Add support for federation in the horizon UI

jagee · jagee · commit 7937d3f2710f · 2025-04-17T15:28:30.000-04:00
This adds a openidc dropbox to the horizon login
screen so a user can select openidc as a login type.
The horzion UI will the be redirected to the keycloak
server for the user authentication and then be passed
back to the horizon dashboard as the federated user.
diff --git a/hooks/playbooks/federation-controlplane-config.yml b/hooks/playbooks/federation-controlplane-config.yml
@@ -2,6 +2,20 @@
 - name: Create kustomization to update Keystone to use Federation
   hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
   tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
     - name: Create file to customize keystone for Federation resources deployed in the control plane
       ansible.builtin.copy:
         dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
@@ -32,7 +46,7 @@
                   insecure_debug=true
                   debug=true
                   [federation]
-                  trusted_dashboard={{ '{{ .KeystoneEndpointPublic }}' }}/dashboard/auth/websso/
+                  trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
                   [openid]
                   remote_id_attribute=HTTP_OIDC_ISS
                   [auth]
@@ -85,7 +99,7 @@
               OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
               OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
               OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
-              OIDCRedirectURI "{{ '{{ .KeystoneEndpointPublic }}' }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+              OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
 
               <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
                 AuthType "openid-connect"
diff --git a/hooks/playbooks/federation-horizon-controlplane-config.yml b/hooks/playbooks/federation-horizon-controlplane-config.yml
@@ -0,0 +1,49 @@
+---
+- name: Create kustomization to update Horizon to use Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Create file to customize horizon for Federation resources deployed in the control plane
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/horizon_federation.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          - namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/horizon/enabled
+                value: true
+              - op: add
+                path: /spec/horizon/template/memcachedInstance
+                value: memcached
+              - op: add
+                path: /spec/horizon/template/customServiceConfig
+                value: |
+                  OPENSTACK_KEYSTONE_URL = "{{ cifmw_federation_keystone_url }}/v3"
+                  WEBSSO_ENABLED = True
+                  WEBSSO_CHOICES = (
+                    ("credentials", _("Keystone Credentials")),
+                    ("OIDC", _("OpenID Connect")),
+                  )
+                  WEBSSO_IDP_MAPPING = {
+                    "OIDC": ("{{ cifmw_keystone_OIDC_provider_name }}", "openid"),
+                  }
diff --git a/hooks/playbooks/federation-post-deploy.yml b/hooks/playbooks/federation-post-deploy.yml
@@ -22,12 +22,14 @@
       ansible.builtin.set_fact:
         cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
         cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
       when: cifmw_federation_deploy_type == "uni"
 
     - name: Set urls for install type crc
       ansible.builtin.set_fact:
         cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
         cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
       when: cifmw_federation_deploy_type == "crc"
 
     - name: Run federation setup on OSP
diff --git a/hooks/playbooks/federation-pre-deploy.yml b/hooks/playbooks/federation-pre-deploy.yml
@@ -22,12 +22,14 @@
       ansible.builtin.set_fact:
         cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
         cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps.ocp.openstack.lab'
       when: cifmw_federation_deploy_type == "uni"
 
     - name: Set urls for install type crc
       ansible.builtin.set_fact:
         cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
         cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+        cifmw_federation_horizon_url: 'https://horizon-openstack.apps-crc.testing'
       when: cifmw_federation_deploy_type == "crc"
 
     - name: Run SSO pod setup on Openshift
diff --git a/roles/federation/tasks/run_keycloak_realm_setup.yml b/roles/federation/tasks/run_keycloak_realm_setup.yml
@@ -50,8 +50,10 @@
     redirect_uris:
       - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcIDP/protocols/openid/websso"
       - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid"
+      - "{{ cifmw_federation_horizon_url }}/dashboard/auth/websso/"
     web_origins:
       - "{{ cifmw_federation_keystone_url }}"
+      - "{{ cifmw_federation_horizon_url }}"
     bearer_only: false
     public_client: false
     protocol: openid-connect
