From edbb48c3fecdc62c90ce10eaca909c4087af63cb Mon Sep 17 00:00:00 2001 From: hungts Date: Fri, 19 Nov 2021 11:16:13 +0700 Subject: [PATCH 01/11] Load LDAP password from secret and update guideline --- README.md | 69 ++++++++++++++++++- config/crd/bases/awx.ansible.com_awxs.yaml | 3 + roles/installer/defaults/main.yml | 3 + .../tasks/load_ldap_password_secret.yml | 14 ++++ roles/installer/tasks/main.yml | 5 ++ roles/installer/templates/config.yaml.j2 | 6 ++ 6 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 roles/installer/tasks/load_ldap_password_secret.yml diff --git a/README.md b/README.md index 4b95133d8..740798b4c 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Privileged Tasks](#privileged-tasks) * [Containers Resource Requirements](#containers-resource-requirements) * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority) + * [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap) * [Persisting Projects Directory](#persisting-projects-directory) * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options) * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers) 
@@ -584,8 +585,8 @@ Trusting a custom Certificate Authority allows the AWX to access network service | Name | Description | Default | | -------------------------------- | ---------------------------------------- | --------| | ldap_cacert_secret | LDAP Certificate Authority secret name | '' | +| ldap_password_secret | LDAP BIND DN Password secret name | '' | | bundle_cacert_secret | Certificate Authority secret name | '' | - Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter. Example of customization could be: @@ -595,10 +596,13 @@ Example of customization could be: spec: ... ldap_cacert_secret: -custom-certs + ldap_password_secret: -ldap-password bundle_cacert_secret: -custom-certs ``` -To create the secret, you can use the command below: +To create the secrets, you can use the commands below: + +* Certificate Authority secret ``` # kubectl create secret generic -custom-certs \ 
@@ -606,6 +610,67 @@ To create the secret, you can use the command below: --from-file=bundle-ca.crt= ``` +* LDAP BIND DN Password secret + +``` +# kubectl create secret generic -ldap-password \ + --from-literal=ldap-password= +``` + +#### Enabling LDAP Integration at AWX bootstrap + +A sample of extra settings can be found as below: + +```yaml + - setting: AUTH_LDAP_SERVER_URI + value: >- + "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636" + + - setting: AUTH_LDAP_BIND_DN + value: >- + "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com" + + - setting: AUTH_LDAP_USER_SEARCH + value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)' + + - setting: AUTH_LDAP_GROUP_SEARCH + value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)' + + - setting: AUTH_LDAP_USER_ATTR_MAP + value: '{"first_name": "givenName","last_name": "sn","email": "mail"}' + + - setting: AUTH_LDAP_REQUIRE_GROUP + value: >- + "CN=operators,OU=Groups,DC=abc,DC=com" + + - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP + value: { + "is_superuser": [ + "CN=admin,OU=Groups,DC=abc,DC=com" + ] + } + + + - setting: AUTH_LDAP_ORGANIZATION_MAP + value: { + "abc": { + "admins": "CN=admin,OU=Groups,DC=abc,DC=com", + "remove_users": false, + "remove_admins": false, + "users": true + } + } + + - setting: AUTH_LDAP_TEAM_MAP + value: { + "admin": { + "remove": true, + "users": "CN=admin,OU=Groups,DC=abc,DC=com", + "organization": "abc" + } + } +``` + #### Persisting Projects Directory In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`. diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index 3f7f5d001..551573c65 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml 
@@ -371,6 +371,9 @@ spec: ldap_cacert_secret: description: Secret where can be found the LDAP trusted Certificate Authority Bundle type: string + ldap_password_secret: + description: Secret where can be found the LDAP bind password + type: string bundle_cacert_secret: description: Secret where can be found the trusted Certificate Authority Bundle type: string diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index df7f13e3f..11e0e09d6 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -226,6 +226,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt" # ldap_cacert_secret: '' +# Secret to lookup that provides the LDAP bind password +ldap_password_secret: '' + # Secret to lookup that provides the custom CA trusted bundle bundle_cacert_secret: '' diff --git a/roles/installer/tasks/load_ldap_password_secret.yml b/roles/installer/tasks/load_ldap_password_secret.yml new file mode 100644 index 000000000..5b1418523 --- /dev/null +++ b/roles/installer/tasks/load_ldap_password_secret.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve LDAP bind password Secret + k8s_info: + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ldap_password_secret }}' + register: ldap_password + no_log: true + +- name: Load LDAP bind password Secret content + set_fact: + ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}' + no_log: true + when: '"ldap-password" in ldap_password["resources"][0]["data"]' diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml index 3b2e38957..0d422e4c4 100644 --- a/roles/installer/tasks/main.yml +++ b/roles/installer/tasks/main.yml @@ -25,6 +25,11 @@ when: - ldap_cacert_secret != '' +- name: Load ldap bind password + include_tasks: load_ldap_password_secret.yml + when: + - ldap_password_secret != '' + - name: Load bundle certificate authority certificate include_tasks: load_bundle_cacert_secret.yml when: 
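Review bot: In the new load_ldap_password_secret.yml both tasks index `ldap_password["resources"][0]` unconditionally, so a misspelled or not-yet-created Secret makes the reconcile die on a list-index error that `no_log: true` then hides, and the `when` on the second task evaluates `[0]["data"]` before the key check can help. A Secret that exists but has no `ldap-password` field silently skips the set_fact and leaves `ldap_bind_password` undefined for the template to trip over later. A fail-fast task whose message names the Secret and the expected field (and carries no secret content) gives the CR author an actionable error; the retrieval task itself is unchanged.
```yaml
# … unchanged: "Retrieve LDAP bind password Secret" k8s_info task (register: ldap_password, no_log: true) …

- name: Fail if the LDAP bind password Secret is missing or lacks the ldap-password field
  fail:
    msg: >-
      Secret '{{ ldap_password_secret }}' in namespace '{{ ansible_operator_meta.namespace }}'
      must exist and contain the data field 'ldap-password'
  when: >-
    ldap_password["resources"] | length == 0 or
    "ldap-password" not in (ldap_password["resources"][0]["data"] | default({}))

- name: Load LDAP bind password Secret content
  set_fact:
    ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}'
  no_log: true
```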
diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2 index 903994d13..8b4f67acb 100644 --- a/roles/installer/templates/config.yaml.j2 +++ b/roles/installer/templates/config.yaml.j2 @@ -18,6 +18,7 @@ data: settings: | import os import socket + from django_auth_ldap.config import LDAPSearch def get_secret(): if os.path.exists("/etc/tower/SECRET_KEY"): @@ -89,6 +90,11 @@ data: BROADCAST_WEBSOCKET_PORT = 8052 BROADCAST_WEBSOCKET_PROTOCOL = 'http' + # Load LDAP BIND password from Kubernetes secret if define + {% if ldap_password_secret -%} + AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}" + {% endif %} + {% for item in extra_settings | default([]) %} {{ item.setting }} = {{ item.value }} {% endfor %} From daf1c5762fb4f6b0e07e498e02532e6f282b41a4 Mon Sep 17 00:00:00 2001 From: Loc Mai Date: Mon, 29 Nov 2021 15:28:08 +0700 Subject: [PATCH 02/11] Add pod_labels for custom pod labels Signed-off-by: Loc Mai --- config/crd/bases/awx.ansible.com_awxs.yaml | 3 +++ config/manifests/bases/olm-parameters.yaml | 6 ++++++ roles/installer/defaults/main.yml | 6 ++++++ roles/installer/templates/deployment.yaml.j2 | 1 + 4 files changed, 16 insertions(+) diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index 3f7f5d001..eec403607 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -134,6 +134,9 @@ spec: node_selector: description: nodeSelector for the pods type: string + pod_labels: + description: Additional labels to apply to the pod + type: string service_labels: description: Additional labels to apply to the service type: string diff --git a/config/manifests/bases/olm-parameters.yaml b/config/manifests/bases/olm-parameters.yaml index 023d504f7..9a6a4232a 100644 --- a/config/manifests/bases/olm-parameters.yaml +++ b/config/manifests/bases/olm-parameters.yaml 
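Review bot: The new `AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}"` line writes the decoded bind password into the `settings` block under `data:` of config.yaml.j2, which appears to be rendered as a ConfigMap, so a value that was carefully fetched from a Secret with `no_log: true` becomes readable to anyone with ConfigMap read access in the namespace and shows up in every `kubectl get cm -o yaml`; the Secret indirection then protects nothing. The raw value is also interpolated into a Python double-quoted literal, so a password containing `"` or `\` produces a syntax error in the settings module. The `get_secret()` helper visible in the context already reads `/etc/tower/SECRET_KEY` from a mounted file; mounting the Secret and reading `ldap-password` the same way at import time keeps the password out of the ConfigMap, and at minimum the literal should be emitted as `AUTH_LDAP_BIND_PASSWORD = {{ ldap_bind_password | to_json }}`. Whether the rendered ConfigMap is additionally echoed into operator logs or CR status is not visible from this hunk.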
@@ -511,6 +511,12 @@ x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: Pod Labels + path: pod_labels + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:text + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Service Labels path: service_labels x-descriptors: diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index df7f13e3f..551e097b5 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -3,6 +3,12 @@ deployment_type: awx kind: '{{ deployment_type | upper }}' api_version: '{{ deployment_type }}.ansible.com/v1beta1' +# Custom labels for the tower pod. Specify as literal block. E.g.: +# pod_labels: | +# environment: non-production +# zone: internal +pod_labels: '' + database_name: "{{ deployment_type }}" database_username: "{{ deployment_type }}" diff --git a/roles/installer/templates/deployment.yaml.j2 b/roles/installer/templates/deployment.yaml.j2 index 20e53d07d..f95c67369 100644 --- a/roles/installer/templates/deployment.yaml.j2 +++ b/roles/installer/templates/deployment.yaml.j2 @@ -27,6 +27,7 @@ spec: app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}' app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' app.kubernetes.io/component: '{{ deployment_type }}' + {{ pod_labels | indent(width=8) }} spec: serviceAccountName: '{{ ansible_operator_meta.name }}' {% if image_pull_secret %} From 57e744f18c337af695b8dbb1d5f96e9986af5e6d Mon Sep 17 00:00:00 2001 From: hungts Date: Tue, 30 Nov 2021 10:35:34 +0700 Subject: [PATCH 03/11] Omit tls secret if using wildcard cert --- roles/installer/templates/ingress.yaml.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index 57cf42e73..13d338337 100644 --- a/roles/installer/templates/ingress.yaml.j2 
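Review bot: `{{ pod_labels | indent(width=8) }}` in deployment.yaml.j2 splices user-supplied YAML after the operator-managed `app.kubernetes.io/*` labels with nothing stopping a repeat of one of those keys; PyYAML keeps the last duplicate silently, so a `pod_labels` entry such as `app.kubernetes.io/name` overrides the managed value and, if the Deployment selector references that label (the selector is outside this hunk), the API server rejects the Deployment for a template/selector mismatch. Either state in the `pod_labels` defaults comment that the `app.kubernetes.io/*` keys are reserved, or render `pod_labels` before the managed labels so the operator's values win. The pre-existing `service_labels` field presumably uses the same construct, so whichever fix is chosen should apply to both. Patch 04 in this series reverts this hunk, so the point may be moot for the final state.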
+++ b/roles/installer/templates/ingress.yaml.j2 @@ -28,11 +28,12 @@ spec: number: 80 {% if hostname %} host: {{ hostname }} -{% endif %} -{% if ingress_tls_secret %} tls: - hosts: - - {{ hostname }} + - {{ hostname }} +{% endif %} + +{% if ingress_tls_secret %} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From 8fcbd1c8b6619738cf02d9970ebd0b598f7e272a Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 13:36:08 +0700 Subject: [PATCH 04/11] Resolve conflicts --- config/crd/bases/awx.ansible.com_awxs.yaml | 3 --- config/manifests/bases/olm-parameters.yaml | 6 ------ roles/installer/defaults/main.yml | 6 ------ roles/installer/templates/deployment.yaml.j2 | 1 - roles/installer/templates/ingress.yaml.j2 | 3 --- 5 files changed, 19 deletions(-) diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index c59d6f274..551573c65 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -134,9 +134,6 @@ spec: node_selector: description: nodeSelector for the pods type: string - pod_labels: - description: Additional labels to apply to the pod - type: string service_labels: description: Additional labels to apply to the service type: string diff --git a/config/manifests/bases/olm-parameters.yaml b/config/manifests/bases/olm-parameters.yaml index 9a6a4232a..023d504f7 100644 --- a/config/manifests/bases/olm-parameters.yaml +++ b/config/manifests/bases/olm-parameters.yaml @@ -511,12 +511,6 @@ x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden - - displayName: Pod Labels - path: pod_labels - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:advanced - - urn:alm:descriptor:com.tectonic.ui:text - - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Service Labels path: service_labels x-descriptors: 
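Review bot: Moving `tls:`/`hosts:` outside the `{% if ingress_tls_secret %}` guard enables TLS on every Ingress that has a `hostname`, not only those that opted in; with ingress-nginx a `tls` entry without `secretName` selects the controller's default certificate, which is the self-signed placeholder unless an administrator installed a wildcard, and it usually also switches on the HTTP-to-HTTPS redirect. Users who deliberately left `ingress_tls_secret` empty would see their AWX URL start failing with certificate errors after an operator upgrade. Gate the secret-less form on an explicit opt-in, e.g. `{% if ingress_tls_secret or ingress_tls_default_certificate | default(false) %}`, and keep `secretName` inside the existing check. Patch 05 in this series reverts the hunk, so this may already be settled.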
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index 2bc112e44..11e0e09d6 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -3,12 +3,6 @@ deployment_type: awx kind: '{{ deployment_type | upper }}' api_version: '{{ deployment_type }}.ansible.com/v1beta1' -# Custom labels for the tower pod. Specify as literal block. E.g.: -# pod_labels: | -# environment: non-production -# zone: internal -pod_labels: '' - database_name: "{{ deployment_type }}" database_username: "{{ deployment_type }}" diff --git a/roles/installer/templates/deployment.yaml.j2 b/roles/installer/templates/deployment.yaml.j2 index f95c67369..20e53d07d 100644 --- a/roles/installer/templates/deployment.yaml.j2 +++ b/roles/installer/templates/deployment.yaml.j2 @@ -27,7 +27,6 @@ spec: app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}' app.kubernetes.io/managed-by: '{{ deployment_type }}-operator' app.kubernetes.io/component: '{{ deployment_type }}' - {{ pod_labels | indent(width=8) }} spec: serviceAccountName: '{{ ansible_operator_meta.name }}' {% if image_pull_secret %} diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index 13d338337..fcf05c06b 100644 --- a/roles/installer/templates/ingress.yaml.j2 +++ b/roles/installer/templates/ingress.yaml.j2 @@ -31,9 +31,6 @@ spec: tls: - hosts: - {{ hostname }} -{% endif %} - -{% if ingress_tls_secret %} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From 4032d4b3dd2e245ee4bd31438057d035b88aa8d9 Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 17:36:40 +0700 Subject: [PATCH 05/11] Remove the ingress changes --- roles/installer/templates/ingress.yaml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index fcf05c06b..57cf42e73 100644 --- a/roles/installer/templates/ingress.yaml.j2 
+++ b/roles/installer/templates/ingress.yaml.j2 @@ -28,9 +28,11 @@ spec: number: 80 {% if hostname %} host: {{ hostname }} +{% endif %} +{% if ingress_tls_secret %} tls: - hosts: - - {{ hostname }} + - {{ hostname }} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From 06d08caa6ce792b4f10d881be99b6c6bc882d4a4 Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 17:39:37 +0700 Subject: [PATCH 06/11] Remove the config changes --- roles/installer/templates/config.yaml.j2 | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2 index 8b4f67acb..5ebaca458 100644 --- a/roles/installer/templates/config.yaml.j2 +++ b/roles/installer/templates/config.yaml.j2 @@ -26,6 +26,7 @@ data: ADMINS = () STATIC_ROOT = '/var/lib/awx/public/static' + STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}' PROJECTS_ROOT = '/var/lib/awx/projects' JOBOUTPUT_ROOT = '/var/lib/awx/job_status' @@ -90,11 +91,6 @@ data: BROADCAST_WEBSOCKET_PORT = 8052 BROADCAST_WEBSOCKET_PROTOCOL = 'http' - # Load LDAP BIND password from Kubernetes secret if define - {% if ldap_password_secret -%} - AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}" - {% endif %} - {% for item in extra_settings | default([]) %} {{ item.setting }} = {{ item.value }} {% endfor %} @@ -178,15 +174,15 @@ data: deny all; } - location /static/ { + location {{ (ingress_path + '/static').replace('//', '/') }} { alias /var/lib/awx/public/static/; } - location /favicon.ico { + location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} { alias /var/lib/awx/public/static/media/favicon.ico; } - location /websocket { + location {{ (ingress_path + '/websocket').replace('//', '/') }} { # Pass request to the upstream alias proxy_pass http://daphne; # Require http version 1.1 to allow for upgrade requests 
@@ -208,7 +204,7 @@ data: proxy_set_header Connection $connection_upgrade; } - location / { + location {{ ingress_path }} { # Add trailing / if missing rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; uwsgi_read_timeout 120s; From 30f3d56375cfcf48a683088dbef7deab3ae5c629 Mon Sep 17 00:00:00 2001 From: hungts Date: Fri, 19 Nov 2021 11:16:13 +0700 Subject: [PATCH 07/11] Load LDAP password from secret and update guideline --- README.md | 81 +++++++++++++++++-- config/crd/bases/awx.ansible.com_awxs.yaml | 3 + roles/installer/defaults/main.yml | 3 + .../tasks/load_ldap_password_secret.yml | 14 ++++ roles/installer/tasks/main.yml | 5 ++ roles/installer/templates/config.yaml.j2 | 5 ++ 6 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 roles/installer/tasks/load_ldap_password_secret.yml diff --git a/README.md b/README.md index aa6cf9eb8..cdf19a9a1 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Containers Resource Requirements](#containers-resource-requirements) * [Assigning AWX pods to specific nodes](#assigning-awx-pods-to-specific-nodes) * [Trusting a Custom Certificate Authority](#trusting-a-custom-certificate-authority) + * [Enabling LDAP Integration at AWX bootstrap](#enabling-ldap-integration-at-awx-bootstrap) * [Persisting Projects Directory](#persisting-projects-directory) * [Custom Volume and Volume Mount Options](#custom-volume-and-volume-mount-options) * [Default execution environments from private registries](#default-execution-environments-from-private-registries) @@ -45,6 +46,10 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Contributing](#contributing) * [Release Process](#release-process) * [Author](#author) + + + + ## Purpose 
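Review bot: `location {{ ingress_path }} {` renders an invalid nginx block (`location  {`) if `ingress_path` is ever empty, and the `(ingress_path + '/static').replace('//', '/')` form in the preceding hunk suggests an empty or slash-less value is considered possible; `location {{ ingress_path | default('/', true) }} {` keeps the web container from failing its config test. The definition of `ingress_path` is outside this hunk, so whether an empty value can actually reach the template is not visible here. Separately, these nginx and `STATIC_URL` changes have nothing to do with the commit subject "Remove the config changes" and look like rebase carry-over; they would be far easier to review in their own commit.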
@@ -633,11 +638,11 @@ In cases which you need to trust a custom Certificate Authority, there are few v Trusting a custom Certificate Authority allows the AWX to access network services configured with SSL certificates issued locally, such as cloning a project from from an internal Git server via HTTPS. It is common for these scenarios, experiencing the error [unable to verify the first certificate](https://github.com/ansible/awx-operator/issues/376). -| Name | Description | Default | -| -------------------- | -------------------------------------- | ------- | -| ldap_cacert_secret | LDAP Certificate Authority secret name | '' | -| bundle_cacert_secret | Certificate Authority secret name | '' | - +| Name | Description | Default | +| -------------------------------- | ---------------------------------------- | --------| +| ldap_cacert_secret | LDAP Certificate Authority secret name | '' | +| ldap_password_secret | LDAP BIND DN Password secret name | '' | +| bundle_cacert_secret | Certificate Authority secret name | '' | Please note the `awx-operator` will look for the data field `ldap-ca.crt` in the specified secret when using the `ldap_cacert_secret`, whereas the data field `bundle-ca.crt` is required for `bundle_cacert_secret` parameter. Example of customization could be: @@ -647,10 +652,13 @@ Example of customization could be: spec: ... ldap_cacert_secret: -custom-certs + ldap_password_secret: -ldap-password bundle_cacert_secret: -custom-certs ``` -To create the secret, you can use the command below: +To create the secrets, you can use the commands below: + +* Certificate Authority secret ``` # kubectl create secret generic -custom-certs \ 
@@ -658,6 +666,67 @@ To create the secret, you can use the command below: --from-file=bundle-ca.crt= ``` +* LDAP BIND DN Password secret + +``` +# kubectl create secret generic -ldap-password \ + --from-literal=ldap-password= +``` + +#### Enabling LDAP Integration at AWX bootstrap + +A sample of extra settings can be found as below: + +```yaml + - setting: AUTH_LDAP_SERVER_URI + value: >- + "ldaps://ad01.abc.com:636 ldaps://ad02.abc.com:636" + + - setting: AUTH_LDAP_BIND_DN + value: >- + "CN=LDAP User,OU=Service Accounts,DC=abc,DC=com" + + - setting: AUTH_LDAP_USER_SEARCH + value: 'LDAPSearch("DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)' + + - setting: AUTH_LDAP_GROUP_SEARCH + value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)' + + - setting: AUTH_LDAP_USER_ATTR_MAP + value: '{"first_name": "givenName","last_name": "sn","email": "mail"}' + + - setting: AUTH_LDAP_REQUIRE_GROUP + value: >- + "CN=operators,OU=Groups,DC=abc,DC=com" + + - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP + value: { + "is_superuser": [ + "CN=admin,OU=Groups,DC=abc,DC=com" + ] + } + + + - setting: AUTH_LDAP_ORGANIZATION_MAP + value: { + "abc": { + "admins": "CN=admin,OU=Groups,DC=abc,DC=com", + "remove_users": false, + "remove_admins": false, + "users": true + } + } + + - setting: AUTH_LDAP_TEAM_MAP + value: { + "admin": { + "remove": true, + "users": "CN=admin,OU=Groups,DC=abc,DC=com", + "organization": "abc" + } + } +``` + #### Persisting Projects Directory In cases which you want to persist the `/var/lib/projects` directory, there are few variables that are customizable for the `awx-operator`. diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index fe93f6474..05f8e7658 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml 
@@ -405,6 +405,9 @@ spec: ldap_cacert_secret: description: Secret where can be found the LDAP trusted Certificate Authority Bundle type: string + ldap_password_secret: + description: Secret where can be found the LDAP bind password + type: string bundle_cacert_secret: description: Secret where can be found the trusted Certificate Authority Bundle type: string diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index 7dbc2bbf0..21253a156 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -247,6 +247,9 @@ ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt" # ldap_cacert_secret: '' +# Secret to lookup that provides the LDAP bind password +ldap_password_secret: '' + # Secret to lookup that provides the custom CA trusted bundle bundle_cacert_secret: '' diff --git a/roles/installer/tasks/load_ldap_password_secret.yml b/roles/installer/tasks/load_ldap_password_secret.yml new file mode 100644 index 000000000..5b1418523 --- /dev/null +++ b/roles/installer/tasks/load_ldap_password_secret.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve LDAP bind password Secret + k8s_info: + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ldap_password_secret }}' + register: ldap_password + no_log: true + +- name: Load LDAP bind password Secret content + set_fact: + ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}' + no_log: true + when: '"ldap-password" in ldap_password["resources"][0]["data"]' diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml index aef52bbbe..85ea1ec33 100644 --- a/roles/installer/tasks/main.yml +++ b/roles/installer/tasks/main.yml @@ -25,6 +25,11 @@ when: - ldap_cacert_secret != '' +- name: Load ldap bind password + include_tasks: load_ldap_password_secret.yml + when: + - ldap_password_secret != '' + - name: Load bundle certificate authority certificate include_tasks: load_bundle_cacert_secret.yml when: 
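Review bot: After this series is applied, the `ldap_bind_password` fact produced by the new load_ldap_password_secret.yml has no consumer: patch 11 removes the `AUTH_LDAP_BIND_PASSWORD` lines from config.yaml.j2 again, so the operator reads the Secret on every reconcile and discards it, while the README section and CRD field added here still advertise `ldap_password_secret` as functional. Either the template line belongs in the final state, or the loader, the `ldap_password_secret` default, the CRD field and the README section should be dropped together. The `no_log: true` on both tasks is correct and should stay whichever way this resolves. `k8s_info` on `kind: Secret` also needs RBAC to read Secrets in the CR namespace, which the operator role presumably already has for `ldap_cacert_secret` but is not visible here.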
diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2 index 10944be96..23ff4d235 100644 --- a/roles/installer/templates/config.yaml.j2 +++ b/roles/installer/templates/config.yaml.j2 @@ -101,6 +101,11 @@ data: BROADCAST_WEBSOCKET_PORT = 8052 BROADCAST_WEBSOCKET_PROTOCOL = 'http' + # Load LDAP BIND password from Kubernetes secret if define + {% if ldap_password_secret -%} + AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}" + {% endif %} + {% for item in extra_settings | default([]) %} {{ item.setting }} = {{ item.value }} {% endfor %} From 0361a7f11f57e7b179bdff584cc68829c1397bcb Mon Sep 17 00:00:00 2001 From: hungts Date: Tue, 30 Nov 2021 10:35:34 +0700 Subject: [PATCH 08/11] Omit tls secret if using wildcard cert --- roles/installer/templates/ingress.yaml.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index 57cf42e73..13d338337 100644 --- a/roles/installer/templates/ingress.yaml.j2 +++ b/roles/installer/templates/ingress.yaml.j2 @@ -28,11 +28,12 @@ spec: number: 80 {% if hostname %} host: {{ hostname }} -{% endif %} -{% if ingress_tls_secret %} tls: - hosts: - - {{ hostname }} + - {{ hostname }} +{% endif %} + +{% if ingress_tls_secret %} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From b4e89f9657aa0f1e41a43fc1f40b76775b802713 Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 13:36:08 +0700 Subject: [PATCH 09/11] Resolve conflicts --- roles/installer/templates/ingress.yaml.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index 13d338337..fcf05c06b 100644 --- a/roles/installer/templates/ingress.yaml.j2 +++ b/roles/installer/templates/ingress.yaml.j2 
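Review bot: `{% if ldap_password_secret -%}` tests the Secret name, but `ldap_bind_password` is only assigned by the `when`-guarded set_fact in load_ldap_password_secret.yml, so a Secret that exists without the `ldap-password` field leaves the variable undefined and the render fails with an undefined-variable error rather than a message pointing at the missing key. Guard on the value that is actually used, `{% if ldap_bind_password is defined -%}`, or better make the loader fail with an explicit message so rendering never sees the gap. Independently, this line places the plaintext bind password in the `settings` block under `data:`, which appears to be a ConfigMap rather than a Secret, and inserts it unescaped into a Python string literal; `AUTH_LDAP_BIND_PASSWORD = {{ ldap_bind_password | to_json }}` fixes the escaping, while reading the value from a mounted Secret file as `get_secret()` does for `/etc/tower/SECRET_KEY` would fix the exposure.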
@@ -31,9 +31,6 @@ spec: tls: - hosts: - {{ hostname }} -{% endif %} - -{% if ingress_tls_secret %} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From e003a51638fb955d8ef965f15122e53bbe4ce1e2 Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 17:36:40 +0700 Subject: [PATCH 10/11] Remove the ingress changes --- roles/installer/templates/ingress.yaml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/installer/templates/ingress.yaml.j2 b/roles/installer/templates/ingress.yaml.j2 index fcf05c06b..57cf42e73 100644 --- a/roles/installer/templates/ingress.yaml.j2 +++ b/roles/installer/templates/ingress.yaml.j2 @@ -28,9 +28,11 @@ spec: number: 80 {% if hostname %} host: {{ hostname }} +{% endif %} +{% if ingress_tls_secret %} tls: - hosts: - - {{ hostname }} + - {{ hostname }} secretName: {{ ingress_tls_secret }} {% endif %} {% endif %} From 0cc17d956292ab4f703eaa6348dcc11abf63b8a3 Mon Sep 17 00:00:00 2001 From: hungts Date: Sat, 12 Feb 2022 17:39:37 +0700 Subject: [PATCH 11/11] Remove the config changes --- roles/installer/templates/config.yaml.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2 index 23ff4d235..10944be96 100644 --- a/roles/installer/templates/config.yaml.j2 +++ b/roles/installer/templates/config.yaml.j2 @@ -101,11 +101,6 @@ data: BROADCAST_WEBSOCKET_PORT = 8052 BROADCAST_WEBSOCKET_PROTOCOL = 'http' - # Load LDAP BIND password from Kubernetes secret if define - {% if ldap_password_secret -%} - AUTH_LDAP_BIND_PASSWORD = "{{ ldap_bind_password }}" - {% endif %} - {% for item in extra_settings | default([]) %} {{ item.setting }} = {{ item.value }} {% endfor %}