From 02847664367c6160c659d48e7e9848e1d68fbf51 Mon Sep 17 00:00:00 2001
From: Edward Hope-Morley
Date: Thu, 21 Sep 2023 09:42:00 +0100
Subject: [PATCH] Add jaas module

Support deploying a Juju-as-a-Service test environment.
---
 jaas/common | 1 +
 jaas/generate-bundle.sh | 1 +
 jaas/jaas.yaml.template | 138 +++++++++++++++++++++++++
 jaas/module_defaults | 8 ++
 jaas/overlays | 1 +
 jaas/pipeline/00setup | 19 ++++
 jaas/pipeline/01import-config-defaults | 4 +
 jaas/pipeline/02configure | 48 +++++++++
 jaas/pipeline/03build | 5 +
 jaas/ssl | 1 +
 10 files changed, 226 insertions(+)
 create mode 120000 jaas/common
 create mode 120000 jaas/generate-bundle.sh
 create mode 100644 jaas/jaas.yaml.template
 create mode 100644 jaas/module_defaults
 create mode 120000 jaas/overlays
 create mode 100644 jaas/pipeline/00setup
 create mode 100644 jaas/pipeline/01import-config-defaults
 create mode 100644 jaas/pipeline/02configure
 create mode 100644 jaas/pipeline/03build
 create mode 120000 jaas/ssl

diff --git a/jaas/common b/jaas/common
new file mode 120000
index 00000000..60d3b0a6
--- /dev/null
+++ b/jaas/common
@@ -0,0 +1 @@
+../common
\ No newline at end of file
diff --git a/jaas/generate-bundle.sh b/jaas/generate-bundle.sh
new file mode 120000
index 00000000..394558ee
--- /dev/null
+++ b/jaas/generate-bundle.sh
@@ -0,0 +1 @@
+common/generate-bundle.sh
\ No newline at end of file
diff --git a/jaas/jaas.yaml.template b/jaas/jaas.yaml.template
new file mode 100644
index 00000000..5ae62393
--- /dev/null
+++ b/jaas/jaas.yaml.template
@@ -0,0 +1,138 @@
+# This is a Juju bundle template and is part of
+# https://github.com/canonical/stsstack-bundles
+# The template is used in conjunction with the provided generate-bundle.sh tool
+# to generate a Juju bundle along with optional overlays. If you need to make
+# modifications it is suggested to make them to the template then re-generate
+# your bundle.
+
+# Variables
+ssl_ca: &ssl_ca __SSL_CA__
+ssl_cert: &ssl_cert __SSL_CERT__
+ssl_key: &ssl_key __SSL_KEY__
+candid-location: &candid-location "https://candid.se"
+jimm-dns-name: &jimm-dns-name "jimm.se"
+jaas-controller-admin: &jaas-controller-admin "ubuntu"
+jimm-uuid: &jimm-uuid "e36c3d32-654d-446d-989a-97399a5a2c63"
+
+series: __SERIES__
+applications:
+ postgresql:
+ charm: postgresql
+ channel: 14/stable
+ num_units: 1
+ tls-certificates-operator:
+ charm: tls-certificates-operator
+ num_units: 1
+ options:
+ generate-self-signed-certificates: true
+ ca-common-name: "Internal JAAS CA"
+ candid:
+ series: focal
+ charm: candid
+ channel: latest/candidate
+ num_units: 1
+ options:
+ location: *candid-location
+ rendezvous-timeout: 10m
+ admin-agent-public-key: __CANDID_ADMIN_AGENT_KEY__
+ private-key: __CANDID_PRIV_KEY__
+ public-key: __CANDID_PUB_KEY__
+ identity-providers: |
+ - type: static
+ name: static
+ domain: se
+ description: Static Identity Provider
+ users:
+ user1:
+ name: User One
+ email: user1@se
+ password: password1
+ groups: [group1, group2]
+ user2:
+ name: User Two
+ email: user2@se
+ password: password2
+ groups: [group1, group2]
+ central-admin:
+ name: central admin
+ email: central-admin@se
+ password: central-admin
+ groups: [group1, group5]
+ hidden: false
+ candid-haproxy:
+ series: jammy
+ charm: haproxy
+ num_units: 1
+ options:
+ default_mode: tcp
+ enable_monitoring: True
+ peering_mode: active-active
+ ssl_cert: *ssl_cert
+ ssl_key: *ssl_key
+ services: |
+ - service_name: app-candid
+ service_host: "0.0.0.0"
+ service_port: 443
+ service_options:
+ - mode http
+ - balance source # JIRA: #CSS-4991
+ - cookie SRVNAME insert
+ - timeout server 12m
+ - option httpchk GET /debug/info HTTP/1.0
+ - acl metrics path -i /metrics
+ - http-request deny if metrics
+ crts: [DEFAULT]
+ server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+ - service_name: api_http
+ service_host: "0.0.0.0"
+ service_port: 80
+ service_options:
+ - mode http
+ - http-request redirect scheme https
+ jimm-haproxy:
+ series: jammy
+ charm: haproxy
+ num_units: 1
+ options:
+ default_mode: tcp
+ enable_monitoring: True
+ peering_mode: active-active
+ ssl_cert: *ssl_cert
+ ssl_key: *ssl_key
+ services: |
+ - service_name: app-jimm
+ service_host: "0.0.0.0"
+ service_port: 443
+ service_options:
+ - mode http
+ - balance leastconn
+ - cookie SRVNAME insert
+ - option httpchk GET /debug/info HTTP/1.0
+ - acl metrics path -i /metrics
+ - http-request deny if metrics
+ server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+ crts: [DEFAULT]
+ - service_name: api_http
+ service_host: "0.0.0.0"
+ service_port: 80
+ service_options:
+ - mode http
+ - http-request redirect scheme https
+ jimm:
+ series: focal
+ charm: juju-jimm
+ channel: 1/candidate
+ num_units: 1
+ options:
+ candid-url: *candid-location
+ controller-admins: *jaas-controller-admin
+ uuid: *jimm-uuid
+ dns-name: *jimm-dns-name
+
+relations:
+- ["tls-certificates-operator", "postgresql"]
+- ["candid", "postgresql:db"]
+- ["candid-haproxy:reverseproxy", "candid:website"]
+- ["jimm-haproxy:reverseproxy", "jimm:website"]
+- ["jimm", "postgresql"]
+
diff --git a/jaas/module_defaults b/jaas/module_defaults
new file mode 100644
index 00000000..e6e16871
--- /dev/null
+++ b/jaas/module_defaults
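Review bot: The header comment should say that the rendered bundle is sensitive: `private-key: __CANDID_PRIV_KEY__` and `ssl_key: &ssl_key __SSL_KEY__` are filled with private key material, and the static identity provider lists plaintext passwords (`password1`, `password2`, `central-admin`). Proposed addition after the existing header: `# NOTE: the generated bundle embeds the candid private key, the haproxy TLS key and static test-only user passwords; treat it as a secret and do not commit it.` The static IdP block itself deserves a `# test-only identities, never reuse outside a throwaway environment` marker. `jimm-uuid` is a fixed constant shared by every bundle rendered from this template; if more than one JAAS environment is ever rendered from it, the value probably belongs in a `__JIMM_UUID__` variable with a default in module_defaults.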
@@ -0,0 +1,8 @@
+# This file must contain defaults for all variables used in bundles/ovelays.
+# They are used to render to final product in the event they are not provided
+# elsewhere. It is inserted into the global context at the start of the
+# pipeline.
+#
+# You can check that none are missing by running lint/check_var_defaults.sh
+#
+
diff --git a/jaas/overlays b/jaas/overlays
new file mode 120000
index 00000000..0d44a21c
--- /dev/null
+++ b/jaas/overlays
@@ -0,0 +1 @@
+../overlays
\ No newline at end of file
diff --git a/jaas/pipeline/00setup b/jaas/pipeline/00setup
new file mode 100644
index 00000000..c720459b
--- /dev/null
+++ b/jaas/pipeline/00setup
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Globals
+export MOD_NAME=jaas
+export MOD_BASE_TEMPLATE=jaas.yaml.template
+export MOD_SSL_STATE_DIR=${MOD_NAME}
+[ -n "${MASTER_OPTS[BUNDLE_NAME]}" ] && \
+ MOD_SSL_STATE_DIR="${MOD_SSL_STATE_DIR}-${MASTER_OPTS[BUNDLE_NAME]}"
+
+# opts that 02configure does not recognise that get passed to the generator
+export -a MOD_PASSTHROUGH_OPTS=()
+
+# Collection of messages to display at the end
+export -A MOD_MSGS=()
+
+# Array list of overlays to use with this deployment.
+export -a MOD_OVERLAYS=()
+
+export -A MOD_PARAMS=()
diff --git a/jaas/pipeline/01import-config-defaults b/jaas/pipeline/01import-config-defaults
new file mode 100644
index 00000000..c1b7565b
--- /dev/null
+++ b/jaas/pipeline/01import-config-defaults
@@ -0,0 +1,4 @@
+# Start with dependency defaults in case we want to override any locally
+
+# Current module imports
+. $MOD_DIR/module_defaults
diff --git a/jaas/pipeline/02configure b/jaas/pipeline/02configure
new file mode 100644
index 00000000..3839a0c2
--- /dev/null
+++ b/jaas/pipeline/02configure
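Review bot: The header states that this file must hold defaults for every variable used in the bundle, yet no defaults follow although the template references `__SSL_CA__`, `__SSL_CERT__`, `__SSL_KEY__`, `__CANDID_PUB_KEY__`, `__CANDID_PRIV_KEY__`, `__CANDID_ADMIN_AGENT_KEY__` and `__SERIES__`. Presumably they are populated by 02configure (keys, certs) and the common code (series), which the file should say so the stated contract is not misleading, e.g. `# No module-specific defaults: all __*__ values used by jaas.yaml.template are set in 02configure or by common/.` The first line also has a typo, `ovelays` for `overlays`.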
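Review bot: `export -A MOD_PARAMS=()` is the only global in 00setup without a comment; since 02configure fills it with `__VAR__` to value entries that are substituted into the template, propose `# Template/overlay variable values (__VAR__ -> value) consumed by the generator`. Note also that bash does not pass arrays through the environment, so `export -a`/`export -A` act like `declare` here and only work because the pipeline files are sourced into one shell; presumably intentional and consistent with the other modules, but worth a one-line comment on the first of them.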
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Global variables are first defined in 00setup and module
+# dependencies are defined in 01import-config-defaults
+#
+# All overlay/bundle variables (MOD_PARAMS) defaults must go into
+# the /module_defaults file.
+
+if ! `juju --version| egrep -q "^3.2"`; then
+ echo "ERROR: juju version 3.2 or above is required for deploying JAAS"
+ exit 1
+fi
+
+if ! `snap list| grep -q candid`; then
+ sudo snap install candid --channel latest/candidate
+fi
+
+candid_keys=$(pwd)/keys
+mkdir -p $candid_keys
+/snap/candid/current/bin/bakery-keygen > ${candid_keys}/bakery-key.json
+cat ${candid_keys}/bakery-key.json | jq -r .public | tr -d '\n' > ${candid_keys}/public-key
+cat ${candid_keys}/bakery-key.json | jq -r .private | tr -d '\n' > ${candid_keys}/private-key
+CANDID_URL=https://candid.sts candid create-agent --admin -f ${candid_keys}/admin.agent
+cat ${candid_keys}/admin.agent | jq -r .key.public | tr -d '\n' > ${candid_keys}/admin-agent-public-key
+
+(cd ssl; . ./create_ca_cert.sh $MOD_SSL_STATE_DIR;)
+ssl_results="ssl/$MOD_SSL_STATE_DIR/results"
+MOD_PARAMS[__SSL_PATH__]=$ssl_results
+MOD_PARAMS[__CANDID_PUB_KEY__]=`cat $candid_keys/public-key`
+MOD_PARAMS[__CANDID_PRIV_KEY__]=`cat $candid_keys/private-key`
+MOD_PARAMS[__CANDID_ADMIN_AGENT_KEY__]=`cat $candid_keys/admin-agent-public-key`
+MOD_PARAMS[__SSL_CA__]=`base64 ${ssl_results}/cacert.pem| tr -d '\n'`
+MOD_PARAMS[__SSL_CERT__]=`base64 ${ssl_results}/servercert.pem| tr -d '\n'`
+MOD_PARAMS[__SSL_KEY__]=`base64 ${ssl_results}/serverkey.pem| tr -d '\n'`
+
+# Skip processing input if it includes exclusive passthrough options
+! has_excl_passthrough_opt && \
+while (($# > 0))
+do
+ case "$1" in
+ *)
+ echo "ERROR: invalid input '$1'"
+ _usage
+ exit 1
+ ;;
+ esac
+ shift
+done
+
diff --git a/jaas/pipeline/03build b/jaas/pipeline/03build
new file mode 100644
index 00000000..62dd78f9
--- /dev/null
+++ b/jaas/pipeline/03build
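Review bot: The version gate `if ! \`juju --version| egrep -q "^3.2"\`` accepts only 3.2.x (and the unescaped dot also matches any character) while the message next to it promises "3.2 or above", so juju 3.3+ is rejected; it also relies on bash returning the status of the last command substitution for an otherwise empty command, which hides the intent. The candid private key, `bakery-key.json` and `admin.agent` are written under `$(pwd)/keys` with the default umask, so they are typically created world-readable; the directory should be owner-only before anything is written into it. The admin agent is created against `CANDID_URL=https://candid.sts` while the template fixes candid's location to `https://candid.se`; the extracted public key appears unaffected, but the agent file will point at the wrong host if it is reused with the candid CLI. The result of `(cd ssl; . ./create_ca_cert.sh $MOD_SSL_STATE_DIR;)` is never checked, so a failed cert generation silently renders empty `__SSL_CA__`/`__SSL_CERT__`/`__SSL_KEY__` values. The fence below rewrites the version check and the key generation; the agent URL and a `[ -f "${ssl_results}/serverkey.pem" ] || exit 1` style check are one-line follow-ups.

```shell
# Accept 3.2 and anything newer (not just 3.2.x); sort -V orders version strings.
juju_version=$(juju --version) || { echo "ERROR: juju is not installed"; exit 1; }
if [[ "$(printf '%s\n' 3.2 "$juju_version" | sort -V | head -n1)" != 3.2 ]]; then
    echo "ERROR: juju version 3.2 or above is required for deploying JAAS"
    exit 1
fi

# … unchanged: candid snap install …

candid_keys=$(pwd)/keys
# bakery-key.json, private-key and admin.agent hold private key material, so
# keep the directory owner-only (mkdir -m only applies when it is created).
mkdir -p -m 700 "$candid_keys" && chmod 700 "$candid_keys"
/snap/candid/current/bin/bakery-keygen > "${candid_keys}/bakery-key.json" || { echo "ERROR: bakery-keygen failed"; exit 1; }
jq -r .public "${candid_keys}/bakery-key.json" | tr -d '\n' > "${candid_keys}/public-key"
jq -r .private "${candid_keys}/bakery-key.json" | tr -d '\n' > "${candid_keys}/private-key"

# … unchanged: create-agent, ssl generation and MOD_PARAMS assignments …
```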
@@ -0,0 +1,5 @@
+#!/bin/bash
+. $MOD_DIR/common/generate_bundle_base
+
+print_msgs
+
diff --git a/jaas/ssl b/jaas/ssl
new file mode 120000
index 00000000..99a52664
--- /dev/null
+++ b/jaas/ssl
@@ -0,0 +1 @@
+../ssl
\ No newline at end of file