diff options
author | Nick Bartos <flamingo@2thebatcave.com> | 2017-12-05 15:02:52 +1100 |
---|---|---|
committer | Nick Bartos <flamingo@2thebatcave.com> | 2018-01-08 07:44:35 +1100 |
commit | 6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7 (patch) | |
tree | 217ed334a99474d8307a65c75a4c864acbabf7d8 /roles/contiv_auth_proxy/tasks/main.yml | |
parent | a5eee09d02120bb16d7f81d1b05982e1a69df4dc (diff) | |
download | openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.gz openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.bz2 openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.tar.xz openshift-6daf71565fd69e9ddb2ac20e787d49f74cf7a9d7.zip |
Contiv multi-master and other fixes
Contiv's etcd was not being deployed correctly when using more than
one master. To make it easier to manage, it has been moved into a
k8s container.
The api proxy was hardcoded to an old version (1.1.1), and in some
environments would run into a docker error. This has been moved into
a k8s container for easier management.
The firewall was too permissive on several ports. Many were open to
the world when they should have only been accessible inside the
cluster.
Many of the contiv role variables were not prefixed with 'contiv',
which may end up clobbering variables from another role. Now all the
contiv specific role variables start with 'contiv_'.
The api proxy's default self-signed certificate was bundled with the
role. This means someone with read-only MITM access and this key
could decrypt traffic. Granted a user defined certificate from a
trusted CA should be used in a production environment, it is still
better to generate one in each environment when one is not provided.
Diffstat (limited to 'roles/contiv_auth_proxy/tasks/main.yml')
-rw-r--r-- | roles/contiv_auth_proxy/tasks/main.yml | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/roles/contiv_auth_proxy/tasks/main.yml b/roles/contiv_auth_proxy/tasks/main.yml deleted file mode 100644 index 74e7bf794..000000000 --- a/roles/contiv_auth_proxy/tasks/main.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -# tasks file for auth_proxy -- name: setup iptables for auth proxy - shell: > - ( iptables -L INPUT | grep "{{ auth_proxy_rule_comment }} ({{ item }})" ) || \ - iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "{{ auth_proxy_rule_comment }} ({{ item }})" - become: true - with_items: - - "{{ auth_proxy_port }}" - -# Load the auth-proxy-image from local tar. Ignore any errors to handle the -# case where the image is not built in -- name: copy auth-proxy image - copy: src={{ auth_proxy_binaries }}/auth-proxy-image.tar dest=/tmp/auth-proxy-image.tar - when: auth_proxy_local_install == True - -- name: load auth-proxy image - shell: docker load -i /tmp/auth-proxy-image.tar - when: auth_proxy_local_install == True - -- name: create cert folder for proxy - file: path=/var/contiv/certs state=directory - -- name: copy shell script for starting auth-proxy - template: src=auth_proxy.j2 dest=/usr/bin/auth_proxy.sh mode=u=rwx,g=rx,o=rx - -- name: copy cert for starting auth-proxy - copy: src=cert.pem dest=/var/contiv/certs/auth_proxy_cert.pem mode=u=rw,g=r,o=r - -- name: copy key for starting auth-proxy - copy: src=key.pem dest=/var/contiv/certs/auth_proxy_key.pem mode=u=rw,g=r,o=r - -- name: copy systemd units for auth-proxy - copy: src=auth-proxy.service dest=/etc/systemd/system/auth-proxy.service - -- name: start auth-proxy container - systemd: name=auth-proxy daemon_reload=yes state=started enabled=yes |