From 9d9b657360954815b3fe5f56bd7b7ab5a279a3af Mon Sep 17 00:00:00 2001
From: dbildungs-iam-server-gha
Date: Tue, 17 Dec 2024 07:47:26 +0000
Subject: [PATCH] dbildungs-iam-server

---
 automation/dbildungs-iam-server/Chart.yaml | 4 +--
 .../dbildungs-iam-server/config/config.json | 11 +++++--
 .../dbildungs-iam-server/cron/Dockerfile | 2 ++
 .../cron/scripts/get_access_token.sh | 20 ++++++-------
 .../templates/_dbildungs-iam-server-envs.tpl | 30 +++++++++++++++++++
 .../templates/cronjob.yaml | 22 +++++++-------
 .../templates/secret.yaml | 6 ++++
 automation/dbildungs-iam-server/values.yaml | 11 +++++--
 8 files changed, 79 insertions(+), 27 deletions(-)

diff --git a/automation/dbildungs-iam-server/Chart.yaml b/automation/dbildungs-iam-server/Chart.yaml
index 8e2b53988..c47bea767 100644
--- a/automation/dbildungs-iam-server/Chart.yaml
+++ b/automation/dbildungs-iam-server/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: SPSH-1529
+appVersion: SPSH-1034
 description: dBildungs-IAM-server
 name: dbildungs-iam-server
 type: application
-version: 0.0.0-spsh-1529-20241217-0730
+version: 0.0.0-spsh-1034-20241217-0746
diff --git a/automation/dbildungs-iam-server/config/config.json b/automation/dbildungs-iam-server/config/config.json
index fc765aba5..c2fac1396 100644
--- a/automation/dbildungs-iam-server/config/config.json
+++ b/automation/dbildungs-iam-server/config/config.json
@@ -33,8 +33,7 @@
 "LDAP": {
 "URL": "ldap://spsh-xxx.svc.cluster.local",
 "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
- "ADMIN_PASSWORD": "password",
- "BASE_DN": "dc=schule-sh,dc=de"
+ "ADMIN_PASSWORD": "password"
 },
 "DATA": {
 "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
@@ -82,5 +81,13 @@ "RENAME_WAITING_TIME_IN_SECONDS": 3, "STEP_UP_TIMEOUT_ENABLED": "true", "STEP_UP_TIMEOUT_IN_SECONDS": 10 + }, + "VIDIS": { + "BASE_URL": "https://service-stage.vidis.schule", + "USERNAME": "", + "PASSWORD": "", + "REGION_NAME": "test-region", + "KEYCLOAK_GROUP": "VIDIS-service", + "KEYCLOAK_ROLE": "VIDIS-user" } } diff --git a/automation/dbildungs-iam-server/cron/Dockerfile b/automation/dbildungs-iam-server/cron/Dockerfile index a05b37677..6d3099a88 100644 --- a/automation/dbildungs-iam-server/cron/Dockerfile +++ b/automation/dbildungs-iam-server/cron/Dockerfile @@ -1,5 +1,7 @@ FROM alpine:3.19 +ENV LOG_FILE_PATH=/var/log/cron.log + # Install necessary packages RUN apk update && \ apk add --no-cache bash cronie jq openssl vim wget diff --git a/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh b/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh index 52be637af..878999566 100644 --- a/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh +++ b/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh @@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then # JWKS_FILE_PATH is set, use the file jwks=$(cat "$JWKS_FILE_PATH") else - echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log + echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}" exit 1 fi # Check if environment variables are set if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then - echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log + echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}" exit 1 fi @@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]') # Check if key_json is empty if [[ -z "$key_json" ]]; then - echo "Error: No keys found in JWKS." >> /var/log/cron.log + echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}" exit 1 fi 
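Review bot: `VIDIS.BASE_URL` is hard-coded to the staging host `https://service-stage.vidis.schule` in config.json while the same setting is also injected as `VIDIS_BASE_URL` from the chart Secret, so there are now two sources of truth for one value and nothing in the commit says which one wins. If the environment variable overrides the file, the file default should be neutral (`""`, like `USERNAME` and `PASSWORD`) so a missing secret key fails loudly instead of silently sending a production deployment to the staging endpoint; if the file wins, the secret-backed env vars are dead configuration. Record the precedence in a comment above the `auth.vidis_*` block in values.yaml, since JSON offers no place for it here.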
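Review bot: The image default `ENV LOG_FILE_PATH=/var/log/cron.log` points at a directory that is normally root-owned and not writable by an unprivileged user, yet the chart now runs this image with `runAsUser: 1000` / `runAsNonRoot: true` and has to override the path to `/tmp/log/cron.log` to make it work. The built-in default therefore only functions when the container runs as root, which the chart no longer allows. Consider `ENV LOG_FILE_PATH=/tmp/log/cron.log` (or create the log directory in the Dockerfile with ownership matching the intended uid) so the image behaves the same inside and outside the chart.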
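Review bot: Every `>> "${LOG_FILE_PATH}"` redirect introduced in this file (this hunk and @@ -68, @@ -110, @@ -146, @@ -166, @@ -174) fails when the variable is unset or empty, because a quoted empty path is not a valid redirect target; the error branches then `exit 1` without having logged anything, so the script is least diagnosable exactly in the misconfigured case. Give the variable a single default near the top of the script, outside this hunk, e.g. `LOG_FILE_PATH="${LOG_FILE_PATH:-/var/log/cron.log}"`, which preserves the previous behaviour for any caller that does not set it. With that in place the Dockerfile `ENV` and the chart's env entry remain the only two places that choose the path.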
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec qi=INTEGER:0x$qi_dec EOF -echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log +echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}" # Generate the PEM-formatted private key temp_key_file=$(mktemp) openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1 -echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log +echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}" # Remove temporary files rm "$asn1_structure" "$temp_key_file" @@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload") # Combine header and payload header_payload="$header_base64.$payload_base64" -echo "Payload created" >> /var/log/cron.log +echo "Payload created" >> "${LOG_FILE_PATH}" # Sign the JWT signature=$(echo -n "$header_payload" | \ openssl dgst -sha256 -sign "$temp_key_file.pem" | \ openssl enc -base64 -A | tr '+/' '-_' | tr -d '=') -echo "Signed the JWT" >> /var/log/cron.log +echo "Signed the JWT" >> "${LOG_FILE_PATH}" # Remove the temporary PEM key file rm "$temp_key_file.pem" @@ -166,7 +166,7 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien --header "Content-Type: application/x-www-form-urlencoded" \ "$kc_token_url") -echo "Access token requested" >> /var/log/cron.log +echo "Access token requested" >> "${LOG_FILE_PATH}" # Check if the response contains an access token if echo "$response" | grep -q '"access_token"'; then 
@@ -174,7 +174,7 @@ if echo "$response" | grep -q '"access_token"'; then
 access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
 echo "$access_token"
 else
- echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
- echo "$response" >> /var/log/cron.log
+ echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
+ echo "$response" >> "${LOG_FILE_PATH}"
 exit 1
 fi
diff --git a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
index ab47c9675..f848b2f9e 100644
--- a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
+++ b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
@@ -91,4 +91,34 @@
 secretKeyRef:
 name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
 key: redis-password
+ - name: VIDIS_BASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-base-url
+ - name: VIDIS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-username
+ - name: VIDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-password
+ - name: VIDIS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-region-name
+ - name: VIDIS_KEYCLOAK_GROUP
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-keycloak-group
+ - name: VIDIS_KEYCLOAK_ROLE
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+ key: vidis-keycloak-role
 {{- end}}
diff --git a/automation/dbildungs-iam-server/templates/cronjob.yaml b/automation/dbildungs-iam-server/templates/cronjob.yaml
index b2b72b23f..629512553 100644
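Review bot: Four of the six new entries (`VIDIS_BASE_URL`, `VIDIS_REGION_NAME`, `VIDIS_KEYCLOAK_GROUP`, `VIDIS_KEYCLOAK_ROLE`) are plain configuration rather than credentials, yet all six are read through `secretKeyRef` from the auth Secret; only `VIDIS_USERNAME` and `VIDIS_PASSWORD` belong there. Keeping non-secret values in the Secret hides them from review in rendered manifests, and because none of the references sets `optional: true`, every deployment that supplies its own `auth.existingSecret` must now add all six keys or the pod fails at container creation. Consider plain `value:` entries (or a ConfigMap) for the four non-secrets and document the two genuinely required new Secret keys for the existingSecret path. The enclosing `env` list and its guarding template condition start outside the hunk.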
--- a/automation/dbildungs-iam-server/templates/cronjob.yaml
+++ b/automation/dbildungs-iam-server/templates/cronjob.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
 schedule: {{ $job_options.schedule }}
 startingDeadlineSeconds: 300
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
 jobTemplate:
 spec:
 backoffLimit: 0
@@ -22,10 +24,9 @@ spec:
 image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
 imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
 securityContext:
- # not yet possible since we need to install some tools
- # privileged: false
- # runAsUser: 1000
- # runAsNonRoot: true
+ privileged: false
+ runAsUser: 1000
+ runAsNonRoot: true
 capabilities:
 drop:
 - ALL
@@ -41,6 +42,8 @@ spec:
 value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
 - name: HTTP_METHOD
 value: "{{ $job_options.httpMethod }}"
+ - name: LOG_FILE_PATH
+ value: "/tmp/log/cron.log"
 resources:
 limits:
 memory: "128Mi"
@@ -52,11 +55,9 @@ spec:
 - "sh"
 - "-c"
 - |
- mkdir /scripts &&
- cp /scripts_tmp/*.sh /scripts/ &&
- chmod +x /scripts/*.sh &&
- touch /var/log/cron.log &&
- chmod 644 /var/log/cron.log &&
+ mkdir /tmp/log/ &&
+ touch /tmp/log/cron.log &&
+ chmod 644 /tmp/log/cron.log &&
 cd {{ $.Values.cronjobs.scriptDir }} &&
 bash {{ $job_options.script }}
 volumeMounts:
@@ -65,7 +66,7 @@ spec:
 subPath: jwks.json
 readOnly: true
 - name: script-volume
- mountPath: /scripts_tmp
+ mountPath: /scripts
 readOnly: false
 ports:
 - containerPort: {{ $.Values.cronjobs.port }}
@@ -74,6 +75,7 @@ spec:
 - name: script-volume
 configMap:
 name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
+ defaultMode: 0555
 - name: secret-volume-jwks
 secret:
 secretName: dbildungs-iam-server
diff --git a/automation/dbildungs-iam-server/templates/secret.yaml b/automation/dbildungs-iam-server/templates/secret.yaml
index 10e959f4e..4b0c37d22 100644
--- a/automation/dbildungs-iam-server/templates/secret.yaml
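Review bot: The securityContext in the @@ -22 hunk now enforces non-root execution but still leaves privilege escalation open: alongside `privileged: false`, `runAsNonRoot: true` and `capabilities.drop: [ALL]`, the remaining gaps are `allowPrivilegeEscalation: false` and `seccompProfile: { type: RuntimeDefault }`, both required by the restricted Pod Security Standard. Neither depends on the run script, which now only needs `/tmp/log`, so they can be added without further changes to the container command. The container spec continues outside the hunk.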
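Review bot: `LOG_FILE_PATH: "/tmp/log/cron.log"` in the @@ -41 hunk sends every diagnostic the script writes to a file on the job pod's ephemeral filesystem, not to stdout/stderr, so `kubectl logs` and any cluster log pipeline see a failed job with no reason; with `failedJobsHistoryLimit: 1` that pod is also the first to be garbage-collected. The script appears to print the token on stdout for its caller, so `/dev/stderr` is the natural target: `value: "/dev/stderr"`, together with dropping the `touch`/`chmod` of the regular file in the @@ -52 hunk. If a file is preferred, at least `cat` it to stderr at the end of the run so the diagnostics survive the pod.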
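Review bot: `mkdir /tmp/log/ &&` in the @@ -52 hunk aborts the whole chain if the directory already exists, which it will the moment the image starts shipping that directory (the Dockerfile in this same commit only sets the env var today, but the two files are now coupled on this path). `mkdir -p /tmp/log &&` is the idempotent form and costs nothing. The old copy/chmod steps are correctly retired now that the ConfigMap is mounted directly with `defaultMode: 0555`.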
+++ b/automation/dbildungs-iam-server/templates/secret.yaml @@ -24,4 +24,10 @@ data: pi-user-realm: {{ .Values.auth.pi_user_realm }} secrets-json: {{ .Values.auth.secrets_json }} redis-password: {{ .Values.auth.redis_password }} + vidis-base-url: {{ .Values.auth.vidis_base_url }} + vidis-username: {{ .Values.auth.vidis_username }} + vidis-password: {{ .Values.auth.vidis_password }} + vidis-region-name: {{ .Values.auth.vidis_region_name }} + vidis-keycloak-group: {{ .Values.auth.vidis_keycloak_group }} + vidis-keycloak-role: {{ .Values.auth.vidis_keycloak_role }} {{- end }} diff --git a/automation/dbildungs-iam-server/values.yaml b/automation/dbildungs-iam-server/values.yaml index 27a8c6cb7..b175bda68 100644 --- a/automation/dbildungs-iam-server/values.yaml +++ b/automation/dbildungs-iam-server/values.yaml @@ -33,7 +33,6 @@ ldap: bindDN: cn=admin,dc=schule-sh,dc=de oeffentlicheSchulenDomain: schule-sh.de ersatzschulenDomain: ersatzschule-sh.de - base_dn: dc=schule-sh,dc=de itslearning: root: sh @@ -59,6 +58,12 @@ auth: pi_user_resolver: '' pi_user_realm: '' redis_password: '' + vidis_base_url: '' + vidis_username: '' + vidis_password: '' + vidis_region_name: '' + vidis_keycloak_group: '' + vidis_keycloak_role: '' backend: replicaCount: 1 @@ -157,8 +162,8 @@ status: cronjobs: enabled: true image: - tag: DBP-1083-latest - repository: ghcr.io/hpi-schul-cloud/cron-tools + tag: '1.1.0' + repository: docker.io/schulcloud/cron-tools pullPolicy: IfNotPresent port: 5656 keycloakTokenUrl: '/realms/SPSH/protocol/openid-connect/token'
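Review bot: The new `data:` entries expand `.Values.auth.vidis_*` unquoted and unencoded, like the existing lines, so the `''` defaults from values.yaml render as bare `vidis-base-url:` (null) and any real value must already be base64 — neither constraint is visible to someone editing values.yaml, and the commit adds no comment stating it. It also places four non-secret settings (base URL, region, Keycloak group and role) in the Secret. If the existing keys are supplied pre-encoded by the deployment pipeline, keep the convention but add a comment above `auth.vidis_*` in values.yaml saying the values are base64 and which of them are credentials; otherwise `{{ .Values.auth.vidis_password | b64enc | quote }}` (or `stringData`) is the safer form, with the non-secrets moved to a ConfigMap. The template's guard condition starts outside the hunk.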
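Review bot: The cron image in the @@ -157 hunk moves from `ghcr.io/hpi-schul-cloud/cron-tools` to `docker.io/schulcloud/cron-tools` and is pinned only by the mutable tag `'1.1.0'`, so what the CronJob executes can change without a chart change and there is no record of which build was reviewed when the registry was switched. Pin by digest — e.g. a `digest: sha256:<placeholder taken from the registry>` value appended as `@<digest>` by the image line in cronjob.yaml — or at least note the image's provenance (source repository, build process) in a comment above `image:`. `pullPolicy: IfNotPresent` with a mutable tag also means different nodes may keep running whichever `1.1.0` they cached first.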