From c16d6047969d6aea213dc345745c7ac8989720f2 Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Sun, 2 Feb 2025 12:24:27 +0100
Subject: [PATCH] Remove keycloak specific configuration

Keycloak integration is now made independent of this cookiecutter.

Signed-off-by: Christian Berendt
---
 cookiecutter.json | 1 -
 hooks/post_gen_project.sh | 4 -
 .../environments/custom/configuration.yml | 21 ---
 .../environments/kolla/configuration.yml | 21 ---
 .../overlays/horizon/_9999-custom-settings.py | 17 ---
 .../overlays/horizon/custom_local_settings | 17 ---
 .../overlays/keystone/wsgi-keystone.conf | 141 ------------------
 7 files changed, 222 deletions(-)
 delete mode 100644 {{cookiecutter.project_name}}/environments/kolla/files/overlays/keystone/wsgi-keystone.conf

diff --git a/cookiecutter.json b/cookiecutter.json
index 6156caf1..61ed272a 100644
--- a/cookiecutter.json
+++ b/cookiecutter.json
@@ -1,6 +1,5 @@
 {
 "with_ceph": 1,
- "with_keycloak": 0,
 "ceph_network": "192.168.16.0/20",
 "ceph_version": "quincy",
 "domain": "osism.xyz",
diff --git a/hooks/post_gen_project.sh b/hooks/post_gen_project.sh
index 475eb41d..ab57d613 100755
--- a/hooks/post_gen_project.sh
+++ b/hooks/post_gen_project.sh
@@ -54,10 +54,6 @@ if [[ {{ cookiecutter.with_ceph }} == 0 ]]; then
 rm -rf environments/kolla/files/overlays/haproxy/services.d
 fi
 
-if [[ {{ cookiecutter.with_keycloak }} == 0 ]]; then
- rm -rf environments/kolla/files/overlays/keystone
-fi
-
 for script in $(find scripts.d -type f -perm -111 -print); do
 echo run additional script $script
 $script
diff --git a/{{cookiecutter.project_name}}/environments/custom/configuration.yml b/{{cookiecutter.project_name}}/environments/custom/configuration.yml
index 8521230b..601cb4d1 100644
--- a/{{cookiecutter.project_name}}/environments/custom/configuration.yml
+++ b/{{cookiecutter.project_name}}/environments/custom/configuration.yml
@@ -1,25 +1,4 @@
 ---
-{%- if cookiecutter.with_keycloak|int %}
-# keycloak-oidc-client-config
-{% raw -%}
-keycloak_admin_id: "admin"
-keycloak_key_provider_component_name: "rsa-for-keystone"
-
-keystone_client_id: "keystone"
-keystone_redirect_uris:
- - "https://{{ kolla_external_fqdn }}:5000/redirect_uri"
- - "https://{{ kolla_external_fqdn }}"
- - "https://{{ kolla_external_vip_address }}:5000/redirect_uri"
- - "https://{{ kolla_external_vip_address }}"
-
-keycloak_private_key_file_path: "{{ configuration_directory }}/environments/custom/files/keycloak/private_key.pem"
-keycloak_private_key_data: "{{ lookup('file', keycloak_private_key_file_path)| regex_replace('\n', '\\\\n') }}"
-
-keycloak_certificate_file_path: "{{ configuration_directory }}/environments/custom/files/keycloak/cert.crt"
-keycloak_certificate_data: "{{ lookup('file', keycloak_certificate_file_path)| regex_replace('\n', '\\\\n') }}"
-{%- endraw %}
-{%- else %}
 # Dummy variable to avoid error because ansible does not recognize the
 # file as a good configuration file when no variable in it.
 dummy:
-{%- endif %}
diff --git a/{{cookiecutter.project_name}}/environments/kolla/configuration.yml b/{{cookiecutter.project_name}}/environments/kolla/configuration.yml
index 9348a2d5..072f6a0e 100644
--- a/{{cookiecutter.project_name}}/environments/kolla/configuration.yml
+++ b/{{cookiecutter.project_name}}/environments/kolla/configuration.yml
@@ -74,27 +74,6 @@ ceph_nova_user: nova ceph_public_network: {{cookiecutter.ceph_network}} {%- endif %} -{%- if cookiecutter.with_keycloak|int %} -########################################################## -# keystone -keystone_identity_providers: - - name: "keycloak" - openstack_domain: "keycloak" - protocol: "openid" - identifier: "https://keycloak.{{cookiecutter.domain}}/auth/realms/osism" - public_name: "Authenticate via Keycloak" - attribute_mapping: "mappingId1" -{%- raw %} - metadata_folder: "{{ node_custom_config }}/keystone/federation/oidc/metadata" - certificate_file: "{{ node_custom_config }}/keystone/federation/oidc/kD9RIBcPiCOVO8wOM2VbZD5XnpgSkf-tWdSmhurxmJo.pem" -keystone_identity_mappings: - - name: "mappingId1" - file: "{{ node_custom_config }}/keystone/federation/oidc/attribute_maps/oidc_attribute_mappingId1.json" -# Keystone auth endpoint -keystone_logout_url: "https://{{ kolla_external_fqdn }}/auth/" -{%- endraw %} -{%- endif %} - ######################################################### # other diff --git a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/_9999-custom-settings.py b/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/_9999-custom-settings.py index 3e3a6873..da0db6ac 100644 --- a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/_9999-custom-settings.py +++ b/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/_9999-custom-settings.py 
@@ -26,20 +26,3 @@
 "external": False,
 },
 ]
-
-{%- if cookiecutter.with_keycloak|int %}
-LOGOUT_URL = "https://keycloak.{{cookiecutter.domain}}/auth/realms/osism/protocol/openid-connect/logout/?client_id=keystone&post_logout_redirect_uri=https%3A%2F%2F{{ '{{' }} kolla_external_fqdn {{ '}}' }}%3A5000%2Fredirect_uri%3Flogout%3Dhttps%3A%2F%2F{{ '{{' }} kolla_external_fqdn {{ '}}' }}%3A5000%2Flogout"
-
-WEBSSO_ENABLED = False
-{% raw -%}
-WEBSSO_KEYSTONE_URL = "https://{{ kolla_external_fqdn }}:5000/v3"
-{%- endraw %}
-WEBSSO_CHOICES = (
- ("credentials", "Keystone Credentials"),
- ("keycloak", "Authenticate via Keycloak"),
-)
-
-WEBSSO_IDP_MAPPING = {
- "keycloak": ("keycloak", "openid"),
-}
-{%- endif %}
diff --git a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/custom_local_settings b/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/custom_local_settings
index f089a0c1..5c713817 100644
--- a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/custom_local_settings
+++ b/{{cookiecutter.project_name}}/environments/kolla/files/overlays/horizon/custom_local_settings
@@ -26,20 +26,3 @@ USER_MENU_LINKS = [
 "external": False,
 },
 ]
-
-{%- if cookiecutter.with_keycloak|int %}
-LOGOUT_URL = "https://keycloak.{{cookiecutter.domain}}/auth/realms/osism/protocol/openid-connect/logout/?client_id=keystone&post_logout_redirect_uri=https%3A%2F%2F{{ '{{' }} kolla_external_fqdn {{ '}}' }}%3A5000%2Fredirect_uri%3Flogout%3Dhttps%3A%2F%2F{{ '{{' }} kolla_external_fqdn {{ '}}' }}%3A5000%2Flogout"
-
-WEBSSO_ENABLED = False
-{% raw -%}
-WEBSSO_KEYSTONE_URL = "https://{{ kolla_external_fqdn }}:5000/v3"
-{%- endraw %}
-WEBSSO_CHOICES = (
- ("credentials", "Keystone Credentials"),
- ("keycloak", "Authenticate via Keycloak"),
-)
-
-WEBSSO_IDP_MAPPING = {
- "keycloak": ("keycloak", "openid"),
-}
-{%- endif %}
diff --git a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/keystone/wsgi-keystone.conf b/{{cookiecutter.project_name}}/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
deleted file mode 100644
index 39fb09d2..00000000
--- a/{{cookiecutter.project_name}}/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
+++ /dev/null
@@ -1,141 +0,0 @@ -{% set keystone_log_dir = '/var/log/kolla/keystone' %} -{% set binary_path = '/var/lib/kolla/venv/bin' %} -{% if keystone_enable_tls_backend | bool %} -{% if kolla_base_distro in ['centos'] %} -LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so -{% else %} -LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so -{% endif %} -{% endif %} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }} - -ServerSignature Off -ServerTokens Prod -TraceEnable off -TimeOut {{ kolla_httpd_timeout }} -KeepAliveTimeout {{ kolla_httpd_keep_alive }} - -ErrorLog "{{ keystone_log_dir }}/apache-error.log" - - CustomLog "{{ keystone_log_dir }}/apache-access.log" common - - -{% if keystone_logging_debug | bool %} -LogLevel info -{% endif %} - - - - AllowOverride None - Options None - Require all granted - - - - - - WSGIDaemonProcess keystone-public processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-public - WSGIProcessGroup keystone-public - WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - - ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat - -{% if keystone_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/keystone/certs/keystone-cert.pem - SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem -{% endif %} - -{% if keystone_enable_federation_openid %} - OIDCXForwardedHeaders "{{ keystone_oidc_forward_header }}" - OIDCClaimPrefix "OIDC-" - OIDCClaimDelimiter "," - OIDCPKCEMethod S256 - OIDCResponseType "{{ 
keystone_federation_oidc_response_type }}" - OIDCScope "{{ keystone_federation_oidc_scopes }}" -# OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }} - {# Note: Let's use the Metadata instead of the static metadata files -#} - OIDCProviderMetadataURL https://keycloak.{{cookiecutter.domain}}/auth/realms/osism/.well-known/openid-configuration - OIDCClientID keystone -{% if keystone_federation_openid_certificate_key_ids | length > 0 %} - {# Note: OIDCOAuthVerifyCertFiles is a mod_openidc specific param for legacy oauth2 -#} - OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }} -{% endif %} - OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }} - OIDCRedirectURI {{ keystone_public_url }}/redirect_uri -{% if enable_memcached | bool %} - OIDCCacheType memcache - OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}" -{% endif %} - - - Require valid-user - AuthType openid-connect - - - - Redirect 302 / {{ keystone_logout_url }} - - - {# WebSSO authentication endpoint -#} - - Require valid-user - AuthType openid-connect - - -{% for idp in keystone_identity_providers %} -{% if idp.protocol == 'openid' %} - - OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }} - Require valid-user - AuthType openid-connect - -{% endif %} -{% endfor %} - -{# CLI / API authentication endpoint -#} -{% for idp in keystone_identity_providers %} -{% if idp.protocol == 'openid' %} - - {# Note: This is the section for oauth2. 
For some reason the protocol_id needs to be the word "mapped" -#} - Require valid-user - {# For AuthType oauth2 see https://github.com/zmartzone/mod_oauth2/blob/master/README.md -#} - AuthType oauth2 - {# For OIDCUnAuthAction see https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L853 -#} - OIDCUnAuthAction pass - OAuth2TokenVerify jwks_uri https://keycloak.{{cookiecutter.domain}}/auth/realms/osism/protocol/openid-connect/certs jwks_uri.ssl_verify=false - {# For OAuth2TargetPass see https://github.com/zmartzone/mod_oauth2/blob/master/oauth2.conf -#} - OAuth2TargetPass prefix=OIDC- - -{% endif %} -{% endfor %} -{% endif %} - - - - WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin - WSGIProcessGroup keystone-admin - WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-admin - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - - ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat - -{% if keystone_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/keystone/certs/keystone-cert.pem - SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem -{% endif %} - -