diff --git a/roles/allserverspostdeployment/tasks/main.yml b/roles/allserverspostdeployment/tasks/main.yml index deab8c3..b215c8d 100644 --- a/roles/allserverspostdeployment/tasks/main.yml +++ b/roles/allserverspostdeployment/tasks/main.yml @@ -23,3 +23,5 @@ state: reloaded name: sshd +- include_tasks: squid-whitelist.yml + when: multinetwork diff --git a/roles/allserverspostdeployment/tasks/squid-whitelist.yml b/roles/allserverspostdeployment/tasks/squid-whitelist.yml new file mode 100644 index 0000000..66104e7 --- /dev/null +++ b/roles/allserverspostdeployment/tasks/squid-whitelist.yml @@ -0,0 +1,32 @@ +- name: Generate SSH keypair + command: ssh-keygen -t rsa -N "" -f /home/cloud-user/.ssh/id_rsa + no_log: True + delegate_to: localhost + run_once: yes + +- name: Copy generated SSH keypair to controlplane loadbalancers + authorized_key: + user: cloud-user + state: present + key: " {{ lookup('file', '/home/cloud-user/.ssh/id_rsa.pub') }}" + when: inventory_hostname in groups.loadbalancers_controlplane + +- name: Store whitelist serviceaccount base64 token on Bastion + lineinfile: + dest: /home/cloud-user/whitelist-sa-token + line: "{{ hostvars[groups.masters[0]]['whitelist_token_b64']['stdout'] }}" + state: present + create: yes + delegate_to: localhost + run_once: yes + +- name: Create a cron file for updating proxy whitelist for net2 deployments + cron: + name: "Update custom sites in Squid Whitelist" + cron_file: proxy-whitelist + minute: 0 + user: cloud-user + job: "/usr/bin/ansible-playbook -i /usr/share/ansible/openshift-deployment-ansible/openshift-ansible-hosts /usr/share/ansible/openshift-deployment-ansible/tools/playbooks/squid-whitelist.yaml >> /home/cloud-user/proxy-whitelist.log 2>&1" + become: true + delegate_to: localhost + run_once: yes diff --git a/roles/openshiftpostdeployment/tasks/main.yml b/roles/openshiftpostdeployment/tasks/main.yml index 451680b..0da723a 100644 --- a/roles/openshiftpostdeployment/tasks/main.yml 
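Review bot: The "Store whitelist serviceaccount base64 token on Bastion" task writes the token to /home/cloud-user/whitelist-sa-token with no `mode`, and neither it nor the task feeding it sets `no_log`, so the token is printed in the play output and the file keeps whatever permissions the default umask gives it. Use `copy` with `content:` instead of `lineinfile` so a rotated token replaces the old line rather than being appended under it (the consumer playbook b64-decodes the whole file), and add `mode: "0600"` and `no_log: true`. The "Generate SSH keypair" task is not re-runnable either: on a second run ssh-keygen finds the existing file and, with no tty to answer the overwrite prompt, presumably exits non-zero; add `creates: /home/cloud-user/.ssh/id_rsa` under `args:` so an existing key is kept. The `key:` value in the authorized_key task also carries a stray leading space inside the quotes (`" {{ lookup(...) }}"`), which is likely tolerated but should go.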
+++ b/roles/openshiftpostdeployment/tasks/main.yml @@ -5,19 +5,9 @@ force: yes backup: yes -- name: Setup tier-2 storage class file - template: - src: templates/storage-class-tier2.j2 - dest: ~/storage-class-tier2.yml - force: yes - backup: yes - - name: create tier-1 class command: /usr/local/bin/oc create -f ~/storage-class-tier1.yml -#- name: create tier-2 class -# command: /usr/local/bin/oc create -f ~/storage-class-tier2.yml - - name: Give admin rights command: /usr/local/bin/oc adm policy --config=/etc/origin/master/admin.kubeconfig add-cluster-role-to-user cluster-admin admin @@ -129,3 +119,6 @@ namespace: "openshift-monitoring" hostname: "prometheus" when: getCertificates == True + +- include_tasks: squid-whitelist.yml + when: multinetwork diff --git a/roles/openshiftpostdeployment/tasks/squid-whitelist.yml b/roles/openshiftpostdeployment/tasks/squid-whitelist.yml new file mode 100644 index 0000000..f8ed94b --- /dev/null +++ b/roles/openshiftpostdeployment/tasks/squid-whitelist.yml 
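Review bot: The include appended at the end of this file registers `whitelist_token_b64`, which the allserverspostdeployment role appears to read through `hostvars[groups.masters[0]]`, but nothing here documents that the included tasks have to run on the first master and before that role; a reader sees only `when: multinetwork`. Add a comment above the include, e.g. `# Runs oc as cluster admin on the master; allserverspostdeployment reads hostvars[groups.masters[0]].whitelist_token_b64, so keep this before it`. The first hunk in this file only deletes the tier-2 storage class tasks and needs nothing.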
@@ -0,0 +1,22 @@
+- name: Create whitelist project
+ command: /usr/local/bin/oc new-project whitelist
+
+- name: Create proxy-whitelist configmap and create empty key
+ command: /usr/local/bin/oc create configmap proxy-whitelist --from-literal=proxy-whitelist.txt= -n whitelist
+
+- name: Create whitelist-reader serviceaccount
+ command: /usr/local/bin/oc create sa whitelist-reader -n whitelist
+
+- name: Create read-whitelist role
+ command: /usr/local/bin/oc create role read-whitelist --verb=get,list --resource=configmaps --resource-name=proxy-whitelist -n whitelist
+
+- name: Apply read-whitelist role to whitelist-reader serviceaccount
+ command: /usr/local/bin/oc policy add-role-to-user read-whitelist -z whitelist-reader -n whitelist --role-namespace='whitelist'
+
+- name: Get whitelist-reader serviceaccount token name
+ command: /usr/local/bin/oc get sa -n whitelist -o jsonpath='{$.items[?(@.metadata.name=="whitelist-reader")].secrets[0].name}'
+ register: whitelist_token_name
+
+- name: Extract base64 whitelist-reader token
+ command: /usr/local/bin/oc get secret {{ whitelist_token_name.stdout }} -n whitelist -o jsonpath='{$.data.token}'
+ register: whitelist_token_b64
diff --git a/roles/squid/templates/squid.j2 b/roles/squid/templates/squid.j2
index 9b3a604..f328a1f 100644
--- a/roles/squid/templates/squid.j2
+++ b/roles/squid/templates/squid.j2
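Review bot: The last two tasks ("Get whitelist-reader serviceaccount token name" and "Extract base64 whitelist-reader token") register the token without `no_log`, so the base64 token ends up in the play output and any ansible log; add `no_log: true` to the extract task. The first five tasks are plain `command:` calls to `oc new-project`/`oc create`/`oc policy`, which fail once the objects exist, so the role cannot be re-run; register each result and tolerate the "already exists" case, or move to `oc apply` with manifests. The jsonpath `.secrets[0].name` assumes the first secret on the serviceaccount is the token secret, but a serviceaccount here normally also carries a dockercfg secret and the order is not guaranteed — select by secret type instead. In RBAC a `resourceNames` rule does not match an unfiltered `list`, so `--verb=get,list` effectively grants only `get`, which is all the consumer playbook uses; trimming it to `--verb=get` documents the intent.
```yaml
- name: Create whitelist project
  command: /usr/local/bin/oc new-project whitelist
  register: new_project
  failed_when: new_project.rc != 0 and 'already exists' not in new_project.stderr
  changed_when: new_project.rc == 0

# … unchanged: configmap, serviceaccount, role and policy tasks — same register/failed_when pattern …

- name: Extract base64 whitelist-reader token
  command: /usr/local/bin/oc get secret {{ whitelist_token_name.stdout }} -n whitelist -o jsonpath='{$.data.token}'
  register: whitelist_token_b64
  no_log: true
```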
@@ -1,63 +1,30 @@ -# -# Recommended minimum configuration: -# +http_port 3128 -# Example rule allowing access from your local networks. -# Adapt to list your (internal) IP networks from where browsing -# should be allowed -#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src {{ internalNetworkCidr }} # Neutron network acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 443 # https + +acl Safe_ports port 80 # http +acl Safe_ports port 443 # https + acl CONNECT method CONNECT -# -# Recommended minimum Access Permission configuration: -# -# Deny requests to certain unsafe ports http_access deny !Safe_ports - -# Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports - -# Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager - -# We strongly recommend the following be uncommented to protect innocent -# web applications running on the proxy server who think the only -# one who can access services on "localhost" is a local user http_access deny to_localhost -# -# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS -# acl whitelist dstdomain "/etc/squid/sites.whitelist.txt" -http_access allow whitelist -# Example rule allowing access from your local networks. -# Adapt localnet in the ACL section to list your (internal) IP networks -# from where browsing should be allowed -#http_access allow localnet +http_access allow whitelist localnet http_access allow localhost - -# And finally deny all other access to this proxy http_access deny all -# Squid normally listens to port 3128 -http_port 3128 - -# Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 - -# Leave coredumps in the first cache dir coredump_dir /var/spool/squid -# -# Add any of your own refresh_pattern entries above these. 
-#
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
diff --git a/tools/playbooks/squid-whitelist.yaml b/tools/playbooks/squid-whitelist.yaml
new file mode 100644
index 0000000..28e5a46
--- /dev/null
+++ b/tools/playbooks/squid-whitelist.yaml
@@ -0,0 +1,26 @@
+---
+- hosts: localhost, loadbalancers_controlplane
+ tasks:
+ - name: Retrieve whitelist from config-map
+ shell: |
+ /usr/bin/oc login https://ocp.{{ domainSuffix }}:8443 --token={{ lookup('file', '/home/cloud-user/whitelist-sa-token') | b64decode }} > /dev/null
+ /usr/bin/oc get configmaps proxy-whitelist -n whitelist -o jsonpath='{.data.proxy-whitelist\.txt}'
+ when: inventory_hostname == 'localhost' and multinetwork
+ register: proxy_whitelist
+
+ - name: Insert changed block to /etc/squid/sites.whitelist.txt
+ blockinfile:
+ block: "{{ hostvars['localhost']['proxy_whitelist']['stdout'] }}"
+ path: /etc/squid/sites.whitelist.txt
+ insertafter: EOF
+ marker: "# {mark} ANSIBLE MANAGED BLOCK - User whitelisted domains #"
+ become: yes
+ when: inventory_hostname in groups.loadbalancers_controlplane and multinetwork
+ notify:
+ - reconfigure squid
+
+ handlers:
+ - name: reconfigure squid
+ command: /usr/sbin/squid -k reconfigure
+ become: yes
+ when: inventory_hostname in groups.loadbalancers_controlplane
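Review bot: `http_access allow whitelist localnet` requires both ACLs to match (destination in the whitelist file AND source inside the Neutron CIDR), a real tightening over the removed `allow whitelist`, but with every explanatory comment stripped from the template the conjunction is easy to misread as "whitelist or localnet"; keep one line above it, e.g. `# both must match: destination on the whitelist AND source inside localnet`. `acl localnet src {{ internalNetworkCidr }}` renders unquoted, so an undefined or empty variable leaves a broken acl line and squid refuses to start — `{{ internalNetworkCidr | mandatory }}` or an assert in the role would fail the play at render time, assuming the role does not already validate it. `http_port 3128` listens on every interface; if the proxy is only meant for the internal network, binding it to that address (`http_port <internal-address>:3128`, placeholder) narrows exposure. `http_access allow localhost` stays unconditional, so the loadbalancer itself bypasses the whitelist — not changed by this commit, but worth a comment if that is intended.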
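Review bot: The `shell:` block in "Retrieve whitelist from config-map" expands the decoded serviceaccount token into the `oc login` command line with no `no_log`, so the token appears in the play output and any ansible log, is visible in the process list while `oc` runs, and is persisted into the bastion's `~/.kube/config` by `oc login` itself. At minimum add `no_log: true`; passing the token through `environment:` additionally keeps it out of the rendered task arguments, though the expanded argv is still briefly visible locally. The block has no `set -e`, so a failed `oc login` is masked: the task's rc is that of the trailing `oc get`, which may still succeed against a previously stored login or return empty output, and since the configmap is legitimately created with an empty key you cannot tell "login failed" from "empty list" without it. `multinetwork` is referenced in both `when:` clauses and must be defined for localhost and the loadbalancers; an undefined variable there errors the task rather than skipping it.
```yaml
    - name: Retrieve whitelist from config-map
      shell: |
        set -e
        /usr/bin/oc login https://ocp.{{ domainSuffix }}:8443 --token="$WHITELIST_TOKEN" > /dev/null
        /usr/bin/oc get configmaps proxy-whitelist -n whitelist -o jsonpath='{.data.proxy-whitelist\.txt}'
      environment:
        WHITELIST_TOKEN: "{{ lookup('file', '/home/cloud-user/whitelist-sa-token') | b64decode }}"
      no_log: true
      when: inventory_hostname == 'localhost' and multinetwork
      register: proxy_whitelist
    # … unchanged: blockinfile task and handlers …
```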