
Merge pull request #9731 from vrutkovs/ldap_ca_in_origin_master

Disallow custom CA paths for identity providers
OpenShift Merge Robot 6 years ago
parent
commit
28484ef916

+ 3 - 3
inventory/hosts.example


+ 6 - 0
roles/lib_utils/filter_plugins/openshift_master.py

@@ -158,6 +158,8 @@ class LDAPPasswordIdentityProvider(IdentityProviderBase):
             pref_user = self._idp['attributes'].pop('preferred_username')
             self._idp['attributes']['preferredUsername'] = pref_user
 
+        self._idp['ca'] = '/etc/origin/master/{}_ldap_ca.crt'.format(self._idp['name'])
+
     def validate(self):
         ''' validate this idp instance '''
         if not isinstance(self.provider['attributes'], dict):
@@ -218,6 +220,8 @@ class RequestHeaderIdentityProvider(IdentityProviderBase):
                            ['emailHeaders', 'email_headers'],
                            ['nameHeaders', 'name_headers'],
                            ['preferredUsernameHeaders', 'preferred_username_headers']]
+        self._idp['clientCA'] = \
+            '/etc/origin/master/{}_request_header_ca.crt'.format(self._idp['name'])
 
     def validate(self):
         ''' validate this idp instance '''
@@ -358,6 +362,8 @@ class OpenIDIdentityProvider(IdentityProviderOauthBase):
         if 'extra_authorize_parameters' in self._idp:
             self._idp['extraAuthorizeParameters'] = self._idp.pop('extra_authorize_parameters')
 
+        self._idp['ca'] = '/etc/origin/master/{}_openid_ca.crt'.format(self._idp['name'])
+
     def validate(self):
         ''' validate this idp instance '''
         if not isinstance(self.provider['claims'], dict):
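Review bot: The new `self._idp['ca'] = '/etc/origin/master/{}_ldap_ca.crt'.format(self._idp['name'])` in the first hunk (and the matching `ca` / `clientCA` assignments in the OpenID and RequestHeader hunks) silently overwrites any `ca` or `clientCA` value the inventory supplied, so a provider that previously pointed at an existing custom certificate now references a generated path with no indication that its setting was discarded. Because the playbook only writes these files when the corresponding CA content variable is set, the master config can end up referencing a CA file that is never created; consider at least warning, or failing in `validate()`, when the inventory value differs from the generated path, e.g. `if 'ca' in self._idp and self._idp['ca'] != generated_ca: raise ValueError(...)` placed before the overwrite. A short comment such as `# custom CA paths are not honoured; the CA is always staged at this fixed path by the control-plane role` on each assignment would make the intent explicit to the next reader. `validate()` begins in each hunk but its body continues outside, so the exact place for such a check is not visible here.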

+ 3 - 5
roles/openshift_control_plane/tasks/main.yml

@@ -78,7 +78,7 @@
 
 - name: Create the ldap ca file if needed
   copy:
-    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else '/etc/origin/master/' ~ item.ca | default('ldap_ca.crt') }}"
+    dest: "/etc/origin/master/{{ item.name }}_ldap_ca.crt"
     content: "{{ openshift.master.ldap_ca }}"
     mode: 0600
     backup: yes
@@ -89,26 +89,24 @@
 
 - name: Create the openid ca file if needed
   copy:
-    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else '/etc/origin/master/' ~ item.ca | default('openid_ca.crt') }}"
+    dest: "/etc/origin/master/{{ item.name }}_openid_ca.crt"
     content: "{{ openshift.master.openid_ca }}"
     mode: 0600
     backup: yes
   when:
   - openshift.master.openid_ca is defined
   - item.kind == 'OpenIDIdentityProvider'
-  - item.ca | default('') != ''
   with_items: "{{ openshift_master_identity_providers }}"
 
 - name: Create the request header ca file if needed
   copy:
-    dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else '/etc/origin/master/' ~ item.clientCA | default('request_header_ca.crt') }}"
+    dest: "/etc/origin/master/{{ item.name }}_request_header_ca.crt"
     content: "{{ openshift_master_request_header_ca }}"
     mode: 0600
     backup: yes
   when:
   - openshift_master_request_header_ca != l_osm_request_header_none
   - item.kind == 'RequestHeaderIdentityProvider'
-  - item.clientCA | default('') != ''
   with_items: "{{ openshift_master_identity_providers }}"
 
 - name: Set fact of all etcd host IPs
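Review bot: The openid and request-header tasks drop their `item.ca | default('') != ''` and `item.clientCA | default('') != ''` guards, but the ldap task's `when` list starts after line 58 and lies outside the first hunk, so it is not visible whether the equivalent guard was removed there too; if it remains, an LDAP provider with no `ca` in the inventory gets no CA file even though the filter plugin now always sets `ca` to `/etc/origin/master/<name>_ldap_ca.crt`. Deriving `dest` from `{{ item.name }}` also turns the provider name into a path component: a name containing `/` or `..` would place the CA outside `/etc/origin/master`, and two providers with the same name would overwrite each other's file. An `assert` task before these copies, e.g. `that: "item.name is match('^[A-Za-z0-9_.-]+$')"` over `openshift_master_identity_providers`, would reject such names early and keep the generated paths predictable.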