#580 Add openldap configuration

IBM · Mar 20, 2024 · cabdaed · cabdaed
1 parent 00e609c
commit cabdaed
Show file tree

Hide file tree

Showing 12 changed files with 327 additions and 3 deletions.
diff --git a/automation-generators/generic/openldap/main.yaml b/automation-generators/generic/openldap/main.yaml
@@ -0,0 +1 @@
+---
diff --git a/automation-generators/generic/openldap/preprocessor.py b/automation-generators/generic/openldap/preprocessor.py
@@ -0,0 +1,19 @@
+from generatorPreProcessor import GeneratorPreProcessor
+import sys
+
+# Validating:
+# ---
+# openshift_sso:
+# - openshift_cluster_name: {{ env_id }}
+
+def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
+    g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
+
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
+    g('state').isRequired()
+
+    result = {
+        'attributes_updated': g.getExpandedAttributes(),
+        'errors': g.getErrors()
+    }
+    return result
diff --git a/automation-generators/generic/openshift_redhat_sso/preprocessor.py b/automation-generators/generic/openshift_redhat_sso/preprocessor.py
@@ -9,7 +9,7 @@
 def preprocessor(attributes=None, fullConfig=None, moduleVariables=None):
     g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables)
 
-    g('openshift_cluster_name').isRequired()
+    g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name')
 
     result = {
         'attributes_updated': g.getExpandedAttributes(),

diff --git a/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml b/automation-roles/40-configure-infra/configure-openshift/tasks/main.yml
@@ -28,6 +28,12 @@
   loop_control:
     loop_var: current_openshift_storage
 
+- name: Get OpenShift storage classes to use for OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role: 
+    name: get-openshift-storage
+  vars:
+    _p_openshift_cluster_name: "{{ current_openshift_cluster.name }}"
+
 - name: Configure Multi-Cloud Object Gateway
   include_role:
     name: openshift-mcg
@@ -62,6 +68,10 @@
   include_role:
     name: openshift-redhat-sso
 
+- name: Install openldap on OpenShift cluster {{ current_openshift_cluster.name }}
+  include_role:
+    name: openldap
+
 - name: Configure logging for OpenShift cluster {{ current_openshift_cluster.name }}
   include_role:
     name: openshift-logging

diff --git a/automation-roles/40-configure-infra/openldap/tasks/install-openldap.yml b/automation-roles/40-configure-infra/openldap/tasks/install-openldap.yml
@@ -0,0 +1,133 @@
+- set_fact:
+    _openldap_bind_password_new: ''
+
+- name: Retrieve LDAP bind password from vault secret {{ current_openshift_cluster.name }}-openldap-bind-password
+  include_role: 
+    name: vault-get-secret
+  vars:
+    secret_name: "{{ current_openshift_cluster.name }}-openldap-bind-password"
+    secret_group: "{{ environment_name }}" 
+    _p_secret_variable: _openldap_bind_password
+
+- set_fact:
+    _openldap_bind_password_new: "{{ global_config.universal_password | default('') }}"
+  when: _openldap_bind_password==''
+
+- name: Generate new bind password if none is available yet
+  block:
+  - ansible.builtin.include_role:
+      name: generate-password
+  - set_fact:
+      _openldap_bind_password_new: "{{ _p_generated_password }}"
+  when: 
+  - _openldap_bind_password==''
+  - _openldap_bind_password_new==''
+
+- name: Set LDAP bind password into secret {{ current_openshift_cluster.name }}-openldap-bind-password
+  include_role:
+    name: vault-set-secret
+  vars:
+    secret_name: "{{ current_openshift_cluster.name }}-openldap-bind-password"
+    secret_group: "{{ environment_name }}"
+    secret_payload: "{{ _openldap_bind_password_new }}"
+  when: _openldap_bind_password_new!=''
+
+- set_fact:
+    _openldap_bind_password: "{{ _openldap_bind_password_new }}"
+  when: _openldap_bind_password_new!=''
+
+- name: Create OpenLdap directory for generated files
+  ansible.builtin.file:
+    path: "{{ openldap_output_directory }}"
+    state: directory
+    mode: u+rwx
+
+- name: Create Project
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: create-project
+  vars:
+    common_namespace_name: openldap
+    common_output_directory: "{{ openldap_output_directory }}"
+
+- name: Prepare yaml file for anyuid RoleBinding
+  ansible.builtin.template:
+    src: anyuid-scc-rolebinding.yaml.j2
+    dest: "{{ openldap_output_directory }}/anyuid-scc-rolebinding.yaml"
+    mode: u+rwx
+
+- name: Add anyuid RoleBinding
+  kubernetes.core.k8s:
+    state: present
+    force: false
+    merge_type: merge
+    src: "{{ openldap_output_directory }}/anyuid-scc-rolebinding.yaml"
+    wait: true
+    wait_sleep: 15
+    wait_timeout: 15
+
+- name: Add helm-openldap chart repo
+  kubernetes.core.helm_repository:
+    name: helm-openldap
+    repo_url: "https://jp-gouin.github.io/helm-openldap/"
+
+- name: Prepare yaml file for values of helm chart
+  ansible.builtin.template:
+    src: openldap-values.yaml.j2
+    dest: "{{ openldap_output_directory }}/{{ current_openshift_cluster.name }}-openldap-values.yaml"
+    mode: u+rwx
+
+- name: Deploy openldap chart using values files on target
+  kubernetes.core.helm:
+    name: openldap-openldap-stack-ha
+    chart_ref: helm-openldap/openldap-stack-ha
+    chart_version: "{{ openldap_chart_version }}"
+    release_namespace: openldap
+    values_files:
+      - "{{ openldap_output_directory }}/{{ current_openshift_cluster.name }}-openldap-values.yaml"
+
+- name: Get OpenShift applications Endpoint
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: apps-endpoint
+  vars:
+    common_output_to_var: "apps_endpoint_domain"
+  when: apps_endpoint_domain is not defined
+
+- name: Create edge route for openldap
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: create-edge-route
+  vars:
+    common_namespace_name: openldap
+    common_route_name: openldap-phpldapadmin
+    common_service_name: openldap-openldap-stack-ha-phpldapadmin
+    common_apps_endpoint_domain: "{{ apps_endpoint_domain }}"
+    common_output_directory: "{{ openldap_output_directory }}"
+
+- name: Wait for openldap-openldap-stack-ha-phpldapadmin Deployment to be Available
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: wait-resource-condition
+  vars:
+    common_api_version: apps/v1
+    common_resource_kind: Deployment
+    common_resource_name: openldap-openldap-stack-ha-phpldapadmin
+    common_resource_namespace: openldap
+    common_condition_name: Available
+    common_retries: 60
+    common_delay: 15
+
+- name: Wait for openldap-openldap-stack-ha StatefulSet ready replicas
+  ansible.builtin.include_role:
+    name: common
+    tasks_from: wait-resource-condition-generic
+  vars:
+    common_api_version: apps/v1
+    common_resource_kind: StatefulSet
+    common_resource_name: openldap-openldap-stack-ha
+    common_resource_namespace: openldap
+    common_condition_query: resources[*].status.readyReplicas
+    common_condition_value: 1
+    common_retries: 30
+    common_delay: 120
diff --git a/automation-roles/40-configure-infra/openldap/tasks/main.yml b/automation-roles/40-configure-infra/openldap/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- set_fact:
+    _current_openldap: {}
+
+- when: "all_config.openldap is defined"
+  block:
+  - set_fact:
+      _current_openldap: "{{ all_config.openldap | json_query(query) | first | default({}) }}"
+    vars:
+      query: >-
+        [?openshift_cluster_name=='{{ current_openshift_cluster.name }}']
+  - name: Show openldap for current cluster
+    debug:
+      var: _current_openldap
+
+- ansible.builtin.include_tasks: install-openldap.yml
+  when: 
+  - _current_openldap != {}
+  - _current_openldap.state | default('installed') == 'installed'
+
+- ansible.builtin.include_tasks: remove-openldap.yml
+  when: _current_openldap == {} or _current_openldap.state | default('installed') != 'installed'
diff --git a/automation-roles/40-configure-infra/openldap/tasks/remove-openldap.yml b/automation-roles/40-configure-infra/openldap/tasks/remove-openldap.yml
@@ -0,0 +1,19 @@
+- name: Remove Project openldap
+  kubernetes.core.k8s:
+    state: absent
+    api_version: project.openshift.io/v1
+    kind: Project
+    name: openldap
+    wait: true
+    wait_sleep: 15
+    wait_timeout: 120
+
+- name: Remove RoleBinding openldap-anyuid
+  kubernetes.core.k8s:
+    state: absent
+    api_version: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    name: openldap-anyuid
+    wait: true
+    wait_sleep: 15
+    wait_timeout: 120
diff --git a/automation-roles/40-configure-infra/openldap/templates/anyuid-scc-rolebinding.yaml.j2 b/automation-roles/40-configure-infra/openldap/templates/anyuid-scc-rolebinding.yaml.j2
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: 'openldap-anyuid'
+  namespace: openldap
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: openldap
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'system:openshift:scc:anyuid'
diff --git a/automation-roles/40-configure-infra/openldap/templates/openldap-values.yaml.j2 b/automation-roles/40-configure-infra/openldap/templates/openldap-values.yaml.j2
@@ -0,0 +1,71 @@
+replicaCount: 1
+env:
+  LDAP_ORGANISATION: "{{ _current_openldap.ldap_config.base_domain }}"
+  LDAP_DOMAIN: "{{ _current_openldap.ldap_config.base_domain }}"
+global:  
+  adminPassword: '{{ _openldap_bind_password }}'
+  configPassword: '{{ _openldap_bind_password }}'
+customLdifFiles:
+  01-default-users.ldif: |-
+    # Units
+    dn: {{ _current_openldap.ldap_config.user_base_dn }}
+    objectClass: organizationalUnit
+    ou: {{ _current_openldap.ldap_config.user_ou }}
+
+    dn: {{ _current_openldap.ldap_config.group_base_dn }}
+    objectClass: organizationalUnit
+    ou: {{ _current_openldap.ldap_config.group_ou }}
+
+    # Users
+{% for _ldap_user in _current_openldap.users %}
+    dn: {{ _current_openldap.ldap_config.user_id_attribute }}={{ _ldap_user.uid }},{{ _current_openldap.ldap_config.user_base_dn }}
+    objectClass: {{ _current_openldap.ldap_config.user_object_class }}
+    objectClass: top
+    cn: {{ _ldap_user.givenName }}
+    sn: {{ _ldap_user.sn }}
+    {{ _current_openldap.ldap_config.user_id_attribute }}: {{ _ldap_user.uid }}
+    mail: {% if '@' in _ldap_user.mail -%}{{ _ldap_user.mail }}{% else -%}{{ _ldap_user.mail }}@{{ _current_openldap.ldap_config.base_domain }}{% endif %}
+    userpassword:: {{ _ldap_user.mail | b64encode | default(_openldap_bind_password | b64encode) }}
+    employeeType: admin
+
+{% endfor %}
+
+    # Groups
+{% for _ldap_group in _current_openldap.groups %}
+    dn: {{ _current_openldap.ldap_config.group_id_attribute }}={{ _ldap_group.cn }},{{ _current_openldap.ldap_config.group_base_dn }}
+    objectClass: {{ _current_openldap.ldap_config.group_object_class }}
+    objectClass: top
+    cn: {{ _ldap_group.cn }}
+{% for _ldap_group_member in _ldap_group.members %}
+    member: {{ _ldap_group_member }}
+{% endfor %}
+
+{% endfor %}
+
+replication:
+  enabled: false
+persistence:
+  enabled: true
+  accessModes:
+    - ReadWriteMany
+  size: 8Gi
+  storageClass: "{{ ocp_storage_class_file }}"
+livenessProbe:
+  initialDelaySeconds: 60
+readinessProbe:
+  initialDelaySeconds: 60
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+ltb-passwd:
+  enabled: false
+phpldapadmin:
+  enabled: true
+  ingress:
+    enabled: false
+  env:
+    PHPLDAPADMIN_LDAP_HOSTS: "{{ openldap_hostname }}"
diff --git a/automation-roles/40-configure-infra/openldap/vars/main.yml b/automation-roles/40-configure-infra/openldap/vars/main.yml
@@ -0,0 +1,9 @@
+openldap_action: install
+openldap_output_directory: "{{ status_dir }}/openshift"
+openldap_dir_name: openldap
+openldap_universal_password: ""
+openldap_storage_class_name: ""
+openldap_chart_version: 3.0.2
+openldap_hostname: openldap-openldap-stack-ha.openldap.svc.cluster.local
+
+principal_admin_user: cpadmin
diff --git a/automation-roles/40-configure-infra/openldap/vars/openldap-vars.yml b/automation-roles/40-configure-infra/openldap/vars/openldap-vars.yml
@@ -0,0 +1,29 @@
+lc_principal_admin_user: "{{ ldap_configuration.lc_principal_admin_user | default(principal_admin_user) }}"
+lc_principal_admin_password: "{{ ldap_configuration.lc_principal_admin_password | default(universal_password) }}"
+lc_principal_admin_group: "{{ ldap_configuration.lc_principal_admin_group | default('cpadmins') }}"
+lc_admin_groups: "{{ ldap_configuration.lc_admin_groups | default(['cpadmins']) }}"
+lc_admin_users: "{{ ldap_configuration.lc_admin_users | default(['cpadmin']) }}"
+lc_general_groups: "{{ ldap_configuration.lc_general_groups | default(['cpusers', 'cpusers1']) }}"
+lc_selected_ldap_type: "{{ ldap_configuration.lc_selected_ldap_type | default('Custom') }}"
+lc_ldap_server: "{{ ldap_configuration.lc_ldap_server | default('openldap-openldap-stack-ha.openldap.svc.cluster.local') }}"
+lc_bind_secret: "{{ ldap_configuration.lc_bind_secret | default('ldap-bind-secret') }}"
+lc_ldap_base_dn: "{{ ldap_configuration.lc_ldap_base_dn | default('dc=cp,dc=internal') }}"
+lc_ldap_user_base_dn: "{{ ldap_configuration.lc_ldap_user_base_dn | default('ou=Users,dc=cp,dc=internal') }}"
+lc_ldap_domain: "{{ ldap_configuration.lc_ldap_domain | default('cp.internal') }}"
+lc_ldap_ssl_enabled: "{{ ldap_configuration.lc_ldap_ssl_enabled | default(false) }}"
+lc_ldap_ssl_secret_name: "{{ ldap_configuration.lc_ldap_ssl_secret_name | default('') }}"
+lc_ldap_port: "{{ ldap_configuration.lc_ldap_port | default('389' if not lc_ldap_ssl_enabled else '636') }}"
+lc_ldap_user_object_class: "{{ ldap_configuration.lc_ldap_user_object_class | default('inetOrgPerson') }}"
+lc_ldap_user_id_attribute: "{{ ldap_configuration.lc_ldap_user_id_attribute | default('uid') }}"
+lc_ldap_user_name_attribute: "{{ ldap_configuration.lc_ldap_user_name_attribute | default('*:cn') }}"
+lc_ldap_user_display_name_attr: "{{ ldap_configuration.lc_ldap_user_display_name_attr | default('cn') }}"
+lc_ldap_group_object_class: "{{ ldap_configuration.lc_ldap_group_object_class | default('groupOfNames') }}"
+lc_ldap_group_base_dn: "{{ ldap_configuration.lc_ldap_group_base_dn | default('ou=Groups,dc=cp,dc=internal') }}"
+lc_ldap_group_id_attribute: "{{ ldap_configuration.lc_ldap_group_id_attribute | default('cn') }}"
+lc_ldap_group_name_attribute: "{{ ldap_configuration.lc_ldap_group_name_attribute | default('*:cn') }}"
+lc_ldap_group_display_name_attr: "{{ ldap_configuration.lc_ldap_group_display_name_attr | default('cn') }}"
+lc_ldap_group_membership_search_filter: "{{ ldap_configuration.lc_ldap_group_membership_search_filter
+    | default('(|(&(objectclass='+lc_ldap_group_object_class+')(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))') }}"
+lc_ldap_group_member_id_map: "{{ ldap_configuration.lc_ldap_group_member_id_map | default(lc_ldap_group_object_class + ':member') }}"
+lc_bind_admin_user: "{{ ldap_configuration.lc_bind_admin_user | default('cn=admin,'+ lc_ldap_base_dn) }}"
+lc_bind_admin_password: "{{ ldap_configuration.lc_bind_admin_password | default(universal_password) | default('') }}"
diff --git a/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml b/automation-roles/40-configure-infra/openshift-redhat-sso/tasks/main.yml
@@ -4,8 +4,6 @@
 
 - when: "all_config.openshift_redhat_sso is defined"
   block:
-  - debug:
-      var: all_config.openshift_redhat_sso
   - set_fact:
       _p_openshift_redhat_sso: "{{ all_config.openshift_redhat_sso | json_query(query) | first | default({}) }}"
     vars: