gateway_authenticators.yml

In these files we configure the authenticators that rhaap uses for user authentication.
We will probably do this in the global configuration (all).
However, there is an option to enable a remote development team by using their LDAP server in development.

group_vars/all/gateway_authenticators.yml

For user authentication we will use the organization's own LDAP server.
This will authenticate all users in all rhaap environments.

---
gateway_authenticators_all:
  - name: Auth LDAP
    type: 'ansible_base.authentication.authenticator_plugins.ldap'
    slug: authenticator-ldap
    enabled: true
    configuration:
      SERVER_URI:
        - ldap://docker.homelab
      BIND_DN: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32323734343163363262353237306361363834613262396335643161323062383061616137633861
          3333633537343533366333313530303433393538643936630a616465353332613133326634363732
          37656135373965396566393335623834663635663731346365663239346563663266333733666135
          3532393065366331610a643961346530303438303565646232316362386134343331656565363838
          36363436346536336632353633306362353639653161306266303438396363613435
      BIND_PASSWORD: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62376235356630323466653639303235366562393632613031303630643564656535306264633634
          3133616538333963663961656631326164343534366538630a623665663764373838383838333335
          64386531356335303439643132663561383166656166613232323537336565323562633765363435
          3063343531383132650a613834653466623166656264393731366262616661353562336330373437
          3963
      # CONNECTION_OPTIONS: OPT_MATCHED_DN
      GROUP_TYPE: GroupOfNamesType
      GROUP_TYPE_PARAMS:
        name_attr: cn
      GROUP_SEARCH:
        - ou=Groups,dc=homelab,dc=wf
        - SCOPE_SUBTREE
        - (objectClass=groupOfNames)
      START_TLS: false
      USER_DN_TEMPLATE: null
      USER_ATTR_MAP:
        email: mail
        first_name: givenName
        last_name: sn
      USER_SEARCH:
        - ou=people,dc=homelab,dc=wf
        - SCOPE_SUBTREE
        - (uid=%(user)s)

Note that the variable name used here carries the "_all" suffix, so it will not be overridden by the environment-specific group_vars files; it is not the plain inventory variable.
Why we do this will become clear in a moment.

group_vars/dev/gateway_authenticators.yml

For development, we could add an external LDAP server for a trusted development party, but only in development. This implies that the development environment is fully separated from production.

---
gateway_authenticators_dev:
  - name: External LDAP
    type: 'ansible_base.authentication.authenticator_plugins.ldap'
    slug: authenticator-ext
    enabled: true
    configuration:
      SERVER_URI:
        - ldap://external.development.org
      BIND_DN: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32323734343163363262353237306361363834613262396335643161323062383061616137633861
          3333633537343533366333313530303433393538643936630a616465353332613133326634363732
          37656135373965396566393335623834663635663731346365663239346563663266333733666135
          3532393065366331610a643961346530303438303565646232316362386134343331656565363838
          36363436346536336632353633306362353639653161306266303438396363613435
      BIND_PASSWORD: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62376235356630323466653639303235366562393632613031303630643564656535306264633634
          3133616538333963663961656631326164343534366538630a623665663764373838383838333335
          64386531356335303439643132663561383166656166613232323537336565323562633765363435
          3063343531383132650a613834653466623166656264393731366262616661353562336330373437
          3963
      # CONNECTION_OPTIONS: OPT_MATCHED_DN
      GROUP_TYPE: GroupOfNamesType
      GROUP_TYPE_PARAMS:
        name_attr: cn
      GROUP_SEARCH:
        - ou=Groups,dc=external,dc=development,dc=org
        - SCOPE_SUBTREE
        - (objectClass=groupOfNames)
      START_TLS: false
      USER_DN_TEMPLATE: null
      USER_ATTR_MAP:
        email: mail
        first_name: givenName
        last_name: sn
      USER_SEARCH:
        - ou=people,dc=external,dc=development,dc=org
        - SCOPE_SUBTREE
        - (uid=%(user)s)
...

Here the variable has the "_dev" extension, so the variable will not be overridden.

group_vars/prod/gateway_authenticators.yml

As we do not configure extra authenticators in prod, this file is an empty set.

---
gateway_authenticators_prod: []
  # No extra config exists
...

Here the variable has the "_prod" extension, so the variable will not be overridden.

When we run a pipeline for a certain environment, the inventory structure provides us with 2 variables:
- gateway_authenticators_all
- gateway_authenticators_ with the environment name appended (gateway_authenticators_dev or gateway_authenticators_prod above)

We merge these 2 variables into 1, gateway_authenticators, and feed it to the infra.aap_configuration.authenticators role.
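As an added example (not from the original page or the collection), a playbook that performs that merge, guards the result and hands it to the role; it assumes the pipeline passes the environment name as `aap_environment` and that the inventory has a group with that name so the matching group_vars directory applies:

```yaml
---
# Added example, not from the original page. Assumptions: the pipeline passes
# the environment name as `aap_environment` (e.g. -e aap_environment=dev) and
# the inventory has a group of that name, so group_vars/<env> applies.
- name: Configure gateway authenticators for one environment
  hosts: "{{ aap_environment }}"
  connection: local
  gather_facts: false
  tasks:
    - name: Merge the _all list with the _<env> list into gateway_authenticators
      ansible.builtin.set_fact:
        gateway_authenticators: >-
          {{ gateway_authenticators_all
             + lookup('ansible.builtin.vars',
                      'gateway_authenticators_' ~ aap_environment,
                      default=[]) }}

    - name: Stop if two authenticators share a slug
      ansible.builtin.assert:
        that:
          - "gateway_authenticators | map(attribute='slug') | list | unique | length == gateway_authenticators | length"
        fail_msg: "Duplicate authenticator slug in gateway_authenticators"

    - name: Stop if prod picked up extra authenticators (prod must stay LDAP-only)
      ansible.builtin.assert:
        that:
          - "aap_environment != 'prod' or (gateway_authenticators | length == gateway_authenticators_all | length)"
        fail_msg: "Only the organization's own LDAP may be configured in prod"

    - name: Hand the merged list to the infra.aap_configuration role
      ansible.builtin.include_role:
        name: infra.aap_configuration.authenticators
```

Since both configurations above use ldap:// with START_TLS: false, the bind password crosses the network in cleartext; enabling START_TLS or switching to ldaps:// is worth doing before this reaches production.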
