From ce0ce3ec032667e23612068759512840158b67d6 Mon Sep 17 00:00:00 2001
From: dbildungs-iam-server-gha
Date: Tue, 17 Dec 2024 08:06:27 +0000
Subject: [PATCH] dbildungs-iam-server
---
 automation/dbildungs-iam-server/Chart.yaml | 4 +--
 .../dbildungs-iam-server/config/config.json | 25 ++++++++-----
 .../dbildungs-iam-server/cron/Dockerfile | 2 --
 .../cron/scripts/get_access_token.sh | 20 +++++------
 .../templates/_dbildungs-iam-server-envs.tpl | 35 -------------------
 .../templates/backend-deployment.yaml | 2 +-
 .../templates/configmap.yaml | 5 ---
 .../templates/cronjob.yaml | 22 ++++++------
 .../templates/secret.yaml | 9 +---
 automation/dbildungs-iam-server/values.yaml | 18 ++-------
 10 files changed, 43 insertions(+), 99 deletions(-)
diff --git a/automation/dbildungs-iam-server/Chart.yaml b/automation/dbildungs-iam-server/Chart.yaml
index cb89c4b82..f3f383162 100644
--- a/automation/dbildungs-iam-server/Chart.yaml
+++ b/automation/dbildungs-iam-server/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: SPSH-1393
+appVersion: SPSH-1571
 description: dBildungs-IAM-server
 name: dbildungs-iam-server
 type: application
-version: 0.0.0-spsh-1393-20241217-0804
+version: 0.0.0-spsh-1571-20241217-0805
diff --git a/automation/dbildungs-iam-server/config/config.json b/automation/dbildungs-iam-server/config/config.json
index 17cb5d368..5fd3be1f9 100644
--- a/automation/dbildungs-iam-server/config/config.json
+++ b/automation/dbildungs-iam-server/config/config.json
@@ -30,6 +30,11 @@
 "PASSWORD": "",
 "USE_TLS": false
 },
+ "LDAP": {
+ "URL": "ldap://spsh-xxx.svc.cluster.local",
+ "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
+ "ADMIN_PASSWORD": "password"
+ },
 "DATA": {
 "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
 },
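Review bot: The new LDAP block ships `"ADMIN_PASSWORD": "password"` together with an admin `BIND_DN` as a working default, whereas the neighbouring sections of this file leave credentials empty (`"PASSWORD": ""` in the context lines just above), so a deployment that forgets to override it binds the directory with a guessable credential instead of failing early. Suggest `"ADMIN_PASSWORD": ""` here, and likewise for the `"PASSWORD": "password"` values added to the ITSLEARNING and OX sections in the next hunk. The `URL` uses the plain `ldap://` scheme; if the in-cluster directory supports it, an `ldaps://` URL or a TLS switch like the `USE_TLS` key of the section above would keep the bind password off the wire in clear, though whether the consumer honours such a flag is not visible here.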
@@ -46,10 +51,22 @@
 "BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
 },
 "ITSLEARNING": {
+ "ENABLED": false,
+ "ENDPOINT": "https://itslearning.example.com",
+ "USERNAME": "username",
+ "PASSWORD": "password",
 "ROOT": "sh",
 "ROOT_OEFFENTLICH": "oeffentlich",
 "ROOT_ERSATZ": "ersatz"
 },
+ "OX": {
+ "ENABLED": false,
+ "ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
+ "CONTEXT_ID": "1337",
+ "CONTEXT_NAME": "contextname",
+ "USERNAME": "username",
+ "PASSWORD": "password"
+ },
 "PRIVACYIDEA": {
 "ENDPOINT": "http://localhost:5000",
 "USERNAME": "admin",
@@ -64,13 +81,5 @@
 "RENAME_WAITING_TIME_IN_SECONDS": 3,
 "STEP_UP_TIMEOUT_ENABLED": "true",
 "STEP_UP_TIMEOUT_IN_SECONDS": 10
- },
- "VIDIS": {
- "BASE_URL": "https://service-stage.vidis.schule",
- "USERNAME": "",
- "PASSWORD": "",
- "REGION_NAME": "test-region",
- "KEYCLOAK_GROUP": "VIDIS-service",
- "KEYCLOAK_ROLE": "VIDIS-user"
 }
 }
diff --git a/automation/dbildungs-iam-server/cron/Dockerfile b/automation/dbildungs-iam-server/cron/Dockerfile
index 6d3099a88..a05b37677 100644
--- a/automation/dbildungs-iam-server/cron/Dockerfile
+++ b/automation/dbildungs-iam-server/cron/Dockerfile
@@ -1,7 +1,5 @@
 FROM alpine:3.19
-ENV LOG_FILE_PATH=/var/log/cron.log
-
 # Install necessary packages
 RUN apk update && \
 apk add --no-cache bash cronie jq openssl vim wget
diff --git a/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh b/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh
index 878999566..52be637af 100644
--- a/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh
+++ b/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh
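Review bot: After this hunk the OX credential lives in config.json as `"PASSWORD": "password"`, while the rest of the commit removes the `ox-password` entry from secret.yaml, the `OX_PASSWORD` secretKeyRef from the env template and `auth.ox_password` from values.yaml, so a value that was previously delivered through a Kubernetes Secret now sits in a plain config file inside the chart. How config.json reaches the pod is not visible here; if it is rendered into a ConfigMap or baked into the image, the password is readable by anyone with read access to that object or image and is committed to VCS with every edit. Suggest keeping `OX.PASSWORD` and `ITSLEARNING.PASSWORD` empty in this file and continuing to inject them from the Secret, or stating in the chart README why the Secret path was dropped. `"CONTEXT_ID": "1337"` is a string here while the removed configmap entry templated it from `.Values.ox.contextId`; worth confirming the consumer accepts the string form.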
@@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
 # JWKS_FILE_PATH is set, use the file
 jwks=$(cat "$JWKS_FILE_PATH")
 else
- echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
+ echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
 exit 1
 fi
 # Check if environment variables are set
 if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
- echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
+ echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
 exit 1
 fi
@@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')
 # Check if key_json is empty
 if [[ -z "$key_json" ]]; then
- echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
+ echo "Error: No keys found in JWKS." >> /var/log/cron.log
 exit 1
 fi
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
 qi=INTEGER:0x$qi_dec
 EOF
-echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
+echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
 # Generate the PEM-formatted private key
 temp_key_file=$(mktemp)
 openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1
-echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
+echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
 # Remove temporary files
 rm "$asn1_structure" "$temp_key_file"
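Review bot: The literal `/var/log/cron.log` is now repeated in every `>>` redirection of this hunk and of the hunks at lines 68, 110, 146, 166 and 174, after the commit removed the `LOG_FILE_PATH` indirection from both the Dockerfile and the CronJob env. One assignment near the top of the script (outside this hunk), `LOG_FILE="${LOG_FILE_PATH:-/var/log/cron.log}"`, followed by `>> "$LOG_FILE"` in each redirect, keeps the new default while leaving a single place to change it and keeps the path quoted. The `if`/`elif` chain edited at the start of this hunk begins before line 53.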
@@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
 # Combine header and payload
 header_payload="$header_base64.$payload_base64"
-echo "Payload created" >> "${LOG_FILE_PATH}"
+echo "Payload created" >> /var/log/cron.log
 # Sign the JWT
 signature=$(echo -n "$header_payload" | \
 openssl dgst -sha256 -sign "$temp_key_file.pem" | \
 openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')
-echo "Signed the JWT" >> "${LOG_FILE_PATH}"
+echo "Signed the JWT" >> /var/log/cron.log
 # Remove the temporary PEM key file
 rm "$temp_key_file.pem"
@@ -166,7 +166,7 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
 --header "Content-Type: application/x-www-form-urlencoded" \
 "$kc_token_url")
-echo "Access token requested" >> "${LOG_FILE_PATH}"
+echo "Access token requested" >> /var/log/cron.log
 # Check if the response contains an access token
 if echo "$response" | grep -q '"access_token"'; then
@@ -174,7 +174,7 @@ if echo "$response" | grep -q '"access_token"'; then
 access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
 echo "$access_token"
 else
- echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
- echo "$response" >> "${LOG_FILE_PATH}"
+ echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
+ echo "$response" >> /var/log/cron.log
 exit 1
 fi
diff --git a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
index b911656c5..ab47c9675 100644
--- a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
+++ b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
@@ -91,39 +91,4 @@
 secretKeyRef:
 name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
 key: redis-password
- - name: VIDIS_BASE_URL
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-base-url
- - name: VIDIS_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-username
- - name: VIDIS_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-password
- - name: VIDIS_REGION_NAME
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-region-name
- - name: VIDIS_KEYCLOAK_GROUP
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-keycloak-group
- - name: VIDIS_KEYCLOAK_ROLE
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: vidis-keycloak-role
- - name: OX_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
- key: ox-password
 {{- end}}
diff --git a/automation/dbildungs-iam-server/templates/backend-deployment.yaml b/automation/dbildungs-iam-server/templates/backend-deployment.yaml
index b36630482..0c5b14b06 100644
--- a/automation/dbildungs-iam-server/templates/backend-deployment.yaml
+++ b/automation/dbildungs-iam-server/templates/backend-deployment.yaml
@@ -44,7 +44,7 @@ spec:
 securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
 command: [ "node", "dist/src/console/main.js", "keycloak", "update-clients", "dev" ]
 env:
- {{- include "dbildungs-iam-server-backend-envs" . | indent 12 }}
+ {{- include "dbildungs-iam-server-backend-envs" . | indent 12 }}
 {{- if .Values.backend.extraEnvVars }}
 {{ toYaml .Values.backend.extraEnvVars | nindent 12 }}
 {{- end }}
diff --git a/automation/dbildungs-iam-server/templates/configmap.yaml b/automation/dbildungs-iam-server/templates/configmap.yaml
index eb769795d..6603a8e9f 100644
--- a/automation/dbildungs-iam-server/templates/configmap.yaml
+++ b/automation/dbildungs-iam-server/templates/configmap.yaml
@@ -22,11 +22,6 @@ data:
 LDAP_OEFFENTLICHE_SCHULEN_DOMAIN: "{{ .Values.ldap.oeffentlicheSchulenDomain }}"
 LDAP_ERSATZSCHULEN_DOMAIN: "{{ .Values.ldap.ersatzschulenDomain }}"
 STATUS_REDIRECT_URL: "{{ .Values.status.url }}"
- OX_ENABLED: "{{ .Values.ox.enabled }}"
- OX_USERNAME: "{{ .Values.ox.username }}"
- OX_ENDPOINT: "{{ .Values.ox.endpoint }}"
- OX_CONTEXT_ID: "{{ .Values.ox.contextId }}"
- OX_CONTEXT_NAME: "{{ .Values.ox.contextName }}"
 SYSTEM_RENAME_WAITING_TIME_IN_SECONDS: "{{ .Values.backend.env.renameWaitingTimeInSeconds }}"
 SYSTEM_STEP_UP_TIMEOUT_ENABLED: "{{ .Values.backend.env.stepUpTimeoutEnabled }}"
 SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS: "{{ .Values.backend.env.stepUpTimeoutInSeconds }}"
diff --git a/automation/dbildungs-iam-server/templates/cronjob.yaml b/automation/dbildungs-iam-server/templates/cronjob.yaml
index 629512553..b2b72b23f 100644
--- a/automation/dbildungs-iam-server/templates/cronjob.yaml
+++ b/automation/dbildungs-iam-server/templates/cronjob.yaml
@@ -8,8 +8,6 @@ metadata:
 spec:
 schedule: {{ $job_options.schedule }}
 startingDeadlineSeconds: 300
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
 jobTemplate:
 spec:
 backoffLimit: 0
@@ -24,9 +22,10 @@ spec:
 image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
 imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
 securityContext:
- privileged: false
- runAsUser: 1000
- runAsNonRoot: true
+ # not yet possible since we need to install some tools
+ # privileged: false
+ # runAsUser: 1000
+ # runAsNonRoot: true
 capabilities:
 drop:
 - ALL
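Review bot: The second cronjob.yaml hunk comments out `runAsUser: 1000` and `runAsNonRoot: true`, so the cron container now runs as whatever user the image defaults to, which for this Alpine-based image is most likely root. The justification "we need to install some tools" does not match the rest of the commit: the cron Dockerfile already installs bash, cronie, jq, openssl, vim and wget at build time, and the new container command only copies scripts and creates `/var/log/cron.log`, both of which are writable-filesystem needs rather than root needs. Restoring `privileged: false`, `runAsUser: 1000` and `runAsNonRoot: true` and giving the job `emptyDir` volumes at `/scripts` and `/var/log` (or a log path the non-root user owns) would keep the hardening that `capabilities: drop: [ALL]` just below is still trying to provide. If the relaxation has to stay for now, the comment should name the concrete operation that fails as non-root so a later reader can tell when it can be reverted.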
@@ -42,8 +41,6 @@ spec:
 value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
 - name: HTTP_METHOD
 value: "{{ $job_options.httpMethod }}"
- - name: LOG_FILE_PATH
- value: "/tmp/log/cron.log"
 resources:
 limits:
 memory: "128Mi"
@@ -55,9 +52,11 @@ spec:
 - "sh"
 - "-c"
 - |
- mkdir /tmp/log/ &&
- touch /tmp/log/cron.log &&
- chmod 644 /tmp/log/cron.log &&
+ mkdir /scripts &&
+ cp /scripts_tmp/*.sh /scripts/ &&
+ chmod +x /scripts/*.sh &&
+ touch /var/log/cron.log &&
+ chmod 644 /var/log/cron.log &&
 cd {{ $.Values.cronjobs.scriptDir }} &&
 bash {{ $job_options.script }}
 volumeMounts:
@@ -66,7 +65,7 @@ spec:
 subPath: jwks.json
 readOnly: true
 - name: script-volume
- mountPath: /scripts
+ mountPath: /scripts_tmp
 readOnly: false
 ports:
 - containerPort: {{ $.Values.cronjobs.port }}
@@ -75,7 +74,6 @@ spec:
 - name: script-volume
 configMap:
 name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
- defaultMode: 0555
 - name: secret-volume-jwks
 secret:
 secretName: dbildungs-iam-server
diff --git a/automation/dbildungs-iam-server/templates/secret.yaml b/automation/dbildungs-iam-server/templates/secret.yaml
index 68a57d6f3..10e959f4e 100644
--- a/automation/dbildungs-iam-server/templates/secret.yaml
+++ b/automation/dbildungs-iam-server/templates/secret.yaml
@@ -24,11 +24,4 @@ data:
 pi-user-realm: {{ .Values.auth.pi_user_realm }}
 secrets-json: {{ .Values.auth.secrets_json }}
 redis-password: {{ .Values.auth.redis_password }}
- vidis-base-url: {{ .Values.auth.vidis_base_url }}
- vidis-username: {{ .Values.auth.vidis_username }}
- vidis-password: {{ .Values.auth.vidis_password }}
- vidis-region-name: {{ .Values.auth.vidis_region_name }}
- vidis-keycloak-group: {{ .Values.auth.vidis_keycloak_group }}
- vidis-keycloak-role: {{ .Values.auth.vidis_keycloak_role }}
- ox-password: {{ .Values.auth.ox_password }}
-{{- end }}
\ No newline at end of file
+{{- end }}
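Review bot: The new command block in the second hunk copies `/scripts_tmp/*.sh` to `/scripts` and `chmod +x`s them, yet the script is still started with `bash {{ $job_options.script }}`, which needs no execute bit, so the copy step and the writable `/scripts` directory exist only to work around the read-only ConfigMap mount. Running from the mount directly (`cd /scripts_tmp && bash {{ $job_options.script }}`, or pointing `cronjobs.scriptDir` at `/scripts_tmp`) drops `mkdir /scripts && cp ... && chmod +x ...` and with it one of the reasons the job needs a writable root filesystem. `readOnly: false` on the ConfigMap volumeMount in the third hunk is ignored by current Kubernetes versions, which mount ConfigMaps read-only regardless, so `readOnly: true` states the real behaviour. `mkdir /scripts` without `-p` also aborts the whole `&&` chain if the image already ships that directory; `mkdir -p /scripts` is the safer form if the copy stays.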
diff --git a/automation/dbildungs-iam-server/values.yaml b/automation/dbildungs-iam-server/values.yaml
index 1c74fcde1..5050e647e 100644
--- a/automation/dbildungs-iam-server/values.yaml
+++ b/automation/dbildungs-iam-server/values.yaml
@@ -58,20 +58,6 @@ auth:
 pi_user_resolver: ''
 pi_user_realm: ''
 redis_password: ''
- vidis_base_url: ''
- vidis_username: ''
- vidis_password: ''
- vidis_region_name: ''
- vidis_keycloak_group: ''
- vidis_keycloak_role: ''
- ox_password: ''
-
-ox:
- enabled: false
- username: ''
- endpoint: ''
- contextId: ''
- contextName: ''
 backend:
 replicaCount: 1
@@ -170,8 +156,8 @@ status:
 cronjobs:
 enabled: true
 image:
- tag: '1.1.0'
- repository: docker.io/schulcloud/cron-tools
+ tag: DBP-1083-latest
+ repository: ghcr.io/hpi-schul-cloud/cron-tools
 pullPolicy: IfNotPresent
 port: 5656
 keycloakTokenUrl: '/realms/SPSH/protocol/openid-connect/token'
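Review bot: `tag: DBP-1083-latest` in the second hunk is a mutable, branch-style tag, and with `pullPolicy: IfNotPresent` two lines below a node that already cached that tag keeps running the old image after the tag is moved, so the same chart version can run different code on different nodes. For a chart release, pin an immutable tag or a digest (`ghcr.io/hpi-schul-cloud/cron-tools@sha256:<digest from the registry>`, placeholder), or if a floating tag is deliberate for this branch build, set `pullPolicy: Always` for this image and note that it is temporary. The replaced value was quoted (`'1.1.0'`) while the new one is a plain scalar; both parse as strings, but `tag: 'DBP-1083-latest'` keeps the quoting consistent with the line it replaces and protects a future numeric-looking tag from being read as a float.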