OPSEXP-2304 Configure SSO in repository #673

merged 33 commits into from
Oct 2, 2023
Changes from 32 commits
33 commits
a84e9c1
Configure SSO in repository
gionn Sep 22, 2023
d8cbc23
support latest rockylinux minor
gionn Sep 22, 2023
ffab672
fixup identity arguments
gionn Sep 22, 2023
fd77e92
fixup client vars
gionn Sep 22, 2023
cbf07e7
handle http port
gionn Sep 25, 2023
3ffc4f7
do not fail playbook if transformers is empty
gionn Sep 25, 2023
77a5c64
fixup properties injection
gionn Sep 25, 2023
4b208c6
configure nginx in front of keycloak
gionn Sep 25, 2023
be6df8e
hook realm in playbook
gionn Sep 26, 2023
4b6a0c8
use variable for port
gionn Sep 26, 2023
e9b48c8
identity url as role argument for repository
gionn Sep 26, 2023
1496470
Add identity integration test
gionn Sep 26, 2023
234a021
revert 8.8
gionn Sep 26, 2023
d658d05
fixup
gionn Sep 26, 2023
24ca8a8
add verify for identity
gionn Sep 26, 2023
65d1b7e
known urls as identity argument
gionn Sep 26, 2023
e58c9a7
really run identity in the enterprise workflow
gionn Sep 26, 2023
d4bff87
default prepare playbook is a requirement
gionn Sep 26, 2023
be207d8
more tests
gionn Sep 26, 2023
7498df0
pipeline for ent search int
gionn Sep 27, 2023
17cac5c
fixup conditional
gionn Sep 27, 2023
d9d0535
cleanup
gionn Sep 27, 2023
95027c0
fallback to empty identity url
gionn Sep 27, 2023
35bbeb0
cleanup molecule ports
gionn Sep 28, 2023
803b563
fixup string default
gionn Sep 28, 2023
e5b0927
fixup secrets
gionn Sep 29, 2023
5900fd9
support remaining arguments for identity role
gionn Oct 2, 2023
7e0c4c8
workaround keycloak redirecting to http
gionn Oct 2, 2023
8126210
configure keycloak host
gionn Oct 2, 2023
19ddce6
simplify because other variables are not available under identity group
gionn Oct 2, 2023
f90c337
revert localhost on identity because seems not good
gionn Oct 2, 2023
4d29f52
revert workaround
gionn Oct 2, 2023
c84317a
apply review suggestions
gionn Oct 2, 2023
5 changes: 5 additions & 0 deletions .github/workflows/enteprise.yml
Expand Up @@ -84,6 +84,11 @@ jobs:
scenario:
- name: elasticsearch
- name: pki
include:
- scenario:
name: identity
molecule_distro:
image: rockylinux:8.7
steps:
- name: Checkout
uses: actions/checkout@v4
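Review bot: The new matrix entry pins the identity scenario to `rockylinux:8.7`, a mutable tag for a superseded minor, while the commit history of this PR (`support latest rockylinux minor`, then `revert 8.8`) suggests the newer image was tried and backed out without the reason being recorded. A one-line comment next to the image, e.g. `# 8.8 image reverted in OPSEXP-2304; revisit once the identity scenario runs on latest 8.x`, would stop the next person from repeating the experiment, and a digest pin would make the test base reproducible. The `jobs:` matrix this hunk extends starts outside the hunk.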
16 changes: 13 additions & 3 deletions .secrets.baseline
Expand Up @@ -128,6 +128,16 @@
"is_secret": false
}
],
"molecule/identity/verify.yml": [
{
"type": "Secret Keyword",
"filename": "molecule/identity/verify.yml",
"hashed_secret": "3f42f2d120c36646b79792b8dccee509e1480ad0",
"is_verified": false,
"line_number": 38,
"is_secret": false
}
],
"molecule/pki/host_vars/localhost.yaml": [
{
"type": "Secret Keyword",
Expand All @@ -144,7 +154,7 @@
"filename": "playbooks/acs.yml",
"hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9",
"is_verified": false,
"line_number": 345,
"line_number": 360,
"is_secret": false
}
],
Expand Down Expand Up @@ -182,7 +192,7 @@
{
"type": "Secret Keyword",
"filename": "roles/identity/tasks/realm.yml",
"hashed_secret": "973503d55aba40e89d4ab4c16783bc9a159c512e",
"hashed_secret": "95fd8196fcf819b3e2c33a18c5d16be8c7eb7960",
"is_verified": false,
"line_number": 13,
"is_secret": false
Expand Down Expand Up @@ -269,5 +279,5 @@
}
]
},
"generated_at": "2023-09-29T07:22:26Z"
"generated_at": "2023-10-02T10:23:47Z"
}
2 changes: 1 addition & 1 deletion group_vars/repository.yml
Expand Up @@ -33,7 +33,7 @@ global_properties:
cluster:
enabled: "{{ (groups['repository'] | length > 1 and not (cluster_keepoff | bool)) | lower }}"
share:
host: "{{ fqdn_alfresco | default(known_urls[0]) | default(nginx_host) }}"
host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}"
port: "{{ acs_play_port }}"
protocol: "{{ acs_play_proto }}"
messaging:
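Review bot: The fallback chain on the new `host:` line evaluates `known_urls[0] | urlsplit('hostname')` unconditionally, because Jinja computes a filter's arguments before `default` decides whether it needs them; if `known_urls` can ever be empty (the identity role added in this PR defaults its own `identity_known_urls` to `[]`), `urlsplit` then runs on an undefined element and the render fails instead of falling through to `nginx_host`. If that case is reachable, a guarded form such as `host: "{{ fqdn_alfresco | default(known_urls | first | default('') | urlsplit('hostname') | default(nginx_host, true)) }}"` degrades to `nginx_host` as intended, since `urlsplit('hostname')` on an empty string yields a falsy value. If `known_urls` is guaranteed non-empty by the playbook, a short comment saying so above the line is enough.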
4 changes: 3 additions & 1 deletion molecule/elasticsearch/molecule.yml
Expand Up @@ -9,7 +9,6 @@ platforms:
dockerfile: ../../tests/molecule/Dockerfile-noprivs.j2
command: "/lib/systemd/systemd"
published_ports:
- 80/tcp
- 0.0.0.0:443:443/tcp
privileged: true
tmpfs:
Expand All @@ -33,6 +32,9 @@ platforms:
- trusted_resource_consumers
provisioner:
name: ansible
config_options:
defaults:
pipelining: True
ansible_args:
- -e
- "@tests/test-ssl.yml"
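Review bot: `pipelining: True` under `config_options.defaults` uses the capitalised YAML 1.1 boolean, while the same setting added to `molecule/local/molecule.yml` in this PR is written `pipelining: true`; both parse as booleans, but yamllint's `truthy` rule flags the capitalised form, so `pipelining: true` keeps the scenarios consistent. Enabling pipelining also assumes `requiretty` is not enforced in the container's sudoers, which the `Dockerfile-noprivs.j2` image presumably takes care of — worth confirming given how much of the play runs under `become`.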
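--- /dev/null
+++ b/molecule/identity/converge.yml
@@ -0,0 +1,5 @@
+---
+- name: Run the playbook
+  ansible.builtin.import_playbook: ../../playbooks/acs.yml
+  vars:
+    autogen_unsecure_secrets: true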
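--- /dev/null
+++ b/molecule/identity/host_vars/identity-instance.yml
@@ -0,0 +1 @@
+ansible_user: ansible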
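--- /dev/null
+++ b/molecule/identity/molecule.yml
@@ -0,0 +1,45 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: identity-instance
+    image: $MOLECULE_ROLE_IMAGE
+    dockerfile: ../../tests/molecule/Dockerfile-noprivs.j2
+    command: "/lib/systemd/systemd"
+    privileged: true
+    tmpfs:
+      - /run
+      - /run/lock
+      - /tmp
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    groups:
+      - database
+      - activemq
+      - repository
+      - trusted_resource_consumers
+      - identity
+      - nginx
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      pipelining: True
+  ansible_args:
+    - -e
+    - "@tests/test-extra-vars.yml"
+    - -e
+    - "@tests/test-ssl.yml"
+  inventory:
+    links:
+      group_vars: ../../group_vars
+      host_vars: host_vars
+  playbooks:
+    prepare: ../default/prepare.yml
+verifier:
+  name: ansible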
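Review bot: The instance runs `privileged: true` with `/sys/fs/cgroup` mounted, which is the usual price of systemd-in-Docker and acceptable for a throwaway test container, but the image is built from `Dockerfile-noprivs.j2`, whose name suggests it is meant to run unprivileged — a comment on the `privileged:` line stating why it is still required (e.g. `# systemd as PID 1 needs cgroup access; test container only`) would settle that for the next reader. The same applies to `pipelining: True`, which is written `pipelining: true` in `molecule/local/molecule.yml` in this PR; `true` keeps yamllint's `truthy` rule quiet and the scenarios consistent. Only 443 is published, so the Keycloak http port stays inside the container and is only reached through nginx, which is the right shape for the proxy-mode setting the identity role uses.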
50 changes: 50 additions & 0 deletions molecule/identity/verify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
- name: Verify Identity
hosts: identity
gather_facts: true
tasks:
- name: Populate services facts
ansible.builtin.service_facts:

- name: Check services up
ansible.builtin.assert:
that:
- ansible_facts.services['alfresco-content.service'].state == "running"
- ansible_facts.services['keycloak.service'].state == "running"

- name: Retrieve contents of alfresco-global.properties
become: true
ansible.builtin.slurp:
src: /etc/opt/alfresco/content-services/classpath/alfresco-global.properties
register: slurp_global_properties

- name: Check alfresco-global.properties contains expected identity properties
vars:
global_properties_content: "{{ slurp_global_properties['content'] | b64decode }}"
expected_auth_chain: "authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm"
expected_service_resource: "identity-service.resource=alfresco"
expected_service_credentials: "identity-service.credentials.secret="
expected_auth_url_regex: 'identity-service\.auth-server-url=http:\/\/.*\/'
ansible.builtin.assert:
that:
- "expected_auth_chain in global_properties_content"
- "expected_service_resource in global_properties_content"
- "expected_service_credentials in global_properties_content"
- "global_properties_content | regex_search(expected_auth_url_regex)"
msg: "{{ global_properties_content }}"

- name: Fetch realm
community.general.keycloak_realm_info:
auth_keycloak_url: "http://localhost:8082"
realm: alfresco
register: result_realm_info

- ansible.builtin.debug:
var: result_realm_info

- name: Assert that realm is consistent
ansible.builtin.assert:
that:
- result_realm_info.realm_info['realm'] == "alfresco"
- result_realm_info.realm_info['account-service'] == "http://localhost/auth/realms/alfresco/account"
- result_realm_info.realm_info['public_key'] is defined
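Review bot: `msg: "{{ global_properties_content }}"` on the properties assert prints the entire decoded alfresco-global.properties into the play output whenever one expectation fails, and that file carries the database password and `identity-service.credentials.secret` along with everything else — in this run they are `autogen_unsecure_secrets`, but the verifier will follow the playbook into any environment that reuses it. A message that names only what is missing, e.g. `msg: "expected identity-service properties not found in alfresco-global.properties"`, keeps secrets out of CI logs, and `no_log: true` on the slurp task closes the other route. Separately, `expected_auth_url_regex` pins `auth-server-url` to `http://`, so the test starts failing the day the repository is pointed at Keycloak over TLS; presumably intended for now, but a comment saying so next to the regex would help. The `Fetch realm` task talks to `http://localhost:8082` directly rather than through nginx, so this verifier does not exercise the `/auth/` proxy location added in the same PR.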
4 changes: 3 additions & 1 deletion molecule/local/molecule.yml
Expand Up @@ -27,11 +27,13 @@ platforms:
- acc
- nginx
published_ports:
- 80/tcp
- 0.0.0.0:443:443/tcp

provisioner:
name: ansible
config_options:
defaults:
pipelining: true
ansible_args:
- -e
- "@tests/test-extra-vars.yml"
21 changes: 18 additions & 3 deletions playbooks/acs.yml
Expand Up @@ -71,8 +71,18 @@
roles:
- role: "../roles/identity"
identity_admin_username: admin
identity_admin_pasword: "{{ hostvars.localhost.identity_admin_password }}"
when: acs.edition == "Enterprise" and not groups.external_identity | default([])
identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}"
identity_keycloak_http_port: "{{ ports_cfg.identity.http }}"
when: not groups.external_identity | default([])
tasks:
- name: Configure Realm
vars:
identity_admin_username: admin
identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}"
identity_keycloak_http_port: "{{ ports_cfg.identity.http }}"
ansible.builtin.include_role:
name: "../roles/identity"
tasks_from: realm
tags:
- identity

Expand Down Expand Up @@ -162,7 +172,7 @@
- name: Check wether we want mTLS for Repostory
ansible.builtin.set_fact:
repo_mtls_required: >-
{{ groups.repository | difference(groups.transformers) | length > 0 }}
{{ groups.repository | difference(groups.transformers | default([])) | length > 0 }}
- name: Build keystore role argument
ansible.builtin.set_fact:
repository_keystore:
Expand All @@ -176,11 +186,16 @@
when:
- repo_mtls_required
- ats_mtls_capable
- name: Enable identity service
when: ((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0
ansible.builtin.set_fact:
identity_url: "http://{{ identity_host }}:{{ ports_cfg.identity.http }}/"
roles:
- role: "../roles/repository"
repo_keystore: "{{ repository_keystore | default({}) }}"
repository_properties: "{{ global_properties }}"
raw_properties: "{{ properties_snippets }}"
repository_identity_url: "{{ identity_url | default('') }}"
post_tasks:
- name: Update installation status file with ACS
become: true
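Review bot: `identity_url` is built with a hard-coded `http://` scheme (and `ports_cfg.identity.http` has no TLS counterpart), so whenever `identity_host` is a different machine from the repository the repository's calls to Keycloak — token exchange and validation, where the client secret is presented — cross the network in clear; the nginx `/auth/` location added in this PR takes the same plaintext hop. That may be acceptable for the single-host layout this targets, but a scheme variable (for example `ports_cfg.identity.proto` defaulting to `http`) or at least a comment on the `set_fact`, such as `# plain http: the identity service is assumed reachable only over a trusted network`, would record the assumption. Also, the new `Configure Realm` task carries no `when:` guard, whereas the role entry just above it is skipped when `external_identity` is populated; the play's `hosts:` line lies outside the hunk, so this may be harmless, but it is worth confirming that realm setup is never attempted against a localhost port on an external-identity deployment.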
2 changes: 2 additions & 0 deletions roles/common/defaults/main.yml
Expand Up @@ -133,6 +133,8 @@ ports_cfg:
admin: 9093
elasticsearch:
http: "{{- groups.external_elasticsearch | default([]) | map('extract', hostvars, ['elasticsearch_port']) | first | default('9200') -}}"
identity:
http: "{{- groups.external_identity | default([]) | map('extract', hostvars, ['identity_port']) | first | default('8082') -}}"

# Default download location of necessary artefacts
download_location: /tmp/ansible_artefacts
11 changes: 9 additions & 2 deletions roles/identity/defaults/main.yml
Expand Up @@ -3,5 +3,12 @@
identity_admin_username: admin
identity_admin_password: null

identity_keycloak_quarkus_version: 21.1.2
identity_alfresco_theme_version: 0.3.5
identity_keycloak_quarkus_version: "21.1.2"
identity_alfresco_theme_version: "0.3.5"

identity_keycloak_http_port: 8080
identity_keycloak_start_dev: true
identity_keycloak_proxy_mode: edge
identity_keycloak_host: localhost

identity_known_urls: []
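Review bot: `identity_keycloak_start_dev: true` makes development mode the default for every deployment of this role, while the matching `argument_specs` entry added in this PR itself says it is `Not suitable for production` — `start-dev` relaxes hostname and HTTPS enforcement, so a user who does not know to override it gets a weakened Keycloak without any warning. If the default has to stay `true` for the molecule scenarios, a comment on the line such as `# dev mode relaxes hostname/TLS checks; set to false outside test environments` is the minimum; better is `false` here with the test extra-vars flipping it to `true`. The `8080` default for `identity_keycloak_http_port` also differs from the `8082` the playbook passes via `ports_cfg.identity.http`, which is fine but worth a short comment so the two numbers are not taken for a typo.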
26 changes: 26 additions & 0 deletions roles/identity/meta/argument_specs.yml
Expand Up @@ -13,3 +13,29 @@ argument_specs:
required: true
description: |
Password of the keycloak instance admin user
identity_keycloak_http_port:
type: int
default: 8080
description: |
Port where to expose the keycloak instance
identity_keycloak_start_dev:
type: bool
default: true
description: |
If keycloak should be started in development mode. Not suitable for production
identity_keycloak_proxy_mode:
type: str
default: edge
description: |
Fine tune specific behaviour when running keycloak behind a proxy
identity_keycloak_host:
type: str
default: localhost
description: |
Hostname where clients can reach the keycloak instance
identity_known_urls:
type: list
elements: str
default: []
description: |
A list of possible origin URLs which are allowed to interact with the configured realm
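Review bot: The description of `identity_known_urls` says the URLs are allowed to interact with the realm but not how they are consumed: `roles/identity/tasks/realm.yml` in this PR registers each entry as a prefix-wildcarded redirect URI and verbatim as a CORS web origin, so a sloppy entry (missing scheme, trailing path, or a wildcard of its own) widens where Keycloak will send tokens. A description along the lines of `Origins (scheme://host[:port]) registered on the alfresco client as redirect URIs (prefix-wildcarded) and web origins; keep entries exact, no wildcards` tells callers what they are signing up for. `identity_keycloak_proxy_mode` would likewise benefit from noting that `edge` makes Keycloak trust `X-Forwarded-*` headers from anything that can reach the http port.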
9 changes: 5 additions & 4 deletions roles/identity/tasks/main.yml
Expand Up @@ -4,9 +4,10 @@
vars:
keycloak_quarkus_admin_pass: "{{ identity_admin_password }}"
keycloak_quarkus_version: "{{ identity_keycloak_quarkus_version }}"
keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_host: localhost
keycloak_quarkus_http_relative_path: ''
keycloak_quarkus_start_dev: "{{ identity_keycloak_start_dev }}"
keycloak_quarkus_proxy_mode: "{{ identity_keycloak_proxy_mode }}"
keycloak_quarkus_host: "{{ identity_keycloak_host }}"
keycloak_quarkus_http_port: "{{ identity_keycloak_http_port }}"
keycloak_quarkus_http_relative_path: auth
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak_quarkus
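Review bot: With `keycloak_quarkus_proxy_mode` now taken from `identity_keycloak_proxy_mode` (default `edge`), Keycloak trusts `X-Forwarded-Proto`/`X-Forwarded-For` from whoever reaches `identity_keycloak_http_port` directly, which is only safe if that port is reachable solely from the nginx proxy; nothing in this hunk binds the listener to a private interface or restricts it. A comment on the proxy-mode line such as `# edge mode trusts X-Forwarded-* headers: keep the http port reachable from the nginx host only` records the assumption. The change of `keycloak_quarkus_http_relative_path` from `''` to `auth` also has to agree with how the nginx `/auth/` location in this PR forwards the path, since that location strips the prefix before proxying.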
6 changes: 4 additions & 2 deletions roles/identity/tasks/realm.yml
Expand Up @@ -10,7 +10,7 @@
- name: Configure Alfresco Keycloak realm
community.general.keycloak_realm:
auth_client_id: admin-cli
auth_keycloak_url: http://localhost:8080
auth_keycloak_url: "http://localhost:{{ identity_keycloak_http_port }}"
auth_realm: master
auth_username: "{{ identity_admin_username }}"
auth_password: "{{ identity_admin_password }}"
Expand Down Expand Up @@ -44,11 +44,13 @@
- name: Configure basic alfresco client
community.general.keycloak_client:
auth_client_id: admin-cli
auth_keycloak_url: http://localhost:8080
auth_keycloak_url: "http://localhost:{{ identity_keycloak_http_port }}"
auth_realm: master
auth_username: "{{ identity_admin_username }}"
auth_password: "{{ identity_admin_password }}"
realm: alfresco
client_id: alfresco
enabled: true
redirect_uris: "{{ identity_known_urls | map('regex_replace', '(.*)$', '\\1*') | list }}"
web_origins: "{{ identity_known_urls }}"
state: present
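Review bot: `redirect_uris` appends `*` directly after each known URL, so an entry like `https://acs.example.com` becomes the prefix pattern `https://acs.example.com*`, which Keycloak also matches against `https://acs.example.com.attacker.example/` — the usual hardening rule is to wildcard only below a trailing slash (`https://host/*`). In addition, on Python ≥ 3.7 `re.sub` also replaces the empty match at end-of-string adjacent to the `(.*)` match (`re.sub('(.*)$', r'\1*', 'abc')` gives `abc**`), so this expression most likely registers `https://host**`; whether Keycloak tolerates the double wildcard I cannot tell from here, and nothing in `verify.yml` inspects the registered redirect URIs, so it would go unnoticed either way. An anchored pattern fixes both: `redirect_uris: "{{ identity_known_urls | map('regex_replace', '^(.*?)/*$', '\\1/*') | list }}"`. Passing `web_origins` verbatim is correct — origins must not carry a wildcard.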
14 changes: 10 additions & 4 deletions roles/nginx/templates/alfresco_proxy.j2
Expand Up @@ -59,7 +59,6 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
proxy_pass_header Set-Cookie;
}

location /api-explorer/ {
Expand All @@ -71,6 +70,16 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
}

location /auth/ {
proxy_pass http://{{ identity_host }}:{{ ports_cfg.identity.http }}/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
}

Expand All @@ -84,7 +93,6 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
proxy_pass_header Set-Cookie;
}

location /workspace/ {
Expand All @@ -96,7 +104,6 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
proxy_pass_header Set-Cookie;
}

location /control-center/ {
Expand All @@ -108,6 +115,5 @@
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
proxy_pass_header Set-Cookie;
}
{% endif %}
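Review bot: The new `/auth/` location proxies to `http://…:{{ ports_cfg.identity.http }}/` with a URI part, so nginx strips the `/auth/` prefix and Keycloak receives `/realms/alfresco/…`, while `roles/identity/tasks/main.yml` in this PR sets `keycloak_quarkus_http_relative_path: auth`, i.e. Keycloak serves under `/auth/…`. Unless Keycloak also answers at the root — and the molecule verifier only talks to port 8082 directly, so it would not catch a mismatch — the forwarded path is wrong; `proxy_pass http://{{ identity_host }}:{{ ports_cfg.identity.http }}/auth/;` or dropping the URI part altogether keeps the prefix intact. The upstream is plain http, which is fine on a single host but should be stated if `identity_host` may be remote. The `{% if %}` closed by the trailing `{% endif %}` begins outside the hunk, so it is not visible here whether this block is gated on the identity group.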
5 changes: 5 additions & 0 deletions roles/repository/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,8 @@ keystore_src: >-
{%- endif %}
repo_keystore: {}
repository_monitored_startup_timeout_seconds: 300

# Identity service arguments
repository_identity_url: ''
repository_identity_client_id: alfresco
repository_identity_client_secret: ''
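Review bot: `repository_identity_client_secret: ''` silently leaves the repository with an empty `identity-service.credentials.secret`, and nothing in this hunk (or the verify step, which only checks that the key is present) notices when the secret is forgotten. Since the realm task in this PR does not declare the `alfresco` client public, an empty secret is most likely a misconfiguration rather than a valid state — assuming the client is confidential, which these hunks do not settle. A comment such as `# must be set (preferably from vault) to the alfresco client's secret when the client is confidential` documents that, and an assert in the role when `repository_identity_url` is non-empty but the secret is empty would fail fast instead of producing a repository that cannot authenticate.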