From cfce28d583b6da72f1652b38adad9ddf7a3c58b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20H=C3=A4hnel?=
Date: Tue, 24 Oct 2023 16:20:29 +0000
Subject: [PATCH] BUGFIX: grant k8s worker nodes admin access to keycloak

---
 roles/keycloak/tasks/_configure_traefik.yml | 42 ++++++++++-----------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/roles/keycloak/tasks/_configure_traefik.yml b/roles/keycloak/tasks/_configure_traefik.yml
index a56e71b..e722f9d 100644
--- a/roles/keycloak/tasks/_configure_traefik.yml
+++ b/roles/keycloak/tasks/_configure_traefik.yml
@@ -1,4 +1,24 @@
 ---
+# Neccessary for Trafik labels to allow POST method from AWX on k8s
+- name: "Get k8s_worker_node_ips"
+ block:
+ - name: "Lookup hetzner servers - smaradigo k8s worker nodes"
+ become: false
+ delegate_to: localhost
+ hcloud_server_info:
+ api_token: "{{ hetzner_authentication_ansible_vault }}"
+ label_selector: "service=kube_node,stage={{ stage }}"
+ register: found_servers
+ - name: "Initial VAR(s)"
+ set_fact:
+ k8s_worker_node_ips: []
+ - name: "Get IPs from k8s worker nodes"
+ set_fact:
+ k8s_worker_node_ips: '{{ k8s_worker_node_ips + [ item + "/32" ] }}'
+ loop: '{{ found_servers.hcloud_server_info | selectattr("ipv4_address","defined") | map(attribute="ipv4_address") }}'
+ tags:
+ - update_deployment
+
 - name: "Generate Traefik labels for custom admin access to specific realm(s)"
 ansible.builtin.set_fact:
 labels:
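Review bot: The lookup block is now ordered ahead of the label task that consumes `k8s_worker_node_ips`, but its header comment does not say that this ordering is what the fix depends on, so a later reorder would silently reintroduce the undefined-variable failure; I would rewrite the comment as `# Must run before "Generate Traefik labels" below: it defines k8s_worker_node_ips, which is added to the admin ipwhitelist sourcerange so AWX jobs on the k8s cluster can POST to the Keycloak admin API` (which also fixes "Neccessary"/"Trafik"). `selectattr("ipv4_address","defined")` only drops servers where the attribute is absent; if the hcloud module reports a node without a public IPv4 as `ipv4_address: null`, that value still counts as defined and `item + "/32"` would abort the task — I have not confirmed the module's return shape, but `selectattr("ipv4_address", "string")` would be the stricter filter. Because every matched node address ends up in an admin allow-list, a `debug: var=k8s_worker_node_ips` step after the loop would let a run log show exactly which addresses were granted.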
@@ -8,7 +28,7 @@
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls=true"'
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.tls.certresolver=letsencrypt-http"'
 - '"traefik.http.routers.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}.middlewares={{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}-ipwhitelist"'
- - '"traefik.http.middlewares.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + (keycloak_accessible_realm.admin_ips) | default([])) | join(",") }}"'
+ - '"traefik.http.middlewares.{{ keycloak_id }}-admin-{{ keycloak_accessible_realm.name }}-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + (keycloak_accessible_realm.admin_ips) | default([])) | join(",") }}"'
 loop: "{{ keycloak_admin_realm_acls }}"
 register: keycloak_accessible_realms
 loop_control:
@@ -24,23 +44,3 @@
 loop_var: keycloak_accessible_realm
 tags:
 - update_deployment
-
-# Neccessary for Trafik labels to allow POST method from AWX on k8s
-- name: "Get k8s_worker_node_ips"
- block:
- - name: "Lookup hetzner servers - smaradigo k8s worker nodes"
- become: false
- delegate_to: localhost
- hcloud_server_info:
- api_token: "{{ hetzner_authentication_ansible_vault }}"
- label_selector: "service=kube_node,stage={{ stage }}"
- register: found_servers
- - name: "Initial VAR(s)"
- set_fact:
- k8s_worker_node_ips: []
- - name: "Get IPs from k8s worker nodes"
- set_fact:
- k8s_worker_node_ips: '{{ k8s_worker_node_ips + [ item + "/32" ] }}'
- loop: '{{ found_servers.hcloud_server_info | selectattr("ipv4_address","defined") | map(attribute="ipv4_address") }}'
- tags:
- - update_deployment
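Review bot: The sourcerange on the replaced line now admits the public IPv4 of every worker node matched by `service=kube_node,stage={{ stage }}`, and because pod egress normally leaves through the node's address this admits any workload running on those nodes to the realm admin route, not only AWX; the ipwhitelist middleware is therefore no longer a per-operator control for this route, and that widening should be stated where `ip_whitelist` and `keycloak_admin_realm_acls` are documented rather than only in the comment above the lookup block. Unlike `keycloak_accessible_realm.admin_ips`, `k8s_worker_node_ips` carries no `| default([])`, so a run in which the lookup block was skipped aborts at templating instead of silently emitting a narrower allow-list; that is the right failure mode, and a comment on this line such as `# k8s_worker_node_ips is set by the lookup block above; deliberately no default so a skipped lookup fails loudly` would keep a later edit from adding one. The enclosing set_fact task starts and ends outside this hunk, and the third hunk is only the deletion of the moved block.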