feat: add SAML federation support

This change documents the process of setting up federation support
within Keystone and Skyline.

Documentation has been added highlighting how to setup SAML using
Auth-0 as an example. Additional examples to be added later.

Depends-On: rackerlabs#992
Signed-off-by: Kevin Carter <[email protected]>

Author: cloudnull

base-helm-configs/keystone/keystone-helm-overrides-saml.yaml.example

@@ -0,0 +1,85 @@
+---
+conf:
+  software:
+    apache2:
+      a2enmod:
+        - shib
+  keystone:
+    auth:
+      methods: "password,token,saml2,application_credential,totp"
+    saml2:
+      remote_id_attribute: Shib-Identity-Provider
+    federation:
+      trusted_dashboard:
+        type: multistring
+        values:
+          - https://skyline.api.example.com/api/openstack/skyline/api/v1/websso
+          - https://horizon.api.example.com/auth/websso
+  wsgi_keystone: |
+    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+    Listen 0.0.0.0:{{ $portInt }}
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog /dev/stdout combined env=!forwarded
+    CustomLog /dev/stdout proxy env=forwarded
+
+    <VirtualHost *:{{ $portInt }}>
+        ServerName https://keystone.api.example.com:443
+        UseCanonicalName On
+
+        WSGIDaemonProcess keystone-public processes={{ .Values.conf.keystone_api_wsgi.wsgi.processes }} threads={{ .Values.conf.keystone_api_wsgi.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP}
+        WSGIProcessGroup keystone-public
+        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+        WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/IDENTITY_PROVIDER_NAME/protocols/saml2/auth)$ /var/www/cgi-bin/keystone/keystone-wsgi-public/$1
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        LimitRequestBody 114688
+
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        <Location /Shibboleth.sso>
+            SetHandler shib
+        </Location>
+        <Location /v3/OS-FEDERATION/identity_providers/IDENTITY_PROVIDER_NAME/protocols/saml2/auth>
+            Require valid-user
+            AuthType shibboleth
+            ShibRequestSetting requireSession 1
+            ShibExportAssertion off
+            <IfVersion < 2.4>
+                ShibRequireSession On
+                ShibRequireAll On
+            </IfVersion>
+        </Location>
+        RedirectMatch ^/v3/auth/OS-FEDERATION/websso/IDENTITY_PROVIDER_NAME$ /v3/auth/OS-FEDERATION/websso/saml2
+        <Location /v3/auth/OS-FEDERATION/websso/saml2>
+            Require valid-user
+            AuthType shibboleth
+            ShibRequestSetting requireSession 1
+            ShibExportAssertion off
+            <IfVersion < 2.4>
+                ShibRequireSession On
+                ShibRequireAll On
+            </IfVersion>
+        </Location>
+        <Location /v3/auth/OS-FEDERATION/identity_providers/IDENTITY_PROVIDER_NAME/protocols/saml2/websso>
+            Require valid-user
+            AuthType shibboleth
+            ShibRequestSetting requireSession 1
+            ShibExportAssertion off
+            <IfVersion < 2.4>
+                ShibRequireSession On
+                ShibRequireAll On
+            </IfVersion>
+        </Location>
+    </VirtualHost>

base-helm-configs/keystone/keystone-helm-overrides.yaml

@@ -6,14 +6,14 @@ images:
     db_init: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy"
     dep_check: "quay.io/rackspace/rackerlabs-kubernetes-entrypoint:latest-ubuntu_jammy"
     image_repo_sync: "quay.io/rackspace/rackerlabs-docker:17.07.0"
-    keystone_api: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
+    keystone_api: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
     keystone_credential_cleanup: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy"
-    keystone_credential_rotate: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
-    keystone_credential_setup: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
-    keystone_db_sync: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
-    keystone_domain_manage: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
-    keystone_fernet_rotate: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
-    keystone_fernet_setup: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747934956"
+    keystone_credential_rotate: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
+    keystone_credential_setup: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
+    keystone_db_sync: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
+    keystone_domain_manage: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
+    keystone_fernet_rotate: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
+    keystone_fernet_setup: "quay.io/rackspace/rackerlabs-keystone-rxt:2024.1-ubuntu_jammy-1747958291"
     ks_user: "quay.io/rackspace/rackerlabs-heat:2024.1-ubuntu_jammy"
     rabbit_init: "quay.io/rackspace/rackerlabs-rabbitmq:3.13-management"
     test: "quay.io/rackspace/rackerlabs-xrally-openstack:2.0.0"
@@ -111,6 +111,7 @@ conf:
         WSGIApplicationGroup %{GLOBAL}
         WSGIPassAuthorization On
         LimitRequestBody 114688
+
         <IfVersion >= 2.4>
           ErrorLogFormat "%{cu}t %M"
         </IfVersion>

base-kustomize/keystone/federation/kustomization.yaml

@@ -0,0 +1,89 @@
+---
+sortOptions:
+  order: fifo
+resources:
+  - ../base
+
+images:
+  - name: keystone-shib
+    newName: ghcr.io/rackerlabs/keystone-rxt/shibd
+    newTag: "1747958286"
+
+patches:
+  - target:
+      kind: Service
+      name: keystone-api
+    patch: |-
+      - op: add
+        path: /spec/sessionAffinity
+        value: ClientIP
+      - op: add
+        path: /spec/sessionAffinityConfig
+        value:
+          clientIP:
+            timeoutSeconds: 28800
+  - target:
+      kind: Deployment
+      name: keystone-api
+    patch: |-
+      - op: add
+        path: /spec/template/spec/volumes/-
+        value:
+          name: keystone-shibd-etc
+          secret:
+            secretName: keystone-shibd-etc
+      - op: add
+        path: /spec/template/spec/volumes/-
+        value:
+          name: run-shibd
+          emptyDir: {}
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          mountPath: "/etc/shibboleth"
+          name: keystone-shibd-etc
+          readOnly: true
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          mountPath: "/var/run/shibboleth"
+          name: run-shibd
+      - op: add
+        path: /spec/template/spec/containers/-
+        value:
+          command:
+            - /usr/sbin/shibd
+            - -f
+            - -c
+            - /etc/shibboleth/shibboleth2.xml
+            - -p
+            - /var/run/shibboleth/shibd.pid
+            - -F
+          name: keystone-shib
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          image: keystone-shib
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: "/etc/shibboleth"
+              name: keystone-shibd-etc
+              readOnly: true
+            - mountPath: /var/run/shibboleth
+              name: run-shibd
+          livenessProbe:
+            exec:
+              command:
+              - stat
+              - /var/run/shibboleth/shibd.sock
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+              - stat
+              - /var/run/shibboleth/shibd.sock
+            initialDelaySeconds: 10
+            periodSeconds: 10

base-kustomize/skyline/base/configmap-bin.yaml

@@ -53,6 +53,9 @@ data:
     yq -yi ".openstack.system_project_domain=\"${SERVICE_PROJECT_DOMAIN}\"" /etc/skyline/skyline.yaml
     yq -yi ".openstack.keystone_url=\"${SKYLINE_KEYSTONE_ENDPOINT}\"" /etc/skyline/skyline.yaml
     yq -yi ".openstack.default_region=\"${SKYLINE_DEFAULT_REGION}\"" /etc/skyline/skyline.yaml
+    yq -yi ".openstack.sso_enabled=${SKYLINE_SSO_ENABLED:-false}" /etc/skyline/skyline.yaml
+    yq -yi ".openstack.sso_protocols=${SKYLINE_SSO_PROTOCOLS:-[]}" /etc/skyline/skyline.yaml
+    yq -yi ".openstack.sso_region=\"${SKYLINE_SSO_REGION:-RegionOne}\"" /etc/skyline/skyline.yaml
     yq -yi ".default.secret_key=\"${SKYLINE_SECRET_KEY}\"" /etc/skyline/skyline.yaml
     yq -yi ".default.database_url=\"mysql://${DB_USERNAME}:${DB_PASSWORD}@${DB_ENDPOINT}/${DB_NAME}\"" /etc/skyline/skyline.yaml
     yq -yi ".default.prometheus_basic_auth_password=\"${PROMETHEUS_BASIC_AUTH_PASSWORD}\"" /etc/skyline/skyline.yaml
@@ -91,24 +94,26 @@ data:
       reclaim_instance_interval: 604800
       service_mapping:
         baremetal: ironic
+        block-storage: cinder
         compute: nova
         container: zun
         container-infra: magnum
         database: trove
+        dns: designate
         identity: keystone
         image: glance
+        instance-ha: masakari
         key-manager: barbican
         load-balancer: octavia
         network: neutron
         object-store: swift
         orchestration: heat
         placement: placement
         sharev2: manilav2
-        volumev3: cinder
-        cloudformation: heat-cfn
       sso_enabled: false
       sso_protocols:
       - openid
+      sso_region: RegionOne
       system_admin_roles:
       - admin
       system_project: 'service'