diff --git a/create-service.yml b/create-service.yml index 8688fbc..a91576a 100644 --- a/create-service.yml +++ b/create-service.yml @@ -53,6 +53,7 @@ remote_user: root vars: ansible_ssh_host: "{{ stage_server_domain }}" + connect_version: "{{ connect_image_version }}" # backwards compatibility pre_tasks: - name: "Import autodiscover pre-tasks" diff --git a/group_vars/all/connect.yml b/group_vars/all/connect.yml index ac626dc..39f1aa7 100644 --- a/group_vars/all/connect.yml +++ b/group_vars/all/connect.yml @@ -25,3 +25,21 @@ smardigo_default_theme: "/themes/netgo.json" connect_wordpress_buergerportal_username: "buergerportal" # initial credentials, keycloak forces password update on first login connect_wordpress_buergerportal_password: "Buerger?P0rtal." + +# digital ocean dns service (-> dns-challenge) +connect_customer_urls_digitalocean: [] +# hetzner dns service (-> dns-challenge) +connect_customer_urls_hetzner: [] +# dns is managed by external provider (-> http-challenge) +connect_customer_urls_extern: [] + +# configure reverse proxy for each url +# keycloak redirect/origins for each url +connect_customer_urls: "{{ + connect_customer_urls_digitalocean + + connect_customer_urls_hetzner + + connect_customer_urls_extern }}" + +# allow customer specific access from ips in cidr notation (e.g. 1.2.3.4/32) +# use 0.0.0.0/0 for public access +connect_customer_networks: [] diff --git a/group_vars/all/prometheus.yml b/group_vars/all/prometheus.yml index 466fdf9..52087a3 100644 --- a/group_vars/all/prometheus.yml +++ b/group_vars/all/prometheus.yml 
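Review bot: The `# backwards compatibility` comment on the new `connect_version` alias does not say what still depends on it, and this same diff shows the consumer: roles/connect/vars/main.yml still evaluates `connect_version is version('11.1', '>=')`, so the alias is load-bearing rather than cosmetic. I would make the comment name that dependency, e.g. `connect_version: "{{ connect_image_version }}" # backwards compatibility: roles/connect/vars/main.yml still reads connect_version`, so nobody drops the alias before that file is migrated to `connect_image_version`. The enclosing play and its `vars:` mapping start before this hunk.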
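Review bot: `connect_customer_urls` is a plain concatenation of the three provider lists, so a URL present in two of them (or twice in one) is processed twice by roles/connect/tasks/main.yml, which emits one set of Traefik router labels per entry under the same router name and, for a duplicate inside a provider list, runs the matching DNS task twice. Wrapping the sum makes the list idempotent at no cost: `connect_customer_urls: "{{ (connect_customer_urls_digitalocean + connect_customer_urls_hetzner + connect_customer_urls_extern) | unique }}"`. I would also extend the comment above `connect_customer_networks` to say that an empty list drops the customer 443 rule entirely (that is what `connect_customer_firewall_entry_rules` in roles/connect/defaults encodes), since "allow from nowhere but still applied" is the other plausible reading of `[]`.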
@@ -6,9 +6,12 @@ node_exporter_listen_address: "{{ stage_private_server_ip }}" blackbox_exporter_fqdn: "dev-blackbox-01.{{ domain }}" blackbox_http_2xx_targets: - - "https://{{ stage }}-keycloak-01.smardigo.digital/auth/" - - "https://{{ stage_kube }}-awx.smardigo.digital" -# - 'https://{{ stage }}-management-01-connect.smardigo.digital/' + - "{{ shared_service_kube_url_awx }}" + - "{{ shared_service_url_gitea }}" + - "{{ shared_service_url_harbor }}" + - "{{ shared_service_url_keycloak }}/auth/" + - "{{ shared_service_url_kibana }}" + - "{{ shared_service_url_management }}" blackbox_http_2xx_additional_targets: [] diff --git a/host_vars/devnso-mhel-test01/plain.yml b/host_vars/devnso-mhel-test01/plain.yml deleted file mode 100644 index 1f2bbf0..0000000 --- a/host_vars/devnso-mhel-test01/plain.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -server_hcloud_firewall_objects: - - name: "customer-access-to-{{ inventory_hostname }}" - state: present - rules: - - direction: in - protocol: tcp - port: "443" - source_ips: "{{ additional_ip_adresses_vault }}" - destination_ips: [] - description: customer specific access to https services - apply_to: - - type: server - server: - id: "{{ stage_server_id }}" diff --git a/host_vars/devnso-mhel-test01/vault.yml b/host_vars/devnso-mhel-test01/vault.yml deleted file mode 100644 index 128c3a6..0000000 --- a/host_vars/devnso-mhel-test01/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31396666646138353139636535636563613531356430336362386265636465656638656661613135 -6331373138383964363266383331633532383537613837310a366531363137656566306565346263 -32653430646463356464653939363431363666373637633332323430303934316439326234663532 -6661373662663836660a663138613564623237666434353561366366353936363063313831333165 -64333464333061336337393762343362373362353462346236323965653666343264343438306132 -32653561656337636365663531333066666663623738643463653865663961303239376262306362 -373762363465613031666565383535313033 
diff --git a/host_vars/prodnso-nsointern-nsoprod-01.yml b/host_vars/prodnso-nsointern-nsoprod-01.yml new file mode 100644 index 0000000..8d9550b --- /dev/null +++ b/host_vars/prodnso-nsointern-nsoprod-01.yml @@ -0,0 +1,6 @@ +--- +connect_customer_urls_extern: + - oes.netgo.de + +connect_customer_networks: + - 0.0.0.0/0 diff --git a/host_vars/prodnso-nsointern-nsoprod-01/plain.yml b/host_vars/prodnso-nsointern-nsoprod-01/plain.yml deleted file mode 100644 index 1f2bbf0..0000000 --- a/host_vars/prodnso-nsointern-nsoprod-01/plain.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -server_hcloud_firewall_objects: - - name: "customer-access-to-{{ inventory_hostname }}" - state: present - rules: - - direction: in - protocol: tcp - port: "443" - source_ips: "{{ additional_ip_adresses_vault }}" - destination_ips: [] - description: customer specific access to https services - apply_to: - - type: server - server: - id: "{{ stage_server_id }}" diff --git a/host_vars/prodnso-nsointern-nsoprod-01/vault.yml b/host_vars/prodnso-nsointern-nsoprod-01/vault.yml deleted file mode 100644 index 128c3a6..0000000 --- a/host_vars/prodnso-nsointern-nsoprod-01/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31396666646138353139636535636563613531356430336362386265636465656638656661613135 -6331373138383964363266383331633532383537613837310a366531363137656566306565346263 -32653430646463356464653939363431363666373637633332323430303934316439326234663532 -6661373662663836660a663138613564623237666434353561366366353936363063313831333165 -64333464333061336337393762343362373362353462346236323965653666343264343438306132 -32653561656337636365663531333066666663623738643463653865663961303239376262306362 -373762363465613031666565383535313033 diff --git a/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml index ee55221..dc94324 100644 --- a/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml +++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml 
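Review bot: `connect_customer_networks: - 0.0.0.0/0` makes the customer 443 rule world-reachable on this host, whereas the deleted `host_vars/prodnso-nsointern-nsoprod-01/plain.yml` scoped `source_ips` to the vaulted `additional_ip_adresses_vault` list; because `connect_customer_urls_extern` is also non-empty, `connect_customer_firewall_entry_rules` in roles/connect/defaults additionally opens port 80 to `0.0.0.0/0`. That is a deliberate widening from an IP allowlist to public access and should be recorded in the file rather than left implicit, e.g. `# public access intended (replaces the former vaulted IP allowlist) - see <ticket-id>`. If the allowlist was dropped only because of the vault restructuring, the pattern used for prodnso-spkbz-cuskfzbrief-01 (`connect_customer_networks: "{{ connect_customer_networks_vault }}"`) is the equivalent that keeps the restriction. Note also that devnso-mhel-test01's host_vars were removed without a replacement file, so that host falls back to the group default `[]` and loses its customer rule altogether, presumably intended for a test host but worth confirming.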
@@ -1,5 +1,4 @@ --- - dns: hetzner domain: "kfzbrief-bautzen.de" domain_env: "smardigo.digital" @@ -20,31 +19,7 @@ connect_mail_properties_smtp_auth: true connect_mail_properties_smtp_starttls_enable: true connect_mail_properties_smtp_starttls_required: true -# smardigo.fzbrief-bautzen.de -connect_external_subdomain: "smardigo" -connect_labels_additional: [ - '"traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"', - '"traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"', - '"traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"', - '"traefik.http.routers.{{ connect_id }}-extern.tls=true"', - '"traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt"', - '"traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port={{ service_port }}"', -] +connect_customer_urls_hetzner: + - smardigo.kfzbrief-bautzen.de -server_hcloud_firewall_objects: - - - name: "customer-access-to-{{ inventory_hostname }}" - state: present - rules: - - - direction: in - protocol: tcp - port: '443' - source_ips: "{{ additional_ip_adresses_vault }}" - destination_ips: [] - description: customer specific access to https services - apply_to: - - - type: server - server: - id: '{{ stage_server_id }}' +connect_customer_networks: "{{ connect_customer_networks_vault }}" diff --git a/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml index 36a9a3a..5e0acec 100644 --- a/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml +++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml 
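Review bot: With `dns: hetzner` removed from the top of this file (first hunk), the unchanged `Setup DNS configuration for <{{ connect_id }}>` task in roles/connect/tasks/main.yml still includes hetzner-ansible-dns without passing a `dns` var, so for this host the provider of the connect_id record now comes from that role's default, which is not visible in the diff. If the role defaults to hetzner this is harmless; otherwise the record silently changes provider, and the fix is to add `dns: hetzner` to that task's `vars:` the way the new DigitalOcean and Hetzner tasks do. The new values in this hunk look consistent: `smardigo.kfzbrief-bautzen.de` splits into record `smardigo` and zone `kfzbrief-bautzen.de`, and `connect_customer_networks` keeps the allowlist in the vault rather than inlining it.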
@@ -1,17 +1,17 @@ $ANSIBLE_VAULT;1.1;AES256 -33623661396231316264336334366662616361383165643162333435636164376537633634353831 -6330346162656138303539323433353034376635363731640a666263336165643661633039343131 -32376432373666363639336465363835636139663963666433623266663965623063636236393135 -6163313838323639300a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a346564613639383931356238346336 +37363032316138393136626137346633353963643933373933653432353330333832346362376238 +3538356439303732330a316364613762396330373166323830363439353464396233346665646135 +38343139636265343338383265316564663131613463356139333063663931316137373335666562 +31303061303732343662316564383662396265363439626336383666376564326461303935343230 +32643138316461373963623437346232386237356239313566326262313062376663633161613031 +61666161623930666638656337623937353766393866303830353536306466376466356636663663 +31653937386336616661616631653234326138316239623835333238393034356232613963663363 +32316631353061666162643832613263373537323937626361373335353864306663343332663238 +35393732386135343165656366356366646663623762313538636432306266646531326536666234 +34303038323830623964653461653133366235643962346465643634386433653661653230353138 +39633537316664613164666533303263393430636465303239353935646462626166353965376462 +34356235343462616266383966613137656462393262306166646337373161323863376566653063 +62336531313031346436313131363361323134323964643838336338343363313330386533313865 +66333164303634363132 diff --git a/library/__pycache__/smardigo_user_token.cpython-311.pyc b/library/__pycache__/smardigo_user_token.cpython-311.pyc deleted file mode 100644 index ec79a79..0000000 Binary files a/library/__pycache__/smardigo_user_token.cpython-311.pyc and /dev/null differ diff --git a/roles/connect/defaults/main.yml b/roles/connect/defaults/main.yml index fc7d4c4..befc27e 100644 --- a/roles/connect/defaults/main.yml +++ b/roles/connect/defaults/main.yml 
@@ -16,3 +16,24 @@ connect_resubmission_enabled: false connect_search_elastic_enabled: false connect_swagger_enabled: true connect_workflow_heatmap_enabled: false + +firewall_rule_connect_customer: + - direction: in + protocol: tcp + port: "443" + source_ips: "{{ connect_customer_networks }}" + destination_ips: [] + description: customer specific access to https services +firewall_rule_lets_encrypt_http_challenge: + - direction: in + protocol: tcp + port: "80" + source_ips: + - "0.0.0.0/0" + destination_ips: [] + description: lets encrypt http challenge due to external managed dns entries + +connect_customer_firewall_entry_rules: "{{ + (firewall_rule_connect_customer if (connect_customer_networks | length > 0) else []) + + (firewall_rule_lets_encrypt_http_challenge if (connect_customer_urls_extern | length > 0) else []) +}}" diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml index e2fcb74..20f58c4 100644 --- a/roles/connect/tasks/main.yml +++ b/roles/connect/tasks/main.yml @@ -1,12 +1,11 @@ --- - ### tags: ### update_certs ### update_deployment - name: "Creating smardigo user token" smardigo_user_token: - secret: "{{ connect_jwt_secret }}" + secret: "{{ connect_jwt_secret }}" user_id: "{{ connect_client_admin_username }}" register: smardigo_user_token_result delegate_to: 127.0.0.1 @@ -16,7 +15,7 @@ - name: "Creating iam user token" smardigo_user_token: - secret: "{{ iam_jwt_secret }}" + secret: "{{ iam_jwt_secret }}" user_id: "{{ connect_client_admin_username }}" realm: "{{ current_realm_name }}" client_id: "{{ connect_oidc_client_id }}" 
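Review bot: `firewall_rule_connect_customer` and `firewall_rule_lets_encrypt_http_challenge` are role defaults without the `connect_` prefix every other key in this file carries; Ansible role defaults are not namespaced, so an unprefixed name is easy to clobber from another role or from group_vars, and here a clobber would silently rewrite a firewall rule. Renaming them `connect_firewall_rule_customer` / `connect_firewall_rule_lets_encrypt_http_challenge` (and the two references inside `connect_customer_firewall_entry_rules`) keeps the convention. I would also put a comment above the second rule, e.g. `# opens 80/tcp to everyone; only included while connect_customer_urls_extern is non-empty (see connect_customer_firewall_entry_rules)`, since the rule on its own reads as an unconditional world-open port and the condition lives several lines below.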
@@ -27,48 +26,104 @@ - update_deployment - name: "Setting smardigo_auth_token_value and iam_auth_token_value as fact" - set_fact: + ansible.builtin.set_fact: smardigo_auth_token_value: "{{ smardigo_user_token_result.token }}" iam_auth_token_value: "{{ iam_user_token_result.token }}" tags: - update_deployment -- name: "Setup hcloud firewalls for <{{ inventory_hostname }}>" - include_role: - name: hetzner-ansible-hcloud - tasks_from: configure-firewall2 - loop: "{{ server_hcloud_firewall_objects }}" - loop_control: - loop_var: firewall_object +# Generate Traefik labels for customer specific domains +- name: "Configure Traefik for customer domains" when: - - server_hcloud_firewall_objects is defined + - connect_customer_urls | length > 0 + tags: + - update_deployment + block: + - name: "Create additional Traefik labels for customer url" + ansible.builtin.set_fact: + connect_labels_customer_urls: + - '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.service={{ connect_id }}"' + - '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.rule=Host(`{{ customer_url }}`)"' + - '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.entrypoints=websecure"' + - '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.tls=true"' + - '"traefik.http.routers.{{ connect_id }}-extern-{{ customer_url | replace(".", "-") }}.tls.certresolver={{ "letsencrypt-http" if (customer_url in connect_customer_urls_extern) else "letsencrypt" }}"' + loop: "{{ connect_customer_urls }}" + register: connect_labels_customer_urls_result + loop_control: + loop_var: customer_url + tags: + - update_deployment -- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>" + - name: "Extract Traefik labels for customer urls" + ansible.builtin.set_fact: + connect_labels_additional: "{{ connect_labels_additional | default([]) + 
connect_labels_customer_url.ansible_facts.connect_labels_customer_urls }}" + loop: "{{ connect_labels_customer_urls_result.results }}" + loop_control: + loop_var: connect_labels_customer_url + tags: + - update_deployment + +- name: "Setup customer specific firewall rules for <{{ inventory_hostname }}>" + block: + - name: "Configure customer specific firewall rules for <{{ inventory_hostname }}>" + ansible.builtin.set_fact: + connect_customer_firewall_entries: + - name: "customer-access-to-{{ inventory_hostname }}" + state: present + rules: "{{ connect_customer_firewall_entry_rules }}" + apply_to: + - type: server + server: + id: "{{ stage_server_id }}" + - name: "Setup customer specific firewall rules for <{{ inventory_hostname }}>" + ansible.builtin.include_role: + name: hetzner-ansible-hcloud + tasks_from: configure-firewall2 + loop: "{{ connect_customer_firewall_entries }}" + loop_control: + loop_var: firewall_object + +- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" include_role: name: hetzner-ansible-dns vars: record_data: "{{ stage_server_ip }}" - record_name: "{{ connect_external_subdomain }}" + record_name: "{{ connect_id }}" + +- name: "Setup DNS configuration at DigitalOcean" + ansible.builtin.include_role: + name: hetzner-ansible-dns + vars: + dns: digitalocean + record_data: "{{ stage_server_ip }}" + record_name: "{{ item.split('.')[:-2] | join('.') }}" + domain: "{{ item.split('.')[-2:] | join('.') }}" when: - - connect_external_subdomain is defined + - connect_customer_urls_digitalocean | length > 0 + loop: "{{ connect_customer_urls_digitalocean }}" -- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" - include_role: +- name: "Setup DNS configuration at Hetzner" + ansible.builtin.include_role: name: hetzner-ansible-dns vars: + dns: hetzner record_data: "{{ stage_server_ip }}" - record_name: "{{ connect_id }}" + record_name: "{{ item.split('.')[:-2] | join('.') }}" + domain: "{{ 
item.split('.')[-2:] | join('.') }}" + when: + - connect_customer_urls_hetzner | length > 0 + loop: "{{ connect_customer_urls_hetzner }}" - name: "Check if {{ connect_id }}/docker-compose.yml exists" stat: - path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml' + path: "{{ service_base_path }}/{{ connect_id }}/docker-compose.yml" register: check_docker_compose_file tags: - update_deployment - name: "Stop {{ connect_id }}" community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' + project_src: "{{ service_base_path }}/{{ connect_id }}" state: absent when: check_docker_compose_file.stat.exists tags: @@ -117,7 +172,7 @@ - name: "Restart {{ connect_id }}" community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' + project_src: "{{ service_base_path }}/{{ connect_id }}" restarted: yes build: no tags: @@ -126,7 +181,7 @@ - name: "Update {{ connect_id }}" community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' + project_src: "{{ service_base_path }}/{{ connect_id }}" state: present pull: yes tags: diff --git a/roles/connect/vars/main.yml b/roles/connect/vars/main.yml index 7bd2f7c..92de15c 100644 --- a/roles/connect/vars/main.yml +++ b/roles/connect/vars/main.yml @@ -1,5 +1,4 @@ --- - connect_process_search_module: "{{ connect_search_elastic_enabled | ternary((connect_version is version('11.1', '>=') | ternary('external_v2', 'external')), 'embedded') }}" connect_spring_profiles_include: diff --git a/roles/connect_compact/defaults/main.yml b/roles/connect_compact/defaults/main.yml deleted file mode 100644 index b130034..0000000 --- a/roles/connect_compact/defaults/main.yml +++ /dev/null 
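Review bot: The new DigitalOcean and Hetzner DNS tasks derive the zone with `item.split('.')[-2:] | join('.')`, which assumes every customer URL has the shape `<record>.<label>.<tld>`: a bare two-label URL yields an empty `record_name`, and a name under a multi-label public suffix (constructed example: `example.co.uk`) would be registered as record `example` in zone `co.uk`. The zone is known when the host_vars are written, so carrying it explicitly (a list of `{url, zone}` entries, or a zone-to-urls mapping) is safer than inferring it; the `when: … | length > 0` guards on both tasks are also redundant with looping over the same list. Separately, the firewall block now runs unconditionally and submits `rules: "{{ connect_customer_firewall_entry_rules }}"` even when that evaluates to `[]`, where the replaced task was guarded by `server_hcloud_firewall_objects is defined`; I cannot see how configure-firewall2 treats a rule-less `state: present` object, so either guard the block with `when: connect_customer_firewall_entry_rules | length > 0` or confirm that an empty rule set actually removes a previously allowlisted rule instead of leaving it in place. As a point of style, the connect_id DNS task still uses bare `include_role:` while every other task in the hunk uses `ansible.builtin.include_role:`.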
@@ -1,58 +0,0 @@ ---- - -connect_id: "{{ inventory_hostname }}-connect" -connect_admin_username: "connect-admin" -connect_admin_password: "{{ connect_admin_password_vault }}" -connect_postgres_username: "connect-postgres-username" -connect_postgres_password: "{{ connect_postgres_password_vault }}" -connect_image_name: "{{ shared_service_hostname_harbor }}/smardigo/connect-whitelabel-app" - -iam_image_name: "{{ shared_service_hostname_harbor }}/smardigo/iam-app" - -elasticsearch_username: "elastic" -elasticsearch_password: "{{ elasticsearch_password_vault }}" - -keycloak_id: "{{ inventory_hostname }}-keycloak" -keycloak_admin_username: "keycloak-admin" -keycloak_admin_password: "{{ keycloak_admin_password_vault }}" -keycloak_postgres_username: "keycloak_postgres" -keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" -keycloak_image_name: "{{ shared_service_hostname_harbor }}/smardigo/keycloak" - -kibana_id: "{{ inventory_hostname }}-kibana" - -shared_service_mail_hostname: "not_available" - -current_realm_name: connect -connect_client_id: "{{ connect_id }}" - -current_realm_clients: [ - { - name: '{{ connect_client_id }}', - clientId: "{{ connect_client_id }}", - admin_url: '', - root_url: '', - redirect_uris: [ - "{{ http_s }}://{{ connect_base_url }}/*", - "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}/*", - ], - secret: '{{ connect_client_id }}', - web_origins: [ - "{{ http_s }}://{{ connect_base_url }}", - "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}", - ] - },{ - name: 'mpm', - clientId: "mpm", - admin_url: '', - root_url: '', - redirect_uris: [ - "{{ http_s }}://{{ connect_base_url }}/*", - ], - secret: '9d9ca019-8245-4b72-b8eb-8020535eba8e', - web_origins: [ - "{{ http_s }}://{{ connect_base_url }}", - ] - }, -] -connect_compact_tls_cert_resolver: letsencrypt-http diff --git a/roles/connect_compact/tasks/main.yml b/roles/connect_compact/tasks/main.yml deleted file mode 100644 index 38b5146..0000000 
--- a/roles/connect_compact/tasks/main.yml +++ /dev/null @@ -1,61 +0,0 @@ ---- - -- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" - include_role: - name: hetzner-ansible-dns - vars: - record_data: "{{ stage_server_ip }}" - record_name: "{{ connect_id }}" - -- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>" - include_role: - name: hetzner-ansible-dns - vars: - record_data: "{{ stage_server_ip }}" - record_name: "{{ connect_external_subdomain }}" - when: connect_external_subdomain is defined - -- name: "Setup DNS configuration for <{{ kibana_id }}> to <{{ stage_server_ip }}>" - include_role: - name: hetzner-ansible-dns - vars: - record_data: "{{ stage_server_ip }}" - record_name: "{{ kibana_id }}" - -- name: "Setup realm for {{ connect_id }}" - include_role: - name: keycloak - tasks_from: _configure_realm - apply: - tags: - - configure_realm - tags: - - configure_realm - -- name: "Check if {{ connect_id }}/docker-compose.yml exists" - stat: - path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml' - register: check_docker_compose_file_connect - -- name: "Deploy docker templates for {{ connect_id }}" - include_role: - name: hetzner-ansible-sma-deploy - tasks_from: templates - vars: - current_config: "connect-compact" - current_base_path: "{{ service_base_path }}" - current_destination: "{{ connect_id }}" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - -- name: "Stop {{ connect_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' - state: absent - when: check_docker_compose_file_connect.stat.exists - -- name: "Restart {{ connect_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ connect_id }}' - state: present - pull: no diff --git a/roles/connect_realm/defaults/main.yml b/roles/connect_realm/defaults/main.yml index 0bcdfd8..84ed8a8 100644 
--- a/roles/connect_realm/defaults/main.yml +++ b/roles/connect_realm/defaults/main.yml @@ -3,7 +3,7 @@ connect_client_secret: "{{ connect_client_id }}" client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}" client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}" -client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain | default('unset') }}.{{ domain }}" +client_web_origin_connect_external: "{{ connect_customer_urls | map('regex_replace', '(.+)', http_s + '://\\1') | list }}" current_realm_clients: - name: "{{ connect_client_id }}" @@ -13,14 +13,14 @@ current_realm_clients: redirect_uris: "{{ [client_web_origin_connect + '/*'] + ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) + - ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else []) - }}" + (client_web_origin_connect_external | default([]) | map('regex_replace', '(.+)', '\\1/*') | list) + }}" secret: "{{ connect_oidc_client_secret }}" web_origins: "{{ [client_web_origin_connect] + ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) + - ([client_web_origin_connect_external] if connect_external_subdomain is defined else []) - }}" + (client_web_origin_connect_external | default([])) + }}" current_realm_users_base: - username: "{{ connect_client_admin_username }}" diff --git a/roles/keycloak_compact/defaults/main.yml b/roles/keycloak_compact/defaults/main.yml deleted file mode 100644 index e7a75ab..0000000 --- a/roles/keycloak_compact/defaults/main.yml +++ /dev/null 
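Review bot: `client_web_origin_connect_external | default([])` in both `redirect_uris` and `web_origins` guards a variable that the first hunk defines unconditionally in this same defaults file, so the `default([])` never fires and suggests to a reader that the value may be absent; dropping it makes the contract clearer. That variable also changed type from a single origin string to a list while keeping its singular name and gaining no comment; a line such as `# list of "<scheme>://<host>" origins, one per connect_customer_urls entry, empty when none are configured` above it would document the new shape, and a plural name would match the two `map(...)` pipelines that consume it. The `regex_replace('(.+)', …)` idiom for adding a prefix or suffix works (the YAML `\\1` reaches Jinja as `\1`), but `map('regex_replace', '^', http_s + '://')` and `map('regex_replace', '$', '/*')` express the same thing without a capture group.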
@@ -1,12 +0,0 @@ ---- - -keycloak_id: "{{ inventory_hostname }}-keycloak" -keycloak_admin_username: "keycloak-admin" -keycloak_admin_password: "{{ keycloak_admin_password_vault }}" -keycloak_postgres_username: "keycloak_postgres" -keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" -keycloak_image_name: "{{ shared_service_hostname_harbor }}/smardigo/keycloak" - -keycloak_compact_tls_cert_resolver: letsencrypt-http - -service_port_keycloak_external: 8110 diff --git a/roles/keycloak_compact/tasks/main.yml b/roles/keycloak_compact/tasks/main.yml deleted file mode 100644 index ef0bedd..0000000 --- a/roles/keycloak_compact/tasks/main.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- - -### tags: -### configure_realm - -- name: "Setup DNS configuration for <{{ keycloak_id }}> to <{{ stage_server_ip }}>" - include_role: - name: hetzner-ansible-dns - vars: - record_data: "{{ stage_server_ip }}" - record_name: "{{ keycloak_id }}" - -- name: "Setup DNS configuration for <{{ keycloak_external_subdomain }}> to <{{ stage_server_ip }}>" - include_role: - name: hetzner-ansible-dns - vars: - record_data: "{{ stage_server_ip }}" - record_name: "{{ keycloak_external_subdomain }}" - when: keycloak_external_subdomain is defined - -- name: "Check if {{ keycloak_id }}/docker-compose.yml exists" - stat: - path: '{{ service_base_path }}/{{ keycloak_id }}/docker-compose.yml' - register: check_docker_compose_file - -- name: "Deploy docker templates for {{ keycloak_id }}" - include_role: - name: hetzner-ansible-sma-deploy - tasks_from: templates - vars: - current_config: "keycloak-compact" - current_base_path: "{{ service_base_path }}" - current_destination: "{{ keycloak_id }}" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - -- name: "Stop {{ keycloak_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ keycloak_id }}' - state: absent - when: check_docker_compose_file.stat.exists - -- name: "Start {{ keycloak_id }}" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/{{ keycloak_id }}' - state: present - -- name: "Setting local keycloak url" - set_fact: - shared_service_url_keycloak: "http://localhost:{{ service_port_keycloak_external }}" - -- name: "Wait for " - wait_for: - host: "localhost" - port: '{{ service_port_keycloak_external }}' - delay: 30 \ No newline at end of file diff --git a/smardigo.yml b/smardigo.yml index d558a8e..b4cdabd 100644 --- a/smardigo.yml +++ b/smardigo.yml 
@@ -67,12 +67,6 @@ - role: backup when: "'backup' in group_names" - - role: keycloak_compact - when: "'keycloak_compact' in group_names" - - - role: connect_compact - when: "'connect_compact' in group_names" - - role: mpmx when: "'mpmx' in group_names" diff --git a/tasks/autodiscover_pre_tasks.yml b/tasks/autodiscover_pre_tasks.yml index c576b39..07fdad4 100644 --- a/tasks/autodiscover_pre_tasks.yml +++ b/tasks/autodiscover_pre_tasks.yml @@ -192,7 +192,7 @@ tags: - always -- name: "Printing autodicoverd values for <{{ inventory_hostname }}> on stage <{{ stage }}/{{ stage_kube }}>" +- name: "Printing autodiscovered values for <{{ inventory_hostname }}> on stage <{{ stage }}/{{ stage_kube }}>" debug: msg: - "host: <{{ inventory_hostname }}>" diff --git a/templates/connect-compact/config/application-linked-applications.yml.j2 b/templates/connect-compact/config/application-linked-applications.yml.j2 deleted file mode 100644 index 6df8166..0000000 --- a/templates/connect-compact/config/application-linked-applications.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -smardigo: - linked-applications: - - - name: Password Change - url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password - - - name: User Management - url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console - - - name: MPM Process Mining - url: https://mehrwerk-demo.eu.qlikcloud.com \ No newline at end of file diff --git a/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 b/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 deleted file mode 100644 index 4bf1121..0000000 --- a/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 +++ /dev/null 
@@ -1,10 +0,0 @@ ---- - -cluster.name: "{{ connect_id }}-elastic" -network.host: 0.0.0.0 - -discovery.type: single-node - -xpack.security.enabled: true -xpack.license.self_generated.type: basic -xpack.monitoring.collection.enabled: true diff --git a/templates/connect-compact/docker-compose.yml.j2 b/templates/connect-compact/docker-compose.yml.j2 deleted file mode 100644 index 7575b31..0000000 --- a/templates/connect-compact/docker-compose.yml.j2 +++ /dev/null 
@@ -1,182 +0,0 @@ -version: '3.7' - -networks: - back-tier: - external: True - front-tier: - external: True - -volumes: - {{ connect_id }}-postgres-data: {} - {{ connect_id }}-elastic-data: {} - -services: - {{ connect_id }}: - image: "{{ connect_image_name }}:{{ connect_version }}" - container_name: "{{ connect_id }}" - restart: always - labels: - - "traefik.enable=true" - - "traefik.http.routers.{{ connect_id }}.service={{ connect_id }}" - - "traefik.http.routers.{{ connect_id }}.rule=Host(`{{ connect_id }}.{{ domain }}`)" - - "traefik.http.routers.{{ connect_id }}.entrypoints=websecure" - - "traefik.http.routers.{{ connect_id }}.tls=true" - - "traefik.http.routers.{{ connect_id }}.tls.certresolver={{ connect_compact_tls_cert_resolver }}" - - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080" - - - "traefik.http.routers.{{ connect_id }}-admin.service={{ connect_id }}-admin" - - "traefik.http.routers.{{ connect_id }}-admin.rule=Host(`{{ connect_id }}.{{ domain }}`)" - - "traefik.http.routers.{{ connect_id }}-admin.entrypoints=admin-service" - - "traefik.http.routers.{{ connect_id }}-admin.tls=true" - - "traefik.http.routers.{{ connect_id }}-admin.tls.certresolver={{ connect_compact_tls_cert_resolver }}" - - "traefik.http.services.{{ connect_id }}-admin.loadbalancer.server.port={{ management_port }}" -{% if - connect_external_subdomain is defined -%} - - - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern" - - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)" - - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure" - - "traefik.http.routers.{{ connect_id }}-extern.tls=true" - - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver={{ connect_compact_tls_cert_resolver }}" - - "traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port=8080" -{% endif %} - environment: - TZ: "Europe/Berlin" - NAME: "MPM eXecution 2.0" - - 
TENANT_ID: "{{ connect_id }}" - ADMIN_LOGIN: "{{ connect_admin_username }}" - ADMIN_PASSWORD: "{{ connect_admin_password }}" - - DATASOURCE_URL: "jdbc:postgresql://{{ connect_id }}-postgres:5432/connect-postgres" - DATASOURCE_USERNAME: "{{ connect_postgres_username }}" - DATASOURCE_PASSWORD: "{{ connect_postgres_password }}" - - MAIL_PROTOCOL: "smtp" - MAIL_HOST: "smtp.web.de" - MAIL_PORT: "587" - MAIL_USER: "{{ connect_email_username }}" - MAIL_PASSWORD: "{{ connect_email_password }}" - MAIL_PROPERTIES_SIMULATION: "false" - MAIL_PROPERTIES_BASE_URL: "https://{{ connect_id }}.{{ domain }}" - MAIL_PROPERTIES_BASE_URL_EXTERN: "https://{{ connect_id }}.{{ domain }}" - MAIL_PROPERTIES_SENDER: "smardigo.email@web.de" - MAIL_PROPERTIES_SENDER_ALIAS: "noreply-connect" - MAIL_PROPERTIES_SMTP_AUTH: "true" - MAIL_PROPERTIES_SMTP_STARTTLS_ENABLE: "true" - MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true" - - AUTH_MODULE: "oidc" - OIDC_CLIENT_ID: "{{ connect_id }}" - OIDC_CLIENT_SECRET: "{{ connect_id }}" - OIDC_REGISTRATION_ID: "{{ connect_id }}" - OIDC_ISSUER_URI: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}" - PASSWORD_CHANGE_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password" - USER_MANAGEMENT_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console" - - IAM_MODULE: "external" - IAM_CLIENT_ENABLED: "true" - EXTERNAL_IAM_SERVER_URL: "http://{{ connect_id }}-iam:8080" - - PROCESS_SEARCH_MODULE: "embedded" - ELASTIC_HOST: "{{ connect_id }}-elastic" - ELASTIC_PREFIX: "{{ connect_id }}" - ELASTIC_USERNAME: "{{ elasticsearch_username }}" - ELASTIC_PASSWORD: "{{ elasticsearch_password }}" - ELASTIC_SEARCH_INDEX: "search" - ELASTIC_MESSAGE_INDEX: "message" - ELASTIC_ANALYSIS_INDEX: "analysis" - - SPRING_PROFILES_INCLUDE: "linked-applications, swagger, elastic" - PROCESS_SEARCH_MODULE: "external" - - SPRINGDOC_SERVER_URL: 
"https://{{ connect_id }}.{{ domain }}" - SMA_CORS_ORIGINS: "https://{{ connect_id }}.{{ domain }}" - SMA_CORS_ALLOWED_METHODS: "*" - SMA_CORS_ALLOWED_HEADERS: "*" - SMA_CORS_PATH_PATTERN: "/**" - SMA_LANGUAGE_CODE: "en" - - SMA_JWT_ENABLED: "True" - SMA_JWT_SECRET: "{{ sma_jwt_secret }}" - - RESUBMISSION_ENABLED: "true" - ELEMENT_TEMPLATE_ENABLED: "true" - CONFIG_DELETE_SCOPE_ENABLED: "true" - EXTERNAL_TASK_SCRIPT_WORKER_ENABLED: "false" - CONFIG_DELETE_SCOPE_ENABLED: "true" - CONFIG_LOCAL_IMPORT_ENABLED: "true" - SMA_WORKFLOW_HEATMAP_ENABLED: "true" - - LOG_LEVEL_CAMUNDA: "OFF" - LOG_LEVEL_JASYPT: "ERROR" - LOG_LEVEL_MESSAGE_QUEUE: "INFO" - LOG_LEVEL_DOCUMENT_INDEX: "INFO" - LOG_LEVEL_WORKFLOW_INDEX: "INFO" - LOG_LEVEL_WORKFLOW_ANALYSIS: "INFO" - volumes: - - "./config/application-linked-applications.yml:/config/application-linked-applications.yml" - networks: - - "back-tier" - - "front-tier" - {{ connect_id }}-postgres: - image: "postgres:12" - container_name: "{{ connect_id }}-postgres" - restart: always - environment: - POSTGRES_DB: "connect-postgres" - POSTGRES_USER: "{{ connect_postgres_username }}" - POSTGRES_PASSWORD: "{{ connect_postgres_password }}" - volumes: - - "{{ connect_id }}-postgres-data:/var/lib/postgresql/data" - networks: - - "back-tier" - {{ connect_id }}-elastic: - image: "docker.elastic.co/elasticsearch/elasticsearch:7.16.3" - container_name: "{{ connect_id }}-elastic" - restart: always - environment: - ES_JAVA_OPTS: "-Xmx2G -Xms2G" - ELASTIC_PASSWORD: "{{ elasticsearch_password }}" - volumes: - - "./config/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro" - - "{{ connect_id }}-elastic-data:/usr/share/elasticsearch/data" - networks: - - "back-tier" - {{ connect_id }}-kibana: - image: "docker.elastic.co/kibana/kibana:7.16.3" - container_name: "{{ connect_id }}-kibana" - restart: always - labels: - - "traefik.enable=true" - - "traefik.http.routers.{{ connect_id }}-kibana.service={{ connect_id }}-kibana" - - 
"traefik.http.routers.{{ connect_id }}-kibana.rule=Host(`{{ kibana_id }}.{{ domain }}`)" - - "traefik.http.routers.{{ connect_id }}-kibana.entrypoints=websecure" - - "traefik.http.routers.{{ connect_id }}-kibana.tls=true" - - "traefik.http.routers.{{ connect_id }}-kibana.tls.certresolver={{ connect_compact_tls_cert_resolver }}" - - "traefik.http.services.{{ connect_id }}-kibana.loadbalancer.server.port=5601" - - "traefik.http.routers.{{ connect_id }}-kibana.middlewares={{ connect_id }}-kibana-ipwhitelist" - - "traefik.http.middlewares.{{ connect_id }}-kibana-ipwhitelist.ipwhitelist.sourcerange={{ ( ip_whitelist_netgo ) | join(',') }}" - mem_limit: 1G - volumes: - - "./config/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml:ro" - networks: - - "back-tier" - - "front-tier" - {{ connect_id }}-iam: - image: "{{ iam_image_name }}:{{ iam_version }}" - container_name: "{{ connect_id }}-iam" - restart: always - environment: - SERVER_ERROR_INCLUDE_MESSAGE: "always" - IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth" - IAM_KEYCLOAK_ADMIN_USER: "{{ keycloak_admin_username }}" - IAM_KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}" - IAM_JWT_CONFIG_READ_TIMEOUT: 3000 - IAM_CACHE_TENANTS_TTL: "3600" - IAM_CACHE_ROLES_TTL: "60" - IAM_CACHE_USERS_TTL: "60" - IAM_CACHE_JWKS_TTL: "3600" - networks: - - "back-tier" diff --git a/templates/keycloak-compact/docker-compose.yml.j2 b/templates/keycloak-compact/docker-compose.yml.j2 deleted file mode 100644 index f9d50ca..0000000 --- a/templates/keycloak-compact/docker-compose.yml.j2 +++ /dev/null 
@@ -1,61 +0,0 @@
-version: '3.7'
-
-networks:
- back-tier:
- external: True
- front-tier:
- external: True
-
-volumes:
- {{ keycloak_id }}-postgres-data: {}
-
-services:
- {{ keycloak_id }}:
- image: "{{ keycloak_image_name }}:{{ keycloak_version }}"
- container_name: "{{ keycloak_id }}"
- command: "start"
- restart: always
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}"
- - "traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ keycloak_id }}.smardigo.digital`)"
- - "traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure"
- - "traefik.http.routers.{{ keycloak_id }}.tls=true"
- - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver={{ keycloak_compact_tls_cert_resolver }}"
- - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
-{% if
- keycloak_external_subdomain is defined -%}
- - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
- - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_subdomain }}.smardigo.digital`)"
- - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
- - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
- - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver={{ keycloak_compact_tls_cert_resolver }}"
- - "traefik.http.services.{{ keycloak_id }}-extern.loadbalancer.server.port=8080"
-{% endif %}
- environment:
- KEYCLOAK_USER: "{{ keycloak_admin_username }}"
- KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
- KC_PROXY: "edge"
- KC_HOSTNAME: "{{ keycloak_id }}.{{ domain_env }}"
- KC_DB: "postgres"
- KC_DB_USERNAME: "{{ keycloak_postgres_username }}"
- KC_DB_PASSWORD: "{{ keycloak_postgres_password }}"
- KC_DB_URL: "jdbc:postgresql://{{ keycloak_id }}-postgres:{{ service_port_postgres }}/keycloak-postgres"
- networks:
- - "back-tier"
- - "front-tier"
- ports:
- - "8110:8080"
- {{ keycloak_id }}-postgres:
- image: "postgres:12"
- container_name: "{{
keycloak_id }}-postgres"
- restart: always
- environment:
- POSTGRES_DB: "keycloak-postgres"
- POSTGRES_USER: "{{ keycloak_postgres_username }}"
- POSTGRES_PASSWORD: "{{ keycloak_postgres_password }}"
- volumes:
- - "{{ keycloak_id }}-postgres-data:/var/lib/postgresql/data"
- networks:
- - "back-tier"
