DEV-309: added keycloak PW-policy stuff

4 years ago · 4b8a80a4ef
parent 2b86dfc20c
commit 4b8a80a4ef
6 changed files with 11 additions and 3 deletions
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@ -2,10 +2,10 @@

 # TODO inject by management portal
 connect_client_admin_username: "connect-admin"
-connect_client_admin_password: "connect-admin"
+connect_client_admin_password: "C0nnect-Admin!"
 # TODO inject by management portal
 connect_realm_admin_username: "connect-realm-admin"
-connect_realm_admin_password: "connect-realm-admin"
+connect_realm_admin_password: "C0nnect-Realm-Admin!"

 current_realm_clients: [
  {
--- a/roles/gitea_realm/tasks/main.yml
+++ b/roles/gitea_realm/tasks/main.yml
@ -11,6 +11,8 @@
  include_role:
    name: keycloak
    tasks_from: _configure_realm
+  vars:
+    current_realm_password_policy: ''

 - name: "Create realm users"
  include_role:
--- a/roles/harbor_realm/tasks/main.yml
+++ b/roles/harbor_realm/tasks/main.yml
@ -9,6 +9,8 @@
  include_role:
    name: keycloak
    tasks_from: _configure_realm
+  vars:
+    current_realm_password_policy: ''

 - name: "Create realm users"
  include_role:
@ -36,4 +38,4 @@
    destination_group: '{{ item.destination_group }}'
  loop: "{{ current_user_groupmembership }}"
  loop_control:
-    label: "{{ item.username }} >> {{ item.destination_group }}"
+    label: "{{ item.username }} >> {{ item.destination_group }}"
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@ -19,6 +19,7 @@
    duplicate_emails_allowed: yes
    internationalization_enabled: yes
    default_locale: "de"
+    password_policy: "{{ current_realm_password_policy | default('forceExpiredPasswordChange(60) and passwordHistory(3) and length(8) and notUsername(undefined) and upperCase(2) and lowerCase(2) and specialChars(2) and digits(1)') }}"
    supported_locales:
    - "de"
    - "en"
--- a/roles/kubernetes/argocd/tasks/main.yml
+++ b/roles/kubernetes/argocd/tasks/main.yml
@ -18,6 +18,7 @@
    current_realm_name: '{{ argo_realm_name }}'
    current_realm_display_name: '{{ argo_realm_display_name }}'
    create_client: False
+    current_realm_password_policy: ''
  when:
  - inventory_hostname == groups['kube_control_plane'][0]
  args:
--- a/roles/workflow_proxy_realm/tasks/main.yml
+++ b/roles/workflow_proxy_realm/tasks/main.yml
@ -11,6 +11,8 @@
  include_role:
    name: keycloak
    tasks_from: _configure_realm
+  vars:
+    current_realm_password_policy: ''

 - name: "Create realm users"
  include_role: