Set stage/dev OSBS auth to require htpasswd instead of be wide open

Adam Miller 2016-03-02 14:59:09 -06:00 committed by Adam Miller
parent ef9fc80b37
commit 033f0fe5e9
5 changed files with 75 additions and 4 deletions


@ -43,7 +43,32 @@
- osbs-atomic-reactor - osbs-atomic-reactor
- osbs-common - osbs-common
- osbs-install-openshift - osbs-install-openshift
- osbs-master - {
role: osbs-master,
osbs_master_export_port: true,
osbs_manage_firewalld: true,
osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
osbs_readwrite_groups: [],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_master_max_pods: 3,
osbs_update_packages: false,
osbs_image_gc_high_threshold: 90,
osbs_image_gc_low_threshold: 80,
osbs_identity_provider: "htpasswd_provider",
osbs_identity_htpasswd: {
name: htpasswd_provider,
challenge: true,
login: true,
provider_file: "/etc/openshift/htpasswd"
}
}
- { - {
role: osbs-client, role: osbs-client,
general: { general: {
@ -52,6 +77,8 @@
openshift_required_version: 1.1.0, openshift_required_version: 1.1.0,
}, },
default: { default: {
username: "{{ osbs_koji_stg_username }}",
password: "{{ osbs_koji_stg_password }}",
openshift_url: 'https://osbs-dev.fedorainfracloud.org:8443/', openshift_url: 'https://osbs-dev.fedorainfracloud.org:8443/',
registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2', registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
source_registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2', source_registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
@ -106,6 +133,11 @@
dest: /etc/hosts dest: /etc/hosts
line: "{{ ansible_default_ipv4.address }} osbs osbs-dev.fedorainfracloud.org" line: "{{ ansible_default_ipv4.address }} osbs osbs-dev.fedorainfracloud.org"
- name: place htpasswd file
file:
src: "{{private}}/files/httpd/osbs.htpasswd"
dest: /etc/origin/htpasswd
- name: install docker - name: install docker
action: "{{ ansible_pkg_mgr }} name=docker state=installed" action: "{{ ansible_pkg_mgr }} name=docker state=installed"
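Review bot: The `place htpasswd file` task in the third hunk uses the `file` module with `src`, which the module only honours for `state: link`/`state: hard`, so it will not copy the credential file onto the host; it needs to be `copy`. Its `dest: /etc/origin/htpasswd` also does not match the `provider_file: "/etc/openshift/htpasswd"` the first hunk passes to osbs-master, so the master would be pointed at a path this task never writes — pick one path and use it in both places. Because the file holds password hashes, the task should also pin owner, group and mode rather than inheriting whatever the source file had; `0600` for root is the conservative choice, but confirm the user the master runs as can still read it. The enclosing play continues outside the hunk.
```yaml
- name: place htpasswd file
  copy:
    src: "{{private}}/files/httpd/osbs.htpasswd"
    dest: /etc/origin/htpasswd
    owner: root
    group: root
    mode: "0600"
```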


@ -14,6 +14,8 @@ general:
# Settings for the [default] section of the osbs.conf file # Settings for the [default] section of the osbs.conf file
default: default:
username: ""
password: ""
openshift_url: https://osbs.localdomain:8443/ openshift_url: https://osbs.localdomain:8443/
koji_root: http://koji.fedoraproject.org/koji koji_root: http://koji.fedoraproject.org/koji
koji_hub: http://koji.fedoraproject.org/kojihub koji_hub: http://koji.fedoraproject.org/kojihub
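Review bot: The new `username`/`password` defaults carry no comment saying what they are, and the osbs.conf template in this commit writes them into the `[default]` section as login credentials, so a reader needs to know these are secrets meant to be overridden from a private or vaulted variable source rather than filled in here. I would add above `username: ""` the comment `# OpenShift login written to osbs.conf [default]; leave empty here and override from a private/vaulted var file — never commit real values.` Empty strings are a sensible default given that the template only emits the keys when the value is truthy.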


@ -4,6 +4,12 @@ build_json_dir = {{ general.build_json_dir }}
openshift_required_version = {{ general.openshift_required_version }} openshift_required_version = {{ general.openshift_required_version }}
[default] [default]
{% if default.username %}
username = {{ default.username }}
{% endif %}
{% if default.password %}
password = {{ default.password }}
{% endif %}
openshift_url = {{ default.openshift_url }} openshift_url = {{ default.openshift_url }}
koji_root = {{ default.koji_root }} koji_root = {{ default.koji_root }}
koji_hub = {{ default.koji_hub }} koji_hub = {{ default.koji_hub }}
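Review bot: `password = {{ default.password }}` writes the OpenShift login secret into the rendered osbs.conf in clear text, and nothing in this hunk shows what permissions the `template` task that renders it applies; that task is outside the hunk and should set `mode: "0600"` (or `0640` with the group that runs osbs-client) so the credential is not world-readable on the host. The `{% if %}` guards themselves are fine — an unset value omits the key instead of emitting `username = `. A short template comment such as `{# username/password are the OpenShift (htpasswd) login; rendered file must not be world-readable #}` above the `[default]` header would make the intent clear. The `[default]` section continues beyond the hunk.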


@ -72,3 +72,23 @@ osbs_update_packages: false
osbs_image_gc_high_threshold: 90 osbs_image_gc_high_threshold: 90
osbs_image_gc_low_threshold: 80 osbs_image_gc_low_threshold: 80
# Specify different identity providers and options needed for the master-config
# template
#
# Currently supported options are:
# request_header
# htpasswd_provider
osbs_identity_provider: "request_header"
osbs_identity_request:
name: request_header
challenge: true
login: true
osbs_identity_htpasswd:
name: htpasswd_provider
challenge: true
login: true
provider_file: /etc/openshift/htpasswd
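Review bot: The new `osbs_identity_request` defaults set `challenge: true` and `login: true`, but the lines they replace in the master-config template (last file section of this commit) had the RequestHeaderIdentityProvider at `challenge: false` / `login: false`, so every deployment that keeps the `request_header` default silently changes behaviour; as far as I recall OpenShift also requires a `challengeURL`/`loginURL` on that provider kind once these are enabled, which the template does not render, so the master may refuse the config — verify, and otherwise keep `challenge: false` and `login: false` for `osbs_identity_request`. Separately, `provider_file: /etc/openshift/htpasswd` matches neither the `/etc/origin/...` layout the role uses elsewhere (`/etc/origin/master/ca.crt` in the template) nor the `dest: /etc/origin/htpasswd` the playbook writes in the first file section; align it to the path actually written and quote it, `provider_file: "/etc/origin/htpasswd"`.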


@ -107,15 +107,26 @@ oauthConfig:
grantConfig: grantConfig:
method: auto method: auto
identityProviders: identityProviders:
- name: request_header {% if osbs_identity_provider == "request_header" %}
challenge: false - name: {{ osbs_identity_request.name }}
login: false challenge: {{ osbs_identity_request.challenge }}
login: {{ osbs_identity_request.login }}
provider: provider:
apiVersion: v1 apiVersion: v1
kind: RequestHeaderIdentityProvider kind: RequestHeaderIdentityProvider
clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }} clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }}
headers: headers:
- X-Remote-User - X-Remote-User
{% endif %}
{% if osbs_identity_provider == "htpasswd_provider" %}
- name: {{ osbs_identity_htpasswd.name }}
challenge: {{ osbs_identity_htpasswd.challenge }}
login: {{ osbs_identity_htpasswd.login }}
provider:
apiVersion: v1
kind: HTPasswdPasswordIdentityProvider
file: {{ osbs_identity_htpasswd.provider_file }}
{% endif %}
masterCA: ca.crt masterCA: ca.crt
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
masterURL: https://{{ ansible_default_ipv4.address }}:8443 masterURL: https://{{ ansible_default_ipv4.address }}:8443
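Review bot: When `osbs_identity_provider` matches neither branch, the template renders `identityProviders:` with no items, which most likely reads as null and leaves the master with no identity provider at all — a silent misconfiguration rather than a failing run; guard it before the template task with `assert: { that: "osbs_identity_provider in ['request_header', 'htpasswd_provider']" }` or add an `{% else %}` that makes the failure visible. Templated scalars such as `name: {{ osbs_identity_htpasswd.name }}` and `file: {{ osbs_identity_htpasswd.provider_file }}` should be quoted (`name: "{{ osbs_identity_htpasswd.name }}"`) so an empty expansion or a value starting with a YAML indicator does not change the parse. The `oauthConfig` mapping starts before and continues after the hunk.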