---
# Default variables for the federation role (CI Framework).
#
# The role wires OpenStack Keystone federation to a Keycloak (Red Hat SSO)
# instance. Every value here is a role default and may be overridden from job
# vars; the keys are the role's public interface and keep their original names.
#
# NOTE(review): cifmw_federation_domain is referenced throughout this file but
# is not defined here — presumably supplied by the caller or another vars file;
# confirm before relying on these defaults in isolation.

# ---------------------------------------------------------------------------
# Infrastructure: namespaces and service URLs
# ---------------------------------------------------------------------------

# Kubernetes namespace hosting Keycloak, and the one in which OpenStack
# commands are executed.
cifmw_federation_keycloak_namespace: 'openstack'
cifmw_federation_run_osp_cmd_namespace: 'openstack'

# Public endpoints, built from the namespaces above and cifmw_federation_domain.
cifmw_federation_keycloak_url: 'https://keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}'
cifmw_federation_keystone_url: 'https://keystone-public-{{ cifmw_federation_run_osp_cmd_namespace }}.{{ cifmw_federation_domain }}'
cifmw_federation_horizon_url: 'https://horizon-{{ cifmw_federation_run_osp_cmd_namespace }}.{{ cifmw_federation_domain }}'

# ---------------------------------------------------------------------------
# Keycloak realms and administration
# ---------------------------------------------------------------------------

# First realm is always deployed; the second only when multirealm is enabled.
cifmw_federation_keycloak_realm: 'openstack'
cifmw_federation_keycloak_realm2: 'openstack2'

# Keycloak administrator account used by the role to create realms, clients,
# users and groups. These are throwaway CI fixtures — override them in job vars
# for any environment that outlives the test run.
cifmw_federation_keycloak_admin_username: 'admin'
cifmw_federation_keycloak_admin_password: 'nomoresecrets'

# Whether TLS certificates are verified when the role talks to Keycloak.
# Disabled by default — presumably because the CI Keycloak serves a
# self-signed certificate; confirm before reusing outside CI.
cifmw_federation_keycloak_url_validate_certs: false

# A single realm is deployed by default; set to true in job vars to also
# deploy the second realm and its Keystone integration.
cifmw_federation_deploy_multirealm: false

# ---------------------------------------------------------------------------
# CA certificate handling
# ---------------------------------------------------------------------------

# Non-empty: the role looks up a Kubernetes Secret of this name in
# cifmw_federation_run_osp_cmd_namespace. If it exists, the Keycloak CA is added
# under a new key (keycloak-ca.crt) and the other keys are left untouched; if it
# does not exist, it is created holding only the Keycloak CA. Either way the
# kustomization patch leaves spec.tls.caBundleSecretName alone, on the
# assumption that the control plane CR already references this secret.
#
# Empty (default): legacy behaviour — a dedicated 'keycloakca' secret is
# created and the kustomization patch points spec.tls.caBundleSecretName at it.
cifmw_custom_ca_certs_secret_name: ''

# ---------------------------------------------------------------------------
# Keycloak test users and groups — realm 1
# ---------------------------------------------------------------------------

# CI test identities for the first realm (fixtures, not real credentials).
cifmw_federation_keycloak_testuser1_username: 'kctestuser1'
cifmw_federation_keycloak_testuser1_password: 'nomoresecrets1'
cifmw_federation_keycloak_testuser2_username: 'kctestuser2'
cifmw_federation_keycloak_testuser2_password: 'nomoresecrets2'
cifmw_federation_keycloak_testgroup1_name: 'kctestgroup1'
cifmw_federation_keycloak_testgroup2_name: 'kctestgroup2'

# ---------------------------------------------------------------------------
# Keycloak test users and groups — realm 2 (multirealm only)
# ---------------------------------------------------------------------------

# CI test identities for the second realm (fixtures, not real credentials).
cifmw_federation_keycloak_testuser3_username: 'kctestuser3'
cifmw_federation_keycloak_testuser3_password: 'nomoresecrets3'
cifmw_federation_keycloak_testuser4_username: 'kctestuser4'
cifmw_federation_keycloak_testuser4_password: 'nomoresecrets4'
cifmw_federation_keycloak_testgroup3_name: 'kctestgroup3'
cifmw_federation_keycloak_testgroup4_name: 'kctestgroup4'

# ---------------------------------------------------------------------------
# Keystone integration — realm 1
# ---------------------------------------------------------------------------

# Identity provider registered in Keystone, the Keystone domain it maps into,
# and the remote_id Keystone expects to see from this provider.
cifmw_federation_IdpName: 'kcIDP'
cifmw_federation_keystone_domain: 'SSO'
cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}'

# Keystone mapping, project and group created for federated users, plus the
# mapping rules file and the claim used as the remote user identifier.
cifmw_federation_mapping_name: 'SSOmap'
cifmw_federation_project_name: 'SSOproject'
cifmw_federation_group_name: 'SSOgroup'
cifmw_federation_rules_file: 'rules.json'
# Key name is historical (sic) and kept for compatibility with callers.
cifmw_federation_clame_id: 'OIDC-preferred_username'

# ---------------------------------------------------------------------------
# Keystone integration — realm 2 (multirealm only)
# ---------------------------------------------------------------------------

# Identity provider, Keystone domain and remote_id for the second realm.
cifmw_federation_IdpName2: 'kcIDP2'
cifmw_federation_keystone_domain2: 'SSO2'
cifmw_federation_remote_id2: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}'

# Keystone mapping, project and group for the second realm.
cifmw_federation_mapping_name2: 'SSOmap2'
cifmw_federation_project_name2: 'SSOproject2'
cifmw_federation_group_name2: 'SSOgroup2'

# ---------------------------------------------------------------------------
# OpenID Connect settings for Keystone (Apache mod_auth_openidc)
# ---------------------------------------------------------------------------

# Claim handling and protocol parameters.
cifmw_federation_keystone_OIDC_ClaimDelimiter: ';'
cifmw_federation_keystone_OIDC_ClaimPrefix: 'OIDC-'
cifmw_federation_keystone_OIDC_PassClaimsAs: 'both'
cifmw_federation_keystone_OIDC_PassUserInfoAs: 'claims'
cifmw_federation_keystone_OIDC_ResponseType: 'id_token'
cifmw_federation_keystone_OIDC_Scope: 'openid email profile'
# Passphrase handed to mod_auth_openidc; a CI default — override in job vars
# for any non-throwaway deployment.
cifmw_federation_keystone_OIDC_CryptoPassphrase: 'openstack'

# Discovery documents for each realm and the realm-1 token introspection
# endpoint.
cifmw_federation_keystone_OIDC_ProviderMetadataURL: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/.well-known/openid-configuration'
cifmw_federation_keystone_OIDC_ProviderMetadataURL2: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm2 }}/.well-known/openid-configuration'
cifmw_federation_keystone_OIDC_OAuthIntrospectionEndpoint: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/protocol/openid-connect/token/introspect'

# ---------------------------------------------------------------------------
# OIDC client credentials — realm 1
# ---------------------------------------------------------------------------

# Client registered in Keycloak for Keystone. The secret is a CI fixture
# committed on purpose; treat it as public and override it outside CI.
cifmw_federation_keystone_OIDC_ClientID: 'rhoso'
cifmw_federation_keystone_OIDC_ClientSecret: 'COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f'

# ---------------------------------------------------------------------------
# OIDC client credentials — realm 2 (multirealm only)
# ---------------------------------------------------------------------------

# Client for the second realm; same caveat as above.
cifmw_federation_keystone_OIDC_ClientID2: 'rhoso2'
cifmw_federation_keystone_OIDC_ClientSecret2: 'U0nM9j2qyDp1Qc3uytXleJrFI1SntJWF'

# ---------------------------------------------------------------------------
# Keystone federation metadata file names — realm 1
# ---------------------------------------------------------------------------

# mod_auth_openidc metadata file names, derived from the issuer URL with the
# path separators percent-encoded (%2F).
cifmw_federation_keystone_idp1_conf_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm }}.conf'
cifmw_federation_keystone_idp1_client_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm }}.client'
cifmw_federation_keystone_idp1_provider_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm }}.provider'

# ---------------------------------------------------------------------------
# Keystone federation metadata file names — realm 2 (multirealm only)
# ---------------------------------------------------------------------------

# Same naming scheme as realm 1, keyed on the second realm.
cifmw_federation_keystone_idp2_conf_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.conf'
cifmw_federation_keystone_idp2_client_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.client'
cifmw_federation_keystone_idp2_provider_filename: 'keycloak-{{ cifmw_federation_keycloak_namespace }}.{{ cifmw_federation_domain }}%2Fauth%2Frealms%2F{{ cifmw_federation_keycloak_realm2 }}.provider'