# federation

This role sets up OpenStack Keystone federation with Keycloak (Red Hat SSO) as the Identity Provider.

## Overview

The federation role configures:

- Keycloak realm(s) with test users and groups
- Keystone Identity Provider and protocol configuration
- OIDC authentication for OpenStack CLI
- Comprehensive authentication testing
## Supported OIDC Authentication Methods

This role supports testing all OIDC authentication methods available in keystoneauth1:

| Plugin Name | Description | Status |
|---|---|---|
| `v3oidcpassword` | Resource Owner Password Credentials flow | ✅ Supported |
| `v3oidcclientcredentials` | Client Credentials flow | ✅ Supported |
| `v3oidcaccesstoken` | Reuse existing access token | ✅ Supported |
| `v3oidcauthcode` | Authorization Code flow | ✅ Supported |
| `v3oidcdeviceauthz` | Device Authorization flow (RFC 8628) | ⚠️ Requires Python 3.10+ |
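As an added example (not code from the federation role or from keystoneauth1), the snippet below assembles the `OS_*` environment the openstack CLI needs for each plugin in the table, refuses to build a configuration that is missing an option the plugin cannot work without, and gates `v3oidcdeviceauthz` on the interpreter version the Notes section describes. The Keystone URL, Keycloak URL, realm, IdP name and client values are constructed placeholders; the option-to-variable names (`client-id` to `OS_CLIENT_ID` and so on) follow keystoneauth1's loader naming as the author of this example understands it.

```python
"""Added example (not code from the federation role): assemble and sanity-check
the OS_* environment that the openstack CLI needs for each keystoneauth1 OIDC
plugin listed above, and gate v3oidcdeviceauthz on the interpreter version the
Notes section describes. Endpoint, realm, IdP and client values below are
constructed placeholders; the role renders the real ones from its variables."""
import shlex
import sys

# Constructed placeholders (assumptions, not the role's defaults).
KEYSTONE_AUTH_URL = "https://keystone.example.test/v3"
KEYCLOAK_URL = "https://keycloak.example.test"
KEYCLOAK_REALM = "openstack"
IDP_NAME = "keycloak"
PROTOCOL = "openid"

# Settings shared by every OIDC plugin: where Keystone is, which IdP/protocol
# objects the role created, and the OIDC discovery document keystoneauth1 uses
# to locate the token endpoint.
COMMON_ENV = {
    "OS_AUTH_TYPE": None,  # filled in per plugin
    "OS_AUTH_URL": KEYSTONE_AUTH_URL,
    "OS_IDENTITY_PROVIDER": IDP_NAME,
    "OS_PROTOCOL": PROTOCOL,
    "OS_DISCOVERY_ENDPOINT": f"{KEYCLOAK_URL}/realms/{KEYCLOAK_REALM}/.well-known/openid-configuration",
}

# Extra options each plugin cannot work without, in keystoneauth1's OS_* naming
# (assumed mapping: option "client-id" -> OS_CLIENT_ID, "code" -> OS_CODE, ...).
PLUGIN_REQUIRED = {
    "v3oidcpassword": ("OS_CLIENT_ID", "OS_CLIENT_SECRET", "OS_USERNAME", "OS_PASSWORD"),
    "v3oidcclientcredentials": ("OS_CLIENT_ID", "OS_CLIENT_SECRET"),
    "v3oidcaccesstoken": ("OS_ACCESS_TOKEN",),
    "v3oidcauthcode": ("OS_CLIENT_ID", "OS_CLIENT_SECRET", "OS_REDIRECT_URI", "OS_CODE"),
    "v3oidcdeviceauthz": ("OS_CLIENT_ID", "OS_CLIENT_SECRET"),
}

# Values that must not end up in logs or in a printed environment dump.
SECRET_KEYS = {"OS_CLIENT_SECRET", "OS_PASSWORD", "OS_ACCESS_TOKEN", "OS_CODE"}


def plugin_available(auth_type, version_info=sys.version_info):
    """Return True if keystoneauth1 on this interpreter ships the plugin.

    Encodes the Notes caveat: v3oidcdeviceauthz needs Python 3.10+, which is
    why it is unavailable on OSP18's Python 3.9.
    """
    if auth_type not in PLUGIN_REQUIRED:
        return False
    if auth_type == "v3oidcdeviceauthz":
        return tuple(version_info[:2]) >= (3, 10)
    return True


def build_env(auth_type, **values):
    """Merge the common settings with plugin-specific values.

    Raises ValueError naming every missing option, so a test that forgot the
    client secret fails here instead of as an unexplained 401 from Keycloak.
    """
    if auth_type not in PLUGIN_REQUIRED:
        raise ValueError(f"unknown keystoneauth1 OIDC plugin: {auth_type}")
    env = dict(COMMON_ENV)
    env["OS_AUTH_TYPE"] = auth_type
    env.update(values)
    missing = [k for k in PLUGIN_REQUIRED[auth_type] if not env.get(k)]
    if missing:
        raise ValueError(f"{auth_type}: missing {', '.join(missing)}")
    return env


def render_exports(env):
    """Render the environment as shell 'export' lines, quoting every value so a
    secret containing quotes or spaces cannot break the script that sources it."""
    return "\n".join(f"export {k}={shlex.quote(str(v))}" for k, v in env.items())


def redacted(env):
    """Copy of the environment that is safe to print: secrets replaced by '***'."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in env.items()}


if __name__ == "__main__":
    pw_env = build_env(
        "v3oidcpassword",
        OS_CLIENT_ID="openstack-cli",   # constructed
        OS_CLIENT_SECRET="s3cr3t",      # constructed
        OS_USERNAME="kctestuser1",
        OS_PASSWORD="nomoresecrets1",
    )
    print(render_exports(redacted(pw_env)))
```

The rendered `export` lines are the shape of the per-plugin scripts described under Authentication Scripts; `redacted()` exists so that a debugging run can show which options were set without echoing the secret, the password or a bearer token.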
## Variables

### Infrastructure Configuration

| Variable | Default | Description |
|---|---|---|
| | | Kubernetes namespace for Keycloak |
| | | Kubernetes namespace for openstackclient |
| | - | Base domain for service URLs |
### Keycloak Configuration

| Variable | Default | Description |
|---|---|---|
| | | Primary Keycloak realm name |
| | | Secondary realm (multirealm mode) |
| | | Keycloak admin username |
| | | Keycloak admin password |
| | | Deploy multiple realms |
### Test Users

| Variable | Default | Description |
|---|---|---|
| | | Test user 1 username |
| | | Test user 1 password |
| | | Test user 2 username |
| | | Test user 2 password |
### Keystone Integration

| Variable | Default | Description |
|---|---|---|
| | | Identity Provider name in Keystone |
| | | Keystone domain for federated users |
| | | Keystone mapping name |
| | | Project for federated users |
| | | Group for federated users |
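The Keystone mapping named in the table is what turns a Keycloak assertion into a user in the federated domain and a member of the federated group (and, through that group's role assignment, of the project). The following is an added example, not code from the federation role: it builds mapping rules in the JSON form that `openstack mapping create --rules` accepts and applies them to a constructed OIDC claim set the way Keystone's mapping engine does. The IdP group name, domain name and group name are assumed placeholders rather than the role's defaults.

```python
"""Added example (not code from the federation role): the Keystone mapping
rules that tie the Keycloak IdP to the federated domain and group the
variables above describe, plus a small evaluator that applies them to a
constructed OIDC claim set the way Keystone's mapping engine does. The
domain, group and Keycloak-group names are assumed placeholders, not the
role's defaults."""
import json

# Assumed placeholders; the role takes the real names from its variables.
FEDERATED_DOMAIN = "SSO"
FEDERATED_GROUP = "federated_users"
REQUIRED_IDP_GROUP = "openstack-users"  # Keycloak group that must be asserted


def build_mapping_rules(domain=FEDERATED_DOMAIN, group=FEDERATED_GROUP,
                        required_idp_group=REQUIRED_IDP_GROUP):
    """Rules in the JSON form `openstack mapping create --rules` expects.

    mod_auth_openidc hands claims to Keystone as OIDC-<claim> attributes.
    The `any_one_of` condition on OIDC-groups means a Keycloak account is
    only placed in the OpenStack group (and so inherits that group's project
    roles) when the IdP asserts the expected membership; without such a
    condition every account in the realm would be mapped.
    """
    return [{
        "local": [
            {"user": {"name": "{0}", "type": "ephemeral"}},
            {"group": {"name": group, "domain": {"name": domain}}},
        ],
        "remote": [
            {"type": "OIDC-preferred_username"},
            {"type": "OIDC-groups", "any_one_of": [required_idp_group]},
        ],
    }]


def _substitute(obj, values):
    """Fill the {0}, {1}, ... placeholders inside a rule's local section."""
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    if isinstance(obj, str):
        return obj.format(*values)
    return obj


def evaluate_mapping(rules, assertion):
    """Apply the rules to an assertion ({attribute: [values]}) and return the
    merged local identity, or None when no rule matches.

    Mirrors the part of Keystone's engine used here: a plain remote entry
    supplies its first value to the next `{n}` placeholder, while an
    `any_one_of` entry is a condition only and contributes no value.
    """
    for rule in rules:
        direct_values = []
        for remote in rule["remote"]:
            values = assertion.get(remote["type"], [])
            if "any_one_of" in remote:
                if not set(values) & set(remote["any_one_of"]):
                    break  # condition failed: rule does not match
                continue
            if not values:
                break  # required attribute absent: rule does not match
            direct_values.append(values[0])
        else:
            identity = {}
            for item in _substitute(rule["local"], direct_values):
                identity.update(item)
            return identity
    return None


if __name__ == "__main__":
    rules = build_mapping_rules()
    print(json.dumps(rules, indent=2))
    # Constructed claims for the role's first test user, after Keystone has
    # split multi-valued attributes into lists.
    print(evaluate_mapping(rules, {"OIDC-preferred_username": ["kctestuser1"],
                                   "OIDC-groups": [REQUIRED_IDP_GROUP]}))
```

Running the file prints the rules JSON ready to be written to a file and passed to `openstack mapping create --rules`, followed by the identity the first test user would receive; an account whose `OIDC-groups` claim lacks the required group evaluates to `None` and gets no Keystone user at all.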
### OIDC Client Configuration

| Variable | Default | Description |
|---|---|---|
| | | OIDC client ID |
| | | OIDC client secret |
| | | OIDC scopes |
### Testing Configuration

| Variable | Default | Description |
|---|---|---|
| `cifmw_federation_run_oidc_auth_tests` | `true` | Run OIDC auth tests |
## Task Files

### Main Tasks

- `hook_pre_deploy.yml` - Deploys Keycloak before OpenStack
- `hook_post_deploy.yml` - Configures federation after OpenStack deployment
- `hook_controlplane_config.yml` - Adds federation config to control plane

### Setup Tasks

- `run_keycloak_setup.yml` - Deploy Keycloak operator and instance
- `run_keycloak_realm_setup.yml` - Configure Keycloak realm, users, and client
- `run_keycloak_client_setup.yml` - Enable advanced client features (Service Accounts, Device Auth)
- `run_openstack_setup.yml` - Configure Keystone IdP and mappings
- `run_openstack_auth_setup.yml` - Deploy authentication scripts to openstackclient pod

### Test Tasks

- `run_openstack_oidc_auth_tests.yml` - Comprehensive OIDC authentication test suite
## Authentication Scripts

The following scripts are deployed to `/home/cloud-admin/` in the openstackclient pod:

| Script | Description |
|---|---|
| `kctestuser1` | Get token using v3oidcpassword |
| `oidc-clientcredentials.sh` | Configure v3oidcclientcredentials auth |
| `oidc-accesstoken.sh` | Configure v3oidcaccesstoken auth |
| `oidc-authcode.sh` | Configure v3oidcauthcode auth |
| `get-keycloak-token.sh` | Helper to obtain tokens from Keycloak |
## Example Usage

```bash
# v3oidcpassword - Password flow
kubectl exec -n openstack openstackclient -- bash -c \
  'source /home/cloud-admin/kctestuser1 && openstack token issue'

# v3oidcclientcredentials - Client Credentials flow
kubectl exec -n openstack openstackclient -- bash -c \
  'source /home/cloud-admin/oidc-clientcredentials.sh && openstack token issue'

# v3oidcaccesstoken - Access Token flow
# get-keycloak-token.sh lives in the openstackclient pod, so run it there and
# capture its output locally before passing it into the second command.
ACCESS_TOKEN=$(kubectl exec -n openstack openstackclient -- \
  /home/cloud-admin/get-keycloak-token.sh access_token kctestuser1 nomoresecrets1)
kubectl exec -n openstack openstackclient -- bash -c \
  "source /home/cloud-admin/oidc-accesstoken.sh '$ACCESS_TOKEN' && openstack token issue"

# v3oidcauthcode - Authorization Code flow
AUTH_CODE=$(kubectl exec -n openstack openstackclient -- \
  /home/cloud-admin/get-keycloak-token.sh auth_code kctestuser1 nomoresecrets1)
kubectl exec -n openstack openstackclient -- bash -c \
  "source /home/cloud-admin/oidc-authcode.sh '$AUTH_CODE' && openstack token issue"
```
## Test Execution

The OIDC authentication tests are automatically run during the `hook_post_deploy.yml` phase when `cifmw_federation_run_oidc_auth_tests` is `true` (the default).

To run the tests manually:

```yaml
- name: Run OIDC authentication tests
  ansible.builtin.include_role:
    name: federation
    tasks_from: run_openstack_oidc_auth_tests.yml
```
## Notes

- **Device Authorization Flow**: The `v3oidcdeviceauthz` plugin requires keystoneauth1 with Python 3.10+ support. OSP18 ships with Python 3.9 and does not include this plugin.
- **Multirealm**: CLI-based OIDC authentication testing only works in single realm mode. Multirealm federation is supported for Horizon-based authentication.
- **Keycloak Client**: The role automatically enables Service Accounts and Device Authorization on the Keycloak client to support all authentication methods.