Updates regarding options that are Ansible-configurable.

dougbtv · Aug 19, 2016 · ca4fd6d · ca4fd6d
1 parent a9bd0c1
commit ca4fd6d
Show file tree

Hide file tree

Showing 10 changed files with 420 additions and 39 deletions.
diff --git a/dev_guide/builds.adoc b/dev_guide/builds.adoc
@@ -497,6 +497,11 @@ dockerStrategy:
 ----
 ====
 
+ifdef::openshift-enterprise,openshift-origin[]
+You can also 
+xref:../install_config/http_proxies.adoc#configuring-hosts-for-proxies[configure build settings using Ansible].
+endif::[]
+
 [[custom-strategy-options]]
 
 == Custom Strategy Options
@@ -606,6 +611,11 @@ customStrategy:
 ----
 ====
 
+ifdef::openshift-enterprise,openshift-origin[]
+You can also 
+xref:../install_config/http_proxies.adoc#configuring-hosts-for-proxies[configure build settings using Ansible].
+endif::[]
+
 [[pipeline-strategy-options]]
 == Pipeline Strategy Options
 
@@ -781,6 +791,11 @@ source:
 ----
 ====
 
+ifdef::openshift-enterprise,openshift-origin[]
+You can also 
+xref:../install_config/http_proxies.adoc#configuring-hosts-for-proxies[configure a proxy for git cloning using Ansible].
+endif::[]
+
 // end::using-a-proxy-for-git-cloning-1[]
 
 

diff --git a/install_config/build_defaults_overrides.adoc b/install_config/build_defaults_overrides.adoc
@@ -44,6 +44,67 @@ they are allowed to pull.
 [[setting-global-build-defaults]]
 == Setting Global Build Defaults
 
+You can set global build defaults two ways:
+
+- xref:ansible-set-global-build-defaults-overrides[using Ansible and the advanced installation tool]
+- xref:manually-setting-global-build-defaults[manually by modifying the *_master-config.yaml_* file]
+
+[[ansible-set-global-build-defaults-overrides]]
+=== Configuring Global Build Defaults with Ansible
+
+During
+xref:../install_config/install/advanced_install.adoc#install-config-install-advanced-install[advanced installations], 
+the `*BuildDefaults*` plug-in can
+be configured using 
+xref:../install_config/install/advanced_install.adoc#advanced-install-configuring-global-proxy[the following parameters], which are configurable in the inventory file:
+
+- `*openshift_builddefaults_http_proxy*`
+- `*openshift_builddefaults_https_proxy*`
+- `*openshift_builddefaults_no_proxy*`
+- `*openshift_builddefaults_git_http_proxy*`
+- `*openshift_builddefaults_git_https_proxy*`
+
+.Example Build Defaults Configuration with Ansible
+====
+----
+# These options configure the BuildDefaults admission controller which injects
+# environment variables into Builds. These values will default to the global proxy
+# config values. You only need to set these if they differ from the global settings
+# above. See BuildDefaults
+# documentation at https://docs.openshift.org/latest/admin_guide/build_defaults_overrides.html
+#openshift_builddefaults_http_proxy=http://USER:PASSWORD@HOST:PORT
+openshift_builddefaults_https_proxy=https://USER:PASSWORD@HOST:PORT
+openshift_builddefaults_no_proxy=build_defaults
+openshift_builddefaults_git_http_proxy=http://USER:PASSWORD@HOST:PORT
+openshift_builddefaults_git_https_proxy=https://USER:PASSWORD@HOST:PORT
+# Or you may optionally define your own serialized as json
+#openshift_builddefaults_json='{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[{"name":"HTTP_PROXY","value":"http://proxy.example.com.redhat.com:3128"},{"name":"NO_PROXY","value":"ose3-master.example.com"}],"gitHTTPProxy":"http://proxy.example.com:3128","kind":"BuildDefaultsConfig"}}}'
+----
+====
+
+[NOTE]
+====
+There are 
+xref:../install_config/install/advanced_install.adoc#advanced-install-configuring-global-proxy[additional proxy settings] 
+that can be 
+xref:../install_config/build_defaults_overrides.adoc#setting-global-build-defaults[configured for builds] using Ansible parameters. For
+example:
+- The 
+`*openshift_builddefaults_git_http_proxy*` and
+`*openshift_builddefaults_git_https_proxy*` parameters allow you to 
+xref:../dev_guide/builds.adoc#using-a-proxy-for-git-cloning[use a proxy for git cloning]
+- The `*openshift_builddefaults_http_proxy*` and 
+`*openshift_builddefaults_https_proxy*` parameters can make environment
+variables available to the 
+xref:../dev_guide/builds.adoc#docker-strategy-environment[Docker build strategy]
+and 
+xref:../dev_guide/builds.adoc#custom-strategy-environment[Custom build strategy]
+processes. 
+====
+
+[[manually-setting-global-build-defaults]]
+=== Manually Setting Global Build Defaults
+
 To configure the `*BuildDefaults*` plug-in, add a configuration for it in the
 *_/etc/origin/master/master-config.yaml_* file on masters:
 
@@ -117,3 +178,4 @@ Restart the master service for the changes to take effect:
 ----
 ====
 // end::installconfig_build_defaults_overrides[]
+
diff --git a/install_config/certificate_customization.adoc b/install_config/certificate_customization.adoc
@@ -16,9 +16,43 @@ Administrators can configure custom serving certificates for the public host
 names of the {product-title} API and
 xref:../architecture/infrastructure_components/web_console.adoc#architecture-infrastructure-components-web-console[web console].
 This can be done during an
-xref:../install_config/install/advanced_install.adoc#advanced-install-custom-certificates[advanced
-installation] or configured after installation.
+xref:../install_config/install/advanced_install.adoc#advanced-install-custom-certificates[advanced installation] or configured after installation.
 
+[[ansible-configuring-custom-certificates]]
+== Configuring Custom Certificates with Ansible
+
+During 
+xref:../install_config/install/advanced_install.adoc#install-config-install-advanced-install[advanced installations], 
+custom certificates can be configured using the
+`*openshift_master_named_certificates*` and
+`*openshift_master_overwrite_named_certificates*` parameters, which are
+configurable in the inventory file. More details are available about 
+xref:../install_config/install/advanced_install.adoc#advanced-install-custom-certificates[configuring custom certificates with Ansible].
+
+.Example Custom Certificate Configuration with Ansible
+====
+----
+# Configure custom named certificates
+# NOTE: openshift_master_named_certificates is cached on masters and is an
+# additive fact, meaning that each run with a different set of certificates
+# will add the newly provided certificates to the cached set of certificates.
+#
+# An optional CA may be specified for each named certificate. CAs will
+# be added to the OpenShift CA bundle which allows for the named
+# certificate to be served for internal cluster communication.
+#
+# If you would like openshift_master_named_certificates to be overwritten with
+# the provided value, specify openshift_master_overwrite_named_certificates.
+openshift_master_overwrite_named_certificates=true
+#
+# Provide local certificate paths which will be deployed to masters
+openshift_master_named_certificates=[{"certfile": "/path/on/host/to/custom1.crt", "keyfile": "/path/on/host/to/custom1.key", "cafile": "/path/on/host/to/custom-ca1.crt"}]
+#
+# Detected names may be overridden by specifying the "names" key
+#openshift_master_named_certificates=[{"certfile": "/path/on/host/to/custom1.crt", "keyfile": "/path/on/host/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/on/host/to/custom-ca1.crt"}]
+----
+====
+
 [[configuring-custom-certificates]]
 == Configuring Custom Certificates
 

diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
@@ -22,7 +22,11 @@ access tokens] to authenticate themselves to the API.
 
 As an administrator, you can configure OAuth using the
 xref:../install_config/master_node_configuration.adoc#install-config-master-node-configuration[master configuration file] to specify an
-xref:identity-providers[identity provider]. If you installed {product-title} using
+xref:identity-providers[identity provider]. 
+This can be done during an
+xref:../install_config/install/advanced_install.adoc#configuring-cluster-variables[advanced installation] or configured after installation.
+
+If you installed {product-title} using
 the
 ifdef::openshift-enterprise[]
 xref:../install_config/install/quick_install.adoc#install-config-install-quick-install[Quick Installation] or
@@ -55,9 +59,47 @@ configuration file.
 xref:../architecture/additional_concepts/authorization.adoc#roles[Roles] need
 to be assigned to administer the setup with an external user.
 ====
+
+[[identity-providers-ansible]]
+== Configuring Identity Providers with Ansible
 
-[[identity-providers]]
+For initial xref:../install_config/install/advanced_install.adoc#install-config-install-advanced-install[advanced installations], the
+xref:../install_config/configuring_authentication.adoc#DenyAllPasswordIdentityProvider[Deny All] identity provider is configured by default,
+though it can be
+xref:../install_config/install/advanced_install.adoc#configuring-ansible[overridden during installation] using the
+xref:../install_config/install/advanced_install.adoc#configuring-cluster-variables[`*openshift_master_identity_providers*` parameter], which is configurable in the inventory file. 
+xref:../install_config/install/advanced_install.html#advanced-install-session-options[Session options in the OAuth configuration] are also configurable in the inventory file. 
+
+.Example Identity Provider Configuration with Ansible
+====
+
+----
+# htpasswd auth
+openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+# Defining htpasswd users
+#openshift_master_htpasswd_users={'user1': '<pre-hashed password>', 'user2': '<pre-hashed password>'
+# or
+#openshift_master_htpasswd_file=<path to local pre-generated htpasswd file>
 
+# Allow all auth
+#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
+
+# LDAP auth
+#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
+# Configuring the ldap ca certificate
+#openshift_master_ldap_ca=<ca text>
+# or
+#openshift_master_ldap_ca_file=<path to local ca file to use>
+
+# Available variables for configuring certificates for other identity providers:
+#openshift_master_openid_ca
+#openshift_master_openid_ca_file
+#openshift_master_request_header_ca
+#openshift_master_request_header_ca_file
+----
+====
+
+[[identity-providers]]
 == Identity Providers
 You can configure the master host for authentication using your desired identity
 provider by modifying the
@@ -563,8 +605,7 @@ Set *RequestHeaderIdentityProvider* in the `*identityProviders*` stanza to
 identify users from request header values, such as `X-Remote-User`. It is
 typically used in combination with an authenticating proxy, which sets the
 request header value. This is similar to how
-link:https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html/Deployment_Guide/Configuring_OpenShift_Enterprise_Authentication.html[the
-remote user plug-in in OpenShift Enterprise 2] allowed administrators to
+link:https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html/Deployment_Guide/Configuring_OpenShift_Enterprise_Authentication.html[the remote user plug-in in OpenShift Enterprise 2] allowed administrators to
 provide Kerberos, LDAP, and many other forms of enterprise authentication.
 
 For users to authenticate using this identity provider, they must access
@@ -1122,8 +1163,7 @@ to authenticate.
 
 Set *OpenIDIdentityProvider* in the `*identityProviders*` stanza to integrate
 with an OpenID Connect identity provider using an
-link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization
-Code Flow].
+link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow].
 
 [NOTE]
 ====
@@ -1137,14 +1177,12 @@ Claims are read from the JWT `id_token` returned from the OpenID identity
 provider and, if specified, from the JSON returned by the `*UserInfo*` URL.
 
 At least one claim must be configured to use as the user's identity. The
-link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard
-identity claim] is `sub`.
+link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard identity claim] is `sub`.
 
 You can also indicate which claims to use as the user's preferred user name,
 display name, and email address. If multiple claims are specified, the first one
 with a non-empty value is used. The
-link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard
-claims] are:
+link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard claims] are:
 
 [horizontal]
 `sub`:: The user identity.
@@ -1268,8 +1306,7 @@ authentication fails.
 for this identity. First non-empty claim is used.
 <6> List of claims to use as the display name. First non-empty claim is used.
 <7> List of claims to use as the email address. First non-empty claim is used.
-<8> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo
-Endpoint] described in the OpenID spec. Must use `https`.
+<8> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] described in the OpenID spec. Must use `https`.
 ====
 
 [[token-options]]

diff --git a/install_config/configuring_aws.adoc b/install_config/configuring_aws.adoc
@@ -12,14 +12,12 @@ toc::[]
 
 == Overview
 {product-title} can be configured to access an
-link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html[AWS EC2
-infrastructure], including
+link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html[AWS EC2 infrastructure], including
 xref:../install_config/persistent_storage/persistent_storage_aws.adoc#install-config-persistent-storage-persistent-storage-aws[using AWS
 volumes as persistent storage] for application data. After AWS is configured
 properly, some additional configurations will need to be completed on the
 {product-title} hosts.
 
-
 [[configuring-aws-variables]]
 == Configuring AWS Variables
 
@@ -34,9 +32,55 @@ Zone = us-east-1c <1>
 <1> This is the Availability Zone of your AWS Instance and where your EBS Volume
 resides; this information is obtained from the AWS Managment Console.
 ====
-
+ 
 [[aws-configuring-masters]]
-== Configuring Masters
+== Configuring {product-title} Masters for AWS
+
+You can set the AWS configuration on your {product-title} master hosts in two ways:
+
+- xref:aws-configuring-masters-ansible[using Ansible and the advanced installation tool]
+- xref:aws-configuring-masters-manually[manually, by modifying the *_master-config.yaml_* file]
+
+[[aws-configuring-masters-ansible]]
+=== Configuring {product-title} for AWS with Ansible
+
+During
+xref:../install_config/install/advanced_install.adoc#install-config-install-advanced-install[advanced installations], 
+AWS can be configured using 
+xref:../install_config/install/advanced_install.adoc#advanced-install-configuring-global-proxy[the `*openshift_cloudprovider_aws_access_key*`, `*openshift_cloudprovider_aws_secret_key*`, and `*openshift_cloudprovider_kind*` parameters], which are configurable in the inventory file. 
+
+.Example AWS Configuration with Ansible
+====
+----
+# Cloud Provider Configuration
+#
+# Note: You may make use of environment variables rather than store
+# sensitive configuration within the ansible inventory.
+# For example:
+#openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
+#openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
+#
+# AWS
+#openshift_cloudprovider_kind=aws
+# Note: IAM profiles may be used instead of storing API credentials on disk.
+#openshift_cloudprovider_aws_access_key=aws_access_key_id
+#openshift_cloudprovider_aws_secret_key=aws_secret_access_key
+----
+====
+
+[NOTE]
+====
+When Ansible configures AWS, the following files are created for you:
+
+- *_/etc/aws/aws.conf_*
+- *_/etc/origin/master/master-config.yaml_*
+- *_/etc/origin/node/node-config.yaml_*
+- *_/etc/sysconfig/atomic-openshift-master_*
+- *_/etc/sysconfig/atomic-openshift-node_*
+====
+
+[[aws-configuring-masters-manually]]
+=== Manually Configuring {product-title} Masters for AWS
 
 Edit or
 xref:../install_config/master_node_configuration.adoc#creating-new-configuration-files[create]
@@ -71,7 +115,7 @@ container. Therefore, *_aws.conf_* should be in *_/etc/origin/_* instead of
 ====
 
 [[aws-configuring-nodes]]
-== Configuring Nodes
+=== Manually Configuring {product-title} Nodes for AWS
 
 Edit or
 xref:../install_config/master_node_configuration.adoc#creating-new-configuration-files[create]