#50: Simplifying architecture for IDE Non-HA setup (#51)
GeorgSchulz authored Sep 27, 2024
1 parent 5e4b28e commit aee41cc
Showing 154 changed files with 1,622 additions and 1,301 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Added

- communitylab#50: Simplifying architecture for IDE Non-HA setup
- communitylab#48: Downgrading OpenJDK and updating documentation images

## [v1.4.0] - 2024-08-27
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -121,7 +121,7 @@ georg@notebook:~/git/CommunityLab/collections/ansible_collections/jupyter/hub/ex
```

### 2.7 Login to JupyterHub here using credentials of variable [ldap_users](./collections/ansible_collections/jupyter/hub/extensions/molecule/default/molecule.yml):
https://172.23.27.3
https://172.23.27.3:8443

![IDE Docker](https://github.com/GeorgSchulz/CommunityLab/blob/master/images/ide_in_docker.bmp?raw=True)

Expand Down Expand Up @@ -196,7 +196,7 @@ georg@notebook:~/git/CommunityLab$ ansible-playbook setup.yml
### 3.4 Access IDE via JupyterHub
#### (e.g. using domain: example.com)
#### 3.4.1 Non-HA IDE
Use credentials of variable [ldap_users](./group_vars/all.yml) and login here: https://hub1.example.com
Use credentials of variable [ldap_users](./group_vars/all.yml) and login here: https://hub1.example.com:8443

#### 3.4.2 HA IDE
Use credentials of variable [ldap_users](./group_vars/all.yml) and login here: https://jupyterhub.example.com
Expand Up @@ -11,9 +11,9 @@
community.docker.docker_network:
name: example.com
ipam_config:
- subnet: "172.23.27.0/24"
gateway: "172.23.27.2"
iprange: "172.23.27.0/26"
- subnet: 172.23.27.0/24
gateway: 172.23.27.2
iprange: 172.23.27.0/26

- name: Create container
become: true
Expand Down Expand Up @@ -42,7 +42,7 @@
item.container.State.ExitCode != 0 or
not item.container.State.Running
ansible.builtin.include_tasks:
file: create-fail.yml
file: tasks/create-fail.yml
loop: "{{ result.results }}"
loop_control:
label: "{{ item.container.Name }}"
@@ -1 +1,2 @@
check_kerberos_propagation_principal: "test"
---
check_kerberos_propagation_principal: test
@@ -1,35 +1,36 @@
---
- name: Delete existing test kerberos principal
ansible.builtin.command: "kadmin.local -q \"delprinc -force {{ check_kerberos_propagation_principal }}\""
ansible.builtin.command: kadmin.local -q "delprinc -force {{ check_kerberos_propagation_principal }}"
when: "'kerberos1' in group_names"

- name: Block for Kerberos primary KDC
when: "'kerberos1' in group_names"
block:
- name: Create test kerberos principal on primary KDC
ansible.builtin.command: "kadmin.local -q \"addprinc -randkey {{ check_kerberos_propagation_principal }}\""
ansible.builtin.command: kadmin.local -q "addprinc -randkey {{ check_kerberos_propagation_principal }}"

- name: Get principals of Kerberos primary KDC
ansible.builtin.command: "kadmin.local -q \"listprincs\""
ansible.builtin.command: kadmin.local -q "listprincs"
register: kerberos_primary_principals

- name: Print message depending on listprincs output
ansible.builtin.assert:
that: "'{{ check_kerberos_propagation_principal }}@{{ setup_realm }}' in kerberos_primary_principals.stdout"
fail_msg: "Kerberos Principal was not created, see Logs for details"
success_msg: "Kerberos Principal was successfully created"
fail_msg: Kerberos Principal was not created, see Logs for details
success_msg: Kerberos Principal was successfully created

- name: Block for Kerberos secondary KDC
when: "'kerberos2' in group_names"
block:
- name: Get principals of Kerberos secondary KDC
ansible.builtin.command: "kadmin.local -q \"listprincs\""
ansible.builtin.command: kadmin.local -q "listprincs"
register: kerberos_secondary_principals

- name: Print message depending on listprincs output
ansible.builtin.assert:
that: "'{{ check_kerberos_propagation_principal }}@{{ setup_realm }}' in kerberos_secondary_principals.stdout"
fail_msg: "Kerberos database replication failed, see Logs for details"
success_msg: "Kerberos primary and secondary KDC running and Kerberos database replication successfull"
fail_msg: Kerberos database replication failed, see Logs for details
success_msg: Kerberos primary and secondary KDC running and Kerberos database replication successfull

- name: Delete test kerberos principal
ansible.builtin.command: "kadmin.local -q \"delprinc -force {{ check_kerberos_propagation_principal }}\""
ansible.builtin.command: kadmin.local -q "delprinc -force {{ check_kerberos_propagation_principal }}"
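Review bot: The closing `Delete test kerberos principal` task runs on every host in the play, whereas the matching delete at the top of the file is gated with `when: "'kerberos1' in group_names"`; with the LDAP-backed KDC packages installed elsewhere in this commit the secondary's kadmin.local would presumably reach the same database, but the two tasks should at least agree, and an assert failure in the secondary block aborts the play before this cleanup runs, leaving the test principal in place. Wrapping the checks in a `block:` with the delete under `always:` would guarantee cleanup on either outcome. The new `success_msg` also misspells its last word: `success_msg: Kerberos primary and secondary KDC running and Kerberos database replication successful`.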
@@ -1,2 +1,3 @@
---
setup_realm: "{{ realm | default('COMMUNITY.LAB') }}"
setup_domain: "{{ domain | default('example.com') }}"
@@ -1,17 +1,18 @@
---
- name: Install necessary packages
ansible.builtin.apt:
name: "krb5-user"
name: krb5-user
state: present
update_cache: true

- name: Copy krb5.conf
ansible.builtin.template:
src: "krb5.conf"
dest: "/etc/krb5.conf"
src: krb5.conf
dest: /etc/krb5.conf
mode: "0644"

- name: Create folder /etc/keytabs
ansible.builtin.file:
path: "/etc/keytabs"
path: /etc/keytabs
state: directory
mode: "0755"
@@ -1,3 +1,4 @@
---
- name: Gather package facts
ansible.builtin.package_facts:
manager: auto
@@ -1,2 +1,3 @@
---
keytab_user: "{% if keytab.keytab_user is defined %}{{ keytab.keytab_user }}{% else %}{{ keytab.principal }}{% endif %}"
keytab_group: "{{ ide_services_group | default('root') }}"
@@ -1,9 +1,10 @@
---
- name: Set fact for keytab hostname
ansible.builtin.set_fact:
keytab_hostname: "{{ ansible_fqdn if molecule_deployment is defined and molecule_deployment else inventory_hostname }}"

- name: Check if keytab is already present and kinit possible using specific principal
ansible.builtin.command: "kinit -k {{ keytab.principal}}/{{ keytab_hostname }}@{{ realm }} -t {{ keytab_folder }}/{{ keytab.principal }}.keytab"
ansible.builtin.command: kinit -k {{ keytab.principal }}/{{ keytab_hostname }}@{{ realm }} -t {{ keytab_folder }}/{{ keytab.principal }}.keytab
failed_when: false
register: keytab_possible

Expand All @@ -12,55 +13,53 @@
when: keytab_possible.rc != 0
block:
- name: Add specific principal
ansible.builtin.command: "kadmin.local -q \"addprinc -randkey {{ keytab.principal }}/{{ keytab_hostname }}\""
ansible.builtin.command: kadmin.local -q "addprinc -randkey {{ keytab.principal }}/{{ keytab_hostname }}"

- name: Add additional non-fqdn principal if additional_principal true
ansible.builtin.command: "kadmin.local -q \"addprinc -randkey {{ keytab.principal }}/{{ keytab.additional_principal_name }}\""
ansible.builtin.command: kadmin.local -q "addprinc -randkey {{ keytab.principal }}/{{ keytab.additional_principal_name }}"
when: keytab.additional_principal_name is defined

- name: Change random principal password for specific principal if set
ansible.builtin.command: "kadmin.local -q \"change_password -w {{ keytab.principal_password }} {{ keytab.principal }}/{{ keytab_hostname }}\""
ansible.builtin.command: kadmin.local -q "change_password -w {{ keytab.principal_password }} {{ keytab.principal }}/{{ keytab_hostname }}"
when: keytab.principal_password is defined

- name: Delete existing keytab in /tmp
ansible.builtin.file:
path: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
path: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
state: absent

- name: Create keytab in /tmp
ansible.builtin.command: "kadmin.local -q \"xst -norandkey \
-k /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab \
{{ keytab.principal }}/{{ keytab_hostname }}\""
ansible.builtin.command: kadmin.local \
-q "xst -norandkey -k /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab {{ keytab.principal }}/{{ keytab_hostname }}"

- name: Add additional non-fqdn principal to keytab if additional_principal_name is defined
ansible.builtin.command: "kadmin.local -q \"ktadd -norandkey \
-k /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab \
{{ keytab.principal }}/{{ keytab.additional_principal_name }}\""
ansible.builtin.command: kadmin.local \
-q "ktadd -norandkey -k /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab {{ keytab.principal }}/{{ keytab.additional_principal_name }}"
when: keytab.additional_principal_name is defined

- name: Fetch keytab to localhost to /tmp
ansible.builtin.fetch:
src: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
dest: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
src: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
dest: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
flat: true

- name: Delete existing keytab in /tmp
ansible.builtin.file:
path: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
path: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
state: absent

- name: Copy keytab from localhost to remote host
when: keytab_possible.rc != 0
block:
- name: Copy keytab to kerberos client to /tmp
ansible.builtin.copy:
src: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
src: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
dest: "{{ keytab_folder }}/{{ keytab.principal }}.keytab"
mode: "0644"
owner: "{{ keytab_user }}"
group: "{{ keytab_group }}"

- name: Delete existing keytab in /tmp
ansible.builtin.file:
path: "/tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab"
path: /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab
state: absent
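Review bot: The continuation `kadmin.local \` in the new `Create keytab in /tmp` task (and the same form in `Add additional non-fqdn principal to keytab` two tasks down) is now a plain scalar since the surrounding double quotes were removed, so YAML keeps the backslash as a literal character and folds the line break into a space; as far as I can read it the module receives `kadmin.local \ -q "xst …"`, whereas the old double-quoted form escaped the newline and produced a single clean command. A folded block scalar yields the intended one-line command without any continuation character: `ansible.builtin.command: >-` followed by `  kadmin.local -q "xst -norandkey -k /tmp/{{ keytab.principal }}_{{ keytab_hostname }}.keytab` and `  {{ keytab.principal }}/{{ keytab_hostname }}"`. The same backslash-continuation pattern appears in the two `ldappasswd` tasks and the `kdb5_ldap_util` task of the server tasks file further down in this commit. Separately, the `change_password -w {{ keytab.principal_password }}` task puts the principal password on the command line and has no `no_log: true`, so verbose runs echo it in the task result's `cmd`; adding `no_log: true` to that task keeps it out of logs.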
@@ -1,3 +1,4 @@
---
- name: Create keytab looping over kerberos_keytabs list
ansible.builtin.include_tasks: create-keytab.yml
loop: "{{ kerberos_keytabs }}"
@@ -1,9 +1,10 @@
---
server_primary_kdc_packages:
- "krb5-kdc-ldap"
- "schema2ldif"
- "krb5-admin-server"
- krb5-kdc-ldap
- schema2ldif
- krb5-admin-server

server_secondary_kdc_packages:
- "krb5-kdc-ldap"
- "schema2ldif"
- "krb5-admin-server"
- krb5-kdc-ldap
- schema2ldif
- krb5-admin-server
@@ -1,64 +1,64 @@
---
- name: Check if Kerberos schema file is already copied
ansible.builtin.stat:
path: "/etc/ldap/schema/kerberos.schema.gz"
path: /etc/ldap/schema/kerberos.schema.gz
register: kerberos_schema_file

- name: Copy and unarchive Kerberos schema file
when: not kerberos_schema_file.stat.exists
block:
- name: Copy Kerberos schema file to path /etc/ldap/schema
ansible.builtin.copy:
src: "/usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"
dest: "/etc/ldap/schema/kerberos.schema.gz"
src: /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
dest: /etc/ldap/schema/kerberos.schema.gz
mode: "0644"
remote_src: true

- name: Decompress Kerberos schema file using gunzip
ansible.builtin.command: "gunzip /etc/ldap/schema/kerberos.schema.gz"
ansible.builtin.command: gunzip /etc/ldap/schema/kerberos.schema.gz

- name: Import Kerberos schema
ansible.builtin.command: "ldap-schema-manager -i kerberos.schema"
ansible.builtin.command: ldap-schema-manager -i kerberos.schema

- name: Copy krb5_principal_name.ldif to /tmp
ansible.builtin.copy:
src: "krb5_principal_name.ldif"
dest: "/tmp/krb5_principal_name.ldif"
src: krb5_principal_name.ldif
dest: /tmp/krb5_principal_name.ldif
mode: "0644"

- name: Import index krbPrincipalName to LDAP database
failed_when: ldap_modify.rc not in [0,20]
ansible.builtin.command: "ldapmodify -Q -Y EXTERNAL -H ldapi:/// -w {{ ldap_password }} -f /tmp/krb5_principal_name.ldif"
ansible.builtin.command: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -w {{ ldap_password }} -f /tmp/krb5_principal_name.ldif
register: ldap_modify

- name: Copy krb5_administrative_entities.ldif to /tmp
ansible.builtin.template:
src: "krb5_administrative_entities.ldif"
dest: "/tmp/krb5_administrative_entities.ldif"
src: krb5_administrative_entities.ldif
dest: /tmp/krb5_administrative_entities.ldif
mode: "0644"

- name: Create LDAP entries for the Kerberos administrative entities that will contact the OpenLDAP server
failed_when: ldap_add.rc not in [0,68]
ansible.builtin.command: "ldapadd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} \
-f /tmp/krb5_administrative_entities.ldif"
ansible.builtin.command: ldapadd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} -f /tmp/krb5_administrative_entities.ldif
register: ldap_add

- name: Set password for 'uid=kdc-service,{{ ldap_organization }}'
ansible.builtin.command: "ldappasswd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} \
-s {{ ldap_kdc_service_password }} uid=kdc-service,{{ ldap_organization }}"
ansible.builtin.command: ldappasswd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} \
-s {{ ldap_kdc_service_password }} uid=kdc-service,{{ ldap_organization }}

- name: Set password for 'uid=kadmin-service,{{ ldap_organization }}'
ansible.builtin.command: "ldappasswd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} \
-s {{ ldap_kadmin_service_password }} uid=kadmin-service,{{ ldap_organization }}"
ansible.builtin.command: ldappasswd -H ldapi:/// -D cn=admin,{{ ldap_organization }} -w {{ ldap_password }} \
-s {{ ldap_kadmin_service_password }} uid=kadmin-service,{{ ldap_organization }}

- name: Copy kerberos_ldap_acls.ldif to /tmp
ansible.builtin.template:
src: "kerberos_ldap_acls.ldif"
dest: "/tmp/kerberos_ldap_acls.ldif"
src: kerberos_ldap_acls.ldif
dest: /tmp/kerberos_ldap_acls.ldif
mode: "0644"

- name: Add Kerberos ACLs to LDAP database
failed_when: ldap_modify.rc not in [0,20]
ansible.builtin.command: "ldapmodify -Q -Y EXTERNAL -H ldapi:/// -w {{ ldap_password }} -f /tmp/kerberos_ldap_acls.ldif"
ansible.builtin.command: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -w {{ ldap_password }} -f /tmp/kerberos_ldap_acls.ldif
register: ldap_modify

- name: Copy kerberos configuration files
Expand All @@ -67,17 +67,17 @@
dest: "{{ item.path }}/{{ item.file }}"
mode: "0644"
loop:
- file: "kadm5.acl"
path: "/etc/krb5kdc"
- file: "krb5.conf"
path: "/etc"
- file: kadm5.acl
path: /etc/krb5kdc
- file: krb5.conf
path: /etc
loop_control:
label: "{{ item.file }}"

- name: Create Kerberos LDAP database
failed_when: false
ansible.builtin.command: "kdb5_ldap_util -D cn=admin,{{ ldap_organization }} create -subtrees {{ ldap_organization }} \
-r {{ realm }} -s -H ldapi:/// -w {{ ldap_password }} -P {{ realm_password }}"
ansible.builtin.command: kdb5_ldap_util -D cn=admin,{{ ldap_organization }} create \
-subtrees {{ ldap_organization }} -r {{ realm }} -s -H ldapi:/// -w {{ ldap_password }} -P {{ realm_password }}

- name: Copy script to create password stash file
ansible.builtin.template:
Expand All @@ -86,29 +86,28 @@
mode: "0555"

- name: Create a stash of the password used to bind to the LDAP server
ansible.builtin.shell: "/tmp/create_stash_file.sh"

ansible.builtin.command: /tmp/create_stash_file.sh
- name: Stop Kerberos services
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
loop:
- "krb5-kdc"
- "krb5-admin-server"
- krb5-kdc
- krb5-admin-server

- name: Start Kerberos services
ansible.builtin.systemd:
name: "{{ item }}"
state: started
loop:
- "krb5-kdc"
- "krb5-admin-server"
- krb5-kdc
- krb5-admin-server

- name: Fetch stash and service.keyfile to ansible server
ansible.posix.synchronize:
src: "/etc/krb5kdc/{{ item }}"
dest: "/tmp/"
src: /etc/krb5kdc/{{ item }}
dest: /tmp/
mode: pull
loop:
- ".k5.{{ realm }}"
- "service.keyfile"
- .k5.{{ realm }}
- service.keyfile
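Review bot: The two `ldapmodify` tasks, the `ldapadd` task, both `ldappasswd` tasks and the `kdb5_ldap_util` task pass `{{ ldap_password }}`, the two service passwords and `{{ realm_password }}` as command-line arguments with no `no_log: true`, so on verbose runs the full command including the secret is echoed in the task result's `cmd` and lands in whatever collects the playbook output; add `no_log: true` to each of these tasks (the existing `failed_when` conditions only read `rc`, so they keep working). The third hunk also drops the blank line between `ansible.builtin.command: /tmp/create_stash_file.sh` and `- name: Stop Kerberos services`, unlike every other task boundary in the file; restore it for consistency. The stash script is deployed with `mode: "0555"` and is never removed after the `Create a stash of the password` task; whether it embeds a password depends on the template, which is outside the hunk, but if it does, a follow-up `ansible.builtin.file` task with `state: absent` would be worth adding.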
