[federation] Add OIDC federation configuration on OSP17 #3840

Open
afaranha wants to merge 1 commit into openstack-k8s-operators:main from afaranha:oidc_adoption

@afaranha afaranha commented Apr 8, 2026

Add Ansible playbooks and role tasks to configure OSP 17.1 for OIDC federation, enabling adoption testing with Keycloak as the identity provider.

Changes:

  • Add federation-osp17-pre-deploy hook playbook that renders the Heat environment file and configures Keystone for OIDC
  • Add run_osp17_oidc_setup.yml tasks to create the federation domain, identity provider, mapping, group, project and protocol on OSP 17.1
  • Add enable-federation-openidc.yaml.j2 Heat template for OIDC params
  • Refactor Keycloak operator deployment to use kubernetes.core.k8s instead of oc apply with a template file
  • Make operator namespace configurable via cifmw_federation_operator_namespace variable
  • Add passthrough Route for Keycloak and grant privileged SCC
  • Conditionally include the OIDC env file in overcloud deploy

Original Patch: #3307

Jira: https://issues.redhat.com/browse/OSPRH-19960

Contributor

openshift-ci Bot commented Apr 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tosky for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/26034762f48a48fca288e7e854787c5e

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 06m 43s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 05s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 34m 23s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 1h 52m 00s
✔️ cifmw-pod-zuul-files SUCCESS in 5m 06s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 9m 22s
cifmw-pod-pre-commit FAILURE in 8m 02s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 32s
✔️ cifmw-molecule-federation SUCCESS in 2m 12s

@afaranha force-pushed the oidc_adoption branch 3 times, most recently from 9a25df6 to 8a6201f on April 9, 2026 11:05

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/dae0701d12884153b6f006c8aa172cf8

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 21m 31s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 27m 13s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 45m 11s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 07m 06s
✔️ cifmw-pod-zuul-files SUCCESS in 5m 19s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 11m 17s
cifmw-pod-pre-commit FAILURE in 6m 59s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 21s
✔️ cifmw-molecule-federation SUCCESS in 2m 04s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/102768d2db2046618e2df2abea191087

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 17m 13s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 23m 02s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 31m 30s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 02m 25s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 48s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 9m 09s
cifmw-pod-pre-commit FAILURE in 7m 36s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 31s
✔️ cifmw-molecule-federation SUCCESS in 2m 17s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6b63548911024fcca24385452213899b

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 10m 31s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 26m 09s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 34m 26s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 1h 58m 23s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 51s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 16s
cifmw-pod-pre-commit FAILURE in 6m 42s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 38s
✔️ cifmw-molecule-federation SUCCESS in 2m 05s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/81d4d0c7435840dc9203c85d5a6f872f

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 45m 21s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 27m 18s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 32m 54s
cifmw-crc-podified-edpm-baremetal-minor-update RETRY_LIMIT in 27m 04s
✔️ cifmw-pod-zuul-files SUCCESS in 5m 29s
✔️ noop SUCCESS in 0s
cifmw-pod-ansible-test FAILURE in 4m 30s
cifmw-pod-pre-commit FAILURE in 9m 33s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 35s
✔️ cifmw-molecule-federation SUCCESS in 2m 05s

@afaranha
Author

recheck

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/53bfedc8e1734c589c90d309603d550a

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 20m 30s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 25m 57s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 28m 50s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 07m 06s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 43s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 39s
cifmw-pod-pre-commit FAILURE in 8m 22s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 3m 32s
✔️ cifmw-molecule-federation SUCCESS in 1m 36s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/fac472f1014a4d1f8cce26c1ca856514

openstack-k8s-operators-content-provider RETRY_LIMIT in 2m 42s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal-minor-update SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
cifmw-pod-zuul-files FAILURE in 9m 48s
✔️ noop SUCCESS in 0s
cifmw-pod-ansible-test FAILURE in 4m 34s
cifmw-pod-pre-commit FAILURE in 4m 31s
cifmw-molecule-adoption_osp_deploy RETRY_LIMIT in 2m 10s
✔️ cifmw-molecule-federation SUCCESS in 2m 14s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3f61f7b075e64a3a907272d315f0f8da

openstack-k8s-operators-content-provider RETRY_LIMIT in 2m 56s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal-minor-update SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
cifmw-pod-zuul-files FAILURE in 5m 11s
✔️ noop SUCCESS in 0s
cifmw-pod-ansible-test FAILURE in 4m 52s
cifmw-pod-pre-commit FAILURE in 4m 45s
cifmw-molecule-adoption_osp_deploy RETRY_LIMIT in 2m 30s
✔️ cifmw-molecule-federation SUCCESS in 2m 01s

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/2e78e38282b64fe48a7163bb9d24d466

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 24m 48s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 25m 37s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 27m 18s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 1h 58m 55s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 43s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 59s
cifmw-pod-pre-commit FAILURE in 8m 07s
✔️ cifmw-molecule-adoption_osp_deploy SUCCESS in 4m 19s
✔️ cifmw-molecule-federation SUCCESS in 1m 59s

Contributor

@xek xek left a comment

The cifmw-pod-pre-commit failure is caused by missing trailing newlines in three files added by this PR — not by any pre-existing issue.

The end-of-file-fixer hook reports:

Fixing roles/federation/tasks/run_osp17_oidc_setup.yml
Fixing hooks/playbooks/federation-osp17-post-deploy.yml
Fixing roles/federation/templates/enable-federation-openidc.yaml.j2

Fix: run pre-commit run --all-files locally, commit the changes, and push. That will add the missing newlines and the check will pass.

Contributor

@xek xek left a comment

The cifmw-pod-pre-commit failure is caused by missing trailing newlines in three files added by this PR — not a pre-existing issue.

The end-of-file-fixer hook reports:

Fixing roles/federation/tasks/run_osp17_oidc_setup.yml
Fixing hooks/playbooks/federation-osp17-post-deploy.yml
Fixing roles/federation/templates/enable-federation-openidc.yaml.j2

Fix: run pre-commit run --all-files locally, commit the result, and push.

Add Ansible playbooks and role tasks to configure OSP 17.1 for OIDC
federation, enabling adoption testing with Keycloak as the identity
provider.

Changes:
- Add federation-osp17-pre-deploy hook playbook that renders the
  Heat environment file and configures Keystone for OIDC
- Add run_osp17_oidc_setup.yml tasks to create the federation domain,
  identity provider, mapping, group, project and protocol on OSP 17.1
- Add enable-federation-openidc.yaml.j2 Heat template for OIDC params
- Refactor Keycloak operator deployment to use kubernetes.core.k8s
  instead of oc apply with a template file
- Make operator namespace configurable via
  cifmw_federation_operator_namespace variable
- Add passthrough Route for Keycloak and grant privileged SCC
- Conditionally include the OIDC env file in overcloud deploy

Jira: https://issues.redhat.com/browse/OSPRH-19960
Signed-off-by: Andre Aranha <afariasa@redhat.com>
Co-authored-by: Grzegorz Grasza <xek@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>