DEV-628 pmci: added spk bz prod configuration as host_vars file

3 years ago · d912762383
parent 4e191e4e02
commit d912762383
14 changed files with 148 additions and 47 deletions
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@ -1,4 +1,8 @@
 keycloak_https_whitelisted_ips:
  - 195.200.47.243/32 # DEV-230 - sparda berlin
  - 195.200.47.244/32 # DEV-230 - sparda berlin
-  - 92.42.192.157/32 # MOB-28 - mobene
+  - 92.42.192.157/32 # MOB-28 - mobene
+  - 195.140.123.0/24 # DEV-628 - spk bautzen
+  - 195.140.44.0/24 # DEV-628 - spk bautzen
+  - 62.181.145.0/24 # DEV-628 - spk bautzen
+  - 62.181.146.0/24 # DEV-628 - spk bautzen
--- a/host_vars/ext-bdev-mpmexec-02/plain.yml
+++ b/host_vars/ext-bdev-mpmexec-02/plain.yml
@ -4,8 +4,8 @@ hetzner_server_labels: "stage={{ stage }} service=connect_simple tenant={{ tenan

 hetzner_server_type: 'cpx31'

-connect_external_domain: "ext-bdev-mpmexec-connect"
-keycloak_external_domain: "ext-bdev-mpmexec-keycloak"
+connect_external_subdomain: "ext-bdev-mpmexec-connect"
+keycloak_external_subdomain: "ext-bdev-mpmexec-keycloak"

 traefik_dns_01_challenge: false

--- a/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
@ -0,0 +1,50 @@
+---
+
+dns: hetzner
+domain: "kfzbrief-bautzen.de"
+domain_env: "smardigo.digital"
+traefik_letsencrypt_provider: "hetzner"
+
+# hetzner mail server
+connect_mail_protocol: "smtp"
+connect_mail_host: "mail.your-server.de"
+connect_mail_port: "587"
+connect_mail_user: "{{ connect_mail_user_vault }}"
+connect_mail_password: "{{ connect_mail_password_vault }}"
+connect_mail_properties_simulation: false
+connect_mail_properties_base_url: "https://smardigo.kfzbrief-bautzen.de"
+connect_mail_properties_base_url_extern: "https://smardigo.kfzbrief-bautzen.de"
+connect_mail_properties_sender: "{{ connect_mail_user_vault }}"
+connect_mail_properties_sender_alias: "noreply-smardigo"
+connect_mail_properties_smtp_auth: true
+connect_mail_properties_smtp_starttls_enable: true
+connect_mail_properties_smtp_starttls_required: true
+
+# smardigo.fzbrief-bautzen.de
+connect_external_subdomain: "smardigo"
+connect_labels_additional: [
+  '"traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"',
+  '"traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"',
+  '"traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"',
+  '"traefik.http.routers.{{ connect_id }}-extern.tls=true"',
+  '"traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port={{ service_port }}"',
+]
+
+server_hcloud_firewall_objects:
+   -
+     name: "customer-access-to-{{ inventory_hostname }}"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ additional_ip_adresses_vault }}"
+        destination_ips: []
+        description: customer specific access to https services
+     apply_to:
+     -
+       type: server
+       server:
+         id: '{{ stage_server_id }}'
--- a/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623661396231316264336334366662616361383165643162333435636164376537633634353831
+6330346162656138303539323433353034376635363731640a666263336165643661633039343131
+32376432373666363639336465363835636139663963666433623266663965623063636236393135
+6163313838323639300a643236656466613463633332383033376466373362306239333034343633
+31386235326366306238373664633338303233336134333537373930663333383536343465373161
+38336666343765356463383934373939306338376465623266323735643535363339383733396364
+66373937663432663765326437376465326566303863333033643833663734613061333066663134
+30306563376536646538616361653630646463316334373634336435613537663238666235323766
+33333538326639353366363736393735306238383466653834636531623233613639393732613466
+39333266396531326166346566353533613536646637613131663462663934623363663363653163
+61336139653036373566616335396565353537366263396236306261363439623236316430633532
+37663137313437326534646230613561343435343266666665383561666365323863316464393839
+34303665623265383064313965643630613938656538363162656139613365616633346666353761
+63363864666163633661616664623937616366383138333763636135356334346337323132656538
+36316565383935363136666437393133393063636230366237303030386665373133306665623933
+62326562333931373764
--- a/inventory_plugins/netgo-hcloud.py
+++ b/inventory_plugins/netgo-hcloud.py
@ -212,7 +212,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
                        if networkId == privateNet["network"]:
                            serverPrivateIp = privateNet["ip"]

-            display.display("server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")
+            display.display("id: <" + str(serverId) + ">, server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")

            self.inventory.add_group(group=serverService)
            self.inventory.add_group(group="stage_" + serverStage)
@ -227,6 +227,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
            if serverService == "kube_control_plane" or serverService == "kube_node":
                self.inventory.add_host(serverName, group="k8s_cluster")

+            self.inventory.set_variable(serverName, 'stage_server_id', serverId)
            self.inventory.set_variable(serverName, 'stage_server_ip', serverPublicIp)
            self.inventory.set_variable(serverName, 'ansible_ssh_host', serverPublicIp)
            self.inventory.set_variable(serverName, 'stage_private_server_ip', serverPrivateIp)
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -4,6 +4,26 @@
 ###   update_certs
 ###   update_deployment

+
+- name: "Setup hcloud firewalls for <{{ inventory_hostname }}>"
+  include_role:
+    name: hcloud
+    tasks_from: configure-firewall2
+  loop: "{{ server_hcloud_firewall_objects }}"
+  loop_control:
+    loop_var: firewall_object
+  when:
+    - server_hcloud_firewall_objects is defined
+
+- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
+  include_role:
+    name: dns
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ connect_external_subdomain }}"
+  when:
+    - connect_external_subdomain is defined
+
 - name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
--- a/roles/connect_compact/defaults/main.yml
+++ b/roles/connect_compact/defaults/main.yml
@ -32,12 +32,12 @@ current_realm_clients: [
    root_url: '',
    redirect_uris: [
      "{{ http_s }}://{{ connect_base_url }}/*",
-      "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*",
+      "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}/*",
    ],
    secret: '{{ connect_client_id }}',
    web_origins: [
        "{{ http_s }}://{{ connect_base_url }}",
-        "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}",
+        "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}",
    ]
  },{
    name: 'mpm',
--- a/roles/connect_compact/tasks/main.yml
+++ b/roles/connect_compact/tasks/main.yml
@ -7,13 +7,13 @@
    record_data: "{{ stage_server_ip }}"
    record_name: "{{ connect_id }}"

- name: "Setup DNS configuration for <{{ connect_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
  vars:
    record_data: "{{ stage_server_ip }}"
-    record_name: "{{ connect_external_domain }}"
-  when: connect_external_domain is defined
+    record_name: "{{ connect_external_subdomain }}"
+  when: connect_external_subdomain is defined

 - name: "Setup realm for {{ connect_id }}"
  include_role:
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@ -3,21 +3,27 @@
 connect_client_admin_password: "C0nnect-Admin!"
 connect_realm_admin_password: "C0nnect-Realm-Admin!"

+client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}"
+client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}"
+client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}"
+
 current_realm_clients: [
  {
-    name: '{{ connect_client_id }}',
+    name: "{{ connect_client_id }}",
    clientId: "{{ connect_client_id }}",
-    admin_url: '',
-    root_url: '',
-    redirect_uris: [
-      "{{ http_s }}://{{ connect_base_url }}/*",
-      "{{ http_s }}://{{ wordpress_base_url }}/*",
-    ],
+    admin_url: "",
+    root_url: "",
+    redirect_uris: "{{
+      [client_web_origin_connect + '/*'] +
+      ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) +
+      ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else [])
+    }}",
    secret: '{{ connect_client_id }}',
-    web_origins: [
-        "{{ http_s }}://{{ connect_base_url }}",
-        "{{ http_s }}://{{ wordpress_base_url }}",
-    ]
+    web_origins: "{{
+      [client_web_origin_connect] +
+      ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) +
+      ([client_web_origin_connect_external] if connect_external_subdomain is defined else [])
+    }}",
  }
 ]

--- a/roles/keycloak_compact/tasks/main.yml
+++ b/roles/keycloak_compact/tasks/main.yml
@ -10,13 +10,13 @@
    record_data: "{{ stage_server_ip }}"
    record_name: "{{ keycloak_id }}"

- name: "Setup DNS configuration for <{{ keycloak_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ keycloak_external_subdomain }}> to <{{ stage_server_ip }}>"
  include_role:
    name: dns
  vars:
    record_data: "{{ stage_server_ip }}"
-    record_name: "{{ keycloak_external_domain }}"
-  when: keycloak_external_domain is defined
+    record_name: "{{ keycloak_external_subdomain }}"
+  when: keycloak_external_subdomain is defined

 - name: "Check if {{ keycloak_id }}/docker-compose.yml exists"
  stat:
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
@ -103,7 +103,7 @@
        {% if server.labels.manual is not defined %}\
          {% for private_net in server.private_net %}\
            {% if private_net.network == stage_private_network_id|int %}\
-              {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name}) }}\
+              {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name, 'id': server.id}) }}\
            {% endif %}\
          {% endfor %}\
        {% endif %}\
@ -122,33 +122,36 @@
  when:
    - debug

- name: "Reading private ip address for {{ inventory_hostname }}"
+- name: "Reading server id for {{ inventory_hostname }}"
  set_fact:
-    stage_private_server_ip: "{% for server in hetzner_servers %}\
-      {% if server.name == inventory_hostname %}\
-        {% for private_net in server.private_net %}\
-          {% if private_net.network == stage_private_network_id|int %}\
-            {{ private_net.ip }}\
-          {% endif %}\
-          {% endfor %}\
-        {% endif %}\
-      {% endfor %}"
+    stage_server_id: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
+  vars:
+    querystr: "[?name=='{{ inventory_hostname }}'].id"
  delegate_to: 127.0.0.1
  tags:
    - always

 - name: "Reading public ip address for {{ inventory_hostname }}"
  set_fact:
-    stage_server_ip: "{{ hetzner_servers | json_query(querystr) | first | default('') }}"
+    stage_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
+  vars:
+    querystr: "[?name=='{{ inventory_hostname }}'].public_ip"
+  delegate_to: 127.0.0.1
+  tags:
+    - always
+
+- name: "Reading private ip address for {{ inventory_hostname }}"
+  set_fact:
+    stage_private_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
  vars:
-    querystr: "[?name=='{{ inventory_hostname }}'].public_net.ipv4.ip"
+    querystr: "[?name=='{{ inventory_hostname }}'].private_ip"
  delegate_to: 127.0.0.1
  tags:
    - always

 - name: "Printing ip addresses for {{ inventory_hostname }}"
  debug:
-    msg: "{{ stage_server_ip }} / {{ stage_private_server_ip }}"
+    msg: "{{ stage_server_id }} / {{ stage_server_ip }} / {{ stage_private_server_ip }}"
  delegate_to: 127.0.0.1
  tags:
    - always
--- a/templates/connect-compact/config/application-linked-applications.yml.j2
+++ b/templates/connect-compact/config/application-linked-applications.yml.j2
@ -2,10 +2,10 @@ smardigo:
  linked-applications:
    -
      name: Password Change
-      url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
+      url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
    -
      name: User Management
-      url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
+      url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
    - 
      name: MPM Process Mining
      url: https://mehrwerk-demo.eu.qlikcloud.com
--- a/templates/connect-compact/docker-compose.yml.j2
+++ b/templates/connect-compact/docker-compose.yml.j2
@ -24,10 +24,10 @@ services:
      - "traefik.http.routers.{{ connect_id }}.tls.certresolver=letsencrypt-http"
      - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080"
 {% if
-  connect_external_domain is defined
+  connect_external_subdomain is defined
 %}
      - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"
-      - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_domain }}.{{ domain }}`)"
+      - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"
      - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"
      - "traefik.http.routers.{{ connect_id }}-extern.tls=true"
      - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt-http"
@ -62,9 +62,9 @@ services:
      OIDC_CLIENT_ID: "{{ connect_id }}"
      OIDC_CLIENT_SECRET: "{{ connect_id }}"
      OIDC_REGISTRATION_ID: "{{ connect_id }}"
-      OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
-      PASSWORD_CHANGE_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
-      USER_MANAGEMENT_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
+      OIDC_ISSUER_URI: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
+      PASSWORD_CHANGE_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
+      USER_MANAGEMENT_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"

      IAM_MODULE: "external"
      IAM_CLIENT_ENABLED: "true"
@ -141,7 +141,7 @@ services:
    restart: always
    environment:
      SERVER_ERROR_INCLUDE_MESSAGE: "always"
-      IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth"
+      IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth"
      IAM_KEYCLOAK_ADMIN_USER: "{{ keycloak_admin_username }}"
      IAM_KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
      IAM_JWT_CONFIG_READ_TIMEOUT: 3000
--- a/templates/keycloak-compact/docker-compose.yml.j2
+++ b/templates/keycloak-compact/docker-compose.yml.j2
@ -23,10 +23,10 @@ services:
      - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt-http"
      - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
 {% if
-  keycloak_external_domain is defined
+  keycloak_external_subdomain is defined
 %}
      - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
-      - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_domain }}.smardigo.digital`)"
+      - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_subdomain }}.smardigo.digital`)"
      - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
      - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
      - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver=letsencrypt-http"