From ea45d111d98685410ecb490f34605f7aa3e25bcf Mon Sep 17 00:00:00 2001 From: Sven Ketelsen Date: Wed, 23 Jun 2021 00:33:49 +0200 Subject: [PATCH] SMARCH-46: smardigo self service portal (wip) --- docker/dregsy/config.yaml | 12 +- group_vars/all/plain.yml | 2 + group_vars/all/vault.yml | 112 +++++++----- host_vars/dev-elastic-stack-01.yml | 3 + host_vars/dev-elastic-stack-02.yml | 3 + host_vars/dev-elastic-stack-03.yml | 3 + host_vars/dev-keycloak-01.yml | 171 +++++------------- host_vars/dev-management-smardigo-01.yml | 17 ++ roles/common/configs/docker/config.json.j2 | 2 +- roles/common/tasks/main.yml | 1 + roles/connect/defaults/main.yml | 2 +- .../hcloud/templates/firewall-docker.json.j2 | 3 +- roles/keycloak/tasks/create_realm_groups.yml | 61 +++++++ roles/keycloak/tasks/main.yml | 13 ++ .../keycloak-realm-create-group.json.j2 | 3 + stage-dev | 1 + 16 files changed, 226 insertions(+), 183 deletions(-) create mode 100644 host_vars/dev-management-smardigo-01.yml create mode 100644 roles/keycloak/tasks/create_realm_groups.yml create mode 100644 roles/keycloak/templates/keycloak-realm-create-group.json.j2 diff --git a/docker/dregsy/config.yaml b/docker/dregsy/config.yaml index ff4868f..9983fa3 100644 --- a/docker/dregsy/config.yaml +++ b/docker/dregsy/config.yaml @@ -25,7 +25,7 @@ lister: # list of sync tasks tasks: - - name: connect-whitelabel-app # required + - name: smardigo # required # interval in seconds at which the task should be run; when omitted, # the task is only run once at start-up 
@@ -49,7 +49,7 @@ tasks: auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg== target: registry: dev-docker-registry-01.smardigo.digital - auth: eyJ1c2VybmFtZSI6ImRvY2tlci1hZG1pbiIsInBhc3N3b3JkIjoieVlUZFdjUTFLTVRlbGw4RU5UeURWOWRlZFFRZlVOOFIifQo= + auth: eyJ1c2VybmFtZSI6ImRvY2tlci1hZG1pbiIsInBhc3N3b3JkIjoieVlUZFdjUTFLTVRlbGw4RU5UeURWOWRlZFFRZlVOIn0K # 'mappings' is a list of 'from':'to' pairs that define mappings of image # paths in the source registry to paths in the destination; 'from' is @@ -64,3 +64,11 @@ tasks: to: smardigo/connect-whitelabel-app tags: - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$' + - from: smardigo/iam-app + to: smardigo/iam-app + tags: + - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$' + - from: smardigo/caddy + to: smardigo/caddy + tags: + - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$' diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml index 88c3dd9..0f9f626 100644 --- a/group_vars/all/plain.yml +++ b/group_vars/all/plain.yml @@ -107,6 +107,8 @@ hetzner_ssh_keys: #reverse_proxy_admin_password: "< see vault >" #mattermost_hook_smardigo: "< see vault >" +#teams_hook_smardigo: "< see vault >" + #hetzner_authentication_token: "< see vault >" #digitalocean_authentication_token: "< see vault >" diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 13ebaf9..7bf11be 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
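Review bot: The `auth:` literals on the `source:`/`target:` registries in this hunk are base64-encoded registry logins kept in clear in a tracked file; base64 is an encoding, not protection, and after this commit both the previous and the replaced value remain readable in git history. The repository already routes secrets through `group_vars/all/vault.yml` (re-encrypted in this same patch), so the values should be injected from vault variables when the dregsy config is rendered, e.g. `auth: "{{ dregsy_target_registry_auth }}"` (placeholder name); the same applies to the `auth` literal for `dev-docker-registry-01.smardigo.digital` in `roles/common/configs/docker/config.json.j2`, changed further down in this patch, which should reference the same vault variable instead of carrying a second copy. If `docker/dregsy/config.yaml` is not produced by a template, generate it at deploy time from the vault rather than committing it, and rotate the credentials that have already been pushed.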
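Review bot: Both new `tags:` filters copy the existing pattern `^(latest)|(([0-9]|[1-9][0-9]+)\.…)$`, in which `|` binds looser than the anchors: `^` applies only to the `latest` branch and `$` only to the version branch, so — assuming dregsy's `regex:` filter is an ordinary unanchored regexp search — a tag such as `latest-debug` or `backup-1.2.3` also matches and gets mirrored. Anchor the whole alternation once for the two mappings added here, `- 'regex: ^(latest|([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'`; the pre-existing `connect-whitelabel-app` mapping shown as context has the same shape and would benefit from the same fix.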
@@ -1,51 +1,63 @@ $ANSIBLE_VAULT;1.1;AES256 -34633465613364373734643738376434323433343232643832666466316130393530656561613535 -3831303063333037663562313465313238646638613538660a626463313530653536366133343664 -33393566366134323736626165306436363231346239643837363032393066636163346563626333 -6565626333343033370a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a393664666533356230303064356230 +61613238333837636362306233316464383839626336373438623861643764656433343338313162 +3461623661313838640a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diff --git a/host_vars/dev-elastic-stack-01.yml b/host_vars/dev-elastic-stack-01.yml index ff06f50..61e3733 100644 --- a/host_vars/dev-elastic-stack-01.yml +++ b/host_vars/dev-elastic-stack-01.yml @@ -6,4 +6,7 @@ hetzner_server_type: cx31 smardigo_plattform_users: - 'elastic' + - 'peter.heise' - 'sven.ketelsen' + - 'vanphuong.ma' + - 'daniel.dz' diff --git a/host_vars/dev-elastic-stack-02.yml b/host_vars/dev-elastic-stack-02.yml index ff06f50..61e3733 100644 --- a/host_vars/dev-elastic-stack-02.yml +++ b/host_vars/dev-elastic-stack-02.yml @@ -6,4 +6,7 @@ hetzner_server_type: cx31 smardigo_plattform_users: - 'elastic' + - 'peter.heise' - 'sven.ketelsen' + - 'vanphuong.ma' + - 'daniel.dz' diff --git a/host_vars/dev-elastic-stack-03.yml b/host_vars/dev-elastic-stack-03.yml index ff06f50..61e3733 100644 --- a/host_vars/dev-elastic-stack-03.yml +++ b/host_vars/dev-elastic-stack-03.yml @@ -6,4 +6,7 @@ hetzner_server_type: cx31 smardigo_plattform_users: - 'elastic' + - 'peter.heise' - 'sven.ketelsen' + - 'vanphuong.ma' + - 'daniel.dz' diff --git a/host_vars/dev-keycloak-01.yml b/host_vars/dev-keycloak-01.yml index 609fc63..0b4d49b 100644 --- a/host_vars/dev-keycloak-01.yml +++ b/host_vars/dev-keycloak-01.yml 
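Review bot: The `smardigo_plattform_users` additions are identical in `dev-elastic-stack-01.yml`, `-02.yml` and `-03.yml` (three hunks of this patch), so per-person access to the elastic hosts is now maintained in three copies; an off-boarding that touches only one file silently leaves the account on the other two. Move the shared list to the group level (a `group_vars/` file for the elastic-stack group) and keep only host-specific entries in `host_vars`. The key keeps the existing spelling `plattform`, which `roles/common/tasks/main.yml` references as-is (`loop: '{{ smardigo_plattform_users }}'`), so any rename would need both sides.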
@@ -5,12 +5,51 @@ hetzner_server_labels: "stage={{ stage }} service=keycloak" keycloak: { realms: [ { - name: 'management-smardigo', - display_name: 'management-smardigo', + name: 'docker', + display_name: 'docker', users: [ { - "username": "management-admin", - "password": "management-admin", + "username": "docker-admin", + "password": "docker-admin", + "email": "sven.ketelsen@arxes-tolina.de" + } + ], + groups: [ + { + "name": "admin", + }, + { + "name": "sensw", + }, + { + "name": "smardigo", + }, + ], + clients: [ + { + clientId: 'dev-docker-registry-01', + name: 'dev-docker-registry-01', + admin_url: '', + root_url: '', + redirect_uris: ' + [ + "https://dev-docker-registry-01.smardigo.digital/*" + ]', + secret: 'f1f852b4-2e75-448a-9596-3c77d53ce405', + web_origins: ' + [ + "https://dev-docker-registry-01.smardigo.digital", + ]', + } + ] + }, + { + name: 'smardigo', + display_name: 'smardigo', + users: [ + { + "username": "connect-admin", + "password": "connect-admin", } ], clients: [ 
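Review bot: `secret: 'f1f852b4-2e75-448a-9596-3c77d53ce405'` for the `dev-docker-registry-01` client is an OIDC client secret stored in clear in `host_vars`, while `group_vars/all/plain.yml` in this patch shows the repository's own convention of keeping such values in the vault (`< see vault >`); the value is only moved here from the deleted `smardigo-02` realm, so it now sits in git history twice. Replace it with a vault reference, e.g. `secret: "{{ vault_keycloak_client_secret_docker_registry }}"` (placeholder name), and rotate the value since it has already been committed. The two bootstrap users added here (`docker-admin`/`docker-admin`, `connect-admin`/`connect-admin`) use the username as password; if they are the realms' administrative accounts rather than throwaway dev fixtures, their passwords belong in the vault as well. The `smardigo` realm's `clients:` list continues past this hunk.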
@@ -89,131 +128,7 @@ keycloak: { "https://dev-connect-03.smardigo.digital", ]', }, - { - clientId: 'connect-04', - name: 'connect-04', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-04.smardigo.digital/*", - "http://dev-connect-04.smardigo.digital/*", - ]', - secret: '9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-04.smardigo.digital", - ]', - }, - { - clientId: 'connect-05', - name: 'connect-05', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-05.smardigo.digital/*", - "http://dev-connect-05.smardigo.digital/*", - ]', - secret: '9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-05.smardigo.digital", - ]', - }, - { - clientId: 'connect-06', - name: 'connect-06', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-06.smardigo.digital/*", - "http://dev-connect-06.smardigo.digital/*", - ]', - secret: '9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-06.smardigo.digital", - ]', - }, - { - clientId: 'connect-07', - name: 'connect-07', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-07.smardigo.digital/*", - "http://dev-connect-07.smardigo.digital/*", - ]', - secret: '9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-07.smardigo.digital", - ]', - }, - { - clientId: 'connect-08', - name: 'connect-08', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-08.smardigo.digital/*", - "http://dev-connect-08.smardigo.digital/*", - ]', - secret: '9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-08.smardigo.digital", - ]', - }, - { - clientId: 'connect-09', - name: 'connect-09', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-connect-09.smardigo.digital/*", - "http://dev-connect-09.smardigo.digital/*", - ]', - secret: 
'9e234965-1041-4653-8a0e-db964c04bc26', - web_origins: ' - [ - "https://dev-connect-09.smardigo.digital", - ]', - } ] }, - { - name: 'smardigo-02', - display_name: 'smardigo-02', - users: [ - { - "username": "docker-admin", - "password": "docker-admin", - "email": "sven.ketelsen@arxes-tolina.de" - } - ], - clients: [ - { - clientId: 'dev-docker-registry-01', - name: 'dev-docker-registry-01', - admin_url: '', - root_url: '', - redirect_uris: ' - [ - "https://dev-docker-registry-01.smardigo.digital/*" - ]', - secret: 'f1f852b4-2e75-448a-9596-3c77d53ce405', - web_origins: ' - [ - "https://dev-docker-registry-01.smardigo.digital", - ]', - } - ] - } ] } \ No newline at end of file diff --git a/host_vars/dev-management-smardigo-01.yml b/host_vars/dev-management-smardigo-01.yml new file mode 100644 index 0000000..57f5d36 --- /dev/null +++ b/host_vars/dev-management-smardigo-01.yml @@ -0,0 +1,17 @@ +--- + +hetzner_server_labels: "stage={{ stage }} service=connect" + +hetzner_server_type: cpx21 + +connect_auth_module: oidc +connect_oidc_client_id: management-smardigo +connect_oidc_client_secret: f1f852b4-2e75-889a-2453-3c55d53ce405 +connect_oidc_registration_id: management-smardigo +connect_oidc_issuer_uri: https://{{ keycloak_hostname }}/auth/realms/smardigo + +connect_password_change_url: https://{{ keycloak_hostname }}/auth/realms/smardigo/account/password +connect_iam_user_management_url: https://{{ keycloak_hostname }}/auth/admin/smardigo/console + +spring_profiles_include_suffix: ",hetzner" +ribbon_display_on_active_profiles: "hetzner" diff --git a/roles/common/configs/docker/config.json.j2 b/roles/common/configs/docker/config.json.j2 index a0f4f31..d631aed 100644 --- a/roles/common/configs/docker/config.json.j2 +++ b/roles/common/configs/docker/config.json.j2 
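Review bot: `connect_oidc_client_secret: f1f852b4-2e75-889a-2453-3c55d53ce405` commits an OIDC client secret in clear in a new `host_vars` file, whereas `group_vars/all/plain.yml` in this same patch documents the repository's convention of keeping such values in `group_vars/all/vault.yml` (`< see vault >`). Reference the vault instead, e.g. `connect_oidc_client_secret: "{{ vault_connect_oidc_client_secret_management_smardigo }}"` (placeholder name), and issue a fresh randomly generated secret for the client, since this one is now in git history. A client with `clientId: 'management-smardigo'` does not appear in the visible hunks of `host_vars/dev-keycloak-01.yml`, which this patch also rewrites; confirm it exists in the `smardigo` realm (the unchanged middle of that file is not shown), otherwise the OIDC login against `connect_oidc_issuer_uri` will fail.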
@@ -1,7 +1,7 @@
 {
 "auths": {
 "dev-docker-registry-01.smardigo.digital": {
- "auth": "ZG9ja2VyLWFkbWluOnlZVGRXY1ExS01UZWxsOEVOVHlEVjlkZWRRUWZVTjhS"
+ "auth": "ZG9ja2VyLWFkbWluOnlZVGRXY1ExS01UZWxsOEVOVHlEVjlkZWRRUWZVTg=="
 }
 },
 "HttpHeaders": {
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index f75c803..9982551 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -103,6 +103,7 @@
 loop: '{{ smardigo_plattform_users }}'
 tags:
 - users
+ - config
 - name: "Install common dependencies"
 apt:
diff --git a/roles/connect/defaults/main.yml b/roles/connect/defaults/main.yml
index 9efad9d..252e6c8 100644
--- a/roles/connect/defaults/main.yml
+++ b/roles/connect/defaults/main.yml
@@ -2,7 +2,7 @@ connect_image_name: "{{ docker_registry }}/smardigo/connect-whitelabel-app"
-connect_version: '8.2.0-SNAPSHOT'
+connect_version: 'latest'
 connect_admin_username: "connect-admin"
 connect_admin_password: "connect-admin"
diff --git a/roles/hcloud/templates/firewall-docker.json.j2 b/roles/hcloud/templates/firewall-docker.json.j2
index 5e527c9..815af46 100644
--- a/roles/hcloud/templates/firewall-docker.json.j2
+++ b/roles/hcloud/templates/firewall-docker.json.j2
@@ -10,7 +10,8 @@
 "source_ips": [
 "116.203.130.110/32",
 "157.90.236.71/32",
- "162.55.54.246/32"
+ "162.55.54.246/32",
+ "159.69.46.214/32"
 ],
 "destination_ips": [
 ]
diff --git a/roles/keycloak/tasks/create_realm_groups.yml b/roles/keycloak/tasks/create_realm_groups.yml
new file mode 100644
index 0000000..b79205c
--- /dev/null
+++ b/roles/keycloak/tasks/create_realm_groups.yml
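Review bot: `connect_version: 'latest'` turns the role default from a pinned tag into a floating one, so two runs of the playbook can deploy different images and a rollback can no longer be expressed by reverting this variable; together with the `latest` branch of the dregsy tag filter in `docker/dregsy/config.yaml`, whatever was pushed to the source registry most recently is what ends up on the hosts. Keep a concrete version here (or an image digest) and bump it per release, e.g. `connect_version: '<release tag>'`; if a moving tag is wanted for the dev stage only, override it in that stage's group_vars instead of in `roles/connect/defaults/main.yml`.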
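Review bot: `"159.69.46.214/32"` is appended to `source_ips` without any indication of which host it belongs to; since this array is the firewall's allow-list and nothing ties an entry to an inventory host, an address tends to outlive the host it was added for. Label it with a Jinja comment, which the template renderer drops before the JSON is parsed, e.g. `"159.69.46.214/32" {# <inventory host this address belongs to> #}`, or better generate the array from the inventory (the hosts that need access, via `hostvars`) so the list follows host churn. The enclosing rule object begins and ends outside the hunk.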
@@ -0,0 +1,61 @@
+---
+
+- name: Read groups of realm {{ current_realm_name }}
+ uri:
+ url: http://localhost:{{ service_port_keycloak_external }}/auth/admin/realms/{{ current_realm_name }}/groups
+ method: GET
+ headers:
+ Authorization: "Bearer {{ access_token}} "
+ status_code: [200]
+ register: realm_groups
+ tags:
+ - create_groups
+ - update_realms
+
+- name: Print realm groups
+ debug:
+ msg: "{{ realm_groups }}"
+ tags:
+ - create_groups
+ - update_realms
+
+- name: Save realm groups as variable (fact)
+ set_fact:
+ realm_groups_json: "{{ realm_groups.json }}"
+ tags:
+ - create_groups
+ - update_realms
+
+- name: Read realm group names
+ set_fact:
+ realm_groupnames: "{{ realm_groups_json | json_query(jmesquery) }}"
+ vars:
+ jmesquery: '[*].name'
+ tags:
+ - create_groups
+ - update_realms
+
+- name: Print realm groupnames
+ debug:
+ msg: "{{ realm_groupnames }}"
+ tags:
+ - create_groups
+ - update_realms
+
+- name: "Create groups for realm {{ current_realm_name }}"
+ uri:
+ url: http://localhost:{{ service_port_keycloak_external }}/auth/admin/realms/{{ current_realm_name }}/groups
+ method: POST
+ body_format: json
+ body: "{{ lookup('template','keycloak-realm-create-group.json.j2') }}"
+ headers:
+ Content-Type: "application/json"
+ Authorization: "Bearer {{ access_token }}"
+ status_code: [201]
+ with_items: "{{ current_realm_groups }}"
+ when: current_realm_group.name not in realm_groupnames
+ loop_control:
+ loop_var: current_realm_group
+ tags:
+ - create_groups
+ - update_realms
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 1f5f9f5..ae28fed 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -2,6 +2,7 @@
 ### tags:
 ### create_users
+### create_groups
 ### update_realms
 ### update_deployment
@@ -111,6 +112,7 @@
 register: keycloak_authentication
 tags:
 - create_users
+ - create_groups
 - update_realms
 - name: "Create user storage provider in master realm"
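Review bot: `Authorization: "Bearer {{ access_token}} "` in the first `uri` task has a trailing space inside the header value (and no space before `}}`), unlike the POST task at the end of the file, which sends `"Bearer {{ access_token }}"`; whether Keycloak tolerates the padded token is not something the play should rely on, so make the two headers identical. Second, `realm_groups_json | json_query(jmesquery)` requires the `jmespath` Python package on the control node, a dependency that typically fails only at run time, while the same projection is available with the built-in `map(attribute='name') | list` — which also removes the need for the intermediate `realm_groups_json` fact and the `jmesquery` var. Third, `debug: msg: "{{ realm_groups }}"` prints the whole registered HTTP response on every run, where the derived name list printed two tasks later is all a reader needs. The rewrite below keeps the task names, the `create_groups`/`update_realms` tags and the `current_realm_group` loop variable consumed by `keycloak-realm-create-group.json.j2`; the POST task is unchanged.
```yaml
- name: Read groups of realm {{ current_realm_name }}
  uri:
    url: http://localhost:{{ service_port_keycloak_external }}/auth/admin/realms/{{ current_realm_name }}/groups
    method: GET
    headers:
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: realm_groups
  tags:
    - create_groups
    - update_realms

# Replaces the "Save realm groups" and json_query steps; map(attribute=) is
# built into Jinja and needs no jmespath on the control node.
- name: Read realm group names
  set_fact:
    realm_groupnames: "{{ realm_groups.json | map(attribute='name') | list }}"
  tags:
    - create_groups
    - update_realms

- name: Print realm groupnames
  debug:
    msg: "{{ realm_groupnames }}"
  tags:
    - create_groups
    - update_realms

# … unchanged: "Create groups for realm {{ current_realm_name }}" POST task …
```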
@@ -157,6 +159,17 @@
 - create_users
 - update_realms
+- name: "Create realm groups"
+ include_tasks: create_realm_groups.yml
+ vars:
+ current_realm_name: "{{ item.name }}"
+ current_realm_groups: "{{ item.groups | default([]) }}"
+ access_token: "{{ keycloak_authentication.json.access_token }}"
+ with_items: "{{ keycloak.realms }}"
+ tags:
+ - create_groups
+ - update_realms
+
 - name: "Send mattermost messsge"
 uri:
 url: "{{ mattermost_hook_smardigo }}"
diff --git a/roles/keycloak/templates/keycloak-realm-create-group.json.j2 b/roles/keycloak/templates/keycloak-realm-create-group.json.j2
new file mode 100644
index 0000000..2ce0d3c
--- /dev/null
+++ b/roles/keycloak/templates/keycloak-realm-create-group.json.j2
@@ -0,0 +1,3 @@
+{
+ "name": "{{ current_realm_group.name }}"
+}
\ No newline at end of file
diff --git a/stage-dev b/stage-dev
index cb6bb89..c551623 100644
--- a/stage-dev
+++ b/stage-dev
@@ -1,5 +1,6 @@
 [connect]
 # ---
+dev-management-smardigo-01
 dev-connect-01
 dev-connect-02
 dev-connect-03
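Review bot: `access_token: "{{ keycloak_authentication.json.access_token }}"` reuses the single admin token obtained earlier in this file for every realm of `keycloak.realms` and, inside the include, for every group; a long realm list can therefore run past the token's validity and fail late with a 401 on the group POST — check the admin token lifespan against the expected run time, or re-authenticate per realm. `item.groups | default([])` only covers a missing key; a realm written with an empty `groups:` key yields `null`, which the filter passes through unchanged, so use `default([], true)` if that spelling can occur in `host_vars`. Tagging both this task and every task in the included file is the right pattern for `include_tasks`, whose tags are not inherited by the included tasks.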
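Review bot: `"name": "{{ current_realm_group.name }}"` drops the group name into the JSON body unescaped, so a name containing `"` or `\` yields an invalid request body; emit it as a JSON string literal instead, `"name": {{ current_realm_group.name | to_json }}` (no surrounding quotes — the filter supplies them). The file also lacks a trailing newline. The body is consumed by the `uri` POST in `roles/keycloak/tasks/create_realm_groups.yml` with `body_format: json`.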