literalice / terraform-aws-openshift

Creates OpenShift Container Platform(OCP) or OKD cluster
https://registry.terraform.io/modules/literalice/openshift/aws
35 stars, 42 forks

Change AllowAllPasswordIdentityProvider to HTPasswdPasswordIdentityProvider #9

Open hufon opened 5 years ago

hufon commented 5 years ago

I've seen that the authentication is not secure at all by default in this script. It could be better to change it to HTPasswdPasswordIdentityProvider

What is the best way to achieve this? Thanks for this great work!

iboware commented 5 years ago

I'm also wondering how this is possible. I'm a developer who is new to all these devops tools like terraform and ansible. Can anyone enlighten me about where I should put these authentication provider settings?

joshua-rutherford commented 5 years ago

My proposal here would be to allow the configuration of one or more identity providers by variables. I'll be spiking this in my fork today (already have it hardcoded to use Google instead). If desired, I'll push back upstream.

iboware commented 5 years ago

Thanks @joshua-rutherford. What should I do to activate HTPasswdPasswordIdentityProvider? Can you provide an example variable file?

joshua-rutherford commented 5 years ago

If you are simply looking to activate it in your fork of the current master branch of this repository you just need to modify the following template to add that provider instead of the current one: https://github.com/literalice/terraform-aws-openshift/blob/master/modules/openshift/resources/template-inventory.yaml#L20. You would need to also lay down a password file in the location your configuration expects.

I have opened #14 which outlines a configurable way to specify one or more providers. If that is accepted I might consider adding the additional capability for HTPasswd as well but I need to get traction with that pull request first.

joshua-rutherford commented 5 years ago

@iboware did you ever take action on this? I now have a need for the htpassword provider and would love it if you already solved this one. I'll start it in the meantime.

iboware commented 5 years ago

Hi. Sorry for the late answer. I haven't had time to take a look at this in a long while. Now I'm trying to create a production-ready deployment and I saw that you have added support for GoogleIdentityProvider. I'll test those and let you know. Thanks!

iboware commented 5 years ago

Hi @joshua-rutherford, do you know how I can create or transfer the users.htpasswd file to the master node?

joshua-rutherford commented 5 years ago

I am currently just standing up the nodes then copying the desired file into place or editing it on the masters. I'm not a huge fan of controlling that through terraform since passwords will need to change anyway over time. I don't think there is a good way to handle that with htpasswd so some level of ssh'ing in or scp'ing in will be required.
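The two practical steps raised in this thread (replacing the AllowAll provider in the inventory, and getting a users.htpasswd file into place) can be scripted locally before running the installer. The following is an added example, not code from this repository or from any commenter; it assumes the INI-style openshift-ansible inventory keys `openshift_master_identity_providers` and `openshift_master_htpasswd_file` (the repo's template is YAML, so the rendered lines would need adapting), and uses `openssl passwd -apr1` to produce the APR1 MD5 hashes that OpenShift 3.x's HTPasswdPasswordIdentityProvider accepts. The username and password below are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of literalice/terraform-aws-openshift).
# Assumes: openssl is installed; openshift-ansible inventory keys
# openshift_master_identity_providers and openshift_master_htpasswd_file.
set -eu

# add_htpasswd_user FILE USER PASSWORD
# Writes USER:HASH to FILE (creating it if needed), replacing any existing
# entry for USER so repeated calls rotate the password instead of duplicating.
add_htpasswd_user() {
  file=$1; user=$2; pass=$3
  if [ -f "$file" ]; then
    # grep -v exits 1 when nothing is left, which is fine for an empty file.
    grep -v "^$user:" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
  fi
  hash=$(openssl passwd -apr1 "$pass")
  printf '%s:%s\n' "$user" "$hash" >> "$file"
  # The file holds password hashes; keep it owner-readable only.
  chmod 600 "$file"
}

# check_htpasswd_user FILE USER PASSWORD
# Verifies PASSWORD against the stored APR1 hash by re-hashing with the
# stored salt (useful for auditing a file before copying it to the masters).
check_htpasswd_user() {
  file=$1; user=$2; pass=$3
  stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  # Stored form is $apr1$<salt>$<digest>; field 3 is the salt.
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# render_inventory_fragment LOCAL_HTPASSWD_PATH
# Emits the inventory lines that replace AllowAllPasswordIdentityProvider.
# openshift_master_htpasswd_file points at the LOCAL file; the installer
# copies it to /etc/origin/master/htpasswd on the masters.
render_inventory_fragment() {
  cat <<EOF
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_file=$1
EOF
}

# assert_no_allow_all INVENTORY_FILE
# Exits 0 only if the inventory no longer references the AllowAll provider.
assert_no_allow_all() {
  ! grep -q AllowAllPasswordIdentityProvider "$1"
}
```

Typical use: `add_htpasswd_user ./users.htpasswd admin 'constructed-example-password'`, then append the output of `render_inventory_fragment "$PWD/users.htpasswd"` to the inventory and run `assert_no_allow_all inventory` before installing. Because the hash file lives outside Terraform state, rotating a password is a matter of re-running `add_htpasswd_user` and re-copying the file, which is the workflow described in the comment above.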

iboware commented 5 years ago

@joshua-rutherford yes, I tried the same too but unfortunately I couldn't get it to work.

albestia commented 5 years ago

I've just created a new Pull Request with HtpasswdIdentityProvider to be able to set the 'admin' password. It is meant to be used with other Providers: Google, Keycloak (I'll work on that). https://github.com/literalice/terraform-aws-openshift/pull/31