diff --git a/create-database.yml b/create-database.yml
index d10afc3..3e1bb16 100644
--- a/create-database.yml
+++ b/create-database.yml
@@ -30,35 +30,38 @@
#############################################################
- hosts: "stage_{{ stage }}"
- serial: "{{ serial_number | default(5) }}"
+ serial: "{{ serial_number | default(1) }}"
remote_user: root
pre_tasks:
- - name: "Gather current server infos"
+ - name: "Gathering current server infos from hetzner"
hcloud_server_info:
api_token: "{{ hetzner_authentication_token }}"
register: hetzner_server_infos
delegate_to: 127.0.0.1
become: false
- - name: "Set current server infos as fact: hetzner_server_infos_json"
+ - name: "Setting current server infos as fact: hetzner_server_infos_json"
set_fact:
hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
delegate_to: 127.0.0.1
become: false
- - name: "Read ip address for {{ inventory_hostname }}"
+ - name: "Reading ip address for {{ inventory_hostname }}"
set_fact:
- stage_server_ip: "{{ item.ipv4_address }}"
- when: item.name == inventory_hostname
- with_items: "{{ hetzner_server_infos_json }}"
+ stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
delegate_to: 127.0.0.1
become: false
-# - name: Print the gathered infos
-# debug:
-# var: stage_server_ip
-# delegate_to: 127.0.0.1
+ - name: "Printing ip address for {{ inventory_hostname }}"
+ debug:
+ msg: "{{ stage_server_ip }}"
+ delegate_to: 127.0.0.1
+ become: false
+ when:
+ - debug
roles:
- role: connect-postgres
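Review bot: The "Reading ip address" task's `json_query(querystr) | first` fails with Jinja's generic "sequence was empty" error whenever the current host is missing from the Hetzner listing, whereas the replaced `with_items`/`when` form merely left `stage_server_ip` undefined; an explicit check such as `assert: { that: "(hetzner_server_infos_json | json_query(querystr)) | length == 1", fail_msg: "no unique hetzner server named {{ inventory_hostname }}" }` before the `set_fact` gives an actionable message. The new `when: - debug` on the "Printing ip address" task evaluates the raw variable, so an override passed as `-e debug=false` arrives as the string "false" and is truthy; write it as `when: debug | bool` wherever the new gate is introduced. The same two points apply to the matching hunks in create-realm.yml, create-server.yml, create-service.yml, roles/hcloud/tasks/main.yml and roles/hcloud/tasks/configure-firewall.yml.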
diff --git a/create-realm.yml b/create-realm.yml
index d345abf..b20fd4c 100644
--- a/create-realm.yml
+++ b/create-realm.yml
@@ -30,33 +30,35 @@
#############################################################
- hosts: "stage_{{ stage }}"
- serial: "{{ serial_number | default(5) }}"
- become: false
+ serial: "{{ serial_number | default(1) }}"
gather_facts: false
+ become: false
pre_tasks:
- - name: "Gather current server infos"
+ - name: "Gathering current server infos from hetzner"
hcloud_server_info:
api_token: "{{ hetzner_authentication_token }}"
register: hetzner_server_infos
delegate_to: 127.0.0.1
- - name: "Set current server infos as fact: hetzner_server_infos_json"
+ - name: "Setting current server infos as fact: hetzner_server_infos_json"
set_fact:
hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
delegate_to: 127.0.0.1
- - name: "Read ip address for {{ inventory_hostname }}"
+ - name: "Reading ip address for {{ inventory_hostname }}"
set_fact:
- stage_server_ip: "{{ item.ipv4_address }}"
- when: item.name == inventory_hostname
- with_items: "{{ hetzner_server_infos_json }}"
+ stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr)| first }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
delegate_to: 127.0.0.1
- - name: Print the gathered infos
+ - name: "Printing ip address for {{ inventory_hostname }}"
debug:
- var: stage_server_ip
+ msg: "{{ stage_server_ip }}"
delegate_to: 127.0.0.1
+ when:
+ - debug
roles:
- role: connect-realm
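Review bot: The `stage_server_ip` expression in this file is written `json_query(querystr)| first`, without the space before the second pipe that the otherwise identical lines in create-database.yml, create-server.yml and create-service.yml use; the four playbooks carry the same task block, so keeping the text byte-identical makes drift visible on a plain grep. Suggested line: `stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"`.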
diff --git a/create-server.yml b/create-server.yml
index 006ece4..11731f0 100644
--- a/create-server.yml
+++ b/create-server.yml
@@ -74,7 +74,7 @@
#############################################################
- hosts: "stage_{{ stage }}"
- serial: "{{ serial_number | default(5) }}"
+ serial: "{{ serial_number | default(1) }}"
remote_user: root
pre_tasks:
@@ -94,31 +94,30 @@
state: 'absent'
when: ansible_distribution == "Ubuntu"
- - name: "Gather current server infos"
+ - name: "Gathering current server infos from hetzner"
hcloud_server_info:
api_token: "{{ hetzner_authentication_token }}"
register: hetzner_server_infos
delegate_to: 127.0.0.1
- become: false
- - name: "Set current server infos as fact: hetzner_server_infos_json"
+ - name: "Setting current server infos as fact: hetzner_server_infos_json"
set_fact:
hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
delegate_to: 127.0.0.1
- become: false
- - name: "Read ip address for {{ inventory_hostname }}"
+ - name: "Reading ip address for {{ inventory_hostname }}"
set_fact:
- stage_server_ip: "{{ item.ipv4_address }}"
- when: item.name == inventory_hostname
- with_items: "{{ hetzner_server_infos_json }}"
+ stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
delegate_to: 127.0.0.1
- become: false
-# - name: Print the gathered infos
-# debug:
-# var: stage_server_ip
-# delegate_to: 127.0.0.1
+ - name: "Printing ip address for {{ inventory_hostname }}"
+ debug:
+ msg: "{{ stage_server_ip }}"
+ delegate_to: 127.0.0.1
+ when:
+ - debug
roles:
- role: ansible-role-docker
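Review bot: This hunk drops `become: false` from the three tasks delegated to 127.0.0.1 and the new "Printing ip address" task has none either, while the sibling create-database.yml keeps `become: false` on every delegated task in this commit. The play header is outside the hunk, but the previous hunk shows `remote_user: root` and no play-level `become: false`; if `become` is enabled at play level or by an inherited default, these tasks now attempt privilege escalation on the control node rather than on the target. Restoring `become: false` on the delegated tasks, or adding it once at play level as create-realm.yml does, keeps the controller-side calls unprivileged.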
diff --git a/create-service.yml b/create-service.yml
index 0d823f7..e124231 100644
--- a/create-service.yml
+++ b/create-service.yml
@@ -30,32 +30,34 @@
#############################################################
- hosts: "stage_{{ stage }}"
- serial: "{{ serial_number | default(5) }}"
+ serial: "{{ serial_number | default(1) }}"
remote_user: root
pre_tasks:
- - name: "Gather current server infos"
+ - name: "Gathering current server infos from hetzner"
hcloud_server_info:
api_token: "{{ hetzner_authentication_token }}"
register: hetzner_server_infos
delegate_to: 127.0.0.1
- - name: "Set current server infos as fact: hetzner_server_infos_json"
+ - name: "Setting current server infos as fact: hetzner_server_infos_json"
set_fact:
hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
delegate_to: 127.0.0.1
- - name: "Read ip address for {{ inventory_hostname }}"
+ - name: "Reading ip address for {{ inventory_hostname }}"
set_fact:
- stage_server_ip: "{{ item.ipv4_address }}"
- when: item.name == inventory_hostname
- with_items: "{{ hetzner_server_infos_json }}"
+ stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
delegate_to: 127.0.0.1
- - name: Print the gathered infos
+ - name: "Printing ip address for {{ inventory_hostname }}"
debug:
- var: stage_server_ip
+ msg: "{{ stage_server_ip }}"
delegate_to: 127.0.0.1
+ when:
+ - debug
roles:
- role: connect
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index e99da28..740897b 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -1,5 +1,7 @@
---
+debug: false
+
send_status_messages: false
domain: smardigo.digital
diff --git a/group_vars/connect/plain.yml b/group_vars/connect/plain.yml
index b603e7a..e9b80ae 100644
--- a/group_vars/connect/plain.yml
+++ b/group_vars/connect/plain.yml
@@ -5,17 +5,19 @@ service: "connect"
hetzner_server_type: cx21
hetzner_server_labels: "stage={{ stage }} service={{ service }}"
-connect_jwt_enabled: true
-connect_jwt_secret: 908ae14462d049d3be84964ef379c7c6
+connect_client_id: "{{ cluster_name }}"
-connect_postgres_database: "connect-postgres"
-connect_postgres_admin_username: "connect-postgres-admin"
-connect_postgres_admin_password: "connect-postgres-admin"
+current_realm_users: [
+ {
+ "username": "connect-admin",
+ "password": "connect-admin",
+ }
+]
current_realm_clients: [
{
- clientId: 'connect',
- name: 'connect',
+ clientId: "{{ connect_client_id }}",
+ name: '{{ connect_client_id }}',
admin_url: '',
root_url: '',
redirect_uris: '
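Review bot: The new `current_realm_users` entry stores the realm user's password `"connect-admin"` as a literal in group_vars/connect/plain.yml, a file that otherwise uses `"< see vault >"` placeholders for credentials (see the `connect_csrf_token_*` lines at the end of this file), and the password equals the username. Keep the placeholder here and source the value from the vault-backed variable, e.g. `"password": "{{ connect_admin_password }}"`, so the committed file never contains a usable credential.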
@@ -30,5 +32,25 @@ current_realm_clients: [
}
]
+connect_iam_module: external
+smardigo_iam_client_enabled: 'true'
+smardigo_iam_client_server_url: https://dev-iam-01.smardigo.digital
+
+connect_auth_module: "oidc"
+connect_oidc_client_id: "{{ connect_client_id }}"
+connect_oidc_client_secret: "{{ cluster_name }}"
+connect_oidc_registration_id: "{{ connect_client_id }}"
+connect_oidc_issuer_uri: "https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ current_realm_name }}"
+
+connect_password_change_url: "https://{{ shared_service_keycloak_hostname }}/auth/realms/{{ current_realm_name }}/account/password"
+connect_iam_user_management_url: "https://{{ shared_service_keycloak_hostname }}/auth/admin/{{ current_realm_name }}/console"
+
+connect_postgres_database: "connect-postgres"
+connect_postgres_admin_username: "connect-postgres-admin"
+connect_postgres_admin_password: "connect-postgres-admin"
+
+connect_jwt_enabled: true
+connect_jwt_secret: 908ae14462d049d3be84964ef379c7c6
+
#connect_csrf_token_name: "< see vault >"
#connect_csrf_token_value: "< see vault >"
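Review bot: `connect_oidc_client_secret: "{{ cluster_name }}"` derives the OIDC client secret from the cluster name, a non-secret identifier that this same hunk also exposes as `connect_client_id` and `connect_oidc_client_id`; any party that learns the client id therefore also knows the secret, so the client is effectively public. This value should follow the file's own `"< see vault >"` convention and come from a vault variable. The relocated `connect_jwt_secret` literal predates this commit, but it sits in the same plain file and would benefit from the same treatment.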
diff --git a/group_vars/stage_dev/plain.yml b/group_vars/stage_dev/plain.yml
index 6e55380..1f9bd91 100644
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@@ -2,88 +2,120 @@
stage: "dev"
-keycloak_server_url: "https://dev-keycloak-01.smardigo.digital"
+alertmanager_channel_smardigo: "#monitoring-qa"
+
+# TODO read configuration with hetzner rest api
+shared_service_elastic_01: "10.0.0.2"
+shared_service_elastic_02: "10.0.0.3"
+shared_service_elastic_03: "10.0.0.4"
+shared_service_prometheus_ip: "10.0.0.5"
+shared_service_keycloak_ip: "10.0.0.6"
+shared_service_mail_ip: "10.0.0.8"
+shared_service_iam_ip: "10.0.0.13"
+
+shared_service_iam_hostname: "dev-iam-01.smardigo.digital"
+shared_service_keycloak_hostname: "dev-keycloak-01.smardigo.digital"
+shared_service_mail_hostname: "dev-mail-01.smardigo.digital"
+
+keycloak_server_url: "https://{{ shared_service_keycloak_hostname }}"
docker_registry: dev-docker-registry-01.smardigo.digital
docker_registry_username: "< see vault >"
docker_registry_token: "< see vault >"
-alertmanager_channel_smardigo: "#monitoring-qa"
-
filebeat_certificate: "dev-elastic-stack-filebeat"
logstash_certificate: "dev-elastic-stack-logstash"
# TODO read configuration with hetzner rest api
elastic_stack_network: {
- dev-elastic-stack-01: 10.0.0.2,
- dev-elastic-stack-02: 10.0.0.3,
- dev-elastic-stack-03: 10.0.0.4,
+ dev-elastic-stack-01: "{{ shared_service_elastic_01 }}",
+ dev-elastic-stack-02: "{{ shared_service_elastic_02 }}",
+ dev-elastic-stack-03: "{{ shared_service_elastic_03 }}",
}
-# TODO read configuration with hetzner rest api
logstash_hostname: "dev-elastic-stack-01-logstash"
elastic_extra_hosts: [
{
hostname: dev-elastic-stack-01-elastic,
- ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+ ip: "{{ shared_service_elastic_01 }}",
},
{
hostname: dev-elastic-stack-02-elastic,
- ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+ ip: "{{ shared_service_elastic_02 }}",
},
{
hostname: dev-elastic-stack-03-elastic,
- ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+ ip: "{{ shared_service_elastic_03 }}",
},
]
filebeat_extra_hosts: [
{
hostname: dev-elastic-stack-01-logstash,
- ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+ ip: "{{ shared_service_elastic_01 }}",
},
{
hostname: dev-elastic-stack-02-logstash,
- ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+ ip: "{{ shared_service_elastic_02 }}",
},
{
hostname: dev-elastic-stack-03-logstash,
- ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+ ip: "{{ shared_service_elastic_03 }}",
},
]
kibana_extra_hosts: [
{
hostname: dev-elastic-stack-01-kibana,
- ip: "{{ elastic_stack_network['dev-elastic-stack-01'] }}",
+ ip: "{{ shared_service_elastic_01 }}",
},
{
hostname: dev-elastic-stack-02-kibana,
- ip: "{{ elastic_stack_network['dev-elastic-stack-02'] }}",
+ ip: "{{ shared_service_elastic_02 }}",
},
{
hostname: dev-elastic-stack-03-kibana,
- ip: "{{ elastic_stack_network['dev-elastic-stack-03'] }}",
+ ip: "{{ shared_service_elastic_03 }}",
},
]
-
-# TODO read configuration with hetzner rest api
-keycloak_hostname: "dev-keycloak-01.smardigo.digital"
-mail_hostname: "dev-mail-01.smardigo.digital"
+prometheus_extra_hosts: [
+ {
+ hostname: "{{ shared_service_mail_hostname }}",
+ ip: "{{ shared_service_mail_ip }}",
+ }
+]
connect_extra_hosts: [
{
- hostname: "{{ keycloak_hostname }}",
- ip: 10.1.0.2,
+ hostname: "{{ shared_service_iam_hostname }}",
+ ip: "{{ shared_service_iam_ip }}",
+ },
+ {
+ hostname: "{{ shared_service_keycloak_hostname }}",
+ ip: "{{ shared_service_keycloak_ip }}",
},
{
- hostname: "{{ mail_hostname }}",
- ip: 10.2.0.2,
+ hostname: "{{ shared_service_mail_hostname }}",
+ ip: "{{ shared_service_mail_ip }}",
}
]
keycloak_extra_hosts: [
{
- hostname: "{{ mail_hostname }}",
- ip: 10.2.0.2,
+ hostname: "{{ shared_service_iam_hostname }}",
+ ip: "{{ shared_service_iam_ip }}",
+ },
+ {
+ hostname: "{{ shared_service_mail_hostname }}",
+ ip: "{{ shared_service_mail_ip }}",
+ }
+]
+iam_extra_hosts: [
+ {
+ hostname: "{{ shared_service_keycloak_hostname }}",
+ ip: "{{ shared_service_keycloak_ip }}",
+ },
+ {
+ hostname: "{{ shared_service_mail_hostname }}",
+ ip: "{{ shared_service_mail_ip }}",
}
]
-smardigo_management_url: "http://localhost:8080/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
-smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..xiS4DrBqSprqYdR94ACbUw.OHRxU9nmP25JiGlJMyw9XaSB2Q3GZ4yiG7I7UZlbv9k.q5I2KulPbvhN5yO08bGqfw"
\ No newline at end of file
+smardigo_management_url: "https://dev-management-smardigo-01.smardigo.digital/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
+smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..JgixZcmsSyvovabQvREAjw.Fk7aNYwOjzMhLCqF_9unl5yrWTey26z4scZBeVZjhpE.fnovrqn0MUjM_TA8zVhXdQ"
\ No newline at end of file
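Review bot: The new `smardigo_management_token` value is a bearer token committed in clear text to group_vars/stage_dev/plain.yml, replacing an earlier token that now remains in the repository history; the file's own convention for credentials is the `"< see vault >"` placeholder used for `docker_registry_token` a few lines above. Move the token into the vault variable set and treat the superseded value as disclosed. The new side also still ends without a trailing newline, which the `\ No newline at end of file` marker shows was not fixed while the line was rewritten.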
diff --git a/host_vars/dev-ansible-01.yml b/host_vars/dev-ansible-01.yml
deleted file mode 100644
index a3943a4..0000000
--- a/host_vars/dev-ansible-01.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=ansible"
-
-hetzner_server_type: cx31
diff --git a/host_vars/dev-connect-01.yml b/host_vars/dev-connect-01.yml
deleted file mode 100644
index ef2d48e..0000000
--- a/host_vars/dev-connect-01.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"
diff --git a/host_vars/dev-connect-02.yml b/host_vars/dev-connect-02.yml
deleted file mode 100644
index c42b8d4..0000000
--- a/host_vars/dev-connect-02.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-connect_auth_module: oidc
-connect_oidc_client_id: connect-02
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-02
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"
diff --git a/host_vars/dev-iam-01.yml b/host_vars/dev-iam-01.yml
new file mode 100644
index 0000000..fa0fa7f
--- /dev/null
+++ b/host_vars/dev-iam-01.yml
@@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cx21
+hetzner_server_labels: "stage={{ stage }} service=iam"
diff --git a/host_vars/dev-management-smardigo-01.yml b/host_vars/dev-management-smardigo-01.yml
index 57f5d36..a0b112c 100644
--- a/host_vars/dev-management-smardigo-01.yml
+++ b/host_vars/dev-management-smardigo-01.yml
@@ -1,17 +1,10 @@
---
-hetzner_server_labels: "stage={{ stage }} service=connect"
-
-hetzner_server_type: cpx21
-
connect_auth_module: oidc
connect_oidc_client_id: management-smardigo
connect_oidc_client_secret: f1f852b4-2e75-889a-2453-3c55d53ce405
connect_oidc_registration_id: management-smardigo
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo
-
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo/console
+connect_oidc_issuer_uri: https://{{ shared_service_keycloak_hostname }}/auth/realms/smardigo
-spring_profiles_include_suffix: ",hetzner"
-ribbon_display_on_active_profiles: "hetzner"
+connect_password_change_url: https://{{ shared_service_keycloak_hostname }}/auth/realms/smardigo/account/password
+connect_iam_user_management_url: https://{{ shared_service_keycloak_hostname }}/auth/admin/smardigo/console
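Review bot: The three rewritten `connect_oidc_issuer_uri`, `connect_password_change_url` and `connect_iam_user_management_url` values are unquoted templated scalars, while the equivalent keys added to group_vars/connect/plain.yml in this same commit are double-quoted; quoting protects the value if the expansion of `shared_service_keycloak_hostname` ever contains `: ` or ` #`. Suggested form: `connect_oidc_issuer_uri: "https://{{ shared_service_keycloak_hostname }}/auth/realms/smardigo"`, and likewise for the other two lines.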
diff --git a/host_vars/dev-sken-01.yml b/host_vars/dev-sken-01.yml
deleted file mode 100644
index c44f29f..0000000
--- a/host_vars/dev-sken-01.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-#############################################################################
-### only for testing purposes -> copy of dynamic_connect
-#############################################################################
-
-hetzner_server_type: cx21
-hetzner_server_labels: "stage={{ stage }} service={{ service }}"
-
-# TODO create realm/client for tenant and service
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",{{ inventory_hostname }}"
-ribbon_display_on_active_profiles: "{{ inventory_hostname }}"
diff --git a/host_vars/dev-sken-02.yml b/host_vars/dev-sken-02.yml
deleted file mode 100644
index c44f29f..0000000
--- a/host_vars/dev-sken-02.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-#############################################################################
-### only for testing purposes -> copy of dynamic_connect
-#############################################################################
-
-hetzner_server_type: cx21
-hetzner_server_labels: "stage={{ stage }} service={{ service }}"
-
-# TODO create realm/client for tenant and service
-connect_auth_module: oidc
-connect_oidc_client_id: connect-01
-connect_oidc_client_secret: 9e234965-1041-4653-8a0e-db964c04bc26
-connect_oidc_registration_id: connect-01
-connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo-01
-connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo-01/account/password
-connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo-01/console
-
-spring_profiles_include_suffix: ",{{ inventory_hostname }}"
-ribbon_display_on_active_profiles: "{{ inventory_hostname }}"
diff --git a/networks.yml b/networks.yml
deleted file mode 100644
index b734287..0000000
--- a/networks.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-
-- name: 'apply setup to {{ host | default("all") }}'
- hosts: '{{ host | default("all") }}'
- serial: "{{ serial_number | default(1) }}"
- gather_facts: no
- become: no
-
- pre_tasks:
- - name: "Check if ansible version is at least 2.10.x"
- assert:
- that:
- - ansible_version.major >= 2
- - ansible_version.minor >= 10
- msg: "The ansible version has to be at least ({{ ansible_version.full }})"
-
- roles:
- - role: hetzner-network
- vars:
- hetzner_state: 'started'
- when: "'hcloud' in group_names"
diff --git a/provisioning.yml b/provisioning.yml
index 2158d12..cc4a06e 100644
--- a/provisioning.yml
+++ b/provisioning.yml
@@ -7,14 +7,14 @@
become: no
pre_tasks:
- - name: "Check if ansible version is at least 2.10.x"
+ - name: "Checking ansible version is at least 2.10.x"
assert:
that:
- ansible_version.major >= 2
- ansible_version.minor >= 10
msg: "The ansible version has to be at least ({{ ansible_version.full }})"
- - name: Get all Firewalls from Hetzner
+ - name: "Getting all firewalls from hetzner"
uri:
url: "https://api.hetzner.cloud/v1/firewalls"
headers:
@@ -23,14 +23,12 @@
return_content: yes
register: hetzner_firewalls_response
delegate_to: 127.0.0.1
- run_once: true
tags:
- update_networks
- - name: Save firewall entries as variable (fact)
+ - name: "Saving firewall entries as fact: hetzner_firewalls_response_json"
set_fact:
hetzner_firewalls_response_json: "{{ hetzner_firewalls_response.json }}"
- run_once: true
tags:
- update_networks
@@ -39,17 +37,24 @@
firewall_records: "{{ hetzner_firewalls_response_json.firewalls | json_query(jmesquery) }}"
vars:
jmesquery: '[*].{id: id, name: name}'
- run_once: true
tags:
- update_networks
- - name: Print firewall entries
+ - name: "Printing firewall entries"
debug:
msg: "{{ firewall_records }}"
- run_once: true
+ delegate_to: 127.0.0.1
+ when:
+ - debug
tags:
- update_networks
roles:
- role: hcloud
when: "'hcloud' in group_names"
+
+- name: 'Apply setup to {{ host | default("all") }}'
+ hosts: '{{ host | default("all") }}'
+ serial: "{{ serial_number | default(1) }}"
+ gather_facts: no
+ become: no
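Review bot: The play appended at the end of this hunk declares `hosts`, `serial`, `gather_facts` and `become` but no `tasks` or `roles` within the hunk; if the file ends here it is a no-op play. The same commit deletes networks.yml, whose play of the same name invoked the `hetzner-network` role, so it looks as if the role invocation was dropped rather than moved — worth confirming this is intended. This hunk and the previous one also remove `run_once: true` from the Hetzner firewall query and `set_fact` tasks, so the API is now queried once per host in each serial batch rather than once per run; that is presumably deliberate, but it multiplies calls against the provider's rate limit.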
diff --git a/roles/_digitalocean/tasks/domain.yml b/roles/_digitalocean/tasks/domain.yml
index cdd1634..3817fc9 100644
--- a/roles/_digitalocean/tasks/domain.yml
+++ b/roles/_digitalocean/tasks/domain.yml
@@ -39,7 +39,7 @@
tags:
- update_dns
-- name: Delete DNS entry for <{{ record_name }}> if necessary
+- name: Delete DNS entry for <{{ record_data }}:{{ record_name }}> if necessary
uri:
method: DELETE
url: "https://api.digitalocean.com/v2/domains/{{ domain }}/records/{{ domain_record.id }}"
diff --git a/roles/connect-realm/tasks/main.yml b/roles/connect-realm/tasks/main.yml
index 3d85b93..dbfb687 100644
--- a/roles/connect-realm/tasks/main.yml
+++ b/roles/connect-realm/tasks/main.yml
@@ -26,6 +26,11 @@
name: keycloak
tasks_from: _configure_realm
+- name: "Create realm users"
+ include_role:
+ name: keycloak
+ tasks_from: _create_realm_users
+
- name: "Send mattermost messsge"
uri:
url: "{{ mattermost_hook_smardigo }}"
diff --git a/roles/connect/defaults/main.yml b/roles/connect/defaults/main.yml
index f55c581..61e9896 100644
--- a/roles/connect/defaults/main.yml
+++ b/roles/connect/defaults/main.yml
@@ -10,4 +10,3 @@ connect_admin_password: "connect-admin"
connect_mail_properties_base_url: "{{ http_s }}://{{ connect_id }}.{{ domain }}"
connect_mail_properties_base_url_extern: "{{ http_s }}://{{ connect_id }}.{{ domain }}"
-
\ No newline at end of file
diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml
index 4deea06..5b820fc 100644
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@@ -22,7 +22,7 @@
tasks_from: domain
vars:
record_data: "{{ stage_server_ip }}"
- record_name: "{{ connect_service_name }}"
+ record_name: "{{ service_name }}"
- name: "Check if {{ connect_service_name }}/docker-compose.yml exists"
stat:
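Review bot: `record_name` now reads `service_name`, while the next task in the same file still uses `connect_service_name` for the docker-compose path and nothing in this diff defines `service_name`; if it is not set in the role defaults or inventory, the DNS task fails with an undefined-variable error before the rest of the role runs. Either define `service_name` alongside `connect_service_name` in roles/connect/defaults/main.yml, or keep the DNS record keyed on `connect_service_name` so the two tasks agree. The enclosing include_role task starts outside the hunk.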
diff --git a/roles/connect/templates/create-new-user.json.j2 b/roles/connect/templates/create-new-user.json.j2
deleted file mode 100644
index 8021012..0000000
--- a/roles/connect/templates/create-new-user.json.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "id": "{{ current_user.userId }}",
- "firstName": "{{ current_user.firstName | default('null') }}",
- "lastName": "{{ current_user.lastName | default('null') }}"
-}
diff --git a/roles/hcloud/tasks/configure-firewall.yml b/roles/hcloud/tasks/configure-firewall.yml
index 56a2942..b1c7eff 100644
--- a/roles/hcloud/tasks/configure-firewall.yml
+++ b/roles/hcloud/tasks/configure-firewall.yml
@@ -2,19 +2,21 @@
### tags:
-- name: Read firewall entry for <{{ current_firewall_name }}>
+- name: "Reading firewall entry for <{{ current_firewall_name }}>"
set_fact:
firewall_record: "{{ firewall_records | selectattr('name', 'equalto', current_firewall_name) | list | first | default({'name': '-', 'id': '-'}) }}"
tags:
- update_networks
-- name: Print firewall entry for <{{ current_firewall_name }}>
+- name: "Printing firewall entry for <{{ current_firewall_name }}>"
debug:
msg: "{{ firewall_record }}"
+ when:
+ - debug
tags:
- update_networks
-- name: Save firewall entry <{{ current_firewall_name }}>
+- name: "Creating new firewall entry <{{ current_firewall_name }}>"
uri:
method: POST
url: "https://api.hetzner.cloud/v1/firewalls"
@@ -31,7 +33,7 @@
- update_networks
# TODO port changes are not written corectly
-- name: Update firewall entry <{{ current_firewall_name }}>
+- name: "Updating firewall entry <{{ current_firewall_name }}>"
uri:
method: PUT
url: "https://api.hetzner.cloud/v1/firewalls/{{ firewall_record.id }}"
diff --git a/roles/hcloud/tasks/configure-network.yml b/roles/hcloud/tasks/configure-network.yml
index 3a101f5..e505f47 100644
--- a/roles/hcloud/tasks/configure-network.yml
+++ b/roles/hcloud/tasks/configure-network.yml
@@ -1,45 +1,91 @@
---
-- name: "Gather current server infos for network <{{ current_network_name }}>"
- hcloud_server_info:
+#- name: "Gathering current server infos for network <{{ current_network_name }}>"
+# hcloud_server_info:
+# api_token: "{{ hetzner_authentication_token }}"
+# label_selector: "{{ current_server_label_selector }}"
+# register: network_hetzner_server_infos
+# delegate_to: 127.0.0.1
+# become: false
+# tags:
+# - update_networks
+
+#- name: "Setting current server infos for network <{{ current_network_name }}> as fact: network_hetzner_server_infos_json"
+# set_fact:
+# network_hetzner_server_infos_json: "{{ network_hetzner_server_infos.hcloud_server_info }}"
+# delegate_to: 127.0.0.1
+# become: false
+# tags:
+# - update_networks
+
+#- name: "Printing current server infos for network <{{ current_network_name }}>"
+# debug:
+# var: network_hetzner_server_infos_json
+# delegate_to: 127.0.0.1
+# become: false
+# when:
+# - debug
+# tags:
+# - update_networks
+
+#- name: "Setting nerwork server names as fact: network_server_names"
+# set_fact:
+# network_server_names: "{{ network_hetzner_server_infos_json | json_query(jmesquery) }}"
+# vars:
+# jmesquery: '[*].{name: name}'
+# tags:
+# - update_networks
+
+#- name: "Printing nerwork server names"
+# debug:
+# var: network_server_names
+# delegate_to: 127.0.0.1
+# become: false
+# when:
+# - debug
+# tags:
+# - update_networks
+
+- name: "Checking present state for network <{{ current_network_name }}>"
+ hcloud_network:
api_token: "{{ hetzner_authentication_token }}"
- label_selector: "{{ current_server_label_selector }}"
- register: network_hetzner_server_infos
+ name: "{{ current_network_name }}"
+ labels: "{{ current_network_labels }}"
+ ip_range: 10.0.0.0/16
+ state: present
delegate_to: 127.0.0.1
become: false
- tags:
- - update_networks
-- name: "Set current server infos for network <{{ current_network_name }}> as fact: network_hetzner_server_infos_json"
- set_fact:
- network_hetzner_server_infos_json: "{{ network_hetzner_server_infos.hcloud_server_info }}"
+- name: "Checking present state for subnetwork for <{{ current_network_name }}>"
+ hcloud_subnetwork:
+ api_token: "{{ hetzner_authentication_token }}"
+ network: "{{ current_network_name }}"
+ ip_range: 10.0.0.0/16
+ network_zone: eu-central
+ type: cloud
+ state: present
delegate_to: 127.0.0.1
become: false
- tags:
- - update_networks
-#- name: "Print the gathered infos for network <{{ current_network_name }}>"
-# debug:
-# var: network_hetzner_server_infos_json
+#- name: "Checking present state for network servers"
+# hcloud_server_network:
+# api_token: "{{ hetzner_authentication_token }}"
+# network: "{{ current_network_name }}"
+# server: "{{ item.name }}"
+# state: present
+# with_items: "{{ network_server_names }}"
# delegate_to: 127.0.0.1
+# become: false
# tags:
# - update_networks
-- name: "Set nerwork server names as fact: network_server_names"
- set_fact:
- network_server_names: "{{ network_hetzner_server_infos_json | json_query(jmesquery) }}"
- vars:
- jmesquery: '[*].{name: name}'
- tags:
- - update_networks
-
-- name: "Create network <{{ current_network_name }}>"
+- name: "Checking present state for network servers"
hcloud_server_network:
api_token: "{{ hetzner_authentication_token }}"
network: "{{ current_network_name }}"
- server: "{{ item.name }}"
+ server: "{{ inventory_hostname }}"
state: present
- with_items: "{{ network_server_names }}"
delegate_to: 127.0.0.1
+ become: false
tags:
- update_networks
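Review bot: The new `hcloud_network` and `hcloud_subnetwork` tasks carry no `tags`, while the `hcloud_server_network` task at the end of the hunk keeps `tags: - update_networks` and the tasks they replace were tagged; a run limited to `--tags update_networks` now attaches servers to a network it never ensured exists. The `ip_range: 10.0.0.0/16` literal is also duplicated across both tasks and should come from one variable so the network and its subnet cannot drift apart. The roughly fifty lines of commented-out tasks at the top and middle of the file should be deleted rather than kept as comments, since version control already preserves them.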
diff --git a/roles/hcloud/tasks/main.yml b/roles/hcloud/tasks/main.yml
index 82d9d25..4f738f0 100644
--- a/roles/hcloud/tasks/main.yml
+++ b/roles/hcloud/tasks/main.yml
@@ -4,7 +4,7 @@
### update_dns
### update_networks
-- name: Create new server {{ inventory_hostname }}
+- name: "Checking present state for server {{ inventory_hostname }}"
hetzner.hcloud.hcloud_server:
api_token: "{{ hetzner_authentication_token }}"
name: "{{ inventory_hostname }}"
@@ -15,8 +15,9 @@
location: nbg1
state: present
delegate_to: 127.0.0.1
+ become: false
-- name: "Gather current server infos"
+- name: "Gathering current server infos from hetzner"
hcloud_server_info:
api_token: "{{ hetzner_authentication_token }}"
register: hetzner_server_infos
@@ -26,7 +27,7 @@
- update_dns
- update_networks
-- name: "Set current server infos as fact: hetzner_server_infos_json"
+- name: "Setting current server infos as fact: hetzner_server_infos_json"
set_fact:
hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
delegate_to: 127.0.0.1
@@ -35,40 +36,29 @@
- update_dns
- update_networks
-#- name: Print the gathered infos
-# debug:
-# var: hetzner_server_infos_json
-# delegate_to: 127.0.0.1
-# tags:
-# - update_dns
-# - update_networks
-
-- name: "Set current server ips as fact: stage_server_ips"
- set_fact:
- stage_server_ips: "{{ hetzner_server_infos_json | json_query(jmesquery) }}"
+- name: "Reading ip address for {{ inventory_hostname }}"
+ set_fact:
+ stage_server_ip: "{{ hetzner_server_infos_json | json_query(querystr) | first }}"
vars:
- jmesquery: '[*].{name: name, ipv4: ipv4_address}'
- tags:
- - update_dns
-
-- name: Read ip for {{ inventory_hostname }}
- set_fact:
- stage_server_ip: "{{ stage_server_ips
- | selectattr('name', 'equalto', inventory_hostname)
- | map(attribute='ipv4')
- | list
- | first }}"
+ querystr: "[?name=='{{ inventory_hostname }}'].ipv4_address"
+ delegate_to: 127.0.0.1
+ become: false
tags:
- update_dns
+ - update_networks
-- name: Print the gathered ip for {{ inventory_hostname }}
+- name: "Printing ip address for {{ inventory_hostname }}"
debug:
- var: stage_server_ip
+ msg: "{{ stage_server_ip }}"
delegate_to: 127.0.0.1
+ become: false
tags:
- update_dns
+ - update_networks
+ when:
+ - debug
-- name: "Setup firewalls"
+- name: "Checking present state for firewalls"
include_tasks: configure-firewall.yml
vars:
current_firewall_name: '{{ current_firewall }}'
@@ -83,31 +73,24 @@
tags:
- update_networks
-- name: "Setup networks"
+- name: "Checking present state for networks"
include_tasks: configure-network.yml
vars:
current_network_name: '{{ current_network.name }}'
+ current_network_labels: 'stage={{ stage }}'
current_server_label_selector: '{{ current_network.label_selector }}'
with_items: [
{
- "name": "{{ stage }}-mail",
- "label_selector": "stage={{ stage }}",
- },
- {
- "name": "{{ stage }}-keycloak",
- "label_selector": "stage={{ stage }}",
- },
- {
- "name": "{{ stage }}-elastic-stack",
+ "name": "{{ stage }}",
"label_selector": "stage={{ stage }}",
- },
+ }
]
loop_control:
loop_var: current_network
tags:
- update_networks
-- name: "Setup DNS configuration for {{ inventory_hostname }}"
+- name: "Checking present state of dns for {{ inventory_hostname }}"
include_role:
name: _digitalocean
tasks_from: domain
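Review bot: The `with_items` list collapses the three per-service networks (mail, keycloak, elastic-stack) into a single `{{ stage }}` network, which together with the single 10.0.0.0/16 range in configure-network.yml puts every host of the stage on one shared private segment; the network-level separation between those services is gone and now rests entirely on the cloud and host firewall rules, which are not in this diff, so it is worth stating that trade-off in a comment above the task. `current_server_label_selector` is still passed to the include, but configure-network.yml after this commit only references it inside commented-out tasks, so the var and the `label_selector` entry in the list are dead and can be removed.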
diff --git a/roles/hetzner-network/meta/main.yml b/roles/hetzner-network/meta/main.yml
deleted file mode 100644
index ed97d53..0000000
--- a/roles/hetzner-network/meta/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/hetzner-network/tasks/main.yml b/roles/hetzner-network/tasks/main.yml
deleted file mode 100644
index 5ebc25e..0000000
--- a/roles/hetzner-network/tasks/main.yml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-
-### tags:
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-elastic-stack
- server: dev-elastic-stack-01
- ip: 10.0.0.2
- state: present
- delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-elastic-stack
- server: dev-elastic-stack-02
- ip: 10.0.0.3
- state: present
- delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-elastic-stack
- server: dev-elastic-stack-03
- ip: 10.0.0.4
- state: present
- delegate_to: 127.0.0.1
-
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-elastic-stack
- server: "{{ item }}"
- state: present
- with_items: "{{ groups['hcloud'] | difference(groups['elastic']) }}"
- delegate_to: 127.0.0.1
-
-# TODO remove static ip configuration
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-keycloak
- server: dev-keycloak-01
- ip: 10.1.0.2
- state: present
- delegate_to: 127.0.0.1
-
-- name: Create a server network and specify the ip address
- hcloud_server_network:
- api_token: "{{ hetzner_authentication_token }}"
- network: dev-keycloak
- server: "{{ item }}"
- state: present
- with_items: "{{ groups['connect'] }}"
- delegate_to: 127.0.0.1
diff --git a/roles/hetzner-network/vars/main.yml b/roles/hetzner-network/vars/main.yml
deleted file mode 100644
index ed97d53..0000000
--- a/roles/hetzner-network/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/iam/defaults/main.yml b/roles/iam/defaults/main.yml
new file mode 100644
index 0000000..ad48e99
--- /dev/null
+++ b/roles/iam/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+iam_image_name: 'dev-docker-registry-01.smardigo.digital/smardigo/iam-app'
+
+iam_version: '8.1.0-SNAPSHOT'
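Review bot: `iam_version: '8.1.0-SNAPSHOT'` makes the role's default track a mutable tag, so the `docker-compose pull` in roles/iam/tasks/main.yml fetches whatever was last pushed under that name rather than a fixed build, which leaves a deployment neither reproducible nor easy to audit. Pin an immutable release tag or an image digest as the default and let the `-SNAPSHOT` value be an explicit override in the dev stage's vars. At minimum a comment above the key, `# mutable tag: override with a released version outside dev`, makes the choice visible.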
diff --git a/roles/hetzner-network/defaults/main.yml b/roles/iam/handlers/main.yml
similarity index 100%
rename from roles/hetzner-network/defaults/main.yml
rename to roles/iam/handlers/main.yml
diff --git a/roles/hetzner-network/handlers/main.yml b/roles/iam/meta/main.yml
similarity index 100%
rename from roles/hetzner-network/handlers/main.yml
rename to roles/iam/meta/main.yml
diff --git a/roles/iam/tasks/main.yml b/roles/iam/tasks/main.yml
new file mode 100644
index 0000000..7d98468
--- /dev/null
+++ b/roles/iam/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+
+### tags:
+### create_users
+### update_deployment
+
+- name: "Send mattermost messsge"
+ uri:
+ url: "{{ mattermost_hook_smardigo }}"
+ method: POST
+ body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}"
+ body_format: json
+ headers:
+ Content-Type: "application/json"
+ delegate_to: 127.0.0.1
+ become: false
+ when:
+ - send_status_messages
+
+- name: "Setup DNS configuration for {{ service_name }}"
+ include_role:
+ name: _digitalocean
+ tasks_from: domain
+ vars:
+ record_data: "{{ stage_server_ip }}"
+ record_name: "{{ service_name }}"
+
+- name: "Setup public DNS configuration for {{ service_name }}"
+ include_role:
+ name: _digitalocean
+ tasks_from: domain
+ vars:
+ record_data: "{{ item.ip }}"
+ record_name: "{{ item.name }}"
+ loop: "{{ iam_public_dns_entries }}"
+ when: iam_public_dns_entries is defined
+
+- name: "Check docker networks"
+ include_role:
+ name: _docker
+ tasks_from: networks
+
+- name: "Check if {{ service_name }}/docker-compose.yml exists"
+ stat:
+ path: '{{ service_base_path }}/{{ service_name }}/docker-compose.yml'
+ register: check_docker_compose_file
+ tags:
+ - update_deployment
+
+- name: "Stop {{ service_name }}"
+ shell: docker-compose down
+ args:
+ chdir: '{{ service_base_path }}/{{ service_name }}'
+ when: check_docker_compose_file.stat.exists
+ ignore_errors: yes
+ tags:
+ - update_deployment
+
+- name: "Deploy docker templates for {{ service_name }}"
+ include_role:
+ name: _deploy
+ tasks_from: templates
+ vars:
+ current_config: "_docker"
+ current_base_path: "{{ service_base_path }}"
+ current_destination: "{{ service_name }}"
+ current_owner: "{{ docker_owner }}"
+ current_group: "{{ docker_group }}"
+ current_docker: "{{ iam_docker }}"
+
+- name: "Deploy service templates for {{ service_name }}"
+ include_role:
+ name: _deploy
+ tasks_from: templates
+ vars:
+ current_config: "iam"
+ current_base_path: "{{ service_base_path }}"
+ current_destination: "{{ service_name }}"
+ current_owner: "{{ docker_owner }}"
+ current_group: "{{ docker_group }}"
+
+- name: "Update {{ service_name }}"
+ shell: docker-compose pull
+ args:
+ chdir: '{{ service_base_path }}/{{ service_name }}'
+ tags:
+ - update_deployment
+
+- name: "Start {{ service_name }}"
+ shell: docker-compose up -d
+ args:
+ chdir: '{{ service_base_path }}/{{ service_name }}'
+ tags:
+ - update_deployment
+
+- name: "Update landing page for {{ service_name }}"
+ include_role:
+ name: _deploy
+ tasks_from: caddy_landing_page
+ vars:
+ current_services: [
+ {
+ current_name: "{{ service_name }}",
+ current_url: "{{ http_s }}://{{ iam_id }}.{{ domain }}",
+ current_version: "{{ iam_version }}",
+ current_date: "{{ ansible_date_time.iso8601 }}",
+ },
+ ]
+ tags:
+ - update_deployment
+
+- name: "Send mattermost messsge"
+ uri:
+ url: "{{ mattermost_hook_smardigo }}"
+ method: POST
+ body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}"
+ body_format: json
+ headers:
+ Content-Type: "application/json"
+ delegate_to: 127.0.0.1
+ become: false
+ when:
+ - send_status_messages
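Review bot: `ignore_errors: yes` on "Stop {{ service_name }}" masks every failure of `docker-compose down` (daemon unreachable, permission denied, a container that will not stop), after which "Update" and "Start" run against a stack that may still be partially up; register the result and check it before `docker-compose up -d`, or use `failed_when` with the one condition that is genuinely acceptable. The three `shell:` tasks run plain commands with no shell features, so `command:` (or the `docker_compose` module, which would also replace the down/pull/up sequence) fits better. "Send mattermost messsge" appears twice with the same typo, and the two names should distinguish the start and end messages. The file otherwise writes booleans as `true`/`false` (`become: false`), so `ignore_errors: yes` should follow suit.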
diff --git a/roles/iam/vars/main.yml b/roles/iam/vars/main.yml
new file mode 100644
index 0000000..b8d50be
--- /dev/null
+++ b/roles/iam/vars/main.yml
@@ -0,0 +1,72 @@
+---
+
+iam_id: "{{ service_name }}-iam"
+
+iam_cache_timeout: 600s
+
+iam_keycloak_auth_server_url: "https://{{ shared_service_keycloak_hostname }}/auth"
+iam_keycloak_admin_user: "{{ keycloak_admin_username }}"
+iam_keycloak_admin_password: "{{ keycloak_admin_password }}"
+
+iam_labels: [
+ '"traefik.enable=true"',
+ '"traefik.http.routers.{{ iam_id }}.service={{ iam_id }}"',
+ '"traefik.http.routers.{{ iam_id }}.rule=Host(`{{ stage_server_url_host }}`)"',
+ '"traefik.http.routers.{{ iam_id }}.entrypoints=websecure"',
+ '"traefik.http.routers.{{ iam_id }}.tls=true"',
+ '"traefik.http.routers.{{ iam_id }}.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ iam_id }}.loadbalancer.server.port={{ service_port }}"',
+
+ '"traefik.http.routers.{{ iam_id }}-admin.service={{ iam_id }}-admin"',
+ '"traefik.http.routers.{{ iam_id }}-admin.rule=Host(`{{ stage_server_url_host }}`)"',
+ '"traefik.http.routers.{{ iam_id }}-admin.entrypoints=admin-service"',
+ '"traefik.http.routers.{{ iam_id }}-admin.tls=true"',
+ '"traefik.http.routers.{{ iam_id }}-admin.tls.certresolver=letsencrypt"',
+ '"traefik.http.routers.{{ iam_id }}-admin.middlewares={{ iam_id }}-admin-cors"',
+ '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolallowmethods=GET,OPTIONS"',
+ '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolalloworigin=*"',
+ '"traefik.http.middlewares.{{ iam_id }}-admin-cors.headers.accesscontrolallowheaders=SMA_USER"',
+ '"traefik.http.services.{{ iam_id }}-admin.loadbalancer.server.port={{ management_port }}"',
+
+ '"traefik.http.routers.{{ iam_id }}-monitor.service={{ service_name }}-node-exporter"',
+ '"traefik.http.routers.{{ iam_id }}-monitor.rule=Host(`{{ stage_server_url_host }}`)"',
+ '"traefik.http.routers.{{ iam_id }}-monitor.entrypoints=monitoring-system"',
+ '"traefik.http.routers.{{ iam_id }}-monitor.tls=true"',
+ '"traefik.http.routers.{{ iam_id }}-monitor.tls.certresolver=letsencrypt"',
+]
+
+iam_docker: {
+ networks: [
+ {
+ name: back-tier,
+ external: true,
+ },
+ {
+ name: front-tier,
+ external: true,
+ },
+ ],
+ services: [
+ {
+ name: "{{ iam_id }}",
+ image_name: "{{ iam_image_name }}",
+ image_version: "{{ iam_version }}",
+ labels: "{{ iam_labels + ( iam_labels_additional | default([])) }}",
+ restart: "{{ iam_service_restart | default('always') }}",
+ environment: [
+ "SERVER_PORT: \"{{ service_port }}\"",
+ "ADMIN_PORT: \"{{ management_port }}\"",
+ "SERVER_ERROR_INCLUDE_MESSAGE: \"always\"",
+ "SPRING_CACHE_CAFFEINE_SPEC: \"expireAfterAccess={{ iam_cache_timeout }}\"",
+ "IAM_KEYCLOAK_AUTH_SERVER_URL: \"{{ iam_keycloak_auth_server_url }}\"",
+ "IAM_KEYCLOAK_ADMIN_USER: \"{{ iam_keycloak_admin_user }}\"",
+ "IAM_KEYCLOAK_ADMIN_PASSWORD: \"{{ iam_keycloak_admin_password }}\""
+ ],
+ networks: [
+ '"back-tier"',
+ '"front-tier"',
+ ],
+ extra_hosts: "{{ iam_extra_hosts | default([]) }}",
+ }
+ ],
+}
\ No newline at end of file
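Review bot: The `environment` list hands the Keycloak admin credentials (`IAM_KEYCLOAK_ADMIN_USER`/`IAM_KEYCLOAK_ADMIN_PASSWORD`, sourced from `keycloak_admin_username`/`keycloak_admin_password`) to the iam container as plain environment variables, so the password ends up in the rendered compose file on disk and in the container's inspectable config; a dedicated Keycloak service-account client limited to the realm-management roles the service needs, with the secret supplied via an `env_file` or Docker secret, would shrink both the blast radius and the exposure. The `-admin-cors` middleware sets `accesscontrolalloworigin=*` on the admin-service router, which lets any origin issue cross-site requests to the admin endpoints; restrict it to the known frontend origin (the `{{ stage_server_url_host }}` already used in the router rule). The new file also ends without a trailing newline.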
diff --git a/roles/keycloak/tasks/_authenticate.yml b/roles/keycloak/tasks/_authenticate.yml
index 87b4b68..9baac9c 100644
--- a/roles/keycloak/tasks/_authenticate.yml
+++ b/roles/keycloak/tasks/_authenticate.yml
@@ -1,6 +1,6 @@
---
-- name: "Authenticate with Keycloak server"
+- name: "Authenticating with keycloak server"
uri:
url: "{{ keycloak_server_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
@@ -11,12 +11,14 @@
retries: 5
delay: 5
-- name: Save access_token as variable (fact)
+- name: "Saving access_token as variable (fact)"
set_fact:
access_token: "{{ keycloak_authentication.json.access_token }}"
delegate_to: 127.0.0.1
-- name: Print keycloak access_token
+- name: "Printing access_token for keycloak server"
debug:
msg: "{{ access_token }}"
- delegate_to: 127.0.0.1
\ No newline at end of file
+ delegate_to: 127.0.0.1
+ when:
+ - debug
\ No newline at end of file
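Review bot: "Printing access_token for keycloak server" still writes the bearer token to stdout whenever `debug` is set, and that output lands in the Ansible log and any CI console; drop the task, or print only a non-sensitive indicator such as `msg: "token length {{ access_token | length }}"` and add `no_log: true` to the preceding set_fact. A bare `debug` in `when:` fails with "'debug' is undefined" on any run where the variable is not set in inventory or vars (not visible here), so `when: debug | default(false)` is the safer form; the same pattern is added in _configure_client.yml, _configure_realm.yml and _create_realm_users.yml in this commit. Naming the variable `debug` also collides visually with the `debug` module keyword directly beneath it. The hunk leaves the file without a trailing newline.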
diff --git a/roles/keycloak/tasks/_configure_client.yml b/roles/keycloak/tasks/_configure_client.yml
index b4305f3..5c560d7 100644
--- a/roles/keycloak/tasks/_configure_client.yml
+++ b/roles/keycloak/tasks/_configure_client.yml
@@ -1,10 +1,11 @@
---
-#- name: Print client {{ client_id }} for realm {{ realm_name }}
-# debug:
-# msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
-# when: realm_client_ids | selectattr('clientId', 'equalto', client_id) | list | length == 0
-# delegate_to: 127.0.0.1
+- name: Print client {{ client_id }} for realm {{ realm_name }}
+ debug:
+ msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
+ when:
+ - debug
+ delegate_to: 127.0.0.1
- name: Create client {{ client_id }} for realm {{ realm_name }}
uri:
diff --git a/roles/keycloak/tasks/_configure_realm.yml b/roles/keycloak/tasks/_configure_realm.yml
index edcd2ef..8c82d13 100644
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@@ -22,6 +22,13 @@
jmesquery: '[*].id'
delegate_to: 127.0.0.1
+- name: "Printing realm ids"
+ debug:
+ msg: "{{ realm_ids }}"
+ delegate_to: 127.0.0.1
+ when:
+ - debug
+
- name: Create realm {{ current_realm_name }}
uri:
url: "{{ keycloak_server_url }}/auth/admin/realms"
@@ -56,10 +63,12 @@
jmesquery: '[*].{id: id, clientId: clientId}'
delegate_to: 127.0.0.1
-- name: Print client ids
+- name: "Printing client ids from realm {{ current_realm_name }}"
debug:
msg: "{{ realm_client_ids }}"
delegate_to: 127.0.0.1
+ when:
+ - debug
- name: "Create clients from realm {{ current_realm_name }}"
include_tasks: _configure_client.yml
diff --git a/roles/keycloak/tasks/_create_realm_users.yml b/roles/keycloak/tasks/_create_realm_users.yml
new file mode 100644
index 0000000..bd408e1
--- /dev/null
+++ b/roles/keycloak/tasks/_create_realm_users.yml
@@ -0,0 +1,53 @@
+---
+
+- name: "Reading users of realm {{ current_realm_name }}"
+ uri:
+ url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
+ method: GET
+ headers:
+ Authorization: "Bearer {{ access_token}} "
+ status_code: [200]
+ register: realm_users
+ delegate_to: 127.0.0.1
+
+- name: "Printing realm users"
+ debug:
+ msg: "{{ realm_users }}"
+ delegate_to: 127.0.0.1
+ when:
+ - debug
+
+- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
+ set_fact:
+ realm_users_json: "{{ realm_users.json }}"
+ delegate_to: 127.0.0.1
+
+- name: "Reading user ids of realm {{ current_realm_name }}"
+ set_fact:
+ realm_user_usernames: "{{ realm_users_json | json_query(jmesquery) }}"
+ vars:
+ jmesquery: '[*].username'
+ delegate_to: 127.0.0.1
+
+- name: "Printing usernames of realm {{ current_realm_name }}"
+ debug:
+ msg: "{{ realm_user_usernames }}"
+ delegate_to: 127.0.0.1
+ when:
+ - debug
+
+- name: "Creating users for realm {{ current_realm_name }}"
+ uri:
+ url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
+ method: POST
+ body_format: json
+ body: "{{ lookup('template','keycloak-realm-create-user.json.j2') }}"
+ headers:
+ Content-Type: "application/json"
+ Authorization: "Bearer {{ access_token }}"
+ status_code: [201]
+ with_items: "{{ current_realm_users }}"
+ when: current_realm_user.username not in realm_user_usernames
+ loop_control:
+ loop_var: current_realm_user
+ delegate_to: 127.0.0.1
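Review bot: The Authorization header on "Reading users of realm" is `"Bearer {{ access_token}} "` — a trailing space inside the quoted value and a missing space before `}}` — while the POST at the end of the file uses `"Bearer {{ access_token }}"`; make them identical, `Authorization: "Bearer {{ access_token }}"`, so the value does not rely on the server trimming whitespace. The user-creation request renders `keycloak-realm-create-user.json.j2` into the body; if that template carries initial credentials (not visible here), the task needs `no_log: true`, since module arguments including the body appear in verbose and failure output. "Reading user ids of realm" actually collects usernames (`[*].username` into `realm_user_usernames`), so rename it "Reading usernames of realm {{ current_realm_name }}", and since "Printing realm users" dumps the full user objects, consider limiting that debug output to the usernames as well.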
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index f622f2c..b752235 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -14,7 +14,7 @@ keycloak_labels: [
'"traefik.http.routers.{{ keycloak_id }}-monitor.service={{ service_name }}-node-exporter"',
'"traefik.http.routers.{{ keycloak_id }}-monitor.rule=Host(`{{ stage_server_url_host }}`)"',
- '"traefik.http.routers.{{ keycloak_id }}-monitor.entrypoints=admin-system"',
+ '"traefik.http.routers.{{ keycloak_id }}-monitor.entrypoints=monitoring-system"',
'"traefik.http.routers.{{ keycloak_id }}-monitor.tls=true"',
'"traefik.http.routers.{{ keycloak_id }}-monitor.tls.certresolver=letsencrypt"',
]
diff --git a/smardigo.yml b/smardigo.yml
index 6bc881b..d9bb8f7 100644
--- a/smardigo.yml
+++ b/smardigo.yml
@@ -50,15 +50,19 @@
- update_networks
roles:
- - role: connect
- when: "'connect' in group_names"
- - role: keycloak
- when: "'keycloak' in group_names"
- role: postfix
when: "'postfix' in group_names"
+ - role: keycloak
+ when: "'keycloak' in group_names"
+
- role: harbor
when: "'harbor' in group_names"
- role: elastic
when: "'elastic' in group_names"
- role: prometheus
when: "'prometheus' in group_names"
+
+ - role: iam
+ when: "'iam' in group_names"
+ - role: connect
+ when: "'connect' in group_names"
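Review bot: The reordered roles (postfix, keycloak, then harbor/elastic/prometheus, then iam, connect) are separated by blank lines, which hints at a dependency chain but records nothing; if iam needs keycloak configured first and connect needs iam, put that on the list, `# order matters: keycloak before iam, iam before connect`, so the next reorder does not break it. Blank lines inside a block sequence are not used elsewhere in this file and make the grouping look accidental rather than deliberate.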
diff --git a/smardigo/provisioning/form/tenant.json b/smardigo/provisioning/form/tenant.json
index bb0fa15..6d33c69 100644
--- a/smardigo/provisioning/form/tenant.json
+++ b/smardigo/provisioning/form/tenant.json
@@ -31,7 +31,7 @@
"eq" : ""
},
"data" : {
- "url" : "http://localhost:8080/api/v1/scopes/{{context.scopeId}}/tags/{{context.scopeTag}}/datasources/tenants/query?id={{data.tenant_id}}",
+ "url" : "api/v1/scopes/{{context.scopeId}}/tags/{{context.scopeTag}}/datasources/tenants/query?id={{data.tenant_id}}",
"method" : "GET",
"values" : [ { } ]
},
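Review bot: The new `url` value `api/v1/scopes/...` has no leading slash, so a browser resolves it relative to the directory of the page that loaded the form rather than the site root; if the consumer prepends its own base URL this is fine, but otherwise `/api/v1/scopes/...` is what the removed `http://localhost:8080/api/v1/...` mapped to. A short note in the commit message on how relative URLs are resolved by this form engine would keep the next reader from re-adding the absolute host.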
diff --git a/smardigo/provisioning/process/simple-connect.bpmn b/smardigo/provisioning/process/simple-connect.bpmn
index 743342f..a3052d2 100644
--- a/smardigo/provisioning/process/simple-connect.bpmn
+++ b/smardigo/provisioning/process/simple-connect.bpmn
@@ -500,11 +500,6 @@ Keycloak Realm mit Administrator Account
-
-
-
-
-
Flow_13nom3k
diff --git a/stage-dev b/stage-dev
index d118825..0579b3a 100644
--- a/stage-dev
+++ b/stage-dev
@@ -1,25 +1,18 @@
-[ansible]
-dev-ansible-01
-
[connect]
# ---
dev-management-smardigo-01
-dev-connect-01
-dev-connect-02
-dev-connect-03
-
-# only for testing purposes -> dynamic-provisioning
-dev-sken-01
-dev-sken-02
-
-[harbor]
-dev-docker-registry-01
[elastic]
dev-elastic-stack-01
dev-elastic-stack-02
dev-elastic-stack-03
+[harbor]
+dev-docker-registry-01
+
+[iam]
+dev-iam-01
+
[keycloak]
dev-keycloak-01
@@ -30,10 +23,10 @@ dev-mail-01
dev-prometheus-01
[stage_dev:children]
-ansible
connect
elastic
harbor
+iam
keycloak
postfix
prometheus