Set stage/dev OSBS auth to require htpasswd instead of be wide open

2016-03-02 14:59:09 -06:00 · 2016-03-02 14:59:09 -06:00 · 033f0fe5e9
commit 033f0fe5e9
parent ef9fc80b37
5 changed files with 75 additions and 4 deletions
--- a/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml
+++ b/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml
@ -43,7 +43,32 @@
    - osbs-atomic-reactor
    - osbs-common
    - osbs-install-openshift
-    - osbs-master
+    - {
+        role: osbs-master,
+          osbs_master_export_port: true,
+          osbs_manage_firewalld: true,
+          osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
+          osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
+          osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
+          osbs_readonly_users: [],
+          osbs_readonly_groups: [],
+          osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+          osbs_readwrite_groups: [],
+          osbs_admin_users: [],
+          osbs_admin_groups: [],
+          osbs_master_max_pods: 3,
+          osbs_update_packages: false,
+          osbs_image_gc_high_threshold: 90,
+          osbs_image_gc_low_threshold: 80,
+          osbs_identity_provider: "htpasswd_provider",
+          osbs_identity_htpasswd: {
+            name: htpasswd_provider,
+            challenge: true,
+            login: true,
+            provider_file: "/etc/openshift/htpasswd"
+          }
+      }
    - {
      role: osbs-client,
        general: {
@ -52,6 +77,8 @@
          openshift_required_version: 1.1.0,
        },
        default: {
+          username: "{{ osbs_koji_stg_username }}",
+          password: "{{ osbs_koji_stg_password }}",
          openshift_url: 'https://osbs-dev.fedorainfracloud.org:8443/',
          registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
          source_registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
@ -106,6 +133,11 @@
        dest: /etc/hosts
        line: "{{ ansible_default_ipv4.address }} osbs osbs-dev.fedorainfracloud.org"

+    - name: place htpasswd file
+      file:
+        src: "{{private}}/files/httpd/osbs.htpasswd"
+        dest: /etc/origin/htpasswd
+
    - name: install docker
      action: "{{ ansible_pkg_mgr }} name=docker state=installed"

--- a/roles/osbs-client/defaults/main.yml
+++ b/roles/osbs-client/defaults/main.yml
@ -14,6 +14,8 @@ general:

 # Settings for the [default] section of the osbs.conf file
 default:
+  username: ""
+  password: ""
  openshift_url: https://osbs.localdomain:8443/
  koji_root: http://koji.fedoraproject.org/koji
  koji_hub: http://koji.fedoraproject.org/kojihub
--- a/roles/osbs-client/templates/osbs.conf.j2
+++ b/roles/osbs-client/templates/osbs.conf.j2
@ -4,6 +4,12 @@ build_json_dir = {{ general.build_json_dir }}
 openshift_required_version = {{ general.openshift_required_version }}

 [default]
+{% if default.username %}
+username = {{ default.username }}
+{% endif %}
+{% if default.password %}
+password = {{ default.password }}
+{% endif %}
 openshift_url = {{ default.openshift_url }}
 koji_root = {{ default.koji_root }}
 koji_hub = {{ default.koji_hub }}
--- a/roles/osbs-master/defaults/main.yml
+++ b/roles/osbs-master/defaults/main.yml
@ -72,3 +72,23 @@ osbs_update_packages: false

 osbs_image_gc_high_threshold: 90
 osbs_image_gc_low_threshold: 80
+
+
+# Specify different identity providers and options needed for the master-config
+# template
+#
+# Currently supported options are:
+#   request_header
+#   htpasswd_provider
+osbs_identity_provider: "request_header"
+
+osbs_identity_request:
+  name: request_header
+  challenge: true
+  login: true
+
+osbs_identity_htpasswd:
+  name: htpasswd_provider
+  challenge: true
+  login: true
+  provider_file: /etc/openshift/htpasswd
--- a/roles/osbs-master/templates/master-config.yaml.j2
+++ b/roles/osbs-master/templates/master-config.yaml.j2
@ -107,15 +107,26 @@ oauthConfig:
  grantConfig:
    method: auto
  identityProviders:
-  - name: request_header
-    challenge: false
-    login: false
+{% if osbs_identity_provider == "request_header" %}
+  - name: {{ osbs_identity_request.name }}
+    challenge: {{ osbs_identity_request.challenge }}
+    login: {{ osbs_identity_request.login }}
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }}
      headers:
      - X-Remote-User
+{% endif %}
+{% if osbs_identity_provider == "htpasswd_provider" %}
+  - name: {{ osbs_identity_htpasswd.name }}
+    challenge: {{ osbs_identity_htpasswd.challenge }}
+    login: {{ osbs_identity_htpasswd.login }}
+    provider:
+      apiVersion: v1
+      kind: HTPasswdPasswordIdentityProvider
+      file: {{ osbs_identity_htpasswd.provider_file }}
+{% endif %}
  masterCA: ca.crt
  masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
  masterURL: https://{{ ansible_default_ipv4.address }}:8443