From 782fb308e295359049dddc5545d2eae73e95ade8 Mon Sep 17 00:00:00 2001
From: Pedro Moura
Date: Fri, 2 Feb 2024 17:24:02 -0300
Subject: [PATCH] Planet: add kerberos configuration

Signed-off-by: Pedro Moura
---
 .../planet/templates/configmap.yml            | 15 +++++++++++
 .../planet/templates/deployment.yml           | 18 ++++++++++++-
 .../openshift-apps/planet/templates/krb5.conf | 25 +++++++++++++++++++
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 roles/openshift-apps/planet/templates/configmap.yml
 create mode 100644 roles/openshift-apps/planet/templates/krb5.conf

diff --git a/roles/openshift-apps/planet/templates/configmap.yml b/roles/openshift-apps/planet/templates/configmap.yml
new file mode 100644
index 0000000000..3982d600fb
--- /dev/null
+++ b/roles/openshift-apps/planet/templates/configmap.yml
@@ -0,0 +1,15 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata: {}
+items:
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: krb5-config
+    labels:
+      app: planet
+  data:
+    krb5.conf: |-
+      {{ load_file('krb5.conf') | indent(6) }}
diff --git a/roles/openshift-apps/planet/templates/deployment.yml b/roles/openshift-apps/planet/templates/deployment.yml
index 98f52d41cb..6f9f38af4e 100644
--- a/roles/openshift-apps/planet/templates/deployment.yml
+++ b/roles/openshift-apps/planet/templates/deployment.yml
@@ -21,14 +21,30 @@ spec:
       containers:
       - name: planet
         image: image-registry.openshift-image-registry.svc:5000/planet/planet:latest
+        env:
+        - name: KRB5_CONFIG
+          value: '/etc/krb5.conf'
+          name: KRB5_CLIENT_KTNAME
+          value: '/etc/keytabs/http'
         ports:
         - containerPort: 8080
         volumeMounts:
         - name: keytab-volume
           mountPath: /etc/keytabs
           readOnly: true
+        - name: krb-config-volume
+          mountPath: /etc/krb5
+          readOnly: true
+        - name: ipa-config-volume
+          mountPath: /etc/ipa
+          readOnly: true
       volumes:
       - name: keytab-volume
         secret:
           secretName: planet-keytab-http
-
\ No newline at end of file
+      - name: krb-config-volume
+        configMap:
+          name: krb5-config
+      - name: ipa-config-volume
+        configMap:
+          name: ipa-client-config
diff --git a/roles/openshift-apps/planet/templates/krb5.conf b/roles/openshift-apps/planet/templates/krb5.conf
new file mode 100644
index 0000000000..3897d425b8
--- /dev/null
+++ b/roles/openshift-apps/planet/templates/krb5.conf
@@ -0,0 +1,25 @@
+includedir /etc/krb5.conf.d/
+
+[libdefaults]
+ default_realm = {{ ipa_realm }}
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 0
+ rdns = false
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+
+[realms]
+{{ ipa_realm }} = {
+ default_domain = {{ ipa_realm | lower }}
+ pkinit_anchors = FILE:/etc/ipa/ca.crt
+ pkinit_pool = FILE:/etc/ipa/ca.crt
+}
+
+[domain_realm]
+{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+ .{{ env_short }}.fedoraproject.org = {{ ipa_realm }}
+ {{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+ .{{ env_short }}.{{ datacenter }}.fedoraproject.org = {{ ipa_realm }}
+ fasjson{{ env_suffix }}.fedoraproject.org = {{ ipa_realm }}
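Review bot: The second environment variable in the new `env` block is missing its `- ` list indicator, so `name` and `value` occur twice inside the first item; a YAML loader will either reject the duplicate keys or keep only the last ones, leaving KRB5_CLIENT_KTNAME set and KRB5_CONFIG silently dropped. Even with that fixed, KRB5_CONFIG points at `/etc/krb5.conf` while the `krb5-config` ConfigMap (whose data key is `krb5.conf`) is mounted at `/etc/krb5`, so the templated file lands at `/etc/krb5/krb5.conf` and libkrb5 reads whatever `/etc/krb5.conf` the image ships — presumably without the `rdns = false`, `dns_lookup_kdc = false` and pkinit anchor settings this commit introduces, which defeats the point of shipping them. The block should read `- name: KRB5_CONFIG` / `value: '/etc/krb5/krb5.conf'` / `- name: KRB5_CLIENT_KTNAME` / `value: '/etc/keytabs/http'`. The `ipa-config-volume` entry references a ConfigMap named `ipa-client-config` that this patch does not create; unless it is provided elsewhere in the role or namespace, the pod will not start because the mount is not marked `optional: true`. The containers list this hunk edits begins above the hunk.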
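Review bot: With `dns_lookup_kdc = false` in `[libdefaults]`, the `[realms]` stanza for `{{ ipa_realm }}` declares no `kdc =` or `admin_server =`, so KDC location depends entirely on what the image's `/etc/krb5.conf.d/` includedir happens to contribute; if that directory only holds crypto-policy snippets, ticket acquisition will fail with an unresolvable-KDC error rather than fall back to DNS. Add explicit entries such as `kdc = {{ <ipa-server-host variable> }}` and `admin_server = {{ <ipa-server-host variable> }}` (placeholder — substitute the variable the role already uses for the IPA servers) so that disabling DNS discovery is matched by a pinned server list. In `[domain_realm]` the first mapping is flush-left while the remaining four carry a single leading space; krb5's profile parser accepts both, but aligning them avoids the impression that the first line sits outside the section.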