Merge "Apply oidc-auth-apps at bootstrap for local LDAP users."

This commit is contained in:
Zuul
2025-10-28 14:02:13 +00:00
committed by Gerrit Code Review
13 changed files with 267 additions and 1 deletions


@@ -1,6 +1,6 @@
---
#
# Copyright (c) 2023-2024 Wind River Systems, Inc.
# Copyright (c) 2023-2025 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@@ -110,6 +110,23 @@
- include_role:
name: common/install-platform-certificates
# Set the required overrides for the oidc-auth-apps
- name: Setup oidc-auth-apps default requirements
include_tasks: setup_oidc_auth_apps_requirements.yml
when: distributed_cloud_role != 'subcloud'
# To apply oidc-auth-apps, it's needed common/install-platform-certificates
# to be done due the required oidc-auth-apps-certificate
- name: Apply oidc-auth-apps
include_tasks: upload_and_apply_application.yml
with_items:
- oidc-auth-apps
vars:
searched_app_name: "{{ item }}"
when:
- mode != 'restore'
- distributed_cloud_role != 'subcloud'
- name: Upload and apply user defined applications
include_tasks: upload_and_apply_user_applications.yml
when:
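Review bot: The `Setup oidc-auth-apps default requirements` task is guarded only by `distributed_cloud_role != 'subcloud'`, while the `Apply oidc-auth-apps` task it prepares for also requires `mode != 'restore'`; on a restore the setup (keyring lookup, rendering the LDAP bind password into override files, rewriting `applications`) still runs for an application that is then never applied. Give both tasks the same condition, i.e. `when:` / `- mode != 'restore'` / `- distributed_cloud_role != 'subcloud'` on the setup task as well. The comment above the apply task could also be tightened to `# common/install-platform-certificates must run first: it creates the oidc-auth-apps-certificate this application needs`. The `Upload and apply user defined applications` task at the end of the hunk continues outside it.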


@@ -0,0 +1,113 @@
---
#
# Copyright (c) 2025 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# Configure all required oidc overrides
#
- name: Get primary oam ip addresses
include_tasks: roles/common/get_network_addresses_from_sysinv/tasks/get_network_addresses_from_sysinv.yml
vars:
network_type: oam
network_stack: primary
- debug:
msg: primary oam addresses {{ addresses }}
- name: Assign primary oam ip addresses
set_fact:
oam_ip_primary: "{{ addresses.floating_address }}"
- name: Get primary management ip addresses
include_tasks: roles/common/get_network_addresses_from_sysinv/tasks/get_network_addresses_from_sysinv.yml
vars:
network_type: mgmt
network_stack: primary
- debug:
msg: primary management addresses {{ addresses }}
- name: Assign primary management ip addresses
set_fact:
management_floating_ip_primary: "{{ addresses.floating_address }}"
- name: set LDAP host
set_fact:
ldap_host: >-
{{
'"[' ~ management_floating_ip_primary ~ ']:636"' if ':' in management_floating_ip_primary
else management_floating_ip_primary ~ ':636'
}}
- debug:
var: ldap_host
- debug:
msg: Setting up oidc overrides
- name: Get LDAP password from keyring
shell: keyring get ldap ldapadmin
register: keyring_result
changed_when: false
- name: Set LDAP password fact
set_fact:
ldap_bind_pw: "{{ keyring_result.stdout }}"
no_log: true
- name: Set oidc-auth-apps overrides directory
set_fact:
override_dir: /tmp
- name: Set helm names
set_fact:
helm_names:
- dex
- oidc-client
- secret-observer
- name: Create overrides.yaml from template for oidc
template:
src: "{{ item }}-overrides.yaml.j2"
dest: "{{ override_dir }}/{{ item }}-overrides.yaml"
owner: root
group: root
mode: '0644'
loop: "{{ helm_names }}"
- name: Set oidc overrides
set_fact:
oidc_overrides: >-
{{
oidc_overrides | default([]) +
[
{
'chart': item,
'namespace': 'kube-system',
'values-path': override_dir ~ '/' ~ item ~ '-overrides.yaml'
}
]
}}
loop: "{{ helm_names }}"
- name: Add oidc overrides to oidc item in the application list
set_fact:
applications_str: |
[
{% for app in applications %}
{% set path = app.keys() | first %}
{% if 'oidc-auth-apps' in path %}
{ {{ path | to_json }}: {{ {'overrides': oidc_overrides} | to_json }} }
{% else %}
{ {{ path | to_json }}: null }
{% endif %}
{% if not loop.last %},{% endif %}
{% endfor %}
]
- name: Update applications list
set_fact:
applications: "{{ applications_str | from_yaml }}"
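Review bot: The `Create overrides.yaml from template for oidc` task writes the LDAP admin bind password (the dex template renders `bindPW`) to `/tmp/<chart>-overrides.yaml` with `mode: '0644'`, so the secret is world-readable in a world-writable directory and, as far as this file shows, is never removed after the apply. Use `mode: '0600'`, place the files in a private directory (a `tempfile` result or a root-only path) rather than `/tmp`, add `no_log: true` to the loop so `--diff`/verbose runs do not print the rendered content, and clean the files up once the application is applied. The `Get LDAP password from keyring` shell task has the same gap: only the following `set_fact` is marked `no_log: true`, while the task that registers `keyring_result` is not, so the password appears in verbose task output; add `no_log: true` there too.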


@@ -0,0 +1,42 @@
config:
expiry:
idTokens: "24h"
connectors:
- type: ldap
name: ldap-1
id: ldap-1
config:
host: {{ ldap_host }}
rootCA: /etc/ssl/certs/adcert/ca.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: {{ ldap_bind_pw }}
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: oidc-auth-apps-certificate
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
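Review bot: `bindPW: {{ ldap_bind_pw }}` in the connector `config` is emitted as an unquoted plain scalar, so a password containing ` #`, `: `, a leading `*`/`&`/`[`/`{`/quote, or one that looks like a number or boolean is truncated or retyped when the overrides file is parsed. Render it with JSON quoting, `bindPW: {{ ldap_bind_pw | to_json }}`, which yields a valid double-quoted YAML string with escapes. `host: {{ ldap_host }}` has the related problem that the IPv6 branch of the `set LDAP host` task bakes literal double quotes into the value while the IPv4 branch does not; emitting the bare `[addr]:636` / `addr:636` value there and writing `host: "{{ ldap_host }}"` here keeps the quoting in one place.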


@@ -0,0 +1,4 @@
tlsName: oidc-auth-apps-certificate
config:
issuer_root_ca: /home/ca.crt
issuer_root_ca_secret: oidc-auth-apps-certificate


@@ -0,0 +1,11 @@
cronSchedule: "*/15 * * * *"
observedSecrets:
- secretName: "oidc-auth-apps-certificate"
filename: "ca.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"


@@ -364,6 +364,49 @@
scheduler_extra_args: "{{ scheduler_extra_args | combine({ 'leader-elect': 'false' }) }}"
when: system_mode == 'simplex'
- name: Set OIDC issuer IP address based on distributed cloud role
set_fact:
oidc_issuer_address: >-
{{
system_controller_oam_floating_address if distributed_cloud_role == 'subcloud'
else external_oam_floating_address
}}
- name: Check if oidc_issuer_address is ipv6.
set_fact:
is_oidc_issuer_address_ipv6: "{{ ':' in oidc_issuer_address }}"
- block:
- name: Normalize oidc_issuer_address to the expected ipv6 format supported by kubeapi server
set_fact:
normalize_address_cmd: |
python3 -c "import ipaddress,os; s='{{ oidc_issuer_address }}';
ip=ipaddress.IPv6Address(s)
print(ip.compressed)
"
- name: Register normalize_address_cmd_result
shell: "{{ normalize_address_cmd }}"
register: normalize_address_cmd_result
- name: Set oidc_issuer_floating_address
set_fact:
oidc_issuer_address: "{{ normalize_address_cmd_result.stdout }}"
when: is_oidc_issuer_address_ipv6
- name: Set default apiserver_oidc when undefined
set_fact:
apiserver_oidc:
client_id: stx-oidc-client-app
username_claim: email
groups_claim: groups
issuer_url: >-
{{
('https://[' ~ oidc_issuer_address ~ ']:30556/dex') if is_oidc_issuer_address_ipv6
else ('https://' ~ oidc_issuer_address ~ ':30556/dex')
}}
when: (apiserver_oidc | length) == 0
- name: Add OpenID Connect parameter oidc-client-id to apiserver extraArgs section
set_fact:
apiserver_extra_args: "{{ apiserver_extra_args | combine({ 'oidc-client-id' : apiserver_oidc.client_id })}}"
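Review bot: The `Register normalize_address_cmd_result` task in the `is_oidc_issuer_address_ipv6` block runs `shell` without `changed_when: false`, so a read-only normalisation is reported as a change on every run; the keyring lookup elsewhere in this commit sets it, so `register: normalize_address_cmd_result` / `changed_when: false` would be consistent. The command also splices `oidc_issuer_address` unescaped into a Python string literal inside a shell command; the value comes from bootstrap configuration rather than external input, so the exposure is low, but a stray quote yields an opaque shell/Python error instead of a validation failure. If the netaddr-backed `ansible.utils.ipaddr` filter is available in this environment, `oidc_issuer_address: "{{ oidc_issuer_address | ansible.utils.ipaddr('address') }}"` should give the compressed form without a subprocess. The `Add OpenID Connect parameter oidc-client-id` task at the end of the hunk continues outside it.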


@@ -1148,6 +1148,14 @@
use_regex: yes
register: find_cert_manager_tarball_output
- name: Get the name of the oidc-auth-apps tarball
find:
paths: "/usr/local/share/applications/helm/"
patterns: 'oidc-auth-apps-[^-]*-[^-]*\.tgz'
use_regex: yes
register: find_oidc_auth_apps_tarball_output
when: distributed_cloud_role != 'subcloud'
# we prepend nginx and append cert manager to try and enforce ordering
# nginx need to be applied before cert manager
- name: Append default nginx entry if not present
@@ -1162,6 +1170,14 @@
with_items: "{{ find_cert_manager_tarball_output.files }}"
when: item.path not in all_applications
- name: Append default oidc-auth-apps entry if not present
set_fact:
applications: "{{ applications }} + [ {'{{ item.path }}': None}]"
with_items: "{{ find_oidc_auth_apps_tarball_output.files }}"
when:
- item.path not in all_applications
- distributed_cloud_role != 'subcloud'
- block:
- name: Retrieve list of applications from sysinv
shell: "source /etc/platform/openrc; system application-list --nowrap | awk '{print $2}'"
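Review bot: `with_items: "{{ find_oidc_auth_apps_tarball_output.files }}"` on the `Append default oidc-auth-apps entry if not present` task is evaluated before its `when`, and on a subcloud the `Get the name of the oidc-auth-apps tarball` find in the previous hunk is skipped, so the registered result has no `files` attribute; as far as I can tell the loop then fails with an undefined-attribute error rather than being skipped. Use `with_items: "{{ find_oidc_auth_apps_tarball_output.files | default([]) }}"` so the task skips cleanly when the find did not run. The `block:` opened at the end of this hunk continues outside it.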


@@ -19,6 +19,7 @@
install_system_open_ldap_certificate: "{{ distributed_cloud_role != 'subcloud' }}"
install_system_registry_local_certificate: true
install_system_restapi_gui_certificate: true
install_oidc_auth_apps_certificate: "{{ distributed_cloud_role != 'subcloud' }}"
when: mode == 'bootstrap'
- name: If upgrading, generate required certificates only if they don't exist


@@ -125,6 +125,9 @@
- "{{ cert_manager_controller_img }}"
- "{{ cert_manager_webhook_img }}"
- "{{ cert_manager_startupapicheck_img }}"
- "{{ oidc_stx_oidc_client_img }}"
- "{{ oidc_dex_img }}"
- "{{ oidc_curl_img }}"
- block:
- name: Change security images if upgrading from 22.12


@@ -30,3 +30,7 @@ flux_helm_controller_img: docker.io/fluxcd/helm-controller:v1.2.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.5.0
flux_notification_controller_img: ghcr.io/fluxcd/notification-controller:v1.5.0
flux_kustomize_controller_img: ghcr.io/fluxcd/kustomize-controller:v1.5.1
# oidc-auth-apps images
oidc_stx_oidc_client_img: docker.io/starlingx/stx-oidc-client:stx.11.0-v1.0.9
oidc_dex_img: ghcr.io/dexidp/dex:v2.42.0
oidc_curl_img: docker.io/curlimages/curl:8.13.0


@@ -30,3 +30,7 @@ flux_helm_controller_img: docker.io/fluxcd/helm-controller:v1.2.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.5.0
flux_notification_controller_img: ghcr.io/fluxcd/notification-controller:v1.5.0
flux_kustomize_controller_img: ghcr.io/fluxcd/kustomize-controller:v1.5.1
# oidc-auth-apps images
oidc_stx_oidc_client_img: docker.io/starlingx/stx-oidc-client:stx.11.0-v1.0.9
oidc_dex_img: ghcr.io/dexidp/dex:v2.42.0
oidc_curl_img: docker.io/curlimages/curl:8.13.0


@@ -30,3 +30,7 @@ flux_helm_controller_img: docker.io/fluxcd/helm-controller:v1.2.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.5.0
flux_notification_controller_img: ghcr.io/fluxcd/notification-controller:v1.5.0
flux_kustomize_controller_img: ghcr.io/fluxcd/kustomize-controller:v1.5.1
# oidc-auth-apps images
oidc_stx_oidc_client_img: docker.io/starlingx/stx-oidc-client:stx.11.0-v1.0.9
oidc_dex_img: ghcr.io/dexidp/dex:v2.42.0
oidc_curl_img: docker.io/curlimages/curl:8.13.0


@@ -30,3 +30,7 @@ flux_helm_controller_img: docker.io/fluxcd/helm-controller:v1.2.0
flux_source_controller_img: docker.io/fluxcd/source-controller:v1.5.0
flux_notification_controller_img: ghcr.io/fluxcd/notification-controller:v1.5.0
flux_kustomize_controller_img: ghcr.io/fluxcd/kustomize-controller:v1.5.1
# oidc-auth-apps images
oidc_stx_oidc_client_img: docker.io/starlingx/stx-oidc-client:stx.11.0-v1.0.9
oidc_dex_img: ghcr.io/dexidp/dex:v2.42.0
oidc_curl_img: docker.io/curlimages/curl:8.13.0