SMARCH-46: smardigo self service portal (wip)

create-database.yml

@@ -30,35 +30,38 @@
 #############################################################
 
 - hosts: "stage_{{ stage }}"
-  serial: "{{ serial_number | default(5) }}"
+  serial: "{{ serial_number | default(1) }}"
   remote_user: root
 
   pre_tasks:
-    - name: "Gather current server infos"
+    - name: "Gathering current server infos from hetzner"
       hcloud_server_info:
         api_token: "{{ hetzner_authentication_token }}"
       register: hetzner_server_infos
       delegate_to: 127.0.0.1
       become: false
 
-    - name: "Set current server infos as fact: hetzner_server_infos_json"
+    - name: "Setting current server infos as fact: hetzner_server_infos_json"
       set_fact: 
         hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
       delegate_to: 127.0.0.1
       become: false
 
-    - name: "Read ip address for {{ inventory_hostname }}"
+    - name: "Reading ip address for {{ inventory_hostname }}"
       set_fact:
-        stage_server_ip: "{{ item.ipv4_address }}"
-      when: item.name == inventory_hostname
-      with_items: "{{ hetzner_server_infos_json }}"
+        stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+      vars:
+        querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
       delegate_to: 127.0.0.1
       become: false
 
-#    - name: Print the gathered infos
-#      debug:
-#        var: stage_server_ip
-#      delegate_to: 127.0.0.1
+    - name: "Printing ip address for {{ inventory_hostname }}"
+      debug:
+        msg: "{{ stage_server_ip }}"
+      delegate_to: 127.0.0.1
+      become: false
+      when:
+       - debug
 
   roles:
     - role: connect-postgres

create-realm.yml

@@ -30,33 +30,35 @@
 #############################################################
 
 - hosts: "stage_{{ stage }}"
-  serial: "{{ serial_number | default(5) }}"
-  become: false
+  serial: "{{ serial_number | default(1) }}"
   gather_facts: false
+  become: false
 
   pre_tasks:
-    - name: "Gather current server infos"
+    - name: "Gathering current server infos from hetzner"
       hcloud_server_info:
         api_token: "{{ hetzner_authentication_token }}"
       register: hetzner_server_infos
       delegate_to: 127.0.0.1
 
-    - name: "Set current server infos as fact: hetzner_server_infos_json"
+    - name: "Setting current server infos as fact: hetzner_server_infos_json"
       set_fact: 
         hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
       delegate_to: 127.0.0.1
 
-    - name: "Read ip address for {{ inventory_hostname }}"
+    - name: "Reading ip address for {{ inventory_hostname }}"
       set_fact:
-        stage_server_ip: "{{ item.ipv4_address }}"
-      when: item.name == inventory_hostname
-      with_items: "{{ hetzner_server_infos_json }}"
+        stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr)| first }}"
+      vars:
+        querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
       delegate_to: 127.0.0.1
 
-    - name: Print the gathered infos
+    - name: "Printing ip address for {{ inventory_hostname }}"
       debug:
-        var: stage_server_ip
+        msg: "{{ stage_server_ip }}"
       delegate_to: 127.0.0.1
+      when:
+       - debug
 
   roles:
     - role: connect-realm

create-server.yml

@@ -74,7 +74,7 @@
 #############################################################
 
 - hosts: "stage_{{ stage }}"
-  serial: "{{ serial_number | default(5) }}"
+  serial: "{{ serial_number | default(1) }}"
   remote_user: root
 
   pre_tasks:
@@ -94,31 +94,30 @@
         state: 'absent'
       when: ansible_distribution == "Ubuntu"
 
-    - name: "Gather current server infos"
+    - name: "Gathering current server infos from hetzner"
       hcloud_server_info:
         api_token: "{{ hetzner_authentication_token }}"
       register: hetzner_server_infos
       delegate_to: 127.0.0.1
-      become: false
 
-    - name: "Set current server infos as fact: hetzner_server_infos_json"
+    - name: "Setting current server infos as fact: hetzner_server_infos_json"
       set_fact: 
         hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
       delegate_to: 127.0.0.1
-      become: false
 
-    - name: "Read ip address for {{ inventory_hostname }}"
+    - name: "Reading ip address for {{ inventory_hostname }}"
       set_fact:
-        stage_server_ip: "{{ item.ipv4_address }}"
-      when: item.name == inventory_hostname
-      with_items: "{{ hetzner_server_infos_json }}"
+        stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+      vars:
+        querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
       delegate_to: 127.0.0.1
-      become: false
 
-#    - name: Print the gathered infos
-#      debug:
-#        var: stage_server_ip
-#      delegate_to: 127.0.0.1
+    - name: "Printing ip address for {{ inventory_hostname }}"
+      debug:
+        msg: "{{ stage_server_ip }}"
+      delegate_to: 127.0.0.1
+      when:
+       - debug
 
   roles:
     - role: ansible-role-docker

create-service.yml

@@ -30,32 +30,34 @@
 #############################################################
 
 - hosts: "stage_{{ stage }}"
-  serial: "{{ serial_number | default(5) }}"
+  serial: "{{ serial_number | default(1) }}"
   remote_user: root
 
   pre_tasks:
-    - name: "Gather current server infos"
+    - name: "Gathering current server infos from hetzner"
       hcloud_server_info:
         api_token: "{{ hetzner_authentication_token }}"
       register: hetzner_server_infos
       delegate_to: 127.0.0.1
 
-    - name: "Set current server infos as fact: hetzner_server_infos_json"
+    - name: "Setting current server infos as fact: hetzner_server_infos_json"
       set_fact: 
         hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
       delegate_to: 127.0.0.1
 
-    - name: "Read ip address for {{ inventory_hostname }}"
+    - name: "Reading ip address for {{ inventory_hostname }}"
       set_fact:
-        stage_server_ip: "{{ item.ipv4_address }}"
-      when: item.name == inventory_hostname
-      with_items: "{{ hetzner_server_infos_json }}"
+        stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+      vars:
+        querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
       delegate_to: 127.0.0.1
 
-    - name: Print the gathered infos
+    - name: "Printing ip address for {{ inventory_hostname }}"
       debug:
-        var: stage_server_ip
+        msg: "{{ stage_server_ip }}"
       delegate_to: 127.0.0.1
+      when:
+       - debug
 
   roles:
     - role: connect

group_vars/all/plain.yml

@@ -1,5 +1,7 @@
 ---
 
+debug: false
+
 send_status_messages: false
 
 domain: smardigo.digital

group_vars/connect/plain.yml

@@ -5,17 +5,19 @@ service: "connect"
 hetzner_server_type: cx21
 hetzner_server_labels: "stage={{ stage }} service={{ service }}"
 
-connect_jwt_enabled: true
-connect_jwt_secret: 908ae14462d049d3be84964ef379c7c6
+connect_client_id: "{{ cluster_name }}"
 
-connect_postgres_database: "connect-postgres"
-connect_postgres_admin_username: "connect-postgres-admin"
-connect_postgres_admin_password: "connect-postgres-admin"
+current_realm_users: [
+  {
+    "username": "connect-admin",
+    "password": "connect-admin",
+  }
+]
 
 current_realm_clients: [
   {
-    clientId: 'connect',
-    name: 'connect',
+    clientId: "{{ connect_client_id }}",
+    name: '{{ connect_client_id }}',
     admin_url: '',
     root_url: '',
     redirect_uris: '
@@ -30,5 +32,25 @@ current_realm_clients: [
   }
 ]
 
+connect_iam_module: external
+smardigo_iam_client_enabled: 'true'
+smardigo_iam_client_server_url: https://dev-iam-01.smardigo.digital
+
+connect_auth_module: "oidc"
+connect_oidc_client_id: "{{ connect_client_id }}"
+connect_oidc_client_secret: "{{ cluster_name }}"
+connect_oidc_registration_id: "{{ connect_client_id }}"
+connect_oidc_issuer_uri: "https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ current_realm_name }}"
+
+connect_password_change_url: "https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ current_realm_name }}/account/password"
+connect_iam_user_management_url: "https://{{ shared_service_keycloak_hostname }}/auth/admin/{{ current_realm_name }}/console"
+
+connect_postgres_database: "connect-postgres"
+connect_postgres_admin_username: "connect-postgres-admin"
+connect_postgres_admin_password: "connect-postgres-admin"
+
+connect_jwt_enabled: true
+connect_jwt_secret: 908ae14462d049d3be84964ef379c7c6
+
 #connect_csrf_token_name: "< see vault >"
 #connect_csrf_token_value: "< see vault >"

group_vars/stage_dev/plain.yml

@@ -2,88 +2,120 @@
 
 stage: "dev"
 
-keycloak_server_url: "https://dev-keycloak-01.smardigo.digital"
+alertmanager_channel_smardigo: "#monitoring-qa"
+
+# TODO read configuration with hetzner rest api
+shared_service_elastic_01: "10.0.0.2"
+shared_service_elastic_02: "10.0.0.3"
+shared_service_elastic_03: "10.0.0.4"
+shared_service_prometheus_ip: "10.0.0.5"
+shared_service_keycloak_ip: "10.0.0.6"
+shared_service_mail_ip: "10.0.0.8"
+shared_service_iam_ip: "10.0.0.13"
+
+shared_service_iam_hostname: "dev-iam-01.smardigo.digital"
+shared_service_keycloak_hostname: "dev-keycloak-01.smardigo.digital"
+shared_service_mail_hostname: "dev-mail-01.smardigo.digital"
+
+keycloak_server_url: "https://{{ shared_service_keycloak_hostname }}"
 
 docker_registry: dev-docker-registry-01.smardigo.digital
 docker_registry_username: "< see vault >"
 docker_registry_token: "< see vault >"
 
-alertmanager_channel_smardigo: "#monitoring-qa"
-
 filebeat_certificate: "dev-elastic-stack-filebeat"
 logstash_certificate: "dev-elastic-stack-logstash"
 
 # TODO read configuration with hetzner rest api
 elastic_stack_network: {
-  dev-elastic-stack-01: 10.0.0.2,
-  dev-elastic-stack-02: 10.0.0.3,
-  dev-elastic-stack-03: 10.0.0.4,
+  dev-elastic-stack-01: "{{ shared_service_elastic_01 }}",
+  dev-elastic-stack-02: "{{ shared_service_elastic_02 }}",
+  dev-elastic-stack-03: "{{ shared_service_elastic_03 }}",
 }
 
-# TODO read configuration with hetzner rest api
 logstash_hostname: "dev-elastic-stack-01-logstash"
 elastic_extra_hosts: [
   {
     hostname: dev-elastic-stack-01-elastic,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+    ip: "{{ shared_service_elastic_01 }}",
   },
   {
     hostname: dev-elastic-stack-02-elastic,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+    ip: "{{ shared_service_elastic_02 }}",
   },
   {
     hostname: dev-elastic-stack-03-elastic,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+    ip: "{{ shared_service_elastic_03 }}",
   },
 ]
 filebeat_extra_hosts: [
   {
     hostname: dev-elastic-stack-01-logstash,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+    ip: "{{ shared_service_elastic_01 }}",
   },
   {
     hostname: dev-elastic-stack-02-logstash,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+    ip: "{{ shared_service_elastic_02 }}",
   },
   {
     hostname: dev-elastic-stack-03-logstash,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+    ip: "{{ shared_service_elastic_03 }}",
   },
 ]
 kibana_extra_hosts: [
   {
     hostname: dev-elastic-stack-01-kibana,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+    ip: "{{ shared_service_elastic_01 }}",
   },
   {
     hostname: dev-elastic-stack-02-kibana,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+    ip: "{{ shared_service_elastic_02 }}",
   },
   {
     hostname: dev-elastic-stack-03-kibana,
-    ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+    ip: "{{ shared_service_elastic_03 }}",
   },
 ]
-
-# TODO read configuration with hetzner rest api
-keycloak_hostname: "dev-keycloak-01.smardigo.digital"
-mail_hostname: "dev-mail-01.smardigo.digital"
+prometheus_extra_hosts: [
+  {
+    hostname: "{{ shared_service_mail_hostname }}",
+    ip: "{{ shared_service_mail_ip }}",
+  }
+]
 connect_extra_hosts: [
   {
-    hostname: "{{ keycloak_hostname }}",
-    ip: 10.1.0.2,
+    hostname: "{{ shared_service_iam_hostname }}",
+    ip: "{{ shared_service_iam_ip }}",
+  },
+  {
+    hostname: "{{ shared_service_keycloak_hostname }}",
+    ip: "{{ shared_service_keycloak_ip }}",
   },
   {
-    hostname: "{{ mail_hostname }}",
-    ip: 10.2.0.2,
+    hostname: "{{ shared_service_mail_hostname }}",
+    ip: "{{ shared_service_mail_ip }}",
   }
 ]
 keycloak_extra_hosts: [
   {
-    hostname: "{{ mail_hostname }}",
-    ip: 10.2.0.2,
+    hostname: "{{ shared_service_iam_hostname }}",
+    ip: "{{ shared_service_iam_ip }}",
+  },
+  {
+    hostname: "{{ shared_service_mail_hostname }}",
+    ip: "{{ shared_service_mail_ip }}",
+  }
+]
+iam_extra_hosts: [
+  {
+    hostname: "{{ shared_service_keycloak_hostname }}",
+    ip: "{{ shared_service_keycloak_ip }}",
+  },
+  {
+    hostname: "{{ shared_service_mail_hostname }}",
+    ip: "{{ shared_service_mail_ip }}",
   }
 ]
 
-smardigo_management_url: "http://localhost:8080/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
-smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..xiS4DrBqSprqYdR94ACbUw.OHRxU9nmP25JiGlJMyw9XaSB2Q3GZ4yiG7I7UZlbv9k.q5I2KulPbvhN5yO08bGqfw"
+smardigo_management_url: "https://dev-management-smardigo-01.smardigo.digital/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
+smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..JgixZcmsSyvovabQvREAjw.Fk7aNYwOjzMhLCqF_9unl5yrWTey26z4scZBeVZjhpE.fnovrqn0MUjM_TA8zVhXdQ"

host_vars/dev-ansible-01.yml

@@ -1,5 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=ansible"
-
-hetzner_server_type: cx31

host_vars/dev-connect-01.yml

@@ -1,15 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"

host_vars/dev-connect-02.yml

@@ -1,15 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-connect_auth_module: oidc
-connect_oidc_client_id: connect-02
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-02
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"

host_vars/dev-iam-01.yml

@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cx21
+hetzner_server_labels: "stage={{ stage }} service=iam"

host_vars/dev-management-smardigo-01.yml

@@ -1,17 +1,10 @@
 ---
 
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-hetzner_server_type: cpx21
-
 connect_auth_module: oidc
 connect_oidc_client_id: management-smardigo
 connect_oidc_client_secret: f1f852b4-2e75-889a-2453-3c55d53ce405
 connect_oidc_registration_id: management-smardigo
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo/console
+connect_oidc_issuer_uri: https://{{ shared_service_keycloak_hostname }}/auth/realms/smardigo
 
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"
+connect_password_change_url: https://{{ shared_service_keycloak_hostname }}/auth/realms/smardigo/account/password
+connect_iam_user_management_url: https://{{ shared_service_keycloak_hostname }}/auth/admin/smardigo/console

host_vars/dev-sken-01.yml

@@ -1,20 +0,0 @@
----
-
-#############################################################################
-### only for testing purposes -> copy of dynamic_connect
-#############################################################################
-
-hetzner_server_type: cx21
-hetzner_server_labels: "stage={{ stage }} service={{ service }}"
-
-# TODO create realm/client for tenant and service
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",{{ inventory_hostname }}"
-ribbon_display_on_active_profiles: "{{ inventory_hostname }}"

host_vars/dev-sken-02.yml

@@ -1,20 +0,0 @@
----
-
-#############################################################################
-### only for testing purposes -> copy of dynamic_connect
-#############################################################################
-
-hetzner_server_type: cx21
-hetzner_server_labels: "stage={{ stage }} service={{ service }}"
-
-# TODO create realm/client for tenant and service
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",{{ inventory_hostname }}"
-ribbon_display_on_active_profiles: "{{ inventory_hostname }}"

networks.yml

@@ -1,21 +0,0 @@
----
-
-- name: 'apply setup to {{ host | default("all") }}'
-  hosts: '{{ host | default("all") }}'
-  serial: "{{ serial_number | default(1) }}"
-  gather_facts: no
-  become: no
-
-  pre_tasks:
-    - name: "Check if ansible version is at least 2.10.x"
-      assert:
-        that:
-          - ansible_version.major >= 2
-          - ansible_version.minor >= 10
-        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
-
-  roles:
-    - role: hetzner-network
-      vars:
-        hetzner_state: 'started'
-      when: "'hcloud' in group_names"

provisioning.yml

@@ -7,14 +7,14 @@
   become: no
 
   pre_tasks:
-    - name: "Check if ansible version is at least 2.10.x"
+    - name: "Checking ansible version is at least 2.10.x"
       assert:
         that:
           - ansible_version.major >= 2
           - ansible_version.minor >= 10
         msg: "The ansible version has to be at least ({{ ansible_version.full }})"
 
-    - name: Get all Firewalls from Hetzner
+    - name: "Getting all firewalls from hetzner"
       uri:
         url: "https://api.hetzner.cloud/v1/firewalls"
         headers:
@@ -23,14 +23,12 @@
         return_content: yes
       register: hetzner_firewalls_response
       delegate_to: 127.0.0.1
-      run_once: true
       tags:
         - update_networks
 
-    - name: Save firewall entries as variable (fact)
+    - name: "Saving firewall entries as fact: hetzner_firewalls_response_json"
       set_fact: 
         hetzner_firewalls_response_json: "{{ hetzner_firewalls_response.json }}"
-      run_once: true
       tags:
         - update_networks
 
@@ -39,17 +37,24 @@
         firewall_records: "{{ hetzner_firewalls_response_json.firewalls | json_query(jmesquery) }}"
       vars:
         jmesquery: '[*].{id: id, name: name}'
-      run_once: true
       tags:
         - update_networks
     
-    - name: Print firewall entries
+    - name: "Printing firewall entries"
       debug:
         msg: "{{ firewall_records }}"
-      run_once: true
+      delegate_to: 127.0.0.1
+      when:
+       - debug
       tags:
         - update_networks
 
   roles:
     - role: hcloud
       when: "'hcloud' in group_names"
+
+- name: 'Apply setup to {{ host | default("all") }}'
+  hosts: '{{ host | default("all") }}'
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: no
+  become: no

roles/_digitalocean/tasks/domain.yml

@@ -39,7 +39,7 @@
   tags:
     - update_dns
 
-- name: Delete DNS entry for <{{ record_name }}> if necessary
+- name: Delete DNS entry for <{{ record_data }}:{{ record_name }}> if necessary
   uri:
     method: DELETE
     url: "https://api.digitalocean.com/v2/domains/{{ domain }}/records/{{ domain_record.id }}"

roles/connect-realm/tasks/main.yml

@@ -26,6 +26,11 @@
     name: keycloak
     tasks_from: _configure_realm
 
+- name: "Create realm users"
+  include_role:
+    name: keycloak
+    tasks_from: _create_realm_users
+
 - name: "Send mattermost messsge"
   uri:
     url: "{{ mattermost_hook_smardigo }}"

roles/connect/defaults/main.yml

@@ -10,4 +10,3 @@ connect_admin_password: "connect-admin"
 
 connect_mail_properties_base_url: "{{ http_s }}://{{ connect_id }}.{{ domain }}"
 connect_mail_properties_base_url_extern: "{{ http_s }}://{{ connect_id }}.{{ domain }}"
-  

roles/connect/tasks/main.yml

@@ -22,7 +22,7 @@
     tasks_from: domain
   vars:
     record_data: "{{ stage_server_ip }}"
-    record_name: "{{ connect_service_name }}"
+    record_name: "{{ service_name }}"
 
 - name: "Check if {{ connect_service_name }}/docker-compose.yml exists"
   stat:

roles/connect/templates/create-new-user.json.j2

@@ -1,5 +0,0 @@
-{
-  "id": "{{ current_user.userId }}",
-  "firstName": "{{ current_user.firstName | default('null') }}",
-  "lastName": "{{ current_user.lastName | default('null') }}"
-}

roles/hcloud/tasks/configure-firewall.yml

@@ -2,19 +2,21 @@
 
 ### tags:
 
-- name: Read firewall entry for <{{ current_firewall_name }}>
+- name: "Reading firewall entry for <{{ current_firewall_name }}>"
   set_fact:  
     firewall_record: "{{ firewall_records | selectattr('name', 'equalto', current_firewall_name) | list | first | default({'name': '-', 'id': '-'}) }}"
   tags:
     - update_networks
 
-- name: Print firewall entry for <{{ current_firewall_name }}>
+- name: "Printing firewall entry for <{{ current_firewall_name }}>"
   debug:
     msg: "{{ firewall_record }}"
+  when:
+   - debug
   tags:
     - update_networks
 
-- name: Save firewall entry <{{ current_firewall_name }}>
+- name: "Creating new firewall entry <{{ current_firewall_name }}>"
   uri:
     method: POST
     url: "https://api.hetzner.cloud/v1/firewalls"
@@ -31,7 +33,7 @@
     - update_networks
 
 # TODO port changes are not written corectly
-- name: Update firewall entry <{{ current_firewall_name }}>
+- name: "Updating firewall entry <{{ current_firewall_name }}>"
   uri:
     method: PUT
     url: "https://api.hetzner.cloud/v1/firewalls/{{ firewall_record.id }}"

roles/hcloud/tasks/configure-network.yml

@@ -1,45 +1,91 @@
 ---
 
-- name: "Gather current server infos for network <{{ current_network_name }}>"
-  hcloud_server_info:
+#- name: "Gathering current server infos for network <{{ current_network_name }}>"
+#  hcloud_server_info:
+#    api_token: "{{ hetzner_authentication_token }}"
+#    label_selector: "{{ current_server_label_selector }}"
+#  register: network_hetzner_server_infos
+#  delegate_to: 127.0.0.1
+#  become: false
+#  tags:
+#    - update_networks
+
+#- name: "Setting current server infos for network <{{ current_network_name }}> as fact: network_hetzner_server_infos_json"
+#  set_fact: 
+#    network_hetzner_server_infos_json: "{{ network_hetzner_server_infos.hcloud_server_info }}"
+#  delegate_to: 127.0.0.1
+#  become: false
+#  tags:
+#    - update_networks
+
+#- name: "Printing current server infos for network <{{ current_network_name }}>"
+#  debug:
+#    var: network_hetzner_server_infos_json
+#  delegate_to: 127.0.0.1
+#  become: false
+#  when:
+#   - debug
+#  tags:
+#    - update_networks
+
+#- name: "Setting nerwork server names as fact: network_server_names"
+#  set_fact:  
+#    network_server_names: "{{ network_hetzner_server_infos_json | json_query(jmesquery) }}"
+#  vars:
+#    jmesquery: '[*].{name: name}'
+#  tags:
+#    - update_networks
+
+#- name: "Printing nerwork server names"
+#  debug:
+#    var: network_server_names
+#  delegate_to: 127.0.0.1
+#  become: false
+#  when:
+#   - debug
+#  tags:
+#    - update_networks
+
+- name: "Checking present state for network <{{ current_network_name }}>"
+  hcloud_network:
     api_token: "{{ hetzner_authentication_token }}"
-    label_selector: "{{ current_server_label_selector }}"
-  register: network_hetzner_server_infos
+    name: "{{ current_network_name }}"
+    labels: "{{ current_network_labels }}"
+    ip_range: 10.0.0.0/16
+    state: present
   delegate_to: 127.0.0.1
   become: false
-  tags:
-    - update_networks
 
-- name: "Set current server infos for network <{{ current_network_name }}> as fact: network_hetzner_server_infos_json"
-  set_fact: 
-    network_hetzner_server_infos_json: "{{ network_hetzner_server_infos.hcloud_server_info }}"
+- name: "Checking present state for subnetwork for <{{ current_network_name }}>"
+  hcloud_subnetwork:
+    api_token: "{{ hetzner_authentication_token }}"
+    network: "{{ current_network_name }}"
+    ip_range: 10.0.0.0/16
+    network_zone: eu-central
+    type: cloud
+    state: present
   delegate_to: 127.0.0.1
   become: false
-  tags:
-    - update_networks
 
-#- name: "Print the gathered infos for network <{{ current_network_name }}>"
-#  debug:
-#    var: network_hetzner_server_infos_json
+#- name: "Checking present state for network servers"
+#  hcloud_server_network:
+#    api_token: "{{ hetzner_authentication_token }}"
+#    network: "{{ current_network_name }}"
+#    server: "{{ item.name }}"
+#    state: present
+#  with_items: "{{ network_server_names }}"
 #  delegate_to: 127.0.0.1
+#  become: false
 #  tags:
 #    - update_networks
 
-- name: "Set nerwork server names as fact: network_server_names"
-  set_fact:  
-    network_server_names: "{{ network_hetzner_server_infos_json | json_query(jmesquery) }}"
-  vars:
-    jmesquery: '[*].{name: name}'
-  tags:
-    - update_networks
-
-- name: "Create network <{{ current_network_name }}>"
+- name: "Checking present state for network servers"
   hcloud_server_network:
     api_token: "{{ hetzner_authentication_token }}"
     network: "{{ current_network_name }}"
-    server: "{{ item.name }}"
+    server: "{{ inventory_hostname }}"
     state: present
-  with_items: "{{ network_server_names }}"
   delegate_to: 127.0.0.1
+  become: false
   tags:
     - update_networks

roles/hcloud/tasks/main.yml

@@ -4,7 +4,7 @@
 ###   update_dns
 ###   update_networks
 
-- name: Create new server {{ inventory_hostname }}
+- name: "Checking present state for server {{ inventory_hostname }}"
   hetzner.hcloud.hcloud_server:
     api_token: "{{ hetzner_authentication_token }}"
     name: "{{ inventory_hostname }}"
@@ -15,8 +15,9 @@
     location: nbg1
     state: present
   delegate_to: 127.0.0.1
+  become: false
 
-- name: "Gather current server infos"
+- name: "Gathering current server infos from hetzner"
   hcloud_server_info:
     api_token: "{{ hetzner_authentication_token }}"
   register: hetzner_server_infos
@@ -26,7 +27,7 @@
     - update_dns
     - update_networks
 
-- name: "Set current server infos as fact: hetzner_server_infos_json"
+- name: "Setting current server infos as fact: hetzner_server_infos_json"
   set_fact: 
     hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
   delegate_to: 127.0.0.1
@@ -35,40 +36,29 @@
     - update_dns
     - update_networks
 
-#- name: Print the gathered infos
-#  debug:
-#    var: hetzner_server_infos_json
-#  delegate_to: 127.0.0.1
-#  tags:
-#    - update_dns
-#    - update_networks
-
-- name: "Set current server ips as fact: stage_server_ips"
-  set_fact:  
-    stage_server_ips: "{{ hetzner_server_infos_json | json_query(jmesquery) }}"
+- name: "Reading ip address for {{ inventory_hostname }}"
+  set_fact:
+    stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
   vars:
-    jmesquery: '[*].{name: name, ipv4: ipv4_address}'
-  tags:
-    - update_dns
-
-- name: Read ip for {{ inventory_hostname }}
-  set_fact:  
-    stage_server_ip: "{{ stage_server_ips
-      | selectattr('name', 'equalto', inventory_hostname)
-      | map(attribute='ipv4') 
-      | list
-      | first }}"
+    querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
+  delegate_to: 127.0.0.1
+  become: false
   tags:
     - update_dns
+    - update_networks
 
-- name: Print the gathered ip for {{ inventory_hostname }}
+- name: "Printing ip address for {{ inventory_hostname }}"
   debug:
-    var: stage_server_ip
+    msg: "{{ stage_server_ip }}"
   delegate_to: 127.0.0.1
+  become: false
   tags:
     - update_dns
+    - update_networks
+  when:
+   - debug
 
-- name: "Setup firewalls"
+- name: "Checking present state for firewalls"
   include_tasks: configure-firewall.yml
   vars:
     current_firewall_name: '{{ current_firewall }}'
@@ -83,31 +73,24 @@
   tags:
     - update_networks
 
-- name: "Setup networks"
+- name: "Checking present state for networks"
   include_tasks: configure-network.yml
   vars:
     current_network_name: '{{ current_network.name }}'
+    current_network_labels: 'stage={{ stage }}'
     current_server_label_selector: '{{ current_network.label_selector }}'
   with_items: [
     {
-      "name": "{{ stage }}-mail",
-      "label_selector": "stage={{ stage }}",
-    },
-    {
-      "name": "{{ stage }}-keycloak",
-      "label_selector": "stage={{ stage }}",
-    },
-    {
-      "name": "{{ stage }}-elastic-stack",
+      "name": "{{ stage }}",
       "label_selector": "stage={{ stage }}",
-    },
+    }
   ]
   loop_control:
     loop_var: current_network
   tags:
     - update_networks
 
-- name: "Setup DNS configuration for {{ inventory_hostname }}"
+- name: "Checking present state of dns for {{ inventory_hostname }}"
   include_role:
     name: _digitalocean
     tasks_from: domain

roles/hetzner-network/meta/main.yml

@@ -1 +0,0 @@
----

roles/hetzner-network/tasks/main.yml

@@ -1,61 +0,0 @@
----
-
-### tags:
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-elastic-stack
-    server: dev-elastic-stack-01
-    ip: 10.0.0.2
-    state: present
-  delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-elastic-stack
-    server: dev-elastic-stack-02
-    ip: 10.0.0.3
-    state: present
-  delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-elastic-stack
-    server: dev-elastic-stack-03
-    ip: 10.0.0.4
-    state: present
-  delegate_to: 127.0.0.1
-
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-elastic-stack
-    server: "{{ item }}"
-    state: present
-  with_items: "{{ groups['hcloud'] | difference(groups['elastic']) }}"
-  delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-keycloak
-    server: dev-keycloak-01
-    ip: 10.1.0.2
-    state: present
-  delegate_to: 127.0.0.1
-
-- name: Create a server network and specify the ip address
-  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
-    network: dev-keycloak
-    server: "{{ item }}"
-    state: present
-  with_items: "{{ groups['connect'] }}"
-  delegate_to: 127.0.0.1

roles/hetzner-network/vars/main.yml

@@ -1 +0,0 @@
----

roles/iam/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+iam_image_name: 'dev-docker-registry-01.smardigo.digital/smardigo/iam-app'
+
+iam_version: '8.1.0-SNAPSHOT'

roles/iam/tasks/main.yml

@@ -0,0 +1,123 @@
+---
+
+### tags:
+###   create_users
+###   update_deployment
+
+- name: "Send mattermost messsge"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages
+
+- name: "Setup DNS configuration for {{ service_name }}"
+  include_role:
+    name: _digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ service_name }}"
+
+- name: "Setup public DNS configuration for {{ service_name }}"
+  include_role:
+    name: _digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ item.ip }}"
+    record_name: "{{ item.name }}"
+  loop: "{{ iam_public_dns_entries }}"
+  when: iam_public_dns_entries is defined
+
+- name: "Check docker networks"
+  include_role:
+    name: _docker
+    tasks_from: networks
+
+- name: "Check if {{ service_name }}/docker-compose.yml exists"
+  stat:
+    path: '{{ service_base_path }}/{{ service_name }}/docker-compose.yml'
+  register: check_docker_compose_file
+  tags:
+    - update_deployment
+
+- name: "Stop {{ service_name }}"
+  shell: docker-compose down
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  when: check_docker_compose_file.stat.exists
+  ignore_errors: yes
+  tags:
+    - update_deployment
+
+- name: "Deploy docker templates for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: templates
+  vars:
+    current_config: "_docker"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ service_name }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+    current_docker: "{{ iam_docker }}"
+
+- name: "Deploy service templates for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: templates
+  vars:
+    current_config: "iam"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ service_name }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+
+- name: "Update {{ service_name }}"
+  shell: docker-compose pull
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  tags:
+    - update_deployment
+
+- name: "Start {{ service_name }}"
+  shell: docker-compose up -d
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  tags:
+    - update_deployment
+
+- name: "Update landing page for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: caddy_landing_page
+  vars:
+    current_services: [
+      {
+        current_name: "{{ service_name }}",
+        current_url: "{{ http_s }}://{{ iam_id }}.{{ domain }}",
+        current_version: "{{ iam_version }}",
+        current_date: "{{ ansible_date_time.iso8601 }}",
+      },
+    ]
+  tags:
+    - update_deployment
+
+- name: "Send mattermost messsge"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages

roles/iam/vars/main.yml

@@ -0,0 +1,72 @@
+---
+
+iam_id: "{{ service_name }}-iam"
+
+iam_cache_timeout: 600s
+
+iam_keycloak_auth_server_url: "https://{{ shared_service_keycloak_hostname }}/auth"
+iam_keycloak_admin_user: "{{ keycloak_admin_username }}"
+iam_keycloak_admin_password: "{{ keycloak_admin_password }}"
+
+iam_labels: [
+  '"traefik.enable=true"',
+  '"traefik.http.routers.{{ iam_id }}.service={{ iam_id }}"',
+  '"traefik.http.routers.{{ iam_id }}.rule=Host(`{{ stage_server_url_host }}`)"',
+  '"traefik.http.routers.{{ iam_id }}.entrypoints=websecure"',
+  '"traefik.http.routers.{{ iam_id }}.tls=true"',
+  '"traefik.http.routers.{{ iam_id }}.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ iam_id }}.loadbalancer.server.port={{ service_port }}"',
+
+  '"traefik.http.routers.{{ iam_id }}-admin.service={{ iam_id }}-admin"',
+  '"traefik.http.routers.{{ iam_id }}-admin.rule=Host(`{{ stage_server_url_host }}`)"',
+  '"traefik.http.routers.{{ iam_id }}-admin.entrypoints=admin-service"',
+  '"traefik.http.routers.{{ iam_id }}-admin.tls=true"',
+  '"traefik.http.routers.{{ iam_id }}-admin.tls.certresolver=letsencrypt"',
+  '"traefik.http.routers.{{ iam_id }}-admin.middlewares={{ iam_id }}-admin-cors"',
+  '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolallowmethods=GET,OPTIONS"',
+  '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolalloworigin=*"',
+  '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolallowheaders=SMA_USER"',
+  '"traefik.http.services.{{ iam_id }}-admin.loadbalancer.server.port={{ management_port }}"',
+
+  '"traefik.http.routers.{{ iam_id }}-monitor.service={{ service_name }}-node-exporter"',
+  '"traefik.http.routers.{{ iam_id }}-monitor.rule=Host(`{{ stage_server_url_host }}`)"',
+  '"traefik.http.routers.{{ iam_id }}-monitor.entrypoints=monitoring-system"',
+  '"traefik.http.routers.{{ iam_id }}-monitor.tls=true"',
+  '"traefik.http.routers.{{ iam_id }}-monitor.tls.certresolver=letsencrypt"',
+]
+
+iam_docker: {
+  networks: [
+    {
+      name: back-tier,
+      external: true,
+    },
+    {
+      name: front-tier,
+      external: true,
+    },
+  ],
+  services: [
+    {
+      name: "{{ iam_id }}",
+      image_name: "{{ iam_image_name }}",
+      image_version: "{{ iam_version }}",
+      labels: "{{ iam_labels + ( iam_labels_additional | default([])) }}",
+      restart: "{{ iam_service_restart | default('always') }}",
+      environment: [
+        "SERVER_PORT: \"{{ service_port }}\"",
+        "ADMIN_PORT: \"{{ management_port }}\"",
+        "SERVER_ERROR_INCLUDE_MESSAGE: \"always\"",
+        "SPRING_CACHE_CAFFEINE_SPEC: \"expireAfterAccess={{ iam_cache_timeout }}\"",
+        "IAM_KEYCLOAK_AUTH_SERVER_URL: \"{{ iam_keycloak_auth_server_url }}\"",
+        "IAM_KEYCLOAK_ADMIN_USER: \"{{ iam_keycloak_admin_user }}\"",
+        "IAM_KEYCLOAK_ADMIN_PASSWORD: \"{{ iam_keycloak_admin_password }}\""
+      ],
+      networks: [
+        '"back-tier"',
+        '"front-tier"',
+      ],
+      extra_hosts: "{{ iam_extra_hosts | default([]) }}",
+    }
+  ],
+}

roles/keycloak/tasks/_authenticate.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "Authenticate with Keycloak server"
+- name: "Authenticating with keycloak server"
   uri:
     url: "{{ keycloak_server_url }}/auth/realms/master/protocol/openid-connect/token"
     method: POST
@@ -11,12 +11,14 @@
   retries: 5
   delay: 5
 
-- name: Save access_token as variable (fact)
+- name: "Saving access_token as variable (fact)"
   set_fact: 
     access_token: "{{ keycloak_authentication.json.access_token }}"
   delegate_to: 127.0.0.1
 
-- name: Print keycloak access_token
+- name: "Printing access_token for keycloak server"
   debug:
     msg: "{{ access_token }}"
-  delegate_to: 127.0.0.1
+  delegate_to: 127.0.0.1
+  when:
+   - debug

roles/keycloak/tasks/_configure_client.yml

@@ -1,10 +1,11 @@
 ---
 
-#- name: Print client {{ client_id }} for realm {{ realm_name }}
-#  debug:
-#    msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
-#  when: realm_client_ids | selectattr('clientId', 'equalto', client_id) | list | length == 0
-#  delegate_to: 127.0.0.1
+- name: Print client {{ client_id }} for realm {{ realm_name }}
+  debug:
+    msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
+  when:
+   - debug
+  delegate_to: 127.0.0.1
 
 - name: Create client {{ client_id }} for realm {{ realm_name }}
   uri:

roles/keycloak/tasks/_configure_realm.yml

@@ -22,6 +22,13 @@
     jmesquery: '[*].id'
   delegate_to: 127.0.0.1
 
+- name: "Printing realm ids"
+  debug:
+    msg: "{{ realm_ids }}"
+  delegate_to: 127.0.0.1
+  when:
+   - debug
+
 - name: Create realm {{ current_realm_name }}
   uri:
     url: "{{ keycloak_server_url }}/auth/admin/realms"
@@ -56,10 +63,12 @@
     jmesquery: '[*].{id: id, clientId: clientId}'
   delegate_to: 127.0.0.1
 
-- name: Print client ids
+- name: "Printing client ids from realm {{ current_realm_name }}"
   debug:
     msg: "{{ realm_client_ids }}"
   delegate_to: 127.0.0.1
+  when:
+   - debug
 
 - name: "Create clients from realm {{ current_realm_name }}"
   include_tasks: _configure_client.yml

roles/keycloak/tasks/_create_realm_users.yml

@@ -0,0 +1,53 @@
+---
+
+- name: "Reading users of realm {{ current_realm_name }}"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token}} "
+    status_code: [200]
+  register: realm_users
+  delegate_to: 127.0.0.1
+
+- name: "Printing realm users"
+  debug:
+    msg: "{{ realm_users }}"
+  delegate_to: 127.0.0.1
+  when:
+   - debug
+
+- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
+  set_fact: 
+    realm_users_json: "{{ realm_users.json }}"
+  delegate_to: 127.0.0.1
+
+- name: "Reading user ids of realm {{ current_realm_name }}"
+  set_fact:  
+    realm_user_usernames:  "{{ realm_users_json | json_query(jmesquery) }}"
+  vars:
+    jmesquery: '[*].username'
+  delegate_to: 127.0.0.1
+
+- name: "Printing usernames of realm {{ current_realm_name }}"
+  debug:
+    msg: "{{ realm_user_usernames }}"
+  delegate_to: 127.0.0.1
+  when:
+   - debug
+
+- name: "Creating users for realm {{ current_realm_name }}"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
+    method: POST
+    body_format: json
+    body: "{{ lookup('template','keycloak-realm-create-user.json.j2') }}"
+    headers:
+      Content-Type: "application/json"
+      Authorization: "Bearer {{ access_token }}"
+    status_code: [201]
+  with_items: "{{ current_realm_users }}"
+  when: current_realm_user.username not in realm_user_usernames
+  loop_control:
+    loop_var: current_realm_user
+  delegate_to: 127.0.0.1

roles/keycloak/vars/main.yml

@@ -14,7 +14,7 @@ keycloak_labels: [
 
   '"traefik.http.routers.{{ keycloak_id }}-monitor.service={{ service_name }}-node-exporter"',
   '"traefik.http.routers.{{ keycloak_id }}-monitor.rule=Host(`{{ stage_server_url_host }}`)"',
-  '"traefik.http.routers.{{ keycloak_id }}-monitor.entrypoints=admin-system"',
+  '"traefik.http.routers.{{ keycloak_id }}-monitor.entrypoints=monitoring-system"',
   '"traefik.http.routers.{{ keycloak_id }}-monitor.tls=true"',
   '"traefik.http.routers.{{ keycloak_id }}-monitor.tls.certresolver=letsencrypt"',
 ]

smardigo.yml

@@ -50,15 +50,19 @@
         - update_networks
 
   roles:
-    - role: connect
-      when: "'connect' in group_names"
-    - role: keycloak
-      when: "'keycloak' in group_names"
     - role: postfix
       when: "'postfix' in group_names"
+    - role: keycloak
+      when: "'keycloak' in group_names"
+
     - role: harbor
       when: "'harbor' in group_names"
     - role: elastic
       when: "'elastic' in group_names"
     - role: prometheus
       when: "'prometheus' in group_names"
+
+    - role: iam
+      when: "'iam' in group_names"
+    - role: connect
+      when: "'connect' in group_names"

smardigo/provisioning/form/tenant.json

@@ -31,7 +31,7 @@
       "eq" : ""
     },
     "data" : {
-      "url" : "http://localhost:8080/api/v1/scopes/{{context.scopeId}}/tags/{{context.scopeTag}}/datasources/tenants/query?id={{data.tenant_id}}",
+      "url" : "api/v1/scopes/{{context.scopeId}}/tags/{{context.scopeTag}}/datasources/tenants/query?id={{data.tenant_id}}",
       "method" : "GET",
       "values" : [ { } ]
     },

smardigo/provisioning/process/simple-connect.bpmn

@@ -500,11 +500,6 @@ Keycloak Realm mit Administrator Account
     <bpmn2:sequenceFlow id="Flow_0gcsmj7" sourceRef="Event_0tax83l" targetRef="Activity_136brby" />
     <bpmn2:sequenceFlow id="Flow_01qpec5" sourceRef="Activity_1elfmkh" targetRef="Activity_0r5wmiv" />
     <bpmn2:startEvent id="Event_02kqmmg" camunda:formKey="simple-connect-create">
-      <bpmn2:extensionElements>
-        <camunda:executionListener event="end">
-          <camunda:script scriptFormat="groovy" resource="ansible-start.groovy" />
-        </camunda:executionListener>
-      </bpmn2:extensionElements>
       <bpmn2:outgoing>Flow_13nom3k</bpmn2:outgoing>
     </bpmn2:startEvent>
     <bpmn2:scriptTask id="Activity_1elfmkh" name="ansible-start.groovy" scriptFormat="groovy" camunda:resultVariable="ansibleCommand" camunda:resource="ansible-start.groovy">

stage-dev

@@ -1,25 +1,18 @@
-[ansible]
-dev-ansible-01
-
 [connect]
 # <stage>-<tenant>-<name>-<node>
 dev-management-smardigo-01
-dev-connect-01
-dev-connect-02
-dev-connect-03
-
-# only for testing purposes -> dynamic-provisioning
-dev-sken-01
-dev-sken-02
-
-[harbor]
-dev-docker-registry-01
 
 [elastic]
 dev-elastic-stack-01
 dev-elastic-stack-02
 dev-elastic-stack-03
 
+[harbor]
+dev-docker-registry-01
+
+[iam]
+dev-iam-01
+
 [keycloak]
 dev-keycloak-01
 
@@ -30,10 +23,10 @@ dev-mail-01
 dev-prometheus-01
 
 [stage_dev:children]
-ansible
 connect
 elastic
 harbor
+iam
 keycloak
 postfix
 prometheus