All apps that have a MariaDB connection now have the ability to use an

internal Docker network to connect to a local MariaDB host in Docker
OpenConext · Dec 2, 2024 · 152e5ea · 152e5ea
1 parent 2030a82
commit 152e5ea
Show file tree

Hide file tree

Showing 26 changed files with 133 additions and 35 deletions.
diff --git a/roles/attribute-aggregation/defaults/main.yml b/roles/attribute-aggregation/defaults/main.yml
@@ -9,3 +9,5 @@ aa_manage_provision_oidcrp_description_en: "OAuth client to access VOOT for grou
 aa_manage_provision_oidcrp_grants: "client_credentials"
 aa_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ voot.oidcng_checkToken_clientId }}"}'
 aa_spring_flyway_enabled: true
+aa_docker_networks:
+  name: loadbalancer
diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml
@@ -21,15 +21,21 @@
     - apachelink.conf
   notify: restart attribute-aggregationserver
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    aa_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create and start the server container
   community.docker.docker_container:
     name: aaserver
     image: ghcr.io/openconext/openconext-attribute-aggregation/aa-server:{{ attribute_aggregation_server_version }}
     pull: true
     restart_policy: "always"
     state: started
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ aa_docker_networks }}"
     mounts:
       - source: /opt/openconext/attribute-aggregation/serverapplication.yml
         target: /application.yml

diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
@@ -107,3 +107,5 @@ engine_site_notice_show: false
 engineblock_log_attributes: []
 
 engine_php_memory: 256M
+engine_docker_networks: 
+  name: loadbalancer
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
@@ -176,14 +176,20 @@
     name: engineblock_sessions
     state: present
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    engine_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "engineblock"
     image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }}
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ engine_docker_networks}}"
     labels:
       traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)"
       traefik.http.routers.engine.service: "engineblock"

diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml
@@ -15,3 +15,5 @@ invite_manage_provision_oauth_rs_scopes: "openid"
 invite_mock_install: false
 # Override is in the dockerX.env host_var files
 invite_cronjobmaster: true
+invite_docker_networks:
+  - name: loadbalancer
diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml
@@ -48,6 +48,13 @@
   when: invite_mock_install
   notify: restart inviteprovisioningmock
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    invite_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create and start the server container
   community.docker.docker_container:
     name: inviteserver
@@ -57,8 +64,7 @@
     pull: true
     restart_policy: "always"
     state: started
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ invite_docker_networks }}"
     mounts:
       - source: /opt/openconext/invite/serverapplication.yml
         target: /application.yml
@@ -80,7 +86,6 @@
       start_period: 10s
   register: inviteservercontainer
 
-
 - name: Create the client container
   community.docker.docker_container:
     name: inviteclient
@@ -133,6 +138,7 @@
     env:
       HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}"
 
+
 - name: Create and start the mock provisioning container
   community.docker.docker_container:
     name: inviteprovisioningmock
@@ -148,8 +154,7 @@
       - source: /etc/localtime
         target: /etc/localtime
         type: bind
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ invite_docker_networks }}"
     labels:
       traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)"
       traefik.http.routers.invitemock.tls: "true"

diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml
@@ -11,3 +11,5 @@ lifecycle_api_enabled: true
 lifecycle_api_password: secret
 lifecycle_api_username: lifecycle
 current_release_config_dir_name: /opt/openconext/{{ appname }}
+lifecycle_docker_networks:
+  - name: loadbalancer
diff --git a/roles/lifecycle/tasks/main.yml b/roles/lifecycle/tasks/main.yml
@@ -33,6 +33,13 @@
   notify:
     - restart {{ appname }}
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    lifecycle_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "{{ appname }}"
@@ -41,8 +48,7 @@
       host.docker.internal: host-gateway
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ lifecycle_docker_networks }}"
     labels:
       traefik.http.routers.lifecycle.rule: "Host(`lifecycle.{{ base_domain }}`)"
       traefik.http.routers.lifecycle.tls: "true"

diff --git a/roles/lifecycle/templates/parameters.yml.j2 b/roles/lifecycle/templates/parameters.yml.j2
@@ -20,7 +20,7 @@ parameters:
             password: "{{ teams_api_lifecycle_password }}"
             verify_ssl: true
         invite:
-            url: 'https://invite.{{ base_domain }}/api/'
+            url: 'https://invite.{{ base_domain }}/api/external/v1/'
             username: "{{ invite.lifecycle_user }}"
             password: "{{ invite.lifecycle_secret }}"
             verify_ssl: true

diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml
@@ -30,3 +30,5 @@ manage_tabs_enabled:
   - single_tenant_template
   - provisioning
   - sram
+manage_docker_networks:
+  name: loadbalancer
diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml
@@ -72,6 +72,13 @@
   notify:
     - "restart manageserver"
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    manage_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create and start the server container
   community.docker.docker_container:
     name: manageserver
@@ -80,8 +87,7 @@
     pull: true
     restart_policy: "always"
     state: started
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ manage_docker_networks}}"
     mounts:
       - source: /opt/openconext/manage/
         target: /config/

diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml
@@ -21,3 +21,5 @@ pdp_manage_provision_samlsp_trusted_proxy: false
 pdp_manage_provision_samlsp_sign: false
 pdp_spring_flyway_enabled: true
 pdp_manage_push_testmode: true
+pdp_docker_networks:
+  -name: loadbalancer
diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml
@@ -20,6 +20,13 @@
     - xacml.conext.properties
   notify: restart pdpserver
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    pdp_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create and start the server container
   community.docker.docker_container:
     name: pdpserver
@@ -29,8 +36,7 @@
     pull: true
     restart_policy: "always"
     state: started
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ pdp_docker_networks }}"
     mounts:
       - source: /opt/openconext/pdp/serverapplication.properties
         target: /application.properties
@@ -59,7 +65,7 @@
       retries: 3
       start_period: 10s
   register: pdpservercontainer
-    
+
 - name: Create the gui container
   community.docker.docker_container:
     name: pdpgui

diff --git a/roles/spdashboard/defaults/main.yml b/roles/spdashboard/defaults/main.yml
@@ -37,3 +37,5 @@ spdashboard_oidcng_playground_uri_test: https://oidc-playground.dev.support.surf
 spdashboard_oidcng_playground_uri_prod: https://oidc-playground.dev.support.surfconext.nl/redirect
 spdashboard_show_global_notice: False
 spdashboard_global_notice_date: "01-01-2020"
+spdashboard_docker_networks: 
+  - name: loadbalancer
diff --git a/roles/spdashboard/tasks/main.yml b/roles/spdashboard/tasks/main.yml
@@ -15,9 +15,12 @@
     group: root
     mode: 0644
 
-- name: Create the spdashboard container network
-  docker_network:
-    name: "spdashboard"
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    spdashboard_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
 
 - name: Create the container
   docker_container:
@@ -26,8 +29,7 @@
     env_file: "/opt/openconext/spdashboard/env"
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ spdashboard_docker_networks }}"
     labels:
       traefik.http.routers.spdashboard.rule: "Host(`{{ spdashboard_domain }}`)"
       traefik.http.routers.spdashboard.tls: "true"

diff --git a/roles/stepupgateway/defaults/main.yml b/roles/stepupgateway/defaults/main.yml
@@ -0,0 +1,2 @@
+gateway_docker_networks:
+  name: loadbalancer
diff --git a/roles/stepupgateway/tasks/main.yml b/roles/stepupgateway/tasks/main.yml
@@ -109,14 +109,20 @@
     owner: "{{ appname }}"
     mode: "0600"
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    gateway_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "{{ appname }}"
     image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ gateway_version }}
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ gateway_docker_networks }}"
     labels:
       traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)"
       traefik.http.routers.gateway.tls: "true"

diff --git a/roles/stepupmiddleware/defaults/main.yml b/roles/stepupmiddleware/defaults/main.yml
@@ -0,0 +1,2 @@
+middelware_docker_networks:
+  name: loadbalancer
diff --git a/roles/stepupmiddleware/tasks/bart.yml b/roles/stepupmiddleware/tasks/bart.yml
@@ -0,0 +1,7 @@
+- name: Include docker tasks when running docker
+  include_tasks: docker.yml
+  when: "'docker' in group_names"
+
+- name: Include vm tasks when running on a vm
+  include_tasks: vm.yml
+  when: "'docker' not in group_names"
diff --git a/roles/stepupmiddleware/tasks/docker.yml b/roles/stepupmiddleware/tasks/docker.yml
@@ -36,14 +36,20 @@
   notify:
     - restart {{ appname }}
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    middelware_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "{{ appname }}"
     image: ghcr.io/openconext/stepup-middleware/stepup-middleware:{{ middleware_version }}
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ middelware_docker_networks }}"
     labels:
       traefik.http.routers.middleware.rule: "Host(`{{ middleware_vhost_name }}`)"
       traefik.http.routers.middleware.tls: "true"

diff --git a/roles/stepuptiqr/defaults/main.yml b/roles/stepuptiqr/defaults/main.yml
@@ -0,0 +1,2 @@
+tiqr_docker_networks:
+  name: loadbalancer
diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml
@@ -45,11 +45,11 @@
   when: tiqr_apns_pemfile is defined
 
 - name: Write tiqr Firebase service json
-  copy:
+  ansible.builtin.copy:
     src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json"
     dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json"
     owner: "{{ appname }}"
-    mode: 0400
+    mode: "0400"
   when: tiqr_firebase_credentialsfile is defined
 
 - name: Place parameters.yml
@@ -62,14 +62,20 @@
   notify:
     - restart tiqr
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    tiqr_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "{{ appname }}"
     image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }}
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ tiqr_docker_networks }}"
     labels:
       traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)"
       traefik.http.routers.tiqr.tls: "true"

diff --git a/roles/stepupwebauthn/defaults/main.yml b/roles/stepupwebauthn/defaults/main.yml
@@ -0,0 +1,2 @@
+webauthn_docker_networks:
+  name: loadbalancer
diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml
@@ -97,14 +97,20 @@
   with_items:
     - "01-webauthn-db_init.sh"
 
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    webauthn_docker_networks:
+      - name: loadbalancer
+      - name: openconext_mariadb
+  when: mariadb_in_docker | default(false) | bool
+
 - name: Create the container
   community.docker.docker_container:
     name: "{{ appname }}"
     image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }}
     pull: true
     restart_policy: "always"
-    networks:
-      - name: "loadbalancer"
+    networks: "{{ webauthn_docker_networks }}"
     labels:
       traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)"
       traefik.http.routers.webauthn.tls: "true"

diff --git a/roles/teams/defaults/main.yml b/roles/teams/defaults/main.yml
@@ -8,7 +8,7 @@ teams_tos_en: https://example.org
 teams_tos_nl: https://example.org
 teams_tos_pt: https://example.org
 teams_main_link: https://www.openconext.org
-teams_organization: "{{ instance_name}}"
+teams_organization: "{{ instance_name }}"
 teams_api_lifecycle_username: teams_api_lifecycle_user
 teams_oauth2_token_url: "https://connect.{{ base_domain }}/oidc/token"
 teams_authz_client_id: "teams.{{ base_domain }}"
@@ -27,3 +27,5 @@ teams_manage_provision_samlsp_sp_cert: ""
 teams_manage_provision_samlsp_trusted_proxy: false
 teams_manage_provision_samlsp_sign: false
 teams_spring_flyway_enabled: true
+teams_docker_networks: 
+  - name: "loadbalancer"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		middelware_docker_networks:
		name: loadbalancer