You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
324 lines
9.3 KiB
YAML
324 lines
9.3 KiB
YAML
---
|
|
|
|
- name: "Do some stuff with keycloak as OIDC provider"
|
|
block:
|
|
- name: "Login with keycloak-admin"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _authenticate
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Setup keycloak-realm for argocd"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _configure_realm
|
|
vars:
|
|
current_realm_name: '{{ argo_realm_name }}'
|
|
current_realm_display_name: '{{ argo_realm_display_name }}'
|
|
create_client: False
|
|
current_realm_password_policy: ''
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Create a Keycloak group, authentication with credentials"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _create_realm_groups
|
|
vars:
|
|
current_realm_name: '{{ argo_realm_name }}'
|
|
current_realm_display_name: '{{ argo_realm_display_name }}'
|
|
current_realm_groups:
|
|
- name: "{{ argo_realm_group }}"
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Create keycloak user(s)"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _create_realm_users
|
|
vars:
|
|
current_realm_name: '{{ argo_realm_name }}'
|
|
current_realm_users: '{{ argo_realm_users }}'
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "ADD user group mapping"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _configure_user_groupmembership_crud
|
|
vars:
|
|
username: '{{ argocd_admin_username }}'
|
|
destination_group: '{{ argo_realm_group }}'
|
|
realm_name: '{{ argo_realm_name }}'
|
|
bearer_token: '{{ access_token }}'
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Create keycloak clientscope"
|
|
delegate_to: localhost
|
|
become: False
|
|
community.general.keycloak_clientscope:
|
|
auth_client_id: admin-cli
|
|
auth_keycloak_url: "{{ keycloak_server_url }}/auth"
|
|
auth_realm: 'master'
|
|
auth_username: "{{ keycloak_admin_username }}"
|
|
auth_password: "{{ keycloak_admin_password }}"
|
|
name: '{{ argo_keycloak_clientscope_name }}'
|
|
realm: '{{ argo_realm_name }}'
|
|
protocol: '{{ argo_keycloak_clientscope_protocol }}'
|
|
protocol_mappers:
|
|
- config:
|
|
access.token.claim: True
|
|
claim.name: '{{ argo_keycloak_clientscope_name }}'
|
|
full.path: False # set it to true and you will be DAMNED => groupname for argo k8s configmap argocd-rbac-cm will be "/{{ group_name }}" !!!! instead of "{{ group_name }}"
|
|
id.token.claim: True
|
|
userinfo.token.claim: True
|
|
name: '{{ argo_keycloak_clientscope_name }}'
|
|
protocol: openid-connect
|
|
protocolMapper: oidc-group-membership-mapper
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
# using template from exported keycloak client object
|
|
# due to needed params but missing in community.general.keycloak_client
|
|
# e.g. defaultClientScopes
|
|
- name: "Create json object as VAR from template"
|
|
set_fact:
|
|
keycloak_realm_create_client: "{{ lookup('template','keycloak-realm-create-client-argocd.json.j2') }}"
|
|
vars:
|
|
client_redirect_uri: '{{ argo_client_redirect_uris }}'
|
|
client_web_origins: '{{ argo_client_web_origins }}'
|
|
client_id: '{{ argo_client_id }}'
|
|
realm_name: '{{ argo_realm_name }}'
|
|
client_root_url: '{{ argo_client_root_url }}'
|
|
client_admin_url: '{{ argo_client_admin_url }}'
|
|
client_base_url: '{{ argo_client_base_url }}'
|
|
keycloak_clientscope_name: '{{ argo_keycloak_clientscope_name }}'
|
|
keycloak_clientscope_protocol: '{{ argo_keycloak_clientscope_protocol }}'
|
|
keycloak_client_secret: '{{ argo_keycloak_client_secret }}'
|
|
tags:
|
|
- argo-cd
|
|
|
|
# throw needed VARs against keycloak API
|
|
# to CRUD
|
|
- name: "Create client"
|
|
include_role:
|
|
name: keycloak
|
|
tasks_from: _configure_client_crud
|
|
vars:
|
|
client_id: '{{ argo_client_id }}'
|
|
realm_name: '{{ argo_realm_name }}'
|
|
keycloak_client_object: '{{ keycloak_realm_create_client }}'
|
|
bearer_token: '{{ access_token }}'
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
args:
|
|
apply:
|
|
tags:
|
|
- argo-cd
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "GET available clients from <<{{ argo_realm_name }}>>-realm"
|
|
delegate_to: localhost
|
|
become: False
|
|
uri:
|
|
url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients"
|
|
method: GET
|
|
headers:
|
|
Content-Type: "application/json"
|
|
Authorization: "Bearer {{ access_token }}"
|
|
status_code: [200]
|
|
register: argo_realm_clients
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
# available clients: get needed ID
|
|
- name: "Get ID of client by paring argo_realm_clients object"
|
|
set_fact:
|
|
id_of_client: '{{ ( argo_realm_clients.json | selectattr("clientId","equalto",argo_client_id ) | first ).id }}'
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "GET client-secret for client <<{{ argo_client_id }}>> in realm <<{{ argo_realm_name }}>>"
|
|
delegate_to: localhost
|
|
become: False
|
|
uri:
|
|
url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients/{{ id_of_client }}/client-secret"
|
|
method: GET
|
|
headers:
|
|
Content-Type: "application/json"
|
|
Authorization: "Bearer {{ access_token }}"
|
|
status_code: [200]
|
|
register: client_secret
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "DEBUG"
|
|
debug:
|
|
msg: "DEBUGGING: {{ client_secret.json.value }}"
|
|
when:
|
|
- debug
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
when:
|
|
- k8s_argocd_with_keycloak
|
|
# end of block statement
|
|
|
|
- name: "Create namespace <{{ k8s_argocd_helm__release_namespace }}>"
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
name: "{{ k8s_argocd_helm__release_namespace }}"
|
|
api_version: v1
|
|
kind: Namespace
|
|
state: present
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Create a k8s Secret containing GPG key"
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
state: present
|
|
definition:
|
|
apiVersion: v1
|
|
data:
|
|
gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private | string | b64encode }}'
|
|
kind: Secret
|
|
metadata:
|
|
name: sops-gpg
|
|
namespace: '{{ k8s_argocd_helm__release_namespace }}'
|
|
type: Opaque
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Create VAR to overwrite specific helm value - prepare combining dicts"
|
|
set_fact:
|
|
additional_helm_values:
|
|
configs:
|
|
secret:
|
|
extra:
|
|
oidc.keycloak.clientSecret: '{{ client_secret.json.value }}'
|
|
when:
|
|
- k8s_argocd_with_keycloak
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "Combining helm release values"
|
|
set_fact:
|
|
combined_helm__release_values: '{{ k8s_argocd_helm__release_values | combine(additional_helm_values| default({}), recursive=True) }}'
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: "DEBUG"
|
|
debug:
|
|
msg: "DEBUGGING: {{ combined_helm__release_values }}"
|
|
when:
|
|
- debug
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: Deploy argo-cd inside argo-cd namespace
|
|
become: yes
|
|
kubernetes.core.helm:
|
|
name: "{{ k8s_argocd_helm__name }}"
|
|
chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
|
|
chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
|
|
release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
|
|
chart_version: 5.6.0
|
|
create_namespace: yes
|
|
release_values: "{{ combined_helm__release_values }}"
|
|
when:
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: Setup gitea Secret
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
state: present
|
|
template: 'gitea-secret.j2'
|
|
when:
|
|
- argocd_bootstrap_infrastructure
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: Setup Harbor Secret
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
state: present
|
|
template: 'harbor-secret.j2'
|
|
when:
|
|
- argocd_bootstrap_infrastructure
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: Setup argo-cd application for bootstrap
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
state: present
|
|
template: 'bootstrap-application.j2'
|
|
when:
|
|
- argocd_bootstrap_infrastructure
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|
|
|
|
- name: Setup argo-cd infrastructure project
|
|
become: yes
|
|
kubernetes.core.k8s:
|
|
state: present
|
|
template: 'project-infrastructure.j2'
|
|
when:
|
|
- argocd_bootstrap_infrastructure
|
|
- inventory_hostname == groups['kube_control_plane'][0]
|
|
tags:
|
|
- argo-cd
|