Skip to content

Commit

Permalink
Configure temporary access to the Keycloak admin interface as long as…
Browse files Browse the repository at this point in the history
… he_pause_host is set to true

Resolve issue: oVirt/ovirt-engine-keycloak#54

Signed-off-by: Denis Kvist <[email protected]>
  • Loading branch information
Denis Kvist committed Dec 19, 2024
1 parent 18107de commit 8636773
Show file tree
Hide file tree
Showing 4 changed files with 143 additions and 0 deletions.
49 changes: 49 additions & 0 deletions roles/hosted_engine_setup/files/keycloak_he_pause_host.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
#!/bin/bash

# This file is a part of the hosted-engine deployment process
# The goal is to add a temporary URI to the ovirt-engine-internal client, and return the original value on the second pass.

# KEYCLOAK_URL get from ENV: "https://{{ he_fqdn }}/ovirt-engine-auth"
# HOST_FQDN get from ENV: "{{ he_host_name }}"
# PASSWORD get from ENV: "{{ he_admin_password }}"

KEYCLOAK_REALM=ovirt-internal
KEYCLOAK_CLIENT_ID=ovirt-engine-internal
USERNAME="admin"
REDIRECT_URIS_TMPFILE=/tmp/keycloak_redirect_uris.tmp

TKN=$(curl --insecure --silent -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
--header "content-type: application/x-www-form-urlencoded" \
--data-urlencode "client_id=admin-cli" \
--data-urlencode "username=${USERNAME}" \
--data-urlencode "password=${PASSWORD}" \
--data-urlencode "grant_type=password" | jq --raw-output '.access_token' )

CLIENT_DATA=$(curl --insecure --silent -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/clients?clientId=${KEYCLOAK_CLIENT_ID}" \
--header "Accept: application/json" \
--header "Authorization: Bearer $TKN")

CLIENT_ID=$(echo $CLIENT_DATA | jq -r '.[0].id')

if [ -f "$REDIRECT_URIS_TMPFILE" ]; then
# Second pass
# Restore original redirectUris parameters
NEW_URI=$(<$REDIRECT_URIS_TMPFILE)
UPDATED_CLIENT_DATA=$(echo $CLIENT_DATA | jq --argjson new_uri "$NEW_URI" '.[0] | .redirectUris = $new_uri')
rm -rf $REDIRECT_URIS_TMPFILE
else
# First pass
# Save original redirectUris parameters
REDIRECT_URIS=$(echo $CLIENT_DATA | jq -r '.[0].redirectUris')
echo "$REDIRECT_URIS" > $REDIRECT_URIS_TMPFILE

# Add a temporary URI to redirectUris
NEW_URI="https://${HOST_FQDN}:6900*"
UPDATED_CLIENT_DATA=$(echo $CLIENT_DATA | jq --arg new_uri "$NEW_URI" '.[0] | .redirectUris += [$new_uri]')
fi

# Update client data
curl --insecure --silent --http1.0 -X PUT "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/clients/${CLIENT_ID}" \
--header "Authorization: Bearer $TKN" \
--header "Content-Type: application/json" \
--data-raw "$UPDATED_CLIENT_DATA"
14 changes: 14 additions & 0 deletions roles/hosted_engine_setup/tasks/bootstrap_local_vm/05_add_host.yml
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,13 @@
loop_control:
loop_var: after_add_host_item
register: include_after_add_host_results
- name: Configure the Keycloak to be accessed over the first host
block:
- include_tasks: ../keycloak_config_for_he_pause_host.yml
when:
- he_pause_host|bool
- he_enable_keycloak|bool
delegate_to: "{{ groups.engine[0] }}"
- name: Pause the execution to let the user interactively reconfigure the host
block:
- name: Let the user connect to the bootstrap engine VM to manually fix host configuration
Expand All @@ -130,6 +137,13 @@
eventually remediate it, please continue only when the host is listed as 'up'
- include_tasks: ../pause_execution.yml
when: he_pause_host|bool
- name: Configure the Keycloak to be accessed over the Engine FQDN
block:
- include_tasks: ../keycloak_restore_after_he_pause_host.yml
when:
- he_pause_host|bool
- he_enable_keycloak|bool
delegate_to: "{{ groups.engine[0] }}"
# refresh the auth token after a long operation to avoid having it expired
- include_tasks: ../auth_revoke.yml
- include_tasks: ../auth_sso.yml
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
- name: Configure Apache
block:
- name: Replace OIDCProviderMetadataURL value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCProviderMetadataURL https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_host_address }}:6900\g<2>'
- name: Replace OIDCRedirectURI value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCRedirectURI https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_host_address }}:6900\g<2>'
- name: Replace OIDCDefaultURL value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCDefaultURL https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_host_address }}:6900\g<2>'
- name: Replace OIDCOAuthIntrospectionEndpoint value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCOAuthIntrospectionEndpoint https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_host_address }}:6900\g<2>'
- name: Configure Keycloak
block:
- name: Copy keycloak_he_pause_host.sh
ansible.builtin.copy:
src: /usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/files/keycloak_he_pause_host.sh
dest: /tmp/keycloak_he_pause_host.sh
mode: '0644'
- name: Run keycloak_he_pause_host.sh
shell: /bin/bash /tmp/keycloak_he_pause_host.sh
environment:
KEYCLOAK_URL: "https://{{ he_fqdn }}/ovirt-engine-auth"
HOST_FQDN: "{{ he_host_name }}"
PASSWORD: "{{ he_admin_password }}"
- name: Restart httpd service
ansible.builtin.service:
name: httpd
state: restarted
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
- name: Configure Apache
block:
- name: Restore original OIDCProviderMetadataURL value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCProviderMetadataURL https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_fqdn }}\g<2>'
- name: Restore original OIDCRedirectURI value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCRedirectURI https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_fqdn }}\g<2>'
- name: Restore original OIDCDefaultURL value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCDefaultURL https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_fqdn }}\g<2>'
- name: Restore original OIDCOAuthIntrospectionEndpoint value
ansible.builtin.replace:
path: /etc/httpd/conf.d/internalsso-openidc.conf
regexp: '(^\s+OIDCOAuthIntrospectionEndpoint https:\/\/).+(\/ovirt-engine.*)'
replace: '\g<1>{{ he_fqdn }}\g<2>'
- name: Configure Keycloak
block:
- name: Copy keycloak_he_pause_host.sh
ansible.builtin.copy:
src: /usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/files/keycloak_he_pause_host.sh
dest: /tmp/keycloak_he_pause_host.sh
mode: '0644'
- name: Run keycloak_he_pause_host.sh
shell: /bin/bash /tmp/keycloak_he_pause_host.sh
environment:
KEYCLOAK_URL: "https://{{ he_fqdn }}/ovirt-engine-auth"
HOST_FQDN: "{{ he_host_name }}"
PASSWORD: "{{ he_admin_password }}"
- name: Restart httpd service
ansible.builtin.service:
name: httpd
state: restarted

0 comments on commit 8636773

Please sign in to comment.