Add Keycloak setup to featureset039

featureset039 is primarily used when TLS everywhere, novajoin and IPA
are needed. We want to round out this functionality with support for
federated authentication by installing the Keycloak IdP on the
supplemental node. The keycloak-setup role is being added in
tripleo-quickstart-extras as a consequence those patches appear
elsewhere in a different repository.

This patch adds the necessary configuration parameters to
featureset039 to invoke the keycloak-setup role in
tripleo-quickstart-extras and adds a dependency in
quickstart-extras-requirements.txt on an Ansible role
(nkinder.keycloak) used to install Keycloak.

Partial-Bug: 1836415

Change-Id: I59eaa2dfe7b5a3a16be18ec5d3cc03f1e68a2661
Signed-off-by: John Dennis <jdennis@redhat.com>

config/general_config/featureset039.yml

@@ -185,3 +185,46 @@ supplemental_image_url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64
 undercloud_custom_env_files: "{{ working_dir }}/undercloud-parameter-defaults.yaml"
 undercloud_resource_registry_args:
   "OS::TripleO::Undercloud::Net::SoftwareConfig": "{{ undercloud_templates_path }}/net-config-undercloud.yaml"
+
+### Keycloak IdP ###
+
+# Turn on federation support
+enable_federation: true
+
+# For simplicity in development and testing scenarios share the admin
+# password with IPA. Do not do this in a production environment!
+keycloak_admin_password: "{{ freeipa_admin_password }}"
+
+# Locate the Keycloak cert/key on the supplemental node, this offers
+# the potential for certmonger to manage cert renewal and simplifies
+# obtaining the cert from IPA.
+keycloak_tls_files_on_target: true
+
+# Download the keycloak archive directly to the supplemental node as
+# opposed to caching it on the host running oooq which then incurs the
+# penalty of Ansible unpacking it over a (typically) slow SSH connection.
+keycloak_archive_on_target: true
+
+# Both the PKI certificate server in IPA and Keycloak default their
+# http and https port to 8080 and 8443 respectively. Because IPA is
+# installed first ports 8080 and 8443 are already in use, bump the
+# Keycloak ports by 1 to avoid port conflicts.
+keycloak_http_port: 8081
+keycloak_https_port: 8444
+
+# IPA installs first on the supplemental and does not enable the
+# firewall. If keycloak were to install later and enabled the
+# firewall opening only the Keycloak ports then the IPA ports would
+# be blocked. Therefore turn off Keycloak's configuration of the
+# firewall. The IPA install should enable the firewall but when this
+# was attempted a bug in Ansible prevented it from working. If the IPA
+# install gains the ability to enable the firewall then
+# keycloak_configure_firewall should be turned on.
+keycloak_configure_firewall: false
+
+# Limit the JVM max heap size to 512 MB
+keycloak_java_opts: "-Xms64m -Xmx512m"
+
+# Extend the CLI connect timeout to account for slow startup of Keycloak
+# with our small heap size.
+keycloak_jboss_config_connect_timeout: 90000

quickstart-extras-requirements.txt

@@ -5,3 +5,8 @@ git+https://opendev.org/openstack/openstack-ansible-os_tempest/#egg=openstack-an
 git+https://opendev.org/openstack/ansible-role-python_venv_build/#egg=ansible-role-python_venv_build
 git+https://opendev.org/openstack/ansible-config_template/#egg=ansible-config_template
 git+https://opendev.org/openstack/ansible-role-collect-logs/#egg=ansible-role-collect-logs
+# let's experiment with an alternative method to include the role
+# See:
+# https://review.opendev.org/673926
+# https://review.rdoproject.org/r/21670
+# git+https://github.com/nkinder/ansible-keycloak

roles/libvirt/setup/supplemental/templates/tls_everywhere_provisioner.sh.j2

@@ -88,7 +88,7 @@ virsh vol-upload --pool $POOL_NAME $IMG_NAME $VMIMGIPA
 virt-install \
     --import \
     --name ipa \
-    --ram 8086 \
+    --ram 10240 \
     --disk path=$VOL_IMG_PATH,format=qcow2 \
     --vcpus 4 \
     --os-type linux \