From 7abe98bbefee1a2fed6b8ae660887c6113f72273 Mon Sep 17 00:00:00 2001 From: Alberto Bellotti Date: Wed, 16 Aug 2017 19:38:48 -0400 Subject: [PATCH 1/7] Enhancement to support the httpd authentication configuration map. - Added new httpd-auth-configs config map to the templates - mounted the new configmap for httpd pod as /etc/httpd/auth-conf.d - updated teardown script to handle the new config map --- teardown | 1 + templates/miq-template-ext-db.yaml | 37 ++++++++++++++++++++++++++++++ templates/miq-template.yaml | 37 ++++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/teardown b/teardown index 60628396..fa0d2b03 100755 --- a/teardown +++ b/teardown @@ -15,3 +15,4 @@ oc delete serviceaccount miq-sysadmin oc delete cm postgresql-configs oc delete cm httpd-configs +oc delete cm httpd-auth-configs diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index 9e729109..96a75206 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml 
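Review bot: The added `oc delete cm httpd-auth-configs` in the teardown hunk hard-codes the map name, while the templates in this same patch create it as `"${HTTPD_SERVICE_NAME}-auth-configs"`. If a deployment overrides HTTPD_SERVICE_NAME (its default is not visible in this patch), teardown would leave the authentication config map behind, and the README added later in the series says that map can carry certificates and key files. Consider taking the service name as an argument or variable, e.g. `oc delete cm "${HTTPD_SERVICE_NAME:-httpd}-auth-configs"`; the existing `oc delete cm httpd-configs` context line has the same limitation.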
@@ -489,6 +489,34 @@ objects: ProxyPass / http://${NAME}/ ProxyPassReverse / http://${NAME}/ +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-configuration.conf: | + # + # External Authentication Configuration File + # + # This file declares the following: + # + # The Authentication type, default is internal. + # syntax: type = internal + # + # - other types could include: ipa, ldap, active_directory, saml or simply custom. + # + # The list of files to overlay in order to enable external authentication + # syntax: file = basename target_path mode:owner:group + # + # - basename is the name of the file in the config map. + # - target_path is the path of the file to overwrite, i.e. /etc/sssd/sssd.conf + # - mode:owner:group is optional and reflects the mode and ownership to set the file to. + # i.e. 644:root:apache + # 755 + # - if basename has the .base64 extension, then the file is binary and will be converted + # from its base64 representation in the Config Map before copied to its target_path. + # + type = internal - apiVersion: v1 kind: Service metadata: @@ -537,6 +565,9 @@ objects: - name: httpd-config configMap: name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: "${HTTPD_SERVICE_NAME}-auth-configs" containers: - name: httpd image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" @@ -557,6 +588,8 @@ objects: volumeMounts: - name: httpd-config mountPath: "${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: "${HTTPD_AUTH_CONFIG_DIR}" resources: requests: memory: "${HTTPD_MEM_REQ}" 
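Review bot: The `${HTTPD_SERVICE_NAME}-auth-configs` ConfigMap in the `@@ -489,6 +489,34 @@` hunk is documented as the carrier for overlay files such as `/etc/sssd/sssd.conf`, which commonly hold bind credentials, yet a ConfigMap gets none of the access separation of a Secret. I would add a line to the embedded header such as `# Do not place private keys or passwords in this map; mount them from a Secret instead` and provide a Secret-backed volume for that material. The `file = basename target_path mode:owner:group` syntax also means that whoever can edit this map chooses which paths are overwritten in the httpd container, so edit rights on it should be treated as control of the pod, and the overlay script (not in this diff) should presumably restrict `target_path` to an allow-list. The identical ConfigMap hunk `@@ -132,6 +132,34 @@` in templates/miq-template.yaml has the same gap.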
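Review bot: The `httpd-auth-config` volume added in the `@@ -537,6 +565,9 @@` hunk sets no `defaultMode`, so the projected files get the ConfigMap volume default of 0644 inside the container. The overlay can copy a file to its target with a tighter `mode:owner:group`, but the source copy under the mount directory stays readable to every process in the container. Adding a tighter mode under `configMap:`, for example `defaultMode: 0440` (assuming the overlay runs as root), and `readOnly: true` on the matching mount in the `@@ -557,6 +588,8 @@` hunk would narrow that. The same applies to the `@@ -700,6 +728,9 @@` and `@@ -720,6 +751,8 @@` hunks of templates/miq-template.yaml; the pod spec begins and ends outside these hunks.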
@@ -770,6 +803,10 @@ parameters: displayName: Apache httpd Configuration Directory description: Directory used to store the Apache configuration files. value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR + displayName: External Authentication Configuration Directory + description: Directory used to store the exxternal authentication configuration files. + value: "/etc/httpd/auth-conf.d" - name: HTTPD_CPU_REQ displayName: Apache httpd Min CPU Requested required: true diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 36d17289..90410761 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -132,6 +132,34 @@ objects: ProxyPass / http://${NAME}/ ProxyPassReverse / http://${NAME}/ +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + data: + auth-configuration.conf: | + # + # External Authentication Configuration File + # + # This file declares the following: + # + # The Authentication type, default is internal. + # syntax: type = internal + # + # - other types could include: ipa, ldap, active_directory, saml or simply custom. + # + # The list of files to overlay in order to enable external authentication + # syntax: file = basename target_path mode:owner:group + # + # - basename is the name of the file in the config map. + # - target_path is the path of the file to overwrite, i.e. /etc/sssd/sssd.conf + # - mode:owner:group is optional and reflects the mode and ownership to set the file to. + # i.e. 644:root:apache + # 755 + # - if basename has the .base64 extension, then the file is binary and will be converted + # from its base64 representation in the Config Map before copied to its target_path. + # + type = internal - apiVersion: v1 kind: Service metadata: 
@@ -700,6 +728,9 @@ objects: - name: httpd-config configMap: name: "${HTTPD_SERVICE_NAME}-configs" + - name: httpd-auth-config + configMap: + name: "${HTTPD_SERVICE_NAME}-auth-configs" containers: - name: httpd image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}" @@ -720,6 +751,8 @@ objects: volumeMounts: - name: httpd-config mountPath: "${HTTPD_CONFIG_DIR}" + - name: httpd-auth-config + mountPath: "${HTTPD_AUTH_CONFIG_DIR}" resources: requests: memory: "${HTTPD_MEM_REQ}" @@ -963,6 +996,10 @@ parameters: displayName: Apache Configuration Directory description: Directory used to store the Apache configuration files. value: "/etc/httpd/conf.d" +- name: HTTPD_AUTH_CONFIG_DIR + displayName: External Authentication Configuration Directory + description: Directory used to store the exxternal authentication configuration files. + value: "/etc/httpd/auth-conf.d" - name: HTTPD_CPU_REQ displayName: Apache httpd Min CPU Requested required: true From 7f2e61a6162c45fdb0af2fed71c6c72afcfa4564 Mon Sep 17 00:00:00 2001 From: Alberto Bellotti Date: Fri, 18 Aug 2017 11:56:25 -0400 Subject: [PATCH 2/7] - Moved details on the auth-configuration.conf file into the README file. - Updated template's Auth Configmap usage details to reference the README file. --- README.md | 98 ++++++++++++++++++++++++++++++ templates/miq-template-ext-db.yaml | 20 +----- templates/miq-template.yaml | 20 +----- 3 files changed, 100 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 259d5163..26cfb1dd 100644 --- a/README.md +++ b/README.md 
@@ -541,3 +541,101 @@ $ oc new-app --template=manageiq \ -p APPLICATION_IMG_TAG=latest \ ... ``` + +## Configuring External Authentication +Configuring the _httpd_ pod for external authentication is done by updating the _httpd-auth-configs_ configuration map to include all necessary config files and certificates. Upon startup, the _httpd_ pod overlays its files with the ones specified in the _auth-configuration.conf_ file in the configuration map. This is done by the entrypoint before _systemd_ starts so all services will have their updated configuration upon startup. + +The external authentication configuration file _auth-configuration.conf_ declares the following: + +* The authentication type, default is _internal_. +* The list of files to overlay upon startup if type is other than _internal_. + +Syntax for the file is as follows: + +``` +# for comments +type = internal +file = basename1 target_path1 permission1 +file = basename2 target_path2 permission2 +``` + +_internal_ is the default type, anything else is considered external. This could include strings like: ipa, ldap, active_directory, saml or simply custom. + +For the files to overlay on the _httpd_ pod, one _file_ directive is needed per file. + +* the _basename_ is the name of the source file in the configuration map. +* _target\_path_ is the path of the file on the pod to over_write, i.e. _/etc/sssd/sssd.conf_ +* _permission_ is optional, by default files are copied using the pod's default umask, owner and group, so files are created as mode 644 owner root, group root. + +optional _permission_ can be specified as follows: + +* mode +* mode:owner +* mode:owner:group + +Reflecting the mode and ownership to set the copied files to. + +_Examples_: + +* 755 +* 640:root +* 644:root:apache + +Binary files can be specified in the configuration map in their base64 encoded format with a basename having a _.base64_ extension. Such files are then converted back to binary as they are copied to their target path. 
+ +When an _/etc/sssd/sssd.conf_ file is included in the configuration map, the _httpd_ pod automatically enables the sssd service upon startup. + +### Sample external authentication configuration: + +Excluding the content of the files, a SAML auth-config map data section may look like: + +```bash +apiVersion: v1 +data: + auth-configuration.conf: | + # + # Configuration for SAML authentication + # + type = saml + file = manageiq-remote-user.conf /etc/httpd/conf.d/manageiq-remote-user.conf 644 + file = manageiq-external-auth-saml.conf /etc/httpd/conf.d/manageiq-external-auth-saml.conf 644 + file = idp-metadata.xml /etc/httpd/saml2/idp-metadata.xml 644 + file = miqsp-key.key /etc/httpd/saml2/miqsp-key.key 600:root:root + file = miqsp-cert.cert /etc/httpd/saml2/miqsp-cert.cert 644 + file = miqsp-metadata.xml /etc/httpd/saml2/miqsp-metadata.xml 644 + manageiq-remote-user.conf: | + RequestHeader unset X_REMOTE_USER + ... + manageiq-external-auth-saml.conf: | + LoadModule auth_mellon_module modules/mod_auth_mellon.so + ... + idp-metadata.xml: | + + miqsp-key.key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + miqsp-cert.cert: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + miqsp-metadata.xml: | + +``` + +Support for automatically generating authentication configuration maps for _httpd_ will be provided by +[ManageIQ/container-httpd-auth-config](https://github.com/ManageIQ/container-httpd-auth-config). Please see the [README.md](https://github.com/ManageIQ/container-httpd-auth-config/blob/master/README.md) in that repo for further details. + +The generated authentication configuration map can then be defined in the _httpd_ pod and further customized as follows: + +```bash +$ oc edit configmaps httpd-auth-configs +``` + +Then rebouncing the _httpd_ pod for the new authentication configuration to take effect. + + diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index 96a75206..25c40d97 100644 
--- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -495,27 +495,9 @@ objects: name: "${HTTPD_SERVICE_NAME}-auth-configs" data: auth-configuration.conf: | - # # External Authentication Configuration File # - # This file declares the following: - # - # The Authentication type, default is internal. - # syntax: type = internal - # - # - other types could include: ipa, ldap, active_directory, saml or simply custom. - # - # The list of files to overlay in order to enable external authentication - # syntax: file = basename target_path mode:owner:group - # - # - basename is the name of the file in the config map. - # - target_path is the path of the file to overwrite, i.e. /etc/sssd/sssd.conf - # - mode:owner:group is optional and reflects the mode and ownership to set the file to. - # i.e. 644:root:apache - # 755 - # - if basename has the .base64 extension, then the file is binary and will be converted - # from its base64 representation in the Config Map before copied to its target_path. - # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md type = internal - apiVersion: v1 kind: Service diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 90410761..5e718e66 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml 
@@ -138,27 +138,9 @@ objects: name: "${HTTPD_SERVICE_NAME}-auth-configs" data: auth-configuration.conf: | - # # External Authentication Configuration File # - # This file declares the following: - # - # The Authentication type, default is internal. - # syntax: type = internal - # - # - other types could include: ipa, ldap, active_directory, saml or simply custom. - # - # The list of files to overlay in order to enable external authentication - # syntax: file = basename target_path mode:owner:group - # - # - basename is the name of the file in the config map. - # - target_path is the path of the file to overwrite, i.e. /etc/sssd/sssd.conf - # - mode:owner:group is optional and reflects the mode and ownership to set the file to. - # i.e. 644:root:apache - # 755 - # - if basename has the .base64 extension, then the file is binary and will be converted - # from its base64 representation in the Config Map before copied to its target_path. - # + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md type = internal - apiVersion: v1 kind: Service From 5c3ed79f1ebf971368c0635e4349035efa4e6d52 Mon Sep 17 00:00:00 2001 From: Alberto Bellotti Date: Fri, 18 Aug 2017 15:11:09 -0400 Subject: [PATCH 3/7] Fixed typos in the miq-templates* and better wording in README.md for redeploying the httpd pod. --- README.md | 2 +- templates/miq-template-ext-db.yaml | 2 +- templates/miq-template.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 26cfb1dd..3fec8285 100644 --- a/README.md +++ b/README.md @@ -636,6 +636,6 @@ The generated authentication configuration map can then be defined in the _httpd $ oc edit configmaps httpd-auth-configs ``` -Then rebouncing the _httpd_ pod for the new authentication configuration to take effect. +Then redeploy the _httpd_ pod for the new authentication configuration to take effect. 
diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index 25c40d97..3ce2a0c6 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -787,7 +787,7 @@ parameters: value: "/etc/httpd/conf.d" - name: HTTPD_AUTH_CONFIG_DIR displayName: External Authentication Configuration Directory - description: Directory used to store the exxternal authentication configuration files. + description: Directory used to store the external authentication configuration files. value: "/etc/httpd/auth-conf.d" - name: HTTPD_CPU_REQ displayName: Apache httpd Min CPU Requested diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 5e718e66..aa86166e 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -980,7 +980,7 @@ parameters: value: "/etc/httpd/conf.d" - name: HTTPD_AUTH_CONFIG_DIR displayName: External Authentication Configuration Directory - description: Directory used to store the exxternal authentication configuration files. + description: Directory used to store the external authentication configuration files. value: "/etc/httpd/auth-conf.d" - name: HTTPD_CPU_REQ displayName: Apache httpd Min CPU Requested From 7d783bab26ba47c213b5e324ac85fb1d7c83fe71 Mon Sep 17 00:00:00 2001 
From: Alberto Bellotti Date: Fri, 18 Aug 2017 16:04:36 -0400 Subject: [PATCH 4/7] Removed the paragraph mentioning the upcoming ManageIQ/container-httpd-auth-config. We will re-add once that repo/pod is available. Removed text: Support for automatically generating authentication configuration maps for _httpd_ will be provided by [ManageIQ/container-httpd-auth-config](https://github.com/ManageIQ/container-httpd-auth-config). Please see the [README.md](https://github.com/ManageIQ/container-httpd-auth-config/blob/master/README.md) in that repo for further details. The generated authentication configuration map can then be defined in the _httpd_ pod and further customized as follows: ```bash $ oc edit configmaps httpd-auth-configs ``` --- README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index 3fec8285..db7e10ad 100644 --- a/README.md +++ b/README.md @@ -627,10 +627,7 @@ data: ``` -Support for automatically generating authentication configuration maps for _httpd_ will be provided by -[ManageIQ/container-httpd-auth-config](https://github.com/ManageIQ/container-httpd-auth-config). Please see the [README.md](https://github.com/ManageIQ/container-httpd-auth-config/blob/master/README.md) in that repo for further details. - -The generated authentication configuration map can then be defined in the _httpd_ pod and further customized as follows: +The authentication configuration map can be defined and customized in the _httpd_ pod as follows: ```bash $ oc edit configmaps httpd-auth-configs From 312578369fc5d12b2814035341b3d7b94f1925af Mon Sep 17 00:00:00 2001 
From: Alberto Bellotti Date: Fri, 25 Aug 2017 16:59:50 -0400 Subject: [PATCH 5/7] Updated the miq-template* so that for the httpd container: - kick off the /usr/bin/entrypoint via a postStart lifecycle hook. - declare the authentication type as a config map auth-type key. - expose the auth-type key as an HTTPD_AUTH_TYPE environment variable. Updated README.md for the auth config map changes. --- README.md | 28 +++++++++++++++------------- templates/miq-template-ext-db.yaml | 13 ++++++++++++- templates/miq-template.yaml | 13 ++++++++++++- 3 files changed, 39 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index db7e10ad..9a59b007 100644 --- a/README.md +++ b/README.md 
@@ -543,23 +543,25 @@ $ oc new-app --template=manageiq \ ``` ## Configuring External Authentication -Configuring the _httpd_ pod for external authentication is done by updating the _httpd-auth-configs_ configuration map to include all necessary config files and certificates. Upon startup, the _httpd_ pod overlays its files with the ones specified in the _auth-configuration.conf_ file in the configuration map. This is done by the entrypoint before _systemd_ starts so all services will have their updated configuration upon startup. +Configuring the _httpd_ pod for external authentication is done by updating the _httpd-auth-configs_ configuration map to include all necessary config files and certificates. Upon startup, the _httpd_ pod overlays its files with the ones specified in the _auth-configuration.conf_ file in the configuration map. This is done by the _initialize-httpd-auth_ service that runs before _httpd_. -The external authentication configuration file _auth-configuration.conf_ declares the following: +The config map includes the following: -* The authentication type, default is _internal_. -* The list of files to overlay upon startup if type is other than _internal_. +* The authentication type _auth-type_, default is _internal_ -Syntax for the file is as follows: + _internal_ is the default type, anything else is considered external. _auth-type_ could include strings like: ipa, ldap, active_directory, saml or simply custom. + +* The external authentication configuration file _auth-configuration.conf_ which declares the list of files to overlay upon startup if _auth-type_ is other than _internal_. + + Syntax for the file is as follows: + + ``` + # for comments + file = basename1 target_path1 permission1 + file = basename2 target_path2 permission2 + ``` -``` -# for comments -type = internal -file = basename1 target_path1 permission1 -file = basename2 target_path2 permission2 -``` -_internal_ is the default type, anything else is considered external. 
This could include strings like: ipa, ldap, active_directory, saml or simply custom. For the files to overlay on the _httpd_ pod, one _file_ directive is needed per file. @@ -592,11 +594,11 @@ Excluding the content of the files, a SAML auth-config map data section may look ```bash apiVersion: v1 data: + auth-type: saml auth-configuration.conf: | # # Configuration for SAML authentication # - type = saml file = manageiq-remote-user.conf /etc/httpd/conf.d/manageiq-remote-user.conf 644 file = manageiq-external-auth-saml.conf /etc/httpd/conf.d/manageiq-external-auth-saml.conf 644 file = idp-metadata.xml /etc/httpd/saml2/idp-metadata.xml 644 diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index 3ce2a0c6..a7832adc 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -494,11 +494,11 @@ objects: metadata: name: "${HTTPD_SERVICE_NAME}-auth-configs" data: + auth-type: internal auth-configuration.conf: | # External Authentication Configuration File # # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md - type = internal - apiVersion: v1 kind: Service metadata: @@ -578,6 +578,17 @@ objects: cpu: "${HTTPD_CPU_REQ}" limits: memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/entrypoint" serviceAccount: miq-sysadmin serviceAccountName: miq-sysadmin parameters: diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index aa86166e..75f740dd 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml 
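Review bot: The `postStart` hook added in the `@@ -578,6 +578,17 @@` hunk is not ordered against the container's own entrypoint: Kubernetes runs the hook right after the container is created but gives no guarantee that it executes before the main process. If the command exists to hand `HTTPD_AUTH_TYPE` to services inside the container (the README in this patch says an `initialize-httpd-auth` service runs before httpd), that service could start before the value is available; what it does then is not visible here, and a fallback to `internal` would silently skip the external authentication overlay. I would run this step from the image's entrypoint before services start, or make the service fail when the variable is unset, and at least add a comment above `lifecycle:` such as `# postStart is asynchronous; consumers must wait for the saved environment`. The same hook is added in the `@@ -741,6 +741,17 @@` hunk of templates/miq-template.yaml, and the container spec starts outside the hunk.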
@@ -137,11 +137,11 @@ objects: metadata: name: "${HTTPD_SERVICE_NAME}-auth-configs" data: + auth-type: internal auth-configuration.conf: | # External Authentication Configuration File # # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md - type = internal - apiVersion: v1 kind: Service metadata: @@ -741,6 +741,17 @@ objects: cpu: "${HTTPD_CPU_REQ}" limits: memory: "${HTTPD_MEM_LIMIT}" + env: + - name: HTTPD_AUTH_TYPE + valueFrom: + configMapKeyRef: + name: "${HTTPD_SERVICE_NAME}-auth-configs" + key: auth-type + lifecycle: + postStart: + exec: + command: + - "/usr/bin/entrypoint" serviceAccount: miq-sysadmin serviceAccountName: miq-sysadmin parameters: From 11b5bb747d3214ef4e7a985486b494277604511f Mon Sep 17 00:00:00 2001 From: Alberto Bellotti Date: Mon, 28 Aug 2017 13:33:35 -0400 Subject: [PATCH 6/7] Improving readability of README.md section on configuring external authentication. --- README.md | 26 +++++++++++++------------- templates/miq-template-ext-db.yaml | 2 +- templates/miq-template.yaml | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 9a59b007..9275d61a 100644 --- a/README.md +++ b/README.md 
@@ -543,15 +543,15 @@ $ oc new-app --template=manageiq \ ``` ## Configuring External Authentication -Configuring the _httpd_ pod for external authentication is done by updating the _httpd-auth-configs_ configuration map to include all necessary config files and certificates. Upon startup, the _httpd_ pod overlays its files with the ones specified in the _auth-configuration.conf_ file in the configuration map. This is done by the _initialize-httpd-auth_ service that runs before _httpd_. +Configuring the httpd pod for external authentication is done by updating the `httpd-auth-configs` configuration map to include all necessary config files and certificates. Upon startup, the httpd pod overlays its files with the ones specified in the `auth-configuration.conf` file in the configuration map. This is done by the `initialize-httpd-auth` service that runs before httpd. The config map includes the following: -* The authentication type _auth-type_, default is _internal_ +* The authentication type `auth-type`, default is `internal` - _internal_ is the default type, anything else is considered external. _auth-type_ could include strings like: ipa, ldap, active_directory, saml or simply custom. + `internal` is the default type, anything else is considered external. `auth-type` could include strings like: ipa, ldap, active_directory, saml or simply custom. -* The external authentication configuration file _auth-configuration.conf_ which declares the list of files to overlay upon startup if _auth-type_ is other than _internal_. +* The external authentication configuration file `auth-configuration.conf` which declares the list of files to overlay upon startup if `auth-type` is other than `internal`. Syntax for the file is as follows: 
@@ -563,13 +563,13 @@ The config map includes the following: -For the files to overlay on the _httpd_ pod, one _file_ directive is needed per file. +For the files to overlay on the httpd pod, one `file` directive is needed per file. -* the _basename_ is the name of the source file in the configuration map. -* _target\_path_ is the path of the file on the pod to over_write, i.e. _/etc/sssd/sssd.conf_ -* _permission_ is optional, by default files are copied using the pod's default umask, owner and group, so files are created as mode 644 owner root, group root. +* the `basename` is the name of the source file in the configuration map. +* `target_path` is the path of the file on the pod to overwrite, i.e. `/etc/sssd/sssd.conf` +* `permission` is optional, by default files are copied using the pod's default umask, owner and group, so files are created as mode 644 owner root, group root. -optional _permission_ can be specified as follows: +optional `permission` can be specified as follows: * mode * mode:owner @@ -583,9 +583,9 @@ _Examples_: * 640:root * 644:root:apache -Binary files can be specified in the configuration map in their base64 encoded format with a basename having a _.base64_ extension. Such files are then converted back to binary as they are copied to their target path. +Binary files can be specified in the configuration map in their base64 encoded format with a basename having a `.base64` extension. Such files are then converted back to binary as they are copied to their target path. -When an _/etc/sssd/sssd.conf_ file is included in the configuration map, the _httpd_ pod automatically enables the sssd service upon startup. +When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the sssd service upon startup. ### Sample external authentication configuration: 
@@ -629,12 +629,12 @@ data: ``` -The authentication configuration map can be defined and customized in the _httpd_ pod as follows: +The authentication configuration map can be defined and customized in the httpd pod as follows: ```bash $ oc edit configmaps httpd-auth-configs ``` -Then redeploy the _httpd_ pod for the new authentication configuration to take effect. +Then redeploy the httpd pod for the new authentication configuration to take effect. diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index a7832adc..fe2d6f96 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -498,7 +498,7 @@ objects: auth-configuration.conf: | # External Authentication Configuration File # - # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication - apiVersion: v1 kind: Service metadata: diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 75f740dd..36bb69fe 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -141,7 +141,7 @@ objects: auth-configuration.conf: | # External Authentication Configuration File # - # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md + # For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication - apiVersion: v1 kind: Service metadata: From 6465faa69ef0969486e3db56adde7432964486d5 Mon Sep 17 00:00:00 2001 From: Alberto Bellotti Date: Tue, 29 Aug 2017 07:40:52 -0400 Subject: [PATCH 7/7] Renamed httpd pod postStart script from entrypoint to save-container-environment --- templates/miq-template-ext-db.yaml | 2 +- templates/miq-template.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index fe2d6f96..f41b622b 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -588,7 +588,7 @@ objects: postStart: exec: command: - - "/usr/bin/entrypoint" + - "/usr/bin/save-container-environment" serviceAccount: miq-sysadmin serviceAccountName: miq-sysadmin parameters: diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 36bb69fe..2da1b557 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -751,7 +751,7 @@ objects: postStart: exec: command: - - "/usr/bin/entrypoint" + - "/usr/bin/save-container-environment" serviceAccount: miq-sysadmin serviceAccountName: miq-sysadmin parameters: