| | |
| | | --- |
| | | # Implement your Workload deployment tasks here |
| | | - name: Set up ocp4_workload_authentication combined dictionary |
| | | set_fact: |
| | | ocp4_workload_authentication: >- |
| | | {{ ocp4_workload_authentication_defaults |
| | | | combine(ocp4_workload_authentication_input | default( {} ), |
| | | ocp4_workload_authentication_secret | default( {} ), recursive=true) |
| | | }} |
| | | - name: Print combined role variables |
| | | debug: |
| | | var: ocp4_workload_authentication |
| | | verbosity: 2 |
| | | |
| | | - name: Check that ocp4_idm_install is defined |
| | | when: |
| | | - ocp4_idm_install is not defined |
| | | fail: |
| | | msg: "ocp4_idm_install is not defined" |
| | | - name: Check that ocp4_workload_authentication.idm_type is defined and valid |
| | | assert: |
| | | that: |
| | | - ocp4_workload_authentication.idm_type is defined |
| | | - ocp4_workload_authentication.idm_type == "none" or ocp4_workload_authentication.idm_type == "htpasswd" or ocp4_workload_authentication.idm_type == "ldap" |
| | | fail_msg: "ocp4_workload_authentication.idm_type is not defined or not in ('none', 'htpasswd', 'ldap')." |
| | | |
| | | - name: Setup HTPasswd Authentication |
| | | when: ocp4_idm_install == "htpasswd" |
| | | when: ocp4_workload_authentication.idm_type == "htpasswd" |
| | | block: |
| | | # Generate Passwords if no passwords specified |
| | | - name: Generate cluster admin password |
| | | when: ocp4_idm_htpasswd_admin_password | d('') | length == 0 |
| | | when: ocp4_workload_authentication.htpasswd_admin_password | d('') | length == 0 |
| | | set_fact: |
| | | ocp4_idm_htpasswd_admin_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}" |
| | | ocp4_workload_authentication_admin_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}" |
| | | |
| | | - name: Use provided admin password |
| | | when: ocp4_workload_authentication.htpasswd_admin_password | d('') | length > 0 |
| | | set_fact: |
| | | ocp4_workload_authentication_admin_password: "{{ ocp4_workload_authentication.htpasswd_admin_password }}" |
| | | |
| | | - name: Generate htpasswd hash for admin user |
| | | shell: >- |
| | | htpasswd -nb "admin" "{{ ocp4_workload_authentication_admin_password }}"|cut -d: -f2 |
| | | register: r_htpasswd_line |
| | | |
| | | - name: Set htpasswd admin password hash |
| | | set_fact: |
| | | ocp4_workload_authentication_admin_password_hash: "{{ r_htpasswd_line.stdout }}" |
| | | when: |
| | | - r_htpasswd_line is succeeded |
| | | |
| | | - name: Generate user passwords |
| | | when: ocp4_idm_htpasswd_user_password | d('') | length == 0 |
| | | when: ocp4_workload_authentication.htpasswd_user_password | d('') | length == 0 |
| | | set_fact: |
| | | ocp4_idm_htpasswd_user_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}" |
| | | ocp4_workload_authentication_user_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}" |
| | | |
| | | # Generate password hashes |
| | | - name: Use provided user passwords |
| | | when: ocp4_workload_authentication.htpasswd_user_password | d('') | length > 0 |
| | | set_fact: |
| | | ocp4_workload_authentication_user_password: "{{ ocp4_workload_authentication.htpasswd_user_password }}" |
| | | |
| | | - name: Generate htpasswd hash for user passwords |
| | | shell: >- |
| | | htpasswd -nb "userN" "{{ ocp4_idm_htpasswd_user_password }}"|cut -d: -f2 |
| | | register: htpasswd_line |
| | | htpasswd -nb "userN" "{{ ocp4_workload_authentication_user_password }}"|cut -d: -f2 |
| | | register: r_htpasswd_line |
| | | |
| | | - name: Set fact ocp4_idm_htpasswd_user_password_hash |
| | | - name: Set htpasswd user password hash |
| | | set_fact: |
| | | ocp4_idm_htpasswd_user_password_hash: "{{ htpasswd_line.stdout }}" |
| | | ocp4_workload_authentication_user_password_hash: "{{ r_htpasswd_line.stdout }}" |
| | | when: |
| | | - htpasswd_line is succeeded |
| | | - r_htpasswd_line is succeeded |
| | | |
| | | - name: Generate htpasswd hash for ocp4_idm_admin_user |
| | | shell: >- |
| | | htpasswd -nb "admin" "{{ ocp4_idm_htpasswd_admin_password }}"|cut -d: -f2 |
| | | register: htpasswd_line |
| | | |
| | | - name: Set fact ocp4_idm_htpasswd_admin_password_hash |
| | | set_fact: |
| | | ocp4_idm_htpasswd_admin_password_hash: "{{ htpasswd_line.stdout }}" |
| | | when: |
| | | - htpasswd_line is succeeded |
| | | |
| | | # Generate htpasswd file |
| | | - name: Generate htpasswd file |
| | | template: |
| | | src: "htpasswd.j2" |
| | |
| | | - name: Update OAuth Configuration |
| | | k8s: |
| | | state: present |
| | | merge_type: |
| | | - strategic-merge |
| | | - merge |
| | | definition: "{{ lookup('file', item ) | from_yaml }}" |
| | | loop: |
| | | - ./files/oauth-htpasswd.yaml |
| | |
| | | msg: "{{ item }}" |
| | | loop: |
| | | - "user.info: HTPasswd Authentication is enabled on this cluster." |
| | | - "user.info: {{ ocp4_idm_htpasswd_user_base }}1 .. {{ ocp4_idm_htpasswd_user_base }}{{ ocp4_idm_htpasswd_user_count }} are created." |
| | | - "user.info: User `{{ ocp4_idm_admin_user }}` is cluster admin with password `{{ ocp4_idm_htpasswd_admin_password }}`." |
| | | - "user.info: {{ ocp4_workload_authentication.htpasswd_user_base }}1 .. {{ ocp4_workload_authentication.htpasswd_user_base }}{{ ocp4_workload_authentication.htpasswd_user_count }} are created with password `{{ ocp4_workload_authentication_user_password }}`" |
| | | - "user.info: User `{{ ocp4_workload_authentication.admin_user }}` with password `{{ ocp4_workload_authentication_admin_password }}` is cluster admin." |
| | | |
| | | - name: Print User Information for each User |
| | | agnosticd_user_info: |
| | | user: "{{ ocp4_idm_htpasswd_user_base }}{{ n }}" |
| | | user: "{{ ocp4_workload_authentication.htpasswd_user_base }}{{ n }}" |
| | | data: |
| | | password: "{{ ocp4_idm_htpasswd_user_password }}" |
| | | login_command: "oc login -u {{ ocp4_idm_htpasswd_user_base }}{{ n }} -p {{ ocp4_idm_htpasswd_user_password }} {{ r_cluster.resources[0].status.apiServerURL }}" |
| | | loop: "{{ range(1, 1 + ocp4_idm_htpasswd_user_count | int) | list }}" |
| | | password: "{{ ocp4_workload_authentication_user_password }}" |
| | | login_command: "oc login -u {{ ocp4_workload_authentication.htpasswd_user_base }}{{ n }} -p {{ ocp4_workload_authentication_user_password }} {{ r_cluster.resources[0].status.apiServerURL }}" |
| | | loop: "{{ range(1, 1 + ocp4_workload_authentication.htpasswd_user_count | int) | list }}" |
| | | loop_control: |
| | | loop_var: n |
| | | |
| | | - name: Setup OpenTLC LDAP Authentication |
| | | when: ocp4_idm_install == "ldap" |
| | | when: ocp4_workload_authentication.idm_type == "ldap" |
| | | block: |
| | | - name: Check for LDAP Bind Password |
| | | when: ocp4_workload_authentication_secret.ldap_bind_password is not defined |
| | | fail: |
| | | msg: LDAP Authentication is configured but LDAP BindPassword (ocp4_idm_ldap_bindPassword) is not defined. |
| | | when: ocp4_idm_ldap_bindPassword is not defined |
| | | msg: LDAP Authentication is configured but LDAP BindPassword (ocp4_workload_authentication_secret.ldap_bind_password) is not defined. |
| | | |
| | | - name: Get IPA CA Cert |
| | | get_url: |
| | | url: "{{ ocp4_idm_ldap_ca_url }}" |
| | | url: "{{ ocp4_workload_authentication.ldap_ca_url }}" |
| | | dest: "/home/{{ ansible_user }}/ipa-ca.crt" |
| | | mode: 0660 |
| | | |
| | |
| | | namespace: openshift-config |
| | | |
| | | - name: Create LDAP Bind Password Secret |
| | | shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ ocp4_idm_ldap_bindPassword }}\" -n openshift-config" |
| | | shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ ocp4_workload_authentication_secret.ldap_bind_password }}\" -n openshift-config" |
| | | |
| | | - name: Update OAuth Configuration |
| | | k8s: |
| | | state: present |
| | | merge_type: |
| | | - strategic-merge |
| | | - merge |
| | | definition: "{{ lookup('template', item ) | from_yaml }}" |
| | | loop: |
| | | - ./templates/oauth-opentlc-ldap.j2 |
| | |
| | | loop: |
| | | - "user.info: OpenTLC LDAP Authentication is enabled on this cluster." |
| | | - "user.info: Use your OpenTLC user and Password to log into this cluster." |
| | | - "user.info: User `{{ ocp4_idm_admin_user }}` is cluster admin." |
| | | - "user.info: User `{{ ocp4_workload_authentication.admin_user }}` is cluster admin." |
| | | |
| | | - name: Set up Cluster Admin User |
| | | when: |
| | | - ocp4_idm_install != "none" |
| | | - ocp4_idm_admin_user is defined |
| | | - ocp4_workload_authentication.idm_type != "none" |
| | | - ocp4_workload_authentication.admin_user is defined |
| | | k8s: |
| | | state: present |
| | | merge_type: |
| | | - strategic-merge |
| | | - merge |
| | | definition: "{{ lookup('template', './templates/cluster_role_binding.j2') | from_yaml }}" |
| | | |
| | | - name: Remove kubeadmin User |
| | | when: |
| | | - ocp4_idm_admin_user is defined |
| | | - ocp4_idm_install != "none" |
| | | - ocp4_idm_remove_kubeadmin | bool |
| | | - ocp4_workload_authentication.idm_type != "none" |
| | | - ocp4_workload_authentication.admin_user is defined |
| | | - ocp4_workload_authentication.remove_kubeadmin | bool |
| | | block: |
| | | - name: Remove kubeadmin user secret |
| | | k8s: |
| | |
| | | kind: Secret |
| | | namespace: kube-system |
| | | name: kubeadmin |
| | | - name: Remove kubeadmin file |
| | | file: |
| | | state: absent |
| | | path: "/home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeadmin-password" |
| | | |
| | | # Leave this as the last task in the playbook. |
| | | - name: workload tasks complete |