Skip to content

Scripts used in httpd containers for configuring authentication

License

Notifications You must be signed in to change notification settings

Vatson112/httpd_configmap_generator

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Httpd Configmap Generator

Gem Version Build Status Code Climate Test Coverage Dependency Status Security

Chat

This GEM provides a CLI to automate the generation of auth-config maps which can be used with the httpd auth pod for enabling external authentication.

Install as follows:

gem install httpd_configmap_generator

Running the tool

Generating an auth-config map can be done by running the httpd_configmap_generator tool

$ httpd_configmap_generator --help
httpd_configmap_generator 0.1.1 - External Authentication Configuration script

Usage: httpd_configmap_generator auth_type | update | export [--help | options]

supported auth_type: active-directory, ipa, ldap, saml, oidc

httpd_configmap_generator options are:
  -V, --version    Version of the httpd_configmap_generator command
  -h, --help       Show this message

Showing the usage for each authentication type or sub-command as follows:

$ httpd_configmap_generator ipa --help

Supported Authentication Types

auth-type Identity Provider/Environment for usage:
active-directory Active Directory domain realm join README-active-directory
ipa IPA, IPA 2-factor authentication, IPA/AD Trust README-ipa
ldap Ldap directories README-ldap
saml Keycloak, etc. README-saml
OpenID-Connect (oidc) Keycloak, etc. README-oidc

Updating an auth configuration map:

With the update subcommand, it is possible to add file(s) to the configuration map as per the following usage:

$ httpd_configmap_generator update --help
Options:
  -i, --input=<s>       Input config map file
  -o, --output=<s>      Output config map file
  -f, --force           Force configuration if configured already
  -d, --debug           Enable debugging
  -a, --add-file=<s>    Add file to config map
  -h, --help            Show this message

The --add-file option can be specified multiple times, one per file to add to a configuration map.

Supported file specification for the --add-file option are:

--add-file=file-path
--add-file=source-file-path,target-file-path
--add-file=source-file-path,target-file-path,file-permission
--add-file=file-url,target-file-path,file-permission

Where:

  • file-url is an http URL
  • file-permission can be specified as: mode:owner:group

Examples:

Adding files by specifying paths:

The file ownership and permissions will be based on the files specified.

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                    \
  --add-file=/etc/openldap/cacerts/primary-directory-cert.pem  \
  --add-file=/etc/openldap/cacerts/seconday-directory-cert.pem \
  --output=/tmp/updated-auth-configmap.yaml

Adding target files from different source directories:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                                        \
  --add-file=/tmp/uploaded-cert1,/etc/openldap/cacerts/primary-directory-cert.pem  \
  --add-file=/tmp/uploaded-cert2,/etc/openldap/cacerts/seconday-directory-cert.pem \
  --output=/tmp/updated-auth-configmap.yaml

The file ownership and permissions will be based on the source files specified, in this case the ownership and permissiong of the /tmp/uploaded-cert1 and /tmp/uploaded-cert2 files will be used.

Adding a target file with user specified ownership and mode:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                          \
  --add-file=/tmp/secondary-keytab,/etc/http2.keytab,600:apache:root \
  --output=/tmp/updated-auth-configmap.yaml

Adding files by URL:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml \
  --add-file=http://aab-keycloak:8080/auth/realms/testrealm/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
  --output=/tmp/updated-auth-configmap.yaml

When downloading a file by URL, a target file path and file ownership/mode must be specified.


Exporting a file from an auth configuration map

With the export subcommand, it is possible to export a file from the configuration map as per the following usage:

$ httpd_configmap_generator export --help
Options:
  -i, --input=<s>     Input config map file
  -l, --file=<s>      Config map file to export
  -o, --output=<s>    The output file being exported
  -f, --force         Force configuration if configured already
  -d, --debug         Enable debugging
  -h, --help          Show this message

Example:

Extract the sssd.conf file out of the auth configuration map:

$ httpd_configmap_generator export \
  --input=/tmp/external-ipa.yaml \
  --file=/etc/sssd/sssd.conf     \
  --output=/tmp/sssd.conf

Building the Httpd Configmap Generator in a Container

Container for configuring external authentication for the httpd auth pod. It is based on the auth httpd container and generates the httpd auth-config map needed to enable external authentication.

Installing

$ git clone https://github.com/ManageIQ/httpd_configmap_generator.git

Running with Docker

Building container image

$ cd httpd_configmap_generator
$ docker build . -t manageiq/httpd_configmap_generator:latest

Running the httpd_configmap_generator container

$ docker run --privileged manageiq/httpd_configmap_generator:latest &

Getting the httpd_configmap_generator container id:

$ CONFIGMAP_GENERATOR_ID="`docker ps -l -q`"

Generating a configmap for external authentication against IPA

While the httpd_configmap_generator tool can be run in the container by first getting into a bash shell:

$ docker exec -it $CONFIGMAP_GENERATOR_ID /bin/bash -i

The tool can also be executed directly as follows:

Example for generating a configuration map for IPA:

$ docker exec $CONFIGMAP_GENERATOR_ID httpd_configmap_generator ipa \
    --host=appliance.example.com        \
    --ipa-server=ipaserver.example.com  \
    --ipa-domain=example.com            \
    --ipa-realm=EXAMPLE.COM             \
    --ipa-principal=admin               \
    --ipa-password=smartvm1             \
    -o /tmp/external-ipa.yaml

--host above must be the DNS of the application exposing the httpd auth pod,

i.e. ${APPLICATION_DOMAIN}

Copying the new auth configmap back locally:

$ docker cp $CONFIGMAP_GENERATOR_ID:/tmp/external-ipa.yaml ./external-ipa.yaml

The new configmap can then be applied to the auth httpd pod and then redeployed to take effect:

$ oc replace configmaps httpd-auth-configs --filename ./external-ipa.yaml

Stopping the httpd_configmap_generator container

When completed with httpd_configmap_generator, the container can simply be stopped and/or removed:

$ docker stop $CONFIGMAP_GENERATOR_ID
$ docker rmi --force manageiq/httpd_configmap_generator:latest

Running with OpenShift

Pre-deployment tasks

The httpd-configmap-generator service account must be added to the httpd-scc-sysadmin SCC before the Httpd Configmap Generator can run.

As Admin

Create the httpd-scc-sysadmin SCC:

$ oc create -f templates/httpd-scc-sysadmin.yaml

Include the httpd-configmap-generator service account with the new SCC:

$ oc adm policy add-scc-to-user httpd-scc-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator

Verify that the httpd-configmap-generator service account is now included in the httpd-scc-sysadmin SCC:

$ oc describe scc httpd-scc-sysadmin | grep Users
Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator

Deploy the Httpd Configmap Generator Application

As basic user

$ oc create -f templates/httpd-configmap-generator-template.yaml

$ oc get templates
NAME                        DESCRIPTION                                 PARAMETERS     OBJECTS
httpd-configmap-generator   Httpd Configmap Generator                   6 (all set)    3

Deploy the Httpd Configmap Generator

$ oc new-app --template=httpd-configmap-generator

Check the readiness of the Httpd Configmap Generator

$ oc get pods
NAME                                READY     STATUS    RESTARTS   AGE
httpd-configmap-generator-1-txc34   1/1       Running   0          1h

Getting the POD Name

For working with the httpd_configmap_generator script in the httpd-configmap-generator pod, it is necessary to get the pod name reference below:

$ CONFIGMAP_GENERATOR_POD=`oc get pods | grep "httpd-configmap-generator" | cut -f1 -d" "`

Generating a configmap for external authentication against IPA

$ oc exec $CONFIGMAP_GENERATOR_POD  -- bash -c 'httpd_configmap_generator ipa ...

Example configuration:

$ oc exec $CONFIGMAP_GENERATOR_POD -- bash -c 'httpd_configmap_generator ipa \
    --host=appliance.example.com        \
    --ipa-server=ipaserver.example.com  \
    --ipa-domain=example.com            \
    --ipa-realm=EXAMPLE.COM             \
    --ipa-principal=admin               \
    --ipa-password=smartvm1             \
    -o /tmp/external-ipa.yaml'

--host above must be the DNS of the application exposing the httpd auth pod,

i.e. ${APPLICATION_DOMAIN}

Copying the new auth configmap back locally:

$ oc cp $CONFIGMAP_GENERATOR_POD:/tmp/external-ipa.yaml ./external-ipa.yaml

The new configmap can then be applied to the auth httpd pod and then redeployed to take effect:

$ oc replace configmaps httpd-auth-configs --filename ./external-ipa.yaml

To generate a new auth configuration map it is recommended to redeploy the httpd_configmap_generator pod first to get a clean environment before running the httpd_configmap_generator tool.

When done generating an auth-configmap, the httpd_configmap_generator pod can simply be scaled down:

$ oc scale dc httpd-configmap-generator --replicas=0

or deleted if no longer needed:

$ oc delete all  -l app=httpd-configmap-generator
$ oc delete pods -l app=httpd-configmap-generator

About

Scripts used in httpd containers for configuring authentication

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 98.1%
  • Dockerfile 1.7%
  • Shell 0.2%