-rw-r--r-- | filter_plugins/openshift_master.py | 23 | ||||
-rw-r--r-- | inventory/byo/hosts.aep.example | 14 | ||||
-rw-r--r-- | inventory/byo/hosts.origin.example | 14 | ||||
-rw-r--r-- | inventory/byo/hosts.ose.example | 14 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 33 | ||||
-rw-r--r-- | roles/openshift_master/templates/htpasswd.j2 | 5 | ||||
-rw-r--r-- | roles/openshift_master_facts/tasks/main.yml | 4 | ||||
-rw-r--r-- | utils/src/ooinstall/cli_installer.py | 25 | ||||
-rw-r--r-- | utils/src/ooinstall/oo_config.py | 2 | ||||
-rw-r--r-- | utils/src/ooinstall/openshift_ansible.py | 3 | ||||
-rw-r--r-- | utils/test/fixture.py | 2 |
11 files changed, 134 insertions, 5 deletions
diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py
index dc12eb24b..c21709fe3 100644
--- a/filter_plugins/openshift_master.py
+++ b/filter_plugins/openshift_master.py
@@ -531,9 +531,30 @@ class FilterModule(object):
 'openshift-master.kubeconfig']
 return certs
+ @staticmethod
+ def oo_htpasswd_users_from_file(file_contents):
+ ''' return a dictionary of htpasswd users from htpasswd file contents '''
+ htpasswd_entries = {}
+ if not isinstance(file_contents, basestring):
+ raise errors.AnsibleFilterError("failed, expects to filter on a string")
+ for line in file_contents.splitlines():
+ user = None
+ passwd = None
+ if len(line) == 0:
+ continue
+ if ':' in line:
+ user, passwd = line.split(':', 1)
+
+ if user is None or len(user) == 0 or passwd is None or len(passwd) == 0:
+ error_msg = "failed, expects each line to be a colon separated string representing the user and passwd"
+ raise errors.AnsibleFilterError(error_msg)
+ htpasswd_entries[user] = passwd
+ return htpasswd_entries
+
 def filters(self):
 ''' returns a mapping of filters to methods '''
 return {"translate_idps": self.translate_idps,
 "validate_pcs_cluster": self.validate_pcs_cluster,
- "certificates_to_synchronize": self.certificates_to_synchronize}
+ "certificates_to_synchronize": self.certificates_to_synchronize,
+ "oo_htpasswd_users_from_file": self.oo_htpasswd_users_from_file}
diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example
index 8649f02b4..71bab31f4 100644
--- a/inventory/byo/hosts.aep.example
+++ b/inventory/byo/hosts.aep.example 
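Review bot: `oo_htpasswd_users_from_file` keeps each line's surrounding whitespace, so a trailing space on a hand-edited htpasswd line becomes part of the stored hash and silently breaks that user's login, while a whitespace-only line escapes the `len(line) == 0` check and trips the colon error instead; strip before testing, `line = line.strip()` followed by `if not line: continue`. A username that appears twice is also merged last-one-wins by `htpasswd_entries[user] = passwd`, which for a credential file deserves an `AnsibleFilterError` rather than a silent overwrite. `basestring` ties the filter to Python 2, which is only fine while the rest of the plugin stays there.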
@@ -87,12 +87,26 @@ deployment_type=atomic-enterprise
 # htpasswd auth
 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
 # Allow all auth
 #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
 # Cloud Provider Configuration
 #
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 1679d5aea..4eb28bdfb 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example 
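Review bot: The `openshift_master_htpasswd_users` example is missing its closing brace, so it cannot be copied as written; it should read `#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'}`. The comment should also say that the values are written verbatim as htpasswd-format hashes and, now that password hashes live in the inventory, point operators at ansible-vault for this variable. The `openshift_master_ldap_ca` comment should state that the provider's `ca` entry must name the file the role writes (the example above leaves it `''`, in which case the written CA is never referenced).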
@@ -92,12 +92,26 @@ deployment_type=origin
 # htpasswd auth
 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
 # Allow all auth
 #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
 # Cloud Provider Configuration
 #
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 7055081f8..98d484ecb 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example 
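Review bot: The `openshift_master_htpasswd_users` example here has the same unterminated dict as the aep example — `'user2': '<pre-hashed password>'` needs a closing `}` — and it should say the values are htpasswd-format hashes that belong in ansible-vault once they are inventory data. The ldap CA comment should add that `'ca': ''` in the provider entry must be changed to the file name for the written CA to be used.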
@@ -88,12 +88,26 @@ deployment_type=openshift-enterprise
 # htpasswd auth
 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
 # Allow all auth
 #openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
 # LDAP auth
 #openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
 # Cloud Provider Configuration
 #
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 18a42bf93..fee6d3924 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml 
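Review bot: Same unterminated example as the other two inventories: `#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'}` is what the line should be. Since the three example files carry identical text, a note that the hashes are written verbatim and should be vaulted, and that the ldap provider's `ca` must name the file for `openshift_master_ldap_ca` to take effect, belongs in all of them.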
@@ -88,14 +88,41 @@
 with_items: openshift.master.identity_providers
 - name: Create the htpasswd file if needed
- copy:
+ template:
 dest: "{{ item.filename }}"
- content: ""
+ src: htpasswd.j2
 mode: 0600
- force: no
+ backup: yes
 when: item.kind == 'HTPasswdPasswordIdentityProvider'
 with_items: openshift.master.identity_providers
+- name: Create the ldap ca file if needed
+ copy:
+ dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('ldap_ca.crt') }}"
+ content: "{{ openshift.master.ldap_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider'
+ with_items: openshift.master.identity_providers
+
+- name: Create the openid ca file if needed
+ copy:
+ dest: "{{ item.ca if 'ca' in item and '/' in item.ca else openshift_master_config_dir ~ '/' ~ item.ca | default('openid_ca.crt') }}"
+ content: "{{ openshift.master.openid_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.openid_ca is defined and item.kind == 'OpenIDIdentityProvider' and item.ca | default('') != ''
+ with_items: openshift.master.identity_providers
+
+- name: Create the request header ca file if needed
+ copy:
+ dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else openshift_master_config_dir ~ '/' ~ item.clientCA | default('request_header_ca.crt') }}"
+ content: "{{ openshift.master.request_header_ca }}"
+ mode: 0600
+ backup: yes
+ when: openshift.master.request_header_ca is defined and item.kind == 'RequestHeaderIdentityProvider' and item.clientCA | default('') != ''
+ with_items: openshift.master.identity_providers
+
 - name: Install the systemd units
 include: systemd_units.yml
diff --git a/roles/openshift_master/templates/htpasswd.j2 b/roles/openshift_master/templates/htpasswd.j2
new file mode 100644
index 000000000..ba2c02e20
--- /dev/null
+++ b/roles/openshift_master/templates/htpasswd.j2 
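Review bot: The htpasswd task now re-renders `{{ item.filename }}` on every run: `force: no` is gone and `htpasswd.j2` emits nothing when `openshift.master.htpasswd_users` is absent, so any users an admin created on the master with `htpasswd` out of band are truncated away on the next playbook run, and `backup: yes` leaves extra copies of a password-hash file beside the live one. Keep the create-if-missing `copy` task and run the template only when the inventory actually defines users, as below; if the inventory is meant to be the sole source of truth once users are defined, that should be stated in the task name. The ldap task is also missing the non-empty guard its openid and request-header siblings have: with the example inventory's `'ca': ''`, `item.ca` is defined so `default('ldap_ca.crt')` never applies and `dest` collapses to `openshift_master_config_dir ~ '/'`. Add `and item.ca | default('') != ''` to its `when`.
```yaml
- name: Create the htpasswd file if needed
  copy:
    dest: "{{ item.filename }}"
    content: ""
    mode: 0600
    force: no
  when: item.kind == 'HTPasswdPasswordIdentityProvider'
  with_items: openshift.master.identity_providers

- name: Populate the htpasswd file from inventory-defined users (replaces existing entries)
  template:
    dest: "{{ item.filename }}"
    src: htpasswd.j2
    mode: 0600
  when: item.kind == 'HTPasswdPasswordIdentityProvider' and openshift.master.htpasswd_users is defined
  with_items: openshift.master.identity_providers

- name: Create the ldap ca file if needed
  # … unchanged: copy dest/content/mode/backup …
  when: openshift.master.ldap_ca is defined and item.kind == 'LDAPPasswordIdentityProvider' and item.ca | default('') != ''
  with_items: openshift.master.identity_providers
```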
@@ -0,0 +1,5 @@
+{% if 'htpasswd_users' in openshift.master %}
+{% for user,pass in openshift.master.htpasswd_users.iteritems() %}
+{{ user ~ ':' ~ pass }}
+{% endfor %}
+{% endif %}
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index d39c89516..090511864 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -42,6 +42,10 @@
 access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}"
 auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}"
 identity_providers: "{{ openshift_master_identity_providers | default(None) }}"
+ htpasswd_users: "{{ openshift_master_htpasswd_users | default(lookup('file', openshift_master_htpasswd_file) | oo_htpasswd_users_from_file if openshift_master_htpasswd_file is defined else None) }}"
+ ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}"
+ openid_ca: "{{ openshift_master_openid_ca | default(lookup('file', openshift_master_openid_ca_file) if openshift_master_openid_ca_file is defined else None) }}"
+ request_header_ca: "{{ openshift_master_request_header_ca | default(lookup('file', openshift_master_request_header_ca_file) if openshift_master_request_header_ca_file is defined else None) }}"
 registry_url: "{{ oreg_url | default(None) }}"
 oauth_grant_method: "{{ openshift_master_oauth_grant_method | default(None) }}"
 sdn_cluster_network_cidr: "{{ osm_cluster_network_cidr | default(None) }}"
diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py
index 3d6b24138..71bdbd5a1 100644
--- a/utils/src/ooinstall/cli_installer.py
+++ b/utils/src/ooinstall/cli_installer.py 
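Review bot: The rendered file depends on dict iteration order (`htpasswd_users.iteritems()`), so the same user set can come out in a different order on a later run, which the rendering task's `backup: yes` turns into a spurious change and another copy of the hash file; iterate in key order instead, `{% for user, pass in openshift.master.htpasswd_users | dictsort %}`, which also drops the Python 2-only `iteritems()`. Nothing here checks that `pass` is a hash rather than a plaintext password, so a `{# ... #}` comment at the top saying that values are written verbatim and must already be htpasswd hashes would save an operator from locking in a cleartext credential.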
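Review bot: `htpasswd_users` turns password hashes into a master fact, so from this hunk on they appear in any verbose play output and in whatever fact store the facts module writes to (the CA values are public material and matter less); if the enclosing task is not already `no_log: true`, it should be, and that task starts and ends outside the hunk. The `lookup('file', ...)` calls resolve the `*_file` paths on the control host, which the inventory comments describe only as "local"; a one-line comment above these four keys, `# *_file paths are read on the control host, not the master`, would make that explicit.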
@@ -520,6 +520,24 @@ def error_if_missing_info(oo_cfg):
 if missing_info:
 sys.exit(1)
+def get_proxy_hostname_and_excludes():
+ message = """
+If a proxy is needed to reach HTTP and HTTPS traffic please enter the name below.
+This proxy will be configured by default for all processes needing to reach systems outside
+the cluster.
+
+More advanced configuration is possible if using ansible directly:
+
+https://docs.openshift.com/enterprise/latest/install_config/http_proxies.html
+"""
+ click.echo(message)
+
+ message = "Specify the hostname for your proxy? (ENTER for none)"
+ proxy_hostname = click.prompt(message)
+
+ message = "List any hosts that should be excluded from your proxy. (ENTER for none)"
+ proxy_excludes = click.prompt(message)
+ return proxy_hostname, proxy_excludes
 def get_missing_info_from_user(oo_cfg):
 """ Prompts the user for any information missing from the given configuration. """
@@ -566,6 +584,13 @@ https://docs.openshift.com/enterprise/latest/admin_guide/install/prerequisites.h
 oo_cfg.settings['master_routingconfig_subdomain'] = get_master_routingconfig_subdomain()
 click.clear()
+ if not oo_cfg.settings.get('openshift_http_proxy', None):
+ proxy_hostname, proxy_excludes = get_proxy_hostname_and_excludes()
+ oo_cfg.settings['openshift_http_proxy'] = proxy_hostname
+ oo_cfg.settings['openshift_https_proxy'] = proxy_hostname
+ oo_cfg.settings['openshift_no_proxy'] = proxy_excludes
+ click.clear()
+
 return oo_cfg
diff --git a/utils/src/ooinstall/oo_config.py b/utils/src/ooinstall/oo_config.py
index 0f1f5caf7..24dfbe013 100644
--- a/utils/src/ooinstall/oo_config.py
+++ b/utils/src/ooinstall/oo_config.py
@@ -11,6 +11,8 @@ PERSIST_SETTINGS = [
 'ansible_config',
 'ansible_log_path',
 'master_routingconfig_subdomain',
+ 'proxy',
+ 'proxy_exclude_hosts',
 'variant',
 'variant_version',
 'version',
diff --git a/utils/src/ooinstall/openshift_ansible.py b/utils/src/ooinstall/openshift_ansible.py
index cfe2819e8..5ace63918 100644
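Review bot: Both prompts advertise "ENTER for none", but `click.prompt(message)` without a `default` keeps re-asking until it gets a non-empty answer, so a user with no proxy cannot get past this screen; use `proxy_hostname = click.prompt(message, default='')` and the same for `proxy_excludes`. The prompt asks for a "hostname" while the value is later stored as `openshift_http_proxy`/`openshift_https_proxy`, which presumably expect a proxy URL with scheme and port — if that is the case the wording should say so. The function also has no docstring; something like `"""Prompt for a proxy for outbound HTTP/HTTPS and the hosts excluded from it; empty answers mean no proxy."""` is enough.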
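Review bot: The answers are stored under `openshift_http_proxy`, `openshift_https_proxy` and `openshift_no_proxy`, but the `PERSIST_SETTINGS` entries this commit adds are named `proxy` and `proxy_exclude_hosts`, and `write_inventory_vars` in openshift_ansible.py is not changed to emit any of them — so as far as this diff shows the proxy answers are neither saved to the installer config nor written to the inventory. Use the same names on both sides and add the matching `base_inventory.write(...)` lines. Because an empty answer is falsy, `if not oo_cfg.settings.get('openshift_http_proxy', None)` will also re-ask on every run for users with no proxy; test key presence instead, `if 'openshift_http_proxy' not in oo_cfg.settings:`. `get_missing_info_from_user` starts outside this hunk.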
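Review bot: `'proxy'` and `'proxy_exclude_hosts'` do not match any key that cli_installer.py writes in this commit (it uses `openshift_http_proxy`, `openshift_https_proxy`, `openshift_no_proxy`), so these two entries persist nothing; list the keys the installer actually sets, e.g. `'openshift_http_proxy', 'openshift_https_proxy', 'openshift_no_proxy',`, or rename them on the installer side.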
--- a/utils/src/ooinstall/openshift_ansible.py
+++ b/utils/src/ooinstall/openshift_ansible.py
@@ -129,7 +129,8 @@ def write_inventory_vars(base_inventory, multiple_masters, proxy):
 "openshift_master_cluster_public_hostname={}\n".format(proxy.public_hostname))
 if CFG.settings.get('master_routingconfig_subdomain', False):
 base_inventory.write(
- "openshift_master_default_subdomain={}\n".format(CFG.settings['master_routingconfig_subdomain']))
+ "openshift_master_default_subdomain={}\n".format(
+ CFG.settings['master_routingconfig_subdomain']))
 if CFG.settings.get('variant_version', None) == '3.1':
 #base_inventory.write('openshift_image_tag=v{}\n'.format(CFG.settings.get('variant_version')))
 base_inventory.write('openshift_image_tag=v{}\n'.format('3.1.1.6'))
diff --git a/utils/test/fixture.py b/utils/test/fixture.py
index 1657d8f46..4e0977e5d 100644
--- a/utils/test/fixture.py
+++ b/utils/test/fixture.py
@@ -201,6 +201,8 @@ def build_input(ssh_user=None, hosts=None, variant_num=None,
 inputs.append(storage)
 inputs.append('subdomain.example.com')
+ inputs.append('proxy.example.com')
+ inputs.append('exclude.example.com')
 # TODO: support option 2, fresh install
 if add_nodes: |
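Review bot: The fixture now always answers both proxy prompts, so the no-proxy path — an empty answer to either — has no coverage, and that is the path where a `click.prompt` without a default would loop rather than return; add a `build_input` variant or a parameter such as `proxy=None` that appends `''` for both prompts, and assert that the generated inventory then carries no `openshift_http_proxy` line. `build_input` starts outside the hunk.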