herve4m.quay.quay_team_ldap (1.2.0) — module

Synchronize Quay Container Registry teams with LDAP groups

Added in version 0.0.9 of herve4m.quay

Authors: Herve Quatremain (@herve4m)

Install collection

Install with ansible-galaxy collection install herve4m.quay:==1.2.0


Add to requirements.yml

  collections:
    - name: herve4m.quay
      version: 1.2.0

Description

Synchronize and unsynchronize teams in organizations with LDAP groups.

Usage examples

- name: Ensure team operators exists before activating LDAP synchronization
  herve4m.quay.quay_team:
    name: operators
    organization: production
    role: creator
    # Only robot accounts can be added to a team you prepare for LDAP
    # synchronization. User accounts that you might add are removed when the
    # synchronization is activated
    members:
      - production+automationrobot
    append: false
    state: present
    quay_host: https://quay.example.com
    quay_token: vgfH9zH5q6eV16Con7SvDQYSr0KPYQimMHVehZv7
- name: Ensure team operators is synchronized with the op1 LDAP group
  herve4m.quay.quay_team_ldap:
    name: operators
    organization: production
    sync: true
    group_dn: cn=op1,ou=groups
    quay_host: https://quay.example.com
    quay_token: vgfH9zH5q6eV16Con7SvDQYSr0KPYQimMHVehZv7
- name: Ensure team operators is not synchronized anymore with an LDAP group
  herve4m.quay.quay_team_ldap:
    name: operators
    organization: production
    sync: false
    # Remove all the users from the team synchronized from the LDAP group
    keep_users: false
    quay_host: https://quay.example.com
    quay_token: vgfH9zH5q6eV16Con7SvDQYSr0KPYQimMHVehZv7
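
An added example, not part of the collection's documentation: the same two-step procedure with the token read from the QUAY_TOKEN environment variable instead of being written in each task, and group_dn derived from the full group DN by stripping the base DN. The variable names vault_quay_token, ldap_base_dn, ldap_group_full_dn and base_suffix are assumptions made for this sketch.

```yaml
---
# Added example. vault_quay_token, ldap_base_dn, ldap_group_full_dn and
# base_suffix are hypothetical names; vault_quay_token is expected to come
# from an Ansible Vault encrypted variable file.
- name: Synchronize a Quay team with an LDAP group without inline secrets
  hosts: localhost
  gather_facts: false
  vars:
    # Must match the LDAP_BASE_DN parameter in Quay's config.yaml
    ldap_base_dn: dc=example,dc=org
    ldap_group_full_dn: cn=op1,ou=groups,dc=example,dc=org
    base_suffix: ",{{ ldap_base_dn }}"
  # The modules fall back to these variables when quay_host and quay_token
  # are not set in the task, so the token never appears in the task arguments.
  environment:
    QUAY_HOST: https://quay.example.com
    QUAY_TOKEN: "{{ vault_quay_token }}"
  tasks:
    - name: Refuse a group DN that is not under the base DN
      ansible.builtin.assert:
        that:
          - ldap_group_full_dn | lower is search((base_suffix | lower | regex_escape) ~ '$')
        fail_msg: "{{ ldap_group_full_dn }} is not under {{ ldap_base_dn }}"

    - name: Ensure team operators exists with robot accounts only
      herve4m.quay.quay_team:
        name: operators
        organization: production
        role: creator
        # User accounts would be removed when synchronization is activated
        members:
          - production+automationrobot
        append: false
        state: present

    - name: Ensure team operators is synchronized with the LDAP group
      herve4m.quay.quay_team_ldap:
        name: operators
        organization: production
        sync: true
        # Full DN minus the base DN suffix: cn=op1,ou=groups
        group_dn: "{{ ldap_group_full_dn[:-(base_suffix | length)] }}"
```

validate_certs is left at its default of true, so the HTTPS certificate of the registry is verified.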

Inputs

    
name:
    description:
    - Name of the team to synchronize or unsynchronize with an LDAP group. That team must
      exist (see the M(herve4m.quay.quay_team) module to create it).
    required: true
    type: str

sync:
    default: true
    description:
    - If C(yes), then the team members are retrieved from the LDAP group that you define
      in I(group_dn). The pre-existing members are removed from the team before the synchronization
      process starts. Existing robot account members are not removed.
    - If C(no), then the synchronization from LDAP is disabled. Existing team members
      (from LDAP) are kept, except if you set I(keep_users) to C(no).
    type: bool

group_dn:
    description:
    - LDAP group distinguished name (DN), relative to the base DN that you defined in
      the C(config.yaml) Quay configuration file with the C(LDAP_BASE_DN) parameter.
    - For example, if the LDAP group DN is C(cn=group1,ou=groups,dc=example,dc=org) and
      the base DN is C(dc=example,dc=org), then you must set I(group_dn) to C(cn=group1,ou=groups).
    - I(group_dn) is required when I(sync) is C(yes).
    type: str

quay_host:
    default: http://127.0.0.1
    description:
    - URL for accessing the API. U(https://quay.example.com:8443) for example.
    - If you do not set the parameter, then the module uses the C(QUAY_HOST) environment
      variable.
    - If you do not set the environment variable either, then the module uses the U(http://127.0.0.1)
      URL.
    type: str

keep_users:
    default: true
    description:
    - If C(yes), then the current team members are kept after the synchronization is disabled.
    - If C(no), then the team members are removed (except robot accounts).
    - I(keep_users) is only used when I(sync) is C(no).
    type: bool

quay_token:
    description:
    - OAuth access token for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_TOKEN) environment
      variable.
    - Mutually exclusive with I(quay_username) and I(quay_password).
    type: str

organization:
    description:
    - Name of the organization for the team. That organization must exist.
    required: true
    type: str

quay_password:
    description:
    - The password to use for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_PASSWORD) environment
      variable.
    - If you set I(quay_password), then you also need to set I(quay_username).
    - Mutually exclusive with I(quay_token).
    type: str

quay_username:
    description:
    - The username to use for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_USERNAME) environment
      variable.
    - If you set I(quay_username), then you also need to set I(quay_password).
    - Mutually exclusive with I(quay_token).
    type: str

validate_certs:
    aliases:
    - verify_ssl
    default: true
    description:
    - Whether to validate SSL certificates when connecting to the API.
    - If C(no), then the module does not validate SSL certificates.
    - If you do not set the parameter, then the module tries the C(QUAY_VERIFY_SSL) environment
      variable (C(yes), C(1), and C(True) mean yes, and C(no), C(0), C(False), and no
      value mean no).
    type: bool