Southern-Coalition-Team-19 / southerncoalition

GNU General Public License v3.0

Create an ansible vault for OpenShift #22

Open computate opened 4 years ago

computate commented 4 years ago

Create an ansible vault for your OpenShift.

As a team, create and edit an encrypted ansible vault with a password for the host secrets for your shared OpenShift inventory.

install -d /usr/local/src/southerncoalition/inventories/openshift/host_vars/localhost/
ansible-vault create /usr/local/src/southerncoalition/inventories/openshift/host_vars/localhost/vault
ansible-vault edit /usr/local/src/southerncoalition/inventories/openshift/host_vars/localhost/vault

The contents of the vault will contain the secrets needed to override any default values you want to change in the app defaults defined here.

https://github.com/computate/computate/blob/master/ansible/roles/southerncoalition_openshift_enUS/defaults/main.yml

There are descriptions for each of the fields. There are several sections of fields, including:

Here is an example of the contents of the ansible vault for OpenShift:


####################
# Ansible defaults #
####################

# Add to an ansible-vault the username of your user on your computer (echo $USER). 
USER_NAME: "..."
# Add to an ansible-vault the password of your user on your computer to become root for configuring the applications. 
USER_PASSWORD: "..."
# Setup the ansible user when running the playbook as your user. 
ansible_user: "{{USER_NAME}}"
# Setup the ansible sudo password as your password when running the playbook. 
ansible_sudo_pass: "{{USER_PASSWORD}}"
# Setup the ansible password for elevated privileges as your password when running the playbook. 
ansible_become_pass: "{{USER_PASSWORD}}"
# Setup the ansible password for ssh as your password when running the playbook. 
ansible_ssh_pass: "{{USER_PASSWORD}}"
# Setup the decryption password for decrypting other secrets in the playbook. 
VAULT_PASSWORD: "{{USER_PASSWORD}}"

######################
# OpenShift defaults #
######################

# The OpenShift base URL where applications will be deployed. 
REDHAT_OPENSHIFT_HOST: https://api.pro-us-east-1.openshift.com
# The OpenShift secret token to grant access to OpenShift (https://api.pro-us-east-1.openshift.com/oauth/token/request). 
REDHAT_OPENSHIFT_TOKEN: "..."
# The OpenShift namespace where applications will be deployed. 
REDHAT_OPENSHIFT_NAMESPACE: "mynamespace"

######################
# Zookeeper defaults #
######################

# The default port that Zookeeper runs to manage the cluster. 
ZOOKEEPER_PORT: 2181
# The Zookeeper OpenShift base URL where Zookeeper will be deployed. 
ZOOKEEPER_HOST: "{{REDHAT_OPENSHIFT_HOST}}"
# The Zookeeper OpenShift secret token to grant access to OpenShift (https://api.pro-us-east-1.openshift.com/oauth/token/request). 
ZOOKEEPER_TOKEN: "{{REDHAT_OPENSHIFT_TOKEN}}"
# The Zookeeper OpenShift namespace where Zookeeper will be deployed. 
ZOOKEEPER_NAMESPACE: "{{REDHAT_OPENSHIFT_NAMESPACE}}"
# The Zookeeper volume size for Zookeeper files. 
ZOOKEEPER_VOLUME_SIZE: 1Gi
# The default hostname for the Zookeeper cluster manager. 
ZOOKEEPER_HOST_NAME: "computate-zookeeper.{{ZOOKEEPER_NAMESPACE}}.svc"

#################
# Solr defaults #
#################

# The default port that Solr runs. 
SOLR_PORT: 8983
# The Solr OpenShift base URL where Solr will be deployed. 
SOLR_HOST: "{{REDHAT_OPENSHIFT_HOST}}"
# The Solr OpenShift secret token to grant access to OpenShift (https://api.pro-us-east-1.openshift.com/oauth/token/request). 
SOLR_TOKEN: "{{REDHAT_OPENSHIFT_TOKEN}}"
# The Solr OpenShift namespace where Solr will be deployed. 
SOLR_NAMESPACE: "{{REDHAT_OPENSHIFT_NAMESPACE}}"
# The Solr volume size for Solr files. 
SOLR_VOLUME_SIZE: 1Gi
# The default hostname for the Solr search engine. 
SOLR_HOST_NAME: "computate-solr.{{SOLR_NAMESPACE}}.svc"

#######################
# PostgreSQL defaults #
#######################

# The default port that PostgreSQL runs. 
POSTGRES_PORT: 5432
# The PostgreSQL OpenShift base URL where PostgreSQL will be deployed. 
POSTGRES_HOST: "{{REDHAT_OPENSHIFT_HOST}}"
# The PostgreSQL OpenShift secret token to grant access to OpenShift (https://api.pro-us-east-1.openshift.com/oauth/token/request). 
POSTGRES_TOKEN: "{{REDHAT_OPENSHIFT_TOKEN}}"
# The PostgreSQL OpenShift namespace where PostgreSQL will be deployed. 
POSTGRES_NAMESPACE: "{{REDHAT_OPENSHIFT_NAMESPACE}}"
# The PostgreSQL volume size for PostgreSQL data files. 
POSTGRES_VOLUME_SIZE: 1Gi
# The default hostname for the PostgreSQL database. 
POSTGRES_HOST_NAME: "postgres.{{POSTGRES_NAMESPACE}}.svc"
# The default username for the PostgreSQL database. 
POSTGRES_DB_USER: computate
# The default PostgreSQL database name. 
POSTGRES_DB_NAME: southerncoalition
# The default PostgreSQL database password. 
POSTGRES_DB_PASSWORD: "..."

#####################################
# southerncoalition global defaults #
#####################################

# The base URL where the static files will point to.  
SOUTHERNCOALITION_STATIC_BASE_URL: "https://example.neocities.org"
# The number of background worker executors that may run. 
SOUTHERNCOALITION_NUMBER_EXECUTORS: 5
# The properties file where the SSL/TLS encryption is configured. 
SOUTHERNCOALITION_SSL_PROPERTIES_FILENAME: southerncoalition-keystore.properties

#################################################
# southerncoalition English in the US defaults #
#################################################

# The domain name of the site. 
SOUTHERNCOALITION_DOMAIN_NAME_ENUS: "example.com"
# The host name of the site. 
SOUTHERNCOALITION_SITE_HOST_NAME_ENUS: "southerncoalition-dev.{{SOUTHERNCOALITION_DOMAIN_NAME_ENUS}}"
# The port of the site. 
SOUTHERNCOALITION_SITE_PORT_ENUS: "10581"
# The base URL of the site. 
SOUTHERNCOALITION_SITE_BASE_URL_ENUS: "https://{{SOUTHERNCOALITION_SITE_HOST_NAME_ENUS}}:{{SOUTHERNCOALITION_SITE_PORT_ENUS}}"
# The Solr collection of the site. 
SOUTHERNCOALITION_SOLR_COLLECTION_ENUS: "site"
# The timezone of the site. 
SOUTHERNCOALITION_SITE_ZONE_ENUS: "America/Denver"
# The PostgreSQL database host name of the site. 
SOUTHERNCOALITION_DB_HOST_NAME_ENUS: "localhost"
# The PostgreSQL database user name of the site. 
SOUTHERNCOALITION_DB_USER_ENUS: computate
# The PostgreSQL database password of the site. 
SOUTHERNCOALITION_DB_PASSWORD_ENUS: "..."
# The PostgreSQL database name of the site. 
SOUTHERNCOALITION_DB_NAME_ENUS: southerncoalition
# The Java main class of the site. 
SOUTHERNCOALITION_JAVA_MAIN_CLASS_ENUS: org.computate.southerncoalition.enUS.vertx.AppVertx
# The backup directory of the site. 
SOUTHERNCOALITION_BACKUP_DIR_ENUS: /usr/local/src/southerncoalition-static/data/enUS
# The restore directory of the site. 
SOUTHERNCOALITION_RESTORE_DIR_ENUS: /home/ctate/backup/southerncoalition-dev/enUS

#################
# SMTP defaults #
#################

# The email SMTP host name. 
EMAIL_HOST_NAME: smtp.example.com
# The email SMTP port. 
EMAIL_PORT: 465
# The email SMTP from email address. 
EMAIL_FROM: "..."
# Whether email SMTP SSL/TLS encryption is enabled. 
EMAIL_SSL: true
# Whether email SMTP username password authentication is enabled. 
EMAIL_AUTH: true
# The email SMTP username. 
EMAIL_USER: "..."
# The email SMTP password. 
EMAIL_PASSWORD: "..."

####################
# SSL/TLS defaults #
####################

# The keystore alias (the site domain name; the FRFR variable referenced here previously is not defined in this enUS vault). 
SSL_ALIAS: "{{SOUTHERNCOALITION_DOMAIN_NAME_ENUS}}"
# The keystore directory. 
SSL_KEYSTORE_PATH: /opt/keystore
# The keystore properties filename. 
SSL_PROPERTIES_FILENAME: "{{SOUTHERNCOALITION_SSL_PROPERTIES_FILENAME}}"
# The keystore filename. 
SSL_JKS_FILENAME: "{{SSL_ALIAS}}.jks"
# The keystore path. 
SSL_JKS_PATH: "{{SSL_KEYSTORE_PATH}}/{{SSL_JKS_FILENAME}}"
# The certificate filename. 
SSL_CRT_FILENAME: "{{SSL_ALIAS}}.crt"
# The certificate path. 
SSL_CRT_PATH: "{{SSL_KEYSTORE_PATH}}/{{SSL_CRT_FILENAME}}"
# The private key filename. 
SSL_KEY_FILENAME: "{{SSL_ALIAS}}.key"
# The private key path. 
SSL_KEY_PATH: "{{SSL_KEYSTORE_PATH}}/{{SSL_KEY_FILENAME}}"
# The p12 file password. 
SSL_P12_PASSWORD: "..."
# The keystore file password. 
SSL_JKS_PASSWORD: "{{SSL_P12_PASSWORD}}"
# The keystore file base64 encoded (base64 -w 0 /opt/keystore/computate.org.jks). 
SSL_JKS_BASE64: "..."
# The jceks file base64 encoded (base64 -w 0 /opt/keystore/computate.org.jceks). 
SSL_JCEKS_BASE64: "..."

#######################################
# OpenID Connect auth server defaults #
#######################################

# The Red Hat SSO OpenShift base URL where Red Hat SSO will be deployed. 
SSO_HOST: "{{REDHAT_OPENSHIFT_HOST}}"
# The Red Hat SSO OpenShift secret token to grant access to OpenShift (https://api.pro-us-east-1.openshift.com/oauth/token/request). 
SSO_TOKEN: "{{REDHAT_OPENSHIFT_TOKEN}}"
# The Red Hat SSO OpenShift namespace where Red Hat SSO will be deployed. 
SSO_NAMESPACE: "{{REDHAT_OPENSHIFT_NAMESPACE}}"
# The default username for the Red Hat SSO PostgreSQL database. 
SSO_DB_USERNAME: "..."
# The default Red Hat SSO PostgreSQL database password. 
SSO_DB_PASSWORD: "..."
# The default Red Hat SSO PostgreSQL database name. 
SSO_DB_DATABASE: root
# The Red Hat SSO HTTPS keystore alias. 
SSO_HTTPS_NAME: "{{SSL_ALIAS}}"
# The Red Hat SSO HTTPS keystore file password. 
SSO_HTTPS_PASSWORD: "{{SSL_JKS_PASSWORD}}"
# The Red Hat SSO JGroups keystore alias. 
SSO_JGROUPS_ENCRYPT_NAME: "{{SSL_ALIAS}}"
# The Red Hat SSO JGroups keystore file password. 
SSO_JGROUPS_ENCRYPT_PASSWORD: "{{SSL_JKS_PASSWORD}}"
# A Red Hat SSO JGroups cluster password. 
SSO_JGROUPS_CLUSTER_PASSWORD: "..."
# A Red Hat SSO admin username. 
SSO_ADMIN_USERNAME: "..."
# A Red Hat SSO admin password. 
SSO_ADMIN_PASSWORD: "..."
# The Red Hat SSO realm (same as the Auth realm below). 
SSO_REALM: "{{AUTH_REALM}}"
# A Red Hat SSO initial user username. 
SSO_SERVICE_USERNAME: "..."
# A Red Hat SSO initial user password. 
SSO_SERVICE_PASSWORD: "..."
# The Red Hat SSO truststore file password. 
SSO_TRUSTSTORE_PASSWORD: "{{SSL_JKS_PASSWORD}}"
# The Red Hat SSO volume size for Red Hat SSO data files. 
SSO_VOLUME_SIZE: 1Gi
# The default hostname for Red Hat SSO. 
SSO_SITE_HOST_NAME: "sso.example.com"

# The Auth realm. 
AUTH_REALM: EXAMPLE.COM
# The Auth client or resource. 
AUTH_RESOURCE: example.com
# The Auth secret. 
AUTH_SECRET: "..."
# The Auth URL. 
AUTH_URL: https://sso.example.com/auth

Look for values to override, especially those like this: "...".
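
The procedure above (create the directory, create the vault, paste the defaults in, edit) is typed into a shell, so here is an added example, not part of the southerncoalition project or of computate's roles, of a few shell helpers a team could wrap around it: a vault password file kept outside the repo, wrappers around the real `ansible-vault` subcommands, a check that a file really carries the `$ANSIBLE_VAULT;` header, and a scan of a host_vars directory for `*PASSWORD`/`*TOKEN`/`*SECRET`/`*_pass` keys whose values are neither the `"..."` placeholder nor a `{{ jinja }}` reference, i.e. secrets that were pasted into an unencrypted file. The password-file path and the regular expressions are assumptions; the vault header prefix is what `ansible-vault` writes.

```shell
#!/usr/bin/env bash
# Added example, not part of the southerncoalition project: shell helpers
# for a team-shared ansible-vault file such as
# inventories/openshift/host_vars/localhost/vault.  Paths are assumptions.
set -eu

# Every file ansible-vault encrypts starts with this header (format 1.1, or
# 1.2 with a vault-id label after AES256).  A file named "vault" that lacks
# it is plaintext and must never be committed.
VAULT_HEADER_PREFIX='$ANSIBLE_VAULT;'

# Return 0 if FILE is an encrypted ansible-vault file, 1 otherwise.
vault_is_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    IFS= read -r first_line < "$file" || true
    case "$first_line" in
        "$VAULT_HEADER_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a vault password file outside the repo, readable only by its owner.
# The team shares this password out of band, never through git.
# Usage: make_vault_password_file "$HOME/.ansible/southerncoalition-vault-pass"
make_vault_password_file() {
    path="$1"
    install -d -m 0700 "$(dirname "$path")"
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$path" )
    chmod 0600 "$path"
    [ -s "$path" ]
}

# Thin wrappers around the real ansible-vault subcommands using that file
# (exporting ANSIBLE_VAULT_PASSWORD_FILE works as well).  "create" is for a
# brand-new vault; "encrypt" turns a pasted plaintext YAML into one in place.
vault_create()  { ansible-vault create  --vault-password-file "$2" "$1"; }
vault_encrypt() { ansible-vault encrypt --vault-password-file "$2" "$1"; }
vault_edit()    { ansible-vault edit    --vault-password-file "$2" "$1"; }
vault_view()    { ansible-vault view    --vault-password-file "$2" "$1"; }

# Scan the files in a (flat) host_vars directory for secrets that escaped
# the vault: an unencrypted YAML file assigning a *password*/*token*/
# *secret*/*_pass key to anything other than the "..." placeholder or a
# {{ jinja }} reference.  Prints the offending lines and returns 1 if found.
find_plaintext_secrets() {
    dir="$1"
    found=0
    key_re='^[[:space:]]*[A-Za-z0-9_]*(password|token|secret|_pass)[A-Za-z0-9_]*:'
    ok_re=':[[:space:]]*"?(\.\.\.|[{][{][^}]*[}][}])"?[[:space:]]*$'
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        vault_is_encrypted "$file" && continue
        hits=$(grep -iE "$key_re" "$file" | grep -vE "$ok_re" || true)
        if [ -n "$hits" ]; then
            printf 'plaintext secret in %s:\n%s\n' "$file" "$hits" >&2
            found=1
        fi
    done
    return "$found"
}

# Usage (needs ansible-vault on PATH; the password file path is assumed):
#   PASS="$HOME/.ansible/southerncoalition-vault-pass"
#   make_vault_password_file "$PASS"
#   vault_encrypt inventories/openshift/host_vars/localhost/vault "$PASS"
#   vault_is_encrypted inventories/openshift/host_vars/localhost/vault && echo encrypted
#   find_plaintext_secrets inventories/openshift/host_vars/localhost && echo clean
```

Run `find_plaintext_secrets` against `host_vars/localhost` before every commit (a pre-commit hook is the natural place): the vault itself is skipped because it carries the header, and only unencrypted files with real-looking secret values fail the check. When running the playbook, pass the same file with `ansible-playbook --vault-password-file "$PASS" ...` instead of typing the password.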

charlescampbell599 commented 4 years ago

@computate The steps weren't clear to me at first...that I needed to copy the contents of the yaml file into the editor after issuing the ansible create/edit command. Perhaps the instructions could be edited to provide more clear step by step instructions:

  1. install
  2. create
  3. Copy contents of yaml file into editor (vi for my Mac)
  4. edit

cc5tudio commented 4 years ago

@computate Chris, I forgot I was logged in with my other account...this is the github account I need to use for this project. Can you invite cc5tudio instead of charlescampbell599 to the account. Thanks.

computate commented 4 years ago

OK, I cleaned up the accounts @cc5tudio

cc5tudio commented 4 years ago

What are the values for REDHAT_OPENSHIFT_TOKEN? It's asking me to create another account: https://manage.openshift.com/register/plan

computate commented 4 years ago

@cc5tudio The REDHAT_OPENSHIFT_TOKEN is the token you get when you copy the login command in OpenShift as seen here: image