[enterprise-3.10] bug 1633137 request header changes #13008

Merged
2 changes: 1 addition & 1 deletion install/configuring_inventory_file.adoc
@@ -164,7 +164,7 @@ xref:../install_config/configuring_authentication.adoc#install-config-configurin
The default value is
xref:../install_config/configuring_authentication.adoc#DenyAllPasswordIdentityProvider[Deny
All]. If you use a supported identity provider, configure {product-title} to
use it.
use it. You can configure multiple identity providers.

|`openshift_master_named_certificates`
.2+.^|These variables are used to configure xref:../install_config/certificate_customization.adoc#install-config-certificate-customization[custom certificates] which are deployed as part of the installation. See xref:advanced-install-custom-certificates[Configuring Custom Certificates] for more information.
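Review bot: the added sentence "You can configure multiple identity providers." in the identity-provider row tells the reader nothing about what configuring several providers entails; the companion hunk in install_config/configuring_authentication.adoc introduces the rule that each provider's CA certificate must be placed in its own `*_/etc/origin/master/<identity_provider_name>_<identity_provider_type>_ca.crt_*` file, so this sentence should end with an xref to that section rather than leave the inventory-table reader without the CA requirement.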
59 changes: 46 additions & 13 deletions install_config/configuring_authentication.adoc
@@ -156,22 +156,58 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
#openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]

# LDAP auth
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
# Configuring the ldap ca certificate <1>
#openshift_master_ldap_ca=<ca text>
# or
#openshift_master_ldap_ca_file=<path to local ca file to use>
#openshift_master_ldap_ca_file=<path to local ca file to use> <2>

# Available variables for configuring certificates for other identity providers:
# Available variables for configuring certificates for other identity providers: <3>
#openshift_master_openid_ca
#openshift_master_openid_ca_file
#openshift_master_openid_ca_file <2>
#openshift_master_request_header_ca
#openshift_master_request_header_ca_file
----
<1> If you specify your CA certificate location in the
`openshift_master_identity_providers` parameter, do not specify a certificate
value in the `openshift_master_ldap_ca` parameter or path in the
`openshift_master_ldap_ca_file` parameter.
#openshift_master_request_header_ca_file <2>
----
<1> If you specified `'insecure': 'false'`
in the `openshift_master_identity_providers` parameter for only an LDAP identity
provider, you can omit the CA certificate.
<2> If you specify a file on the host you run the playbook on, its contents are
copied to the
*_/etc/origin/master/<identity_provider_name>_<identity_provider_type>_ca.crt_*
file. The
identity provider name is the value of the `openshift_master_identity_providers`
parameter, `ldap`, `openid`, or `request_header`. If you do not
specify the CA text or the path to the local CA file, you must place the CA
certificate in this location. If you specify multiple identity providers, you
must manually place the CA certificate for each provider in this location. You cannot change this location.

You can specify multiple identity providers. If you do, you must place the
CA certificate for each identity provider in the *_/etc/origin/master/_* directory.
For example, you include the following providers in your
`openshift_master_identity_providers` value:

----
openshift_master_identity_providers:
- name: foo
provider:
kind: OpenIDIdentityProvider
...
- name: bar
provider:
kind: OpenIDIdentityProvider
...
- name: baz
provider:
kind: RequestHeaderIdentityProvider
...
----

You must place the CA certificates for these identity providers in the following
files:

* *_/etc/origin/master/foo_openid_ca.crt_*
* *_/etc/origin/master/bar_openid_ca.crt_*
* *_/etc/origin/master/baz_requestheader_ca.crt_*

[[identity_providers_master_config]]
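Review bot: callout `<3>` is attached to the line `# Available variables for configuring certificates for other identity providers: <3>` but the callout list below the listing only defines `<1>` and `<2>`, so the marker dangles; either add a `<3>` entry or drop the marker. Callout `<1>` also reads as inverted: `'insecure': 'false'` is the setting under which the master validates the LDAP server's certificate, which is precisely when a CA is needed, so please confirm the condition under which the CA may be omitted (the removed callout tied omission to having supplied `'ca'` inside `openshift_master_identity_providers`, which is the key this hunk drops from the sample line). In callout `<2>`, "The identity provider name is the value of the `openshift_master_identity_providers` parameter, `ldap`, `openid`, or `request_header`" conflates the provider's `name` field with its type; given the file name `<identity_provider_name>_<identity_provider_type>_ca.crt`, the name should be the provider's `name` value and the type one of the three type strings, and the type must match the example path `*_/etc/origin/master/baz_requestheader_ca.crt_*` (the text says `request_header`, the example says `requestheader`; pick one). Finally, the multi-provider example is written as YAML (`- name: foo` / `provider:` / `kind: OpenIDIdentityProvider`) while the inventory parameter shown above it is a Python-style list of dicts, and the paragraph starting "You can specify multiple identity providers" repeats what `<2>` already states; suggest showing the example in the inventory syntax, e.g. `openshift_master_identity_providers=[{'name': 'foo', 'kind': 'OpenIDIdentityProvider', ...}, {'name': 'baz', 'kind': 'RequestHeaderIdentityProvider', ...}]`, and folding the duplicate sentence into `<2>`.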

@@ -199,9 +235,6 @@ oauthConfig:
When set to the default `*claim*` value, OAuth will fail if the identity is
mapped to a previously-existing user name.

[[identity_providers_methods]]
=== Configuring an identity provider or method

[[LookupMappingMethod]]
==== Manually provisioning a user when using the lookup mapping method
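Review bot: deleting the `[[identity_providers_methods]]` anchor together with its `=== Configuring an identity provider or method` heading leaves the following `==== Manually provisioning a user when using the lookup mapping method` section nested under whichever level-3 heading precedes it, which changes the document outline, and any existing `xref:` to `identity_providers_methods` elsewhere in the docs will break; please grep the repository for that anchor before merging and either promote the remaining `====` heading to `===` or move the anchor onto it.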
