From 16bee429dea67015c486073a4e1d1603491ccc7a Mon Sep 17 00:00:00 2001 From: Sven Ketelsen Date: Thu, 3 Nov 2022 17:19:35 +0100 Subject: [PATCH] DEV-666 added iam configuration for mpmexec --- group_vars/stage_ext/vault.yml | 48 +++++++++-------- host_vars/ext-bdev-mpmexec-02/vault.yml | 52 +++++++++---------- roles/connect_compact/defaults/main.yml | 41 ++++++++++++++- roles/connect_compact/tasks/main.yml | 26 +++++++--- roles/keycloak_compact/defaults/main.yml | 23 +------- roles/keycloak_compact/tasks/main.yml | 49 ++++------------- .../application-linked-applications.yml.j2 | 4 +- .../connect-compact/docker-compose.yml.j2 | 15 +++--- 8 files changed, 129 insertions(+), 129 deletions(-) diff --git a/group_vars/stage_ext/vault.yml b/group_vars/stage_ext/vault.yml index 022b394..0e5791b 100644 --- a/group_vars/stage_ext/vault.yml +++ b/group_vars/stage_ext/vault.yml @@ -1,24 +1,26 @@ $ANSIBLE_VAULT;1.1;AES256 -30316130326434323533613836303239636361376431353133363233333566313135346232663534 -6335633261323064386630363336316635636537333238650a323738333831383963363031313338 -34643139323365643561313637623463653238316138656437346632656532356330323335366464 -6436363531346137390a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a656639336337656438343531306166 +32383530396439626539343963353162306163343465333166303632353336666565333133386537 +6464636561653435630a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diff --git a/host_vars/ext-bdev-mpmexec-02/vault.yml b/host_vars/ext-bdev-mpmexec-02/vault.yml index 7112ee0..6492bf9 100644 --- a/host_vars/ext-bdev-mpmexec-02/vault.yml +++ b/host_vars/ext-bdev-mpmexec-02/vault.yml 
@@ -1,27 +1,27 @@ $ANSIBLE_VAULT;1.1;AES256 -31623731653564323539633934643263373538376137396231336534656138623931336531383565 -6131373964386665663538636563326136343535626632370a613639356538363135366138333062 -37636466353362633839313837616266666565656438663833323461326231313064366132316637 -3732613365653332360a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a616262613530323234643164313136 +32306636393432326465643763366563613162396630643364656363633064653465316539393639 +3431396664613332630a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diff --git a/roles/connect_compact/defaults/main.yml b/roles/connect_compact/defaults/main.yml index 0ad162e..9122680 100644 --- a/roles/connect_compact/defaults/main.yml +++ b/roles/connect_compact/defaults/main.yml @@ -7,6 +7,11 @@ connect_postgres_username: "connect-postgres-username" connect_postgres_password: "{{ connect_postgres_password_vault }}" connect_image_name: "{{ shared_service_harbor_hostname }}/smardigo/connect-whitelabel-app" +iam_image_name: "{{ shared_service_harbor_hostname }}/smardigo/iam-app" + +elasticsearch_username: "elastic" +elasticsearch_password: "{{ elasticsearch_password_vault }}" + keycloak_id: "{{ inventory_hostname }}-keycloak" keycloak_admin_username: "keycloak-admin" keycloak_admin_password: "{{ keycloak_admin_password_vault }}" 
@@ -14,5 +19,37 @@ keycloak_postgres_username: "keycloak_postgres" keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak" -elasticsearch_username: "elastic" -elasticsearch_password: "{{ elasticsearch_password_vault }}" +shared_service_mail_hostname: "not_available" + +current_realm_name: connect +connect_client_id: "{{ connect_id }}" + +current_realm_clients: [ + { + name: '{{ connect_client_id }}', + clientId: "{{ connect_client_id }}", + admin_url: '', + root_url: '', + redirect_uris: [ + "{{ http_s }}://{{ connect_base_url }}/*", + "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*", + ], + secret: '{{ connect_client_id }}', + web_origins: [ + "{{ http_s }}://{{ connect_base_url }}", + "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}", + ] + },{ + name: 'mpm', + clientId: "mpm", + admin_url: '', + root_url: '', + redirect_uris: [ + "{{ http_s }}://{{ connect_base_url }}/*", + ], + secret: '9d9ca019-8245-4b72-b8eb-8020535eba8e', + web_origins: [ + "{{ http_s }}://{{ connect_base_url }}", + ] + }, +] \ No newline at end of file diff --git a/roles/connect_compact/tasks/main.yml b/roles/connect_compact/tasks/main.yml index bb41c5a..d25f209 100644 --- a/roles/connect_compact/tasks/main.yml +++ b/roles/connect_compact/tasks/main.yml 
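Review bot: The `mpm` entry added to `current_realm_clients` carries its OAuth client secret as a literal UUID in role defaults, while every other credential visible in this file is indirected through a `*_vault` variable; a secret committed in clear text in defaults is readable by anyone with repository access and cannot differ per environment or be rotated without a code change. The `connect` entry has the related weakness that `secret: '{{ connect_client_id }}'` makes the secret equal to the public client ID. Suggest `secret: "{{ mpm_client_secret_vault }}"` and `secret: "{{ connect_client_secret_vault }}"`, with the values kept in the encrypted vault files this commit already touches. The file also now ends without a trailing newline and expresses a nested list of mappings in flow style; block style would diff more cleanly in later commits.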
@@ -15,17 +15,21 @@ record_name: "{{ connect_external_domain }}" when: connect_external_domain is defined +- name: "Setup realm for {{ connect_id }}" + include_role: + name: keycloak + tasks_from: _configure_realm + apply: + tags: + - configure_realm + tags: + - configure_realm + - name: "Check if {{ connect_id }}/docker-compose.yml exists" stat: path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml' register: check_docker_compose_file_connect -- name: "Stop {{ connect_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' - state: absent - when: check_docker_compose_file_connect.stat.exists - - name: "Deploy docker templates for {{ connect_id }}" include_role: name: sma_deploy @@ -37,8 +41,14 @@ current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" +- name: "Stop {{ connect_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + state: absent + when: check_docker_compose_file_connect.stat.exists + - name: "Restart {{ connect_id }}" community.docker.docker_compose: project_src: '{{ service_base_path }}/{{ connect_id }}' - restarted: yes - build: no + state: present + pull: no diff --git a/roles/keycloak_compact/defaults/main.yml b/roles/keycloak_compact/defaults/main.yml index 98e4316..6622f0a 100644 --- a/roles/keycloak_compact/defaults/main.yml +++ b/roles/keycloak_compact/defaults/main.yml 
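Review bot: The new `Setup realm for {{ connect_id }}` task includes only `_configure_realm` from the `keycloak` role, whereas the task list it replaces in `roles/keycloak_compact/tasks/main.yml` ran `_authenticate` immediately before it; unless `_configure_realm` obtains its own admin token, realm configuration will now run without credentials. If it does depend on `_authenticate`, add a preceding include with `tasks_from: _authenticate` using the same `apply`/`tags` structure. The include also presumably needs `keycloak_server_url`, which is set by a `set_fact` in the keycloak_compact role, so the two roles' order in the play should be confirmed.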
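Review bot: `pull: no` on the `Restart {{ connect_id }}` task is a YAML 1.1 truthy spelling that ansible-lint's `yaml[truthy]` rule flags and that a 1.2 parser reads as the string `no`; write `pull: false`. With `state: present` replacing `restarted: yes`, the restart now depends entirely on the preceding `Stop` task, which is skipped when `check_docker_compose_file_connect.stat.exists` is false; that is correct for a first deploy, so the two tasks should stay adjacent and the `stat` should keep running before the template deploy as it does here.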
@@ -7,25 +7,4 @@ keycloak_postgres_username: "keycloak_postgres" keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak" -shared_service_mail_hostname: "not_available" - -connect_client_id: connect -current_realm_name: connect - -current_realm_clients: [ - { - name: '{{ connect_client_id }}', - clientId: "{{ connect_client_id }}", - admin_url: '', - root_url: '', - redirect_uris: [ - "{{ http_s }}://{{ connect_base_url }}/*", - "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*" - ], - secret: '{{ connect_client_id }}', - web_origins: [ - "{{ http_s }}://{{ connect_base_url }}", - "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}" - ] - } -] +service_port_keycloak_external: 8110 diff --git a/roles/keycloak_compact/tasks/main.yml b/roles/keycloak_compact/tasks/main.yml index f91243c..4a09a43 100644 --- a/roles/keycloak_compact/tasks/main.yml +++ b/roles/keycloak_compact/tasks/main.yml @@ -23,12 +23,6 @@ path: '{{ service_base_path }}/{{ keycloak_id }}/docker-compose.yml' register: check_docker_compose_file -- name: "Stop {{ keycloak_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ keycloak_id }}' - state: absent - when: check_docker_compose_file.stat.exists - - name: "Deploy docker templates for {{ keycloak_id }}" include_role: name: sma_deploy 
@@ -40,46 +34,23 @@ current_owner: "{{ docker_owner }}" current_group: "{{ docker_group }}" -# TODO DEV-XXX check why docker-compose up works and the comnuity role not... -> postgres/keycloak -- name: "Start {{ keycloak_id }}" # noqa command-instead-of-shell no-changed-when - shell: docker-compose up -d - args: - chdir: '{{ service_base_path }}/{{ keycloak_id }}' +- name: "Stop {{ keycloak_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ keycloak_id }}' + state: absent + when: check_docker_compose_file.stat.exists -#- name: "Restart {{ keycloak_id }}" -# community.docker.docker_compose: -# project_src: '{{ service_base_path }}/{{ keycloak_id }}' -# restarted: yes -# build: no +- name: "Start {{ keycloak_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ keycloak_id }}' + state: present - name: "Setting local keycloak url" set_fact: keycloak_server_url: "http://localhost:{{ service_port_keycloak_external }}" - tags: - - configure_realm - name: "Wait for " wait_for: host: "localhost" port: '{{ service_port_keycloak_external }}' - delay: 60 - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _authenticate - apply: - tags: - - configure_realm - tags: - - configure_realm - -- name: "Setup realm for {{ inventory_hostname }}" - include_role: - name: keycloak - tasks_from: _configure_realm - apply: - tags: - - configure_realm - tags: - - configure_realm + delay: 30 \ No newline at end of file diff --git a/templates/connect-compact/config/application-linked-applications.yml.j2 b/templates/connect-compact/config/application-linked-applications.yml.j2 index f9d5faf..07628fb 100644 --- a/templates/connect-compact/config/application-linked-applications.yml.j2 +++ b/templates/connect-compact/config/application-linked-applications.yml.j2 
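Review bot: The `configure_realm` tag is dropped from the `Setting local keycloak url` set_fact, but the realm configuration that consumes `keycloak_server_url` has moved to `roles/connect_compact/tasks/main.yml` in this same commit and is still gated on that tag; a run limited to `--tags configure_realm` will skip the set_fact, and `_configure_realm` will presumably find `keycloak_server_url` undefined. Either keep `tags: [configure_realm]` on the set_fact or move it next to the include in connect_compact. Separately, `wait_for` on the port only proves the listener is open, and the initial `delay` is halved to 30 seconds; if the earlier 60-second margin was covering Keycloak's bootstrap before the admin API answers, a readiness check against the HTTP endpoint would be more robust than a fixed delay. The task name `"Wait for "` is also truncated; something like `"Wait for {{ keycloak_id }} on port {{ service_port_keycloak_external }}"` would read correctly in play output.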
@@ -2,10 +2,10 @@ smardigo: linked-applications: - name: Password Change - url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/connect/account/password + url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password - name: User Management - url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/connect/console + url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console - name: MPM Process Mining url: https://mehrwerk-demo.eu.qlikcloud.com \ No newline at end of file diff --git a/templates/connect-compact/docker-compose.yml.j2 b/templates/connect-compact/docker-compose.yml.j2 index abc4064..53fcd1b 100644 --- a/templates/connect-compact/docker-compose.yml.j2 +++ b/templates/connect-compact/docker-compose.yml.j2 @@ -36,7 +36,7 @@ services: environment: NAME: "MPM eXecution 2.0" - TENANT_ID: "connect" + TENANT_ID: "{{ connect_id }}" ADMIN_LOGIN: "{{ connect_admin_username }}" ADMIN_PASSWORD: "{{ connect_admin_password }}" 
@@ -59,12 +59,12 @@ services: MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true" AUTH_MODULE: "oidc" - OIDC_CLIENT_ID: "connect" - OIDC_CLIENT_SECRET: "connect" - OIDC_REGISTRATION_ID: "connect" - OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/connect" - PASSWORD_CHANGE_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/connect/account/password" - USER_MANAGEMENT_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/connect/console" + OIDC_CLIENT_ID: "{{ connect_id }}" + OIDC_CLIENT_SECRET: "{{ connect_id }}" + OIDC_REGISTRATION_ID: "{{ connect_id }}" + OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}" + PASSWORD_CHANGE_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password" + USER_MANAGEMENT_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console" IAM_MODULE: "external" IAM_CLIENT_ENABLED: "true" @@ -88,6 +88,7 @@ services: SMA_CORS_ALLOWED_HEADERS: "*" SMA_CORS_PATH_PATTERN: "/**" SMA_LANGUAGE_CODE: "en" + SMA_JWT_ENABLED: "True" SMA_JWT_SECRET: "{{ sma_jwt_secret }}"
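Review bot: `OIDC_CLIENT_SECRET: "{{ connect_id }}"` makes the confidential client's secret identical to its public `OIDC_CLIENT_ID`, derived from the inventory hostname; the removed line used the fixed string `connect`, so the change keeps a guessable secret rather than removing it. This mirrors `secret: '{{ connect_client_id }}'` in the new `current_realm_clients` default in `roles/connect_compact/defaults/main.yml`, so both sides should read one vault-held value, e.g. `OIDC_CLIENT_SECRET: "{{ connect_client_secret_vault }}"`, with the Keycloak client definition using the same variable.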
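Review bot: `SMA_JWT_ENABLED: "True"` is capitalised while the other boolean-valued environment strings in this template (`IAM_CLIENT_ENABLED: "true"`, `MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true"`) are lowercase; unless the consuming application is known to compare case-insensitively, write `SMA_JWT_ENABLED: "true"` for consistency. Keeping the value quoted is right, since the container environment needs text rather than a YAML boolean.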