Sync OpenShift Groups with records from an external provider.
Version added: 2.1.0
- In order to sync/prune OpenShift Group records with those from an external provider, determine which Groups you wish to sync and where their records live.
- Analogous to oc adm prune groups and oc adm group sync.
- LDAP sync configuration file syntax can be found here https://docs.openshift.com/container-platform/4.9/authentication/ldap-syncing.html.
- The bindPassword attribute of the LDAP sync configuration is expected to be a string, please use ansible-vault encryption to secure this information.
The below requirements are needed on the host that executes this module.
- python >= 3.6
- kubernetes >= 12.0.0
- python-ldap
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
|
allow_groups
list
/ elements=string
|
Default: []
|
Allowed groups, could be openshift group name or LDAP group dn value.
When parameter
type is set to ldap this should contains only LDAP group definition like cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat. |
|
|
api_key
string
|
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
|
||
|
ca_cert
path
|
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
aliases: ssl_ca_cert |
||
|
client_cert
path
|
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
aliases: cert_file |
||
|
client_key
path
|
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
aliases: key_file |
||
|
context
string
|
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
|
||
|
deny_groups
list
/ elements=string
|
Default: []
|
Denied groups, could be openshift group name or LDAP group dn value.
When parameter
type is set to ldap this should contains only LDAP group definition like cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat.The elements specified in this list will override the ones specified in
allow_groups. |
|
|
host
string
|
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
|
||
|
impersonate_groups
list
/ elements=string
added in 2.3.0
|
Group(s) to impersonate for the operation.
Can also be specified via K8S_AUTH_IMPERSONATE_GROUPS environment. Example: Group1,Group2
|
||
|
impersonate_user
string
added in 2.3.0
|
Username to impersonate for the operation.
Can also be specified via K8S_AUTH_IMPERSONATE_USER environment.
|
||
|
kubeconfig
raw
|
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
Multiple Kubernetes config file can be provided using separator ';' for Windows platform or ':' for others platforms.
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
|
||
|
no_proxy
string
added in 2.3.0
|
The comma separated list of hosts/domains/IP/CIDR that shouldn't go through proxy. Can also be specified via K8S_AUTH_NO_PROXY environment variable.
Please note that this module does not pick up typical proxy settings from the environment (e.g. NO_PROXY).
This feature requires kubernetes>=19.15.0. When kubernetes library is less than 19.15.0, it fails even no_proxy set in correct.
example value is "localhost,.local,.example.com,127.0.0.1,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
|
||
|
password
string
|
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
Please read the description of the
username option for a discussion of when this option is applicable. |
||
|
persist_config
boolean
|
|
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
Default to false.
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
The fix for this k8s python library is here: kubernetes-client/python-base#169
|
|
|
proxy
string
|
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
|
||
|
proxy_headers
dictionary
added in 2.0.0
|
The Header used for the HTTP proxy.
Documentation can be found here https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html?highlight=proxy_headers#urllib3.util.make_headers.
|
||
|
basic_auth
string
|
Colon-separated username:password for basic authentication header.
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
|
||
|
proxy_basic_auth
string
|
Colon-separated username:password for proxy basic authentication header.
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
|
||
|
user_agent
string
|
String representing the user-agent you want, such as foo/1.0.
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
|
||
|
state
string
|
|
Determines if the group should be sync when set to
present or pruned when set to absent. |
|
|
sync_config
dictionary
/ required
|
Provide a valid YAML definition of an LDAP sync configuration.
aliases: config, src |
||
|
type
string
|
|
which groups allow and deny list entries refer to.
|
|
|
username
string
|
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
|
||
|
validate_certs
boolean
|
|
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
aliases: verify_ssl |
|
Note
- To avoid SSL certificate validation errors when
validate_certsis True, the full certificate chain for the API server must be provided viaca_certor in the kubeconfig file.
# Prune all orphaned groups
- name: Prune all orphan groups
openshift_adm_groups_sync:
state: absent
src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}"
# Prune all orphaned groups from a list of specific groups specified in allow_groups
- name: Prune all orphan groups from a list of specific groups specified in allow_groups
openshift_adm_groups_sync:
state: absent
src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}"
allow_groups:
- cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat
- cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat
# Sync all groups from an LDAP server
- name: Sync all groups from an LDAP server
openshift_adm_groups_sync:
src:
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://localhost:1390
insecure: true
bindDN: cn=admin,dc=example,dc=org
bindPassword: adminpassword
rfc2307:
groupsQuery:
baseDN: "cn=admins,ou=groups,dc=example,dc=org"
scope: sub
derefAliases: never
filter: (objectClass=*)
pageSize: 0
groupUIDAttribute: dn
groupNameAttributes: [cn]
groupMembershipAttributes: [member]
usersQuery:
baseDN: "ou=users,dc=example,dc=org"
scope: sub
derefAliases: never
pageSize: 0
userUIDAttribute: dn
userNameAttributes: [mail]
tolerateMemberNotFoundErrors: true
tolerateMemberOutOfScopeErrors: true
# Sync all groups except the ones from the deny_groups from an LDAP server
- name: Sync all groups from an LDAP server using deny_groups
openshift_adm_groups_sync:
src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}"
deny_groups:
- cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat
- cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat
# Sync all OpenShift Groups that have been synced previously with an LDAP server
- name: Sync all OpenShift Groups that have been synced previously with an LDAP server
openshift_adm_groups_sync:
src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}"
type: openshiftCommon return values are documented here, the following are the fields unique to this module:
- Aubin Bikouo (@abikouo)