1 parent
00e609c
commit cabdaed
Showing
12 changed files
with
327 additions
and
3 deletions.
@@ -0,0 +1 @@ | ||
--- |
@@ -0,0 +1,19 @@ | ||
from generatorPreProcessor import GeneratorPreProcessor | ||
import sys | ||
|
||
# Validating: | ||
# --- | ||
# openshift_sso: | ||
# - openshift_cluster_name: {{ env_id }} | ||
|
||
def preprocessor(attributes=None, fullConfig=None, moduleVariables=None): | ||
g = GeneratorPreProcessor(attributes,fullConfig,moduleVariables) | ||
|
||
g('openshift_cluster_name').expandWith('openshift[*]',remoteIdentifier='name') | ||
g('state').isRequired() | ||
|
||
result = { | ||
'attributes_updated': g.getExpandedAttributes(), | ||
'errors': g.getErrors() | ||
} | ||
return result |
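Review bot: The preprocessor requires only `state`, while the values template added in this commit dereferences `_current_openldap.ldap_config.*`, `.users` and `.groups` unconditionally, so a config entry missing those keys fails at Helm-values templating instead of at validation time; if the helper supports it, `g('ldap_config').isRequired()`, `g('users').isRequired()` and `g('groups').isRequired()` would surface that error early. The header comment documents an `openshift_sso:` block, which looks copied from another preprocessor — main.yml reads `all_config.openldap`, so it should read `# openldap:`. `import sys` is unused and can go.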
133 changes: 133 additions & 0 deletions
133
automation-roles/40-configure-infra/openldap/tasks/install-openldap.yml
@@ -0,0 +1,133 @@ | ||
- set_fact: | ||
_openldap_bind_password_new: '' | ||
|
||
- name: Retrieve LDAP bind password from vault secret {{ current_openshift_cluster.name }}-openldap-bind-password | ||
include_role: | ||
name: vault-get-secret | ||
vars: | ||
secret_name: "{{ current_openshift_cluster.name }}-openldap-bind-password" | ||
secret_group: "{{ environment_name }}" | ||
_p_secret_variable: _openldap_bind_password | ||
|
||
- set_fact: | ||
_openldap_bind_password_new: "{{ global_config.universal_password | default('') }}" | ||
when: _openldap_bind_password=='' | ||
|
||
- name: Generate new bind password if none is available yet | ||
block: | ||
- ansible.builtin.include_role: | ||
name: generate-password | ||
- set_fact: | ||
_openldap_bind_password_new: "{{ _p_generated_password }}" | ||
when: | ||
- _openldap_bind_password=='' | ||
- _openldap_bind_password_new=='' | ||
|
||
- name: Set LDAP bind password into secret {{ current_openshift_cluster.name }}-openldap-bind-password | ||
include_role: | ||
name: vault-set-secret | ||
vars: | ||
secret_name: "{{ current_openshift_cluster.name }}-openldap-bind-password" | ||
secret_group: "{{ environment_name }}" | ||
secret_payload: "{{ _openldap_bind_password_new }}" | ||
when: _openldap_bind_password_new!='' | ||
|
||
- set_fact: | ||
_openldap_bind_password: "{{ _openldap_bind_password_new }}" | ||
when: _openldap_bind_password_new!='' | ||
|
||
- name: Create OpenLdap directory for generated files | ||
ansible.builtin.file: | ||
path: "{{ openldap_output_directory }}" | ||
state: directory | ||
mode: u+rwx | ||
|
||
- name: Create Project | ||
ansible.builtin.include_role: | ||
name: common | ||
tasks_from: create-project | ||
vars: | ||
common_namespace_name: openldap | ||
common_output_directory: "{{ openldap_output_directory }}" | ||
|
||
- name: Prepare yaml file for anyuid RoleBinding | ||
ansible.builtin.template: | ||
src: anyuid-scc-rolebinding.yaml.j2 | ||
dest: "{{ openldap_output_directory }}/anyuid-scc-rolebinding.yaml" | ||
mode: u+rwx | ||
|
||
- name: Add anyuid RoleBinding | ||
kubernetes.core.k8s: | ||
state: present | ||
force: false | ||
merge_type: merge | ||
src: "{{ openldap_output_directory }}/anyuid-scc-rolebinding.yaml" | ||
wait: true | ||
wait_sleep: 15 | ||
wait_timeout: 15 | ||
|
||
- name: Add helm-openldap chart repo | ||
kubernetes.core.helm_repository: | ||
name: helm-openldap | ||
repo_url: "https://jp-gouin.github.io/helm-openldap/" | ||
|
||
- name: Prepare yaml file for values of helm chart | ||
ansible.builtin.template: | ||
src: openldap-values.yaml.j2 | ||
dest: "{{ openldap_output_directory }}/{{ current_openshift_cluster.name }}-openldap-values.yaml" | ||
mode: u+rwx | ||
|
||
- name: Deploy openldap chart using values files on target | ||
kubernetes.core.helm: | ||
name: openldap-openldap-stack-ha | ||
chart_ref: helm-openldap/openldap-stack-ha | ||
chart_version: "{{ openldap_chart_version }}" | ||
release_namespace: openldap | ||
values_files: | ||
- "{{ openldap_output_directory }}/{{ current_openshift_cluster.name }}-openldap-values.yaml" | ||
|
||
- name: Get OpenShift applications Endpoint | ||
ansible.builtin.include_role: | ||
name: common | ||
tasks_from: apps-endpoint | ||
vars: | ||
common_output_to_var: "apps_endpoint_domain" | ||
when: apps_endpoint_domain is not defined | ||
|
||
- name: Create edge route for openldap | ||
ansible.builtin.include_role: | ||
name: common | ||
tasks_from: create-edge-route | ||
vars: | ||
common_namespace_name: openldap | ||
common_route_name: openldap-phpldapadmin | ||
common_service_name: openldap-openldap-stack-ha-phpldapadmin | ||
common_apps_endpoint_domain: "{{ apps_endpoint_domain }}" | ||
common_output_directory: "{{ openldap_output_directory }}" | ||
|
||
- name: Wait for openldap-openldap-stack-ha-phpldapadmin Deployment to be Available | ||
ansible.builtin.include_role: | ||
name: common | ||
tasks_from: wait-resource-condition | ||
vars: | ||
common_api_version: apps/v1 | ||
common_resource_kind: Deployment | ||
common_resource_name: openldap-openldap-stack-ha-phpldapadmin | ||
common_resource_namespace: openldap | ||
common_condition_name: Available | ||
common_retries: 60 | ||
common_delay: 15 | ||
|
||
- name: Wait for openldap-openldap-stack-ha StatefulSet ready replicas | ||
ansible.builtin.include_role: | ||
name: common | ||
tasks_from: wait-resource-condition-generic | ||
vars: | ||
common_api_version: apps/v1 | ||
common_resource_kind: StatefulSet | ||
common_resource_name: openldap-openldap-stack-ha | ||
common_resource_namespace: openldap | ||
common_condition_query: resources[*].status.readyReplicas | ||
common_condition_value: 1 | ||
common_retries: 30 | ||
common_delay: 120 |
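Review bot: The rendered Helm values file written by the "Prepare yaml file for values of helm chart" task carries the LDAP admin/config password (`global.adminPassword`/`configPassword` in the template) plus per-user credentials, but is created with `mode: u+rwx`, a symbolic mode that only adds owner bits, leaves group/other permissions to the umask, and needlessly marks a data file executable; use an explicit `mode: '0600'` for that file and `'0700'` for the output directory so the secret material is not world-readable on the controller. The anyuid RoleBinding template gets the same `u+rwx`, where it is harmless but inconsistent. Whether vault-get-secret guarantees `_openldap_bind_password` is defined (as `''`) when the secret does not exist is not visible here; the `when: _openldap_bind_password==''` comparisons raise on an undefined variable, so a `| default('')` guard may be warranted. Falling back to `global_config.universal_password` reuses one shared password as the LDAP admin credential; the generate-password path is the safer default and worth a comment explaining when the universal password is chosen instead.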
22 changes: 22 additions & 0 deletions
22
automation-roles/40-configure-infra/openldap/tasks/main.yml
@@ -0,0 +1,22 @@ | ||
--- | ||
- set_fact: | ||
_current_openldap: {} | ||
|
||
- when: "all_config.openldap is defined" | ||
block: | ||
- set_fact: | ||
_current_openldap: "{{ all_config.openldap | json_query(query) | first | default({}) }}" | ||
vars: | ||
query: >- | ||
[?openshift_cluster_name=='{{ current_openshift_cluster.name }}'] | ||
- name: Show openldap for current cluster | ||
debug: | ||
var: _current_openldap | ||
|
||
- ansible.builtin.include_tasks: install-openldap.yml | ||
when: | ||
- _current_openldap != {} | ||
- _current_openldap.state | default('installed') == 'installed' | ||
|
||
- ansible.builtin.include_tasks: remove-openldap.yml | ||
when: _current_openldap == {} or _current_openldap.state | default('installed') != 'installed' |
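Review bot: The JMESPath filter is built by interpolating `current_openshift_cluster.name` into a single-quoted literal (`[?openshift_cluster_name=='{{ ... }}']`), so a cluster name containing a quote or `]` makes the query fail or mismatch; the name is operator-controlled config, so this is a robustness rather than an injection concern, but comparing in Jinja instead — `all_config.openldap | selectattr('openshift_cluster_name', 'equalto', current_openshift_cluster.name) | first | default({})` — avoids building a query string at all. The two `set_fact` tasks have no `name:`, unlike the other tasks in this role. The `debug: var: _current_openldap` task prints the full per-cluster config, including the users list, on every run; if credential fields are ever added to that structure it should gain `no_log` or a verbosity guard.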
19 changes: 19 additions & 0 deletions
19
automation-roles/40-configure-infra/openldap/tasks/remove-openldap.yml
@@ -0,0 +1,19 @@ | ||
- name: Remove Project openldap | ||
kubernetes.core.k8s: | ||
state: absent | ||
api_version: project.openshift.io/v1 | ||
kind: Project | ||
name: openldap | ||
wait: true | ||
wait_sleep: 15 | ||
wait_timeout: 120 | ||
|
||
- name: Remove RoleBinding openldap-anyuid | ||
kubernetes.core.k8s: | ||
state: absent | ||
api_version: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
name: openldap-anyuid | ||
wait: true | ||
wait_sleep: 15 | ||
wait_timeout: 120 |
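Review bot: The "Remove RoleBinding openldap-anyuid" task specifies no `namespace:`, while the binding is created in namespace `openldap` by the anyuid template, so this deletion targets whichever namespace the module defaults to rather than the one the binding lives in; add `namespace: openldap`. Since the preceding task deletes the whole Project, and with it every namespaced object, the task is presumably redundant anyway, and running it after the Project removal means the namespace is already gone — either drop it or move it before the Project deletion.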
13 changes: 13 additions & 0 deletions
13
automation-roles/40-configure-infra/openldap/templates/anyuid-scc-rolebinding.yaml.j2
@@ -0,0 +1,13 @@ | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: 'openldap-anyuid' | ||
namespace: openldap | ||
subjects: | ||
- kind: ServiceAccount | ||
name: default | ||
namespace: openldap | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: 'system:openshift:scc:anyuid' |
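Review bot: The RoleBinding grants the anyuid SCC to the `default` ServiceAccount of the `openldap` namespace, which extends that privilege to every pod in the namespace that does not set its own service account, not just the OpenLDAP workloads. If the helm-openldap chart creates or can be configured with a dedicated ServiceAccount (not visible here), bind to that instead; otherwise create one for the chart and reference it from the values file, keeping `default` unprivileged. A one-line comment in the template stating why anyuid is needed at all would also help a later reviewer decide whether it can be dropped.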
71 changes: 71 additions & 0 deletions
71
automation-roles/40-configure-infra/openldap/templates/openldap-values.yaml.j2
@@ -0,0 +1,71 @@ | ||
replicaCount: 1 | ||
env: | ||
LDAP_ORGANISATION: "{{ _current_openldap.ldap_config.base_domain }}" | ||
LDAP_DOMAIN: "{{ _current_openldap.ldap_config.base_domain }}" | ||
global: | ||
adminPassword: '{{ _openldap_bind_password }}' | ||
configPassword: '{{ _openldap_bind_password }}' | ||
customLdifFiles: | ||
01-default-users.ldif: |- | ||
# Units | ||
dn: {{ _current_openldap.ldap_config.user_base_dn }} | ||
objectClass: organizationalUnit | ||
ou: {{ _current_openldap.ldap_config.user_ou }} | ||
|
||
dn: {{ _current_openldap.ldap_config.group_base_dn }} | ||
objectClass: organizationalUnit | ||
ou: {{ _current_openldap.ldap_config.group_ou }} | ||
|
||
# Users | ||
{% for _ldap_user in _current_openldap.users %} | ||
dn: {{ _current_openldap.ldap_config.user_id_attribute }}={{ _ldap_user.uid }},{{ _current_openldap.ldap_config.user_base_dn }} | ||
objectClass: {{ _current_openldap.ldap_config.user_object_class }} | ||
objectClass: top | ||
cn: {{ _ldap_user.givenName }} | ||
sn: {{ _ldap_user.sn }} | ||
{{ _current_openldap.ldap_config.user_id_attribute }}: {{ _ldap_user.uid }} | ||
mail: {% if '@' in _ldap_user.mail -%}{{ _ldap_user.mail }}{% else -%}{{ _ldap_user.mail }}@{{ _current_openldap.ldap_config.base_domain }}{% endif %} | ||
userpassword:: {{ _ldap_user.mail | b64encode | default(_openldap_bind_password | b64encode) }} | ||
employeeType: admin | ||
|
||
{% endfor %} | ||
|
||
# Groups | ||
{% for _ldap_group in _current_openldap.groups %} | ||
dn: {{ _current_openldap.ldap_config.group_id_attribute }}={{ _ldap_group.cn }},{{ _current_openldap.ldap_config.group_base_dn }} | ||
objectClass: {{ _current_openldap.ldap_config.group_object_class }} | ||
objectClass: top | ||
cn: {{ _ldap_group.cn }} | ||
{% for _ldap_group_member in _ldap_group.members %} | ||
member: {{ _ldap_group_member }} | ||
{% endfor %} | ||
|
||
{% endfor %} | ||
|
||
replication: | ||
enabled: false | ||
persistence: | ||
enabled: true | ||
accessModes: | ||
- ReadWriteMany | ||
size: 8Gi | ||
storageClass: "{{ ocp_storage_class_file }}" | ||
livenessProbe: | ||
initialDelaySeconds: 60 | ||
readinessProbe: | ||
initialDelaySeconds: 60 | ||
resources: | ||
requests: | ||
cpu: 100m | ||
memory: 256Mi | ||
limits: | ||
cpu: 500m | ||
memory: 512Mi | ||
ltb-passwd: | ||
enabled: false | ||
phpldapadmin: | ||
enabled: true | ||
ingress: | ||
enabled: false | ||
env: | ||
PHPLDAPADMIN_LDAP_HOSTS: "{{ openldap_hostname }}" |
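Review bot: The `userpassword::` line evaluates to the base64 of each user's mail address, not a password: `_ldap_user.mail` is already dereferenced on the line above, so `b64encode` always yields a defined value and the `default(_openldap_bind_password | b64encode)` branch can never apply. Every seeded user therefore gets their e-mail address as their initial LDAP password, and the raw `mail` value is used rather than the `@`-qualified one computed for the `mail:` attribute; presumably a per-user password field was intended, e.g. `userpassword:: {{ _ldap_user.password | default(_openldap_bind_password) | b64encode }}`. Note that `::` only base64-encodes the LDIF value, so what is written is a cleartext password stored as-is unless the server hashes on write, and `employeeType: admin` is hard-coded for every user. Because this file also carries `adminPassword`/`configPassword` in clear, its on-disk permissions in install-openldap.yml matter.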
@@ -0,0 +1,9 @@ | ||
openldap_action: install | ||
openldap_output_directory: "{{ status_dir }}/openshift" | ||
openldap_dir_name: openldap | ||
openldap_universal_password: "" | ||
openldap_storage_class_name: "" | ||
openldap_chart_version: 3.0.2 | ||
openldap_hostname: openldap-openldap-stack-ha.openldap.svc.cluster.local | ||
|
||
principal_admin_user: cpadmin |
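Review bot: Several of these defaults are not referenced by any task or template in this commit: `openldap_action` (main.yml branches on `_current_openldap.state`), `openldap_dir_name`, `openldap_universal_password` (install-openldap.yml reads `global_config.universal_password`) and `openldap_storage_class_name` (the values template uses `ocp_storage_class_file`). If nothing outside this diff consumes them they are dead configuration that will mislead operators; either wire them in, e.g. `storageClass: "{{ openldap_storage_class_name | default(ocp_storage_class_file, true) }}"`, or drop them. The file's path is not shown in this rendering, so I take it to be the role's defaults file.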
29 changes: 29 additions & 0 deletions
29
automation-roles/40-configure-infra/openldap/vars/openldap-vars.yml
@@ -0,0 +1,29 @@ | ||
lc_principal_admin_user: "{{ ldap_configuration.lc_principal_admin_user | default(principal_admin_user) }}" | ||
lc_principal_admin_password: "{{ ldap_configuration.lc_principal_admin_password | default(universal_password) }}" | ||
lc_principal_admin_group: "{{ ldap_configuration.lc_principal_admin_group | default('cpadmins') }}" | ||
lc_admin_groups: "{{ ldap_configuration.lc_admin_groups | default(['cpadmins']) }}" | ||
lc_admin_users: "{{ ldap_configuration.lc_admin_users | default(['cpadmin']) }}" | ||
lc_general_groups: "{{ ldap_configuration.lc_general_groups | default(['cpusers', 'cpusers1']) }}" | ||
lc_selected_ldap_type: "{{ ldap_configuration.lc_selected_ldap_type | default('Custom') }}" | ||
lc_ldap_server: "{{ ldap_configuration.lc_ldap_server | default('openldap-openldap-stack-ha.openldap.svc.cluster.local') }}" | ||
lc_bind_secret: "{{ ldap_configuration.lc_bind_secret | default('ldap-bind-secret') }}" | ||
lc_ldap_base_dn: "{{ ldap_configuration.lc_ldap_base_dn | default('dc=cp,dc=internal') }}" | ||
lc_ldap_user_base_dn: "{{ ldap_configuration.lc_ldap_user_base_dn | default('ou=Users,dc=cp,dc=internal') }}" | ||
lc_ldap_domain: "{{ ldap_configuration.lc_ldap_domain | default('cp.internal') }}" | ||
lc_ldap_ssl_enabled: "{{ ldap_configuration.lc_ldap_ssl_enabled | default(false) }}" | ||
lc_ldap_ssl_secret_name: "{{ ldap_configuration.lc_ldap_ssl_secret_name | default('') }}" | ||
lc_ldap_port: "{{ ldap_configuration.lc_ldap_port | default('389' if not lc_ldap_ssl_enabled else '636') }}" | ||
lc_ldap_user_object_class: "{{ ldap_configuration.lc_ldap_user_object_class | default('inetOrgPerson') }}" | ||
lc_ldap_user_id_attribute: "{{ ldap_configuration.lc_ldap_user_id_attribute | default('uid') }}" | ||
lc_ldap_user_name_attribute: "{{ ldap_configuration.lc_ldap_user_name_attribute | default('*:cn') }}" | ||
lc_ldap_user_display_name_attr: "{{ ldap_configuration.lc_ldap_user_display_name_attr | default('cn') }}" | ||
lc_ldap_group_object_class: "{{ ldap_configuration.lc_ldap_group_object_class | default('groupOfNames') }}" | ||
lc_ldap_group_base_dn: "{{ ldap_configuration.lc_ldap_group_base_dn | default('ou=Groups,dc=cp,dc=internal') }}" | ||
lc_ldap_group_id_attribute: "{{ ldap_configuration.lc_ldap_group_id_attribute | default('cn') }}" | ||
lc_ldap_group_name_attribute: "{{ ldap_configuration.lc_ldap_group_name_attribute | default('*:cn') }}" | ||
lc_ldap_group_display_name_attr: "{{ ldap_configuration.lc_ldap_group_display_name_attr | default('cn') }}" | ||
lc_ldap_group_membership_search_filter: "{{ ldap_configuration.lc_ldap_group_membership_search_filter | ||
| default('(|(&(objectclass='+lc_ldap_group_object_class+')(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))') }}" | ||
lc_ldap_group_member_id_map: "{{ ldap_configuration.lc_ldap_group_member_id_map | default(lc_ldap_group_object_class + ':member') }}" | ||
lc_bind_admin_user: "{{ ldap_configuration.lc_bind_admin_user | default('cn=admin,'+ lc_ldap_base_dn) }}" | ||
lc_bind_admin_password: "{{ ldap_configuration.lc_bind_admin_password | default(universal_password) | default('') }}" |
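Review bot: `lc_principal_admin_password` and `lc_bind_admin_password` handle a missing `universal_password` differently — the former is `default(universal_password)` only, the latter appends `| default('')` — so one errors and the other silently becomes empty when the variable is unset; pick one behaviour for both, and failing is preferable for a bind credential since an empty simple-bind password is an unauthenticated bind rather than an error. These defaults also wire the connection to plaintext LDAP (`lc_ldap_ssl_enabled` false, port 389) against the in-cluster service and reuse `universal_password` for both the principal admin and the bind DN; that is presumably intended for the bundled OpenLDAP, but a short header comment saying these are defaults to be overridden via `ldap_configuration` would help the next maintainer. `lc_ldap_group_membership_search_filter` is split across two lines inside a double-quoted scalar, which YAML folds to a single space; that works, but a `>-` block scalar would make the intent explicit.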