DEV-628 pmci: added spk bz prod configuration as host_vars file

3 years ago · d912762383
parent 4e191e4e02
commit d912762383
14 changed files with 148 additions and 47 deletions
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@ -2,3 +2,7 @@ keycloak_https_whitelisted_ips:
  - 195.200.47.243/32 # DEV-230 - sparda berlin
  - 195.200.47.244/32 # DEV-230 - sparda berlin
  - 92.42.192.157/32 # MOB-28 - mobene
  - 195.140.123.0/24 # DEV-628 - spk bautzen
  - 195.140.44.0/24 # DEV-628 - spk bautzen
  - 62.181.145.0/24 # DEV-628 - spk bautzen
  - 62.181.146.0/24 # DEV-628 - spk bautzen
--- a/host_vars/ext-bdev-mpmexec-02/plain.yml
+++ b/host_vars/ext-bdev-mpmexec-02/plain.yml
@ -4,8 +4,8 @@ hetzner_server_labels: "stage={{ stage }} service=connect_simple tenant={{ tenan
 hetzner_server_type: 'cpx31'
-connect_external_domain: "ext-bdev-mpmexec-connect"
+connect_external_subdomain: "ext-bdev-mpmexec-connect"
-keycloak_external_domain: "ext-bdev-mpmexec-keycloak"
+keycloak_external_subdomain: "ext-bdev-mpmexec-keycloak"
 traefik_dns_01_challenge: false
--- a/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
@ -0,0 +1,50 @@
 ---
 dns: hetzner
 domain: "kfzbrief-bautzen.de"
 domain_env: "smardigo.digital"
 traefik_letsencrypt_provider: "hetzner"
 # hetzner mail server
 connect_mail_protocol: "smtp"
 connect_mail_host: "mail.your-server.de"
 connect_mail_port: "587"
 connect_mail_user: "{{ connect_mail_user_vault }}"
 connect_mail_password: "{{ connect_mail_password_vault }}"
 connect_mail_properties_simulation: false
 connect_mail_properties_base_url: "https://smardigo.kfzbrief-bautzen.de"
 connect_mail_properties_base_url_extern: "https://smardigo.kfzbrief-bautzen.de"
 connect_mail_properties_sender: "{{ connect_mail_user_vault }}"
 connect_mail_properties_sender_alias: "noreply-smardigo"
 connect_mail_properties_smtp_auth: true
 connect_mail_properties_smtp_starttls_enable: true
 connect_mail_properties_smtp_starttls_required: true
 # smardigo.fzbrief-bautzen.de
 connect_external_subdomain: "smardigo"
 connect_labels_additional: [
  '"traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"',
  '"traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"',
  '"traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"',
  '"traefik.http.routers.{{ connect_id }}-extern.tls=true"',
  '"traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt"',
  '"traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port={{ service_port }}"',
 ]
 server_hcloud_firewall_objects:
   -
     name: "customer-access-to-{{ inventory_hostname }}"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ additional_ip_adresses_vault }}"
        destination_ips: []
        description: customer specific access to https services
     apply_to:
     -
       type: server
       server:
         id: '{{ stage_server_id }}'
--- a/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
@ -0,0 +1,17 @@
 $ANSIBLE_VAULT;1.1;AES256
 33623661396231316264336334366662616361383165643162333435636164376537633634353831
 6330346162656138303539323433353034376635363731640a666263336165643661633039343131
 32376432373666363639336465363835636139663963666433623266663965623063636236393135
 6163313838323639300a643236656466613463633332383033376466373362306239333034343633
 31386235326366306238373664633338303233336134333537373930663333383536343465373161
 38336666343765356463383934373939306338376465623266323735643535363339383733396364
 66373937663432663765326437376465326566303863333033643833663734613061333066663134
 30306563376536646538616361653630646463316334373634336435613537663238666235323766
 33333538326639353366363736393735306238383466653834636531623233613639393732613466
 39333266396531326166346566353533613536646637613131663462663934623363663363653163
 61336139653036373566616335396565353537366263396236306261363439623236316430633532
 37663137313437326534646230613561343435343266666665383561666365323863316464393839
 34303665623265383064313965643630613938656538363162656139613365616633346666353761
 63363864666163633661616664623937616366383138333763636135356334346337323132656538
 36316565383935363136666437393133393063636230366237303030386665373133306665623933
 62326562333931373764
--- a/inventory_plugins/netgo-hcloud.py
+++ b/inventory_plugins/netgo-hcloud.py
@ -212,7 +212,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
                        if networkId == privateNet["network"]:
                            serverPrivateIp = privateNet["ip"]
-            display.display("server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")
+            display.display("id: <" + str(serverId) + ">, server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")
            self.inventory.add_group(group=serverService)
            self.inventory.add_group(group="stage_" + serverStage)
@ -227,6 +227,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
            if serverService == "kube_control_plane" or serverService == "kube_node":
                self.inventory.add_host(serverName, group="k8s_cluster")
            self.inventory.set_variable(serverName, 'stage_server_id', serverId)
            self.inventory.set_variable(serverName, 'stage_server_ip', serverPublicIp)
            self.inventory.set_variable(serverName, 'ansible_ssh_host', serverPublicIp)
            self.inventory.set_variable(serverName, 'stage_private_server_ip', serverPrivateIp)
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -4,6 +4,26 @@
 ###   update_certs
 ###   update_deployment
 - name: "Setup hcloud firewalls for <{{ inventory_hostname }}>"
  include_role:
    name: hcloud
    tasks_from: configure-firewall2
  loop: "{{ server_hcloud_firewall_objects }}"
  loop_control:
    loop_var: firewall_object
  when:
    - server_hcloud_firewall_objects is defined
 - name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
  vars:
    record_data: "{{ stage_server_ip }}"
    record_name: "{{ connect_external_subdomain }}"
  when:
    - connect_external_subdomain is defined
 - name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
--- a/roles/connect_compact/defaults/main.yml
+++ b/roles/connect_compact/defaults/main.yml
@ -32,12 +32,12 @@ current_realm_clients: [
    root_url: '',
    redirect_uris: [
      "{{ http_s }}://{{ connect_base_url }}/*",
-      "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*",
+      "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}/*",
    ],
    secret: '{{ connect_client_id }}',
    web_origins: [
        "{{ http_s }}://{{ connect_base_url }}",
-        "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}",
+        "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}",
    ]
  },{
    name: 'mpm',
--- a/roles/connect_compact/tasks/main.yml
+++ b/roles/connect_compact/tasks/main.yml
@ -7,13 +7,13 @@
    record_data: "{{ stage_server_ip }}"
    record_name: "{{ connect_id }}"
- name: "Setup DNS configuration for <{{ connect_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
  vars:
    record_data: "{{ stage_server_ip }}"
-    record_name: "{{ connect_external_domain }}"
+    record_name: "{{ connect_external_subdomain }}"
-  when: connect_external_domain is defined
+  when: connect_external_subdomain is defined
 - name: "Setup realm for {{ connect_id }}"
  include_role:
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@ -3,21 +3,27 @@
 connect_client_admin_password: "C0nnect-Admin!"
 connect_realm_admin_password: "C0nnect-Realm-Admin!"
 client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}"
 client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}"
 client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}"
 current_realm_clients: [
  {
-    name: '{{ connect_client_id }}',
+    name: "{{ connect_client_id }}",
    clientId: "{{ connect_client_id }}",
-    admin_url: '',
+    admin_url: "",
-    root_url: '',
+    root_url: "",
-    redirect_uris: [
+    redirect_uris: "{{
-      "{{ http_s }}://{{ connect_base_url }}/*",
+      [client_web_origin_connect + '/*'] +
-      "{{ http_s }}://{{ wordpress_base_url }}/*",
+      ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) +
-    ],
+      ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else [])
    }}",
    secret: '{{ connect_client_id }}',
-    web_origins: [
+    web_origins: "{{
-        "{{ http_s }}://{{ connect_base_url }}",
+      [client_web_origin_connect] +
-        "{{ http_s }}://{{ wordpress_base_url }}",
+      ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) +
-    ]
+      ([client_web_origin_connect_external] if connect_external_subdomain is defined else [])
    }}",
  }
 ]
--- a/roles/keycloak_compact/tasks/main.yml
+++ b/roles/keycloak_compact/tasks/main.yml
@ -10,13 +10,13 @@
    record_data: "{{ stage_server_ip }}"
    record_name: "{{ keycloak_id }}"
- name: "Setup DNS configuration for <{{ keycloak_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ keycloak_external_subdomain }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
  vars:
    record_data: "{{ stage_server_ip }}"
-    record_name: "{{ keycloak_external_domain }}"
+    record_name: "{{ keycloak_external_subdomain }}"
-  when: keycloak_external_domain is defined
+  when: keycloak_external_subdomain is defined
 - name: "Check if {{ keycloak_id }}/docker-compose.yml exists"
  stat:
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
@ -103,7 +103,7 @@
        {% if server.labels.manual is not defined %}\
          {% for private_net in server.private_net %}\
            {% if private_net.network == stage_private_network_id|int %}\
-              {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name}) }}\
+              {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name, 'id': server.id}) }}\
            {% endif %}\
          {% endfor %}\
        {% endif %}\
@ -122,33 +122,36 @@
  when:
    - debug
- name: "Reading private ip address for {{ inventory_hostname }}"
+- name: "Reading server id for {{ inventory_hostname }}"
  set_fact:
-    stage_private_server_ip: "{% for server in hetzner_servers %}\
+    stage_server_id: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
-      {% if server.name == inventory_hostname %}\
+  vars:
-        {% for private_net in server.private_net %}\
+    querystr: "[?name=='{{ inventory_hostname }}'].id"
          {% if private_net.network == stage_private_network_id|int %}\
            {{ private_net.ip }}\
          {% endif %}\
          {% endfor %}\
        {% endif %}\
      {% endfor %}"
  delegate_to: 127.0.0.1
  tags:
    - always
 - name: "Reading public ip address for {{ inventory_hostname }}"
  set_fact:
-    stage_server_ip: "{{ hetzner_servers | json_query(querystr) | first | default('') }}"
+    stage_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
  vars:
    querystr: "[?name=='{{ inventory_hostname }}'].public_ip"
  delegate_to: 127.0.0.1
  tags:
    - always
 - name: "Reading private ip address for {{ inventory_hostname }}"
  set_fact:
    stage_private_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
  vars:
-    querystr: "[?name=='{{ inventory_hostname }}'].public_net.ipv4.ip"
+    querystr: "[?name=='{{ inventory_hostname }}'].private_ip"
  delegate_to: 127.0.0.1
  tags:
    - always
 - name: "Printing ip addresses for {{ inventory_hostname }}"
  debug:
-    msg: "{{ stage_server_ip }} / {{ stage_private_server_ip }}"
+    msg: "{{ stage_server_id }} / {{ stage_server_ip }} / {{ stage_private_server_ip }}"
  delegate_to: 127.0.0.1
  tags:
    - always
--- a/templates/connect-compact/config/application-linked-applications.yml.j2
+++ b/templates/connect-compact/config/application-linked-applications.yml.j2
@ -2,10 +2,10 @@ smardigo:
  linked-applications:
    -
      name: Password Change
-      url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
+      url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
    -
      name: User Management
-      url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
+      url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
    - 
      name: MPM Process Mining
      url: https://mehrwerk-demo.eu.qlikcloud.com
--- a/templates/connect-compact/docker-compose.yml.j2
+++ b/templates/connect-compact/docker-compose.yml.j2
@ -24,10 +24,10 @@ services:
      - "traefik.http.routers.{{ connect_id }}.tls.certresolver=letsencrypt-http"
      - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080"
 {% if
-  connect_external_domain is defined
+  connect_external_subdomain is defined
 %}
      - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"
-      - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_domain }}.{{ domain }}`)"
+      - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"
      - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"
      - "traefik.http.routers.{{ connect_id }}-extern.tls=true"
      - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt-http"
@ -62,9 +62,9 @@ services:
      OIDC_CLIENT_ID: "{{ connect_id }}"
      OIDC_CLIENT_SECRET: "{{ connect_id }}"
      OIDC_REGISTRATION_ID: "{{ connect_id }}"
-      OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
+      OIDC_ISSUER_URI: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
-      PASSWORD_CHANGE_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
+      PASSWORD_CHANGE_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
-      USER_MANAGEMENT_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
+      USER_MANAGEMENT_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
      IAM_MODULE: "external"
      IAM_CLIENT_ENABLED: "true"
@ -141,7 +141,7 @@ services:
    restart: always
    environment:
      SERVER_ERROR_INCLUDE_MESSAGE: "always"
-      IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth"
+      IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth"
      IAM_KEYCLOAK_ADMIN_USER: "{{ keycloak_admin_username }}"
      IAM_KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
      IAM_JWT_CONFIG_READ_TIMEOUT: 3000
--- a/templates/keycloak-compact/docker-compose.yml.j2
+++ b/templates/keycloak-compact/docker-compose.yml.j2
@ -23,10 +23,10 @@ services:
      - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt-http"
      - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
 {% if
-  keycloak_external_domain is defined
+  keycloak_external_subdomain is defined
 %}
      - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
-      - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_domain }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_subdomain }}.smardigo.digital`)"
      - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
      - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
      - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver=letsencrypt-http"