SMA-2501 add new process-search to PMCI

2 years ago · 81f5e65b3d
parent afa0552d4e
commit 81f5e65b3d
10 changed files with 216 additions and 28 deletions
--- a/group_vars/all/connect.yml
+++ b/group_vars/all/connect.yml
@ -5,6 +5,7 @@ shared_service_connect_data_password: "{{ elastic_connect_data_password_vault |

 connect_id: "{{ inventory_hostname }}-connect"
 connect_base_url: "{{ connect_id }}.{{ domain }}"
+process_search_id: "{{ inventory_hostname }}-process-search"
 wordpress_id: "{{ inventory_hostname }}-wordpress"
 wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"

--- a/group_vars/all/versions.yml
+++ b/group_vars/all/versions.yml
@ -25,6 +25,7 @@ traefik_version: "v2.10.3"

 connect_version: "10.5"
 iam_version: "10.5"
+process_search_version: "1.3"

 ansible_minimal_version: "2.12.0"

--- a/group_vars/connect/plain.yml
+++ b/group_vars/connect/plain.yml
@ -34,3 +34,8 @@ connect_mail_properties_simulation: false

 connect_csrf_token_name: "21f4d682-dbad-45e5-b3b5-47d274b9772d"
 connect_csrf_token_value: "4d2ef8cc-f7d9-46d4-b4d6-f20f9dc48040"
+
+process_search_postgres_host: "{{ shared_service_postgres_primary }}"
+process_search_postgres_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_process_search"
+process_search_postgres_username: "{{ process_search_postgres_database }}"
+process_search_postgres_password: "connect-postgres-admin"
--- a/library/smardigo_user_token.py
+++ b/library/smardigo_user_token.py
@ -1,36 +1,89 @@
 #!/usr/bin/python

-DOCUMENTATION = '''
+from __future__ import (absolute_import, division, print_function)
+from ansible.module_utils.basic import AnsibleModule
+__metaclass__ = type
+
+DOCUMENTATION = r'''
 ---
 module: smardigo_user_token
 short_description: create smardigo user token
 '''
-EXAMPLES = '''
- hosts: localhost
-  tasks:
+
+EXAMPLES = r'''
+# Pass in secret and user_id
 - name: create smardigo user token
  smardigo_user_token:
-      secret: ""
-      user_id: ""
-    register: result
-  - debug: var=result
+    secret: "some-secret"
+    user_id: "some-user"
+
+# Also pass in realm and client_id
+- name: create smardigo user token
+  smardigo_user_token:
+    secret: "some-secret"
+    user_id: "some-user"
+    realm: "some-some"
+    client_id: "some-client"
+'''
+
+RETURN = r'''
+token:
+    description: The generated user token.
+    type: str
+    returned: always
+    sample: 'eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..Q1NwxoSW8iHpceK8PhEycA.XNJc_8h5rW2aQ2788hpw6XumG-bKIiNIdDxWaRrvIyc._BJSwA_Y_0RlvgM5R8gaXA'
+changed:
+    description: A user token was generated.
+    type: bool
+    returned: always
+    sample: true
 '''

 from jose import jwe
-from ansible.module_utils.basic import *
+import json

-def main():
+def run_module():
+    module_args = dict(
+        secret=dict(type='str', required=True),
+        user_id=dict(type='str', required=True),
+        realm=dict(type='str', required=False, default=''),
+        client_id=dict(type='str', required=False, default='')
+    )
+
+    module = AnsibleModule(
+        argument_spec=module_args,
+        supports_check_mode=True
+    )
+
+    result = dict(
+        changed=False,
+        token=''
+    )
+
+    claims = dict(
+        sub=module.params["user_id"],
+    )

-    fields = {
-        "secret": {"default": False, "type": "str"},
-        "user_id": {"default": False, "type": "str"}
-    }
+    if module.params['realm'] and module.params['client_id']:
+        claims['iam'] = dict(
+            realm=module.params['realm'],
+            clientId=module.params['client_id'],
+            client_id=module.params['client_id'],
+        )
+    elif module.params['realm'] or module.params['client_id']:
+        module.fail_json(
+            msg='Please specify both \'realm\' and \'client_id\'', **result)

-    module = AnsibleModule(argument_spec=fields)
+    result['token'] = jwe.encrypt(json.dumps(
+        claims), module.params["secret"], algorithm='dir', encryption='A128CBC-HS256')
+    result['changed'] = True

-    token = jwe.encrypt('{"sub":"' +  module.params["user_id"] + '"}', module.params["secret"], algorithm='dir', encryption='A128CBC-HS256')
+    module.exit_json(**result)
+
+
+def main():
+    run_module()

-    module.exit_json(changed=True, token=token)

 if __name__ == '__main__':
    main()
--- a/roles/connect/defaults/main.yml
+++ b/roles/connect/defaults/main.yml
@ -1,6 +1,7 @@
 ---

 connect_image_name: "{{ shared_service_hostname_harbor }}/smardigo/connect-whitelabel-app"
+process_search_image_name: "{{ shared_service_hostname_harbor }}/smardigo/process-search"

 connect_mail_host: "{{ shared_service_mail_hostname }}"
 connect_mail_properties_base_url: "{{ http_s }}://{{ connect_base_url }}"
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -4,6 +4,35 @@
 ###   update_certs
 ###   update_deployment

+- name: "Creating smardigo user token"
+  smardigo_user_token:
+    secret:  "{{ connect_jwt_secret }}"
+    user_id: "{{ connect_client_admin_username }}"
+  register: smardigo_user_token_result
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_deployment
+
+- name: "Creating iam user token"
+  smardigo_user_token:
+    secret:  "{{ iam_jwt_secret }}"
+    user_id: "{{ connect_client_admin_username }}"
+    realm: "{{ current_realm_name }}"
+    client_id: "{{ connect_oidc_client_id }}"
+  register: iam_user_token_result
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_deployment
+
+- name: "Setting smardigo_auth_token_value and iam_auth_token_value as fact"
+  set_fact:
+    smardigo_auth_token_value: "{{ smardigo_user_token_result.token }}"
+    iam_auth_token_value: "{{ iam_user_token_result.token }}"
+  tags:
+    - update_deployment
+
 - name: "Setup hcloud firewalls for <{{ inventory_hostname }}>"
  include_role:
    name: hetzner-ansible-hcloud
--- a/roles/connect/vars/main.yml
+++ b/roles/connect/vars/main.yml
@ -1,14 +1,15 @@
 ---

+connect_process_search_module: "{{ connect_search_elastic_enabled | ternary((connect_version is version('11.1', '>=') | ternary('external_v2', 'external')), 'embedded') }}"
+
 connect_spring_profiles_include:
  - "{{ (true) | ternary('prod','') }}"
  - "{{ (true) | ternary('postgres','') }}"
  - "{{ connect_swagger_enabled | ternary('swagger','') }}"
-  - "{{ connect_search_elastic_enabled  | ternary('elastic','') }}"
+  - "{{ (connect_process_search_module == 'external') | ternary('elastic','') }}"
+  - "{{ (connect_process_search_module == 'external_v2') | ternary('cloudevents','') }}"
  - "{{ connect_ribbon_display | default('') }}"

-connect_process_search_module: "{{ 'external' if connect_search_elastic_enabled else 'embedded' }}"
-
 connect_labels: [
  '"traefik.enable=true"',
  '"traefik.http.routers.{{ connect_id }}.service={{ connect_id }}"',
@ -79,6 +80,7 @@ connect_environment: [
  "EXTERNAL_IAM_SERVER_URL: \"{{ smardigo_iam_client_server_url | default('') }}\"",

  "PROCESS_SEARCH_MODULE: \"{{ connect_process_search_module }}\"",
+  "PROCESS_SEARCH_BASE_PATH: \"http://{{ process_search_id }}:{{ service_port }}\"",

  "ELASTIC_HOST: \"{{ connect_elastic_host | default('') }}\"",
  "ELASTIC_PREFIX: \"{{ connect_elastic_prefix | replace('-','_') }}\"",
@ -123,6 +125,53 @@ connect_environment: [
  "SMA_CUSTOM_SCRIPTING_WHITELIST_FILE: \"/usr/share/smardigo/custom-whitelist\"",
 ]

+process_search_labels: []
+
+process_search_environment: [
+  "TZ: \"{{ connect_time_zone | default('Europe/Berlin') }}\"",
+  "KNATIVE_BROKER_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+
+  "IAM_URL: \"{{ smardigo_iam_client_server_url | default('') }}\"",
+  "IAM_API_KEY_VALUE: \"{{ iam_auth_token_value }}\"",
+  "IAM_LEGACY: \"true\"",
+  "IAM_LEGACY_USER_PERMISSION_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "IAM_LEGACY_USER_PERMISSION_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "RUNTIME_CONFIG_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "RUNTIME_CONFIG_LEGACY: \"true\"",
+  "RUNTIME_CONFIG_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "PROCESS_PERSISTENCE_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "PROCESS_PERSISTENCE_LEGACY: \"true\"",
+  "PROCESS_PERSISTENCE_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "PROCESS_ACCESS_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "PROCESS_ACCESS_LEGACY: \"true\"",
+  "PROCESS_ACCESS_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "PROCESS_RESUBMISSION_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "PROCESS_RESUBMISSION_LEGACY: \"true\"",
+  "PROCESS_RESUBMISSION_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "PROCESS_TWO_PERSON_RULE_URL: \"http://{{ connect_id }}:{{ service_port }}\"",
+  "PROCESS_TWO_PERSON_RULE_API_KEY_VALUE: \"{{ smardigo_auth_token_value }}\"",
+
+  "DATASOURCE_URL: \"{{ process_search_postgres_host }}:{{ service_port_postgres }}/{{ process_search_postgres_database }}?sslmode=require\"",
+  "DATASOURCE_USERNAME: \"{{ process_search_postgres_username }}\"",
+  "DATASOURCE_PASSWORD: \"{{ process_search_postgres_password }}\"",
+  "FLYWAY_ENABLED: \"true\"",
+
+  "OS_PROTOCOL: \"{{ connect_elastic_protocol | default('https') }}\"",
+  "OS_HOSTS: \"{{ connect_elastic_host | default('') }}:{{ service_port_elasticsearch }}\"",
+  "OS_USERNAME: \"{{ connect_elastic_username | default('') }}\"",
+  "OS_PASSWORD: \"{{ connect_elastic_password | default('') }}\"",
+  "OS_CERTS_URI: \"{{ connect_elastic_ca | default('') }}\"",
+  # "OS_LOG_LEVEL: \"DEBUG\""
+  "INDEX_PREFIX: \"{{ connect_elastic_prefix | replace('-','_') }}-{{ connect_elastic_search_index | default('search') }}\"",
+  "QUARKUS_PROFILE: \"elastic\"",
+  "QUARKUS_REBUILD: \"true\"",
+]
+
 connect_docker: {
  networks: [
    {
@ -145,12 +194,28 @@ connect_docker: {
      volumes: [
        '"./certs/ca/ca.crt:/usr/share/smardigo/ca.crt:ro"',
        '"./config/custom-whitelist:/usr/share/smardigo/custom-whitelist:ro"',
+        "./config/application-cloudevents.yml:/config/application-cloudevents.yml:ro"
      ],
      networks: [
        '"back-tier"',
        '"front-tier"',
      ],
      extra_hosts: "{{ connect_extra_hosts | default([]) }}",
+    },
+    {
+      active: "{{ connect_process_search_module == 'external_v2' }}",
+      name: "{{ process_search_id }}",
+      image_name: "{{ process_search_image_name }}",
+      image_version: "{{ process_search_version }}",
+      labels: "{{ process_search_labels + ( process_search_labels_additional | default([])) }}",
+      restart: "{{ process_search_service_restart | default('always') }}",
+      environment: "{{ process_search_environment + ( process_search_environment_additional | default([])) }}",
+      volumes: [
+        '"./certs/ca/ca.crt:/usr/share/smardigo/ca.crt:ro"',
+      ],
+      networks: [
+        '"back-tier"',
+      ],
    }
  ],
 }
--- a/roles/connect_postgres/defaults/main.yml
+++ b/roles/connect_postgres/defaults/main.yml
@ -3,4 +3,7 @@
 postgres_acls:
  - name: "{{ connect_postgres_database }}"
    password: "{{ connect_postgres_password }}"
-    trusted_cidr_entry: "{{ shared_service_network }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
+  - name: "{{ process_search_postgres_database }}"
+    password: "{{ process_search_postgres_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
--- a/templates/_docker/docker-compose.yml.j2
+++ b/templates/_docker/docker-compose.yml.j2
@ -38,6 +38,10 @@ volumes:
 {# ################################################## services #}
 services:
 {% for service in current_docker.services %}
+{% if
+  service.active is not defined
+  or service.active
+%}
  {{ service.name }}:
    image: "{{ service.image_name }}:{{ service.image_version }}"
    container_name: "{{ service.name }}"
@ -219,5 +223,6 @@ services:
 {% endfor %}
 {% endif %}
 {# ########################################### lines #}
+{% endif %}
 {% endfor %}
 {# ################################################## services #}
--- a/templates/connect/config/application-cloudevents.yml.j2
+++ b/templates/connect/config/application-cloudevents.yml.j2
@ -0,0 +1,25 @@
+smardigo:
+  cloudevents:
+    event-distributor:
+      rest:
+        connect-timeout: PT1S
+        read-timeout: PT30S
+      consumers:
+      - type: process-created
+        urls:
+        - "http://{{ process_search_id }}:8080/process-created"
+      - type: process-data-updated
+        urls:
+        - "http://{{ process_search_id }}:8080/process-data-updated"
+      - type: process-deleted
+        urls:
+        - "http://{{ process_search_id }}:8080/process-deleted"
+      - type: delete-scope
+        urls:
+        - "http://{{ process_search_id }}:8080/delete-scope"
+      - type: activate-config
+        urls:
+        - "http://{{ process_search_id }}:8080/activate-config"
+      - type: index-rebuild
+        urls:
+        - "http://{{ process_search_id }}:8080/index-rebuild"