From b9e48a3260ae528a2c3903867f653d1825d5e3d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20H=C3=A4hnel?= Date: Fri, 7 Oct 2022 16:24:09 +0000 Subject: [PATCH] DEV-601 added playbook for bdev demo setup --- group_vars/all/versions.yml | 2 +- group_vars/stage_ext/plain.yml | 7 +- group_vars/stage_ext/vault.yml | 61 +++++---- host_vars/ext-bdev-demo01-01.yml | 4 +- host_vars/ext-bdev-mpmexec-01.yml | 4 +- host_vars/ext-bdev-mpmexec-02.yml | 10 ++ roles/ansible-role-docker/tasks/main.yml | 2 +- roles/connect/tasks/main.yml | 2 - roles/connect_compact/defaults/main.yml | 19 +++ roles/connect_compact/tasks/main.yml | 46 +++++++ roles/hcloud/defaults/main.yml | 4 + roles/hcloud/tasks/main.yml | 9 +- roles/keycloak/tasks/_authenticate.yml | 2 - roles/keycloak/tasks/_configure_realm.yml | 2 +- roles/keycloak/tasks/main.yml | 2 +- roles/keycloak_compact/defaults/main.yml | 31 +++++ roles/keycloak_compact/tasks/main.yml | 87 ++++++++++++ roles/traefik/defaults/main.yml | 1 + roles/traefik/vars/main.yml | 2 +- smardigo.yml | 6 + stage-ext | 9 ++ .../config/elasticsearch/elasticsearch.yml.j2 | 10 ++ .../connect-compact/docker-compose.yml.j2 | 125 ++++++++++++++++++ .../keycloak-compact/docker-compose.yml.j2 | 60 +++++++++ 24 files changed, 460 insertions(+), 47 deletions(-) create mode 100644 host_vars/ext-bdev-mpmexec-02.yml create mode 100644 roles/connect_compact/defaults/main.yml create mode 100644 roles/connect_compact/tasks/main.yml create mode 100644 roles/keycloak_compact/defaults/main.yml create mode 100644 roles/keycloak_compact/tasks/main.yml create mode 100644 templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 create mode 100644 templates/connect-compact/docker-compose.yml.j2 create mode 100644 templates/keycloak-compact/docker-compose.yml.j2 diff --git a/group_vars/all/versions.yml b/group_vars/all/versions.yml index 5fbbea5..95aa0bd 100644 --- a/group_vars/all/versions.yml +++ b/group_vars/all/versions.yml 
@@ -13,7 +13,7 @@ prom_grafana_version: "9.1.5" harbor_version: "v2.4.1" -keycloak_version: "14.0.0.1" +keycloak_version: "14.0.0.2" pgadmin4_version: "6.14" diff --git a/group_vars/stage_ext/plain.yml b/group_vars/stage_ext/plain.yml index 86b8fd0..7469896 100644 --- a/group_vars/stage_ext/plain.yml +++ b/group_vars/stage_ext/plain.yml @@ -1,6 +1,8 @@ --- stage: "ext" +tenant: 'bdev' +hetzner_networks: [] docker_enabled: true docker_config_enabled: false @@ -8,9 +10,6 @@ traefik_enabled: true filebeat_enabled: false node_exporter_enabled: false -# TODO read configuration with hetzner rest api -shared_service_network: "10.2.0.0/16" - shared_service_hosts: [] # Note: all dollar signs in the hash need to be doubled for escaping. @@ -18,3 +17,5 @@ shared_service_hosts: [] # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g traefik_admin_username: "{{ traefik_admin_username_vault }}" traefik_admin_password_htpasswd: "{{ traefik_admin_password_htpasswd_vault }}" + +shared_service_harbor_hostname: "prodnso-harbor-01.smardigo.digital" diff --git a/group_vars/stage_ext/vault.yml b/group_vars/stage_ext/vault.yml index 72fa94b..7489e07 100644 --- a/group_vars/stage_ext/vault.yml +++ b/group_vars/stage_ext/vault.yml @@ -1,25 +1,38 @@ $ANSIBLE_VAULT;1.1;AES256 -32326337373064373735346334386264393032616133313664643030323966616365646138346230 -6265326531666132626636363932643331626565373636310a383435366438326462613137633466 -38626531326637306233346666343836366665343539386362613730613639396136666465313332 -3932396633323266640a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a373062623534626365343035383837 +36663935633235646665373231353664666130323565633136383463333164326634366338353032 +6335343236613638660a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diff --git a/host_vars/ext-bdev-demo01-01.yml b/host_vars/ext-bdev-demo01-01.yml index ce4bd11..9b99593 100644 --- a/host_vars/ext-bdev-demo01-01.yml +++ b/host_vars/ext-bdev-demo01-01.yml 
@@ -1,5 +1,5 @@ --- -hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev" +hetzner_server_labels: "stage={{ stage }} service=connect tenant={{ tenant }}" -hetzner_server_type: cpx21 +hetzner_server_type: 'cpx21' diff --git a/host_vars/ext-bdev-mpmexec-01.yml b/host_vars/ext-bdev-mpmexec-01.yml index ce4bd11..9b99593 100644 --- a/host_vars/ext-bdev-mpmexec-01.yml +++ b/host_vars/ext-bdev-mpmexec-01.yml @@ -1,5 +1,5 @@ --- -hetzner_server_labels: "stage={{ stage }} service=connect tenant=bdev" +hetzner_server_labels: "stage={{ stage }} service=connect tenant={{ tenant }}" -hetzner_server_type: cpx21 +hetzner_server_type: 'cpx21' diff --git a/host_vars/ext-bdev-mpmexec-02.yml b/host_vars/ext-bdev-mpmexec-02.yml new file mode 100644 index 0000000..6b61cfe --- /dev/null +++ b/host_vars/ext-bdev-mpmexec-02.yml @@ -0,0 +1,10 @@ +--- + +hetzner_server_labels: "stage={{ stage }} service=connect_simple tenant={{ tenant }}" + +hetzner_server_type: 'cpx31' + +connect_external_domain: "ext-bdev-mpmexec-connect" +keycloak_external_domain: "ext-bdev-mpmexec-keycloak" + +traefik_dns_01_challenge: false diff --git a/roles/ansible-role-docker/tasks/main.yml b/roles/ansible-role-docker/tasks/main.yml index dfcb38c..9091812 100644 --- a/roles/ansible-role-docker/tasks/main.yml +++ b/roles/ansible-role-docker/tasks/main.yml @@ -2,7 +2,7 @@ - name: "Install docker via include_role" include_role: - name: geerlingguy.docker + name: geerlingguy.docker - name: "Create crontab entry to remove unused docker objects" ansible.builtin.cron: diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml index c5edd2d..b1be845 100644 --- a/roles/connect/tasks/main.yml +++ b/roles/connect/tasks/main.yml @@ -3,8 +3,6 @@ ### tags: ### update_certs ### update_deployment -### update_connections -### update_configuration - name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" include_role: 
diff --git a/roles/connect_compact/defaults/main.yml b/roles/connect_compact/defaults/main.yml new file mode 100644 index 0000000..100c451 --- /dev/null +++ b/roles/connect_compact/defaults/main.yml @@ -0,0 +1,19 @@ +--- + +connect_id: "{{ inventory_hostname }}-connect" +connect_admin_username: "connect-admin" +connect_admin_password: "{{ connect_admin_password_vault }}" +connect_postgres_username: "connect-postgres-username" +connect_postgres_password: "{{ connect_postgres_password_vault }}" +connect_image_name: "{{ shared_service_harbor_hostname }}/smardigo/connect-whitelabel-app" + +keycloak_id: "{{ inventory_hostname }}-keycloak" +keycloak_admin_username: "keycloak-admin" +keycloak_admin_password: "{{ keycloak_admin_password_vault }}" +keycloak_postgres_username: "keycloak_postgres" +keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" +keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak" + +elasticsearch_id: "{{ inventory_hostname }}-elastic" +elasticsearch_username: "elastic" +elasticsearch_password: "{{ elasticsearch_password_vault }}" diff --git a/roles/connect_compact/tasks/main.yml b/roles/connect_compact/tasks/main.yml new file mode 100644 index 0000000..19b07bf --- /dev/null +++ b/roles/connect_compact/tasks/main.yml 
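Review bot: The `keycloak_id` … `keycloak_image_name` block in roles/connect_compact/defaults/main.yml duplicates roles/keycloak_compact/defaults/main.yml verbatim, and nothing in the connect-compact templates of this commit reads those variables (the compose template only uses `keycloak_external_domain`); two copies of the same defaults will drift silently. Either drop the block from this role or mark why it is here, e.g. `# keycloak_* mirrored from roles/keycloak_compact/defaults — keep in sync`. Separately, `elasticsearch_username: "elastic"` hands the application the built-in superuser account; if the image supports it, a dedicated user with index-scoped privileges would limit what a compromised app container can do — a hardening follow-up rather than a blocker.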
@@ -0,0 +1,46 @@ +--- + +- name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>" + include_role: + name: sma_digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ connect_id }}" + +- name: "Setup DNS configuration for <{{ connect_external_domain }}> to <{{ stage_server_ip }}>" + include_role: + name: sma_digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ connect_external_domain }}" + when: connect_external_domain is defined + +- name: "Check if {{ connect_id }}/docker-compose.yml exists" + stat: + path: '{{ service_base_path }}/{{ connect_id }}/docker-compose.yml' + register: check_docker_compose_file_connect + +- name: "Stop {{ connect_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + state: absent + when: check_docker_compose_file_connect.stat.exists + +- name: "Deploy docker templates for {{ connect_id }}" + include_role: + name: sma_deploy + tasks_from: templates + vars: + current_config: "connect-compact" + current_base_path: "{{ service_base_path }}" + current_destination: "{{ connect_id }}" + current_owner: "{{ docker_owner }}" + current_group: "{{ docker_group }}" + +- name: "Restart {{ connect_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ connect_id }}' + restarted: yes + build: no diff --git a/roles/hcloud/defaults/main.yml b/roles/hcloud/defaults/main.yml index e850c1b..0b5ce03 100644 --- a/roles/hcloud/defaults/main.yml +++ b/roles/hcloud/defaults/main.yml @@ -3,3 +3,7 @@ server_state: "present" max_retries: 15 retry_delay: 60 + +hetzner_networks: + - name: "{{ stage }}" + label_selector: "stage={{ stage }}" diff --git a/roles/hcloud/tasks/main.yml b/roles/hcloud/tasks/main.yml index bd880d4..6bd29de 100644 --- a/roles/hcloud/tasks/main.yml +++ b/roles/hcloud/tasks/main.yml 
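Review bot: `restarted: yes` and `build: no` in the last task of roles/connect_compact/tasks/main.yml are YAML 1.1 truthy values; the rest of this commit uses `true`/`false`, so write `restarted: true` and `build: false` (yamllint `truthy` flags the current form). The "Stop" task tears the whole project down with `state: absent` on every run before the templates are re-deployed; data appears to live on named volumes so it survives, but each playbook run takes the app, postgres and elasticsearch down — if that is intended, a short comment such as `# full stop/start on every run; persistent data lives in the named volumes` would make it explicit.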
@@ -63,18 +63,13 @@ # tags: # - update_networks -- name: "Checking present state for networks" +- name: "Checking present state for networks: {{ hetzner_networks }}" include_tasks: configure-network.yml vars: current_network_name: '{{ current_network.name }}' current_network_labels: 'stage={{ stage }}' current_server_label_selector: '{{ current_network.label_selector }}' - with_items: [ - { - "name": "{{ stage }}", - "label_selector": "stage={{ stage }}", - } - ] + loop: "{{ hetzner_networks }}" loop_control: loop_var: current_network tags: diff --git a/roles/keycloak/tasks/_authenticate.yml b/roles/keycloak/tasks/_authenticate.yml index ab677e5..94f2123 100644 --- a/roles/keycloak/tasks/_authenticate.yml +++ b/roles/keycloak/tasks/_authenticate.yml @@ -6,7 +6,6 @@ body_format: form-urlencoded body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password' register: keycloak_authentication - delegate_to: 127.0.0.1 become: false retries: 5 delay: 5 @@ -18,7 +17,6 @@ - name: "Printing access_token for keycloak server" debug: msg: "{{ access_token }}" - delegate_to: 127.0.0.1 become: false when: - debug \ No newline at end of file diff --git a/roles/keycloak/tasks/_configure_realm.yml b/roles/keycloak/tasks/_configure_realm.yml index ba2aafe..a3304d5 100644 --- a/roles/keycloak/tasks/_configure_realm.yml +++ b/roles/keycloak/tasks/_configure_realm.yml @@ -4,7 +4,7 @@ enabled: true id: "{{ current_realm_name }}" realm: "{{ current_realm_name }}" - display_name: "{{ current_realm_display_name }}" + display_name: "{{ current_realm_display_name | default(current_realm_name) }}" auth_realm: "master" auth_client_id: "admin-cli" auth_username: "{{ keycloak_admin_username }}" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 9201285..be06fc1 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
@@ -63,7 +63,7 @@ keycloak_server_url: "http://localhost:{{ service_port_keycloak_external }}" when: "'keycloak' in group_names" -- name: "Wait for " +- name: "Wait for " wait_for: host: "localhost" port: '{{ service_port_keycloak_external }}' diff --git a/roles/keycloak_compact/defaults/main.yml b/roles/keycloak_compact/defaults/main.yml new file mode 100644 index 0000000..98e4316 --- /dev/null +++ b/roles/keycloak_compact/defaults/main.yml @@ -0,0 +1,31 @@ +--- + +keycloak_id: "{{ inventory_hostname }}-keycloak" +keycloak_admin_username: "keycloak-admin" +keycloak_admin_password: "{{ keycloak_admin_password_vault }}" +keycloak_postgres_username: "keycloak_postgres" +keycloak_postgres_password: "{{ keycloak_postgres_password_vault }}" +keycloak_image_name: "{{ shared_service_harbor_hostname }}/smardigo/keycloak" + +shared_service_mail_hostname: "not_available" + +connect_client_id: connect +current_realm_name: connect + +current_realm_clients: [ + { + name: '{{ connect_client_id }}', + clientId: "{{ connect_client_id }}", + admin_url: '', + root_url: '', + redirect_uris: [ + "{{ http_s }}://{{ connect_base_url }}/*", + "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*" + ], + secret: '{{ connect_client_id }}', + web_origins: [ + "{{ http_s }}://{{ connect_base_url }}", + "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}" + ] + } +] diff --git a/roles/keycloak_compact/tasks/main.yml b/roles/keycloak_compact/tasks/main.yml new file mode 100644 index 0000000..902b3be --- /dev/null +++ b/roles/keycloak_compact/tasks/main.yml 
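Review bot: In roles/keycloak_compact/defaults/main.yml the client entry sets `secret: '{{ connect_client_id }}'`, so the OIDC client secret is the literal public client id "connect" (the connect compose template hard-codes the same value in `OIDC_CLIENT_SECRET`), while every other credential in this commit is drawn from a `*_vault` variable. Move it to a vault-backed variable on both sides, e.g. `secret: "{{ connect_client_secret_vault }}"` (placeholder name, to be chosen). Also note the redirect and web-origin URIs are built as `{{ connect_external_domain }}.{{ domain }}` whereas both compose templates append a hard-coded `.smardigo.digital`; if `domain` is ever anything else, the registered redirect URI will not match the host Connect actually answers on — worth reusing one variable in both places.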
@@ -0,0 +1,87 @@ +--- + +### tags: +### configure_realm + +- name: "Setup DNS configuration for <{{ keycloak_id }}> to <{{ stage_server_ip }}>" + include_role: + name: sma_digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ keycloak_id }}" + +- name: "Setup DNS configuration for <{{ keycloak_external_domain }}> to <{{ stage_server_ip }}>" + include_role: + name: sma_digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ keycloak_external_domain }}" + when: keycloak_external_domain is defined + +- name: "Check if {{ keycloak_id }}/docker-compose.yml exists" + stat: + path: '{{ service_base_path }}/{{ keycloak_id }}/docker-compose.yml' + register: check_docker_compose_file + +- name: "Stop {{ keycloak_id }}" + community.docker.docker_compose: + project_src: '{{ service_base_path }}/{{ keycloak_id }}' + state: absent + when: check_docker_compose_file.stat.exists + +- name: "Deploy docker templates for {{ keycloak_id }}" + include_role: + name: sma_deploy + tasks_from: templates + vars: + current_config: "keycloak-compact" + current_base_path: "{{ service_base_path }}" + current_destination: "{{ keycloak_id }}" + current_owner: "{{ docker_owner }}" + current_group: "{{ docker_group }}" + +# TODO DEV-XXX check why docker-compose up works and the comnuity role not... 
-> postgres/keycloak +- name: "Start {{ keycloak_id }}" # noqa command-instead-of-shell no-changed-when + shell: docker-compose up -d + args: + chdir: '{{ service_base_path }}/{{ keycloak_id }}' + +#- name: "Restart {{ keycloak_id }}" +# community.docker.docker_compose: +# project_src: '{{ service_base_path }}/{{ keycloak_id }}' +# restarted: yes +# build: no + +- name: "Setting local keycloak url" + set_fact: + keycloak_server_url: "http://localhost:{{ service_port_keycloak_external }}" + tags: + - configure_realm + +- name: "Wait for " + wait_for: + host: "localhost" + port: '{{ service_port_keycloak_external }}' + delay: 60 + +- name: "Setup realm for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _authenticate + apply: + tags: + - configure_realm + tags: + - configure_realm + +- name: "Setup realm for {{ inventory_hostname }}" + include_role: + name: keycloak + tasks_from: _configure_realm + apply: + tags: + - configure_realm + tags: + - configure_realm diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index 5c6e1ae..5de8182 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml @@ -1,3 +1,4 @@ --- traefik_image_name: "traefik" +traefik_dns_01_challenge: true diff --git a/roles/traefik/vars/main.yml b/roles/traefik/vars/main.yml index 9e302a3..162d311 100644 --- a/roles/traefik/vars/main.yml +++ b/roles/traefik/vars/main.yml @@ -15,7 +15,7 @@ traefik_docker: { image_name: "{{ traefik_image_name }}", image_version: "{{ traefik_version }}", environment: [ - 'DO_AUTH_TOKEN: "{{ digitalocean_authentication_token }}"', + 'DO_AUTH_TOKEN: "{% if traefik_dns_01_challenge %}{{ digitalocean_authentication_token }}{% else %}{% endif %}"', ], volumes: [ '"./acme.json:/acme.json"', diff --git a/smardigo.yml b/smardigo.yml index 45beb1a..773e622 100644 --- a/smardigo.yml +++ b/smardigo.yml 
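Review bot: Two tasks in roles/keycloak_compact/tasks/main.yml share the name "Setup realm for {{ inventory_hostname }}" although the first one only authenticates, and the `wait_for` task is named "Wait for " with nothing after it, so the play output cannot tell these steps apart; suggest `- name: "Authenticate against keycloak admin API for {{ inventory_hostname }}"` for the first include and `- name: "Wait for keycloak on localhost:{{ service_port_keycloak_external }}"` for the wait. The `shell: docker-compose up -d` task is tagged `noqa no-changed-when` and will report changed on every run; the TODO above it still reads `DEV-XXX`, so please put the real ticket id there or describe the failure seen with `community.docker.docker_compose` so the workaround can be removed later. The `wait_for` task is not tagged `configure_realm` while the `set_fact` before it is; that looks deliberate (server already up on a tag-only run) but a one-line comment saying so would help.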
@@ -75,6 +75,12 @@ - role: backup when: "'backup' in group_names" + - role: keycloak_compact + when: "'keycloak_compact' in group_names" + + - role: connect_compact + when: "'connect_compact' in group_names" + # just for certificate updates - do not run without -t update_certs # - role: connect # when: "'connect' in group_names" diff --git a/stage-ext b/stage-ext index b18be8c..0f30306 100644 --- a/stage-ext +++ b/stage-ext @@ -1,9 +1,18 @@ [bdev] ext-bdev-demo01-01 ext-bdev-mpmexec-01 +ext-bdev-mpmexec-02 + +[connect_compact] +ext-bdev-mpmexec-02 + +[keycloak_compact] +ext-bdev-mpmexec-02 [stage_ext:children] bdev +connect_compact +keycloak_compact [all:children] stage_ext diff --git a/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 b/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 new file mode 100644 index 0000000..4830c34 --- /dev/null +++ b/templates/connect-compact/config/elasticsearch/elasticsearch.yml.j2 @@ -0,0 +1,10 @@ +--- + +cluster.name: "{{ elasticsearch_id }}" +network.host: 0.0.0.0 + +discovery.type: single-node + +xpack.security.enabled: true +xpack.license.self_generated.type: basic +xpack.monitoring.collection.enabled: true diff --git a/templates/connect-compact/docker-compose.yml.j2 b/templates/connect-compact/docker-compose.yml.j2 new file mode 100644 index 0000000..aa3f3da --- /dev/null +++ b/templates/connect-compact/docker-compose.yml.j2 
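Review bot: In smardigo.yml the `keycloak_compact` role is listed before `connect_compact`, and from the connect-compact compose template that order looks load-bearing (Connect's `OIDC_ISSUER_URI` points at the Keycloak host and the realm is created by the keycloak_compact role). Nothing in the play states that dependency, so a comment above the pair would protect it from a later reorder, e.g. `# keycloak_compact must run before connect_compact: connect authenticates against the realm it creates`.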
@@ -0,0 +1,125 @@ +version: '3.7' + +networks: + back-tier: + external: True + front-tier: + external: True + +volumes: + {{ connect_id }}-postgres-data: {} + {{ elasticsearch_id }}-data: {} + +services: + {{ connect_id }}: + image: "{{ connect_image_name }}:{{ connect_version }}" + container_name: "{{ connect_id }}" + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.{{ connect_id }}.service={{ connect_id }}" + - "traefik.http.routers.{{ connect_id }}.rule=Host(`{{ connect_id }}.smardigo.digital`)" + - "traefik.http.routers.{{ connect_id }}.entrypoints=websecure" + - "traefik.http.routers.{{ connect_id }}.tls=true" + - "traefik.http.routers.{{ connect_id }}.tls.certresolver=letsencrypt-http" + - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080" +{% if + connect_external_domain is defined +%} + - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern" + - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_domain }}.smardigo.digital`)" + - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure" + - "traefik.http.routers.{{ connect_id }}-extern.tls=true" + - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt-http" + - "traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port=8080" +{% endif %} + environment: + TENANT_ID: "connect" + ADMIN_LOGIN: "{{ connect_admin_username }}" + ADMIN_PASSWORD: "{{ connect_admin_password }}" + + DATASOURCE_URL: "jdbc:postgresql://{{ connect_id }}-postgres:5432/connect-postgres" + DATASOURCE_USERNAME: "{{ connect_postgres_username }}" + DATASOURCE_PASSWORD: "{{ connect_postgres_password }}" + + MAIL_PROTOCOL: "smtp" + MAIL_HOST: "smtp.web.de" + MAIL_PORT: "587" + MAIL_USER: "smardigo.email@web.de" + MAIL_PASSWORD: "MUqzILYtspSYGmw0k34F" + MAIL_PROPERTIES_SIMULATION: "false" + MAIL_PROPERTIES_BASE_URL: "https://{{ connect_id }}.smardigo.digital" + MAIL_PROPERTIES_BASE_URL_EXTERN: 
"https://{{ connect_id }}.smardigo.digital" + MAIL_PROPERTIES_SENDER: "smardigo.email@web.de" + MAIL_PROPERTIES_SENDER_ALIAS: "noreply-connect" + MAIL_PROPERTIES_SMTP_AUTH: "true" + MAIL_PROPERTIES_SMTP_STARTTLS_ENABLE: "true" + MAIL_PROPERTIES_SMTP_STARTTLS_REQUIRED: "true" + + AUTH_MODULE: "oidc" + OIDC_CLIENT_ID: "connect" + OIDC_CLIENT_SECRET: "connect" + OIDC_REGISTRATION_ID: "connect" + OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.smardigo.digital/auth/realms/connect" + PASSWORD_CHANGE_URL: "" + USER_MANAGEMENT_URL: "" + + IAM_MODULE: "embedded" + IAM_CLIENT_ENABLED: "false" + + PROCESS_SEARCH_MODULE: "embedded" + ELASTIC_HOST: "{{ elasticsearch_id }}" + ELASTIC_PREFIX: "{{ connect_id }}" + ELASTIC_USERNAME: "{{ elasticsearch_username }}" + ELASTIC_PASSWORD: "{{ elasticsearch_password }}" + ELASTIC_SEARCH_INDEX: "search" + ELASTIC_MESSAGE_INDEX: "message" + ELASTIC_ANALYSIS_INDEX: "analysis" + + SPRINGDOC_SERVER_URL: "https://{{ connect_id }}.smardigo.digital" + SMA_CORS_ORIGINS: "https://{{ connect_id }}.smardigo.digital" + SMA_CORS_ALLOWED_METHODS: "*" + SMA_CORS_ALLOWED_HEADERS: "*" + SMA_CORS_PATH_PATTERN: "/**" + + RESUBMISSION_ENABLED: "true" + ELEMENT_TEMPLATE_ENABLED: "true" + CONFIG_DELETE_SCOPE_ENABLED: "true" + EXTERNAL_TASK_SCRIPT_WORKER_ENABLED: "false" + CONFIG_DELETE_SCOPE_ENABLED: "true" + CONFIG_LOCAL_IMPORT_ENABLED: "true" + SMA_WORKFLOW_HEATMAP_ENABLED: "true" + + LOG_LEVEL_CAMUNDA: "OFF" + LOG_LEVEL_JASYPT: "ERROR" + LOG_LEVEL_MESSAGE_QUEUE: "INFO" + LOG_LEVEL_DOCUMENT_INDEX: "INFO" + LOG_LEVEL_WORKFLOW_INDEX: "INFO" + LOG_LEVEL_WORKFLOW_ANALYSIS: "INFO" + networks: + - "back-tier" + - "front-tier" + {{ connect_id }}-postgres: + image: "postgres:12" + container_name: "{{ connect_id }}-postgres" + restart: always + environment: + POSTGRES_DB: "connect-postgres" + POSTGRES_USER: "{{ connect_postgres_username }}" + POSTGRES_PASSWORD: "{{ connect_postgres_password }}" + volumes: + - "{{ connect_id 
}}-postgres-data:/var/lib/postgresql/data" + networks: + - "back-tier" + {{ elasticsearch_id }}: + image: "docker.elastic.co/elasticsearch/elasticsearch:7.16.3" + container_name: "{{ elasticsearch_id }}" + restart: always + environment: + ES_JAVA_OPTS: "-Xmx2G -Xms2G" + ELASTIC_PASSWORD: "{{ elasticsearch_password }}" + volumes: + - "./config/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro" + - "{{ elasticsearch_id }}-data:/usr/share/elasticsearch/data" + networks: + - "back-tier" diff --git a/templates/keycloak-compact/docker-compose.yml.j2 b/templates/keycloak-compact/docker-compose.yml.j2 new file mode 100644 index 0000000..0db02b1 --- /dev/null +++ b/templates/keycloak-compact/docker-compose.yml.j2 
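Review bot: `MAIL_PASSWORD` in templates/connect-compact/docker-compose.yml.j2 is a literal SMTP credential (together with `MAIL_USER`) committed in clear text, while every other secret in this template is taken from a `*_vault` variable; move it to a vault-backed variable, e.g. `MAIL_PASSWORD: "{{ connect_mail_password_vault }}"` (placeholder name), and treat the committed value as exposed. `OIDC_CLIENT_SECRET: "connect"` is a static secret equal to the client id and should come from the same vault variable the Keycloak client definition uses. `CONFIG_DELETE_SCOPE_ENABLED: "true"` appears twice in the `environment` mapping — a duplicate key that most parsers resolve silently last-wins — so delete one. `MAIL_PROPERTIES_BASE_URL_EXTERN` is built from `connect_id` like the non-extern URL; given the `-extern` router above it is keyed on `connect_external_domain`, that looks like it should be `"https://{{ connect_external_domain }}.smardigo.digital"` — please confirm.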
@@ -0,0 +1,60 @@ +version: '3.7' + +networks: + back-tier: + external: True + front-tier: + external: True + +volumes: + {{ keycloak_id }}-postgres-data: {} + +services: + {{ keycloak_id }}: + image: "{{ keycloak_image_name }}:{{ keycloak_version }}" + container_name: "{{ keycloak_id }}" + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.{{ keycloak_id }}.service={{ keycloak_id }}" + - "traefik.http.routers.{{ keycloak_id }}.rule=Host(`{{ keycloak_id }}.smardigo.digital`)" + - "traefik.http.routers.{{ keycloak_id }}.entrypoints=websecure" + - "traefik.http.routers.{{ keycloak_id }}.tls=true" + - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt-http" + - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080" +{% if + keycloak_external_domain is defined +%} + - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern" + - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_domain }}.smardigo.digital`)" + - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure" + - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true" + - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver=letsencrypt-http" + - "traefik.http.services.{{ keycloak_id }}-extern.loadbalancer.server.port=8080" +{% endif %} + environment: + KEYCLOAK_USER: "{{ keycloak_admin_username }}" + KEYCLOAK_PASSWORD: "{{ keycloak_admin_password }}" + PROXY_ADDRESS_FORWARDING: "true" + DB_VENDOR: postgres + DB_DATABASE: "keycloak-postgres" + DB_USER: "{{ keycloak_postgres_username }}" + DB_PASSWORD: "{{ keycloak_postgres_password }}" + DB_ADDR: "{{ keycloak_id }}-postgres" + networks: + - "back-tier" + - "front-tier" + ports: + - "8110:8080" + {{ keycloak_id }}-postgres: + image: "postgres:12" + container_name: "{{ keycloak_id }}-postgres" + restart: always + environment: + POSTGRES_DB: "keycloak-postgres" + POSTGRES_USER: "{{ keycloak_postgres_username }}" + 
POSTGRES_PASSWORD: "{{ keycloak_postgres_password }}" + volumes: + - "{{ keycloak_id }}-postgres-data:/var/lib/postgresql/data" + networks: + - "back-tier"
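Review bot: `ports: - "8110:8080"` in templates/keycloak-compact/docker-compose.yml.j2 publishes Keycloak's plain-HTTP port on every host interface, but the role only reaches it via `http://localhost:{{ service_port_keycloak_external }}` and `wait_for host: "localhost"`; bind it to loopback so the unencrypted admin endpoint is not reachable from outside the host, `- "127.0.0.1:8110:8080"`. The host port is also hard-coded while the tasks use `service_port_keycloak_external`; using the variable here, `- "127.0.0.1:{{ service_port_keycloak_external }}:8080"`, keeps the two from diverging (if they did, the wait task would simply time out). The `external: True` values under `networks` are YAML 1.1 truthy spellings — `external: true` matches the rest of the commit.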