Mutualize the ipa client config in openshift
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
parent
a65d4589d0
commit
b7e08d6d48
9 changed files with 59 additions and 34 deletions
|
@ -10,16 +10,6 @@
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Get the IPA CA cert
|
|
||||||
slurp:
|
|
||||||
src: /etc/ipa/ca.crt
|
|
||||||
delegate_to: "{{ ipa_server }}"
|
|
||||||
register: ipa_ca_cert_var
|
|
||||||
- name: Register the IPA CA cert in a fact
|
|
||||||
set_fact:
|
|
||||||
ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}"
|
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
# RabbitMQ is not redeployed in staging yet
|
# RabbitMQ is not redeployed in staging yet
|
||||||
# - role: rabbit/user
|
# - role: rabbit/user
|
||||||
|
@ -65,30 +55,40 @@
|
||||||
- role: openshift/imagestream
|
- role: openshift/imagestream
|
||||||
app: noggin
|
app: noggin
|
||||||
imagename: noggin
|
imagename: noggin
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: buildconfig.yml
|
template: buildconfig.yml
|
||||||
objectname: buildconfig.yml
|
objectname: buildconfig.yml
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: configmap.yml
|
template: configmap.yml
|
||||||
objectname: configmap.yml
|
objectname: configmap.yml
|
||||||
|
|
||||||
|
- role: openshift/ipa-client
|
||||||
|
app: noggin
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
file: service.yml
|
file: service.yml
|
||||||
objectname: service.yml
|
objectname: service.yml
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: route.yml
|
template: route.yml
|
||||||
objectname: route.yml
|
objectname: route.yml
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: secrets.yml
|
template: secrets.yml
|
||||||
objectname: secrets.yml
|
objectname: secrets.yml
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: secret-webhook.yml
|
template: secret-webhook.yml
|
||||||
objectname: secret-webhook.yml
|
objectname: secret-webhook.yml
|
||||||
|
|
||||||
- role: openshift/object
|
- role: openshift/object
|
||||||
app: noggin
|
app: noggin
|
||||||
template: deploymentconfig.yml
|
template: deploymentconfig.yml
|
||||||
|
|
|
@ -34,14 +34,3 @@ items:
|
||||||
data:
|
data:
|
||||||
config.toml: |-
|
config.toml: |-
|
||||||
{{ load_file('fedora-messaging.toml') | indent(6) }}
|
{{ load_file('fedora-messaging.toml') | indent(6) }}
|
||||||
- apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: ipa-config
|
|
||||||
data:
|
|
||||||
ldap.conf: |-
|
|
||||||
{{ load_file('ipa-ldap.conf') | indent(6) }}
|
|
||||||
default.conf: |-
|
|
||||||
{{ load_file('ipa-default.conf') | indent(6) }}
|
|
||||||
ca.crt: |-
|
|
||||||
{{ ipa_ca_cert | indent(6) }}
|
|
||||||
|
|
|
@ -107,7 +107,7 @@ spec:
|
||||||
secretName: fedora-messaging-key
|
secretName: fedora-messaging-key
|
||||||
- name: ipa-config-volume
|
- name: ipa-config-volume
|
||||||
configMap:
|
configMap:
|
||||||
name: ipa-config
|
name: ipa-client-config
|
||||||
triggers:
|
triggers:
|
||||||
- imageChangeParams:
|
- imageChangeParams:
|
||||||
automatic: true
|
automatic: true
|
||||||
|
|
|
@ -1,7 +1,15 @@
|
||||||
amqp_url = "amqps://noggin:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
|
amqp_url = "amqps://noggin:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
|
||||||
|
|
||||||
|
# Just check if the queue exist, don't try to create it (the server does not allow it).
|
||||||
passive_declares = true
|
passive_declares = true
|
||||||
publish_exchange = "amq.topic"
|
|
||||||
topic_prefix = ""
|
# The topic_prefix configuration value will add a prefix to the topics of every sent message.
|
||||||
|
# This is used for migrating from fedmsg, and should not be used afterwards.
|
||||||
|
{% if env == "staging" %}
|
||||||
|
topic_prefix = "org.fedoraproject.stg"
|
||||||
|
{% else %}
|
||||||
|
topic_prefix = "org.fedoraproject.prod"
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[tls]
|
[tls]
|
||||||
ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
|
ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
SASL_NOCANON on
|
|
||||||
URI ldaps://{{ ipa_server }}
|
|
||||||
{% if env == "staging" %}
|
|
||||||
BASE dc=stg,dc=fedoraproject,dc=org
|
|
||||||
{% else %}
|
|
||||||
BASE dc=fedoraproject,dc=org
|
|
||||||
{% endif %}
|
|
||||||
TLS_CACERT /etc/ipa/ca.crt
|
|
||||||
SASL_MECH GSSAPI
|
|
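--- /dev/null
+++ b/roles/openshift/ipa-client/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Get the IPA CA cert
+  slurp:
+    src: /etc/ipa/ca.crt
+  delegate_to: "{{ ipa_server }}"
+  register: ipa_ca_cert_var
+
+- name: Register the IPA CA cert in a fact
+  set_fact:
+    ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}"
+
+- name: Copy ipa config template to temporary file
+  template:
+    src: "{{roles_path}}/openshift/ipa-client/templates/configmap.yml"
+    dest: "/etc/openshift_apps/{{app}}/configmap-ipa-client.yml"
+  register: object_template
+
+- name: Call `oc apply` on the copied file
+  shell: oc -n {{app}} apply -f /etc/openshift_apps/{{app}}/configmap-ipa-client.yml
+  when: object_template.changed or object_template_fullpath.changed or object_file.changed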
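--- /dev/null
+++ b/roles/openshift/ipa-client/templates/configmap.yml
@@ -0,0 +1,13 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ipa-client-config
+data:
+  ldap.conf: |-
+    {{ load_file('ldap.conf') | indent(6) }}
+  default.conf: |-
+    {{ load_file('default.conf') | indent(6) }}
+  ca.crt: |-
+    {{ ipa_ca_cert | indent(6) }}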
|
@ -1,5 +1,5 @@
|
||||||
[global]
|
[global]
|
||||||
basedn = dc=freeipa-dev,dc=fedoraproject,dc=org
|
basedn = {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
|
||||||
realm = {{ ipa_realm }}
|
realm = {{ ipa_realm }}
|
||||||
domain = {{ ipa_realm | lower }}
|
domain = {{ ipa_realm | lower }}
|
||||||
server = {{ ipa_server }}
|
server = {{ ipa_server }}
|
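--- /dev/null
+++ b/roles/openshift/ipa-client/templates/ldap.conf
@@ -0,0 +1,5 @@
+SASL_NOCANON on
+URI ldaps://{{ ipa_server }}
+BASE {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+TLS_CACERT /etc/ipa/ca.crt
+SASL_MECH GSSAPI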