SMARCH-106: added stuff for multi tenant setup

- workflow-index-postgres - workflow-proxy-postgres - workflow-proxy-realm
4 years ago · aeabec152c
parent 0dcdc9a13c
commit aeabec152c
18 changed files with 130 additions and 8 deletions
--- a/create-database.yml
+++ b/create-database.yml
@ -51,7 +51,7 @@
        - "{{ item }}"
      changed_when: False
      with_items: "{{ cluster_services }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea']
+      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'workflow_index', 'workflow_proxy']
    - name: Add maria servers to hosts if necessary
      add_host:
@ -94,6 +94,12 @@
    - role: webdav-postgres
      when: "'webdav' in group_names"
    - role: workflow-index-postgres
      when: "'workflow_index' in group_names"
    - role: workflow-proxy-postgres
      when: "'workflow_proxy' in group_names"
    - role: connect-wordpress-maria
      when: "'connect_wordpress' in group_names"
--- a/create-realm.yml
+++ b/create-realm.yml
@ -72,6 +72,9 @@
    - role: gitea-realm
      when: '"gitea" in cluster_services'
    - role: workflow-proxy-realm
      when: '"workflow-proxy" in cluster_services'
 #############################################################
 # Sending smardigo management message to process
 #############################################################
@ -97,3 +100,7 @@
      retries: 5
      delay: 5
      delegate_to: 127.0.0.1
      when:
        - scope_id is defined
        - process_instance_id is defined
        - smardigo_management_action is defined
--- a/create-server.yml
+++ b/create-server.yml
@ -153,3 +153,7 @@
      retries: 5
      delay: 5
      delegate_to: 127.0.0.1
      when:
        - scope_id is defined
        - process_instance_id is defined
        - smardigo_management_action is defined
--- a/create-service.yml
+++ b/create-service.yml
@ -109,3 +109,7 @@
      retries: 5
      delay: 5
      delegate_to: 127.0.0.1
      when:
        - scope_id is defined
        - process_instance_id is defined
        - smardigo_management_action is defined
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -70,7 +70,7 @@ smardigo_plattform_users:
 ip_whitelist:
  - "212.121.131.106" # tolina
  - "149.233.6.129" # sShelter
-  - "87.141.83.195" # sven
+  - "87.150.38.134" # sven
  - "212.86.56.112" # peter
  - "{{ shared_service_network }}"
--- a/kubernetes.yml
+++ b/kubernetes.yml
@ -28,5 +28,4 @@
    - { role: kubernetes/container-storage-interface }
    - { role: kubernetes/cert-manager }
    - { role: kubernetes/ingress-controller }
-    - { role: kubernetes/apps, tags: prometheus }
+    - { role: kubernetes/apps }
    - { role: kubernetes/apps, tags: argo-cd }
--- a/roles/connect-realm/defaults/main.yml
+++ b/roles/connect-realm/defaults/main.yml
@ -18,7 +18,7 @@ current_realm_clients: [
        "{{ http_s }}://{{ connect_base_url }}/*",
        "{{ http_s }}://{{ wordpress_base_url }}/*",
      ]',
-    secret: '{{ cluster_name }}',
+    secret: '{{ connect_client_id }}',
    web_origins: '
      [
        "{{ http_s }}://{{ connect_base_url }}",
--- a/roles/kubernetes/apps/defaults/main.yml
+++ b/roles/kubernetes/apps/defaults/main.yml
@ -120,7 +120,7 @@ k8s_argocd_helm__release_values:
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
-        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      hosts:
--- a/roles/kubernetes/ingress-controller/defaults/main.yml
+++ b/roles/kubernetes/ingress-controller/defaults/main.yml
@ -7,11 +7,13 @@ k8s_ingress_helm__release_values:
  controller:
    replicaCount: 3
    config:
      use-forwarded-headers: "true"
      compute-full-forwarded-for: "true"
      use-proxy-protocol: "true"
      ssl-ciphers: "EECDH+AESGCM:EDH+AESGCM"
      ssl-protocols: "TLSv1.3"
      ssl-redirect: false
      use-forwarded-headers: "true"
      use-proxy-protocol: "true"
      whitelist-source-range: "{{ ip_whitelist | join(',') }}"
    service:
      externalTrafficPolicy: Local
      healthCheckNodePort: &healthchecknodeport 31066
--- a/roles/workflow-index-postgres/defaults/main.yml
+++ b/roles/workflow-index-postgres/defaults/main.yml
@ -0,0 +1,9 @@
 ---
 workflow_index_postgres_database: "{{ stage }}_{{ tenant_id }}_workflow_index"
 workflow_index_postgres_password: "workflow-index-postgres-admin"
 postgres_acls:
  - name: "{{ workflow_index_postgres_database }}"
    password: "{{ workflow_index_postgres_password }}"
    trusted_cidr_entry: "{{ shared_service_network }}"
--- a/roles/workflow-index-postgres/tasks/main.yml
+++ b/roles/workflow-index-postgres/tasks/main.yml
@ -0,0 +1,9 @@
 ---
 ### tags:
 ###     - remove-data
 - name: "Setup <workflow_index> postgres database on {{ inventory_hostname }}"
  include_role:
    name: postgres
    tasks_from: _postgres-acls
--- a/roles/workflow-proxy-postgres/defaults/main.yml
+++ b/roles/workflow-proxy-postgres/defaults/main.yml
@ -0,0 +1,9 @@
 ---
 workflow_proxy_postgres_database: "{{ stage }}_{{ tenant_id }}_workflow_proxy"
 workflow_proxy_postgres_password: "workflow-proxy-postgres-admin"
 postgres_acls:
  - name: "{{ workflow_proxy_postgres_database }}"
    password: "{{ workflow_proxy_postgres_password }}"
    trusted_cidr_entry: "{{ shared_service_network }}"
--- a/roles/workflow-proxy-postgres/tasks/main.yml
+++ b/roles/workflow-proxy-postgres/tasks/main.yml
@ -0,0 +1,9 @@
 ---
 ### tags:
 ###     - remove-data
 - name: "Setup <workflow_index> postgres database on {{ inventory_hostname }}"
  include_role:
    name: postgres
    tasks_from: _postgres-acls
--- a/roles/workflow-proxy-realm/defaults/main.yml
+++ b/roles/workflow-proxy-realm/defaults/main.yml
@ -0,0 +1,38 @@
 ---
 workflow_proxy_client_id: "{{ cluster_name }}"
 workflow_proxy_base_url: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}.{{ domain }}"
 current_realm_clients: [
  {
    name: '{{ workflow_proxy_client_id }}',
    clientId: "{{ workflow_proxy_client_id }}",
    admin_url: '',
    root_url: '',
    redirect_uris: '
      [
        "http://{{ workflow_proxy_base_url }}/*",
        "https://{{ workflow_proxy_base_url }}/*",
      ]',
    secret: '{{ workflow_proxy_client_id }}',
    web_origins: '
      [
        "http://{{ workflow_proxy_base_url }}/*",
        "https://{{ workflow_proxy_base_url }}/*",
      ]',
  }
 ]
 current_realm_users: [
  {
    "username": "{{ connect_client_admin_username }}",
    "password": "{{ connect_client_admin_password }}",
  }
 ]
 current_realm_admin_users: [
  {
    "username": "{{ connect_realm_admin_username }}",
    "password": "{{ connect_realm_admin_password }}",
  }
 ]
--- a/roles/workflow-proxy-realm/handlers/main.yml
+++ b/roles/workflow-proxy-realm/handlers/main.yml
@ -0,0 +1 @@
 ---
--- a/roles/workflow-proxy-realm/meta/main.yml
+++ b/roles/workflow-proxy-realm/meta/main.yml
@ -0,0 +1 @@
 ---
--- a/roles/workflow-proxy-realm/tasks/main.yml
+++ b/roles/workflow-proxy-realm/tasks/main.yml
@ -0,0 +1,23 @@
 ---
 ### tags:
 - name: "Setup realm for {{ inventory_hostname }}"
  include_role:
    name: keycloak
    tasks_from: _authenticate
 - name: "Setup realm for {{ inventory_hostname }}"
  include_role:
    name: keycloak
    tasks_from: _configure_realm
 - name: "Create realm users"
  include_role:
    name: keycloak
    tasks_from: _create_realm_users
 - name: "Create realm admin"
  include_role:
    name: keycloak
    tasks_from: _create_realm_admin
--- a/roles/workflow-proxy-realm/vars/main.yml
+++ b/roles/workflow-proxy-realm/vars/main.yml
@ -0,0 +1 @@
 ---