Planet: add kerberos configuration
Signed-off-by: Pedro Moura <pmoura@redhat.com>
parent
22192bfefd
commit
782fb308e2
3 changed files with 57 additions and 1 deletions
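--- a/roles/openshift-apps/planet/templates/configmap.yml
+++ b/roles/openshift-apps/planet/templates/configmap.yml
@@ -0,0 +1,15 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata: {}
+items:
+- apiVersion: v1
+kind: ConfigMap
+metadata:
+name: krb5-config
+labels:
+app: planet
+data:
+krb5.conf: |-
+{{ load_file('krb5.conf') | indent(6) }}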
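Review bot: The outer document is declared `kind: ConfigMap` but carries `items:` and an empty `metadata: {}`, which is the shape of a list wrapper rather than a ConfigMap, so the top-level line should read `kind: List`. The rendering here has lost the indentation, so the nesting is inferred from the key order. If it is as it appears, the wrapper has no `metadata.name` and the inner `krb5-config` object sits under a field a ConfigMap does not define, so the object may be rejected, or the Kerberos configuration may never be created, when the template is applied.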
|
@ -21,14 +21,30 @@ spec:
|
|||
containers:
|
||||
- name: planet
|
||||
image: image-registry.openshift-image-registry.svc:5000/planet/planet:latest
|
||||
env:
|
||||
- name: KRB5_CONFIG
|
||||
value: '/etc/krb5.conf'
|
||||
name: KRB5_CLIENT_KTNAME
|
||||
value: '/etc/keytabs/http'
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
volumeMounts:
|
||||
- name: keytab-volume
|
||||
mountPath: /etc/keytabs
|
||||
readOnly: true
|
||||
- name: krb-config-volume
|
||||
mountPath: /etc/krb5
|
||||
readOnly: true
|
||||
- name: ipa-config-volume
|
||||
mountPath: /etc/ipa
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: keytab-volume
|
||||
secret:
|
||||
secretName: planet-keytab-http
|
||||
|
||||
- name: krb-config-volume
|
||||
configMap:
|
||||
name: krb5-config
|
||||
- name: ipa-config-volume
|
||||
configMap:
|
||||
name: ipa-client-config
|
||||
|
|
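Review bot: `KRB5_CONFIG` is set to `/etc/krb5.conf`, but `krb-config-volume` is mounted at `/etc/krb5`, so the file from the `krb5-config` ConfigMap lands at `/etc/krb5/krb5.conf` and the process would read whatever the image ships at `/etc/krb5.conf` instead; the value should be `value: '/etc/krb5/krb5.conf'` (or the key should be mounted with `subPath`). In the same `env:` list the second entry appears as `name: KRB5_CLIENT_KTNAME` without a leading `- `, which as rendered makes it a duplicate `name`/`value` pair inside the first item rather than a second variable; it should be `- name: KRB5_CLIENT_KTNAME`. The keytab path `/etc/keytabs/http` relies on the `planet-keytab-http` secret having a key named `http`, which this commit does not show, and since a keytab is a long-lived credential a restrictive `defaultMode` on `keytab-volume` would be worth setting. The file header for this section is not visible on the page and the spec continues outside the hunk.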
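--- a/roles/openshift-apps/planet/templates/krb5.conf
+++ b/roles/openshift-apps/planet/templates/krb5.conf
@@ -0,0 +1,25 @@
+includedir /etc/krb5.conf.d/
+
+[libdefaults]
+default_realm = {{ ipa_realm }}
+ticket_lifetime = 24h
+forwardable = true
+udp_preference_limit = 0
+rdns = false
+dns_canonicalize_hostname = false
+dns_lookup_realm = false
+dns_lookup_kdc = false
+
+[realms]
+{{ ipa_realm }} = {
+default_domain = {{ ipa_realm | lower }}
+pkinit_anchors = FILE:/etc/ipa/ca.crt
+pkinit_pool = FILE:/etc/ipa/ca.crt
+}
+
+[domain_realm]
+{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+.{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+{{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+.{{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+fasjson{{ env_suffix }}.fedoraproject.org = {{ ipa_realm }}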
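Review bot: The `[realms]` block for `{{ ipa_realm }}` names no `kdc`, while `[libdefaults]` sets `dns_lookup_kdc = false`, so unless a drop-in under `/etc/krb5.conf.d/` in the image supplies one the client has no way to locate a KDC. Add an explicit line such as `kdc = <KDC_HOST_OR_KDCPROXY_URL>` (placeholder) inside the realm block. `pkinit_anchors` and `pkinit_pool` point at `/etc/ipa/ca.crt`, which depends on the `ipa-client-config` ConfigMap carrying a `ca.crt` key; that is not visible in this commit. The `includedir` line also means the effective configuration depends on what the image places in that directory, so a comment stating which drop-ins are expected would help.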