nicolas
/
OpenShift-Lab
mirror of https://github.com/nmasse-itix/OpenShift-Lab.git
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

put quirks in a separate file

master
Nicolas Massé 9 years ago
parent
6390e36851
commit
c91a2476b6
2 changed files with 26 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      roles/sso/tasks/main.yml
  2. 22
      roles/sso/tasks/update-route.yml

14
roles/sso/tasks/main.yml
View File

@ -84,16 +84,10 @@
command: oc new-app -n {{ sso_project }} {{ sso_template }} -p "HTTPS_PASSWORD={{ sso_keystore_password }}" -p "JGROUPS_ENCRYPT_PASSWORD={{ sso_keystore_password }}" -p "SSO_REALM={{ sso_realm }}" -p "SSO_ADMIN_USERNAME={{ sso_admin_username }}" -p "APPLICATION_NAME={{ sso_application_name }}" -p "SSO_SERVICE_PASSWORD={{ sso_service_password }}" -p "SSO_SERVICE_USERNAME={{ sso_service_username }}"
when: deploy_needed
- name: Extract the CA Cert from the keystore.jks
command: creates=cacert.pem keytool -exportcert -alias ssl -keypass "{{ sso_keystore_password }}" -storepass "{{ sso_keystore_password }}" -keystore keystore.jks -file cacert.pem -rfc
- name: Convert the CA Cert to a JSON String to be used in a JSON Patch
command: 'perl -pe ''chomp; s/\r//g; print "\\n"'' cacert.pem'
register: cacert
- name: Update the secure route to use "reencrypt" instead of "passthrough"
command: 'oc patch route secure-{{ sso_application_name }} -n {{ sso_project }} --type=json -p ''[ { "op": "replace", "path": "/spec/tls/termination", "value": "reencrypt" }, { "op": "replace", "path": "/spec/tls/destinationCACertificate", "value": "{{ cacert.stdout }}" } ]'' '
# Update the secure route to use "Re-encrypt" instead of "Passthrough"
- include: update-route.yml
tags: update-route
- name: Get Admin Username
command: oc get dc {{ sso_application_name }} -n "{{ sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_USERNAME")].value}'
register: username

22
roles/sso/tasks/update-route.yml
View File

@ -0,0 +1,22 @@
---
#
# By default, the RH-SSO template creates a secure route that uses "Passthrough".
#
# This my be useful if you plan to have client certificate authentication but
# it has strong requirements on the client side because of the SNI extensions
# (Server Name Indication) that are used by the underlying OpenShift Router to
# direct the TLS flow to the right service.
#
# For a test lab / PoC, it is better to switch to "Re-encrypt" that has less
# requirements to get it working.
#
- name: Extract the CA Cert from the keystore.jks
command: creates=cacert.pem keytool -exportcert -alias ssl -keypass "{{ sso_keystore_password }}" -storepass "{{ sso_keystore_password }}" -keystore keystore.jks -file cacert.pem -rfc
- name: Convert the CA Cert to a JSON String to be used in a JSON Patch
command: 'perl -pe ''chomp; s/\r//g; print "\\n"'' cacert.pem'
register: cacert
- name: Update the secure route to use "reencrypt" instead of "passthrough"
command: 'oc patch route secure-{{ sso_application_name }} -n {{ sso_project }} --type=json -p ''[ { "op": "replace", "path": "/spec/tls/termination", "value": "reencrypt" }, { "op": "replace", "path": "/spec/tls/destinationCACertificate", "value": "{{ cacert.stdout }}" } ]'' '
Write Preview
Loading…
Cancel
Save