Updated Keystone and Horizon config:

Keystone: OIDC Keycloak integrations and secrets
Horizon: Custom images and fav-icons over-riding defaults in container image

etc/kayobe/kolla.yml

@@ -91,6 +91,10 @@ kolla_openstack_release: 8.0.1.1
 
 # Dict mapping Jinja2 block names in kolla's Docker images to their contents.
 kolla_build_blocks:
+  horizon_footer: |
+    ADD https://object.vss.cloud.cam.ac.uk/swift/v1/AUTH_4a8139220b424e7d810a3cf364a89ee2/arcus-images/logo-splash.svg /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo-splash.svg
+    ADD https://object.vss.cloud.cam.ac.uk/swift/v1/AUTH_4a8139220b424e7d810a3cf364a89ee2/arcus-images/favicon.ico /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/favicon.ico
+    ADD https://object.vss.cloud.cam.ac.uk/swift/v1/AUTH_4a8139220b424e7d810a3cf364a89ee2/arcus-images/logo.svg /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/logo.svg
   neutron_server_footer: |
     RUN pip install git+https://github.com/stackhpc/networking-generic-switch@stackhpc/1.3.1.1
   prometheus_server_repository_version: |
@@ -99,12 +103,11 @@ kolla_build_blocks:
   ironic_inspector_footer: |
     # Install our custom inspector plugins.
     RUN pip install stackhpc-inspector-plugins==1.1.1
-#  keystone_footer: |
-    # May still need this for SSO/Federation
-    #RUN pip install -U --no-deps git+https://github.com/RSE-Cambridge/keystone@stable/stein
-    #RUN yum remove -y mod_auth_openidc
-    #RUN rpm -i https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.11/cjose-0.6.1.4-1.el7.x86_64.rpm
-    #RUN rpm -i https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.11/mod_auth_openidc-2.3.11-1.el7.x86_64.rpm
+  keystone_footer: |
+    RUN pip install -U --no-deps git+https://github.com/RSE-Cambridge/keystone@stable/stein
+    RUN yum remove -y mod_auth_openidc
+    RUN rpm -i https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.0/cjose-0.6.1.5-1.el7.x86_64.rpm
+    RUN rpm -i https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.0/mod_auth_openidc-2.4.0-1.el7.x86_64.rpm
   magnum_api_footer: |
     # This branch fixes k8s FailedNodeAllocatableEnforcement warning
     RUN pip install -U --no-deps git+https://github.com/stackhpc/magnum@stackhpc/8.2.0.2

etc/kayobe/kolla/config/keystone/keystone.conf

+[DEFAULT]
+notification_opt_out: None
+
+[oslo_messaging_notifications]
+driver = log
+
+[federation]
+remote_id_attribute = HTTP_OIDC_ISS
+trusted_dashboard = https://{% raw %}{{ kolla_external_fqdn }}{% endraw %}/auth/websso/

etc/kayobe/kolla/config/keystone/wsgi-keystone.conf

+{% raw %}
+{% set keystone_log_dir = '/var/log/kolla/keystone' %}
+{% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
+Listen {{ api_interface_address }}:{{ keystone_public_port }}
+Listen {{ api_interface_address }}:{{ keystone_admin_port }}
+
+TraceEnable off
+
+<VirtualHost *:{{ keystone_public_port }}>
+    WSGIDaemonProcess keystone-public processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ python_path }}
+    WSGIProcessGroup keystone-public
+    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+    ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log"
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat
+{% endraw %}
+    # OpenID Connect configuration for EGI Check-in AAI
+    OIDCResponseType "id_token"
+    OIDCClaimPrefix "OIDC-"
+    OIDCClaimDelimiter ;
+    OIDCScope "openid profile email refeds_edu"
+    OIDCProviderMetadataURL https://id.hpc.cam.ac.uk/auth/realms/arcus/.well-known/openid-configuration
+    OIDCClientID cumulus-keystone
+    OIDCClientSecret {{ secrets_arcus_keycloak_client_secret }}
+    OIDCCryptoPassphrase {{ secrets_arcus_keycloak_crypto_passphrase }}
+    OIDCRedirectURI https://{% raw %}{{ kolla_external_fqdn }}:{{ keystone_public_port }}{% endraw %}/v3/auth/OS-FEDERATION/websso/mapped/redirect
+    OIDCSessionType client-cookie
+
+    # OAuth for CLI access
+    OIDCOAuthIntrospectionEndpoint  https://id.hpc.cam.ac.uk/auth/realms/arcus/protocol/openid-connect/token/introspect
+    OIDCOAuthClientID cumulus-keystone
+    OIDCOAuthClientSecret {{ secrets_arcus_keycloak_client_secret }}
+
+    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
+      AuthType openid-connect
+      Require valid-user
+      LogLevel debug
+    </LocationMatch>
+
+    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+      AuthType openid-connect
+      Require valid-user
+    </Location>
+    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/mapped/websso">
+      AuthType openid-connect
+      Require valid-user
+    </Location>
+</VirtualHost>
+
+{% raw %}
+<VirtualHost *:{{ keystone_admin_port }}>
+    WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ python_path }}
+    WSGIProcessGroup keystone-admin
+    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+    ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log"
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat
+</VirtualHost>
+{% endraw %}