gpe_mw_ansible.rh_sso_multi_realm

rh-sso-multi-realm

Overview

This role sets up a long-lived Red Hat Single Sign-On (RH-SSO) installation on Red Hat's OpenShift Container Platform (OCP) and lets you manage multiple SSO realms (essentially separate, isolated environments) within that single installation.

When to use this role:

  1. Training and Workshops:

    • If you have a number of students needing RH-SSO, you can create a central installation where each student has their own realm.
    • Each student gets admin access to their realm.
  2. Learning Goals:

    • Show how to install RH-SSO on OCP.
    • Integrate RH-SSO with an email provider for user self-registration.
    • Use RH-SSO’s REST Admin API with OAuth2 tokens.

Note: This Ansible role does not yet use the Keycloak operator mainly due to configuration issues.

References

Assumptions and Requirements

  1. Ansible must be installed on your local machine (tested with version 2.6.5-1 on Fedora 29).
  2. A remote OCP cluster must exist with at least 6GB RAM and 2 CPUs (tested with OCP version 3.11.43).
  3. The local oc client must be correctly installed and configured.
  4. Ensure the local oc client is authenticated as a cluster-admin user.

Wildcard Certificate

This role assumes your OCP cluster uses a certificate from a recognized Certificate Authority (like Let's Encrypt). You can ignore this section if you obtained your cluster through certain Red Hat Partner Systems, as these typically come with Let's Encrypt certificates.

Tutorials to Get a Let's Encrypt Wildcard Certificate:

  • Links to guides on purchasing a domain and creating a certificate can be found in the provided references.

RH-SSO Deployment

Environment Variables

You need to set certain environment variables for your local shell. These will be used throughout the role:

echo "export OCP_PROJECT_PREFIX=<your initials>" >> ~/.bashrc
echo "export ocp_sso_admin_id=sso0" >> ~/.bashrc
# plus the other variables this role reads (see the role's own defaults)

Ansible Set-up

  1. Install this role:

    ansible-galaxy install gpe_mw_ansible.rh_sso_multi_realm --force -p /etc/ansible/roles

  2. Create a Playbook:

    echo "
    - hosts: all
      become: false
      gather_facts: False
      vars_files:
      roles:
        - gpe_mw_ansible.rh_sso_multi_realm
    " > /tmp/rh_sso_multi_realm.yml

Provision RH-SSO

Run the Ansible playbook to create your multi-realm installation. Ensure that the RH-SSO ImageStream exists in the openshift namespace before running the playbook.

After installation, check the certificate served by the new RH-SSO route: it should be the cluster's CA-issued wildcard certificate rather than the OCP router's self-signed default.

RH-SSO Admin Console

Access the admin console via the defined URL and log in with the site admin credentials you set earlier.

Deleting RH-SSO

Use the Ansible playbook to remove RH-SSO when no longer needed.

Realm Management

Create and Delete Realms

  • You can create multiple autonomous realms using this role.
  • For sending emails from RH-SSO, you can set SMTP details for each realm.

Generic Realms

  • You can create a configurable number of generic SSO realms through this role.
  • Each new realm allows users to self-register, and the role typically grants registered users admin access to that realm.
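The realm creation and deletion the role performs, and the REST Admin API with OAuth2 tokens named under the learning goals, as an added example that is not the role's own code. It assumes the RH-SSO 7.x URL layout of the OCP 3.11-era images (the token endpoint under /auth/realms/master and the admin API under /auth/admin), an admin user in the master realm, and the built-in admin-cli client. The HTTP transport is passed in as a function so the exchange can be run offline against the constructed FakeSso stand-in at the bottom; with the default urllib transport the same code talks to a real server.

```python
"""Realm management through the RH-SSO (Keycloak) Admin REST API with an OAuth2 bearer token.

Added example, not the role's own code. It assumes the RH-SSO 7.x URL layout of the
OCP 3.11-era images (/auth/realms/... token endpoint, /auth/admin/... admin API).
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: one HTTP request via urllib, returning (status, body bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status the caller needs
        return err.code, err.read()


class SsoAdmin:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, username, password):
        """Resource Owner Password grant on the master realm's built-in admin-cli client."""
        url = f"{self.base_url}/auth/realms/master/protocol/openid-connect/token"
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport("POST", url, headers, form)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = json.loads(body)["access_token"]  # short-lived; log in again on 401
        return self.token

    def _admin(self, method, path, payload=None):
        if self.token is None:
            raise RuntimeError("call login() first")
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, f"{self.base_url}/auth/admin{path}", headers, body)

    def create_realm(self, name, smtp=None, self_registration=True):
        """POST a RealmRepresentation; returns False when the realm already exists (409)."""
        rep = {"realm": name, "enabled": True, "registrationAllowed": self_registration}
        if smtp:
            rep["smtpServer"] = smtp  # per-realm SMTP for verification and password-reset mail
        status, _ = self._admin("POST", "/realms", rep)
        if status == 409:
            return False
        if status != 201:
            raise RuntimeError(f"create realm {name!r} failed: HTTP {status}")
        return True

    def list_realms(self):
        status, body = self._admin("GET", "/realms")
        if status != 200:
            raise RuntimeError(f"list realms failed: HTTP {status}")
        return [r["realm"] for r in json.loads(body)]

    def delete_realm(self, name):
        status, _ = self._admin("DELETE", f"/realms/{urllib.parse.quote(name, safe='')}")
        return status == 204


def provision_student_realms(sso, prefix, count, smtp=None):
    """Create <prefix>1..<prefix>N, one generic realm per student; returns the new names."""
    names = [f"{prefix}{i}" for i in range(1, count + 1)]
    return [name for name in names if sso.create_realm(name, smtp)]


class FakeSso:
    """Constructed in-memory stand-in for the server so the example runs offline."""
    ADMIN_PASSWORD = "admin-pass"  # constructed credential, valid for this fake only

    def __init__(self):
        self.realms = {"master": {"realm": "master", "enabled": True}}
        self.requests = []  # every (method, url, headers, body) seen, for inspection

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        path = urllib.parse.urlsplit(url).path
        if path == "/auth/realms/master/protocol/openid-connect/token":
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") == ["password"] and form.get("password") == [self.ADMIN_PASSWORD]:
                return 200, json.dumps({"access_token": "tok-123", "token_type": "bearer"}).encode()
            return 401, b'{"error":"invalid_grant"}'
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, b""  # the admin API rejects requests without a valid bearer token
        if path == "/auth/admin/realms" and method == "GET":
            return 200, json.dumps(list(self.realms.values())).encode()
        if path == "/auth/admin/realms" and method == "POST":
            rep = json.loads(body)
            if rep["realm"] in self.realms:
                return 409, b""
            self.realms[rep["realm"]] = rep
            return 201, b""
        if path.startswith("/auth/admin/realms/") and method == "DELETE":
            name = urllib.parse.unquote(path.rsplit("/", 1)[1])
            return (204, b"") if self.realms.pop(name, None) is not None else (404, b"")
        return 404, b""
```

Against a real server, construct SsoAdmin with the RH-SSO route URL and leave the transport at its default; the token from login() is what every admin call carries in its Authorization header, so keep the site admin password out of shell history and rotate the admin-cli credentials like any other cluster secret. Creating a realm twice is reported as False rather than an error because the role is re-runnable.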

Special Realms

You can also create specialized realms for certain applications.

User Registration

Instructions for students to register as users of their SSO realms are provided.

Appendix

Adjust Logging (Optional)

For troubleshooting, you can raise the RH-SSO log level to DEBUG; revert it afterwards, since debug logging is verbose and can expose request details in the pod logs.


Project information

Red Hat Single Sign-On Multi-Realm Automated Provisioning

Install
ansible-galaxy install gpe_mw_ansible.rh_sso_multi_realm
License
Unknown
Downloads
89
Owner
Ansible roles to support RHT middleware labs