diff options
author | Petr OspalĂ˝ <p.ospaly@partner.samsung.com> | 2019-04-08 04:55:47 +0200 |
---|---|---|
committer | Michal Ptacek <m.ptacek@partner.samsung.com> | 2019-04-24 14:03:19 +0000 |
commit | 72b09b1a46200b6544600ff2432693f0b43c3918 (patch) | |
tree | c0cc18c0c98c0a80b5d273f188b458cc4d307d89 /ansible/roles/rancher | |
parent | 9dee2011bf2eeddf43c4479935a5219c818e1cfb (diff) |
Add support for rancher authentication
This commit adds a new mode to the rancher1_api module, which enables
the rancher local authentication (username/password).
There is an already predefined rancher admin user called 'admin' and
that is the account, which this mode modifies. Due to the complex
API and the fact that rancher 1.6 is soon to be obsoleted, this module
is going the simpler route and it is just editing this default admin
account instead of creating a completely arbitrary username/password
credentials. For that reason is using the 'account_id', which is unique
for all accounts and the default admin account of rancher has '1a1'.
As of now this module cannot handle changed password once the auth. is
enabled.
Change-Id: Iea8923c71bdb82267c966a00d62f0f43eb5adb76
Issue-ID: OOM-1734
Signed-off-by: Petr OspalĂ˝ <p.ospaly@partner.samsung.com>
Diffstat (limited to 'ansible/roles/rancher')
-rw-r--r-- | ansible/roles/rancher/defaults/main.yml | 3 | ||||
-rw-r--r-- | ansible/roles/rancher/tasks/rancher_server.yml | 17 |
2 files changed, 20 insertions, 0 deletions
diff --git a/ansible/roles/rancher/defaults/main.yml b/ansible/roles/rancher/defaults/main.yml index 67e581cd..e4d5cb9f 100644 --- a/ansible/roles/rancher/defaults/main.yml +++ b/ansible/roles/rancher/defaults/main.yml @@ -21,3 +21,6 @@ rancher: service_log_purge_after_seconds: 86400 # 1 day # Auto-purge Audit Log entries after this long (seconds) audit_log_purge_after_seconds: 2592000 # 30 days + + # Set this password for the rancher admin account: + admin_password: "admin" diff --git a/ansible/roles/rancher/tasks/rancher_server.yml b/ansible/roles/rancher/tasks/rancher_server.yml index b71bf8d1..e93dd0e0 100644 --- a/ansible/roles/rancher/tasks/rancher_server.yml +++ b/ansible/roles/rancher/tasks/rancher_server.yml @@ -32,6 +32,14 @@ delay: 5 until: env.data is defined +# There is a lack of idempotency in the previous task and so there are new api +# key-pairs created with each run. +# +# ToDo: fix idempotency of rancher role +# +# Anyway as rke will be default k8s orchestrator in Dublin, it's supposed to be +# low prio topic. The following tasks dealing with the API are ignoring this problem +# and they simply use the new created API key-pair, which is set as a fact here: - name: Set apikey values set_fact: k8s_env_id: "{{ env.data.environment.id }}" @@ -40,6 +48,15 @@ rancher_agent_image: "{{ env.data.registration_tokens.image }}" rancher_agent_reg_url: "{{ env.data.registration_tokens.reg_url }}" +- name: Setup rancher admin password and enable authentication + rancher1_api: + server: "{{ rancher_server_url }}" + account_key: "{{ key_public }}:{{ key_private }}" + mode: access_control + data: + account_id: 1a1 # default rancher admin account + password: "{{ rancher.admin_password }}" + - name: Configure the size of the rancher cattle db and logs block: - name: Main tables |