From 81f5e65b3d57877e68bf08370cd7453a15b44287 Mon Sep 17 00:00:00 2001 From: "Eichhorn, Philipp" Date: Fri, 29 Sep 2023 17:00:48 +0000 Subject: [PATCH] SMA-2501 add new process-search to PMCI --- group_vars/all/connect.yml | 1 + group_vars/all/versions.yml | 1 + group_vars/connect/plain.yml | 5 + library/smardigo_user_token.py | 91 +++++++++++++++---- roles/connect/defaults/main.yml | 1 + roles/connect/tasks/main.yml | 29 ++++++ roles/connect/vars/main.yml | 81 +++++++++++++++-- roles/connect_postgres/defaults/main.yml | 5 +- templates/_docker/docker-compose.yml.j2 | 5 + .../config/application-cloudevents.yml.j2 | 25 +++++ 10 files changed, 216 insertions(+), 28 deletions(-) create mode 100644 templates/connect/config/application-cloudevents.yml.j2 diff --git a/group_vars/all/connect.yml b/group_vars/all/connect.yml index affa9c5..ac626dc 100644 --- a/group_vars/all/connect.yml +++ b/group_vars/all/connect.yml @@ -5,6 +5,7 @@ shared_service_connect_data_password: "{{ elastic_connect_data_password_vault | connect_id: "{{ inventory_hostname }}-connect" connect_base_url: "{{ connect_id }}.{{ domain }}" +process_search_id: "{{ inventory_hostname }}-process-search" wordpress_id: "{{ inventory_hostname }}-wordpress" wordpress_base_url: "{{ wordpress_id }}.{{ domain }}" diff --git a/group_vars/all/versions.yml b/group_vars/all/versions.yml index 6a4def0..612b360 100644 --- a/group_vars/all/versions.yml +++ b/group_vars/all/versions.yml @@ -25,6 +25,7 @@ traefik_version: "v2.10.3" connect_version: "10.5" iam_version: "10.5" +process_search_version: "1.3" ansible_minimal_version: "2.12.0" diff --git a/group_vars/connect/plain.yml b/group_vars/connect/plain.yml index 8cdd469..9a43665 100644 --- a/group_vars/connect/plain.yml +++ b/group_vars/connect/plain.yml 
@@ -34,3 +34,8 @@ connect_mail_properties_simulation: false connect_csrf_token_name: "21f4d682-dbad-45e5-b3b5-47d274b9772d" connect_csrf_token_value: "4d2ef8cc-f7d9-46d4-b4d6-f20f9dc48040" + +process_search_postgres_host: "{{ shared_service_postgres_primary }}" +process_search_postgres_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_process_search" +process_search_postgres_username: "{{ process_search_postgres_database }}" +process_search_postgres_password: "connect-postgres-admin" diff --git a/library/smardigo_user_token.py b/library/smardigo_user_token.py index cde6512..49a8060 100644 --- a/library/smardigo_user_token.py +++ b/library/smardigo_user_token.py 
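Review bot: `process_search_postgres_password: "connect-postgres-admin"` puts a literal database password into a source-controlled, evidently unencrypted file (`plain.yml`), for a role that `roles/connect_postgres` creates with `trusted_cidr_entry: "{{ shared_service_network }}"`; the value also reads like a shared admin credential rather than one specific to process-search. The one other password visible in this patch follows a vault pattern (`shared_service_connect_data_password` derived from `elastic_connect_data_password_vault`), so this should do the same: `process_search_postgres_password: "{{ process_search_postgres_password_vault }}"` with the value in the vault file, and the literal treated as burned now that it is in git history. The `connect_csrf_token_*` lines are context, not part of this change.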
@@ -1,36 +1,89 @@ #!/usr/bin/python -DOCUMENTATION = ''' +from __future__ import (absolute_import, division, print_function) +from ansible.module_utils.basic import AnsibleModule +__metaclass__ = type + +DOCUMENTATION = r''' --- module: smardigo_user_token short_description: create smardigo user token ''' -EXAMPLES = ''' -- hosts: localhost - tasks: - - name: create smardigo user token - smardigo_user_token: - secret: "" - user_id: "" - register: result - - debug: var=result + +EXAMPLES = r''' +# Pass in secret and user_id +- name: create smardigo user token + smardigo_user_token: + secret: "some-secret" + user_id: "some-user" + +# Also pass in realm and client_id +- name: create smardigo user token + smardigo_user_token: + secret: "some-secret" + user_id: "some-user" + realm: "some-some" + client_id: "some-client" +''' + +RETURN = r''' +token: + description: The generated user token. + type: str + returned: always + sample: 'eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..Q1NwxoSW8iHpceK8PhEycA.XNJc_8h5rW2aQ2788hpw6XumG-bKIiNIdDxWaRrvIyc._BJSwA_Y_0RlvgM5R8gaXA' +changed: + description: A user token was generated. 
+ type: bool + returned: always + sample: true ''' from jose import jwe -from ansible.module_utils.basic import * +import json -def main(): +def run_module(): + module_args = dict( + secret=dict(type='str', required=True), + user_id=dict(type='str', required=True), + realm=dict(type='str', required=False, default=''), + client_id=dict(type='str', required=False, default='') + ) - fields = { - "secret": {"default": False, "type": "str"}, - "user_id": {"default": False, "type": "str"} - } + module = AnsibleModule( + argument_spec=module_args, + supports_check_mode=True + ) - module = AnsibleModule(argument_spec=fields) + result = dict( + changed=False, + token='' + ) - token = jwe.encrypt('{"sub":"' + module.params["user_id"] + '"}', module.params["secret"], algorithm='dir', encryption='A128CBC-HS256') + claims = dict( + sub=module.params["user_id"], + ) + + if module.params['realm'] and module.params['client_id']: + claims['iam'] = dict( + realm=module.params['realm'], + clientId=module.params['client_id'], + client_id=module.params['client_id'], + ) + elif module.params['realm'] or module.params['client_id']: + module.fail_json( + msg='Please specify both \'realm\' and \'client_id\'', **result) + + result['token'] = jwe.encrypt(json.dumps( + claims), module.params["secret"], algorithm='dir', encryption='A128CBC-HS256') + result['changed'] = True + + module.exit_json(**result) + + +def main(): + run_module() - module.exit_json(changed=True, token=token) if __name__ == '__main__': main() diff --git a/roles/connect/defaults/main.yml b/roles/connect/defaults/main.yml index 157ce28..fc7d4c4 100644 --- a/roles/connect/defaults/main.yml +++ b/roles/connect/defaults/main.yml 
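Review bot: In `run_module`, `secret=dict(type='str', required=True)` lacks `no_log=True`, so the JWE key is echoed in `-v` output, in `fail_json` invocation dumps and by logging callbacks; the returned `token` is itself a bearer credential (the role feeds it into `*_API_KEY_VALUE`) and is printed too unless the calling task sets `no_log`. Change the spec to `secret=dict(type='str', required=True, no_log=True),`. Separately, `jwe.encrypt(..., algorithm='dir', encryption='A128CBC-HS256')` uses the secret directly as the content-encryption key, which for this algorithm should be exactly 32 bytes; a mis-sized `connect_jwt_secret` makes `jose` raise, and that exception is not caught, so the user sees a traceback instead of a `fail_json` message — wrap the call as below (needs `from jose.exceptions import JOSEError`). The claims carry no `exp`, so the token stays valid for as long as the secret does; presumably intended for a service credential, but worth stating in the DOCUMENTATION block.

```python
    try:
        result['token'] = jwe.encrypt(
            json.dumps(claims), module.params["secret"],
            algorithm='dir', encryption='A128CBC-HS256')
    except JOSEError as exc:
        module.fail_json(msg='Failed to create user token: %s' % exc, **result)
    result['changed'] = True
    # … unchanged: module.exit_json(**result) …
```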
@@ -1,6 +1,7 @@ --- connect_image_name: "{{ shared_service_hostname_harbor }}/smardigo/connect-whitelabel-app" +process_search_image_name: "{{ shared_service_hostname_harbor }}/smardigo/process-search" connect_mail_host: "{{ shared_service_mail_hostname }}" connect_mail_properties_base_url: "{{ http_s }}://{{ connect_base_url }}" diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml index c409489..e2fcb74 100644 --- a/roles/connect/tasks/main.yml +++ b/roles/connect/tasks/main.yml @@ -4,6 +4,35 @@ ### update_certs ### update_deployment +- name: "Creating smardigo user token" + smardigo_user_token: + secret: "{{ connect_jwt_secret }}" + user_id: "{{ connect_client_admin_username }}" + register: smardigo_user_token_result + delegate_to: 127.0.0.1 + become: false + tags: + - update_deployment + +- name: "Creating iam user token" + smardigo_user_token: + secret: "{{ iam_jwt_secret }}" + user_id: "{{ connect_client_admin_username }}" + realm: "{{ current_realm_name }}" + client_id: "{{ connect_oidc_client_id }}" + register: iam_user_token_result + delegate_to: 127.0.0.1 + become: false + tags: + - update_deployment + +- name: "Setting smardigo_auth_token_value and iam_auth_token_value as fact" + set_fact: + smardigo_auth_token_value: "{{ smardigo_user_token_result.token }}" + iam_auth_token_value: "{{ iam_user_token_result.token }}" + tags: + - update_deployment + - name: "Setup hcloud firewalls for <{{ inventory_hostname }}>" include_role: name: hetzner-ansible-hcloud diff --git a/roles/connect/vars/main.yml b/roles/connect/vars/main.yml index d3b47be..7bd2f7c 100644 --- a/roles/connect/vars/main.yml +++ b/roles/connect/vars/main.yml 
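Review bot: The two `smardigo_user_token` tasks and the following `set_fact` handle secrets (`connect_jwt_secret`, `iam_jwt_secret` and the resulting tokens) but none of them sets `no_log: true`, so with `-v` or a logging callback the module arguments and the registered `token` values end up in controller output; add `no_log: true` next to `become: false` on both token tasks and on the `set_fact`. The tasks also run for every `update_deployment` invocation, although the tokens are consumed only by the process-search service, which `roles/connect/vars/main.yml` activates for `connect_process_search_module == 'external_v2'`; a matching `when:` avoids minting admin-scoped tokens where nothing uses them. Both tokens are issued for `connect_client_admin_username`; if the process-search calls only need read/index access, a dedicated service user would be the least-privilege choice — the diff does not show which permissions are required.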
@@ -1,14 +1,15 @@ --- +connect_process_search_module: "{{ connect_search_elastic_enabled | ternary((connect_version is version('11.1', '>=') | ternary('external_v2', 'external')), 'embedded') }}" + connect_spring_profiles_include: - - "{{ (true) | ternary('prod','') }}" - - "{{ (true) | ternary('postgres','') }}" - - "{{ connect_swagger_enabled | ternary('swagger','') }}" - - "{{ connect_search_elastic_enabled | ternary('elastic','') }}" + - "{{ (true) | ternary('prod','') }}" + - "{{ (true) | ternary('postgres','') }}" + - "{{ connect_swagger_enabled | ternary('swagger','') }}" + - "{{ (connect_process_search_module == 'external') | ternary('elastic','') }}" + - "{{ (connect_process_search_module == 'external_v2') | ternary('cloudevents','') }}" - "{{ connect_ribbon_display | default('') }}" -connect_process_search_module: "{{ 'external' if connect_search_elastic_enabled else 'embedded' }}" - connect_labels: [ '"traefik.enable=true"', '"traefik.http.routers.{{ connect_id }}.service={{ connect_id }}"', 
@@ -79,12 +80,13 @@ connect_environment: [ "EXTERNAL_IAM_SERVER_URL: \"{{ smardigo_iam_client_server_url | default('') }}\"", "PROCESS_SEARCH_MODULE: \"{{ connect_process_search_module }}\"", + "PROCESS_SEARCH_BASE_PATH: \"http://{{ process_search_id }}:{{ service_port }}\"", "ELASTIC_HOST: \"{{ connect_elastic_host | default('') }}\"", "ELASTIC_PREFIX: \"{{ connect_elastic_prefix | replace('-','_') }}\"", "ELASTIC_USERNAME: \"{{ connect_elastic_username | default('') }}\"", - "ELASTIC_PASSWORD: \"{{ connect_elastic_password | default('') }}\"", - "ELASTIC_CA: \"{{ connect_elastic_ca | default('') }}\"", + "ELASTIC_PASSWORD: \"{{ connect_elastic_password | default('') }}\"", + "ELASTIC_CA: \"{{ connect_elastic_ca | default('') }}\"", "ELASTIC_SEARCH_INDEX: \"{{ connect_elastic_search_index | default('search') }}\"", "ELASTIC_MESSAGE_INDEX: \"{{ connect_elastic_message_index | default('message') }}\"", "ELASTIC_ANALYSIS_INDEX: \"{{ connect_elastic_analysis_index | default('analysis') }}\"", 
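Review bot: `PROCESS_SEARCH_BASE_PATH: "http://{{ process_search_id }}:{{ service_port }}"` points connect at the new service over plain HTTP, and the reverse direction in `process_search_environment` (`*_URL: "http://{{ connect_id }}:..."`) carries the `*_API_KEY_VALUE` tokens the same way, so admin-level tokens travel unencrypted on the `back-tier` compose network. That is acceptable only if `back-tier` stays a single-host internal network with no untrusted containers attached — please confirm that assumption, since both containers already mount `./certs/ca/ca.crt`, which would make `https://` between them feasible. The variable is also set when `connect_process_search_module` is `embedded` or `external`, harmless if ignored, and the `ELASTIC_PASSWORD`/`ELASTIC_CA` lines appear to differ only in whitespace.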
@@ -123,6 +125,53 @@ connect_environment: [ "SMA_CUSTOM_SCRIPTING_WHITELIST_FILE: \"/usr/share/smardigo/custom-whitelist\"", ] +process_search_labels: [] + +process_search_environment: [ + "TZ: \"{{ connect_time_zone | default('Europe/Berlin') }}\"", + "KNATIVE_BROKER_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + + "IAM_URL: \"{{ smardigo_iam_client_server_url | default('') }}\"", + "IAM_API_KEY_VALUE: \"{{ iam_auth_token_value }}\"", + "IAM_LEGACY: \"true\"", + "IAM_LEGACY_USER_PERMISSION_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "IAM_LEGACY_USER_PERMISSION_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "RUNTIME_CONFIG_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "RUNTIME_CONFIG_LEGACY: \"true\"", + "RUNTIME_CONFIG_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "PROCESS_PERSISTENCE_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "PROCESS_PERSISTENCE_LEGACY: \"true\"", + "PROCESS_PERSISTENCE_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "PROCESS_ACCESS_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "PROCESS_ACCESS_LEGACY: \"true\"", + "PROCESS_ACCESS_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "PROCESS_RESUBMISSION_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "PROCESS_RESUBMISSION_LEGACY: \"true\"", + "PROCESS_RESUBMISSION_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "PROCESS_TWO_PERSON_RULE_URL: \"http://{{ connect_id }}:{{ service_port }}\"", + "PROCESS_TWO_PERSON_RULE_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"", + + "DATASOURCE_URL: \"{{ process_search_postgres_host }}:{{ service_port_postgres }}/{{ process_search_postgres_database }}?sslmode=require\"", + "DATASOURCE_USERNAME: \"{{ process_search_postgres_username }}\"", + "DATASOURCE_PASSWORD: \"{{ process_search_postgres_password }}\"", + "FLYWAY_ENABLED: \"true\"", + + "OS_PROTOCOL: \"{{ connect_elastic_protocol | default('https') }}\"", + "OS_HOSTS: \"{{ connect_elastic_host | 
default('') }}:{{ service_port_elasticsearch }}\"", + "OS_USERNAME: \"{{ connect_elastic_username | default('') }}\"", + "OS_PASSWORD: \"{{ connect_elastic_password | default('') }}\"", + "OS_CERTS_URI: \"{{ connect_elastic_ca | default('') }}\"", + # "OS_LOG_LEVEL: \"DEBUG\"" + "INDEX_PREFIX: \"{{ connect_elastic_prefix | replace('-','_') }}-{{ connect_elastic_search_index | default('search') }}\"", + "QUARKUS_PROFILE: \"elastic\"", + "QUARKUS_REBUILD: \"true\"", +] + connect_docker: { networks: [ { @@ -145,12 +194,28 @@ connect_docker: { volumes: [ '"./certs/ca/ca.crt:/usr/share/smardigo/ca.crt:ro"', '"./config/custom-whitelist:/usr/share/smardigo/custom-whitelist:ro"', + "./config/application-cloudevents.yml:/config/application-cloudevents.yml:ro" ], networks: [ '"back-tier"', '"front-tier"', ], extra_hosts: "{{ connect_extra_hosts | default([]) }}", + }, + { + active: "{{ connect_process_search_module == 'external_v2' }}", + name: "{{ process_search_id }}", + image_name: "{{ process_search_image_name }}", + image_version: "{{ process_search_version }}", + labels: "{{ process_search_labels + ( process_search_labels_additional | default([])) }}", + restart: "{{ process_search_service_restart | default('always') }}", + environment: "{{ process_search_environment + ( process_search_environment_additional | default([])) }}", + volumes: [ + '"./certs/ca/ca.crt:/usr/share/smardigo/ca.crt:ro"', + ], + networks: [ + '"back-tier"', + ], } ], } diff --git a/roles/connect_postgres/defaults/main.yml b/roles/connect_postgres/defaults/main.yml index 2f51301..38fde50 100644 --- a/roles/connect_postgres/defaults/main.yml +++ b/roles/connect_postgres/defaults/main.yml 
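Review bot: `DATASOURCE_URL` ends in `?sslmode=require`, which encrypts the PostgreSQL connection but does not verify the server certificate, while the process-search container defined later in this file mounts `./certs/ca/ca.crt` at `/usr/share/smardigo/ca.crt`; if the server certificate chains to that CA and the datasource is pgjdbc (the `sslmode` parameter suggests so), `?sslmode=verify-full&sslrootcert=/usr/share/smardigo/ca.crt` authenticates the server with material already in the container. The same `smardigo_auth_token_value` — a token for `connect_client_admin_username` — is injected into six `*_API_KEY_VALUE` slots next to `IAM_API_KEY_VALUE`, `DATASOURCE_PASSWORD` and `OS_PASSWORD`, all exposed through the container environment (`docker inspect`, `/proc/<pid>/environ`); that mirrors how `connect_environment` already passes `ELASTIC_PASSWORD`, so I flag it only as a candidate for Docker secrets or file-based injection later. The commented-out `# "OS_LOG_LEVEL: \"DEBUG\""` entry is dead configuration inside the flow sequence; drop it or replace it with a comment saying how debug logging is enabled.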
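Review bot: The new volume entry `"./config/application-cloudevents.yml:/config/application-cloudevents.yml:ro"` is a plain YAML string, whereas the neighbouring entries are `'"…"'` — single-quoted strings whose embedded double quotes survive into the rendered compose file; if the compose template emits items verbatim, this one renders unquoted, probably still valid but inconsistent, so align it as `'"./config/application-cloudevents.yml:/config/application-cloudevents.yml:ro"'`. I also do not see, in this patch, a task that renders `templates/connect/config/application-cloudevents.yml.j2` into `./config/`; if it is not picked up by an existing templating loop, Docker will create an empty directory at the bind-mount source and connect will fail to read its cloudevents config. The mount is unconditional while the `cloudevents` profile and the process-search service are only enabled for `external_v2`. The process-search service itself joins only `back-tier`, has no traefik labels and publishes no ports, which is the right exposure for an internal backend.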
@@ -3,4 +3,7 @@ postgres_acls: - name: "{{ connect_postgres_database }}" password: "{{ connect_postgres_password }}" - trusted_cidr_entry: "{{ shared_service_network }}" + trusted_cidr_entry: "{{ shared_service_network }}" + - name: "{{ process_search_postgres_database }}" + password: "{{ process_search_postgres_password }}" + trusted_cidr_entry: "{{ shared_service_network }}" diff --git a/templates/_docker/docker-compose.yml.j2 b/templates/_docker/docker-compose.yml.j2 index 033abc1..75f0dc5 100644 --- a/templates/_docker/docker-compose.yml.j2 +++ b/templates/_docker/docker-compose.yml.j2 @@ -38,6 +38,10 @@ volumes: {# ################################################## services #} services: {% for service in current_docker.services %} +{% if + service.active is not defined + or service.active +%} {{ service.name }}: image: "{{ service.image_name }}:{{ service.image_version }}" container_name: "{{ service.name }}" @@ -219,5 +223,6 @@ services: {% endfor %} {% endif %} {# ########################################### lines #} +{% endif %} {% endfor %} {# ################################################## services #} diff --git a/templates/connect/config/application-cloudevents.yml.j2 b/templates/connect/config/application-cloudevents.yml.j2 new file mode 100644 index 0000000..6220e1b --- /dev/null +++ b/templates/connect/config/application-cloudevents.yml.j2 
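Review bot: The new `postgres_acls` entry creates the `{{ process_search_postgres_database }}` role with `trusted_cidr_entry: "{{ shared_service_network }}"` on every host the role runs on, regardless of whether process-search is deployed there (the service in `roles/connect/vars/main.yml` is only active for `connect_process_search_module == 'external_v2'`), and `process_search_postgres_password` is currently the literal `connect-postgres-admin` from `group_vars/connect/plain.yml`; the net effect is a network-reachable database role with a known password on stages that never use it. Build the list conditionally (or guard the role) with the same `external_v2` condition, and source the password from a vault variable. The edit to the existing `trusted_cidr_entry` line appears to be whitespace-only.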
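Review bot: `{% if service.active is not defined or service.active %}` relies on `service.active` already being a boolean when the compose template is rendered; the only producer in this patch sets `active: "{{ connect_process_search_module == 'external_v2' }}"`, which Ansible normally coerces from the string `"False"` to a bool, but a literal `active: "false"` or a value that stays a string would be truthy and the inactive service would be emitted anyway. `{% if service.active | default(true) | bool %}` states the intent explicitly and covers both cases. The matching `{% endif %}` lands in the second hunk of this file and looks correct.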
@@ -0,0 +1,25 @@ +smardigo: + cloudevents: + event-distributor: + rest: + connect-timeout: PT1S + read-timeout: PT30S + consumers: + - type: process-created + urls: + - "http://{{ process_search_id }}:8080/process-created" + - type: process-data-updated + urls: + - "http://{{ process_search_id }}:8080/process-data-updated" + - type: process-deleted + urls: + - "http://{{ process_search_id }}:8080/process-deleted" + - type: delete-scope + urls: + - "http://{{ process_search_id }}:8080/delete-scope" + - type: activate-config + urls: + - "http://{{ process_search_id }}:8080/activate-config" + - type: index-rebuild + urls: + - "http://{{ process_search_id }}:8080/index-rebuild"
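Review bot: Every consumer URL hard-codes `:8080`, while `roles/connect/vars/main.yml` addresses the same service as `http://{{ process_search_id }}:{{ service_port }}`; if `service_port` is ever anything but 8080 the event distributor posts into the void, so use the variable here too, e.g. `- "http://{{ process_search_id }}:{{ service_port }}/process-created"` (assuming `service_port` is in scope for this template as it is in the role vars). The template configures no authentication for these callbacks, and `delete-scope` and `index-rebuild` are destructive event types; if the process-search inbound endpoints do not enforce an API key, any container on `back-tier` can trigger them — the diff does not show how the service authenticates inbound calls, so please confirm. `connect-timeout: PT1S` is tight for a freshly started Quarkus container (the image is configured via `QUARKUS_*` variables); a comment on whether the distributor retries failed deliveries would help the next reader judge that value.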