Planet: add kerberos configuration
Signed-off-by: Pedro Moura <pmoura@redhat.com>
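--- a/roles/openshift-apps/planet/templates/configmap.yml
+++ b/roles/openshift-apps/planet/templates/configmap.yml
@@ -0,0 +1,15 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata: {}
+items:
+- apiVersion: v1
+kind: ConfigMap
+metadata:
+name: krb5-config
+labels:
+app: planet
+data:
+krb5.conf: |-
+{{ load_file('krb5.conf') | indent(6) }}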
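Review bot: The outer document declares `kind: ConfigMap` with `metadata: {}` and an `items:` list, but a ConfigMap has no `items` field and needs a name; a wrapper around several objects is normally `kind: List`. As written the outer object would most likely be rejected or its `items` ignored, so `krb5-config` may never be created and the pod that mounts it as `krb-config-volume` would fail to start. I would change the fourth line of the file to `kind: List`. Indentation is not visible in this rendering, so also confirm that the `{{ load_file('krb5.conf') | indent(6) }}` line sits at the block-scalar indent under `krb5.conf: |-`.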
@@ -21,14 +21,30 @@ spec:
|
||||
containers:
|
||||
- name: planet
|
||||
image: image-registry.openshift-image-registry.svc:5000/planet/planet:latest
|
||||
env:
|
||||
- name: KRB5_CONFIG
|
||||
value: '/etc/krb5.conf'
|
||||
name: KRB5_CLIENT_KTNAME
|
||||
value: '/etc/keytabs/http'
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
volumeMounts:
|
||||
- name: keytab-volume
|
||||
mountPath: /etc/keytabs
|
||||
readOnly: true
|
||||
- name: krb-config-volume
|
||||
mountPath: /etc/krb5
|
||||
readOnly: true
|
||||
- name: ipa-config-volume
|
||||
mountPath: /etc/ipa
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: keytab-volume
|
||||
secret:
|
||||
secretName: planet-keytab-http
|
||||
|
||||
- name: krb-config-volume
|
||||
configMap:
|
||||
name: krb5-config
|
||||
- name: ipa-config-volume
|
||||
configMap:
|
||||
name: ipa-client-config
|
||||
|
||||
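Review bot: `KRB5_CONFIG` is set to `/etc/krb5.conf`, but the `krb5-config` ConfigMap is mounted at `/etc/krb5`, so the templated file would appear as `/etc/krb5/krb5.conf` and the process would keep reading whatever krb5.conf the image ships; the realm, PKINIT anchor and DNS-lookup settings added in this commit would then not take effect. Either set `value: '/etc/krb5/krb5.conf'` or mount the single key onto `/etc/krb5.conf` with `subPath: krb5.conf`. Separately, `name: KRB5_CLIENT_KTNAME` appears without a leading `- `; if that matches the real file, it merges into the previous env entry as duplicate `name`/`value` keys and `KRB5_CONFIG` is silently dropped, so it should read `- name: KRB5_CLIENT_KTNAME`. The file header for this hunk is not visible on the page and the pod spec continues outside the hunk.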
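--- a/roles/openshift-apps/planet/templates/krb5.conf
+++ b/roles/openshift-apps/planet/templates/krb5.conf
@@ -0,0 +1,25 @@
+includedir /etc/krb5.conf.d/
+
+[libdefaults]
+default_realm = {{ ipa_realm }}
+ticket_lifetime = 24h
+forwardable = true
+udp_preference_limit = 0
+rdns = false
+dns_canonicalize_hostname = false
+dns_lookup_realm = false
+dns_lookup_kdc = false
+
+[realms]
+{{ ipa_realm }} = {
+default_domain = {{ ipa_realm | lower }}
+pkinit_anchors = FILE:/etc/ipa/ca.crt
+pkinit_pool = FILE:/etc/ipa/ca.crt
+}
+
+[domain_realm]
+{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+.{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+{{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+.{{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+fasjson{{ env_suffix }}.fedoraproject.org = {{ ipa_realm }}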
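Review bot: `dns_lookup_kdc = false` is set in `[libdefaults]` while the `{{ ipa_realm }}` block in `[realms]` carries no `kdc =` entry, so unless a snippet under `/etc/krb5.conf.d/` supplies one, the client has no way to locate a KDC and keytab authentication would likely fail. I would add `kdc = <KDC_HOST_PLACEHOLDER>` inside the realm block, or add a comment naming the included file that provides it. `pkinit_anchors` and `pkinit_pool` also depend on `/etc/ipa/ca.crt` being delivered by the `ipa-client-config` ConfigMap, which this commit does not define. If the keytab is only used to call fasjson, `forwardable = false` would keep delegable tickets off the pod.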