summaryrefslogtreecommitdiffstats
path: root/roles/openshift_management/files
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-01-24 09:17:57 -0800
committerGitHub <noreply@github.com>2018-01-24 09:17:57 -0800
commit9a2bf772cc5a54bb3461ee1947f2885c69e95239 (patch)
tree7056c977f13776c341ed077900cfed10fad134aa /roles/openshift_management/files
parent362a248d5d09707625070f158022fa7e3be00df0 (diff)
parente96a2afb1a1993349c69adcb9b76f91177bdb48e (diff)
downloadopenshift-9a2bf772cc5a54bb3461ee1947f2885c69e95239.tar.gz
openshift-9a2bf772cc5a54bb3461ee1947f2885c69e95239.tar.bz2
openshift-9a2bf772cc5a54bb3461ee1947f2885c69e95239.tar.xz
openshift-9a2bf772cc5a54bb3461ee1947f2885c69e95239.zip
Merge pull request #6786 from simaishi/cf_46_beta
Automatic merge from submit-queue. CF 4.6 Beta templates for OpenShift v3.7 and v3.9 cc @sdodson @Loicavenel
Diffstat (limited to 'roles/openshift_management/files')
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml2
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml219
-rw-r--r--roles/openshift_management/files/templates/cloudforms/cfme-template.yaml221
4 files changed, 415 insertions, 29 deletions
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
index c3bc1d20c..48d1d4e26 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-backup-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/backup_db"
env:
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
index 8b23f8a33..7fd4fc2e1 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-restore-job.yaml
@@ -9,7 +9,7 @@ spec:
spec:
containers:
- name: postgresql
- image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql:latest
+ image: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql:latest
command:
- "/opt/rh/cfme-container-scripts/restore_db"
env:
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
index 4a04f3372..9866c29c3 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template-ext-db.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -90,15 +91,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
@@ -126,6 +127,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -433,18 +439,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -464,6 +625,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
@@ -497,6 +672,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -526,6 +704,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -581,6 +764,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
@@ -678,7 +866,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -686,11 +874,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -702,7 +890,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -730,10 +918,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.
diff --git a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
index d7c9f5af7..5c757b6c2 100644
--- a/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
+++ b/roles/openshift_management/files/templates/cloudforms/cfme-template.yaml
@@ -31,6 +31,7 @@ objects:
name: "${NAME}-secrets"
stringData:
pg-password: "${DATABASE_PASSWORD}"
+ admin-password: "${APPLICATION_ADMIN_PASSWORD}"
database-url: postgresql://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}?encoding=utf8&pool=5&wait_timeout=5
v2-key: "${V2_KEY}"
- apiVersion: v1
@@ -128,18 +129,173 @@ objects:
<VirtualHost *:80>
KeepAlive on
+ # Without ServerName mod_auth_mellon compares against http:// and not https:// from the IdP
+ ServerName https://%{REQUEST_HOST}
+
ProxyPreserveHost on
- ProxyPass /ws/ ws://${NAME}/ws/
- ProxyPassReverse /ws/ ws://${NAME}/ws/
- ProxyPass / http://${NAME}/
+
+ RewriteCond %{REQUEST_URI} ^/ws [NC]
+ RewriteCond %{HTTP:UPGRADE} ^websocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
+ RewriteRule .* ws://${NAME}%{REQUEST_URI} [P,QSA,L]
+
+ # For httpd, some ErrorDocuments must by served by the httpd pod
+ RewriteCond %{REQUEST_URI} !^/proxy_pages
+
+ # For SAML /saml2 is only served by mod_auth_mellon in the httpd pod
+ RewriteCond %{REQUEST_URI} !^/saml2
+ RewriteRule ^/ http://${NAME}%{REQUEST_URI} [P,QSA,L]
ProxyPassReverse / http://${NAME}/
+
+ # Ensures httpd stdout/stderr are seen by docker logs.
+ ErrorLog "| /usr/bin/tee /proc/1/fd/2 /var/log/httpd/error_log"
+ CustomLog "| /usr/bin/tee /proc/1/fd/1 /var/log/httpd/access_log" common
</VirtualHost>
+ authentication.conf: |
+ # Load appropriate authentication configuration files
+ #
+ Include "conf.d/configuration-${HTTPD_AUTH_TYPE}-auth"
+ configuration-internal-auth: |
+ # Internal authentication
+ #
+ configuration-external-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/http.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-active-directory-auth: |
+ Include "conf.d/external-auth-load-modules-conf"
+
+ <Location /dashboard/kerberos_authenticate>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms ${HTTPD_AUTH_KERBEROS_REALMS}
+ Krb5KeyTab /etc/krb5.keytab
+ KrbServiceName Any
+ Require pam-account httpd-auth
+
+ ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
+ </Location>
+
+ Include "conf.d/external-auth-login-form-conf"
+ Include "conf.d/external-auth-application-api-conf"
+ Include "conf.d/external-auth-lookup-user-details-conf"
+ Include "conf.d/external-auth-remote-user-conf"
+ configuration-saml-auth: |
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+ <Location />
+ MellonEnable "info"
+
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/sp-key.key"
+ MellonSPCertFile "/etc/httpd/saml2/sp-cert.cert"
+ MellonSPMetadataFile "/etc/httpd/saml2/sp-metadata.xml"
+
+ MellonVariable "sp-cookie"
+ MellonSecureCookie On
+ MellonCookiePath "/"
+
+ MellonIdP "IDP"
+
+ MellonEndpointPath "/saml2"
+
+ MellonUser username
+ MellonMergeEnvVars On
+
+ MellonSetEnvNoPrefix "REMOTE_USER" username
+ MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
+ MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" firstname
+ MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" lastname
+ MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" fullname
+ MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" groups
+ </Location>
+
+ <Location /saml_login>
+ AuthType "Mellon"
+ MellonEnable "auth"
+ Require valid-user
+ </Location>
+
+ Include "conf.d/external-auth-remote-user-conf"
+ external-auth-load-modules-conf: |
+ LoadModule authnz_pam_module modules/mod_authnz_pam.so
+ LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+ LoadModule auth_kerb_module modules/mod_auth_kerb.so
+ external-auth-login-form-conf: |
+ <Location /dashboard/external_authenticate>
+ InterceptFormPAMService httpd-auth
+ InterceptFormLogin user_name
+ InterceptFormPassword user_password
+ InterceptFormLoginSkip admin
+ InterceptFormClearRemoteUserForSkipped on
+ </Location>
+ external-auth-application-api-conf: |
+ <LocationMatch ^/api>
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+
+ AuthType Basic
+ AuthName "External Authentication (httpd) for API"
+ AuthBasicProvider PAM
+
+ AuthPAMService httpd-auth
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Satisfy Any
+ </LocationMatch>
+ external-auth-lookup-user-details-conf: |
+ <LocationMatch ^/dashboard/external_authenticate$|^/dashboard/kerberos_authenticate$|^/api>
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ LookupUserAttr displayname REMOTE_USER_FULLNAME
+ LookupUserAttr domainname REMOTE_USER_DOMAIN
+
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ LookupDbusTimeout 5000
+ </LocationMatch>
+ external-auth-remote-user-conf: |
+ RequestHeader unset X_REMOTE_USER
+
+ RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
+ RequestHeader set X_EXTERNAL_AUTH_ERROR %{EXTERNAL_AUTH_ERROR}e env=EXTERNAL_AUTH_ERROR
+ RequestHeader set X_REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e env=REMOTE_USER_EMAIL
+ RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e env=REMOTE_USER_FIRSTNAME
+ RequestHeader set X_REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e env=REMOTE_USER_LASTNAME
+ RequestHeader set X_REMOTE_USER_FULLNAME %{REMOTE_USER_FULLNAME}e env=REMOTE_USER_FULLNAME
+ RequestHeader set X_REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e env=REMOTE_USER_GROUPS
+ RequestHeader set X_REMOTE_USER_DOMAIN %{REMOTE_USER_DOMAIN}e env=REMOTE_USER_DOMAIN
- apiVersion: v1
kind: ConfigMap
metadata:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
data:
auth-type: internal
+ auth-kerberos-realms: undefined
auth-configuration.conf: |
# External Authentication Configuration File
#
@@ -203,15 +359,15 @@ objects:
- name: cloudforms
image: "${FRONTEND_APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
- tcpSocket:
- port: 80
+ exec:
+ command:
+ - pidof
+ - MIQ Server
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
- httpGet:
- path: "/"
+ tcpSocket:
port: 80
- scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
@@ -239,6 +395,11 @@ objects:
secretKeyRef:
name: "${NAME}-secrets"
key: v2-key
+ - name: APPLICATION_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${NAME}-secrets"
+ key: admin-password
- name: ANSIBLE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
@@ -611,6 +772,20 @@ objects:
selector:
name: httpd
- apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${HTTPD_DBUS_API_SERVICE_NAME}"
+ annotations:
+ description: Exposes the httpd server dbus api
+ service.alpha.openshift.io/dependencies: '[{"name":"${NAME}","namespace":"","kind":"Service"}]'
+ spec:
+ ports:
+ - name: http-dbus-api
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: httpd
+- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${HTTPD_SERVICE_NAME}"
@@ -644,6 +819,9 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
livenessProbe:
exec:
command:
@@ -673,6 +851,11 @@ objects:
configMapKeyRef:
name: "${HTTPD_SERVICE_NAME}-auth-configs"
key: auth-type
+ - name: HTTPD_AUTH_KERBEROS_REALMS
+ valueFrom:
+ configMapKeyRef:
+ name: "${HTTPD_SERVICE_NAME}-auth-configs"
+ key: auth-kerberos-realms
lifecycle:
postStart:
exec:
@@ -718,6 +901,11 @@ parameters:
displayName: Application Database Region
description: Database region that will be used for application.
value: '0'
+- name: APPLICATION_ADMIN_PASSWORD
+ displayName: Application Admin Password
+ required: true
+ description: Admin password that will be set on the application.
+ value: smartvm
- name: ANSIBLE_DATABASE_NAME
displayName: Ansible PostgreSQL database name
required: true
@@ -842,7 +1030,7 @@ parameters:
- name: POSTGRESQL_IMG_NAME
displayName: PostgreSQL Image Name
description: This is the PostgreSQL image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-postgresql
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-postgresql
- name: POSTGRESQL_IMG_TAG
displayName: PostgreSQL Image Tag
description: This is the PostgreSQL image tag/version requested to deploy.
@@ -850,7 +1038,7 @@ parameters:
- name: MEMCACHED_IMG_NAME
displayName: Memcached Image Name
description: This is the Memcached image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-memcached
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-memcached
- name: MEMCACHED_IMG_TAG
displayName: Memcached Image Tag
description: This is the Memcached image tag/version requested to deploy.
@@ -858,11 +1046,11 @@ parameters:
- name: FRONTEND_APPLICATION_IMG_NAME
displayName: Frontend Application Image Name
description: This is the Frontend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app-ui
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app-ui
- name: BACKEND_APPLICATION_IMG_NAME
displayName: Backend Application Image Name
description: This is the Backend Application image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-app
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-app
- name: FRONTEND_APPLICATION_IMG_TAG
displayName: Front end Application Image Tag
description: This is the CloudForms Frontend Application image tag/version requested to deploy.
@@ -874,7 +1062,7 @@ parameters:
- name: ANSIBLE_IMG_NAME
displayName: Ansible Image Name
description: This is the Ansible image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-embedded-ansible
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-embedded-ansible
- name: ANSIBLE_IMG_TAG
displayName: Ansible Image Tag
description: This is the Ansible image tag/version requested to deploy.
@@ -907,10 +1095,15 @@ parameters:
displayName: Apache httpd Service Name
description: The name of the OpenShift Service exposed for the httpd container.
value: httpd
+- name: HTTPD_DBUS_API_SERVICE_NAME
+ required: true
+ displayName: Apache httpd DBus API Service Name
+ description: The name of httpd dbus api service.
+ value: httpd-dbus-api
- name: HTTPD_IMG_NAME
displayName: Apache httpd Image Name
description: This is the httpd image name requested to deploy.
- value: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cloudforms46/cfme-openshift-httpd
+ value: registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd
- name: HTTPD_IMG_TAG
displayName: Apache httpd Image Tag
description: This is the httpd image tag/version requested to deploy.