2 changes: 1 addition & 1 deletion infra/ansible/group_vars/all/all.yml
Expand Up @@ -33,7 +33,7 @@ keycloak_realm:
display_name: "ISIS Analytics Data Platform"
keycloak_realm_url: "{{ keycloak_url }}/realms/{{ keycloak_realm.name }}"
keycloak_bootstrap:
admin_user: "{{ secrets_keycloak['bootstrap_admin_user'] }}"
admin_user: "temp-admin"
admin_password: "{{ secrets_keycloak['bootstrap_admin_password'] }}"

lakekeeper_base_path: /iceberg
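Review bot: The added `admin_user: "temp-admin"` is a value that must agree with something outside this file, and nothing here records that: the same commit drops `--username={{ keycloak_bootstrap.admin_user }}` from the bootstrap-admin invocation in roles/keycloak/tasks/main.yml, so the account name is now whatever the Keycloak bootstrap-admin command assigns when no username is passed, and the later Create/Disable tasks authenticate as and act on this name. A comment above the line, such as `# Must match the default username the bootstrap-admin user command assigns when --username is omitted (see roles/keycloak/tasks/main.yml)`, would keep a later edit to either side from silently desynchronising them. Sourcing the password from secrets while hard-coding the username is reasonable, but the coupling should be visible where the value lives.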
4 changes: 4 additions & 0 deletions infra/ansible/group_vars/keycloak.yml
Expand Up @@ -5,6 +5,10 @@ keycloak_db_name: "{{ secrets_keycloak['db_name'] }}"
keycloak_db_user: "{{ secrets_keycloak['db_user'] }}"
keycloak_db_password: "{{ secrets_keycloak['db_password'] }}"

keycloak_local_admin:
user: "{{ secrets_keycloak['master_local_admin_user'] }}"
password: "{{ secrets_keycloak['master_local_admin_password'] }}"

# Eveything is assigned to the realm defined by keycloak_realm.name in all/all.yml
keycloak_client_scopes:
- name: lakekeeper
70 changes: 68 additions & 2 deletions infra/ansible/roles/keycloak/tasks/main.yml
Expand Up @@ -44,6 +44,24 @@
path: "{{ keycloak_working_dir }}"
rebuild: always

- name: Check if we need to bootstrap an admin
no_log: "{{ not (keycloak_bootstrap_logging | default(false)) }}"
ansible.builtin.uri:
url: "{{ keycloak_url }}/realms/master/protocol/openid-connect/token"
method: POST
body_format: form-urlencoded
body:
client_id: "admin-cli"
username: "{{ keycloak_local_admin.user }}"
password: "{{ keycloak_local_admin.password }}"
grant_type: "password"
ignore_errors: true
register: keycloak_token_response

- name: Set admin required fact
ansible.builtin.set_fact:
local_admin_user_exists: "{{ keycloak_token_response['status'] == 200 }}"

- name: Bootstrap Keycloak admin
no_log: "{{ not (keycloak_bootstrap_logging | default(false)) }}"
community.docker.docker_container:
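Review bot: The `local_admin_user_exists` fact set from `keycloak_token_response['status'] == 200` cannot distinguish "the local admin does not exist" from "Keycloak is not reachable": any non-200 outcome of the token request, including a transport failure when the container is not up at this point (the Run Keycloak task comes later in this file, and the uri module reports a negative status rather than failing on connection errors), yields false and re-triggers the bootstrap-admin container plus the Create/Assign/Disable tasks further down that are gated on the same fact. On a rerun against a database that already holds both accounts that is at best wasted work and, depending on how bootstrap-admin treats an existing user, possibly a failing play, which the `ignore_errors: true` here does not cover because the failure would occur in a later task. Consider replacing `ignore_errors: true` with `status_code: [200, 401]` and `failed_when: false` so that only an explicit authentication failure is read as "bootstrap required", and establishing reachability separately (a health probe registered before this task, or running the check after the server is started if the bootstrap command permits that) so an unreachable server aborts or skips instead of being read as a fresh install. The `no_log` expression used here is also the one most of the new tasks use, while Create permanent admin user hard-codes `no_log: true`; aligning them would make the logging toggle behave predictably.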
Expand All @@ -53,7 +71,6 @@
[
"bootstrap-admin",
"user",
"--username={{ keycloak_bootstrap.admin_user }}",
"--password:env=KC_BOOTSTRAP_ADMIN_PASSWORD",
"--optimized",
"--no-prompt",
Expand All @@ -69,6 +86,7 @@
KC_DB_URL: "jdbc:postgresql://{{ keycloak_db_host }}:{{ keycloak_db_port }}/{{ keycloak_db_name }}"
KC_DB_USERNAME: "{{ keycloak_db_user }}"
KC_DB_PASSWORD: "{{ keycloak_db_password }}"
when: not local_admin_user_exists

- name: Run Keycloak
community.docker.docker_container:
Expand Down Expand Up @@ -105,6 +123,54 @@
timeout: 2s
retries: 15

- ansible.builtin.import_tasks: setup-realm.yml
# Configure master realm admin
- name: Create permanent admin user
no_log: true
community.general.keycloak_user:
auth_keycloak_url: "{{ keycloak_url }}"
auth_realm: master
auth_username: "{{ keycloak_bootstrap.admin_user }}"
auth_password: "{{ keycloak_bootstrap.admin_password }}"
realm: master
username: "{{ keycloak_local_admin.user }}"
enabled: true
emailVerified: true
credentials:
- type: password
value: "{{ keycloak_local_admin.password }}"
temporary: false
state: present
register: kc_new_admin
when: not local_admin_user_exists

- name: Assign admin realm role to permanent user
no_log: "{{ not (keycloak_bootstrap_logging | default(false)) }}"
community.general.keycloak_user_rolemapping:
auth_keycloak_url: "{{ keycloak_url }}"
auth_realm: master
auth_username: "{{ keycloak_bootstrap.admin_user }}"
auth_password: "{{ keycloak_bootstrap.admin_password }}"
realm: master
uid: "{{ kc_new_admin.end_state.id }}"
roles:
- name: "admin"
state: present
when: not local_admin_user_exists

- name: Disable temp-admin bootstrap account
no_log: "{{ not (keycloak_bootstrap_logging | default(false)) }}"
community.general.keycloak_user:
auth_keycloak_url: "{{ keycloak_url }}"
auth_realm: "master"
auth_username: "{{ keycloak_local_admin.user }}"
auth_password: "{{ keycloak_local_admin.password }}"
realm: master
username: "{{ keycloak_bootstrap.admin_user }}"
enabled: false
state: present
when: not local_admin_user_exists

# Configure custom realm
- ansible.builtin.import_tasks: setup-target-realm.yml
vars:
target_realm: "{{ keycloak_realm.name }}"
4 changes: 2 additions & 2 deletions infra/ansible/roles/keycloak/tasks/setup-ldap.yml
Expand Up @@ -4,8 +4,8 @@
auth_client_id: admin-cli
auth_keycloak_url: "{{ keycloak_url }}"
auth_realm: master
auth_username: "{{ keycloak_bootstrap.admin_user }}"
auth_password: "{{ keycloak_bootstrap.admin_password }}"
auth_username: "{{ keycloak_local_admin.user }}"
auth_password: "{{ keycloak_local_admin.password }}"
realm: "{{ target_realm }}"
name: "STFC LDAP"
state: present
Expand Up @@ -6,8 +6,8 @@
auth_client_id: admin-cli
auth_keycloak_url: "{{ keycloak_url }}"
auth_realm: master
auth_username: "{{ keycloak_bootstrap.admin_user }}"
auth_password: "{{ keycloak_bootstrap.admin_password }}"
auth_username: "{{ keycloak_local_admin.user }}"
auth_password: "{{ keycloak_local_admin.password }}"
when: false

- name: Create Keycloak realm
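Review bot: The credentials swapped in on the two added lines belong to a task that is still guarded by `when: false` on the context line immediately below, so the change is to a task that never runs; the task's name and module are above the hunk and not visible here. If the task is intentionally parked, a comment stating why (or removing it) is preferable to maintaining credential plumbing in dead code; if it is meant to run, the guard rather than the auth settings is the real defect. Either way this is worth deciding in the same change that touches its credentials.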
Expand Up @@ -9,7 +9,7 @@ renamed as (
select

date_time as power_measured_at,
isis_elec_total_power_mwx as total_isis_power_mw
isis_elec_total_power_mw as total_isis_power_mw

from source
