diff --git a/roles/access/defaults/main.yml b/roles/access/defaults/main.yml
deleted file mode 100644
index c29effdbf..000000000
--- a/roles/access/defaults/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-access_manage_provision_oidcrp_client_id: "{{ access.oidc_client_id }}"
-access_manage_provision_oidcrp_name_en: "{{ instance_name }} Access"
-access_manage_provision_oidcrp_description_en: "{{ instance_name }} Access"
-access_manage_provision_oidcrp_secret: "{{ access.oidc_secret }}"
-access_manage_provision_oidcrp_redirecturls: "https://access.{{ base_domain }}/redirect"
-access_manage_provision_oidcrp_grants: "authorization_code"
-access_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ access.resource_server_id }}"}'
-access_manage_provision_oidcrp_is_public_client: false
-
-access_manage_provision_oauth_rs_name_en: "{{ instance_name }} Access Resource Server"
-access_manage_provision_oauth_rs_description_en: "{{ instance_name }} Access Resource Server"
-access_manage_provision_oauth_rs_client_id: "{{ access.resource_server_id }}"
-access_manage_provision_oauth_rs_rp_secret: "{{ access.resource_server_secret }}"
-access_manage_provision_oauth_rs_scopes: "openid"
diff --git a/roles/access/vars/main.yml b/roles/access/vars/main.yml
deleted file mode 100644
index eb3938753..000000000
--- a/roles/access/vars/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-manage_provision_oidcrp_client_id: "{{ access_manage_provision_oidcrp_client_id }}"
-manage_provision_oidcrp_name_en: "{{ access_manage_provision_oidcrp_name_en }}"
-manage_provision_oidcrp_description_en: "{{ access_manage_provision_oidcrp_description_en }}"
-manage_provision_oidcrp_secret: "{{ access_manage_provision_oidcrp_secret }}"
-manage_provision_oidcrp_redirecturls: "{{ access_manage_provision_oidcrp_redirecturls }}"
-manage_provision_oidcrp_grants: "{{ access_manage_provision_oidcrp_grants }}"
-manage_provision_oidcrp_allowed_resource_servers: "{{ access_manage_provision_oidcrp_allowed_resource_servers }}"
-manage_provision_oidcrp_is_public_client: "{{ access_manage_provision_oidcrp_is_public_client }}"
-manage_provision_oauth_rs_name_en: "{{ access_manage_provision_oauth_rs_name_en }}"
-manage_provision_oauth_rs_description_en: "{{ access_manage_provision_oauth_rs_description_en }}"
-manage_provision_oauth_rs_client_id: "{{ access_manage_provision_oauth_rs_client_id }}"
-manage_provision_oauth_rs_secret: "{{ access_manage_provision_oauth_rs_rp_secret }}"
-manage_provision_oauth_rs_scopes: "{{ access_manage_provision_oauth_rs_scopes }}"
diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml
new file mode 100644
index 000000000..5b9500f20
--- /dev/null
+++ b/roles/invite/defaults/main.yml
@@ -0,0 +1,14 @@
+invite_manage_provision_oidcrp_client_id: "{{ invite.oidc_client_id }}"
+invite_manage_provision_oidcrp_name_en: "{{ instance_name }} invite"
+invite_manage_provision_oidcrp_description_en: "{{ instance_name }} invite"
+invite_manage_provision_oidcrp_secret: "{{ invite.oidc_secret }}"
+invite_manage_provision_oidcrp_redirecturls: "https://invite.{{ base_domain }}/redirect"
+invite_manage_provision_oidcrp_grants: "authorization_code"
+invite_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ invite.resource_server_id }}"}'
+invite_manage_provision_oidcrp_is_public_client: false
+
+invite_manage_provision_oauth_rs_name_en: "{{ instance_name }} invite Resource Server"
+invite_manage_provision_oauth_rs_description_en: "{{ instance_name }} invite Resource Server"
+invite_manage_provision_oauth_rs_client_id: "{{ invite.resource_server_id }}"
+invite_manage_provision_oauth_rs_rp_secret: "{{ invite.resource_server_secret }}"
+invite_manage_provision_oauth_rs_scopes: "openid"
diff --git a/roles/access/tasks/main.yml b/roles/invite/tasks/main.yml
similarity index 63%
rename from roles/access/tasks/main.yml
rename to roles/invite/tasks/main.yml
index 200dceb65..cb40f0654 100644
--- a/roles/access/tasks/main.yml
+++ b/roles/invite/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Create directory to keep configfile
 ansible.builtin.file:
- dest: "/opt/openconext/access"
+ dest: "/opt/openconext/invite"
 state: directory
 owner: root
 group: root
@@ -10,7 +10,7 @@
 - name: Place the serverapplication configfiles
 ansible.builtin.template:
 src: "{{ item }}.j2"
- dest: /opt/openconext/access/{{ item }}
+ dest: /opt/openconext/invite/{{ item }}
 owner: root
 group: root
 mode: "0644"
@@ -21,7 +21,7 @@
 - name: Place the mockapplication configfiles
 ansible.builtin.template:
 src: "{{ item }}.j2"
- dest: /opt/openconext/access/{{ item }}
+ dest: /opt/openconext/invite/{{ item }}
 owner: root
 group: root
 mode: "0644"
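Review bot: The `dest: /opt/openconext/invite/{{ item }}` line in the `@@ -10,7 +10,7 @@` hunk places serverapplication.yml under root ownership with the context `mode: "0644"`, so every local account on the host can read it, and the serverapplication.yml.j2 hunks further down show that file carries the database password, the OIDC client secret and the voot, attribute-aggregation, lifecycle and manage credentials. The rename carries that permission over unchanged; `mode: "0600"` keeps the secrets readable by root only and the bind mount still works if the container process runs as root (that uid is not visible here — if it runs unprivileged, grant the file to that uid rather than to everyone). The same applies to mockapplication.yml placed by the `@@ -21,7 +21,7 @@` hunk, which holds the database credentials too. The loop and any `when` of both tasks lie outside the hunks.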
@@ -31,15 +31,15 @@
 - name: Create and start the server container
 community.docker.docker_container:
- name: openconextaccessserver
- image: ghcr.io/openconext/openconext-access/accessserver:{{ access_server_version }}
+ name: inviteserver
+ image: ghcr.io/openconext/openconext-invite/inviteserver:{{ invite_server_version }}
 pull: true
 restart_policy: "always"
 state: started
 networks:
 - name: "loadbalancer"
 mounts:
- - source: /opt/openconext/access/serverapplication.yml
+ - source: /opt/openconext/invite/serverapplication.yml
 target: /application.yml
 type: bind
 command: '--spring.config.location=./'
@@ -50,8 +50,8 @@
 - name: Create and (re)start the server container
 community.docker.docker_container:
- name: openconextaccessserver
- image: ghcr.io/openconext/openconext-access/accessserver:{{ access_server_version }}
+ name: openconextinviteserver
+ image: ghcr.io/openconext/openconext-invite/inviteserver:{{ invite_server_version }}
 pull: true
 restart_policy: "always"
 state: started
@@ -59,7 +59,7 @@
 networks:
 - name: "loadbalancer"
 mounts:
- - source: /opt/openconext/access/serverapplication.yml
+ - source: /opt/openconext/invite/serverapplication.yml
 target: /application.yml
 type: bind
 command: '--spring.config.location=./'
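Review bot: The two server-container tasks now create containers with different names: `name: inviteserver` in the `@@ -31,15 +31,15 @@` hunk and `name: openconextinviteserver` in the `@@ -50,8 +50,8 @@` hunk, whereas the old side used `openconextaccessserver` for both. If these tasks are the usual "config unchanged / config changed" pair (their `when:` conditions lie outside the hunks, but the mock tasks later in the diff follow that pattern), a config change will start a second server container next to the first instead of restarting it, and both would sit on the loadbalancer network with the same bind-mounted config. Use one name in both tasks, e.g. `name: openconextinviteserver` in the first task to match the second.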
@@ -70,82 +70,82 @@
 - name: Create the client container
 community.docker.docker_container:
- name: accessclient
- image: ghcr.io/openconext/openconext-access/accessclient:{{ access_client_version }}
+ name: inviteclient
+ image: ghcr.io/openconext/openconext-invite/inviteclient:{{ invite_client_version }}
 pull: true
 restart_policy: "always"
 state: started
 networks:
 - name: "loadbalancer"
 labels:
- traefik.http.routers.accessclient.rule: "Host(`access.{{ base_domain }}`)"
- traefik.http.routers.accessclient.tls: "true"
+ traefik.http.routers.inviteclient.rule: "Host(`invite.{{ base_domain }}`)"
+ traefik.http.routers.inviteclient.tls: "true"
 traefik.enable: "true"
 - name: Create the welcome container
 community.docker.docker_container:
- name: accesswelcome
- image: ghcr.io/openconext/openconext-access/accessswelcome:{{ access_welcome_version }}
+ name: invitewelcome
+ image: ghcr.io/openconext/openconext-invite/invitewelcome:{{ invite_welcome_version }}
 pull: true
 restart_policy: "always"
 state: started
 networks:
 - name: "loadbalancer"
 labels:
- traefik.http.routers.accesswelcome.rule: "Host(`welcome.{{ base_domain }}`)"
- traefik.http.routers.accesswelcome.tls: "true"
+ traefik.http.routers.invitewelcome.rule: "Host(`welcome.{{ base_domain }}`)"
+ traefik.http.routers.invitewelcome.tls: "true"
 traefik.enable: "true"
 - name: Create and start the mock provisioning container
 community.docker.docker_container:
- name: accesssprovisioningmock
- image: ghcr.io/openconext/openconext-access/accesssprovisioningmock:{{ access_mock_version }}
+ name: inviteprovisioningmock
+ image: ghcr.io/openconext/openconext-invite/inviteprovisioningmock:{{ invite_mock_version }}
 pull: true
 restart_policy: "always"
 state: started
 command: '--spring.config.location=./'
 mounts:
- - source: /opt/openconext/access/mockapplication.yml
+ - source: /opt/openconext/invite/mockapplication.yml
 target: /application.yml
 type: bind
 networks:
 - name: "loadbalancer"
 labels:
- traefik.http.routers.accessmock.rule: "Host(`mock.{{ base_domain }}`)"
- traefik.http.routers.accessmock.tls: "true"
- traefik.http.services.accessmock.loadbalancer.server.port: "8081"
+ traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)"
+ traefik.http.routers.invitemock.tls: "true"
+ traefik.http.services.invitemock.loadbalancer.server.port: "8081"
 traefik.enable: "true"
 when: not mockconfigfiles.changed
 - name: Create and (re)start the mock provisioning container
 community.docker.docker_container:
- name: accesssprovisioningmock
- image: ghcr.io/openconext/openconext-access/accesssprovisioningmock:{{ access_mock_version }}
+ name: inviteprovisioningmock
+ image: ghcr.io/openconext/openconext-invite/inviteprovisioningmock:{{ invite_mock_version }}
 pull: true
 restart_policy: "always"
 restart: true
 state: started
 command: '--spring.config.location=./'
 mounts:
- - source: /opt/openconext/access/mockapplication.yml
+ - source: /opt/openconext/invite/mockapplication.yml
 target: /application.yml
 type: bind
 networks:
 - name: "loadbalancer"
 labels:
- traefik.http.routers.accessmock.rule: "Host(`mock.{{ base_domain }}`)"
- traefik.http.routers.accessmock.tls: "true"
- traefik.http.services.accessmock.loadbalancer.server.port: "8081"
+ traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)"
+ traefik.http.routers.invitemock.tls: "true"
+ traefik.http.services.invitemock.loadbalancer.server.port: "8081"
 traefik.enable: "true"
 when: mockconfigfiles.changed
-- name: Include the role manage_provision_entities to provision access client to Manage
+- name: Include the role manage_provision_entities to provision invite client to Manage
 ansible.builtin.include_role:
 name: manage_provision_entities
 vars:
 entity_type: oidc10_rp
-- name: Include the role manage_provision_entities to provision access client to Manage
+- name: Include the role manage_provision_entities to provision invite client to Manage
 ansible.builtin.include_role:
 name: manage_provision_entities
 vars:
diff --git a/roles/access/templates/mockapplication.yml.j2 b/roles/invite/templates/mockapplication.yml.j2
similarity index 83%
rename from roles/access/templates/mockapplication.yml.j2
rename to roles/invite/templates/mockapplication.yml.j2
index 15887f908..001f065b8 100644
--- a/roles/access/templates/mockapplication.yml.j2
+++ b/roles/invite/templates/mockapplication.yml.j2
@@ -14,9 +14,9 @@ spring:
 open-in-view: false
 datasource:
 driver-class-name: com.mysql.cj.jdbc.Driver
- url: jdbc:mysql://{{ access.db_host }}/access
- username: {{ access.db_user }}
- password: {{ access.db_secret }}
+ url: jdbc:mysql://{{ invite.db_host }}/invite
+ username: {{ invite.db_user }}
+ password: {{ invite.db_secret }}
 server:
 port: 8081
diff --git a/roles/access/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
similarity index 76%
rename from roles/access/templates/serverapplication.yml.j2
rename to roles/invite/templates/serverapplication.yml.j2
index f3e2c7766..f31499398 100644
--- a/roles/access/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
@@ -26,8 +26,8 @@ spring:
 client:
 registration:
 oidcng:
- client-id: "{{ access.oidc_client_id }}"
- client-secret: "{{ access.oidc_secret }}"
+ client-id: "{{ invite.oidc_client_id }}"
+ client-secret: "{{ invite.oidc_secret }}"
 redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"
 authorization-grant-type: "authorization_code"
 scope: openid
@@ -47,9 +47,9 @@ spring:
 open-in-view: false
 datasource:
 driver-class-name: com.mysql.cj.jdbc.Driver
- url: jdbc:mysql://{{ access.db_host }}/access
- username: {{ access.db_user }}
- password: {{ access.db_secret }}
+ url: jdbc:mysql://{{ invite.db_host }}/invite
+ username: {{ invite.db_user }}
+ password: {{ invite.db_secret }}
 flyway:
 locations: classpath:db/{vendor}/migration
 fail-on-missing-locations: true
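Review bot: The two `ansible.builtin.include_role` tasks at the end of the hunk carry the same name, `Include the role manage_provision_entities to provision invite client to Manage`, although the first passes `entity_type: oidc10_rp` and the second (its `vars:` run past the hunk) presumably provisions the resource server; the duplicate name makes play output and `--start-at-task` ambiguous. Rename the second, e.g. `- name: Include the role manage_provision_entities to provision invite resource server to Manage`. Separately, the welcome and mock containers are routed on `welcome.{{ base_domain }}` and `mock.{{ base_domain }}` while the client is namespaced as `invite.{{ base_domain }}`; should another role on the same Traefik instance register those generic hosts, the router rules collide, so a per-application host (for instance an `invite-` prefix) would be safer — whether such a collision exists cannot be told from the diff.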
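Review bot: `username: {{ invite.db_user }}` and `password: {{ invite.db_secret }}` in the `@@ -14,9 +14,9 @@` hunk are rendered unquoted, so a credential that starts with a YAML indicator (`*`, `&`, `[`, `{`, `#`, `%`, `@`), contains `: ` or ` #`, or merely looks like a number or boolean is mis-parsed or rejected by the application's YAML loader at startup instead of being used verbatim, and a later rotation to such a value breaks the service with no hint in this role. Quote them, ideally as `password: {{ invite.db_secret | to_json }}`, which emits a double-quoted scalar with any embedded quote or backslash escaped, or at minimum `password: "{{ invite.db_secret }}"` as the `client-secret` line in serverapplication.yml.j2 already does. The same unquoted interpolation recurs in serverapplication.yml.j2 in the `@@ -47,9 +47,9 @@` hunk (`username`/`password`), the `@@ -68,34 +68,34 @@` hunk (`resource-server-id` and the voot, attribute-aggregation and lifecyle `user`/`password` pairs) and the `@@ -106,8 +106,8 @@` hunk (manage `user`/`password`).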
@@ -68,34 +68,34 @@ cron:
 oidcng:
 discovery-url: "https://connect.{{ base_domain }}/oidc/.well-known/openid-configuration"
 introspect-url: "https://connect.{{ base_domain }}/oidc/introspect"
- resource-server-id: {{ access.resource_server_id }}
- resource-server-secret: "{{ access.resource_server_secret }}"
- base-url: https://access.{{ base_domain }}
+ resource-server-id: {{ invite.resource_server_id }}
+ resource-server-secret: "{{ invite.resource_server_secret }}"
+ base-url: https://invite.{{ base_domain }}
 super-admin:
- users: {{ access.super_admins }}
+ users: {{ invite.super_admins }}
 config:
- client-url: "https://access.{{ base_domain}}"
+ client-url: "https://invite.{{ base_domain}}"
 welcome-url: "https://welcome.{{ base_domain}}"
- server-url: "https://access.{{ base_domain }}"
+ server-url: "https://invite.{{ base_domain }}"
 server-welcome-url: "https://welcome.{{ base_domain }}"
 eduid-entity-id: "https://login.{{ myconext_base_domain }}"
 role-search-required: false
- past-date-allowed: {{ access.past_date_allowed }}
+ past-date-allowed: {{ invite.past_date_allowed }}
 voot:
- user: {{ access.vootuser}}
- password: {{ access.vootsecret}}
- group_urn_domain: urn:mace:surf.nl:test.surfaccess.nl
+ user: {{ invite.vootuser}}
+ password: {{ invite.vootsecret}}
+ group_urn_domain: urn:mace:surf.nl:test.surfinvite.nl
 attribute-aggregation:
- user: {{ access.attribute_aggregation_user }}
- password: {{ access.attribute_aggregation_secret }}
+ user: {{ invite.attribute_aggregation_user }}
+ password: {{ invite.attribute_aggregation_secret }}
 lifecyle:
- user: {{ access.lifecyle_user }}
- password: {{ access.lifecyle_secret }}
+ user: {{ invite.lifecyle_user }}
+ password: {{ invite.lifecyle_secret }}
 email:
 from: "{{ noreply_email }}"
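Review bot: `group_urn_domain: urn:mace:surf.nl:test.surfinvite.nl` is a hard-coded test-environment literal that the rename changed mechanically from `surfaccess` to `surfinvite`; it is the only value in this hunk not taken from a variable, so every deployment that is not that test instance now ships a group URN domain nobody configured. Take it from the `invite` dict like its neighbours, e.g. `group_urn_domain: "{{ invite.voot_group_urn_domain }}"` (key name is a suggestion) with the literal kept as the role default. `{{ base_domain}}` in `client-url` and `welcome-url` lacks the closing space used everywhere else; harmless to Jinja but worth aligning. `users: {{ invite.super_admins }}` relies on Jinja's repr of the value being valid YAML — if `super_admins` is a list, `users: {{ invite.super_admins | to_json }}` makes the flow-sequence rendering explicit.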
@@ -106,8 +106,8 @@ email:
 manage:
 enabled: true
 url: "https://manage.{{ base_domain }}"
- user: {{ access.manageuser }}
- password: {{ access.managesecret }}
+ user: {{ invite.manageuser }}
+ password: {{ invite.managesecret }}
 springdoc:
 pathsToMatch: "/api/external/v1/**"
diff --git a/roles/invite/vars/main.yml b/roles/invite/vars/main.yml
new file mode 100644
index 000000000..bf126475d
--- /dev/null
+++ b/roles/invite/vars/main.yml
@@ -0,0 +1,13 @@
+manage_provision_oidcrp_client_id: "{{ invite_manage_provision_oidcrp_client_id }}"
+manage_provision_oidcrp_name_en: "{{ invite_manage_provision_oidcrp_name_en }}"
+manage_provision_oidcrp_description_en: "{{ invite_manage_provision_oidcrp_description_en }}"
+manage_provision_oidcrp_secret: "{{ invite_manage_provision_oidcrp_secret }}"
+manage_provision_oidcrp_redirecturls: "{{ invite_manage_provision_oidcrp_redirecturls }}"
+manage_provision_oidcrp_grants: "{{ invite_manage_provision_oidcrp_grants }}"
+manage_provision_oidcrp_allowed_resource_servers: "{{ invite_manage_provision_oidcrp_allowed_resource_servers }}"
+manage_provision_oidcrp_is_public_client: "{{ invite_manage_provision_oidcrp_is_public_client }}"
+manage_provision_oauth_rs_name_en: "{{ invite_manage_provision_oauth_rs_name_en }}"
+manage_provision_oauth_rs_description_en: "{{ invite_manage_provision_oauth_rs_description_en }}"
+manage_provision_oauth_rs_client_id: "{{ invite_manage_provision_oauth_rs_client_id }}"
+manage_provision_oauth_rs_secret: "{{ invite_manage_provision_oauth_rs_rp_secret }}"
+manage_provision_oauth_rs_scopes: "{{ invite_manage_provision_oauth_rs_scopes }}"