first round of changes for spring 2023 registry and match training

satkinson · Mar 8, 2023 · 46b908c · 46b908c
1 parent 921f2bc
commit 46b908c
Show file tree

Hide file tree

Showing 7 changed files with 253 additions and 21 deletions.
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -49,15 +49,15 @@ vpc_availability_zone:
 
 ssh_bastion_instance_type: t2.nano
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-ssh_bastion_ami_id: ami-066ac52b0a91f4138
+ssh_bastion_ami_id: ami-0c1b4dff690b5d229 
 ssh_bastion_user: admin
 ssh_bastion_device_name: /dev/xvda
 ssh_bastion_volume_type: gp2
 ssh_bastion_volume_size: 10
 
 idp_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-idp_node_ami_id: ami-066ac52b0a91f4138
+idp_node_ami_id: ami-0c1b4dff690b5d229
 idp_node_user: admin
 idp_node_device_name: /dev/xvda
 idp_node_volume_type: gp2
@@ -67,15 +67,15 @@ training_node_count: 2
 
 training_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-training_node_ami_id: ami-066ac52b0a91f4138
+training_node_ami_id: ami-0c1b4dff690b5d229
 training_node_user: admin
 training_node_device_name: /dev/xvda
 training_node_volume_type: gp2
 training_node_volume_size: 20
 
 # Docker version
-docker_ce_package_version: "5:20.10.20~3-0~debian-bullseye"
-docker_ce_cli_package_version: "5:20.10.20~3-0~debian-bullseye"
-containerd_io_package_version: "1.6.8-1"
+docker_ce_package_version: "5:23.0.1-1~debian.11~bullseye"
+docker_ce_cli_package_version: "5:23.0.1-1~debian.11~bullseye"
+containerd_io_package_version: "1.6.18-1"
 
 
diff --git a/roles/training/files/comanage-match-stack.yml b/roles/training/files/comanage-match-stack.yml
@@ -0,0 +1,82 @@
+version: '3.7'
+
+services:
+
+    matchdatabase:
+        image: postgres:14.7
+        volumes: 
+            - /srv/docker/var/lib/postgresql/data:/var/lib/postgresql/data
+            - /srv/docker/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+        environment:
+            - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+            - COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_match_database_user_password
+        secrets:
+            - comanage_match_database_user_password
+            - postgres_password
+        deploy:
+            replicas: 1
+        logging:
+            driver: journald
+            options:
+                tag: "postgresql-{{.Name}}"
+
+    match:
+        image: i2incommon/comanage-match:1.1.0-internet2-tap-1
+        volumes:
+            - /srv/docker/srv/comanage-match/local:/srv/comanage-match/local
+            - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
+            - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+            - /srv/docker/etc/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
+            - /srv/docker/etc/httpd/conf.d/000-comanagematch.conf:/etc/httpd/conf.d/000-comanage.conf
+        environment:
+            - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Carla
+            - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Woo
+            - COMANAGE_MATCH_ADMIN_USERNAME=carla.woo@comanage.incommon.training
+            - COMANAGE_MATCH_DATASOURCE=Database/Postgres
+            - COMANAGE_MATCH_DATABASE=match
+            - COMANAGE_MATCH_DATABASE_HOST=matchdatabase
+            - COMANAGE_MATCH_DATABASE_USER=match_user
+            - COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE=/run/secrets/comanage_match_database_user_password
+            - COMANAGE_MATCH_EMAIL_TRANSPORT=Smtp
+            - COMANAGE_MATCH_EMAIL_HOST=tls://smtp.gmail.com
+            - COMANAGE_MATCH_EMAIL_PORT=465
+            - COMANAGE_MATCH_EMAIL_ACCOUNT=comanagetraining@gmail.com
+            - COMANAGE_MATCH_EMAIL_ACCOUNT_PASSWORD_FILE=/run/secrets/comanage_registry_email_account_password
+            - COMANAGE_MATCH_EMAIL_FROM_EMAIL=comanagetraining@gmail.com
+            - COMANAGE_MATCH_EMAIL_FROM_NAME=Match
+            - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert
+            - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey
+            - SHIBBOLETH_SP_SIGNING_CERT=/run/secrets/shibboleth_sp_signing_cert
+            - SHIBBOLETH_SP_SIGNING_PRIVKEY=/run/secrets/shibboleth_sp_signing_privkey
+        secrets:
+            - comanage_match_database_user_password
+            - comanage_registry_email_account_password
+            - shibboleth_sp_encrypt_cert
+            - shibboleth_sp_encrypt_privkey
+            - shibboleth_sp_signing_cert
+            - shibboleth_sp_signing_privkey
+        ports:
+            - "80:80"
+        deploy:
+            replicas: 1
+        logging:
+            driver: journald
+            options:
+                tag: "match_{{.Name}}"
+
+
+secrets:
+    comanage_registry_email_account_password:
+        external: true
+    shibboleth_sp_encrypt_cert:
+        external: true
+    shibboleth_sp_encrypt_privkey:
+        external: true
+    shibboleth_sp_signing_cert:
+        external: true
+    shibboleth_sp_signing_privkey:
+        external: true
+    comanage_match_database_user_password:
+        external: true
+    postgres_password:
+        external: true
diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml
@@ -1,8 +1,8 @@
-version: '3.7'
+version: '3.8'
 
 services:
     database:
-        image: mariadb:10.4.22
+        image: mariadb:10.4.28
         volumes:
             - /srv/docker/var/lib/mysql:/var/lib/mysql
         environment:
@@ -21,7 +21,7 @@ services:
                 tag: "mariadb-{{.Name}}"
 
     campusdatabase:
-        image: mariadb:10.4.22
+        image: mariadb:10.4.28
         volumes:
             - /srv/docker/var/lib/campussql:/var/lib/mysql
         environment:
@@ -40,17 +40,17 @@ services:
                 tag: "mariadb-{{.Name}}"
 
     registry:
-        image: i2incommon/comanage-registry:4.0.2-20220223
+        image: i2incommon/comanage-registry:4.1.1-20230202
         volumes:
             - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
             - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
             - /srv/docker/etc/shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
             - /srv/docker/etc/shibboleth/idp-metadata.xml:/etc/shibboleth/idp-metadata.xml
             - /srv/docker/etc/httpd/conf.d/000-comanage.conf:/etc/httpd/conf.d/000-comanage.conf
         environment:
-            - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=
-            - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=
-            - COMANAGE_REGISTRY_ADMIN_USERNAME=
+            - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Carla
+            - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Woo
+            - COMANAGE_REGISTRY_ADMIN_USERNAME=carla.woo@comanage.incommon.training
             - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql
             - COMANAGE_REGISTRY_DATABASE=registry
             - COMANAGE_REGISTRY_DATABASE_HOST=database
@@ -85,7 +85,7 @@ services:
                 tag: "registry_{{.Name}}"
 
     cron:
-        image: i2incommon/comanage-registry-cron:4.0.2-20220223
+        image: i2incommon/comanage-registry-cron:4.1.1-20230202
         volumes:
             - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
         environment:
@@ -115,7 +115,7 @@ services:
             - olc_root_pw
             - olc_root_dn_password
         ports:
-            - "389:389"
+                - "389:389"
         deploy:
             replicas: 1
         logging:

diff --git a/roles/training/files/init-user-db.sh b/roles/training/files/init-user-db.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -x
+set -e
+
+declare COMANAGE_MATCH_DATABASE_USER_PASSWORD=$(< ${COMANAGE_MATCH_DATABASE_USER_PASSWORD_FILE})
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE USER match_user  PASSWORD '${COMANAGE_MATCH_DATABASE_USER_PASSWORD}';
+    CREATE DATABASE match;
+    GRANT ALL PRIVILEGES ON DATABASE match TO match_user;
+EOSQL
+
+psql  -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname match  <<-EOSQL
+    CREATE EXTENSION fuzzystrmatch;
+EOSQL
diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml
@@ -33,19 +33,25 @@
       - /srv/docker/etc/apache2/sites-available
       - /srv/docker/etc/httpd/conf.d
       - /srv/docker/ldif
+      - /srv/docker/docker-entrypoint-initdb.d
+      - /srv/docker/var/lib/postgresql/data
+      - /srv/docker/srv/comanage-match/local
 
-  - name: Copy service stack file
+  - name: Copy service stack files
     copy:
-      src: comanage-registry-stack.yml
-      dest: /home/training/comanage-registry-stack.yml
+      src: "{{item}}"
+      dest: "/home/training/{{item}}"
       owner: training
       group: training
       mode: '0644'
       # Do not overwrite an existing file even if it has been
       # modified.
       force: "{{ force_update_stack_file }}"
+    loop:
+      - comanage-registry-stack.yml
+      - comanage-match-stack.yml
     tags:
-      - update_stack_file
+      - update_stack_files
 
   - name: Create userPassword hash for LDIF input file
     command:
@@ -85,6 +91,14 @@
       group: root
       mode: '0644'
 
+  - name: Copy postgres database initialization file
+    copy:
+      src: init-user-db.sh
+      dest: /srv/docker/docker-entrypoint-initdb.d/init-user-db.sh
+      owner: root
+      group: root
+      mode: '0755'
+
   - name: Create secret olc_root_pw
     community.general.docker_secret:
       name: olc_root_pw
@@ -139,6 +153,30 @@
       data: "{{ shibboleth_sp_signing_privkey }}"
       state: present
 
+  - name: Create secret mysql_root_password
+    community.general.docker_secret:
+      name: mysql_root_password
+      data: "{{ mysql_root_password }}"
+      state: present
+
+  - name: Create secret mysql_registry_user_password
+    community.general.docker_secret:
+      name: mysql_registry_user_password
+      data: "{{ mysql_registry_user_password }}"
+      state: present
+
+  - name: Create secret postgres_password
+    community.general.docker_secret:
+      name: postgres_password
+      data: "{{ postgres_password }}"
+      state: present
+
+  - name: Create secret comanage_match_database_user_password
+    community.general.docker_secret:
+      name: comanage_match_database_user_password
+      data: "{{ comanage_match_database_user_password }}"
+      state: present
+
   - name: Copy Shibboleth SP configuration files
     copy:
       src: "{{ item }}"
@@ -160,12 +198,17 @@
 
   - name: Copy Apache configuration file
     template:
-      src: 000-comanage.conf
+      src: "{{item}}"
+      #src: 000-comanage.conf
       #dest: /srv/docker/etc/apache2/sites-available/000-comanage.conf
-      dest: /srv/docker/etc/httpd/conf.d/000-comanage.conf
+      #dest: /srv/docker/etc/httpd/conf.d/000-comanage.conf
+      dest: "/srv/docker/etc/httpd/conf.d/{{item}}"
       owner: root
       group: root
       mode: '0644'
+    loop:
+      - 000-comanage.conf
+      - 000-comanagematch.conf
 
   - name: Copy registar FileSource CSV input file
     copy:

diff --git a/roles/training/templates/000-comanagematch.conf b/roles/training/templates/000-comanagematch.conf
@@ -0,0 +1,65 @@
+# COmanage Match  Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+<VirtualHost *:80>
+
+ServerName https://{{ public_fqdn }}:443
+UseCanonicalName On
+
+DocumentRoot /var/www/html
+
+RedirectMatch ^/$ /match/
+
+PassEnv ENV
+PassEnv USERTOKEN
+
+ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
+ErrorLog /tmp/logpipe
+LogLevel warn
+
+LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
+CustomLog /tmp/logpipe ssl_combined
+
+<Directory /var/www/html/match>
+Options Indexes FollowSymLinks
+DirectoryIndex index.php
+AllowOverride All
+Require all granted
+</Directory>
+
+<Location "/Shibboleth.sso">
+SetHandler shib
+</Location>
+
+<Directory /var/www/html/match/auth/login>
+AuthType shibboleth
+ShibRequestSetting requireSession 1
+Require valid-user
+</Directory>
+
+<Location />
+AuthType shibboleth
+Require shibboleth
+</Location>
+
+RewriteEngine On
+RewriteCond %{QUERY_STRING} !after_redirect
+RewriteRule ^/match/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/match/auth/logout/?after_redirect [L,R]
+
+</VirtualHost>
diff --git a/roles/training/vars/main.yml b/roles/training/vars/main.yml
@@ -451,3 +451,31 @@
           33643666386531646362373336656665316265653666636163353730616262366661323930316532
           33356539396265366332353363393762373537326565666466323937653733386233313136303862
           3766
+   mysql_root_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38336331613735373932376164643734393530356266623964353837316632633231323863316338
+          3266323761623065653764383366313962376137366462370a353830333261623636363464343339
+          38643132663433623432613734386335303230643838643062623830663436633061353934616563
+          6539323431393862350a333837366336643437356662646563363738666336353537386434313464
+          3463
+   mysql_registry_user_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31306164636533333166366439376136643737336430666434376166633761393532396262656463
+          6364373466633437376635323631353966613266653135390a363438613432356434336430363461
+          35303130646562613662666331643039353565666332336132363833653333333432643334373032
+          6133336134663366320a343866626235613434316637656631373263616562356235636265613236
+          3063
+   comanage_match_database_user_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38653265376539646133666537316665393663633165363262623764363862323661653431396266
+          3037653765343939346532333061393937346237653663640a393636306232396533393334623832
+          35376335653065656465626230323339663139343938313036336535383664633666313362343733
+          3937346630323562390a343366396166303936316635666530373630393936666362306361646436
+          3035
+   postgres_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33396235386639346261373239623763313232376235653239366534373563666265356631373966
+          6562666462646266323662633262616661386161393462330a343936376664313130323836393864
+          32663331393732393035323066663030643465323666363161333234663539613137323039306133
+          6430336236633164640a306563343736623437373834333562343339373162326236366631623562
+          3234