+34613030346162636265366566663364316561376566653863623663633837326264636666326465
+65656265376336396637363163326333643235373464626530636634323965666163656566343934
+61613535643861633237366235393762643331663135343838346266376233393164363766343132
+61623139396534323465363165643739653866303236623232643639373936643035343433643439
+32613562323964663734623334393536393461313332353233626266373262373762366535373061
+31323663376630303662383866613264616365373237343832646565353135333361333366363633
+37316163333564326664616235656638643866663137613935356339343662326537363333353562
+65636263613061663834313937303633376134333530666665616533393336393961646565313564
+66333137323232616462653238326139623466616639333739353463333665376233663837313335
+36306335386430383337303963343537636633646166326139393364326436663131623830623763
+32623431656535326561656433623266666466393861333737363332336666643131343936346630
+35363330393334653731663462373837376265663162343034623338643338326532383466313366
+65613939386166656566383930386530393632633163366636616162303931663962303135656131
+39623134396634626239353561346237643162303263393665356238643362616165373866343961
+65656562383135363339393039393238333531326232343436666432613438326163666265326366
+65366163623938333730386563663436373839383536326538393934613539336665663762363930
+64346366626539343431303736333136666639633265303336303632646361616539616434616266
+64363962613265303865643365343036623939316533633361613630633434643132346631633139
+32396435613434343033643162333936636535376663333964646631333662363466303132303663
+30303038376638373263363063653037326161616436383130626562333863616262666562323734
+63343964653666633732313862366262346633383464633565363234633231376238623965356639
+36306635393564383261656239313835333035323165303134373763643635343865366166653266
+39356537376336306537306233323035663230623861396338313365616664383836396563353531
+65376236353339636433643038343932313662306535376634323636363336643035383437386131
+33636464646135396337653766626465616234393635306133356633626431393733373733616366
+32626533613538633134303836643935316239353833646362346162356336383466336336343432
+32343732666164666532373534396166333262636363373432653037366339323539623630373962
+66323435383561316635386361636466343763613963333261616530303838643433653334373161
+39613363313364626463313936393436643961623734613861366661613962383862636331386538
+61633238383434326362343161346138313064646135363537326434333231623033303662646430
+65356131376530373737383261643466616439646637313564363634393731373635626635373836
+35356534353262623265363564626265623434393037353735633536626536623661316635326234
+66663863373765623831633334386563363039653463666332303165616531653561633138373765
+32303965356636363235656331613165346534633366656364623636316430376336373438333233
+38383330393933393063366334356664393630343237623034323533323661643031626562323232
+62373438373937303866303632663030326338653135343961376666633263616636366533373133
+65633065383837396363313361393238323738396562393434346436356562383662633939623163
+32393431623861373930333237626335323962313133306365626334313539386366373936346461
+65656539366236623335353261643838373237643234366262636137326463353564646236313762
+34356665643635373535643031653166346361383565363136616230646233316433663463663836
+39376136633534633763393663306561626266303562626638643232313761663134353766653735
+35643033353731396431636631383839336130346138383465323835303130313339363839313537
+30633862363436363165366236393432643663376139373464616534333364383063333634333034
+65643830396462363565656633336331336530373064613637336661346263626261383762653630
+37303462343733353631663865333866383938633037343837393362363664666339633737613537
+33363233623630343766326363323762303262383266326133663831363035396436366138643261
+63363131353138356132646435643331396136303063626361316262613237303830633463666538
+34313162666233323434356162623763316631313437666466316335636332633433336437326231
+35336436373334343161353939643931616664613030323031386437623938363864383037336363
+34386235343339663034373335646164623836313661626338396330323430303465383932646239
+37653662653437353463303034376430353361353833313031666535363331336438326439303930
+33623162343235646135316663333837663331663865656232616135376436383762373333646434
+35373563623565376235316461343662366334356136336662643161646331333131373839653634
+39396535376435383935356533363336333062326532363035613737656139343262386131313538
+32363361306130376662383964313939306438386465646232653934303032356161346161363733
+31633236636137373830303437613233336633646634343164316233303065363536313064643733
+30303764623632396138383438366566303131316562356164326664646530616130383061353662
+32373734653162353137633766353066633964633165316335336166363561653863333238303765
+32626233656664303264346239363730636461636233353035336165653262343635623332663330
+36646339646132376566343439376132643333333339653563663236383239633139363532313139
+63326163633065353138326466636230336632613030323865353961376663373235663134616163
+653161616234333038343434326538303664
--- a/roles/keycloak/tasks/_configure_client_crud.yml
+++ b/roles/keycloak/tasks/_configure_client_crud.yml
@ -0,0 +1,62 @@
+---
+- name: "GETTING all clients for realm <<{{ realm_name }}>>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/clients"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [200]
+  register: get_all_clients
+
+- name: "CREATING client <{{ client_id }}> for realm <{{ realm_name }}>"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/clients"
+    method: POST
+    body_format: json
+    body: "{{ keycloak_client_object }}"
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [201]
+  changed_when: True
+  when:
+    - get_all_clients.json | selectattr('clientId', 'equalto', client_id) | list | length == 0
+  delegate_to: 127.0.0.1
+  become: false
+
+- set_fact:
+    id: '{{ ( get_all_clients.json | selectattr("clientId","equalto",argo_client_id) | first ).id }}'
+  when: 
+  - get_all_clients.json | selectattr('clientId', 'equalto', client_id) | list | length == 1
+
+- name: "UPDATING client <{{ client_id }}> for realm <{{ realm_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: '{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/clients/{{ id }}'
+    method: PUT
+    body_format: json
+    body: "{{ keycloak_client_object }}"
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [204]
+  changed_when: True
+  when: 
+  - get_all_clients.json | selectattr('clientId', 'equalto', client_id) | list | length == 1
+
+- name: "DELETING client <{{ client_id }}> for realm <{{ realm_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: '{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/clients/{{ id }}'
+    method: DELETE
+    body_format: json
+    body: "{{ keycloak_client_object }}"
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [204]
+  changed_when: True
+  when: 
+  - get_all_clients.json | selectattr('clientId', 'equalto', client_id) | list | length == 1
+  - remove_client | default(False) | bool
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@ -93,3 +93,4 @@
  with_items: "{{ current_realm_clients }}"
  loop_control:
    loop_var: client
+  when: create_client | default('True') | bool
--- a/roles/keycloak/tasks/_configure_user_groupmembership_crud.yml
+++ b/roles/keycloak/tasks/_configure_user_groupmembership_crud.yml
@ -0,0 +1,56 @@
+---
+- name: "GETTING all groups for realm <<{{ realm_name }}>>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/groups"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [200]
+  register: get_all_groups
+
+- name: "GETTING all users for realm <<{{ realm_name }}>>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/users"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [200]
+  register: get_all_users
+
+- set_fact:
+    group_id: '{{ ( get_all_groups.json | selectattr("name","equalto",destination_group) | first ).id }}'
+    user_id: '{{ ( get_all_users.json | selectattr("username","equalto",username) | first ).id }}'
+
+- name: "GETTING all group for user <<{{ username }}>> in realm<<{{ realm_name }}>>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/users/{{ user_id }}/groups/"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [200]
+  register: get_all_groups_for_current_user
+
+- set_fact:
+    already_in_group: '{{ get_all_groups_for_current_user.json | selectattr("name","equalto",destination_group) }}'
+
+- name: "ADDING USER <{{ client_id }}> for realm <{{ realm_name }}> to Group <<{{ destination_group }}>>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ realm_name }}/users/{{ user_id }}/groups/{{ group_id }}"
+    method: PUT
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ bearer_token }} "
+    status_code: [204]
+  changed_when: True
+  when:
+    - get_all_users.json | selectattr("username", "equalto", username) | list | length == 1
+    - get_all_groups.json | selectattr("name", "equalto", destination_group) | list | length == 1
+    - get_all_groups_for_current_user.json | selectattr("name", "equalto", destination_group) | list | length == 0 # do PUT-reqeust only if user is not member of group
--- a/roles/kubernetes/apps/defaults/main.yml
+++ b/roles/kubernetes/apps/defaults/main.yml
@ -6,6 +6,33 @@ k8s_prometheus_helm__release_namespace: "monitoring"
 k8s_argocd_helm__name: "argo-cd"
 k8s_argocd_helm__release_namespace: "argo-cd"

+argocd_client_admin_username: argocd-admin
+argocd_client_admin_password: argocd-admin
+
+argo_realm_name: &argoname 'argocd'
+argo_realm_display_name: *argoname
+
+k8s_argocd_helm__domain: &argourl "{{ stage }}-kube-argocd.{{ domain }}"
+argo_realm_group: ArgoCDAdmins
+argo_keycloak_clientscope_protocol: openid-connect
+argo_keycloak_clientscope_name: groups
+argo_client_id: *argoname
+
+argo_client_root_url: 'https://{{ k8s_argocd_helm__domain }}'
+argo_client_redirect_uris:
+  - 'https://{{ k8s_argocd_helm__domain }}/auth/callback'
+argo_client_base_url: '/applications'
+argo_client_admin_url: 'https://{{ k8s_argocd_helm__domain }}'
+argo_client_web_origins:
+  - 'https://{{ k8s_argocd_helm__domain }}'
+
+argo_realm_users: [
+  {
+    "username": "{{ argocd_client_admin_username }}",
+    "password": "{{ argocd_client_admin_password }}",
+  }
+]
+
 # https://github.com/grafana/helm-charts
 # https://github.com/prometheus-community/helm-charts
 k8s_prometheus_helm__release_values:
@ -105,7 +132,25 @@ k8s_argocd_helm__release_values:
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
+    env:
+      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
+        value: "0"
+      - name: ARGOCD_EXEC_TIMEOUT
+        value: "300s"
  server:
+    config:
+      oidc.config: |
+        name: Keycloak
+        issuer: '{{ keycloak_server_url }}/auth/realms/argocd'
+        clientID: '{{ argo_client_id }}'
+        clientSecret: $oidc.keycloak.clientSecret
+        requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
+      url: 'https://{{ k8s_argocd_helm__domain }}'
+    rbacConfig:
+      policy.default: role:readonly
+      policy.csv: |
+        g, /{{ argo_realm_group }}, role:admin
+        g, admin, role:admin
    metrics:
      enabled: true
      serviceMonitor:
@ -113,6 +158,8 @@ k8s_argocd_helm__release_values:
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
+    service:
+      sessionAffinity: ClientIP
    ingress:
      enabled: true
      annotations:
@ -124,19 +171,13 @@ k8s_argocd_helm__release_values:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      hosts:
-        - "{{ stage }}-kube-argocd.{{ domain }}"
+        - "{{ k8s_argocd_helm__domain }}"
      tls:
        - secretName: "{{ stage }}-kube-argocd-cert"
          hosts:
-            - "{{ stage }}-kube-argocd.{{ domain }}"
+            - "{{ k8s_argocd_helm__domain }}"
  dex:
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: false
-        namespace: "{{ k8s_argocd_helm__release_namespace }}"
-        additionalLabels:
-          release: "{{ k8s_prometheus_helm__name }}"
+    enabled: false
  redis:
    metrics:
      enabled: true
--- a/roles/kubernetes/apps/tasks/argocd.yml
+++ b/roles/kubernetes/apps/tasks/argocd.yml
@ -0,0 +1,185 @@
+---
+# I tried to create a realm via community.general.keycloak_realm
+# but every request failed with HTTP 500
+# but creating a group via community.general.keycloak_group
+# was successfully
+#  ¯\_(ツ)_/¯
+#
+- name: "Login with keycloak-admin"
+  include_role:
+    name: keycloak
+    tasks_from: _authenticate
+
+- name: "Setup keycloak-realm for argocd"
+  include_role:
+    name: keycloak
+    tasks_from: _configure_realm
+  vars:
+    current_realm_name: '{{ argo_realm_name }}'
+    current_realm_display_name: '{{ argo_realm_display_name }}'
+    create_client: False
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "Create a Keycloak group, authentication with credentials"
+  delegate_to: localhost
+  become: False
+  community.general.keycloak_group:
+    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
+    auth_client_id: admin-cli
+    auth_realm: 'master'
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    name: '{{ argo_realm_group }}'
+    realm: '{{ argo_realm_name }}'
+    state: present
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "Create keycloak user(s)"
+  include_role:
+    name: keycloak
+    tasks_from: _create_realm_users
+  vars:
+    current_realm_name: '{{ argo_realm_name }}'
+    current_realm_users: '{{ argo_realm_users }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "ADD user group mapping"
+  include_role:
+    name: keycloak
+    tasks_from: _configure_user_groupmembership_crud
+  vars:
+    username: '{{ argocd_client_admin_username }}'
+    destination_group: '{{ argo_realm_group }}'
+    realm_name: '{{ argo_realm_name }}'
+    bearer_token: '{{ access_token }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "Create keycloak clientscope"
+  delegate_to: localhost
+  become: False
+  community.general.keycloak_clientscope:
+    auth_client_id: admin-cli
+    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
+    auth_realm: 'master'
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    name: '{{ argo_keycloak_clientscope_name }}'
+    realm: '{{ argo_realm_name }}'
+    protocol: '{{ argo_keycloak_clientscope_protocol }}'
+    protocol_mappers:
+      - config:
+          access.token.claim: True
+          claim.name: '{{ argo_keycloak_clientscope_name }}'
+          full.path: True
+          id.token.claim: True
+          userinfo.token.claim: True
+        name: '{{ argo_keycloak_clientscope_name }}'
+        protocol: openid-connect
+        protocolMapper: oidc-group-membership-mapper
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+# using template from exported keycloak client object
+# due to needed params but missing in community.general.keycloak_client
+# e.g. defaultClientScopes
+- set_fact:
+    keycloak_realm_create_client: "{{ lookup('template','keycloak-realm-create-client-argocd.json.j2') }}"
+  vars:
+    client_redirect_uri: '{{ argo_client_redirect_uris }}'
+    client_web_origins: '{{ argo_client_web_origins }}'
+    client_id: '{{ argo_client_id }}'
+    realm_name: '{{ argo_realm_name }}'
+    client_root_url: '{{ argo_client_root_url }}'
+    client_admin_url: '{{ argo_client_admin_url }}'
+    client_base_url: '{{ argo_client_base_url }}'
+    keycloak_clientscope_name: '{{ argo_keycloak_clientscope_name }}'
+    keycloak_clientscope_protocol: '{{ argo_keycloak_clientscope_protocol }}'
+
+# throw needed VARs against keycloak API
+# to CRUD
+- name: "Create client"
+  include_role:
+    name: keycloak
+    tasks_from: _configure_client_crud
+  vars:
+    client_id: '{{ argo_client_id }}'
+    realm_name: '{{ argo_realm_name }}'
+    keycloak_client_object: '{{ keycloak_realm_create_client }}'
+    bearer_token: '{{ access_token }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "GET available clients from <<{{ argo_realm_name }}>>-realm"
+  delegate_to: localhost
+  become: False
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients"
+    method: GET
+    headers:
+      Content-Type: "application/json"
+      Authorization: "Bearer {{ access_token }}"
+    status_code: [200]
+  register: argo_realm_clients
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+# available clients: get needed ID
+- set_fact:
+    id_of_client: '{{ ( argo_realm_clients.json | selectattr("clientId","equalto",argo_client_id ) | first ).id }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: "GET client-secret for client <<{{ argo_client_id }}>> in realm <<{{ argo_realm_name }}>>"
+  delegate_to: localhost
+  become: False
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients/{{ id_of_client }}/client-secret"
+    method: GET
+    headers:
+      Content-Type: "application/json"
+      Authorization: "Bearer {{ access_token }}"
+    status_code: [200]
+  register: client_secret
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- debug:
+    msg: "DEBUGGING: {{ client_secret.json.value }}"
+  when:
+  - debug
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- set_fact:
+    additional_helm_values:
+      configs:
+        secret:
+          extra:
+            oidc.keycloak.clientSecret: '{{ client_secret.json.value }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- set_fact:
+    combined_helm__release_values: '{{ k8s_argocd_helm__release_values | combine(additional_helm_values) }}'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- debug:
+    msg: "DEBUGGING: {{ combined_helm__release_values }}"
+  when:
+  - debug
+  - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Deploy argo-cd inside argo-cd namespace
+  kubernetes.core.helm:
+    name: "{{ k8s_argocd_helm__name }}"
+    chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
+    chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
+    release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
+    create_namespace: yes
+    release_values: "{{ combined_helm__release_values }}"
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
--- a/roles/kubernetes/apps/tasks/main.yml
+++ b/roles/kubernetes/apps/tasks/main.yml
@ -17,14 +17,12 @@
  tags:
    - prometheus

- name: Deploy argo-cd inside argo-cd namespace
-  kubernetes.core.helm:
-    name: "{{ k8s_argocd_helm__name }}"
-    chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
-    chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
-    release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
-    create_namespace: yes
-    release_values: "{{ k8s_argocd_helm__release_values }}"
+- name: "Deploy argo-cd"
+  include_tasks: argocd.yml 
+  args:
+    apply:
+      tags:
+        - argo-cd
  when: 
  - inventory_hostname == groups['kube_control_plane'][0]
  tags:
--- a/roles/kubernetes/apps/templates/keycloak-realm-create-client-argocd.json.j2
+++ b/roles/kubernetes/apps/templates/keycloak-realm-create-client-argocd.json.j2
@ -0,0 +1,85 @@
+#jinja2: trim_blocks:False
+{
+    "clientId": "{{ client_id }}",
+    "rootUrl": "{{ client_root_url }}",
+    "adminUrl": "{{ client_admin_url }}",
+    "baseUrl": "{{ client_base_url | default('') }}",
+    "surrogateAuthRequired": false,
+    "enabled": true,
+    "alwaysDisplayInConsole": false,
+    "clientAuthenticatorType": "client-secret",
+    "redirectUris": [
+{% for uri in client_redirect_uri %}
+        "{{ uri }}",
+{% endfor %}
+    ],
+    "webOrigins": [
+{% for uri in client_web_origins %}
+        "{{ uri }}"
+{% endfor %}
+    ],
+    "notBefore": 0,
+    "bearerOnly": false,
+    "consentRequired": false,
+    "standardFlowEnabled": true,
+    "implicitFlowEnabled": false,
+    "directAccessGrantsEnabled": true,
+    "serviceAccountsEnabled": false,
+    "publicClient": false,
+    "frontchannelLogout": false,
+    "protocol": "{{ keycloak_clientscope_protocol }}",
+    "attributes": {
+        "saml.assertion.signature": "false",
+        "id.token.as.detached.signature": "false",
+        "access.token.lifespan": "{{ keycloak_accesstoken_ttl | default(3600) }}",
+        "saml.multivalued.roles": "false",
+        "saml.force.post.binding": "false",
+        "saml.encrypt": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "saml.server.signature": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "use.refresh.tokens": "true",
+        "exclude.session.state.from.auth.response": "false",
+        "oidc.ciba.grant.enabled": "false",
+        "saml.artifact.binding": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+    },
+    "authenticationFlowBindingOverrides": {},
+    "fullScopeAllowed": true,
+    "nodeReRegistrationTimeout": -1,
+    "protocolMappers": [
+        {
+            "name": "docker-v2-allow-all-mapper",
+            "protocol": "docker-v2",
+            "protocolMapper": "docker-v2-allow-all-mapper",
+            "consentRequired": false,
+            "config": {}
+        }
+    ],
+    "defaultClientScopes": [
+        "web-origins",
+        "profile",
+        "roles",
+        "{{ keycloak_clientscope_name }}",
+        "email"
+    ],
+    "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+    ],
+    "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+    }
+}
--- a/roles/kubernetes/base/tasks/main.yml
+++ b/roles/kubernetes/base/tasks/main.yml
@ -34,3 +34,35 @@
  - inventory_hostname == groups['kube_control_plane'][0]
  tags:
    - base
+
+- name: Install k9s on 1st k8s master
+  ansible.builtin.get_url:
+    url: 'https://github.com/derailed/k9s/releases/download/{{ kubernetes_tools_k9s_version | default("v0.25.18") }}/k9s_Linux_x86_64.tar.gz'
+    dest: '/tmp/k9s_Linux_x86_64_{{ kubernetes_tools_k9s_version | default("v0.25.18") }}.tar.gz'
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+  tags:
+    - base
+
+- name: Extract k9s binary
+  ansible.builtin.unarchive:
+    src: '/tmp/k9s_Linux_x86_64_{{ kubernetes_tools_k9s_version | default("v0.25.18") }}.tar.gz'
+    dest: "/tmp/"
+    remote_src: yes
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+  tags:
+    - base
+
+- name: Move extracted k9s binary
+  ansible.builtin.copy:
+    src: /tmp/k9s
+    dest: /usr/bin/k9s
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: yes
+  when:
+  - inventory_hostname == groups['kube_control_plane'][0]
+  tags:
+    - base