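---
# Post-install access setup for a freshly installed OpenShift cluster.
#
# In order:
#   1. pull the `oc` client and the installer's cluster-admin kubeconfig from
#      the provisioner host into dci_cluster_config_dir;
#   2. create an HTPasswd identity provider with two fixture users;
#   3. grant `admin` cluster-admin, grant `nonadmin` the `admin` and
#      `cluster-reader` cluster roles cluster-wide plus a custom role on
#      namespaces, then wait until the binding is visible.
#
# Required from the caller: dci_cluster_config_dir, cluster, domain and an
# inventory group `provisioner`. `fetch` always writes to the controller, so
# the later `oc` invocations (which run on the play host) only work when the
# play targets the controller itself — TODO confirm with the calling playbook.
#
# Passwords default to the historical fixture values (admin/admin,
# nonadmin/nonadmin) and can be overridden with oc_setup_admin_password /
# oc_setup_nonadmin_password (extra-vars or vault). The user names are fixed
# because later tasks reference them by name.
- block:
    - name: Clear out clusterconfigs directory
      # Destructive: removes whatever a previous run left on the play host.
      file:
        path: '~/clusterconfigs'
        state: absent

    - name: Get oc command and KUBECONFIG from provisioner
      # The kubeconfig is the installer's cluster-admin credential; every
      # `oc` step below runs with it.
      delegate_to: "{{ groups['provisioner'][0] }}"
      fetch:
        src: "{{ item }}"
        dest: "{{ dci_cluster_config_dir }}/"
        flat: true
      loop:
        - /usr/local/bin/oc
        - '~/clusterconfigs/auth/kubeconfig'

    - name: Restrict permissions on the fetched admin kubeconfig
      # fetch lands files on the controller, so the chmod has to run there too.
      # fetch does not set a mode itself; do not leave a cluster-admin
      # credential readable by other local users.
      delegate_to: localhost
      file:
        path: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
        mode: "0600"

    - name: Install packages needed for login
      # httpd-tools is the RHEL/Fedora package providing htpasswd (Debian
      # names it apache2-utils); the package module does not translate names.
      become: true
      package:
        name: httpd-tools
        state: present

    - name: Create users.htpasswd file with admin and nonadmin users
      # htpasswd -b takes the password on the command line, so it shows up in
      # `ps` and in the task output; no_log keeps it out of the play log.
      # -c (re)creates the file on every run; -B selects bcrypt hashes.
      # set -e: a failure of the first htpasswd must fail the task instead of
      # being masked by the second command's exit status.
      no_log: true
      shell: |
        set -e
        htpasswd -cbB {{ dci_cluster_config_dir }}/users.htpasswd admin {{ oc_setup_admin_password | default('admin') | quote }}
        htpasswd -bB {{ dci_cluster_config_dir }}/users.htpasswd nonadmin {{ oc_setup_nonadmin_password | default('nonadmin') | quote }}

    - name: Set the htpasswd config in the cluster
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
      # `create --dry-run | apply` makes the step idempotent (the Secret is
      # updated if it already exists). Bare --dry-run is the old spelling;
      # newer oc/kubectl releases warn and want --dry-run=client.
      shell: |
        {{ dci_cluster_config_dir }}/oc create secret generic htpass-secret --from-file=htpasswd={{ dci_cluster_config_dir | expanduser }}/users.htpasswd --namespace openshift-config --dry-run --output yaml | {{ dci_cluster_config_dir }}/oc apply -f -

    - name: Setup htpasswd auth backend
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
      # Replaces the cluster OAuth spec with a single HTPasswd IdP backed by
      # the Secret created above. mappingMethod: claim maps each identity to
      # a User of the same name and fails if that name is already claimed by
      # another identity.
      shell: |
        cat << EOF | {{ dci_cluster_config_dir }}/oc apply -f -
        apiVersion: config.openshift.io/v1
        kind: OAuth
        metadata:
          name: cluster
        spec:
          identityProviders:
            - name: htpassidp
              challenge: true
              login: true
              mappingMethod: claim
              type: HTPasswd
              htpasswd:
                fileData:
                  name: htpass-secret
        EOF

    - name: Give cluster-admin to the admin user
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
      # Creates a ClusterRoleBinding keyed on the user name; the User object
      # does not need to exist yet, so no retry is needed here.
      shell: |
        {{ dci_cluster_config_dir }}/oc adm policy add-cluster-role-to-user cluster-admin admin

    - name: Login with non-admin user
      # Writes a token-bearing kubeconfig for nonadmin to nonadmin_kubeconfig.
      # The new IdP takes a while to become usable after the OAuth change,
      # hence the retries (10 x 10 s).
      # --insecure-skip-tls-verify disables API server certificate checking for
      # this login; prefer --certificate-authority with the cluster CA (the
      # fetched admin kubeconfig normally embeds it) where the environment
      # allows — TODO confirm before changing.
      # no_log: the password is on the command line; note this also hides the
      # final error if all retries fail.
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/nonadmin_kubeconfig"
      no_log: true
      shell: |
        {{ dci_cluster_config_dir }}/oc login --insecure-skip-tls-verify=true -u nonadmin -p {{ oc_setup_nonadmin_password | default('nonadmin') | quote }} https://api.{{ cluster }}.{{ domain }}:6443
      retries: 10
      delay: 10
      register: result
      until: result.rc == 0

    - name: Create a self-provisioner-namespace cluster role
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
      # NOTE(review): binding `admin` cluster-wide gives nonadmin the admin
      # role in every namespace, and the custom role allows every verb
      # (including delete) on any namespace, openshift-* ones included.
      # "nonadmin" is a test fixture, not a least-privilege user.
      # set -e: a failed `oc apply` must not be masked by the later
      # add-cluster-role-to-user commands succeeding.
      shell: |
        set -e
        cat <<EOF | {{ dci_cluster_config_dir }}/oc apply -f -
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          annotations:
            openshift.io/description: A user that can create and delete namespaces
          name: self-provisioner-namespaces
        rules:
          - apiGroups:
              - ""
            resources:
              - namespaces
            verbs:
              - "*"
        EOF
        {{ dci_cluster_config_dir }}/oc adm policy add-cluster-role-to-user admin nonadmin
        {{ dci_cluster_config_dir }}/oc adm policy add-cluster-role-to-user cluster-reader nonadmin
        {{ dci_cluster_config_dir }}/oc adm policy add-cluster-role-to-user self-provisioner-namespaces nonadmin

    - name: Wait for the nonadmin user to reflect permissions
      environment:
        KUBECONFIG: "{{ dci_cluster_config_dir | expanduser }}/kubeconfig"
      # RBAC takes a moment to propagate; poll who-can for up to
      # 60 x 2 s = 120 s, then fail the task. seq replaces {1..60}: the shell
      # module runs /bin/sh, and brace expansion is a bash extension that
      # silently yields a single iteration on dash.
      shell: |
        for t in $(seq 1 60); do
          {{ dci_cluster_config_dir }}/oc adm policy who-can '*' namespaces | grep nonadmin && exit 0
          echo "waiting..."
          sleep 2
        done
        exit 1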