How-to


Boundary: Render-only
Authority: idm, kubernetes, collection
Evidence: review-manifest

Render OpenShift identity evidence

When To Use This

Use this to render OpenShift OAuth/OIDC and readiness evidence without applying cluster configuration.

Required Authority

IdM and Keycloak own identity inputs. OpenShift enforces only after reviewed configuration is applied.

Safety Boundary

This workflow is render-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Inputs

  • Named target objects
  • Credentials with the required IdM or platform authority
  • A reviewed output path or downstream task

Steps

  1. Confirm the target objects and authority before running.
  2. Run the command or task with review-friendly output.
  3. Inspect the returned evidence before continuing to any mutating step.

ansible-playbook playbooks/render-openshift-oidc-config.yml

Example OpenShift Identity Evidence

With this vars file, the playbook renders OAuth/OIDC configuration and a readiness report from local evidence only; it does not contact the cluster.

render-openshift-identity-vars.yml

---
eigenstate_oidc_issuer_url: https://keycloak.example.com/realms/openshift
eigenstate_oidc_client_id: openshift
eigenstate_oidc_client_secret_name: openid-client-secret
eigenstate_oidc_expected_groups:
  - ocp-platform-admins
  - ocp-developers
eigenstate_oidc_idm_known_groups:
  - ocp-platform-admins
  - ocp-developers
eigenstate_oidc_output_dir: ./artifacts
eigenstate_oidc_render_config: true
eigenstate_oidc_render_report: true

Run It

ansible-playbook playbooks/render-openshift-oidc-config.yml \
  -e @render-openshift-identity-vars.yml

Expected Evidence

The role renders review configuration plus readiness evidence artifacts. A captured render run produced:

PLAY [Render OpenShift OAuth OIDC configuration] ***********************

TASK [openshift_idm_oidc_validation : Validate OpenShift OIDC inputs]
ok: [localhost]

TASK [openshift_idm_oidc_validation : Render OpenShift OAuth OIDC configuration example]
changed: [localhost]

TASK [openshift_idm_oidc_validation : Render OpenShift OIDC JSON report]
changed: [localhost]

PLAY RECAP ************************************************************
localhost                  : ok=12   changed=4    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

The OAuth review artifact has the concrete OpenShift API shape:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - mappingMethod: claim
    name: openshift
    openID:
      clientID: openshift
      clientSecret:
        name: openid-client-secret
      issuer: https://keycloak.example.com/realms/openshift
    type: OpenID
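The render and readiness steps above, as an added Python example that is not the collection's own code: it takes the vars from render-openshift-identity-vars.yml as an inline dict, validates them the way the validation task would, renders the OAuth resource in the shape shown above, and reports expected groups that IdM does not know. The helper names and the exact validation rules are assumptions; the role's own checks may differ.

```python
from urllib.parse import urlparse

# Constructed inputs mirroring render-openshift-identity-vars.yml above.
VARS = {
    "eigenstate_oidc_issuer_url": "https://keycloak.example.com/realms/openshift",
    "eigenstate_oidc_client_id": "openshift",
    "eigenstate_oidc_client_secret_name": "openid-client-secret",
    "eigenstate_oidc_expected_groups": ["ocp-platform-admins", "ocp-developers"],
    "eigenstate_oidc_idm_known_groups": ["ocp-platform-admins", "ocp-developers"],
}

def validate_inputs(v):
    """Mirror the 'Validate OpenShift OIDC inputs' task: return a list of problems."""
    problems = []
    issuer = urlparse(v.get("eigenstate_oidc_issuer_url", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer_url must be an https URL")
    for key in ("eigenstate_oidc_client_id", "eigenstate_oidc_client_secret_name"):
        if not v.get(key):
            problems.append(f"{key} is required")
    if not v.get("eigenstate_oidc_expected_groups"):
        problems.append("expected_groups must not be empty")
    return problems

def render_oauth(v):
    """Render the OAuth resource in the API shape shown under Expected Evidence.
    Assumption: the provider name reuses the client ID, as in the captured artifact."""
    return (
        "apiVersion: config.openshift.io/v1\n"
        "kind: OAuth\n"
        "metadata:\n"
        "  name: cluster\n"
        "spec:\n"
        "  identityProviders:\n"
        "  - mappingMethod: claim\n"
        f"    name: {v['eigenstate_oidc_client_id']}\n"
        "    openID:\n"
        f"      clientID: {v['eigenstate_oidc_client_id']}\n"
        "      clientSecret:\n"
        f"        name: {v['eigenstate_oidc_client_secret_name']}\n"  # secret name only, never its value
        f"      issuer: {v['eigenstate_oidc_issuer_url']}\n"
        "    type: OpenID\n"
    )

def readiness_report(v):
    """Readiness report: input problems plus expected groups that IdM does not know."""
    problems = validate_inputs(v)
    missing = sorted(set(v["eigenstate_oidc_expected_groups"]) - set(v["eigenstate_oidc_idm_known_groups"]))
    return {"ready": not problems and not missing,
            "input_problems": problems, "missing_idm_groups": missing}
```

A report with `ready: false` is the signal to stop before any mutating step; the rendered OAuth text is review evidence, not something to apply from this script.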

Troubleshooting

  • Permission failure: verify the account and delegated authority.
  • Unexpected empty result: verify target names and source records.
  • Unsafe output: redact payloads and set no_log: true on tasks that handle secret material.