diff --git a/roles/sso/tasks/main.yml b/roles/sso/tasks/main.yml
index 62f3ab4..e3d1124 100644
--- a/roles/sso/tasks/main.yml
+++ b/roles/sso/tasks/main.yml
@@ -84,16 +84,10 @@
     command: oc new-app -n {{ sso_project }} {{ sso_template }} -p "HTTPS_PASSWORD={{ sso_keystore_password }}" -p "JGROUPS_ENCRYPT_PASSWORD={{ sso_keystore_password }}" -p "SSO_REALM={{ sso_realm }}" -p "SSO_ADMIN_USERNAME={{ sso_admin_username }}" -p "APPLICATION_NAME={{ sso_application_name }}" -p "SSO_SERVICE_PASSWORD={{ sso_service_password }}" -p "SSO_SERVICE_USERNAME={{ sso_service_username }}"
     when: deploy_needed
-  - name: Extract the CA Cert from the keystore.jks
-    command: creates=cacert.pem keytool -exportcert -alias ssl -keypass "{{ sso_keystore_password }}" -storepass "{{ sso_keystore_password }}" -keystore keystore.jks -file cacert.pem -rfc
-
-  - name: Convert the CA Cert to a JSON String to be used in a JSON Patch
-    command: 'perl -pe ''chomp; s/\r//g; print "\\n"'' cacert.pem'
-    register: cacert
-
-  - name: Update the secure route to use "reencrypt" instead of "passthrough"
-    command: 'oc patch route secure-{{ sso_application_name }} -n {{ sso_project }} --type=json -p ''[ { "op": "replace", "path": "/spec/tls/termination", "value": "reencrypt" }, { "op": "replace", "path": "/spec/tls/destinationCACertificate", "value": "{{ cacert.stdout }}" } ]'' '
-
+  # Update the secure route to use "Re-encrypt" instead of "Passthrough"
+  - include: update-route.yml
+    tags: update-route
+
   - name: Get Admin Username
     command: oc get dc {{ sso_application_name }} -n "{{ sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_USERNAME")].value}'
     register: username
diff --git a/roles/sso/tasks/update-route.yml b/roles/sso/tasks/update-route.yml
new file mode 100644
index 0000000..c7b7fb0
--- /dev/null
+++ b/roles/sso/tasks/update-route.yml
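Review bot: The new `- include: update-route.yml` is not conditioned on `deploy_needed` the way the `oc new-app` task just above it is, so on every re-run the included `oc patch route` task fires against a route that is already `reencrypt` and reports changed; consider `when: deploy_needed` on the include (or a `changed_when` on the patch task in the included file) so the role stays idempotent. If the role targets Ansible 2.4 or later, `include:` is deprecated; `import_tasks: update-route.yml` is the static equivalent and, unlike `include_tasks`, still lets `tags: update-route` propagate to the included tasks. The comment above the include could also name the tag, e.g. `# Tagged "update-route" so the route switch can be run or skipped on its own`.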
@@ -0,0 +1,22 @@
+---
+#
+# By default, the RH-SSO template creates a secure route that uses "Passthrough".
+#
+# This my be useful if you plan to have client certificate authentication but
+# it has strong requirements on the client side because of the SNI extensions
+# (Server Name Indication) that are used by the underlying OpenShift Router to
+# direct the TLS flow to the right service.
+#
+# For a test lab / PoC, it is better to switch to "Re-encrypt" that has less
+# requirements to get it working.
+#
+
+  - name: Extract the CA Cert from the keystore.jks
+    command: creates=cacert.pem keytool -exportcert -alias ssl -keypass "{{ sso_keystore_password }}" -storepass "{{ sso_keystore_password }}" -keystore keystore.jks -file cacert.pem -rfc
+
+  - name: Convert the CA Cert to a JSON String to be used in a JSON Patch
+    command: 'perl -pe ''chomp; s/\r//g; print "\\n"'' cacert.pem'
+    register: cacert
+
+  - name: Update the secure route to use "reencrypt" instead of "passthrough"
+    command: 'oc patch route secure-{{ sso_application_name }} -n {{ sso_project }} --type=json -p ''[ { "op": "replace", "path": "/spec/tls/termination", "value": "reencrypt" }, { "op": "replace", "path": "/spec/tls/destinationCACertificate", "value": "{{ cacert.stdout }}" } ]'' '
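Review bot: The keytool task passes `sso_keystore_password` on the command line as `-keypass` and `-storepass`, so the password shows up in Ansible's task output (the `cmd` field on failure or under `-v`) and in the process listing on the host while keytool runs; add `no_log: true` to that task. The perl conversion task only reads cacert.pem, so give it `changed_when: false` so it does not report a change on every run. Because of `creates=cacert.pem`, a cacert.pem left over from an earlier run is reused without re-export; if keystore.jks is regenerated between runs (where it is created is not visible here), the route would be patched with the stale certificate — worth a comment on the task, or an explicit cleanup of cacert.pem before this file is included. Also, `This my be useful` in the header comment should read `This may be useful`.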