-rw-r--r--filter_plugins/openshift_master.py23
-rw-r--r--inventory/byo/hosts.aep.example14
-rw-r--r--inventory/byo/hosts.origin.example14
-rw-r--r--inventory/byo/hosts.ose.example14
-rw-r--r--roles/openshift_master/tasks/main.yml33
-rw-r--r--roles/openshift_master/templates/htpasswd.j25
-rw-r--r--roles/openshift_master_facts/tasks/main.yml4
-rw-r--r--utils/src/ooinstall/cli_installer.py25
-rw-r--r--utils/src/ooinstall/oo_config.py2
-rw-r--r--utils/src/ooinstall/openshift_ansible.py3
-rw-r--r--utils/test/fixture.py2
11 files changed, 134 insertions, 5 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index dc12eb24b..c21709fe3 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -531,9 +531,30 @@ class FilterModule(object):
'openshift-master.kubeconfig']
return certs
+ @staticmethod
+ def oo_htpasswd_users_from_file(file_contents):
+ ''' return a dictionary of htpasswd users from htpasswd file contents '''
+ htpasswd_entries = {}
+ if not isinstance(file_contents, basestring):
+ raise errors.AnsibleFilterError("failed, expects to filter on a string")
+ for line in file_contents.splitlines():
+ user = None
+ passwd = None
+ if len(line) == 0:
+ continue
+ if ':' in line:
+ user, passwd = line.split(':', 1)
+
+ if user is None or len(user) == 0 or passwd is None or len(passwd) == 0:
+ error_msg = "failed, expects each line to be a colon separated string representing the user and passwd"
+ raise errors.AnsibleFilterError(error_msg)
+ htpasswd_entries[user] = passwd
+ return htpasswd_entries
+
def filters(self):
''' returns a mapping of filters to methods '''
return {"translate_idps": self.translate_idps,
"validate_pcs_cluster": self.validate_pcs_cluster,
- "certificates_to_synchronize": self.certificates_to_synchronize}
+ "certificates_to_synchronize": self.certificates_to_synchronize,
+ "oo_htpasswd_users_from_file": self.oo_htpasswd_users_from_file}
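Review bot: `oo_htpasswd_users_from_file` tests blankness with `len(line) == 0` on the raw line, so a line containing only spaces is not skipped and raises the "colon separated" error, while trailing whitespace after the hash is kept as part of the password value and written back verbatim by the template. Strip first: `line = line.strip()` followed by `if not line: continue`. A user name that appears twice silently overwrites the earlier entry at `htpasswd_entries[user] = passwd`, so a duplicated user changes that account's credential without any diagnostic; either raise on a duplicate or state the last-wins rule in the docstring. `basestring` is Python 2 only, which appears consistent with the rest of this plugin as far as the hunk shows.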
diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example
index 8649f02b4..71bab31f4 100644
--- a/inventory/byo/hosts.aep.example
+++ b/inventory/byo/hosts.aep.example
@@ -87,12 +87,26 @@ deployment_type=atomic-enterprise
# htpasswd auth
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
# Allow all auth
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
# LDAP auth
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
# Cloud Provider Configuration
#
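Review bot: The commented example `#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'` is missing its closing brace, so anyone who uncomments and fills it in gets a parse failure instead of a dict; the same line is repeated in hosts.origin.example and hosts.ose.example. Change it to `#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'}`. It would also help to say how the hashes are expected to be produced (e.g. with the `htpasswd` tool), since the template writes the value into the htpasswd file unchanged.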
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 1679d5aea..4eb28bdfb 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -92,12 +92,26 @@ deployment_type=origin
# htpasswd auth
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
# Allow all auth
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
# LDAP auth
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
# Cloud Provider Configuration
#
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 7055081f8..98d484ecb 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -88,12 +88,26 @@ deployment_type=openshift-enterprise
# htpasswd auth
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
# Allow all auth
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
# LDAP auth
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
# Cloud Provider Configuration
#
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 18a42bf93..fee6d3924 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -88,14 +88,41 @@
with_items: openshift.master.identity_providers
- name: Create the htpasswd file if needed
- copy:
+ template:
dest: "{{ item.filename }}"
- content: ""
+ src: htpasswd.j2
mode: 0600
- force: no
+ backup: yes
when: item.kind == 'HTPasswdPasswordIdentityProvider'
with_items: openshift.master.identity_providers
+- name: Create the ldap ca file if needed
+ copy:
+ dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('ldap_ca.crt') }}"
+ content: "{{ openshift.master.ldap_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider'
+ with_items: openshift.master.identity_providers
+
+- name: Create the openid ca file if needed
+ copy:
+ dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('openid_ca.crt') }}"
+ content: "{{ openshift.master.openid_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.openid_ca is defined and item.kind == 'OpenIDIdentityProvider' and item.ca | default('') != ''
+ with_items: openshift.master.identity_providers
+
+- name: Create the request header ca file if needed
+ copy:
+ dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else openshift_master_config_dir ~ '/' ~ item.clientCA | default('request_header_ca.crt') }}"
+ content: "{{ openshift.master.request_header_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
+ with_items: openshift.master.identity_providers
+
- name: Install the systemd units
include: systemd_units.yml
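Review bot: The ldap ca task's `when` lacks the `item.ca | default('') != ''` guard that the openid and request header tasks carry, and `default('ldap_ca.crt')` does not replace an empty string, so with the example inventory's `'ca': ''` the dest expression collapses to `openshift_master_config_dir ~ '/'` — a directory — as soon as `openshift_master_ldap_ca` is set. Align it with the other two: `when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider' and item.ca | default('') != ''`. Separately, dropping `force: no` in favour of re-templating on every run means the htpasswd file now mirrors the inventory exactly and any users added on the master with the `htpasswd` command disappear on the next run; that may be intended, but it deserves a comment on the task, and when `htpasswd_users` is absent the template renders an empty file, which an operator may not expect. `backup: yes` also leaves timestamped copies of the credential file beside it; worth confirming those copies carry the same 0600 mode.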
diff --git a/roles/openshift_master/templates/htpasswd.j2 b/roles/openshift_master/templates/htpasswd.j2
new file mode 100644
index 000000000..ba2c02e20
--- /dev/null
+++ b/roles/openshift_master/templates/htpasswd.j2
@@ -0,0 +1,5 @@
+{% if 'htpasswd_users' in openshift.master %}
+{% for user,pass in openshift.master.htpasswd_users.iteritems() %}
+{{ user ~ ':' ~ pass }}
+{% endfor %}
+{% endif %}
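Review bot: `iteritems()` is a Python 2 dict method, so this template fails under a Python 3 Ansible; `items()` behaves the same on both. Iterating an unsorted dict also renders the entries in arbitrary order, which can make the task report changed and produce a fresh backup on every run even when the user set is unchanged; `{% for user, pass in openshift.master.htpasswd_users | dictsort %}` gives a stable order. The outer `if` only checks for the key, so if the facts module keeps the `None` that the facts task defaults `htpasswd_users` to, the loop raises; `{% if openshift.master.htpasswd_users | default(None) %}` covers both the missing key and an empty or `None` value.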
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index d39c89516..090511864 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -42,6 +42,10 @@
access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
+ htpasswd_users: "{{ openshift_master_htpasswd_users | default(lookup('file', openshift_master_htpasswd_file) | oo_htpasswd_users_from_file if openshift_master_htpasswd_file is defined else None) }}"
+ ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}"
+ openid_ca: "{{ openshift_master_openid_ca | default(lookup('file', openshift_master_openid_ca_file) if openshift_master_openid_ca_file is defined else None) }}"
+ request_header_ca: "{{ openshift_master_request_header_ca | default(lookup('file', openshift_master_request_header_ca_file) if openshift_master_request_header_ca_file is defined else None) }}"
registry_url: "{{ oreg_url | default(None) }}"
oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}"
sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}"
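Review bot: The new `htpasswd_users` fact carries password hashes (and `ldap_ca`, `openid_ca`, `request_header_ca` carry whole certificate files) into `openshift.master`, so they appear wherever facts go — verbose task output, any `debug` of the facts, and the fact cache when one is enabled; the enclosing `openshift_facts` task starts outside the hunk, but nothing visible sets `no_log: true` on it, which is worth adding or at least deciding deliberately. `lookup('file', ...)` reads the path on the control host, matching the "path to local ... file" wording in the inventory examples; a short comment on the `htpasswd_users` line saying so would stop a reader assuming the file lives on the master. When both `openshift_master_htpasswd_users` and `openshift_master_htpasswd_file` are set, the file is still read and parsed (the `default` argument is evaluated before the filter runs) and then discarded, so a malformed file that is not even used fails the play.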
diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py
index 3d6b24138..71bdbd5a1 100644
--- a/utils/src/ooinstall/cli_installer.py
+++ b/utils/src/ooinstall/cli_installer.py
@@ -520,6 +520,24 @@ def error_if_missing_info(oo_cfg):
if missing_info:
sys.exit(1)
+def get_proxy_hostname_and_excludes():
+ message = """
+If a proxy is needed to reach HTTP and HTTPS traffic please enter the name below.
+This proxy will be configured by default for all processes needing to reach systems outside
+the cluster.
+
+More advanced configuration is possible if using ansible directly:
+
+https://docs.openshift.com/enterprise/latest/install_config/http_proxies.html
+"""
+ click.echo(message)
+
+ message = "Specify the hostname for your proxy? (ENTER for none)"
+ proxy_hostname = click.prompt(message)
+
+ message = "List any hosts that should be excluded from your proxy. (ENTER for none)"
+ proxy_excludes = click.prompt(message)
+ return proxy_hostname, proxy_excludes
def get_missing_info_from_user(oo_cfg):
""" Prompts the user for any information missing from the given configuration. """
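Review bot: `click.prompt(message)` with no `default` re-prompts on empty input, so the "(ENTER for none)" hint on both prompts in `get_proxy_hostname_and_excludes` does not hold and a user without a proxy cannot get past them. Pass an explicit empty default: `proxy_hostname = click.prompt(message, default='')` and `proxy_excludes = click.prompt(message, default='')`. The function also has no docstring; something like `"""Prompt for an outbound proxy hostname and a list of hosts to exclude from it; both may be empty."""` would do, and the second prompt should say how multiple hosts are to be separated, since nothing in the hunk parses or documents that.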
@@ -566,6 +584,13 @@ https://docs.openshift.com/enterprise/latest/admin_guide/install/prerequisites.h
oo_cfg.settings['master_routingconfig_subdomain'] = get_master_routingconfig_subdomain()
click.clear()
+ if not oo_cfg.settings.get('openshift_http_proxy', None):
+ proxy_hostname, proxy_excludes = get_proxy_hostname_and_excludes()
+ oo_cfg.settings['openshift_http_proxy'] = proxy_hostname
+ oo_cfg.settings['openshift_https_proxy'] = proxy_hostname
+ oo_cfg.settings['openshift_no_proxy'] = proxy_excludes
+ click.clear()
+
return oo_cfg
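Review bot: The settings keys written here (`openshift_http_proxy`, `openshift_https_proxy`, `openshift_no_proxy`) do not match the names added to `PERSIST_SETTINGS` in `utils/src/ooinstall/oo_config.py` (`proxy`, `proxy_exclude_hosts`), so the answers are neither persisted nor, as far as the `write_inventory_vars` hunk in `openshift_ansible.py` shows, written into the generated inventory, and the `if not oo_cfg.settings.get('openshift_http_proxy', None)` guard will re-prompt on every run. Pick one set of names, use it in both files, and add the matching `base_inventory.write(...)` lines in `write_inventory_vars`. The prompt also stores a bare hostname while the `openshift_http_proxy` inventory variable is presumably a URL with scheme and port — confirm the expected format before storing the value unchanged.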
diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py
index 0f1f5caf7..24dfbe013 100644
--- a/utils/src/ooinstall/oo_config.py
+++ b/utils/src/ooinstall/oo_config.py
@@ -11,6 +11,8 @@ PERSIST_SETTINGS = [
'ansible_config',
'ansible_log_path',
'master_routingconfig_subdomain',
+ 'proxy',
+ 'proxy_exclude_hosts',
'variant',
'variant_version',
'version',
diff --git a/utils/src/ooinstall/openshift_ansible.py b/utils/src/ooinstall/openshift_ansible.py
index cfe2819e8..5ace63918 100644
--- a/utils/src/ooinstall/openshift_ansible.py
+++ b/utils/src/ooinstall/openshift_ansible.py
@@ -129,7 +129,8 @@ def write_inventory_vars(base_inventory, multiple_masters, proxy):
"openshift_master_cluster_public_hostname={}\n".format(proxy.public_hostname))
if CFG.settings.get('master_routingconfig_subdomain', False):
base_inventory.write(
- "openshift_master_default_subdomain={}\n".format(CFG.settings['master_routingconfig_subdomain']))
+ "openshift_master_default_subdomain={}\n".format(
+ CFG.settings['master_routingconfig_subdomain']))
if CFG.settings.get('variant_version', None) == '3.1':
#base_inventory.write('openshift_image_tag=v{}\n'.format(CFG.settings.get('variant_version')))
base_inventory.write('openshift_image_tag=v{}\n'.format('3.1.1.6'))
diff --git a/utils/test/fixture.py b/utils/test/fixture.py
index 1657d8f46..4e0977e5d 100644
--- a/utils/test/fixture.py
+++ b/utils/test/fixture.py
@@ -201,6 +201,8 @@ def build_input(ssh_user=None, hosts=None, variant_num=None,
inputs.append(storage)
inputs.append('subdomain.example.com')
+ inputs.append('proxy.example.com')
+ inputs.append('exclude.example.com')
# TODO: support option 2, fresh install
if add_nodes: