Merge pull request #139 from dosaboy/add-jaas-module

Add jaas module

jaas/common

@@ -0,0 +1 @@
+../common

jaas/generate-bundle.sh

@@ -0,0 +1 @@
+common/generate-bundle.sh

jaas/jaas.yaml.template

@@ -0,0 +1,138 @@
+# This is a Juju bundle template and is part of
+# https://github.com/canonical/stsstack-bundles
+# The template is used in conjunction with the provided generate-bundle.sh tool
+# to generate a Juju bundle along with optional overlays. If you need to make
+# modifications it is suggested to make them to the template then re-generate
+# your bundle.
+
+# Variables
+ssl_ca:                     &ssl_ca                    __SSL_CA__
+ssl_cert:                   &ssl_cert                  __SSL_CERT__
+ssl_key:                    &ssl_key                   __SSL_KEY__
+candid-location:            &candid-location           "https://candid.se"
+jimm-dns-name:              &jimm-dns-name             "jimm.se"
+jaas-controller-admin:      &jaas-controller-admin     "ubuntu"
+jimm-uuid:                  &jimm-uuid                 "e36c3d32-654d-446d-989a-97399a5a2c63"
+
+series: __SERIES__
+applications:
+  postgresql:
+    charm: postgresql
+    channel: 14/stable
+    num_units: 1
+  tls-certificates-operator:
+    charm: tls-certificates-operator
+    num_units: 1
+    options:
+      generate-self-signed-certificates: true
+      ca-common-name: "Internal JAAS CA"
+  candid:
+    series: focal
+    charm: candid
+    channel: latest/candidate
+    num_units: 1
+    options:
+      location: *candid-location
+      rendezvous-timeout: 10m
+      admin-agent-public-key: __CANDID_ADMIN_AGENT_KEY__
+      private-key: __CANDID_PRIV_KEY__
+      public-key: __CANDID_PUB_KEY__
+      identity-providers: |
+        - type: static
+          name: static
+          domain: se
+          description: Static Identity Provider
+          users:
+            user1:
+              name: User One
+              email: user1@se
+              password: password1
+              groups: [group1, group2]
+            user2:
+              name: User Two
+              email: user2@se
+              password: password2
+              groups: [group1, group2]
+            central-admin:
+              name: central admin
+              email: central-admin@se
+              password: central-admin
+              groups: [group1, group5]
+          hidden: false
+  candid-haproxy:
+    series: jammy
+    charm: haproxy
+    num_units: 1
+    options:
+      default_mode: tcp
+      enable_monitoring: True
+      peering_mode: active-active
+      ssl_cert: *ssl_cert
+      ssl_key: *ssl_key
+      services: |
+        - service_name: app-candid
+          service_host: "0.0.0.0"
+          service_port: 443
+          service_options:
+            - mode http
+            - balance source # JIRA: #CSS-4991
+            - cookie SRVNAME insert
+            - timeout server 12m
+            - option httpchk GET /debug/info HTTP/1.0
+            - acl metrics path -i /metrics
+            - http-request deny if metrics
+          crts: [DEFAULT]
+          server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+        - service_name: api_http
+          service_host: "0.0.0.0"
+          service_port: 80
+          service_options:
+            - mode http
+            - http-request redirect scheme https
+  jimm-haproxy:
+    series: jammy
+    charm: haproxy
+    num_units: 1
+    options:
+      default_mode: tcp
+      enable_monitoring: True
+      peering_mode: active-active
+      ssl_cert: *ssl_cert
+      ssl_key: *ssl_key
+      services: |
+        - service_name: app-jimm
+          service_host: "0.0.0.0"
+          service_port: 443
+          service_options:
+            - mode http
+            - balance leastconn
+            - cookie SRVNAME insert
+            - option httpchk GET /debug/info HTTP/1.0
+            - acl metrics path -i /metrics
+            - http-request deny if metrics
+          server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+          crts: [DEFAULT]
+        - service_name: api_http
+          service_host: "0.0.0.0"
+          service_port: 80
+          service_options:
+            - mode http
+            - http-request redirect scheme https
+  jimm:
+    series: focal
+    charm: juju-jimm
+    channel: 1/candidate
+    num_units: 1
+    options:
+      candid-url: *candid-location
+      controller-admins: *jaas-controller-admin
+      uuid: *jimm-uuid
+      dns-name: *jimm-dns-name
+
+relations:
+- ["tls-certificates-operator", "postgresql"]
+- ["candid", "postgresql:db"]
+- ["candid-haproxy:reverseproxy", "candid:website"]
+- ["jimm-haproxy:reverseproxy", "jimm:website"]
+- ["jimm", "postgresql"]
+

jaas/module_defaults

@@ -0,0 +1,8 @@
+# This file must contain defaults for all variables used in bundles/ovelays.
+# They are used to render to final product in the event they are not provided
+# elsewhere. It is inserted into the global context at the start of the
+# pipeline.
+#
+# You can check that none are missing by running lint/check_var_defaults.sh
+#
+

jaas/overlays

@@ -0,0 +1 @@
+../overlays

jaas/pipeline/00setup

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Globals
+export MOD_NAME=jaas
+export MOD_BASE_TEMPLATE=jaas.yaml.template
+export MOD_SSL_STATE_DIR=${MOD_NAME}
+[ -n "${MASTER_OPTS[BUNDLE_NAME]}" ] && \
+    MOD_SSL_STATE_DIR="${MOD_SSL_STATE_DIR}-${MASTER_OPTS[BUNDLE_NAME]}"
+
+# opts that 02configure does not recognise that get passed to the generator
+export -a MOD_PASSTHROUGH_OPTS=()
+
+# Collection of messages to display at the end
+export -A MOD_MSGS=()
+
+# Array list of overlays to use with this deployment.
+export -a MOD_OVERLAYS=()
+
+export -A MOD_PARAMS=()

jaas/pipeline/01import-config-defaults

@@ -0,0 +1,4 @@
+# Start with dependency defaults in case we want to override any locally
+
+# Current module imports
+. $MOD_DIR/module_defaults

jaas/pipeline/02configure

@@ -0,0 +1,48 @@
+#!/bin/bash
+# Global variables are first defined in 00setup and module
+# dependencies are defined in 01import-config-defaults
+#
+# All overlay/bundle variables (MOD_PARAMS) defaults must go into
+# the <module>/module_defaults file.
+
+if ! `juju --version| egrep -q "^3.2"`; then
+    echo "ERROR: juju version 3.2 or above is required for deploying JAAS"
+    exit 1
+fi
+
+if ! `snap list| grep -q candid`; then
+    sudo snap install candid --channel latest/candidate    
+fi
+
+candid_keys=$(pwd)/keys
+mkdir -p $candid_keys
+/snap/candid/current/bin/bakery-keygen > ${candid_keys}/bakery-key.json
+cat ${candid_keys}/bakery-key.json | jq -r .public | tr -d '\n' > ${candid_keys}/public-key
+cat ${candid_keys}/bakery-key.json | jq -r .private | tr -d '\n' > ${candid_keys}/private-key
+CANDID_URL=https://candid.sts candid create-agent --admin   -f ${candid_keys}/admin.agent
+cat ${candid_keys}/admin.agent | jq -r .key.public | tr -d '\n' > ${candid_keys}/admin-agent-public-key
+
+(cd ssl; . ./create_ca_cert.sh $MOD_SSL_STATE_DIR;)
+ssl_results="ssl/$MOD_SSL_STATE_DIR/results"
+MOD_PARAMS[__SSL_PATH__]=$ssl_results
+MOD_PARAMS[__CANDID_PUB_KEY__]=`cat $candid_keys/public-key`
+MOD_PARAMS[__CANDID_PRIV_KEY__]=`cat $candid_keys/private-key`
+MOD_PARAMS[__CANDID_ADMIN_AGENT_KEY__]=`cat $candid_keys/admin-agent-public-key`
+MOD_PARAMS[__SSL_CA__]=`base64 ${ssl_results}/cacert.pem| tr -d '\n'`
+MOD_PARAMS[__SSL_CERT__]=`base64 ${ssl_results}/servercert.pem| tr -d '\n'`
+MOD_PARAMS[__SSL_KEY__]=`base64 ${ssl_results}/serverkey.pem| tr -d '\n'`
+
+# Skip processing input if it includes exclusive passthrough options
+! has_excl_passthrough_opt && \
+while (($# > 0))
+do
+    case "$1" in
+        *)
+            echo "ERROR: invalid input '$1'"
+            _usage
+            exit 1
+            ;;
+    esac
+    shift
+done
+

jaas/pipeline/03build

@@ -0,0 +1,5 @@
+#!/bin/bash
+. $MOD_DIR/common/generate_bundle_base
+
+print_msgs
+

jaas/ssl

@@ -0,0 +1 @@
+../ssl