Suggestion : Use a YAML file to configure Fabric 8 Installer - Vagrant


Charles Moulliard

May 23, 2016, 3:13:20 AM
to fab...@googlegroups.com
Hi,

Our Vagrant Fabric8 installer file contains 2 ENV variables (https://github.com/fabric8io/fabric8-installer/blob/master/vagrant/openshift/Vagrantfile#L11-L14) and could grow to include additional parameters required to start OpenShift with an IdentityProvider: Keycloak

Here is the default config defined within the OpenShift Master Config file, using anypassword as the authentication mode:

identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: anypassword
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider

This config requires additional parameters when we configure an IdentityProvider 

identityProviders:
  - challenge: true
    login: true
    name: keycloak
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      ca: ca.crt
      clientID: openshift
      clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:

To support configuring an Identity Provider, it will be required to define at least 7 keys:
- name
- ca file
- clientId
- clientSecret
- urls - authorize
- urls - token
- urls - userInfo
- logoutUrl 
...

We can define additional parameters/env variables within the Vagrant file to configure this YAML config used to setup the Master Config file of OpenShift but I would like to suggest that we externalise our parameters within a YAML config file parsed by Vagrant as such 

Example :


require 'yaml'
# Load the externalised settings
settings = YAML.load_file 'vagrant.yml'
# ...
$vmMemory = settings['FABRIC8_VM_MEMORY']
$vmName = settings['FABRIC8_VM_NAME']
$identityProvider = settings['OPENSHIFT_IDENTITY_PROVIDER']
$identityProviderConfig = settings['OPENSHIFT_IDENTITY_PROVIDER_CONFIG']

and

FABRIC8_VM_MEMORY : 4096
FABRIC8_VM_NAME       : fabric8-openshift
OPENSHIFT_IDENTITY_PROVIDER : anypassword, keycloak, ....
OPENSHIFT_IDENTITY_PROVIDER_CONFIG : >
 identityProviders:
  - challenge: true
    login: true
    name: keycloak
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      ca: ca.crt
      clientID: openshift
      clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:

What do you think about this suggestion ?

Remark : The most challenging part will be to correctly configure the master config file generated during this step - https://github.com/fabric8io/fabric8-installer/blob/master/vagrant/openshift/Vagrantfile#L63 when we change the identityProviders key or any other. It would be great to have a tool generating this config file !

Regards,

Charles
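
An added example, not part of the original post or of the fabric8-installer project: one way a Vagrantfile could load the proposed vagrant.yml with YAML.safe_load, check that the OpenID provider keys listed in the post are present, and take clientSecret from the environment so it never sits in a committed file. The load_settings helper, the nested settings layout, the OPENSHIFT_CLIENT_SECRET variable and the example.test URLs are assumptions.

```ruby
require 'yaml'

# Keys the post lists as required for an OpenID identity provider.
REQUIRED_PROVIDER_KEYS = %w[ca clientID].freeze
REQUIRED_URL_KEYS = %w[authorize token userInfo].freeze

# Constructed sample of vagrant.yml (layout is an assumption). The client
# secret is deliberately absent so the file can be committed.
SAMPLE_SETTINGS = <<~YAML
  FABRIC8_VM_MEMORY: 4096
  FABRIC8_VM_NAME: fabric8-openshift
  OPENSHIFT_IDENTITY_PROVIDER: keycloak
  OPENSHIFT_IDENTITY_PROVIDER_CONFIG:
    identityProviders:
      - challenge: true
        login: true
        name: keycloak
        provider:
          apiVersion: v1
          kind: OpenIDIdentityProvider
          ca: ca.crt
          clientID: openshift
          urls:
            authorize: https://keycloak.example.test/auth
            token: https://keycloak.example.test/token
            userInfo: https://keycloak.example.test/userinfo
YAML

# Parse the settings, validate OpenID providers, inject the secret from env.
def load_settings(yaml_text, env = ENV)
  settings = YAML.safe_load(yaml_text) # plain data only, no Ruby objects
  raise ArgumentError, 'settings must be a mapping' unless settings.is_a?(Hash)
  config = settings['OPENSHIFT_IDENTITY_PROVIDER_CONFIG'] || {}
  (config['identityProviders'] || []).each do |idp|
    provider = idp['provider'] || {}
    next unless provider['kind'] == 'OpenIDIdentityProvider'
    missing = REQUIRED_PROVIDER_KEYS.reject { |k| provider[k] }
    missing << 'name' unless idp['name']
    urls = provider['urls'] || {}
    missing += REQUIRED_URL_KEYS.reject { |k| urls[k] }.map { |k| "urls.#{k}" }
    raise ArgumentError, 'clientSecret must not be stored in the file' if provider.key?('clientSecret')
    secret = env['OPENSHIFT_CLIENT_SECRET'].to_s
    missing << 'clientSecret (env OPENSHIFT_CLIENT_SECRET)' if secret.empty?
    raise ArgumentError, "#{idp['name']}: missing #{missing.join(', ')}" unless missing.empty?
    provider['clientSecret'] = secret
  end
  settings
end
```

In a Vagrantfile the call would be load_settings(File.read('vagrant.yml')), and the returned hash can be serialised back to YAML when writing the master config.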

James Strachan

May 23, 2016, 3:20:52 AM
to Charles Moulliard, fab...@googlegroups.com
Fabric8 really focusses on making it easy to install fabric8 microservice platform components on top of any openshift / kubernetes cluster. It's up to openshift to have a nice way to configure itself & specify the identity provider really. So I'd rather raise this with OpenShift. We generally defer to other tools like OpenShift / ansible / kargo / kubernetes-anywhere to figure out how to install/configure OpenShift / Kubernetes.

We want to make it as easy as possible to just run fabric8 on any kubernetes environment. I'd actually like to go the other way; just have a simple OpenShift template or Kubernetes manifest that runs on any openshift / kubernetes cluster and just works; then bootstraps any other parts of fabric8 you need (so that we effectively hide gofabric8 from the user).



--
James
-------
Red Hat

Twitter: @jstrachan
Email: james.s...@gmail.com
Blog: https://medium.com/@jstrachan/

open source microservices platform

Charles Moulliard

May 23, 2016, 3:57:59 AM
to James Strachan, fab...@googlegroups.com
I have raised a ticket to ask the OpenShift team : https://github.com/openshift/origin/issues/8977
--
Charles Moulliard
Apache Committer & PMC / Architect @RedHat
Twitter : @cmoulliard | Blog :  http://cmoulliard.github.io

Charles Moulliard

May 23, 2016, 4:27:36 AM
to James Strachan, fab...@googlegroups.com
If we use Ansible to manage the deployment of OpenShift, we can set up OSE3Vars as described here : https://docs.openshift.org/latest/install_config/install/advanced_install.html

and of course configure the Identity Providers using this variable : openshift_master_identity_providers

Example : 

openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]

Charles Moulliard

May 24, 2016, 2:34:54 AM
to James Strachan, fab...@googlegroups.com
FYI: OpenShift has closed the ticket : https://github.com/openshift/origin/issues/8977