Merge pull request sabre1041#9 from cooktheryan/keycloak

Removing keycloak requirement

Author: sallyom

roles/sigstore_scaffolding/defaults/main.yml

@@ -28,6 +28,10 @@ sigstore_trillian_templates:
   - manifests/trillian/trillian-logserver.yaml
   - manifests/trillian/trillian-logsigner.yaml
 
+ctlog_enabled: true
+tuf_enabled: true
+
+trillian_enabled: true
 trillian:
   mysql:
    user: mysql
@@ -74,7 +78,7 @@ remote_ctlog_public_key: "{{ certs_dir }}/{{ ctlog_public_key_filename }}"
 remote_rekor_signer: "{{ certs_dir }}/{{ rekor_signer_filename }}"
 remote_rekor_public_key: "{{ certs_dir }}/{{ rekor_public_key_filename }}"
 
-
+rekor_enabled: true
 rekor_public_key_retries: 5
 rekor_public_key_delay: 10
 fulcio_server_config: "{{ kube_configmap_dir }}/fulcio-config.yaml"
@@ -90,13 +94,16 @@ keycloak_certs_config: "{{ kube_configmap_dir }}/keycloak-certs.yaml"
 setup_host_dns: true
 base_hostname: ""
 
+fulcio_enabled: true
 fulcio_ca_passphrase: sigstore
 ctlog_ca_passphrase: sigstore
 rekor_ca_passphrase: sigstore
 ct_logprefix: sigstoreansible
 
 scaffolding_utils_image: quay.io/ablock/sigstore-scaffolding-helper:latest
 
+keycloak_enabled: true
+keycloak_url: keycloak.{{ base_hostname }}
 keycloak_wait_increment_seconds: 60
 keycloak_postgresql_user: "keycloak"
 keycloak_postgresql_password: "keycloak"
@@ -132,4 +139,4 @@ trillian_db_image: gcr.io/trillian-opensource-ci/db_server@sha256:22b7fddcb4bafc
 tuf_image: quay.io/rcook/tuf/server:latest
 netcat_image: quay.io/rcook/netcat:v1.0.0
 nginx_image: registry.access.redhat.com/ubi8/nginx-120@sha256:0d4543b4cf26eb46b1632006cc5b24a1925336973eb3ec17cdfb9fec372da5b8
-curl_image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+curl_image: registry.access.redhat.com/ubi9/ubi-minimal:latest

roles/sigstore_scaffolding/tasks/keycloak/setup.yml

@@ -8,15 +8,11 @@
 
 - name: Set Keycloak Hostname
   ansible.builtin.set_fact:
-    keycloak_hostname: "https://keycloak.{{ base_hostname }}"
-
-- name: Set Keycloak Hostname
-  ansible.builtin.set_fact:
-    keycloak_auth_url: "{{ keycloak_hostname }}{{ keycloak_auth_endpoint }}"
+    keycloak_auth_url: "https://{{ keycloak_url }}{{ keycloak_auth_endpoint }}"
 
 - name: "Wait until Keycloak becomes active and ready"
   ansible.builtin.uri:
-    url: "{{ keycloak_hostname }}/health/ready"
+    url: "https://{{ keycloak_url }}/health/ready"
     method: GET
     validate_certs: false
   register: keycloak_status

roles/sigstore_scaffolding/tasks/podman.yml

@@ -20,21 +20,28 @@
 
 - name: Configure/Deploy keycloak
   ansible.builtin.include_tasks: podman/keycloak.yml
+  when: keycloak_enabled | bool
 
 - name: Configure/Deploy Trillian
   ansible.builtin.include_tasks: podman/trillian.yml
+  when: trillian_enabled | bool
 
 - name: Setup Trillian Tree ID
   ansible.builtin.include_tasks: podman/createtree.yml
+  when: trillian_enabled | bool
 
 - name: Configure/Deploy Rekor
   ansible.builtin.include_tasks: podman/rekor.yml
+  when: rekor_enabled | bool
 
 - name: Configure/Deploy Fulcio
   ansible.builtin.include_tasks: podman/fulcio.yml
+  when: fulcio_enabled | bool
 
 - name: Configure/Deploy ctlog
   ansible.builtin.include_tasks: podman/ctlog.yml
+  when: ctlog_enabled | bool
 
 - name: Configure/Deploy tuf
-  ansible.builtin.include_tasks: podman/tuf.yml
+  ansible.builtin.include_tasks: podman/tuf.yml
+  when: tuf_enabled | bool

roles/sigstore_scaffolding/templates/configs/fulcio-oidc.conf.j2

@@ -1,8 +1,8 @@
 {
     "OIDCIssuers": {
-    "https://keycloak.{{ base_hostname }}{{ keycloak_auth_endpoint }}/realms/{{ keycloak_realm }}": {
+    "https://{{ keycloak_url }}{{ keycloak_auth_endpoint }}/realms/{{ keycloak_realm }}": {
         "ClientID": "{{ keycloak_sigstore_client }}",
-        "IssuerURL": "https://keycloak.{{ base_hostname }}{{ keycloak_auth_endpoint }}/realms/{{ keycloak_realm }}",
+        "IssuerURL": "https://{{ keycloak_url }}{{ keycloak_auth_endpoint }}/realms/{{ keycloak_realm }}",
         "Type": "email"
         }
     }

roles/sigstore_scaffolding/templates/configs/nginx.conf.j2

@@ -10,8 +10,10 @@ events {
     worker_connections  1024;
 }
 
-
 http {
+    map_hash_bucket_size 128;
+    map_hash_max_size 128;
+    server_names_hash_bucket_size  128;
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
@@ -41,25 +43,50 @@ http {
 
 stream {  
 
+  map_hash_bucket_size 128;
   map $ssl_server_name $targetBackend {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }}  rekor-server-pod:3000;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }}  tuf-pod:8080;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }}  fulcio-server-pod:5555;
-    keycloak.{{ base_hostname }}  keycloak:8080;
+{% endif %}
+{% if keycloak_enabled %}
+    {{ keycloak_url }}  keycloak:8080;
+{% endif %}
   }
 
   map $ssl_server_name $targetCert {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }} /certs/ingress-rekor.pem;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }} /certs/ingress-tuf.pem;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }} /certs/ingress-fulcio.pem;
-    keycloak.{{ base_hostname }} /certs/ingress-keycloak.pem;
+{% endif %}
+{% if keycloak_enabled %}
+    {{ keycloak_url }}  /certs/ingress-keycloak.pem;
+{% endif %}
   }
 
   map $ssl_server_name $targetCertKey {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }}  /certs/ingress-rekor.key;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }}  /certs/ingress-tuf.key;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }}  /certs/ingress-fulcio.key;
-    keycloak.{{ base_hostname }}  /certs/ingress-keycloak.key;
+{% endif %}
+{% if keycloak_enabled %}
+    {{ keycloak_url }}  /certs/ingress-keycloak.key;
+{% endif %}
   }
 
   server {
@@ -75,4 +102,4 @@ stream {
     proxy_pass $targetBackend;
   }
 
-}
+}

roles/sigstore_scaffolding/templates/manifests/keycloak/keycloak.yaml

@@ -46,9 +46,9 @@ spec:
         - name: KC_HEALTH_ENABLED
           value: "true"
         - name: KC_HOSTNAME_URL
-          value: "https://keycloak.{{ base_hostname }}"
+          value: "https://{{ keycloak_url }}"
         - name: KC_HOSTNAME_ADMIN_URL
-          value: "https://keycloak.{{ base_hostname }}"
+          value: "https://{{ keycloak_url }}"
       args:
         - start
       image: quay.io/keycloak/keycloak@sha256:b8f2a453a17a244a829fdafdb08dd77f719d3622bc3987c76a81771c0913b882