-
-
Save detiber/da042623b26522fcd5767825eafe97a0 to your computer and use it in GitHub Desktop.
| --- | |
| version: v3 | |
| variant: openshift-enterprise | |
| variant_version: '3.1' | |
| # The deployment key specifies the hosts and roles fo rthe deployment | |
| # and configuration values that apply to the deployment as a whole | |
| deployment: | |
| ansible_config: /usr/share/atomic-openshift-utils/ansible.cfg | |
| ansible_log_path: /tmp/ansible.log | |
| ansible_ssh_user: cloud-user | |
| # any unmapped variables for the entire deployment can go here | |
| # they are passed through to the generated inventory as is | |
| openshift_hosted_registry_storage_host: nfs.example.com | |
| openshift_hosted_registry_storage_nfs_options: '*(rw,root_squash)' | |
| openshift_hosted_registry_storage_nfs_directory: /exports | |
| openshift_hosted_registry_storage_volume_name: registry | |
| openshift_hosted_registry_storage_access_modes: ['ReadWriteMany'] | |
| # the hosts key represents settings applied at the host level | |
| hosts: | |
| - connect_to: 10.0.1.1 | |
| hostname: smunilla-newt.os1.phx2.redhat.com | |
| ip: 10.0.1.1 | |
| public_ip: 51.41.51.41 | |
| public_hostname: openshift.public.redhat.com | |
| # any unmapped variables for a host can go here | |
| # they are passed through to the generated inventory as is | |
| node_labels: | |
| region: master | |
| zone: default | |
| roles: | |
| - etcd | |
| - master | |
| - node | |
| - connect_to: 10.0.0.2 | |
| hostname: smunilla-gecko.os1.phx2.redhat.com | |
| ip: 10.0.1.2 | |
| containerized: false | |
| node_labels: | |
| region: primary | |
| zone: default | |
| roles: | |
| - node | |
| - connect_to: 10.1.0.1 | |
| hostname: smunilla-anole.os1.phx2.redhat.com | |
| ip: 10.1.0.1 | |
| node_labels: | |
| region: infra | |
| zone: default | |
| roles: | |
| - storage | |
| - loadbalancer | |
| - dns | |
| roles: | |
| master: | |
| containerized: true | |
| # cluster_* variables are only used for configuring ha masters. | |
| cluster_method: native | |
| cluster_hostname: openshift-ansible.test.example.com | |
| cluster_public_hostname: openshift-ansible.test.example.com | |
| # any unmapped variables for a host can go here | |
| # they are passed through to the generated inventory as is | |
| openshift_master_identity_providers: | |
| - name: htpasswd_auth | |
| login: true | |
| challenge: true | |
| kind: HTPasswdPasswordIdentityProvider | |
| filename: /etc/origin/master/htpasswd | |
| openshift_master_htpasswd_users: | |
| user1: pass1 | |
| user2: pass2 | |
| node: | |
| containerized: true | |
| loadbalancer: | |
| containerized: false | |
| etcd: | |
| containerized: true | |
| storage: | |
| dns: | |
| ... |
other identity provider configs:
openshift_master_identity_providers:
- name: allow_all
login: true
challenge: true
kind: AllowAllPasswordIdentityProvider
openshift_master_identity_providers:
- name: ldap
login: true
challenge: true
kind: LDAPPasswordIdentityProvider
attributes:
id:
- dn
email:
- mail
name:
- cn
preferredUsername:
- uid
bindDN: ''
bindPassword: ''
ca: ''
insecure: false
url: 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'
openshift_master_identity_providers:
- name: req_header
login: true
challenge: true
kind: RequestHeaderIdentityProvider
challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}"
loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}"
clientCA: /path/to/client-ca.file
headers:
- X-Remote-User
- SSO-User
openshift_master_identity_providers:
- name: openid_connect
login: true
challenge: true
kind: OpenIDIdentityProvider
clientID: my_client_id
clientSecret: my_client_secret
ca: my-openid-ca-bundle.crt
extraScopes:
- email
- profile
extraAuthorizeParameters:
include_granted_scopes: "true"
claims:
id:
- custom_id_claim
- sub
preferredUsername:
- preferred_username
- email
name:
- nickname
- given_name
- name
email:
- custom_email_claim
- email
urls:
authorize: https://myidp.example.com/oauth2/authorize
token: https://myidp.example.com/oauth2/token
userInfo: https://myidp.example.com/oauth2/userinfo
Just for record keeping: labels was my original idea for 'node_labels', which as you pointed out, is a much better name.
@detiber I know this is just an example, but can you outline also:
- rhel subscriptions
- containerized deployment
- docker local storage (lvm)
- multiple etcd
- multiple master
I am sure you'll be asked for example when we'll start leveraging those.
Also the authentication options (that you mentioned above) are very interesting for us. Thanks!
- rhel subscriptions
This will be external to the installer, since it will be run as a separate step
- containerized deployment
Already covered: https://gist.github.com/detiber/da042623b26522fcd5767825eafe97a0#file-atomic-openshift-installer-config-yml-L39, https://gist.github.com/detiber/da042623b26522fcd5767825eafe97a0#file-atomic-openshift-installer-config-yml-L57, https://gist.github.com/detiber/da042623b26522fcd5767825eafe97a0#file-atomic-openshift-installer-config-yml-L75, https://gist.github.com/detiber/da042623b26522fcd5767825eafe97a0#file-atomic-openshift-installer-config-yml-L77
- docker local storage (lvm)
I would propose we add the following variables to openshift_ansible:
openshift_docker_storage_setup_devs
openshift_docker_storage_setup_lv
This would match up with the DEVS= and LV= fields in /etc/sysconfig/docker-storage-setup
- multiple etcd
Ah, nice catch, that should have been included. Basically one or more hosts would need to have the etcd role and etcd would need to be added to the roles. I will update the example above.
- multiple master
Not explicitly covered, but would just require that multiple hosts are specified with the master role and that the cluster_* variables are set on the master role: https://gist.github.com/detiber/da042623b26522fcd5767825eafe97a0#file-atomic-openshift-installer-config-yml-L59-L61
@detiber I'm adding the next lines for auth providers in the inventory file, if you can go through them and make sure i passed everything correctly it will be great.
- The values are arbitrary, ignore them.
- The lines are in file format thats why the strings are escaped.
Allow-all:
"openshift_master_identity_providers=[{\"name\":\"Allow_all",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"AllowAllPasswordIdentityProvider\",\"mappingMethod\":\"claim\"}]"
HTPasswd:
- openshift_master_htpasswd_users is added over here.
"openshift_master_identity_providers=[{\"name\":\"HTPasswd\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"HTPasswdPasswordIdentityProvider\",\"mappingMethod\":\"claim\",\"filename\":\"/root\", \"openshift_master_htpasswd_users\" : {\"alon\":\"pass1\",\"daniel\":\"pass2\"}}]"
LDAP:
"openshift_master_identity_providers=[{\"name\":\"LDAP\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"LDAPPasswordIdentityProvider\",\"mappingMethod\":\"claim\",\"attributes\":{\"id\":2,\"email\":\"[email protected]\",\"name\":\"bebe\",\"preferredUsername\":\"fds\"},\"bindDN\":\"fsd\",\"bindPassword\":\"fdsaf\",\"ca\":\"fda\",\"insecure\":\"true\",\"url\":\"Fda\"}]"
Request-header:
"openshift_master_identity_providers=[{\"name\":\"Request-header\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"RequestHeaderIdentityProvider\",\"mappingMethod\":\"claim\",\"challengeURL\":\"fda\",\"loginURL\":\"fdas\",\"clientCA\":\"fdsa\",\"headers\":[\"vav\",\"va\"]}]"
OpenID:
"openshift_master_identity_providers=[{\"name\":\"OpenID\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"OpenIDIdentityProvider\",\"mappingMethod\":\"claim\",\"clientID\":\"2\",\"clientSecret\":\"23\",\"claims\":{\"id\":\"Fdafsa\"},\"urls\":{\"authorize\":\"Fdafsa\",\"toekn\":\"fdafa\"}}]"
Google:
"openshift_master_identity_providers=[{\"name\":\"Google\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"GoogleIdentityProvider\",\"mappingMethod\":\"claim\",\"clientID\":\"2\",\"clientSecret\":\"23\",\"hostedDomain\":\"Fdafsd\"}]"
Git:
"openshift_master_identity_providers=[{\"name\":\"Git\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"GitHubIdentityProvider\",\"mappingMethod\":\"claim\",\"clientID\":\"2\",\"clientSecret\":\"23\"}]"
@alongoldboim some general comments first:
- I'm assuming that the quotes around the entire line represent the generated strings and not the actual entries in the inventory file (which I've never tested, but it seems like it would break the ini file format parsing if they are wrapped in quotes that way).
- Omit the mappingMethod attribute, since if it isn't provided it defaults to 'claim'
- Set login to true for all of the identity providers
- Set challenge to true for all identity providers except OpenID, Google, Github
- We might want to let the user know somehow that they will not be able to login using the cli with a username/password and will have to generate a token from the webui prior to using the cli for these methods.
"openshift_master_identity_providers=[{\"name\":\"HTPasswd\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"HTPasswdPasswordIdentityProvider\",\"mappingMethod\":\"claim\",\"filename\":\"/root\", \"openshift_master_htpasswd_users\" : {\"alon\":\"pass1\",\"daniel\":\"pass2\"}}]"
openshift_master_htpasswd_users should be a separate variable here:
"openshift_master_identity_providers=[{\"name\":\"HTPasswd\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"HTPasswdPasswordIdentityProvider\",\"mappingMethod\":\"claim\",\"filename\":\"/root\"}]"
"openshift_master_htpasswd_users={\"alon\":\"pass1\",\"daniel\":\"pass2\"}"
"openshift_master_identity_providers=[{\"name\":\"Git\",\"login\":\"false\",\"challenge\":\"false\",\"kind\":\"GitHubIdentityProvider\",\"mappingMethod\":\"claim\",\"clientID\":\"2\",\"clientSecret\":\"23\"}]"
- In the UI we want to make sure to call this Github and not Git, the value of the name attribute doesn't matter though (only that it is unique when specifying multiple).
- It's not in the docs (yet), but we also support an additional parameter called
organizationsthat takes a list of Github Organization names to limit auth.
@detiber, Thanks for reviewing it.
Ill make the needed changes and update you.
@detiber is variant_version the version of the yaml file or the version that we want to deploy?
If it's the version of the deployment (e.g. openshift 3.1 vs 3.2, etc...) then it may need to be under deployment.
@detiber anything to pass existing persistent volumes? (e.g. for the registry)
Hosts need to have username/private_key or password specified so that ssh can work. Also not sure about ip vs hostname. I think we need to refer to hosts by hostname, it is cumbersome to ask users specify both - ip and hostname. Or is the idea to also add DNS records?
In the flexy installer I allow creating DNS records for hosts without a hostname when desired. Also allow for creating wildcard DNS for routers. It would be preferable to have DNS implementation pluggable. e.g. support Dyn, bind dynamic dns updates, etc.
The DNS stuff can be handled in a separate step/playbook though. Bringing it up just so you can keep it in mind.
@smunilla I'm looking at passing this on to the CFME team, any issues you see?
I do have a question about how the labels key is used by the storage role... is that passed on as the router/registry selector?
If so, I would expect to see that sit under the deployment config, or a separate hosted role rather than under the storage role (which should only contain variables related to the storage host itself).