-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #14 from AdityaHonkalas/request-header-auth-provid…
…er-test-auto Automation for an identity provider- Request header
- Loading branch information
Showing
8 changed files
with
262 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
|
|
||
| # Request-header identity provider vars | ||
| request_header_provider: false # Set true to enable the test execution | ||
| request_header_user_display_name: "Default User" # User's full name to be displayed e.g. "John Doe" | ||
| request_header_username: "rh-user" # Username to be attached in the request header e.g. "jdoe" | ||
| ca_cert_configmap: "cert-auth-configmap" # Name for a ConfigMap object containing CA certificate bundle | ||
| request_header_cr_name: "request-header-provider" # Name for a identity provider custom resource object | ||
| request_header_user_role: "cluster-reader" # Role based permission to be assigned to the new user e.g. ["admin", "basic-user", "cluster-admin", "cluster-status", "cluster-reader", "edit", "self-provisioner", "view"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
|
|
||
| - name: Request-header identity provider test | ||
| hosts: bastion | ||
| roles: | ||
| - request-header-identity-provider |
65 changes: 65 additions & 0 deletions
65
playbooks/roles/request-header-identity-provider/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| Request header identity provider test | ||
| ===================================== | ||
|
|
||
| A request header is an identity provider method to identify users from request header values, such as `X-Remote-User`. It is typically used in combination with an authenticating proxy, which sets the request header value. | ||
|
|
||
| This ansible role will configure request header as an identity provider to authenticate users with cluster OAUTH server and grants *"cluster-reader"* as a default user role permission. | ||
|
|
||
|
|
||
|
|
||
| Requirements | ||
| ------------ | ||
| - Running OCP 4.x cluster is needed. | ||
| - Access to the cluster with the cluster-admin role. | ||
|
|
||
| Dependencies | ||
| ------------ | ||
| - None | ||
|
|
||
|
|
||
| Role Variables | ||
| -------------- | ||
|
|
||
| | Variable | Required | Default | Comments | | ||
| |-----------------------------------|----------|--------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | request_header_provider | no | false | Set to true to enable request header test execution | | ||
| | request_header_user_display_name | no | Default User | User's full name to be sent in a request header, if undefined default user display name will be set | | ||
| | request_header_username | no | rh-user | Username to be sent in a request header, if undefined default username will be set | | ||
| | ca_configmap_name | no | cert-auth-configmap | User defined name for CA configmap object, if undefined default name will be set to the CA certificate configmap | | ||
| | request_header_cr_name | no | request-header-provider | User defined name for identity provider CR object, if undefined default name will be set to the provider CR object | | ||
| | request_header_user_role | no | cluster-reader | User role permission to be granted to the newly created user. the possible role permission can be `"admin", "basic-user", "cluster-admin", "cluster-status", "cluster-reader", "edit", "self-provisioner", "view"`, if empty default user role will be assigned | | ||
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ||
|
|
||
|
|
||
| Example Playbook | ||
| ---------------- | ||
| ``` | ||
| --- | ||
| - name: Configuring request header identity provider | ||
| hosts: bastion | ||
| roles: | ||
| - ocp-request-header-identity-provider | ||
| ``` | ||
|
|
||
| Steps to run the playbook | ||
| ------------------------- | ||
|
|
||
| - Copy `ocp4-playbooks-extras/examples/inventory` file to the home or working directory and modify to add a remote host | ||
| - Copy the `ocp4-playbooks-extras/examples/all.yaml` to the home or working directory and set the role variables for `roles/request-header-identity-provider` with the custom inputs. Enable the role execution by setting `request-header-provider` to `true`. | ||
| - To execute the playbook run the below sample command | ||
|
|
||
|
|
||
| Sample Command | ||
| --------------- | ||
|
|
||
| ansible-playbook -i inventory -e @all.yaml ~/ocp4-playbooks-extras/playbooks/main.yml | ||
|
|
||
|
|
||
| License | ||
| ------- | ||
| See LICENCE.txt | ||
|
|
||
| Author Information | ||
| ------------------ | ||
| [email protected] |
9 changes: 9 additions & 0 deletions
9
playbooks/roles/request-header-identity-provider/defaults/main.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
|
|
||
| # Request-header identity provider vars with default values | ||
| request_header_provider: false | ||
| request_header_user_display_name: "Default User" | ||
| request_header_username: "rh-user" | ||
| ca_cert_configmap: "cert-auth-configmap" | ||
| request_header_cr_name: "request-header-provider" | ||
| request_header_user_role: "cluster-reader" |
161 changes: 161 additions & 0 deletions
161
playbooks/roles/request-header-identity-provider/tasks/main.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,161 @@ | ||
| --- | ||
|
|
||
| # request header auth provider tasks module | ||
|
|
||
| - name: Login to the cluster as a system-admin | ||
| shell: oc login -u system:admin | ||
|
|
||
| - name: Cleanup block to delete the old identities and users | ||
| block: | ||
| - name: Get the existing identities | ||
| shell: oc get identity --no-headers | awk '{print $1}' | ||
| register: old_identities | ||
|
|
||
| - name: Get the existing users associated with these providers | ||
| shell: oc get user --no-headers | awk '{print $1}' | ||
| register: old_users | ||
|
|
||
| - name: Delete the existing identities | ||
| k8s: | ||
| state: absent | ||
| kind: Identity | ||
| name: "{{ item }}" | ||
| api_version: user.openshift.io/v1 | ||
| loop: "{{ old_identities.stdout_lines }}" | ||
|
|
||
| - name: Delete the existing users | ||
| k8s: | ||
| state: absent | ||
| kind: User | ||
| name: "{{ item }}" | ||
| api_version: user.openshift.io/v1 | ||
| loop: "{{ old_users.stdout_lines }}" | ||
|
|
||
| - name: Create a sub-directory ~/certs | ||
| file: | ||
| path: ~/certs | ||
| state: directory | ||
| mode: 0755 | ||
|
|
||
| - name: Extract a ca certificate to provide along with request headers | ||
| shell: "oc extract -n openshift-config cm/admin-kubeconfig-client-ca --confirm" | ||
| args: | ||
| chdir: ~/certs | ||
|
|
||
| - name: Check if CA configmap exists for {{ ca_cert_configmap }} | ||
| shell: "oc get configmap {{ ca_cert_configmap }} -n openshift-config --no-headers | wc -l" | ||
| register: ca_configmap_exists | ||
|
|
||
| - name: Create a CA configmap | ||
| shell: "oc create configmap {{ ca_cert_configmap }} --from-file=ca.crt=ca-bundle.crt -n openshift-config" | ||
| args: | ||
| chdir: ~/certs | ||
| when: ca_configmap_exists.stdout|int == 0 | ||
|
|
||
| - name: Update a OAUTH cluster CR with request header provider configuration | ||
| k8s: | ||
| state: present | ||
| apply: yes | ||
| definition: | ||
| apiVersion: config.openshift.io/v1 | ||
| kind: OAuth | ||
| metadata: | ||
| name: cluster | ||
| spec: | ||
| identityProviders: | ||
| - name: "{{ request_header_cr_name }}" | ||
| mappingMethod: claim | ||
| type: RequestHeader | ||
| requestHeader: | ||
| challengeURL: "https://www.example.com/challenging-proxy/oauth/authorize?${query}" | ||
| loginURL: "https://www.example.com/login-proxy/oauth/authorize?${query}" | ||
| ca: | ||
| name: "{{ ca_cert_configmap }}" | ||
| headers: | ||
| - X-Remote-User | ||
| - SSO-User | ||
| emailHeaders: | ||
| - X-Remote-User-Email | ||
| nameHeaders: | ||
| - X-Remote-User-Display-Name | ||
| preferredUsernameHeaders: | ||
| - X-Remote-User-Login | ||
|
|
||
| - name: Delay to get pods reinitialised | ||
| wait_for: | ||
| timeout: 180 | ||
|
|
||
| - name: Wait until pods get in the Running state | ||
| shell: "oc get pods -n openshift-authentication --no-headers | grep -v Running | wc -l" | ||
| retries: 10 | ||
| delay: 30 | ||
| register: pods_in_running | ||
| until: pods_in_running.stdout|int == 0 | ||
| ignore_errors: yes | ||
|
|
||
| - name: Prepare client certificate and key for extracted ca | ||
| block: | ||
| - name: Extract the current kubeconfig for client certificate and key | ||
| shell: "oc config view --context admin --minify --raw > current.kubeconfig" | ||
| args: | ||
| chdir: ~/certs | ||
|
|
||
| - name: Obtain the client certificate from the kubeconfig | ||
| shell: grep client-certificate-data current.kubeconfig | grep -Eo "[^ ]+$" | base64 -d > client.crt | ||
| args: | ||
| chdir: ~/certs | ||
|
|
||
| - name: Extract the key for client certificate obtained in previous step | ||
| shell: grep client-key-data current.kubeconfig | grep -Eo "[^ ]+$" | base64 -d > client.key | ||
| args: | ||
| chdir: ~/certs | ||
|
|
||
| - name: Extract the OAUTH server route path | ||
| k8s_info: | ||
| api_version: route.openshift.io/v1 | ||
| kind: Route | ||
| name: oauth-openshift | ||
| namespace: openshift-authentication | ||
| register: oauthroutepath | ||
|
|
||
| - name: Trigger HTTP request to proxy auth endpoint with the request headers containing user details | ||
| shell: | | ||
| curl -k -I --cert ./client.crt --key ./client.key \ | ||
| -H "SSO-User: {{ request_header_username }}" -H "X-Remote-User-Display-Name: {{ request_header_user_display_name }}" \ | ||
| "https://{{ OAUTH_ROUTE_HOST }}/oauth/authorize?response_type=token&client_id=openshift-challenging-client" \ | ||
| | grep -oP "sha256~[a-zA-Z0-9\-\_\~]+" | ||
| args: | ||
| chdir: ~/certs | ||
| warn: false | ||
| vars: | ||
| OAUTH_ROUTE_HOST: "{{ oauthroutepath.resources[0].spec.host }}" | ||
| environment: | ||
| KUBECONFIG: "/root/openstack-upi/auth/kubeconfig" | ||
| register: oauth_access_token | ||
|
|
||
| - name: Check the created identity | ||
| shell: oc get identity | ||
| register: get_oc_identity_output | ||
|
|
||
| - debug: | ||
| msg: "{{ get_oc_identity_output.stdout_lines }}" | ||
|
|
||
| - name: Login to the cluster with newly added user | ||
| shell: "oc login --token {{ oauth_access_token.stdout.strip('\"') }}" | ||
| register: login_output | ||
|
|
||
| - debug: | ||
| msg: "{{ login_output.stdout_lines }}" | ||
|
|
||
| - name: Check the current logged-in user | ||
| shell: oc whoami | ||
| register: current_logged_in_user | ||
|
|
||
| - debug: | ||
| msg: "{{ current_logged_in_user.stdout_lines }}" | ||
|
|
||
| - name: Switch back again to system-admin user | ||
| shell: oc login -u system:admin | ||
|
|
||
| - name: Grant the role permission to the newly created user | ||
| shell: "oc adm policy add-cluster-role-to-user {{ request_header_user_role }} {{ request_header_user_display_name }}" |