From 9b760b0a89a77c5be0b3521a2c35b5afcb2a20d2 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Thu, 3 Dec 2015 14:09:42 -0500 Subject: Clean up idempotency issues with session secrets. --- roles/openshift_master/tasks/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'roles/openshift_master/tasks/main.yml') diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a22654678..1c7fdfcf9 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -9,6 +9,13 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods +# Session Options Validation +- fail: + msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) +- fail: + msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) # HA Variable Validation - fail: @@ -55,9 +62,9 @@ portal_net: "{{ openshift_master_portal_net | default(None) }}" session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}" session_name: "{{ openshift_master_session_name | default(None) }}" + session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}" session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}" - session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}" auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}" identity_providers: "{{ openshift_master_identity_providers | default(None) }}" @@ -221,7 +228,7 @@ template: dest: "{{ openshift.master.session_secrets_file }}" src: sessionSecretsFile.yaml.v1.j2 - force: no + when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined notify: - restart master - restart master api -- cgit v1.2.3 From ef014ae06a50c5f2050aa183638165895154db5f Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 16 Dec 2015 17:56:09 -0500 Subject: Secrets validation. --- roles/openshift_master/tasks/main.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'roles/openshift_master/tasks/main.yml') diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1c7fdfcf9..e6ddd1c49 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -11,11 +11,21 @@ # Session Options Validation - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + msg: > + Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + msg: > + openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) +- fail: + msg: > + Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters + when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool +- fail: + msg: > + Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters + when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool # HA Variable Validation - fail: -- cgit v1.2.3 From 62fcc9436db024d189f3ff8107aeb7e2a1ae812f Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Fri, 18 Dec 2015 11:02:52 -0500 Subject: openshift_facts validation --- roles/openshift_master/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) (limited to 'roles/openshift_master/tasks/main.yml') diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index e6ddd1c49..a3cddfd63 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -18,14 +18,6 @@ msg: > openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) -- fail: - msg: > - Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters - when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool -- fail: - msg: > - Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters - when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool # HA Variable Validation - fail: -- cgit v1.2.3 From 82db6897085a1278e6b982a403875ed8671190bb Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 6 Jan 2016 13:01:25 -0500 Subject: Move extra secret validations into openshift_facts. --- roles/openshift_master/tasks/main.yml | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'roles/openshift_master/tasks/main.yml') diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a3cddfd63..397122631 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -9,16 +9,6 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods -# Session Options Validation -- fail: - msg: > - Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) -- fail: - msg: > - openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - # HA Variable Validation - fail: msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations" -- cgit v1.2.3