Switch to using upstream OIDC support

This has been cherry-picked back to victoria. This should make
maintaining the config a little easier.

See: https://review.opendev.org/c/openstack/kolla-ansible/+/695432

etc/kayobe/environments/preprod/kolla/globals.yml

@@ -9,3 +9,18 @@ designate_ns_record: "cpu-e-1041.iris.staging.cumulus.local"
 
 # We have pre-generated certificates
 octavia_auto_configure: false
+
+{% raw %}
+keystone_identity_providers:
+  - name: "iris-iam"
+    # Auto generated federated domain for Identity Provider: iris-iam
+    openstack_domain: "da9fd730ad7f44afb3ca49b17ca172c3"
+    protocol: "openid"
+    identifier: "https://iris-iam.stfc.ac.uk"
+    public_name: "Federated Login"
+    attribute_mapping: "attribute_mapping_iris_iam"
+    metadata_folder: "{{ node_custom_config }}/keystone/identity-metadata-iris-iam"
+keystone_identity_mappings:
+  - name: "attribute_mapping_keycloak_openstack"
+    file: "{{ node_custom_config }}/keystone/identity-mappings-iris-iam.json"
+{% endraw %}

etc/kayobe/environments/preprod/kolla/keystone/identity-mappings-iris-iam.json

@@ -0,0 +1,97 @@
+[
+    {
+      "local": [
+        {
+          "user": {
+            "email": "{1}",
+            "name": "{2} {3} (Iris)"
+          },
+          "projects": [
+            {
+              "name": "iris",
+              "roles": [
+                {
+                  "name": "reader"
+                }
+              ]
+            }
+          ]
+        }
+      ],
+      "remote": [
+        {
+          "type": "OIDC-sub"
+        },
+        {
+          "type": "OIDC-email"
+        },
+        {
+          "type": "OIDC-given_name"
+        },
+        {
+          "type": "OIDC-family_name"
+        },
+        {
+          "type": "OIDC-preferred_username"
+        },
+        {
+          "type": "HTTP_OIDC_ISS",
+          "any_one_of": [
+            "https://iris-iam.stfc.ac.uk/"
+          ]
+        }
+      ]
+    },
+    {
+      "local": [
+        {
+          "user": {
+            "email": "{1}",
+            "name": "{2} {3} (Iris)"
+          },
+          "projects": [
+            {
+              "name": "euclid-test",
+              "roles": [
+                {
+                  "name": "member"
+                }
+              ]
+            }
+          ]
+        }
+      ],
+      "remote": [
+        {
+          "type": "OIDC-sub"
+        },
+        {
+          "type": "OIDC-email"
+        },
+        {
+          "type": "OIDC-given_name"
+        },
+        {
+          "type": "OIDC-family_name"
+        },
+        {
+          "type": "OIDC-preferred_username"
+        },
+        {
+          "type": "HTTP_OIDC_ISS",
+          "any_one_of": [
+            "https://iris-iam.stfc.ac.uk/"
+          ]
+        },
+        {
+          "regex": true,
+          "type": "OIDC-groups",
+          "any_one_of": [
+            "euclid/stfccloud",
+            "euclid",
+            "euclid/camcloud"
+          ]
+        }
+      ]
+    }
+  ]

etc/kayobe/environments/preprod/kolla/keystone/identity-metadata-iris-iam/iris-iam.stfc.ac.uk.client

@@ -0,0 +1,4 @@
+{
+    "client_id":"{{ secrets_alaska_iris_iam_clientid }}",
+    "client_secret":"{{ secrets_alaska_iris_iam_client_secret }}"
+}

etc/kayobe/environments/preprod/kolla/keystone/identity-metadata-iris-iam/iris-iam.stfc.ac.uk.conf

@@ -0,0 +1,4 @@
+{
+    "client_jwks_uri": "https://iris-iam.stfc.ac.uk/jwk",
+    "scopes": "openid email profile preferred_username"
+}

etc/kayobe/environments/preprod/kolla/keystone/identity-metadata-iris-iam/iris-iam.stfc.ac.uk.provider

@@ -0,0 +1,187 @@
+{
+  "request_parameter_supported": true,
+  "claims_parameter_supported": false,
+  "introspection_endpoint": "https://iris-iam.stfc.ac.uk/introspect",
+  "scopes_supported": [
+    "openid",
+    "profile",
+    "email",
+    "address",
+    "phone",
+    "offline_access",
+    "preferred_username",
+    "eduperson_scoped_affiliation",
+    "eduperson_entitlement"
+  ],
+  "issuer": "https://iris-iam.stfc.ac.uk/",
+  "userinfo_encryption_enc_values_supported": [
+    "A256CBC+HS512",
+    "A256GCM",
+    "A192GCM",
+    "A128GCM",
+    "A128CBC-HS256",
+    "A192CBC-HS384",
+    "A256CBC-HS512",
+    "A128CBC+HS256"
+  ],
+  "id_token_encryption_enc_values_supported": [
+    "A256CBC+HS512",
+    "A256GCM",
+    "A192GCM",
+    "A128GCM",
+    "A128CBC-HS256",
+    "A192CBC-HS384",
+    "A256CBC-HS512",
+    "A128CBC+HS256"
+  ],
+  "authorization_endpoint": "https://iris-iam.stfc.ac.uk/authorize",
+  "service_documentation": "https://iris-iam.stfc.ac.uk/about",
+  "request_object_encryption_enc_values_supported": [
+    "A256CBC+HS512",
+    "A256GCM",
+    "A192GCM",
+    "A128GCM",
+    "A128CBC-HS256",
+    "A192CBC-HS384",
+    "A256CBC-HS512",
+    "A128CBC+HS256"
+  ],
+  "device_authorization_endpoint": "https://iris-iam.stfc.ac.uk/devicecode",
+  "userinfo_signing_alg_values_supported": [
+    "HS256",
+    "HS384",
+    "HS512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "claims_supported": [
+    "sub",
+    "name",
+    "preferred_username",
+    "given_name",
+    "family_name",
+    "middle_name",
+    "nickname",
+    "profile",
+    "picture",
+    "website",
+    "gender",
+    "zoneinfo",
+    "locale",
+    "updated_at",
+    "birthdate",
+    "email",
+    "email_verified",
+    "phone_number",
+    "phone_number_verified",
+    "address",
+    "organisation_name",
+    "groups",
+    "external_authn"
+  ],
+  "claim_types_supported": [
+    "normal"
+  ],
+  "op_policy_uri": "https://iris-iam.stfc.ac.uk/about",
+  "token_endpoint_auth_methods_supported": [
+    "client_secret_post",
+    "client_secret_basic",
+    "none"
+  ],
+  "token_endpoint": "https://iris-iam.stfc.ac.uk/token",
+  "response_types_supported": [
+    "code",
+    "token"
+  ],
+  "request_uri_parameter_supported": false,
+  "userinfo_encryption_alg_values_supported": [
+    "RSA-OAEP",
+    "RSA-OAEP-256",
+    "RSA1_5"
+  ],
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "refresh_token",
+    "client_credentials",
+    "password",
+    "urn:ietf:params:oauth:grant-type:jwt-bearer",
+    "urn:ietf:params:oauth:grant_type:redelegate",
+    "urn:ietf:params:oauth:grant-type:token-exchange",
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ],
+  "revocation_endpoint": "https://iris-iam.stfc.ac.uk/revoke",
+  "userinfo_endpoint": "https://iris-iam.stfc.ac.uk/userinfo",
+  "token_endpoint_auth_signing_alg_values_supported": [
+    "HS256",
+    "HS384",
+    "HS512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "op_tos_uri": "https://iris-iam.stfc.ac.uk/about",
+  "require_request_uri_registration": false,
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ],
+  "id_token_encryption_alg_values_supported": [
+    "RSA-OAEP",
+    "RSA-OAEP-256",
+    "RSA1_5"
+  ],
+  "jwks_uri": "https://iris-iam.stfc.ac.uk/jwk",
+  "subject_types_supported": [
+    "public",
+    "pairwise"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "HS256",
+    "HS384",
+    "HS512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "PS256",
+    "PS384",
+    "PS512",
+    "none"
+  ],
+  "registration_endpoint": "https://iris-iam.stfc.ac.uk/register",
+  "request_object_signing_alg_values_supported": [
+    "HS256",
+    "HS384",
+    "HS512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "request_object_encryption_alg_values_supported": [
+    "RSA-OAEP",
+    "RSA-OAEP-256",
+    "RSA1_5"
+  ]
+}