Enhancement to support the httpd authentication configuration map. #201
abellotti commented Aug 17, 2017
- Added new httpd-auth-configs config map to the templates
- mounted the new configmap for httpd pod as /etc/httpd/auth-conf.d
- updated teardown script to handle the new config map
@abellotti Can you add something to the README about how to specify the other external auth files? Should they be added to the same ConfigMap? Also, is any guidance needed around what files should be added for which authentication types?
Stuff here should be generic, I can move the config map/config file syntax out of the templates into the README and maybe give a single example. Yes, they go to the same httpd-auth-configs map. The guidance/list of files generated for each auth type will go in the new repo (scripts configuring the different ext-auth and creating the configmap that users can update here and restart their httpd pod), probably ManageIQ/container-httpd-auth-config, coming soon.
Ah, I didn't know there was more. My concern was that this felt like we were leaving too much up to the user to figure out how to configure this stuff. It sounds like this repo will accomplish what I was looking for. In that case a link from the README here to that repo with a sentence or two will probably be enough.
…ile. - Updated template's Auth Configmap usage details to reference the README file.
/cc @carbonin updated for you. simplified config maps, referencing this pod's README which has all details, with reference to future container-httpd-auth-config repo for auto-generating those puppies.
README.md
Outdated
$ oc edit configmaps httpd-auth-configs | ||
``` | ||
|
||
Then rebouncing the _httpd_ pod for the new authentication configuration to take effect. |
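Review bot: The sentence that follows the `oc edit configmaps httpd-auth-configs` block is a fragment and names no command for restarting the pod. Write it as an imperative step and show the command the reader should run, so that editing the config map and making the change take effect read as one procedure.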
I think "redeploy the httpd pod" or "rollout a new httpd deployment" here rather than "rebouncing the httpd pod"
templates/miq-template.yaml
Outdated
@@ -963,6 +978,10 @@ parameters: | |||
displayName: Apache Configuration Directory | |||
description: Directory used to store the Apache configuration files. | |||
value: "/etc/httpd/conf.d" | |||
- name: HTTPD_AUTH_CONFIG_DIR | |||
displayName: External Authentication Configuration Directory | |||
description: Directory used to store the exxternal authentication configuration files. |
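Review bot: The `description` of `HTTPD_AUTH_CONFIG_DIR` reads almost the same as the one for the Apache Configuration Directory above it, so a user cannot tell what distinguishes the two directories. Say in the description that this is where the `httpd-auth-configs` config map is mounted (the PR description gives `/etc/httpd/auth-conf.d`), and that its contents are supplied by that config map.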
Typo, s/exxternal/external/
👍 fixed.
… redeploying the httpd pod.
Looks good to me. Do we want to wait until we have the other referenced repo in place for this change?
hmm, might take a week or two to get the other repo up. I do need this merged in now though. I could remove the reference for now until the other is live, then re-add that paragraph in the README.md then, thoughts?
Yeah, I think that's probably for the best. When we have the other repo up and running we'll re-add the info about it.
…d-auth-config. We will re-add once that repo/pod is available. Removed text: Support for automatically generating authentication configuration maps for _httpd_ will be provided by [ManageIQ/container-httpd-auth-config](https://github.com/ManageIQ/container-httpd-auth-config). Please see the [README.md](https://github.com/ManageIQ/container-httpd-auth-config/blob/master/README.md) in that repo for further details. The generated authentication configuration map can then be defined in the _httpd_ pod and further customized as follows: ```bash $ oc edit configmaps httpd-auth-configs ```
👍 done. 7d783ba
ping @bdunne
- kick off the /usr/bin/entrypoint via a postStart lifecycle hook.
- declare the authentication type as a config map auth-type key.
- expose the auth-type key as an HTTPD_AUTH_TYPE environment variable.

Updated README.md for the auth config map changes.
README.md
Outdated
@@ -541,3 +541,100 @@ $ oc new-app --template=manageiq \ | |||
-p APPLICATION_IMG_TAG=latest \ | |||
... | |||
``` | |||
|
|||
## Configuring External Authentication | |||
Configuring the _httpd_ pod for external authentication is done by updating the _httpd-auth-configs_ configuration map to include all necessary config files and certificates. Upon startup, the _httpd_ pod overlays its files with the ones specified in the _auth-configuration.conf_ file in the configuration map. This is done by the _initialize-httpd-auth_ service that runs before _httpd_. |
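Review bot: The new "Configuring External Authentication" paragraph tells users to put "all necessary config files and certificates" into the `httpd-auth-configs` config map without saying where private material that accompanies them (private keys, keytabs) should go. A ConfigMap is not intended for confidential data and is readable by anyone with read access to the project's config maps, so the README should state that only non-secret files belong here and point to a Secret for the rest. The paragraph also says the pod "overlays its files" from `auth-configuration.conf`; documenting which target paths may be overlaid would make clear what someone with edit rights on this config map can change inside the httpd container.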
Instead of italics can you use backticks, to make it preformatted? I find it hard to read with italics. (pretty much everywhere in these changes)
templates/miq-template-ext-db.yaml
Outdated
auth-configuration.conf: | | ||
# External Authentication Configuration File | ||
# | ||
# For details on usage please see https://github.com/ManageIQ/manageiq-pods/blob/master/README.md |
You can actually link directly to your new section with :
https://github.com/ManageIQ/manageiq-pods/blob/master/README.md#configuring-external-authentication
Checked commits abellotti/manageiq-pods@7abe98b~...6465faa with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
LGTM