Rename oc_setup role into ocp_add_users

README.md

@@ -98,9 +98,9 @@ Name | Description
 [redhatci.ocp.multibench_run](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/multibench_run/README.md) | Launch a crucible scenario on OCP
 [redhatci.ocp.nfs_external_storage](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/nfs_external_storage/README.md) | Add NFS external storage provisioner to a cluster.
 [redhatci.ocp.node_prep](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/node_prep/README.md) | [Preparation for IPI installer](https://github.com/openshift-kni/baremetal-deploy)
+[redhatci.ocp.ocp_add_users](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/ocp_add_users/README.md) | Add users to an OpenShift cluster through htpasswd Identity Provider.
 [redhatci.ocp.ocp_logging](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/ocp_logging/README.md) | Enables the OCP logging subsystem.
 [redhatci.ocp.ocp_on_libvirt](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/ocp_on_libvirt/README.md) | Creation of a libvirt environment to install OCP
-[redhatci.ocp.oc_setup](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/oc_setup/README.md) | Setup additional credentials (httpasswd) for a running OCP cluster.
 [redhatci.ocp.odf_setup](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/odf_setup/README.md) | Setup of [OpenShift Data Foundation (ODF)](https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation)
 [redhatci.ocp.olm_operator](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/olm_operator/README.md) | Deploys an OLM-based operator.
 [redhatci.ocp.opcap_tool](https://github.com/redhatci/ansible-collection-redhatci-ocp/blob/main/roles/opcap_tool/README.md) | Runs OPCAP tool to test the installation of the Openshift operators.

ansible-collection-redhatci-ocp.spec

@@ -3,7 +3,7 @@
 %global forgeurl https://github.com/%{org}/%{repo}
 
 Name:           %{repo}
-Version:        0.22.EPOCH
+Version:        0.23.EPOCH
 Release:        VERS%{?dist}
 Summary:        Red Hat OCP CI Collection for Ansible
 
@@ -51,6 +51,9 @@ find -type f ! -executable -name '*.py' -print -exec sed -i -e '1{\@^#!.*@d}' '{
 
 
 %changelog
+* Wed Oct 16 2024 Tony Garcia <tonyg@redhat.com> - 0.23.EPOCH-VERS
+- Repurpose oc_setup role, into ocp_add_users role
+
 * Tue Oct  8 2024 Tony Garcia <tonyg@redhat.com> - 0.22.EPOCH-VERS
 - Add etcd_data role
 

galaxy.yml

@@ -9,7 +9,7 @@ name: ocp
 # Always leave patch version as .0
 # Patch version is replaced from commit date in UNIX epoch format
 # example: 0.3.2147483647
-version: 0.22.0
+version: 0.23.0
 
 # The path to the Markdown (.md) readme file.
 readme: README.md

roles/ocp_add_users/README.md

@@ -0,0 +1,78 @@
+# ocp_add_users role
+
+This role adds users to an OpenShift cluster through htpasswd Identity Provider.
+
+It configures the [htpasswd identity provider](https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/authentication_and_authorization/index#configuring-htpasswd-identity-provider) to allow new users to login into OpenShift Container Platform with credentials from an htpasswd file.
+
+When users already exist through htpasswd IdP, it will append the new users or replace old users with new password and new role.
+
+See the [Roles](./#Roles) for information about the type of roles used to create users.
+
+## Requirements
+
+Access to a valid kubeconfig file via an `KUBECONFIG` environment variable.
+
+```Shell
+export KUBECONFIG=<kubeconfig_path>
+```
+
+## Variables
+
+| Variable           | Default    | Required  | Description
+| ------------------ | ---------- | --------- | -----------
+| oau_config_dir     | undefined  | Yes       | Directory where the credentials will be saved.
+| oau_users          | undefined  | Yes       | List of users to create and their associated [role](#roles). See [formatting](#formatting) for details.
+| oau_passwd_len     | 15         | No        | Password length.
+| oau_secure_log     | true       | No        | Whether or not hide sensitive logs.
+
+## Formatting
+
+The `oau_users` expects a list of users and its [role](#roles) divided by `:`, no spaces, i.e. `<username>:<role>`.
+The `username` must include alphanumeric characters or the special character `-`.
+The `role` must include only valid roles, see [roles](#roles) for more details.
+
+In this example, three users will be created: `admin`, `basic-user` and `nonadmin`, each user will have a role associated, `admin`, `basic-user`, and `none` respectively.
+
+```yaml
+oau_users:
+  - admin:admin
+  - basic-user:basic-user
+  - nonadmin:none
+```
+
+## Roles
+
+These are the roles assigned to the users on creation. See [official documentation about the default roles](https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/postinstallation_configuration/post-install-preparing-for-users#default-roles_post-install-preparing-for-users)
+
+| Role             | Description
+| ---------------- | -----------
+| admin            | A project manager. If used in a local binding, an admin has rights to view any resource in the project and modify any resource in the project except for quota.
+| basic-user       | A user that can get basic information about projects and users.
+| cluster-admin    | A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.
+| cluster-status   | A user that can get basic cluster status information.
+| cluster-reader   | A user that can get or view most of the objects but cannot modify them.
+| edit             | A user that can modify most objects in a project but does not have the power to view or modify roles or bindings.
+| self-provisioner | A user that can create their own projects.
+| view             | A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.
+| none             | No role is assigned.
+
+## Role Outputs
+
+A file with the created accounts is saved in the `oau_config_dir` directory as `ocp_cred.txt`.
+
+## Usage example
+
+- Adding two users
+
+```yaml
+- name: Add OCP users
+  ansible.builtin.include_role:
+    name: redhatci.ocp.ocp_add_user
+  vars:
+    oau_config_dir: /path/to/some/dir
+    oau_users:
+      - custom-admin:admin
+      - test-user-0:basic-user
+      - test-user-1:view
+      - nonadmin:none
+```

roles/ocp_add_users/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+oau_idp_type: "HTPasswd"

roles/ocp_add_users/tasks/add-roles.yml

@@ -0,0 +1,21 @@
+---
+- name: Add roles to users
+  vars:
+    user: "{{ item.split(':')[0] }}"
+    role: "{{ item.split(':')[1] }}"
+  community.kubernetes.k8s:
+    state: present
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: "{{ user | replace('_', '-') }}-0"
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: "{{ role }}"
+      subjects:
+        - kind: User
+          name: "{{ user }}"
+  loop: "{{ oau_users }}"
+  when: role != "none"

roles/ocp_add_users/tasks/add-users.yml

@@ -0,0 +1,47 @@
+---
+- name: Set all the users (new and current)
+  vars:
+    current_users: "{{ (_oau_secret.resources[0].data.htpasswd | default('Cg==') | b64decode).split() }}"
+    new_users: "{{ (_oau_new_users_encoded_password.content | b64decode).split() }}"
+  ansible.builtin.set_fact:
+    oau_all_users: "{{ _oau_all_users | default({}) | combine({item.split(':')[0]: item.split(':')[1]}) }}"
+  loop: "{{ current_users + new_users }}"
+  loop_control:
+    label: "{{ item.split(':')[0] }}"
+  no_log: "{{ oau_secure_log | bool }}"
+
+- name: Create/Update htpasswd secret
+  vars:
+    _all_users_text: |
+      {% for user, passwd in oau_all_users.items() %}
+      {{ user + ":" + passwd }}
+      {% endfor %}
+  community.kubernetes.k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: htpass-secret
+        namespace: openshift-config
+      type: Opaque
+      data:
+        htpasswd: "{{ _all_users_text | b64encode }}"
+  no_log: "{{ oau_secure_log | bool }}"
+
+- name: Setup htpasswd auth IdP backend in OCP
+  community.kubernetes.k8s:
+    definition:
+      apiVersion: config.openshift.io/v1
+      kind: OAuth
+      metadata:
+        name: cluster
+      spec:
+        identityProviders:
+          - name: htpassidp
+            challenge: true
+            login: true
+            mappingMethod: claim
+            type: HTPasswd
+            htpasswd:
+              fileData:
+                name: htpass-secret

roles/ocp_add_users/tasks/create-users.yml

@@ -0,0 +1,37 @@
+---
+- name: Generate Random passwords for new users
+  vars:
+    user: "{{ item.split(':')[0] }}"
+    passwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
+  ansible.builtin.set_fact:
+    oau_pass: "{{ _oau_pass | default({}) | combine({user: passwd}) }}"
+  loop: "{{ oau_users }}"
+  no_log: "{{ oau_secure_log | bool }}"
+
+- name: Save passwords to the output directory
+  ansible.builtin.copy:
+    content: |
+      # OCP automatically generated users for the API/GUI
+      {% for user, passwd in oau_pass.items() %}
+      {{ user + ":" + passwd }}
+      {% endfor %}
+    dest: "{{ oau_dir }}/ocp_creds.txt"
+    mode: '0640'
+  no_log: "{{ oau_secure_log | bool }}"
+
+- name: Create http auth file for new users
+  ansible.builtin.htpasswd:
+    path: "{{ oau_dir }}/new_users.htpasswd"
+    name: "{{ user }}"
+    password: "{{ oau_pass[user] }}"
+    mode: "0640"
+  loop: "{{ oau_pass.keys() | list }}"
+  loop_control:
+    loop_var: user
+    label: "{{ user }}"
+  no_log: "{{ oau_secure_log | bool }}"
+
+- name: Read new encoded users
+  ansible.builtin.slurp:
+    src: "{{ oau_dir }}/new_users.htpasswd"
+  register: _oau_new_encoded_users