Add post-deployment tasks to set up a repeatable method of reading a …

…configmap and applying the contents to the squid whitelist (#121) * Creation of playbook to install boto3 on Bastion which is a dependency of the aws_s3 module * Initial creation of playbook to retrieve a specified file from an S3-compliant source, to copy this to squid proxy hosts and reconfigure if there is a modification * Simplify playbook by removing unnecessary checksum verification seeing as blockinfile can check if source file has been modified * Renamed playbooks * Changed reference to renamed playbook * Change method from querying S3 compatible source to retrieving configmap * Remove localhost from playbook * Specify key in case multiple items are added to configmap * First attempt at automating cron job creation * Execute as root * Creation of playbook to generate SSH KeyPair and copy to Master node * Update name parameter so it is not empty * Restrict tasks to only run when deployment is multinetwork * Move tools playbooks to allserverspostdeployment role and remove install-pip from tools playbook seeing as we're not using the s3 module * Include new allserverspostdeployment playbooks * Change include to include_tasks * Change squid.conf template so that it more closely matches Squid 3.5 default config and add localnet acl * Initial commit of changing playbooks to query OpenShift API from Bastion instead of from a master to increase security * Remove playbook syntax as tasks are being directly included in main.yml * Creation of new playbook seeing as exporting a token to localhost can't be done from openshiftpostdeployment role * Extract whitelist-reader serviceaccount token * Remove multinetwork condition as this is defined when including tasks in allserverspostdeployment role playbook * Modify playbook to connect using oc client from Bastion using whitelist-reader serviceaccount instead of from a master to improve security * Add delegation to tasks where they need to run on localhost (seeing as it does not exist in a group) * Slight fixes to squid-whitelist playbook * Combine multiple allserverspostdeployment task files into one and update references * Remove install-pip playbook and add missing carriage return * Adding line return so GitHub is happy
UKCloud · Jan 16, 2019 · 76c5faf · 76c5faf
1 parent d6cc8e4
commit 76c5faf
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 54 deletions.
diff --git a/roles/allserverspostdeployment/tasks/main.yml b/roles/allserverspostdeployment/tasks/main.yml
@@ -23,3 +23,5 @@
     state: reloaded
     name: sshd
 
+- include_tasks: squid-whitelist.yml
+  when: multinetwork
diff --git a/roles/allserverspostdeployment/tasks/squid-whitelist.yml b/roles/allserverspostdeployment/tasks/squid-whitelist.yml
@@ -0,0 +1,32 @@
+- name: Generate SSH keypair
+  command: ssh-keygen -t rsa -N "" -f /home/cloud-user/.ssh/id_rsa
+  no_log: True
+  delegate_to: localhost
+  run_once: yes
+
+- name: Copy generated SSH keypair to controlplane loadbalancers
+  authorized_key:
+    user: cloud-user
+    state: present
+    key: " {{ lookup('file', '/home/cloud-user/.ssh/id_rsa.pub') }}"
+  when: inventory_hostname in groups.loadbalancers_controlplane
+
+- name: Store whitelist serviceaccount base64 token on Bastion
+  lineinfile:
+    dest: /home/cloud-user/whitelist-sa-token
+    line: "{{ hostvars[groups.masters[0]]['whitelist_token_b64']['stdout'] }}"
+    state: present
+    create: yes
+  delegate_to: localhost
+  run_once: yes
+
+- name: Create a cron file for updating proxy whitelist for net2 deployments
+  cron:
+    name: "Update custom sites in Squid Whitelist"
+    cron_file: proxy-whitelist
+    minute: 0
+    user: cloud-user
+    job: "/usr/bin/ansible-playbook -i /usr/share/ansible/openshift-deployment-ansible/openshift-ansible-hosts /usr/share/ansible/openshift-deployment-ansible/tools/playbooks/squid-whitelist.yaml >> /home/cloud-user/proxy-whitelist.log 2>&1"
+  become: true
+  delegate_to: localhost
+  run_once: yes
diff --git a/roles/openshiftpostdeployment/tasks/main.yml b/roles/openshiftpostdeployment/tasks/main.yml
@@ -5,19 +5,9 @@
     force: yes
     backup: yes
 
-- name: Setup tier-2 storage class file
-  template:
-    src: templates/storage-class-tier2.j2
-    dest: ~/storage-class-tier2.yml
-    force: yes
-    backup: yes
-
 - name: create tier-1 class 
   command: /usr/local/bin/oc create -f ~/storage-class-tier1.yml
 
-#- name: create tier-2 class 
-#  command: /usr/local/bin/oc create -f ~/storage-class-tier2.yml
-
 - name: Give admin rights
   command: /usr/local/bin/oc adm policy --config=/etc/origin/master/admin.kubeconfig add-cluster-role-to-user cluster-admin admin
 
@@ -129,3 +119,6 @@
       namespace: "openshift-monitoring"
       hostname: "prometheus"
   when: getCertificates == True
+
+- include_tasks: squid-whitelist.yml
+  when: multinetwork
diff --git a/roles/openshiftpostdeployment/tasks/squid-whitelist.yml b/roles/openshiftpostdeployment/tasks/squid-whitelist.yml
@@ -0,0 +1,22 @@
+- name: Create whitelist project
+  command: /usr/local/bin/oc new-project whitelist
+
+- name: Create proxy-whitelist configmap and create empty key
+  command: /usr/local/bin/oc create configmap proxy-whitelist --from-literal=proxy-whitelist.txt= -n whitelist
+
+- name: Create whitelist-reader serviceaccount
+  command: /usr/local/bin/oc create sa whitelist-reader -n whitelist
+
+- name: Create read-whitelist role
+  command: /usr/local/bin/oc create role read-whitelist --verb=get,list --resource=configmaps --resource-name=proxy-whitelist -n whitelist
+
+- name: Apply read-whitelist role to whitelist-reader serviceaccount
+  command: /usr/local/bin/oc policy add-role-to-user read-whitelist -z whitelist-reader -n whitelist --role-namespace='whitelist'
+
+- name: Get whitelist-reader serviceaccount token name
+  command: /usr/local/bin/oc get sa -n whitelist -o jsonpath='{$.items[?(@.metadata.name=="whitelist-reader")].secrets[0].name}'
+  register: whitelist_token_name
+
+- name: Extract base64 whitelist-reader token
+  command: /usr/local/bin/oc get secret {{ whitelist_token_name.stdout }} -n whitelist -o jsonpath='{$.data.token}'
+  register: whitelist_token_b64
diff --git a/roles/squid/templates/squid.j2 b/roles/squid/templates/squid.j2
@@ -1,63 +1,30 @@
-#
-# Recommended minimum configuration:
-#
+http_port 3128
 
-# Example rule allowing access from your local networks.
-# Adapt to list your (internal) IP networks from where browsing
-# should be allowed
-#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+acl localnet src {{ internalNetworkCidr }}  # Neutron network
 
 acl SSL_ports port 443
-acl Safe_ports port 80		# http
-acl Safe_ports port 443		# https
+
+acl Safe_ports port 80                        # http
+acl Safe_ports port 443                       # https
+
 acl CONNECT method CONNECT
 
-#
-# Recommended minimum Access Permission configuration:
-#
-# Deny requests to certain unsafe ports
 http_access deny !Safe_ports
-
-# Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
-
-# Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager
-
-# We strongly recommend the following be uncommented to protect innocent
-# web applications running on the proxy server who think the only
-# one who can access services on "localhost" is a local user
 http_access deny to_localhost
 
-#
-# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
-#
 acl whitelist dstdomain "/etc/squid/sites.whitelist.txt"
-http_access allow whitelist
 
-# Example rule allowing access from your local networks.
-# Adapt localnet in the ACL section to list your (internal) IP networks
-# from where browsing should be allowed
-#http_access allow localnet
+http_access allow whitelist localnet
 http_access allow localhost
-
-# And finally deny all other access to this proxy
 http_access deny all
 
-# Squid normally listens to port 3128
-http_port 3128
-
-# Uncomment and adjust the following to add a disk cache directory.
 #cache_dir ufs /var/spool/squid 100 16 256
-
-# Leave coredumps in the first cache dir
 coredump_dir /var/spool/squid
 
-#
-# Add any of your own refresh_pattern entries above these.
-#
-refresh_pattern ^ftp:		1440	20%	10080
-refresh_pattern ^gopher:	1440	0%	1440
-refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
-refresh_pattern .		0	20%	4320
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
diff --git a/tools/playbooks/squid-whitelist.yaml b/tools/playbooks/squid-whitelist.yaml
@@ -0,0 +1,26 @@
+---
+- hosts: localhost, loadbalancers_controlplane
+  tasks:
+  - name: Retrieve whitelist from config-map
+    shell: |
+      /usr/bin/oc login https://ocp.{{ domainSuffix }}:8443 --token={{ lookup('file', '/home/cloud-user/whitelist-sa-token') | b64decode }} > /dev/null
+      /usr/bin/oc get configmaps proxy-whitelist -n whitelist -o jsonpath='{.data.proxy-whitelist\.txt}'
+    when: inventory_hostname == 'localhost' and multinetwork
+    register: proxy_whitelist
+
+  - name: Insert changed block to /etc/squid/sites.whitelist.txt
+    blockinfile:
+      block: "{{ hostvars['localhost']['proxy_whitelist']['stdout'] }}"
+      path: /etc/squid/sites.whitelist.txt
+      insertafter: EOF
+      marker: "# {mark} ANSIBLE MANAGED BLOCK - User whitelisted domains #"
+    become: yes
+    when: inventory_hostname in groups.loadbalancers_controlplane and multinetwork
+    notify:
+      - reconfigure squid
+
+  handlers:
+    - name: reconfigure squid
+      command: /usr/sbin/squid -k reconfigure
+      become: yes
+      when: inventory_hostname in groups.loadbalancers_controlplane