From ebdde8807e83b9c3d9cfe0c7c98f78f4e02740c9 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Mon, 2 Dec 2024 10:27:28 +0100
Subject: [PATCH] All apps that have a MariaDB connection now have the ability to use an internal Docker network to connect to a local MariaDB host in Docker
---
 roles/attribute-aggregation/defaults/main.yml | 2 ++
 roles/attribute-aggregation/tasks/main.yml | 10 ++++++++--
 roles/engineblock/defaults/main.yml | 2 ++
 roles/engineblock/tasks/main.yml | 10 ++++++++--
 roles/invite/defaults/main.yml | 2 ++
 roles/invite/tasks/main.yml | 15 ++++++++++-----
 roles/lifecycle/defaults/main.yml | 2 ++
 roles/lifecycle/tasks/main.yml | 10 ++++++++--
 roles/manage/defaults/main.yml | 2 ++
 roles/manage/tasks/main.yml | 10 ++++++++--
 roles/pdp/defaults/main.yml | 2 ++
 roles/pdp/tasks/main.yml | 12 +++++++++---
 roles/spdashboard/defaults/main.yml | 2 ++
 roles/spdashboard/tasks/main.yml | 12 +++++++-----
 roles/stepupgateway/defaults/main.yml | 2 ++
 roles/stepupgateway/tasks/main.yml | 10 ++++++++--
 roles/stepupmiddleware/defaults/main.yml | 2 ++
 roles/stepupmiddleware/tasks/docker.yml | 10 ++++++++--
 roles/stepuptiqr/defaults/main.yml | 2 ++
 roles/stepuptiqr/tasks/main.yml | 14 ++++++++++----
 roles/stepupwebauthn/defaults/main.yml | 2 ++
 roles/stepupwebauthn/tasks/main.yml | 10 ++++++++--
 roles/teams/defaults/main.yml | 4 +++-
 roles/teams/tasks/main.yml | 10 ++++++++--
 24 files changed, 125 insertions(+), 34 deletions(-)
 create mode 100644 roles/stepupgateway/defaults/main.yml
 create mode 100644 roles/stepupmiddleware/defaults/main.yml
 create mode 100644 roles/stepuptiqr/defaults/main.yml
 create mode 100644 roles/stepupwebauthn/defaults/main.yml
diff --git a/roles/attribute-aggregation/defaults/main.yml b/roles/attribute-aggregation/defaults/main.yml
index c8fa91b23..d5bae0b6e 100644
--- a/roles/attribute-aggregation/defaults/main.yml
+++ b/roles/attribute-aggregation/defaults/main.yml
@@ -9,3 +9,5 @@ aa_manage_provision_oidcrp_description_en: "OAuth client to access VOOT for grou aa_manage_provision_oidcrp_grants: "client_credentials" aa_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ voot.oidcng_checkToken_clientId }}"}' aa_spring_flyway_enabled: true +aa_docker_networks: + - name: loadbalancer
diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml
index ab79fefe6..eded44567 100644
--- a/roles/attribute-aggregation/tasks/main.yml
+++ b/roles/attribute-aggregation/tasks/main.yml
@@ -21,6 +21,13 @@ - apachelink.conf notify: restart attribute-aggregationserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + aa_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: aaserver
@@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ aa_docker_networks }}" mounts: - source: /opt/openconext/attribute-aggregation/serverapplication.yml target: /application.yml
diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
index 07f906d37..f267d051d 100644
--- a/roles/engineblock/defaults/main.yml
+++ b/roles/engineblock/defaults/main.yml
@@ -107,3 +107,5 @@ engine_site_notice_show: false engineblock_log_attributes: [] engine_php_memory: 256M +engine_docker_networks: + - name: loadbalancer
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
index 2189ad4c2..7724de46e 100644
--- a/roles/engineblock/tasks/main.yml
+++ b/roles/engineblock/tasks/main.yml
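Review bot: The `set_fact` in the first attribute-aggregation tasks hunk replaces `aa_docker_networks` wholesale, so any extra network an operator added by overriding the role default is silently dropped as soon as `mariadb_in_docker` is true. Appending preserves the override and still adds the DB network: `aa_docker_networks: "{{ aa_docker_networks + [{'name': 'openconext_mariadb'}] }}"` (add `| unique` if the role can run twice in one play). A one-line comment above the task would also help future readers, e.g. `# MariaDB runs as a container: join its network so the app reaches it by container name instead of via the host`. The `Create and start the server container` task continues outside this hunk.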
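Review bot: `networks: "{{ aa_docker_networks }}"` in the second tasks hunk assumes the `openconext_mariadb` network already exists on the host whenever `mariadb_in_docker` is true; `community.docker.docker_container` fails rather than creating a missing network, so hosts where the MariaDB role (not visible here) has not yet run will break at container creation. Either make the network existence explicit before this task, `community.docker.docker_network: name: openconext_mariadb` with the same `when:`, or document the role ordering. Also note that joining this network gives the container layer-3 reach to MariaDB and to every other app container on it, so the DB user grants become the only boundary between apps; that is worth a comment next to the `when:` so nobody later widens the grants casually.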
@@ -176,14 +176,20 @@ name: engineblock_sessions state: present +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + engine_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "engineblock" image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ engine_docker_networks}}" labels: traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" traefik.http.routers.engine.service: "engineblock"
diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml
index 60e35df36..71b3c9b3e 100644
--- a/roles/invite/defaults/main.yml
+++ b/roles/invite/defaults/main.yml
@@ -15,3 +15,5 @@ invite_manage_provision_oauth_rs_scopes: "openid" invite_mock_install: false # Override is in the dockerX.env host_var files invite_cronjobmaster: true +invite_docker_networks: + - name: loadbalancer
diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml
index a0b4b7232..06142a85e 100644
--- a/roles/invite/tasks/main.yml
+++ b/roles/invite/tasks/main.yml
@@ -48,6 +48,13 @@ when: invite_mock_install notify: restart inviteprovisioningmock +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + invite_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: inviteserver
@@ -57,8 +64,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" mounts: - source: /opt/openconext/invite/serverapplication.yml target: /application.yml
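Review bot: `networks: "{{ engine_docker_networks}}"` in the engineblock hunk is missing the space before `}}`; Jinja tolerates it, but it breaks the `{{ var }}` spacing used on every other `networks:` line in this patch, so write `networks: "{{ engine_docker_networks }}"`. Attaching the container to `openconext_mariadb` only achieves anything if the templated engineblock configuration also points its database host at the MariaDB container name on that network; that template is outside this hunk, so please confirm it is switched by the same `mariadb_in_docker` flag rather than still pointing at the host. The `Create the container` task continues past the end of the hunk.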
@@ -80,7 +86,6 @@ start_period: 10s register: inviteservercontainer - - name: Create the client container community.docker.docker_container: name: inviteclient
@@ -133,6 +138,7 @@ env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" + - name: Create and start the mock provisioning container community.docker.docker_container: name: inviteprovisioningmock
@@ -148,8 +154,7 @@ - source: /etc/localtime target: /etc/localtime type: bind - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" labels: traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)" traefik.http.routers.invitemock.tls: "true"
diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml
index 1338bd91c..cdf563af1 100644
--- a/roles/lifecycle/defaults/main.yml
+++ b/roles/lifecycle/defaults/main.yml
@@ -11,3 +11,5 @@ lifecycle_api_enabled: true lifecycle_api_password: secret lifecycle_api_username: lifecycle current_release_config_dir_name: /opt/openconext/{{ appname }} +lifecycle_docker_networks: + - name: loadbalancer
diff --git a/roles/lifecycle/tasks/main.yml b/roles/lifecycle/tasks/main.yml
index 011a3f3aa..102dcccbb 100644
--- a/roles/lifecycle/tasks/main.yml
+++ b/roles/lifecycle/tasks/main.yml
@@ -33,6 +33,13 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + lifecycle_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}"
@@ -41,8 +48,7 @@ host.docker.internal: host-gateway pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ lifecycle_docker_networks }}" labels: traefik.http.routers.lifecycle.rule: "Host(`lifecycle.{{ base_domain }}`)" traefik.http.routers.lifecycle.tls: "true"
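Review bot: The `inviteprovisioningmock` container in the `@@ -148,8 +154,7 @@` hunk is now attached to `invite_docker_networks`, which includes `openconext_mariadb` whenever `mariadb_in_docker` is true; if the mock provisioning endpoint does not talk to the database (its configuration is outside the hunk, so I cannot tell), this hands a test double direct network reach to MariaDB for no reason. Keep that container on the load balancer network only, i.e. leave its literal `- name: "loadbalancer"` list in place, and reserve the variable-driven list for `inviteserver`. If the mock really does need the DB, a comment on the container task saying so would stop the next reviewer from asking the same question.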
diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml
index ef5c4271d..a2de6442d 100644
--- a/roles/manage/defaults/main.yml
+++ b/roles/manage/defaults/main.yml
@@ -30,3 +30,5 @@ manage_tabs_enabled: - single_tenant_template - provisioning - sram +manage_docker_networks: + - name: loadbalancer
diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml
index 9a4132c42..292744a11 100644
--- a/roles/manage/tasks/main.yml
+++ b/roles/manage/tasks/main.yml
@@ -72,6 +72,13 @@ notify: - "restart manageserver" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + manage_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: manageserver
@@ -80,8 +87,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ manage_docker_networks}}" mounts: - source: /opt/openconext/manage/ target: /config/
diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml
index 4f548db6a..687f5f5ee 100644
--- a/roles/pdp/defaults/main.yml
+++ b/roles/pdp/defaults/main.yml
@@ -21,3 +21,5 @@ pdp_manage_provision_samlsp_trusted_proxy: false pdp_manage_provision_samlsp_sign: false pdp_spring_flyway_enabled: true pdp_manage_push_testmode: true +pdp_docker_networks: + -name: loadbalancer
diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml
index b1e81edaf..086a6b0f1 100644
--- a/roles/pdp/tasks/main.yml
+++ b/roles/pdp/tasks/main.yml
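Review bot: `networks: "{{ manage_docker_networks}}"` in the second manage tasks hunk drops the space before `}}`, the same slip as in the engineblock role, while the attribute-aggregation, invite and lifecycle hunks in this patch all write `{{ var }}`. Write `networks: "{{ manage_docker_networks }}"` so the expression matches the rest of the patch and does not trip a later yamllint/ansible-lint rule on Jinja spacing. The `Create and start the server container` task continues outside the hunk.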
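Review bot: `-name: loadbalancer` in the pdp defaults hunk has no space after the dash, so YAML parses it as a mapping with the key `-name` rather than a one-item list of `{name: ...}`. When `mariadb_in_docker` is false the `set_fact` never runs, `pdp_docker_networks` reaches `networks:` as `{'-name': 'loadbalancer'}`, and `community.docker.docker_container` rejects it because the option is a list of dicts, so `pdpserver` stops being deployable on every host that keeps MariaDB outside Docker. Fix the default to `  - name: loadbalancer` exactly like the other roles; a `yamllint`/`ansible-lint` step in CI would have flagged the inconsistent list syntax.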
@@ -20,6 +20,13 @@ - xacml.conext.properties notify: restart pdpserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + pdp_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: pdpserver
@@ -29,8 +36,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ pdp_docker_networks }}" mounts: - source: /opt/openconext/pdp/serverapplication.properties target: /application.properties
@@ -59,7 +65,7 @@ retries: 3 start_period: 10s register: pdpservercontainer - + - name: Create the gui container community.docker.docker_container: name: pdpgui
diff --git a/roles/spdashboard/defaults/main.yml b/roles/spdashboard/defaults/main.yml
index 9548590a0..bb1c0f3c5 100644
--- a/roles/spdashboard/defaults/main.yml
+++ b/roles/spdashboard/defaults/main.yml
@@ -37,3 +37,5 @@ spdashboard_oidcng_playground_uri_test: https://oidc-playground.dev.support.surf spdashboard_oidcng_playground_uri_prod: https://oidc-playground.dev.support.surfconext.nl/redirect spdashboard_show_global_notice: False spdashboard_global_notice_date: "01-01-2020" +spdashboard_docker_networks: + - name: loadbalancer
diff --git a/roles/spdashboard/tasks/main.yml b/roles/spdashboard/tasks/main.yml
index f6cfbaaab..d11b11edd 100644
--- a/roles/spdashboard/tasks/main.yml
+++ b/roles/spdashboard/tasks/main.yml
@@ -15,9 +15,12 @@ group: root mode: 0644 -- name: Create the spdashboard container network - docker_network: - name: "spdashboard" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + spdashboard_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool - name: Create the container docker_container:
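Review bot: The spdashboard tasks hunk removes the task that created the `spdashboard` docker network but adds nothing that removes the network itself, so hosts provisioned before this change keep an orphaned network behind and the role no longer says why it is gone. If the container was its only member, add a cleanup task, `community.docker.docker_network: name: spdashboard, state: absent`, which is also a no-op on fresh hosts. The `Create the container` task that follows still uses the short `docker_container:` module name while every other role in this patch uses `community.docker.docker_container`; aligning it while this block is being touched would keep the collection dependency explicit.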
@@ -26,8 +29,7 @@ env_file: "/opt/openconext/spdashboard/env" pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ spdashboard_docker_networks }}" labels: traefik.http.routers.spdashboard.rule: "Host(`{{ spdashboard_domain }}`)" traefik.http.routers.spdashboard.tls: "true"
diff --git a/roles/stepupgateway/defaults/main.yml b/roles/stepupgateway/defaults/main.yml
new file mode 100644
index 000000000..fc9eb42f3
--- /dev/null
+++ b/roles/stepupgateway/defaults/main.yml
@@ -0,0 +1,2 @@
+gateway_docker_networks:
+ - name: loadbalancer
diff --git a/roles/stepupgateway/tasks/main.yml b/roles/stepupgateway/tasks/main.yml
index fe01380d9..f101649d8 100644
--- a/roles/stepupgateway/tasks/main.yml
+++ b/roles/stepupgateway/tasks/main.yml
@@ -109,14 +109,20 @@ owner: "{{ appname }}" mode: "0600" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + gateway_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ gateway_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ gateway_docker_networks }}" labels: traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)" traefik.http.routers.gateway.tls: "true"
diff --git a/roles/stepupmiddleware/defaults/main.yml b/roles/stepupmiddleware/defaults/main.yml
new file mode 100644
index 000000000..a9bed70fa
--- /dev/null
+++ b/roles/stepupmiddleware/defaults/main.yml
@@ -0,0 +1,2 @@
+middelware_docker_networks:
+ - name: loadbalancer
diff --git a/roles/stepupmiddleware/tasks/docker.yml b/roles/stepupmiddleware/tasks/docker.yml
index 443ecd4b7..48eba81bd 100644
--- a/roles/stepupmiddleware/tasks/docker.yml
+++ b/roles/stepupmiddleware/tasks/docker.yml
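Review bot: The new `roles/stepupmiddleware/defaults/main.yml` names its variable `middelware_docker_networks` (transposed letters); it works only because `tasks/docker.yml` in this same patch repeats the misspelling, and an operator who overrides `middleware_docker_networks` in inventory will get no effect and no error, since Ansible silently ignores an unknown variable. Rename it to `middleware_docker_networks` in both files before the spelling leaks into host_vars. The new file should also begin with `---` like the other defaults files in this repository.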
@@ -36,14 +36,20 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + middelware_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-middleware/stepup-middleware:{{ middleware_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ middelware_docker_networks }}" labels: traefik.http.routers.middleware.rule: "Host(`{{ middleware_vhost_name }}`)" traefik.http.routers.middleware.tls: "true"
diff --git a/roles/stepuptiqr/defaults/main.yml b/roles/stepuptiqr/defaults/main.yml
new file mode 100644
index 000000000..9ebaecc27
--- /dev/null
+++ b/roles/stepuptiqr/defaults/main.yml
@@ -0,0 +1,2 @@
+tiqr_docker_networks:
+ - name: loadbalancer
diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml
index dfed7faf2..52608184d 100644
--- a/roles/stepuptiqr/tasks/main.yml
+++ b/roles/stepuptiqr/tasks/main.yml
@@ -45,11 +45,11 @@ when: tiqr_apns_pemfile is defined - name: Write tiqr Firebase service json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json" dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json" owner: "{{ appname }}" - mode: 0400 + mode: "0400" when: tiqr_firebase_credentialsfile is defined - name: Place parameters.yml
@@ -62,14 +62,20 @@ notify: - restart tiqr +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + tiqr_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ tiqr_docker_networks }}" labels: traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)" traefik.http.routers.tiqr.tls: "true"
diff --git a/roles/stepupwebauthn/defaults/main.yml b/roles/stepupwebauthn/defaults/main.yml
new file mode 100644
index 000000000..98c9f7204
--- /dev/null
+++ b/roles/stepupwebauthn/defaults/main.yml
@@ -0,0 +1,2 @@
+webauthn_docker_networks:
+ - name: loadbalancer
diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml
index 0e63f21e6..a0bfbb3d1 100644
--- a/roles/stepupwebauthn/tasks/main.yml
+++ b/roles/stepupwebauthn/tasks/main.yml
@@ -97,14 +97,20 @@ with_items: - "01-webauthn-db_init.sh" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + webauthn_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ webauthn_docker_networks }}" labels: traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)" traefik.http.routers.webauthn.tls: "true"
diff --git a/roles/teams/defaults/main.yml b/roles/teams/defaults/main.yml
index c88534d92..60d344650 100644
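Review bot: The webauthn tasks hunk is the eleventh copy of the same `set_fact` with the literal `openconext_mariadb`; the network name is hard-coded in every role and shared with nothing that creates the network, so a rename means editing a dozen files and a mismatch only surfaces when a container fails to start. Introduce one group-level variable, e.g. `mariadb_docker_network: openconext_mariadb`, and reference it here as `- name: "{{ mariadb_docker_network }}"`, with the MariaDB role consuming the same variable when it creates the network. The `Create the container` task continues past the end of the hunk.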
--- a/roles/teams/defaults/main.yml
+++ b/roles/teams/defaults/main.yml
@@ -8,7 +8,7 @@ teams_tos_en: https://example.org teams_tos_nl: https://example.org teams_tos_pt: https://example.org teams_main_link: https://www.openconext.org -teams_organization: "{{ instance_name}}" +teams_organization: "{{ instance_name }}" teams_api_lifecycle_username: teams_api_lifecycle_user teams_oauth2_token_url: "https://connect.{{ base_domain }}/oidc/token" teams_authz_client_id: "teams.{{ base_domain }}"
@@ -27,3 +27,5 @@ teams_manage_provision_samlsp_sp_cert: "" teams_manage_provision_samlsp_trusted_proxy: false teams_manage_provision_samlsp_sign: false teams_spring_flyway_enabled: true +teams_docker_networks: + - name: "loadbalancer"
diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml
index 7561fe6bb..2e250d0af 100644
--- a/roles/teams/tasks/main.yml
+++ b/roles/teams/tasks/main.yml
@@ -19,6 +19,13 @@ - logback.xml notify: restart teamsserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + teams_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: teamsserver
@@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ teams_docker_networks }}" mounts: - source: /opt/openconext/teams/serverapplication.yml target: /application.yml
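Review bot: `- name: "loadbalancer"` in the second teams defaults hunk quotes the network name while every other role's new default in this patch, and the `set_fact` in teams' own tasks file, leaves it plain. The value is identical either way, but the mixed style invites a later diff that "normalises" one side and obscures real changes; use `- name: loadbalancer` here to match the rest of the patch.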