Refactor Azimuth authentication configuration to match new values

galaxy.yml

@@ -11,7 +11,7 @@ license:
 repository: "https://github.com/azimuth-cloud/ansible-collection-azimuth-ops"
 
 dependencies:
-  ansible.posix: "1.6.2"
+  ansible.posix: "2.0.0"
   community.general: "7.4.0"
   kubernetes.core: "5.0.0"
   "git+https://github.com/azimuth-cloud/ansible-collection-terraform.git": "0.5.0"

roles/azimuth/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 azimuth_chart_repo: https://azimuth-cloud.github.io/azimuth
 azimuth_chart_name: azimuth
-azimuth_chart_version: 0.12.0
+azimuth_chart_version: 0.13.1-dev.0.feat-auth-refactor.7
 
 # Release information for the Azimuth release
 azimuth_release_namespace: azimuth
@@ -94,134 +94,116 @@ azimuth_curated_sizes: []
   #   description: >-
   #     {% raw %}{{ cpus }} CPUs, {{ ram }} RAM, {{ disk }} disk, {{ ephemeral_disk }} ephemeral disk{% endraw %}
 
-# Settings for the configured authenticators
-#   Configuration for the password authenticator
-azimuth_authenticator_password_enabled: true
-azimuth_authenticator_password_label: "Username + Password"
-azimuth_authenticator_password_hidden: false
-azimuth_authenticator_password_auth_url: "{{ azimuth_openstack_auth_url }}"
-azimuth_authenticator_password_domain: "{{ azimuth_openstack_domain }}"
-azimuth_authenticator_password_verify_ssl: "{{ azimuth_openstack_verify_ssl }}"
+# Settings for OpenStack authentication
+#   The Keystone auth URL
+azimuth_openstack_auth_url: "{{ undef(hint = 'azimuth_openstack_auth_url is required') }}"
+#   The domain to use when authenticating with OpenStack
+azimuth_openstack_domain: default
+#   The region to use when discovering OpenStack services
+azimuth_openstack_region:
+#   The interface - should rarely need to be changed from the default
+azimuth_openstack_interface: public
+#   Whether or not to verify SSL
+azimuth_openstack_verify_ssl: true
 #   Configuration for the appcred authenticator
-#     By default, the appcred authenticator is enabled but hidden
+#     The appcred authenticator is always enabled but hidden by default
 #     This is useful when using the SDK as automation can be given an appcred
 #     but the option is not presented to users in the choice form
-azimuth_authenticator_appcred_enabled: true
-azimuth_authenticator_appcred_label: "Application Credential"
 azimuth_authenticator_appcred_hidden: true
-azimuth_authenticator_appcred_auth_url: "{{ azimuth_openstack_auth_url }}"
-azimuth_authenticator_appcred_verify_ssl: "{{ azimuth_openstack_verify_ssl }}"
+#   Configuration for the password authenticator
+azimuth_authenticator_password_enabled: true
+#   Simplified configuration for a single domain
+#   These variables are not used if azimuth_authenticator_password_domains is specified
+azimuth_authenticator_password_domain: "{{ azimuth_openstack_domain }}"
+azimuth_authenticator_password_label: "Username + Password"
+#   The list of domains to make available as authentication options
+azimuth_authenticator_password_domains:
+  - # The name of the domain
+    name: "{{ azimuth_authenticator_password_domain }}"
+    # A human-readable label, used in the selection form
+    label: "{{ azimuth_authenticator_password_label }}"
 #   Configuration for the federated authenticator
 azimuth_authenticator_federated_enabled: false
-azimuth_authenticator_federated_hidden: false
-azimuth_authenticator_federated_auth_url: "{{ azimuth_openstack_auth_url }}"
 #   Simplified configuration for a single IDP
 #   These variables are not used if azimuth_authenticator_federated_identity_providers is specified
 azimuth_authenticator_federated_label: "Federated"
-azimuth_authenticator_federated_provider: >-
-  {{-
-    undef(hint = 'azimuth_authenticator_federated_provider is required')
-    if azimuth_authenticator_federated_enabled
-    else None
-  }}
 azimuth_authenticator_federated_protocol: >-
   {{-
     undef(hint = 'azimuth_authenticator_federated_protocol is required')
     if azimuth_authenticator_federated_enabled
     else None
   }}
+azimuth_authenticator_federated_provider:
 #   The list of identity providers to make available
 azimuth_authenticator_federated_identity_providers:
-    # A name to identify the identity provider within Azimuth
-  - name: "{{ azimuth_authenticator_federated_provider }}_{{ azimuth_authenticator_federated_protocol }}"
-    # A human-readble label for the identity provider, used in the selection form
-    label: "{{ azimuth_authenticator_federated_label }}"
-    # The Keystone identity provider and protocol to use
+  - # The Keystone identity provider and protocol to use
     # The provider is optional, and if it IS NOT given, URLs will be of the form:
     #   <auth url>/auth/OS-FEDERATION/websso/<protocol>
     # If a provider IS given, URLs will be of the following form:
     #   <auth_url>/auth/OS-FEDERATION/identity_providers/<provider>/protocols/<protocol>/websso
     # It is recommended to specify a provider if known, as it redirects straight to the IdP
-    # instead of via the ugly Keystone splash page
-    provider: "{{ azimuth_authenticator_federated_provider }}"
+    # instead of the Keystone selection page
     protocol: "{{ azimuth_authenticator_federated_protocol }}"
-#   List of authenticators in the order in which they should appear in the form
-
-# Additional authenticators to include
-azimuth_authenticators_extra: []
-# Example for authenticating with an additional Keystone domain:
-# - hidden: false
-#   label: "What shows up on login dropdown menu"
-#   name: a_unique_name
-#   type: openstack-password
-#   openstackPassword:
-#     authUrl: https://keystone.openstack.example.com/v3
-#     domain: my-domain
-#     verifySsl: true
-
-azimuth_authenticators: >-
+    provider: "{{ azimuth_authenticator_federated_provider }}"
+    # A human-readble label for the identity provider, used in the selection form
+    label: "{{ azimuth_authenticator_federated_label }}"
+# The authentication settings, structured as defaults + overrides
+azimuth_authentication_defaults:
+  type: openstack
+  openstack: >-
+    {{-
+      {
+        "authUrl": azimuth_openstack_auth_url,
+        "interface": azimuth_openstack_interface,
+        "verifySsl": azimuth_openstack_verify_ssl,
+        "appcred": {
+          "hidden": azimuth_authenticator_appcred_hidden,
+        },
+        "password": {
+          "enabled": azimuth_authenticator_password_enabled,
+        },
+        "federated": {
+          "enabled": azimuth_authenticator_federated_enabled,
+        },
+      } |
+        combine(
+          { "region": azimuth_openstack_region }
+          if azimuth_openstack_region
+          else {}
+        ) |
+        combine(
+          (
+            {
+              "password": {
+                "domains": azimuth_authenticator_password_domains,
+              },
+            }
+            if azimuth_authenticator_password_enabled
+            else {}
+          ),
+          recursive = True
+        ) |
+        combine(
+          (
+            {
+              "federated": {
+                "identityProviders": azimuth_authenticator_federated_identity_providers,
+              },
+            }
+            if azimuth_authenticator_federated_enabled
+            else {}
+          ),
+          recursive = True
+        )
+    }}
+azimuth_authentication_overrides: {}
+azimuth_authentication: >-
   {{-
-    [] +
-      (
-        [
-          {
-            "name": "federated",
-            "type": "openstack-federation",
-            "hidden": azimuth_authenticator_federated_hidden,
-            "openstackFederation": {
-              "authUrl": azimuth_authenticator_federated_auth_url,
-              "identityProviders": azimuth_authenticator_federated_identity_providers,
-            },
-          },
-        ]
-        if azimuth_authenticator_federated_enabled
-        else []
-      ) +
-      (
-        [
-          {
-            "name": "password",
-            "label": azimuth_authenticator_password_label,
-            "hidden": azimuth_authenticator_password_hidden,
-            "type": "openstack-password",
-            "openstackPassword": {
-              "authUrl": azimuth_authenticator_password_auth_url,
-              "domain": azimuth_authenticator_password_domain,
-              "verifySsl": azimuth_authenticator_password_verify_ssl,
-            },
-          },
-        ]
-        if azimuth_authenticator_password_enabled
-        else []
-      ) +
-      (
-        [
-          {
-            "name": "appcred",
-            "label": azimuth_authenticator_appcred_label,
-            "hidden": azimuth_authenticator_appcred_hidden,
-            "type": "openstack-application-credential",
-            "openstackApplicationCredential": {
-              "authUrl": azimuth_authenticator_appcred_auth_url,
-              "verifySsl": azimuth_authenticator_appcred_verify_ssl,
-            },
-          },
-        ]
-        if azimuth_authenticator_appcred_enabled
-        else []
-      ) + azimuth_authenticators_extra
+    azimuth_authentication_defaults |
+      combine(azimuth_authentication_overrides, recursive = True)
   }}
 
-
 # OpenStack provider settings
-#   The Keystone auth URL
-azimuth_openstack_auth_url: "{{ undef(hint = 'azimuth_openstack_auth_url is required') }}"
-#   The domain
-azimuth_openstack_domain: default
-#   The interface - should rarely need to be changed from the default
-azimuth_openstack_interface: public
-#   Whether or not to verify SSL
-azimuth_openstack_verify_ssl: true
 #   The template to use when searching for the internal network
 #   Only used if the internal network is not tagged
 #   If given, network auto-creation is disabled
@@ -245,10 +227,6 @@ azimuth_openstack_internal_net_dns_nameservers: []
 azimuth_openstack_provider: >-
   {{-
     {
-      "authUrl": azimuth_openstack_auth_url,
-      "domain": azimuth_openstack_domain,
-      "interface": azimuth_openstack_interface,
-      "verifySsl": azimuth_openstack_verify_ssl,
       "manilaProjectShareGB": azimuth_openstack_manila_project_share_gb,
       "createInternalNet": azimuth_openstack_create_internal_net,
       "internalNetCidr": azimuth_openstack_internal_net_cidr
@@ -388,7 +366,7 @@ azimuth_release_defaults:
     documentationUrl: "{{ azimuth_documentation_url }}"
     supportUrl: "{{ azimuth_support_url }}"
     curatedSizes: "{{ azimuth_curated_sizes }}"
-  authenticators: "{{ azimuth_authenticators }}"
+  authentication: "{{ azimuth_authentication }}"
   provider:
     openstack: "{{ azimuth_openstack_provider }}"
   apps: >-

roles/azimuth_caas_operator/defaults/main.yml

@@ -2,7 +2,7 @@
 # The chart to use
 azimuth_caas_operator_chart_repo: https://azimuth-cloud.github.io/azimuth-caas-operator
 azimuth_caas_operator_chart_name: azimuth-caas-operator
-azimuth_caas_operator_chart_version: 0.16.0
+azimuth_caas_operator_chart_version: 0.17.1
 
 # Release information for the operator release
 # Use the same namespace as Azimuth by default
@@ -205,7 +205,7 @@ azimuth_caas_workstation_git_url: >-
       default("https://github.com/azimuth-cloud/caas-workstation.git")
   }}
 # The git version for the workstation
-azimuth_caas_workstation_default_git_version: 0.9.0
+azimuth_caas_workstation_default_git_version: 0.10.0
 azimuth_caas_workstation_git_version: >-
   {{
     azimuth_caas_stackhpc_workstation_git_version |
@@ -406,7 +406,7 @@ azimuth_caas_repo2docker_git_url: >-
       default("https://github.com/azimuth-cloud/caas-repo2docker.git")
   }}
 # The git version for the repo2docker appliance
-azimuth_caas_repo2docker_default_git_version: 0.7.0
+azimuth_caas_repo2docker_default_git_version: 0.8.0
 azimuth_caas_repo2docker_git_version: >-
   {{
     azimuth_caas_stackhpc_repo2docker_git_version |

roles/azimuth_capi_operator/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 azimuth_capi_operator_chart_repo: https://azimuth-cloud.github.io/azimuth-capi-operator
 azimuth_capi_operator_chart_name: azimuth-capi-operator
-azimuth_capi_operator_chart_version: 0.8.1
+azimuth_capi_operator_chart_version: 0.8.2
 
 # Release information for the CAPI operator release
 # Use the same namespace as Azimuth by default

roles/azimuth_identity_operator/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 azimuth_identity_operator_chart_repo: https://azimuth-cloud.github.io/azimuth-identity-operator
 azimuth_identity_operator_chart_name: azimuth-identity-operator
-azimuth_identity_operator_chart_version: 0.8.1
+azimuth_identity_operator_chart_version: 0.8.4
 
 # Release information for the operator release
 # Use the same namespace as Azimuth by default

roles/azimuth_schedule_operator/defaults/main.yml

@@ -2,7 +2,7 @@
 # The chart to use
 azimuth_schedule_operator_chart_repo: https://azimuth-cloud.github.io/azimuth-schedule-operator
 azimuth_schedule_operator_chart_name: azimuth-schedule-operator
-azimuth_schedule_operator_chart_version: 0.6.1
+azimuth_schedule_operator_chart_version: 0.6.5
 
 # Release information for the operator release
 # Use the same namespace as Azimuth by default

roles/capi_cluster/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 capi_cluster_chart_repo: https://azimuth-cloud.github.io/capi-helm-charts
 capi_cluster_chart_name: openstack-cluster
-capi_cluster_chart_version: 0.11.2
+capi_cluster_chart_version: 0.12.0
 
 # Release information for the cluster release
 capi_cluster_release_namespace: default

roles/certmanager/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 certmanager_chart_repo: https://charts.jetstack.io
 certmanager_chart_name: cert-manager
-certmanager_chart_version: v1.16.1
+certmanager_chart_version: v1.16.2
 
 # Release information for the cert-manager release
 certmanager_release_namespace: cert-manager

roles/cloud_metrics/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use for Grafana
 cloud_metrics_grafana_chart_repo: https://grafana.github.io/helm-charts
 cloud_metrics_grafana_chart_name: grafana
-cloud_metrics_grafana_chart_version: 8.6.1
+cloud_metrics_grafana_chart_version: 8.6.4
 
 # Release information for the Grafana release
 # By default, deploy into the same namespace as Azimuth

roles/clusterapi/defaults/main.yml

@@ -7,7 +7,7 @@ clusterapi_core_components: "{{ clusterapi_core_repo }}/releases/download/{{ clu
 
 # The repo, version and manifest URL for the Cluster API OpenStack provider components
 clusterapi_openstack_repo: https://github.com/kubernetes-sigs/cluster-api-provider-openstack
-clusterapi_openstack_version: v0.11.1
+clusterapi_openstack_version: v0.11.3
 clusterapi_openstack_components: "{{ clusterapi_openstack_repo }}/releases/download/{{ clusterapi_openstack_version }}/infrastructure-components.yaml"
 
 # The diagnostics address for Cluster API components
@@ -121,7 +121,7 @@ clusterapi_watches:
 # Helm chart information for the Cluster API addon provider
 clusterapi_addon_provider_chart_repo: https://azimuth-cloud.github.io/cluster-api-addon-provider
 clusterapi_addon_provider_chart_name: cluster-api-addon-provider
-clusterapi_addon_provider_chart_version: 0.7.1
+clusterapi_addon_provider_chart_version: 0.7.2
 
 # Release information for the Cluster API addon provider release
 clusterapi_addon_provider_release_namespace: capi-addon-system
@@ -148,7 +148,7 @@ clusterapi_addon_provider_release_values: >-
 # Helm chart information for the Cluster API janitor
 clusterapi_janitor_openstack_chart_repo: https://azimuth-cloud.github.io/cluster-api-janitor-openstack
 clusterapi_janitor_openstack_chart_name: cluster-api-janitor-openstack
-clusterapi_janitor_openstack_chart_version: 0.6.2
+clusterapi_janitor_openstack_chart_version: 0.7.2
 
 # Release information for the Cluster API janitor release
 clusterapi_janitor_openstack_release_namespace: capi-janitor-system

roles/community_images/defaults/main.yml

@@ -33,7 +33,7 @@ community_images_disk_format: qcow2
 # The repository to use for azimuth-images
 community_images_azimuth_images_repo: https://github.com/azimuth-cloud/azimuth-images
 # The version of azimuth-images to use to populate the default community images
-community_images_azimuth_images_version: 0.15.0
+community_images_azimuth_images_version: 0.16.0
 # The azimuth-images manifest URL
 community_images_azimuth_images_manifest_url: >-
   {{ community_images_azimuth_images_repo }}/releases/download/{{ community_images_azimuth_images_version }}/manifest.json

roles/helm_dashboard/defaults/main.yml

@@ -2,7 +2,7 @@
 
 helm_dashboard_chart_repo: https://helm-charts.komodor.io
 helm_dashboard_chart_name: helm-dashboard
-helm_dashboard_chart_version: 0.1.10
+helm_dashboard_chart_version: 2.0.3
 
 helm_dashboard_release_namespace: monitoring-system
 helm_dashboard_release_name: helm-dashboard

roles/kube_prometheus_stack/defaults/main.yml

@@ -3,7 +3,7 @@
 # The chart to use
 kube_prometheus_stack_chart_repo: https://prometheus-community.github.io/helm-charts
 kube_prometheus_stack_chart_name: kube-prometheus-stack
-kube_prometheus_stack_chart_version: 66.2.2
+kube_prometheus_stack_chart_version: 66.3.1
 
 # Release information
 kube_prometheus_stack_release_namespace: monitoring-system

roles/velero/defaults/main.yml

@@ -89,7 +89,7 @@ velero_default_backup_storage_location: >-
 # Velero Helm chart config
 velero_chart_name: velero
 velero_chart_repo: https://vmware-tanzu.github.io/helm-charts
-velero_chart_version: 7.2.1
+velero_chart_version: 8.1.0
 velero_release_namespace: velero
 velero_release_name: velero
 velero_wait_timeout: 10m