Add Keycloak setup to featureset039
featureset039 is primarily used when TLS everywhere, novajoin and IPA are needed. We want to round out this functionality with support for federated authentication by installing the Keycloak IdP on the supplemental node. The keycloak-setup role is being added in tripleo-quickstart-extras; as a consequence, those patches appear in that repository rather than here. This patch adds the necessary configuration parameters to featureset039 to invoke the keycloak-setup role in tripleo-quickstart-extras and adds a dependency in quickstart-extras-requirements.txt on an Ansible role (nkinder.keycloak) used to install Keycloak. Partial-Bug: 1836415 Change-Id: I59eaa2dfe7b5a3a16be18ec5d3cc03f1e68a2661 Signed-off-by: John Dennis <jdennis@redhat.com>
parent
88b75a410d
commit
98d7a4a9cd
@ -185,3 +185,46 @@ supplemental_image_url: https://cloud.centos.org/centos/7/images/CentOS-7-x86_64
|
|||
undercloud_custom_env_files: "{{ working_dir }}/undercloud-parameter-defaults.yaml"
|
||||
undercloud_resource_registry_args:
|
||||
"OS::TripleO::Undercloud::Net::SoftwareConfig": "{{ undercloud_templates_path }}/net-config-undercloud.yaml"
|
||||
|
||||
### Keycloak IdP ###
|
||||
|
||||
# Turn on federation support
|
||||
enable_federation: true
|
||||
|
||||
# For simplicity in development and testing scenarios share the admin
|
||||
# password with IPA. Do not do this in a production environment!
|
||||
keycloak_admin_password: "{{ freeipa_admin_password }}"
|
||||
|
||||
# Locate the Keycloak cert/key on the supplemental node, this offers
|
||||
# the potential for certmonger to manage cert renewal and simplifies
|
||||
# obtaining the cert from IPA.
|
||||
keycloak_tls_files_on_target: true
|
||||
|
||||
# Download the keycloak archive directly to the supplemental node as
|
||||
# opposed to caching it on the host running oooq which then incurs the
|
||||
# penalty of Ansible unpacking it over a (typically) slow SSH connection.
|
||||
keycloak_archive_on_target: true
|
||||
|
||||
# Both the PKI certificate server in IPA and Keycloak default their
|
||||
# http and https port to 8080 and 8443 respectively. Because IPA is
|
||||
# installed first ports 8080 and 8443 are already in use, bump the
|
||||
# Keycloak ports by 1 to avoid port conflicts.
|
||||
keycloak_http_port: 8081
|
||||
keycloak_https_port: 8444
|
||||
|
||||
# IPA installs first on the supplemental and does not enable the
|
||||
# firewall. If keycloak were to install later and enabled the
|
||||
# firewall opening only the Keycloak ports then the IPA ports would
|
||||
# be blocked. Therefore turn off Keycloak's configuration of the
|
||||
# firewall. The IPA install should enable the firewall but when this
|
||||
# was attempted a bug in Ansible prevented it from working. If the IPA
|
||||
# install gains the ability to enable the firewall then
|
||||
# keycloak_configure_firewall should be turned on.
|
||||
keycloak_configure_firewall: false
|
||||
|
||||
# Limit the JVM max heap size to 512 MB
|
||||
keycloak_java_opts: "-Xms64m -Xmx512m"
|
||||
|
||||
# Extend the CLI connect timeout to account for slow startup of Keycloak
|
||||
# with our small heap size.
|
||||
keycloak_jboss_config_connect_timeout: 90000
|
||||
|
|
|
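Review bot: `keycloak_http_port: 8081` opens a plaintext HTTP listener on the supplemental node, and with `keycloak_configure_firewall: false` nothing in this featureset restricts who can reach it; for a featureset whose purpose is TLS everywhere, the ports stanza should state that 8081 is plaintext and that federation consumers must use the HTTPS port only. Suggested comment above `keycloak_http_port`: `# 8081 is plaintext HTTP; federation endpoints must be consumed via the HTTPS port (8444) only.` The firewall comment cites "a bug in Ansible" without a reference; linking the bug or a tracking issue would tell the next maintainer when `keycloak_configure_firewall` can be turned back on. Whether the nkinder.keycloak role still binds 8081 when only the HTTPS port is wanted cannot be told from this hunk and is worth confirming.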
@ -5,3 +5,8 @@ git+https://opendev.org/openstack/openstack-ansible-os_tempest/#egg=openstack-an
|
|||
git+https://opendev.org/openstack/ansible-role-python_venv_build/#egg=ansible-role-python_venv_build
|
||||
git+https://opendev.org/openstack/ansible-config_template/#egg=ansible-config_template
|
||||
git+https://opendev.org/openstack/ansible-role-collect-logs/#egg=ansible-role-collect-logs
|
||||
# let's experiment with an alternative method to include the role
|
||||
# See:
|
||||
# https://review.opendev.org/673926
|
||||
# https://review.rdoproject.org/r/21670
|
||||
# git+https://github.com/nkinder/ansible-keycloak
|
||||
|
|
|
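Review bot: The only dependency line added, `# git+https://github.com/nkinder/ansible-keycloak`, is commented out, so this file does not actually pull in the role the commit message says it adds; either the line should be active or the message should say the role is installed by the linked reviews instead. If the line is enabled, pin it to a commit, e.g. `git+https://github.com/nkinder/ansible-keycloak@<sha>#egg=ansible-keycloak`, rather than tracking the default branch of a personal GitHub repository, since this file is consumed by CI and an unpinned URL lets any push to that repository change what runs. The surrounding opendev.org entries are also unpinned, so this follows existing practice, but a third-party personal host is a larger supply-chain exposure than the project's own forge.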
@ -88,7 +88,7 @@ virsh vol-upload --pool $POOL_NAME $IMG_NAME $VMIMGIPA
|
|||
virt-install \
|
||||
--import \
|
||||
--name ipa \
|
||||
--ram 8086 \
|
||||
--ram 10240 \
|
||||
--disk path=$VOL_IMG_PATH,format=qcow2 \
|
||||
--vcpus 4 \
|
||||
--os-type linux \
|
||||
|
|
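Review bot: The `--ram` increase from 8086 to 10240 is explained neither in the script nor in the commit message; presumably it is to fit Keycloak (`-Xmx512m` in featureset039) alongside IPA on the same VM, but that is inferred. A one-line comment above the flag, `# 10 GiB: IPA with its PKI subsystem plus the Keycloak JVM now share this VM`, would record the reason. The virt-install command continues outside the hunk.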