

Merge pull request #3995 from zowe/apiml/v3/sercurity-conf
move security configuration back to gateway
MarkAckert authored Sep 18, 2024
2 parents d2f64cc + f57d956 commit ee75e1a
Showing 16 changed files with 50 additions and 51 deletions.
4 changes: 2 additions & 2 deletions bin/commands/internal/start/prepare/index.sh
Expand Up @@ -145,9 +145,9 @@ global_validate() {
if [[ ${ZWE_ENABLED_COMPONENTS} == *"discovery"* ]]; then
validate_this "validate_zosmf_host_and_port \"${ZOSMF_HOST}\" \"${ZOSMF_PORT}\" 2>&1" "zwe-internal-start-prepare,global_validate:${LINENO}"
else
if [ "${ZWE_components_zaas_apiml_security_auth_provider}" = "zosmf" ]; then
if [ "${ZWE_components_gateway_apiml_security_auth_provider}" = "zosmf" ]; then
let "ZWE_PRIVATE_ERRORS_FOUND=${ZWE_PRIVATE_OLD_ERRORS_FOUND}+1"
print_error "Using z/OSMF as 'components.zaas.apiml.security.auth.provider' is not possible: discovery is disabled."
print_error "Using z/OSMF as 'components.gateway.apiml.security.auth.provider' is not possible: discovery is disabled."
print_formatted_info "ZWELS" "zwe-internal-start-prepare,global_validate:${LINENO}" "Zosmf validation failed"
fi
fi
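Review bot: The check now inspects only `ZWE_components_gateway_apiml_security_auth_provider`, so an instance that still carries the old `components.zaas.apiml.security.auth.provider: zosmf` key appears to pass this validation silently and the "discovery is disabled" misconfiguration is no longer reported; the same applies to the TypeScript counterpart in bin/commands/internal/start/prepare/index.ts. A transitional check on the old key would make the move visible to operators, e.g. `if [ -n "${ZWE_components_zaas_apiml_security_auth_provider}" ]; then print_error "'components.zaas.apiml.security' has moved to 'components.gateway.apiml.security'; please update zowe.yaml."; fi`. global_validate starts outside the hunk.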
4 changes: 2 additions & 2 deletions bin/commands/internal/start/prepare/index.ts
Expand Up @@ -172,9 +172,9 @@ function globalValidate(enabledComponents:string[]): void {
privateErrors++;
common.printFormattedError('ZWELS', "zwe-internal-start-prepare,global_validate", "Zosmf validation failed");
}
} else if (std.getenv('ZWE_components_zaas_apiml_security_auth_provider') == "zosmf") {
} else if (std.getenv('ZWE_components_gateway_apiml_security_auth_provider') == "zosmf") {
privateErrors++;
common.printError("Using z/OSMF as 'components.zaas.apiml.security.auth.provider' is not possible: discovery is disabled.");
common.printError("Using z/OSMF as 'components.gateway.apiml.security.auth.provider' is not possible: discovery is disabled.");
common.printFormattedError('ZWELS', "zwe-internal-start-prepare,global_validate", "Zosmf validation failed");
}
}
10 changes: 5 additions & 5 deletions bin/commands/migrate/for/kubernetes/index.sh
Expand Up @@ -204,7 +204,7 @@ done

update_zowe_yaml "${temp_dir}/zowe.yaml" "zowe.externalPort" "${ZWE_CLI_PARAMETER_EXTERNAL_PORT}"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.gateway.port" "7554"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.zaas.port" "7563"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.zaas.port" "7558"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.discovery.port" "7553"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.api-catalog.port" "7552"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.caching-service.port" "7555"
Expand All @@ -220,13 +220,13 @@ update_zowe_yaml "${temp_dir}/zowe.yaml" "components.explorer-jes.enabled" "true
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.explorer-mvs.enabled" "true"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.explorer-uss.enabled" "true"

update_zowe_yaml "${temp_dir}/zowe.yaml" "components.zaas.apiml.security.x509.externalMapperUrl" ""
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.zaas.apiml.security.authorization.endpoint.url" ""
zaas_auth_provider=$(read_yaml "${temp_dir}/zowe.yaml" ".components.zaas.apiml.security.authorization.endpoint.provider")
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.gateway.apiml.security.x509.externalMapperUrl" ""
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.gateway.apiml.security.authorization.endpoint.url" ""
zaas_auth_provider=$(read_yaml "${temp_dir}/zowe.yaml" ".components.gateway.apiml.security.authorization.endpoint.provider")
if [ "${zaas_auth_provider}" != "" ]; then
print_message "Zowe APIML ZAAS authorization provider is suggested to be empty when running in Kubernetes. 'native' is not supported off Z platform."
fi
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.zaas.apiml.security.authorization.endpoint.provider" ""
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.gateway.apiml.security.authorization.endpoint.provider" ""
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.discovery.replicas" "1"
update_zowe_yaml "${temp_dir}/zowe.yaml" "components.caching-service.storage.mode" ""

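Review bot: The local variable and the user-facing warning still say ZAAS although the key read on the third added line of the second hunk is now `components.gateway.apiml.security.authorization.endpoint.provider`, so an operator following the message would look for the setting under the wrong component. I would rename `zaas_auth_provider` to `gateway_auth_provider` and change the message to `print_message "Zowe APIML Gateway authorization provider is suggested to be empty when running in Kubernetes. 'native' is not supported off Z platform."`. The surrounding script continues outside both hunks.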
2 changes: 1 addition & 1 deletion containers/kubernetes/samples/config-cm.yaml
Expand Up @@ -90,7 +90,7 @@ data:
zaas:
enabled: true
port: 7563
port: 7558
debug: false
discovery:
2 changes: 1 addition & 1 deletion containers/kubernetes/samples/zaas-service.yaml
Expand Up @@ -20,6 +20,6 @@ spec:
ports:
- name: zaas
protocol: TCP
port: 7563
port: 7558
targetPort: zaas-port
appProtocol: https
6 changes: 3 additions & 3 deletions containers/kubernetes/workloads/zaas-deployment.yaml
Expand Up @@ -61,17 +61,17 @@ spec:
cpu: "700m"
ports:
- name: zaas-port
containerPort: 7563
containerPort: 7558
protocol: TCP
startupProbe:
tcpSocket:
port: 7563
port: 7558
# this should give 90 * periodSeconds(default to 10) seconds about 15 minutes to confirm it's ready
periodSeconds: 10
failureThreshold: 90
livenessProbe:
tcpSocket:
port: 7563
port: 7558
# this should give 3 * periodSeconds(default to 10) seconds about 30 seconds to confirm it's offline
periodSeconds: 10
failureThreshold: 3
24 changes: 12 additions & 12 deletions example-zowe.yaml
Expand Up @@ -518,18 +518,6 @@ components:
enabled: true
port: 7554
debug: false

# If we customize this to use different external certificate, than should also
# define "server.internal.ssl.certificate" and enable "server.internal.ssl.enabled".
# certificate:
# keystore:
# alias: ""

# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
zaas:
enabled: true
port: 7563
debug: false
apiml:
security:
auth:
Expand All @@ -543,6 +531,18 @@ components:
provider: "native"
x509:
enabled: false

# If we customize this to use different external certificate, than should also
# define "server.internal.ssl.certificate" and enable "server.internal.ssl.enabled".
# certificate:
# keystore:
# alias: ""

# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
zaas:
enabled: true
port: 7558
debug: false
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
api-catalog:
enabled: true
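Review bot: The relocated comment `# If we customize this to use different external certificate, than should also` has a typo (`than` should be `then`), and because the commented-out `certificate:` example now sits between the gateway's `apiml.security` settings and the `zaas:` block, the comment no longer makes clear which component it documents. I would reword it as `# If the gateway is customized to use a different external certificate, then "server.internal.ssl.certificate" should also be defined and "server.internal.ssl.enabled" enabled.` Whether the example belongs to gateway or zaas cannot be recovered from the rendered indentation here, so confirm against the source before naming the component.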
2 changes: 1 addition & 1 deletion files/defaults.yaml
Expand Up @@ -177,7 +177,7 @@ components:
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
cloud-gateway:
enabled: false
port: 7563
port: 7558
debug: false

# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
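Review bot: The port is updated under a component still named `cloud-gateway` (with `enabled: false`), whereas every other file in this commit calls the component listening on 7558 `zaas`; if the component was renamed, this defaults block is keyed under the old name and will not apply to `components.zaas`, so it should likely become `zaas:` as well. I cannot tell from this hunk whether a separate `zaas:` block already exists elsewhere in files/defaults.yaml, so please confirm before renaming.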
2 changes: 1 addition & 1 deletion playbooks/all_host_vars_list.yml
Expand Up @@ -28,7 +28,7 @@ zos_zosmf_user: IZUSVR
zowe_apiml_catalog_port: 7552
zowe_apiml_discovery_port: 7553
zowe_apiml_gateway_port: 7554
zowe_apiml_zaas_port: 7563
zowe_apiml_zaas_port: 7558
zowe_apiml_gateway_timeout_millis: 600000
zowe_apiml_nonstrict_verify_certficates_of_services: true
zowe_apiml_security_auth_provider: zosmf
16 changes: 8 additions & 8 deletions playbooks/roles/configfmid/tasks/main.yml
Expand Up @@ -290,14 +290,14 @@
"components.gateway.apiml.gateway.timeoutMillis": "{{ zowe_apiml_gateway_timeout_millis }}"

# zaas settings
"components.zaas.apiml.security.x509.enabled": "{{ zowe_apiml_security_x509_enabled|string|lower }}"
"components.zaas.apiml.security.auth.provider": "{{ zowe_apiml_security_auth_provider|string|lower }}"
"components.zaas.apiml.security.auth.zosmf.jwtAutoconfiguration": "{{ zowe_apiml_security_zosmf_jwt_autoconfiguration_mode }}"
"components.zaas.apiml.security.oidc.enabled": "{{ zowe_apiml_security_oidc_enabled|string|lower }}"
"components.zaas.apiml.security.oidc.clientId": "{{ zowe_apiml_security_oidc_client_id|string }}"
"components.zaas.apiml.security.oidc.clientSecret": "{{ zowe_apiml_security_oidc_client_secret|string }}"
"components.zaas.apiml.security.oidc.registry": "{{ zowe_apiml_security_oidc_registry|string }}"
"components.zaas.apiml.security.oidc.jwks.uri": "{{ zowe_apiml_security_oidc_jwks_uri|string }}"
"components.gateway.apiml.security.x509.enabled": "{{ zowe_apiml_security_x509_enabled|string|lower }}"
"components.gateway.apiml.security.auth.provider": "{{ zowe_apiml_security_auth_provider|string|lower }}"
"components.gateway.apiml.security.auth.zosmf.jwtAutoconfiguration": "{{ zowe_apiml_security_zosmf_jwt_autoconfiguration_mode }}"
"components.gateway.apiml.security.oidc.enabled": "{{ zowe_apiml_security_oidc_enabled|string|lower }}"
"components.gateway.apiml.security.oidc.clientId": "{{ zowe_apiml_security_oidc_client_id|string }}"
"components.gateway.apiml.security.oidc.clientSecret": "{{ zowe_apiml_security_oidc_client_secret|string }}"
"components.gateway.apiml.security.oidc.registry": "{{ zowe_apiml_security_oidc_registry|string }}"
"components.gateway.apiml.security.oidc.jwks.uri": "{{ zowe_apiml_security_oidc_jwks_uri|string }}"
# desktop customizations
"zowe.environments.ZWED_SSH_PORT": "{{ zowe_zlux_terminal_ssh_port }}"
"zowe.environments.ZWED_TN3270_PORT": "{{ zowe_zlux_terminal_telnet_port }}"
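Review bot: The `# zaas settings` comment above the renamed keys is now stale, since every key under it is `components.gateway.apiml.security.*`; change it to `# gateway security settings` (the same stale `# zaas configs` comment remains in playbooks/roles/configure/tasks/main.yml). Separately, the `components.gateway.apiml.security.oidc.clientSecret` mapping writes the value of `zowe_apiml_security_oidc_client_secret` into the generated configuration; the task that owns this dictionary starts outside the hunk, so I cannot see whether it is marked `no_log: true`, which is worth confirming so the client secret is not echoed in playbook output.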
2 changes: 1 addition & 1 deletion playbooks/roles/configure/defaults/main.yml
Expand Up @@ -54,7 +54,7 @@ zos_zosmf_ca:
zowe_apiml_catalog_port: 7552
zowe_apiml_discovery_port: 7553
zowe_apiml_gateway_port: 7554
zowe_apiml_zaas_port: 7563
zowe_apiml_zaas_port: 7558
zowe_apiml_verify_certficates_of_services: true
zowe_apiml_nonstrict_verify_certficates_of_services: true
# APIML configuration properties
17 changes: 8 additions & 9 deletions playbooks/roles/configure/tasks/main.yml
Expand Up @@ -290,18 +290,17 @@
"components.zss.port": "{{ zowe_zss_port }}"
# other gateway configs
"components.gateway.apiml.gateway.timeoutMillis": "{{ zowe_apiml_gateway_timeout_millis }}"
"components.gateway.apiml.security.x509.enabled": "{{ zowe_apiml_security_x509_enabled|string|lower }}"
"components.gateway.apiml.service.forwardClientCertEnabled": "{{ zowe_apiml_service_forwardClientCertEnabled|string|lower }}"

# zaas configs
"components.zaas.apiml.security.x509.enabled": "{{ zowe_apiml_security_x509_enabled|string|lower }}"
"components.zass.apiml.security.auth.provider": "{{ zowe_apiml_security_auth_provider|string|lower }}"
"components.zaas.apiml.security.auth.zosmf.jwtAutoconfiguration": "{{ zowe_apiml_security_zosmf_jwt_autoconfiguration_mode }}"
"components.zaas.apiml.security.oidc.enabled": "{{ zowe_apiml_security_oidc_enabled|string|lower }}"
"components.zaas.apiml.security.oidc.clientId": "{{ zowe_apiml_security_oidc_client_id|string }}"
"components.zaas.apiml.security.oidc.clientSecret": "{{ zowe_apiml_security_oidc_client_secret|string }}"
"components.zaas.apiml.security.oidc.registry": "{{ zowe_apiml_security_oidc_registry|string }}"
"components.zaas.apiml.security.oidc.jwks.uri": "{{ zowe_apiml_security_oidc_jwks_uri|string }}"
"components.gateway.apiml.security.x509.enabled": "{{ zowe_apiml_security_x509_enabled|string|lower }}"
"components.gateway.apiml.security.auth.provider": "{{ zowe_apiml_security_auth_provider|string|lower }}"
"components.gateway.apiml.security.auth.zosmf.jwtAutoconfiguration": "{{ zowe_apiml_security_zosmf_jwt_autoconfiguration_mode }}"
"components.gateway.apiml.security.oidc.enabled": "{{ zowe_apiml_security_oidc_enabled|string|lower }}"
"components.gateway.apiml.security.oidc.clientId": "{{ zowe_apiml_security_oidc_client_id|string }}"
"components.gateway.apiml.security.oidc.clientSecret": "{{ zowe_apiml_security_oidc_client_secret|string }}"
"components.gateway.apiml.security.oidc.registry": "{{ zowe_apiml_security_oidc_registry|string }}"
"components.gateway.apiml.security.oidc.jwks.uri": "{{ zowe_apiml_security_oidc_jwks_uri|string }}"
# desktop customizations
"zowe.environments.ZWED_SSH_PORT": "{{ zowe_zlux_terminal_ssh_port }}"
"zowe.environments.ZWED_TN3270_PORT": "{{ zowe_zlux_terminal_telnet_port }}"
2 changes: 1 addition & 1 deletion playbooks/roles/custom_for_test/defaults/main.yml
Expand Up @@ -54,7 +54,7 @@ zos_zosmf_ca:
zowe_apiml_catalog_port: 7552
zowe_apiml_discovery_port: 7553
zowe_apiml_gateway_port: 7554
zowe_apiml_cloud_gateway_port: 7563
zowe_apiml_zaas_port: 7558
zowe_apiml_verify_certficates_of_services: true
zowe_apiml_nonstrict_verify_certficates_of_services: true
# APIML configuration properties
2 changes: 1 addition & 1 deletion playbooks/roles/verify/defaults/main.yml
Expand Up @@ -27,6 +27,6 @@ zowe_job_prefix: ZWE
zowe_proclib_membername: ZWESLSTC
zowe_instance_id: 1
# ports will be tested
zowe_apiml_zaas_port: 7563
zowe_apiml_zaas_port: 7558
zowe_apiml_gateway_port: 7554
zowe_zlux_port: 7556
2 changes: 1 addition & 1 deletion workflows/files/ZWECONF.properties
Expand Up @@ -383,7 +383,7 @@ components_zaas_enabled=true
# Category: components
# Description:
# Port for the APIML ZAAS
components_zaas_port=7563
components_zaas_port=7558

# components_zaas_debug
# Label: ZAAS debug
4 changes: 2 additions & 2 deletions workflows/files/ZWECONF.xml
Expand Up @@ -553,7 +553,7 @@ How we want to verify SSL certificates of services. Valid values are:
<integer>
<!-- Put validation here -->
<!-- Specify choices here -->
<default>7563</default>
<default>7558</default>
</integer>
</variable>
<variable name="components_zaas_debug" scope="instance" visibility="public">
Expand Down Expand Up @@ -2022,7 +2022,7 @@ echo ' enabled: ${instance-components_zaas_apiml_security_x509_enabled}
#if (${instance-components_zaas_enabled} == "false" )
echo ' zaas:' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' enabled: ${instance-components_zaas_enabled}' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' port: 7563' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' port: 7558' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' debug: false' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' apiml:' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
echo ' security:' >> "${instance-zowe_runtimeDirectory}/zowe.yaml"
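Review bot: The workflow script in the second hunk still emits `apiml:` and `security:` under the `zaas:` block of the generated zowe.yaml (the two context lines after the changed port echo), and the hunk header shows `instance-components_zaas_apiml_security_x509_enabled` still in use, while the rest of this commit moves `apiml.security.*` to `components.gateway`. If the gateway no longer reads security settings from `components.zaas`, a zowe.yaml produced by this workflow would carry those keys under a component that ignores them. The enclosing echo block continues outside the hunk, so please check whether those echo lines and the corresponding ZWECONF variables were meant to move as well.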

