diff options
Diffstat (limited to 'roles/openshift_master')
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 39 | ||||
-rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 28 | ||||
-rw-r--r-- | roles/openshift_master/templates/v1_partials/oauthConfig.j2 | 93 |
3 files changed, 46 insertions, 114 deletions
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 185bfb8f3..011b5dedd 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -1,13 +1,16 @@ --- -# TODO: add validation for openshift_master_identity_providers # TODO: add ability to configure certificates given either a local file to # point to or certificate contents, set in default cert locations. -- assert: - that: - - openshift_master_oauth_grant_method in openshift_master_valid_grant_methods - when: openshift_master_oauth_grant_method is defined +# Authentication Variable Validation +# TODO: validate the different identity provider kinds as well +- fail: + msg: > + Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} + when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods + +# HA Variable Validation - fail: msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations" when: openshift_master_ha | bool and ((openshift_master_cluster_method is not defined) or (openshift_master_cluster_method is defined and openshift_master_cluster_method not in ["native", "pacemaker"])) @@ -76,16 +79,16 @@ - name: Install Master package yum: pkg={{ openshift.common.service_type }}-master{{ openshift_version }} state=present + when: ansible_pkg_mgr == "yum" + register: install_result + +- name: Install Master package + dnf: pkg={{ openshift.common.service_type }}-master{{ openshift_version }} state=present + when: ansible_pkg_mgr == "dnf" register: install_result -# TODO: These values need to be configurable -- name: Set dns facts +- name: Re-gather package dependent master facts openshift_facts: - role: dns - local_facts: - ip: "{{ openshift_master_cluster_vip | default(openshift.common.ip, true) | default(None) }}" - domain: cluster.local - when: openshift.master.embedded_dns - name: Create config parent directory if it does not exist file: @@ -115,7 +118,12 @@ - name: Install httpd-tools if needed yum: pkg=httpd-tools state=present - when: item.kind == 'HTPasswdPasswordIdentityProvider' + when: (ansible_pkg_mgr == "yum") and (item.kind == 'HTPasswdPasswordIdentityProvider') + with_items: openshift.master.identity_providers + +- name: Install httpd-tools if needed + dnf: pkg=httpd-tools state=present + when: (ansible_pkg_mgr == "dnf") and (item.kind == 'HTPasswdPasswordIdentityProvider') with_items: openshift.master.identity_providers - name: Ensure htpasswd directory exists @@ -172,6 +180,9 @@ - restart master - restart master api +- set_fact: + translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1') }}" + # TODO: add the validate parameter when there is a validation command to run - name: Create master config template: @@ -256,7 +267,7 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Install cluster packages - yum: pkg=pcs state=present + action: "{{ansible_pkg_mgr}} pkg=pcs state=present" when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' register: install_result diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index bb12a0a0f..cadb02fa3 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -27,9 +27,6 @@ corsAllowedOrigins: {% for custom_origin in openshift.master.custom_cors_origins | default("") %} - {{ custom_origin }} {% endfor %} -{% for name in (named_certificates | map(attribute='names')) | list | oo_flatten %} - - {{ name }} -{% endfor %} {% if 'disabled_features' in openshift.master %} disabledFeatures: {{ openshift.master.disabled_features | to_json }} {% endif %} @@ -86,7 +83,7 @@ kubernetesMasterConfig: {% endif %} apiServerArguments: {{ api_server_args if api_server_args is defined else 'null' }} controllerArguments: {{ controller_args if controller_args is defined else 'null' }} - masterCount: {{ openshift.master.master_count }} + masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }} masterIP: {{ openshift.common.ip }} podEvictionTimeout: "" proxyClientInfo: @@ -110,7 +107,24 @@ networkConfig: {% endif %} # serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet serviceNetworkCIDR: {{ openshift.master.portal_net }} -{% include 'v1_partials/oauthConfig.j2' %} +oauthConfig: + assetPublicURL: {{ openshift.master.public_console_url }}/ + grantConfig: + method: {{ openshift.master.oauth_grant_method }} + identityProviders: +{% for line in translated_identity_providers.splitlines() %} + {{ line }} +{% endfor %} + masterCA: ca.crt + masterPublicURL: {{ openshift.master.public_api_url }} + masterURL: {{ openshift.master.api_url }} + sessionConfig: + sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }} + sessionName: {{ openshift.master.session_name }} + sessionSecretsFile: {{ openshift.master.session_secrets_file }} + tokenConfig: + accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }} + authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }} pauseControllers: false policyConfig: bootstrapPolicyFile: {{ openshift_master_policy }} @@ -144,9 +158,9 @@ servingInfo: keyFile: master.server.key maxRequestsInFlight: 500 requestTimeoutSeconds: 3600 -{% if named_certificates %} +{% if openshift.master.named_certificates %} namedCertificates: -{% for named_certificate in named_certificates %} +{% for named_certificate in openshift.master.named_certificates %} - certFile: {{ named_certificate['certfile'] }} keyFile: {{ named_certificate['keyfile'] }} names: diff --git a/roles/openshift_master/templates/v1_partials/oauthConfig.j2 b/roles/openshift_master/templates/v1_partials/oauthConfig.j2 deleted file mode 100644 index 8a4f5a746..000000000 --- a/roles/openshift_master/templates/v1_partials/oauthConfig.j2 +++ /dev/null @@ -1,93 +0,0 @@ -{% macro identity_provider_config(identity_provider) %} - apiVersion: v1 - kind: {{ identity_provider.kind }} -{% if identity_provider.kind == 'HTPasswdPasswordIdentityProvider' %} - file: {{ identity_provider.filename }} -{% elif identity_provider.kind == 'BasicAuthPasswordIdentityProvider' %} - url: {{ identity_provider.url }} -{% for key in ('ca', 'certFile', 'keyFile') %} -{% if key in identity_provider %} - {{ key }}: "{{ identity_provider[key] }}" -{% endif %} -{% endfor %} -{% elif identity_provider.kind == 'LDAPPasswordIdentityProvider' %} - attributes: -{% for attribute_key in identity_provider.attributes %} - {{ attribute_key }}: -{% for attribute_value in identity_provider.attributes[attribute_key] %} - - {{ attribute_value }} -{% endfor %} -{% endfor %} -{% for key in ('bindDN', 'bindPassword', 'ca') %} - {{ key }}: "{{ identity_provider[key] }}" -{% endfor %} -{% for key in ('insecure', 'url') %} - {{ key }}: {{ identity_provider[key] }} -{% endfor %} -{% elif identity_provider.kind == 'RequestHeaderIdentityProvider' %} - headers: {{ identity_provider.headers }} -{% if 'clientCA' in identity_provider %} - clientCA: {{ identity_provider.clientCA }} -{% endif %} -{% elif identity_provider.kind == 'GitHubIdentityProvider' %} - clientID: {{ identity_provider.clientID }} - clientSecret: {{ identity_provider.clientSecret }} -{% elif identity_provider.kind == 'GoogleIdentityProvider' %} - clientID: {{ identity_provider.clientID }} - clientSecret: {{ identity_provider.clientSecret }} -{% if 'hostedDomain' in identity_provider %} - hostedDomain: {{ identity_provider.hostedDomain }} -{% endif %} -{% elif identity_provider.kind == 'OpenIDIdentityProvider' %} - clientID: {{ identity_provider.clientID }} - clientSecret: {{ identity_provider.clientSecret }} - claims: - id: identity_provider.claims.id -{% for claim_key in ('preferredUsername', 'name', 'email') %} -{% if claim_key in identity_provider.claims %} - {{ claim_key }}: {{ identity_provider.claims[claim_key] }} -{% endif %} -{% endfor %} - urls: - authorize: {{ identity_provider.urls.authorize }} - token: {{ identity_provider.urls.token }} -{% if 'userInfo' in identity_provider.urls %} - userInfo: {{ identity_provider.userInfo }} -{% endif %} -{% if 'extraScopes' in identity_provider %} - extraScopes: -{% for scope in identity_provider.extraScopes %} - - {{ scope }} -{% endfor %} -{% endif %} -{% if 'extraAuthorizeParameters' in identity_provider %} - extraAuthorizeParameters: -{% for param_key, param_value in identity_provider.extraAuthorizeParameters.iteritems() %} - {{ param_key }}: {{ param_value }} -{% endfor %} -{% endif %} -{% endif %} -{% endmacro %} -oauthConfig: - assetPublicURL: {{ openshift.master.public_console_url }}/ - grantConfig: - method: {{ openshift.master.oauth_grant_method }} - identityProviders: -{% for identity_provider in openshift.master.identity_providers %} - - name: {{ identity_provider.name }} - challenge: {{ identity_provider.challenge }} - login: {{ identity_provider.login }} - provider: -{{ identity_provider_config(identity_provider) }} -{%- endfor %} - masterCA: ca.crt - masterPublicURL: {{ openshift.master.public_api_url }} - masterURL: {{ openshift.master.api_url }} - sessionConfig: - sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }} - sessionName: {{ openshift.master.session_name }} - sessionSecretsFile: {{ openshift.master.session_secrets_file }} - tokenConfig: - accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }} - authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }} -{# Comment to preserve newline after authorizeTokenMaxAgeSeconds #} |