Update to support foundational update of container-httpd for external authentication #194
Conversation
|
Why is systemd required in the first place ?
|
|
When external authentication is enabled, that will depend on SSSD which requires systemd. |
| The miq-sysadmin service account must be added to the miq-sysadmin SCC before the front-end Httpd pod can run. | ||
|
|
||
| ```bash | ||
| $ oc adm policy add-scc-to-user miq-sysadmin system:serviceaccount:<your-namespace>:miq-sysadmin |
There was a problem hiding this comment.
Can we not piggyback on an existing service account?
There was a problem hiding this comment.
Then everyone using that service account would also get the SYS_ADMIN capability.
I don't think that's what we want.
There was a problem hiding this comment.
This looks good to me.
This new scc is essentially the anyuid scc with an added capability.
If a user is not able to create a new scc in the environment I would assume privileged would also work, right @abellotti ?
| @@ -22,6 +22,10 @@ objects: | |||
| metadata: | |||
| name: miq-privileged | |||
| - apiVersion: v1 | |||
| kind: ServiceAccount | |||
There was a problem hiding this comment.
Don't forget to make the same changes on the external db template.
There was a problem hiding this comment.
👍 done with commit# 2bbe170
abellotti
force-pushed
the
ext-auth-foundation
branch
from
287f093
to
1a4bb68
Compare
|
@carbonin correct, if they cannot add miq-sysadmin, then a privileged SCC will also work, I ran systemd/sssd/dbus early on as such successfully. |
abellotti
force-pushed
the
ext-auth-foundation
branch
from
f00e59a
to
2bbe170
Compare
templates/miq-template-ext-db.yaml
Outdated
| name: "${HTTPD_SERVICE_NAME}-configs" | ||
| data: | ||
| redirects.conf: | | ||
| # The following redirects files must be included to handle most specific to least specific URLs. |
There was a problem hiding this comment.
Is this redirects.conf file valid? This is all outside of a <VirtualHost> block.
There was a problem hiding this comment.
I think we should hold off on this until #197 is merged. It will significantly simplify the httpd config.
templates/miq-template-ext-db.yaml
Outdated
|
|
||
| ProxyPreserveHost on | ||
| RequestHeader set X_FORWARDED_PROTO 'https' | ||
| logging.conf: | |
There was a problem hiding this comment.
Why are these separate files? I was thinking we would just supply the entire config in one file.
|
This pull request is not mergeable. Please rebase and repush. |
and service account for the container-httpd pod. This is needed for running httpd under systemd, a requirement for enabling external authentication.
Apache config files (redirects, logging, etc) that get mapped to /etc/httpd/conf.d/application.d/
… changes for manageiq/httpd. - Fixed up format of the templates to be rspec test compliant. - Rebased to support latest changes where container-httpd delegates management of SSL to the openshift route.
abellotti
force-pushed
the
ext-auth-foundation
branch
from
2bbe170
to
5b5d7e4
Compare
|
Checked commits abellotti/manageiq-pods@aedf0ed~...5b5d7e4 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 |
Updating manageiq-pods so that it defines an miq-sysadmin scc and service account for the container-httpd pod.
This is needed for running httpd under systemd, a requirement for enabling external authentication.