Rename oc_setup role into ocp_add_users #467
Open
tonyskapunk wants to merge 9 commits into main from ocp_add_users
Commits (9)
- 2755b96 Rename oc_setup role into ocp_add_users (tonyskapunk)
- 3d0e27b Feedback on ocp_add_users role (tonyskapunk)
- 8b20c0f Set a secret name for htpass (tonyskapunk)
- 511fd76 Fix conditional for empty providers (tonyskapunk)
- a73c401 Cast the length as a string (tonyskapunk)
- 859ee53 Fix current users' variable (tonyskapunk)
- 6941020 Fix typo in defining var (tonyskapunk)
- 4fed668 Remove IdP types (tonyskapunk)
- e39ed4f ansible-collection-redhatci-ocp.spec: add a Conflicts line to avoid a… (fredericlepied)
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
# ocp_add_users role | ||
|
||
This role adds users to an OpenShift cluster through htpasswd Identity Provider. | ||
|
||
It configures the [htpasswd identity provider](https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/authentication_and_authorization/index#configuring-htpasswd-identity-provider) to allow new users to login into OpenShift Container Platform with credentials from an htpasswd file. | ||
|
||
When users already exist through htpasswd IdP, it will append the new users or replace old users with new password and new role. | ||
|
||
See the [Roles](./#Roles) for information about the type of roles used to create users. | ||
|
||
## Requirements | ||
|
||
- Python [passlib](https://pypi.org/project/passlib) library | ||
- Access to a valid kubeconfig file via an `KUBECONFIG` environment variable. | ||
|
||
```Shell | ||
export KUBECONFIG=<kubeconfig_path> | ||
``` | ||
|
||
## Variables | ||
|
||
| Variable | Default | Required | Description | ||
| --------------- | ---------- | --------- | ----------- | ||
| oau_dir | undefined | Yes | Directory where the credentials will be saved. | ||
| oau_users | undefined | Yes | List of users to create and their associated [role](#roles). See [formatting](#formatting) for details. | ||
| oau_passwd_len | 15 | No | Password length. | ||
| oau_secure_log | true | No | Whether or not hide sensitive logs. | ||
|
||
## Formatting | ||
|
||
The `oau_users` expects a list of users and its [role](#roles) divided by `:`, no spaces, i.e. `<username>:<role>`. | ||
The `username` must include alphanumeric characters or the special character `-`. | ||
The `role` must include only valid roles, see [roles](#roles) for more details. | ||
|
||
In this example, three users will be created: `admin`, `basic-user` and `nonadmin`, each user will have a role associated, `admin`, `basic-user`, and `none` respectively. | ||
|
||
```yaml | ||
oau_users: | ||
- admin:admin | ||
- basic-user:basic-user | ||
- nonadmin:none | ||
``` | ||
|
||
## Roles | ||
|
||
These are the roles assigned to the users on creation. See [official documentation about the default roles](https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/postinstallation_configuration/post-install-preparing-for-users#default-roles_post-install-preparing-for-users) | ||
|
||
| Role | Description | ||
| ---------------- | ----------- | ||
| admin | A project manager. If used in a local binding, an admin has rights to view any resource in the project and modify any resource in the project except for quota. | ||
| basic-user | A user that can get basic information about projects and users. | ||
| cluster-admin | A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project. | ||
| cluster-status | A user that can get basic cluster status information. | ||
| cluster-reader | A user that can get or view most of the objects but cannot modify them. | ||
| edit | A user that can modify most objects in a project but does not have the power to view or modify roles or bindings. | ||
| self-provisioner | A user that can create their own projects. | ||
| view | A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings. | ||
| none | No role is assigned. | ||
|
||
|
||
## Role Outputs | ||
|
||
A file with the created accounts is saved in the `oau_config_dir` directory as `ocp_cred.txt`. | ||
|
||
## Usage example | ||
|
||
- Adding two users | ||
|
||
```yaml | ||
- name: Add OCP users | ||
ansible.builtin.include_role: | ||
name: redhatci.ocp.ocp_add_user | ||
vars: | ||
|
||
oau_config_dir: /path/to/some/dir | ||
oau_users: | ||
- custom-admin:admin | ||
- test-user-0:basic-user | ||
- test-user-1:view | ||
- nonadmin:none | ||
``` |
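Review bot: the README disagrees with the task files in this same PR, so anyone following it will hit undefined variables: the variable table (and the `ocp_creds.txt` task) use `oau_dir`, while "Role Outputs" and the usage example use `oau_config_dir` and call the file `ocp_cred.txt`; the usage example includes `redhatci.ocp.ocp_add_user` although the role is `ocp_add_users`; and `oau_secret_name`, which the secret and OAuth tasks require, is missing from the variable table. Suggest settling on `oau_dir` / `ocp_creds.txt` everywhere, fixing the role name in the example, and documenting `oau_secret_name` with its default. Minor: the `[Roles](./#Roles)` link should be `#roles` like the other anchors, and since the output file holds plaintext passwords, "Role Outputs" should say so (and mention the 0640 mode) so operators can choose where `oau_dir` lives.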
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
oau_passwd_len: 15 |
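Review bot: only `oau_passwd_len` gets a default here, yet every sensitive task evaluates `oau_secure_log | bool` and the README states it defaults to `true`; unless it is defined in a file not shown, add `oau_secure_log: true` to these defaults so a caller who omits it gets the documented behaviour rather than an undefined-variable failure. The same applies to `oau_secret_name`, which the secret and OAuth tasks reference.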
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
--- | ||
- name: Add roles to users | ||
vars: | ||
user: "{{ item.split(':')[0] }}" | ||
role: "{{ item.split(':')[1] }}" | ||
community.kubernetes.k8s: | ||
state: present | ||
definition: | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: "{{ user | replace('_', '-') }}-0" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: "{{ role }}" | ||
subjects: | ||
- kind: User | ||
name: "{{ user }}" | ||
loop: "{{ oau_users }}" | ||
when: role != "none" |
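Review bot: every role is bound with a ClusterRoleBinding, which makes `admin`, `edit` and `view` cluster-wide, while the README describes `admin` as "a project manager" with rights in a local binding; either state in the README that all roles here apply to every project, or take a namespace and create a RoleBinding for the namespace-scoped roles. Also, `role` is whatever follows the `:` in the entry and goes straight into `roleRef.name`, so a typo or a ClusterRole not in the documented list is bound without complaint (RBAC accepts a dangling `roleRef`); add an `ansible.builtin.assert` that each role is one of the documented values and that each entry contains exactly one `:`, since `item.split(':')[1]` raises on an entry without it. `community.kubernetes.k8s` is the deprecated name; `kubernetes.core.k8s` is the current one.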
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--- | ||
- name: Set all the users (new and current) | ||
vars: | ||
current_users: "{{ (_oau_secret.resources[0].data.htpasswd | default('Cg==') | b64decode).split() }}" | ||
new_users: "{{ (_oau_new_encoded_users.content | b64decode).split() }}" | ||
ansible.builtin.set_fact: | ||
oau_all_users: "{{ _oau_all_users | default({}) | combine({item.split(':')[0]: item.split(':')[1]}) }}" | ||
loop: "{{ current_users + new_users }}" | ||
loop_control: | ||
label: "{{ item.split(':')[0] }}" | ||
no_log: "{{ oau_secure_log | bool }}" | ||
|
||
- name: Create/Update htpasswd secret | ||
vars: | ||
_all_users_text: | | ||
{% for user, passwd in oau_all_users.items() %} | ||
{{ user + ":" + passwd }} | ||
{% endfor %} | ||
community.kubernetes.k8s: | ||
definition: | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: "{{ oau_secret_name }}" | ||
namespace: openshift-config | ||
type: Opaque | ||
data: | ||
htpasswd: "{{ _all_users_text | b64encode }}" | ||
no_log: "{{ oau_secure_log | bool }}" | ||
|
||
- name: Setup htpasswd auth IdP backend in OCP | ||
|
||
community.kubernetes.k8s: | ||
definition: | ||
apiVersion: config.openshift.io/v1 | ||
kind: OAuth | ||
metadata: | ||
name: cluster | ||
spec: | ||
identityProviders: | ||
- name: htpassidp | ||
challenge: true | ||
login: true | ||
mappingMethod: claim | ||
type: HTPasswd | ||
htpasswd: | ||
fileData: | ||
name: "{{ oau_secret_name }}" |
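Review bot: the "Setup htpasswd auth IdP backend" task writes `spec.identityProviders` as a one-element list; patched onto the existing `cluster` OAuth object, a list field is replaced rather than merged, so any other IdP already configured (LDAP, OIDC, a second htpasswd) is dropped. The commit "Fix conditional for empty providers" suggests a guard lives outside this file; if so, reference it in a comment here, otherwise read the current `spec.identityProviders` first and append. Two smaller points: `current_users` indexes `_oau_secret.resources[0]` before `default('Cg==')` applies, so the missing-secret path (empty `resources` list) deserves an explicit test; and because `oau_all_users` is built with `combine`, a user present in both lists ends up with the new hash, which is the README's promised replace behaviour but is not obvious from the loop and merits a comment.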
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
--- | ||
- name: Generate Random passwords for new users | ||
vars: | ||
user: "{{ item.split(':')[0] }}" | ||
passwd: "{{ lookup('password', '/dev/null length=' + oau_passwd_len | string + ' chars=ascii_letters,digits') }}" | ||
ansible.builtin.set_fact: | ||
oau_pass: "{{ oau_pass | default({}) | combine({user: passwd}) }}" | ||
loop: "{{ oau_users }}" | ||
loop_control: | ||
label: "{{ user }}" | ||
no_log: "{{ oau_secure_log | bool }}" | ||
|
||
- name: Save passwords to the output directory | ||
ansible.builtin.copy: | ||
content: | | ||
# OCP automatically generated users for the API/GUI | ||
{% for user, passwd in oau_pass.items() %} | ||
{{ user + ":" + passwd }} | ||
{% endfor %} | ||
dest: "{{ oau_dir }}/ocp_creds.txt" | ||
mode: '0640' | ||
no_log: "{{ oau_secure_log | bool }}" | ||
|
||
- name: Create http auth file for new users | ||
ansible.builtin.htpasswd: | ||
path: "{{ oau_dir }}/new_users.htpasswd" | ||
name: "{{ user }}" | ||
password: "{{ oau_pass[user] }}" | ||
mode: "0640" | ||
loop: "{{ oau_pass.keys() | list }}" | ||
loop_control: | ||
loop_var: user | ||
label: "{{ user }}" | ||
no_log: "{{ oau_secure_log | bool }}" | ||
|
||
- name: Read new encoded users | ||
ansible.builtin.slurp: | ||
src: "{{ oau_dir }}/new_users.htpasswd" | ||
register: _oau_new_encoded_users |
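Review bot: `ansible.builtin.htpasswd` hashes with `apr_md5_crypt` unless `hash_scheme` is set, while the OpenShift documentation generates the file with `htpasswd -B` (bcrypt); set `hash_scheme: bcrypt` on the "Create http auth file" task. The `password` lookup against `/dev/null` produces fresh values on every run, so re-running the role rotates the passwords of users that already exist in the secret; either document that or make the generation conditional. `ocp_creds.txt` holds plaintext passwords on the controller and `new_users.htpasswd` is left next to it after the slurp, so consider removing the htpasswd file once `_oau_new_encoded_users` is registered, and add `no_log` to the slurp task, which otherwise shows the file content in verbose output.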