Skip to content

skoranda/comange-reg-training-ansible-old

f3becc8286
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Go to file
Code

Latest commit

@skoranda
skoranda Fix COMANAGE_REGISTRY_EMAIL_FROM environment variable
f3becc8 Nov 10, 2019
Fix COMANAGE_REGISTRY_EMAIL_FROM environment variable 
Fix the definition of the COMANAGE_REGISTRY_EMAIL_FROM environment
variable in the services stack file.
f3becc8

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
roles
Fix COMANAGE_REGISTRY_EMAIL_FROM environment variable
November 9, 2019 18:45
vars
First commit.
November 7, 2019 15:29
.gitignore
First commit.
November 7, 2019 15:29
README.md
First commit.
November 7, 2019 15:29
ansible.cfg
First commit.
November 7, 2019 15:29
comanage_registry_training.yml
First commit.
November 7, 2019 15:29
ec2.ini
Better management of inventory to pick up tags
November 9, 2019 08:55
hostnames.yml
First commit.
November 7, 2019 15:29
idp_node.yml
First commit.
November 7, 2019 15:29
ssh_bastion.yml
First commit.
November 7, 2019 15:29
ssh_config.j2
First commit.
November 7, 2019 15:29
training_nodes.yml
Better management of inventory to pick up tags
November 9, 2019 08:55
vpc.yml
First commit.
November 7, 2019 15:29
Ansible Deployment for InCommon COmanage Registry Training Secrets Prerequisites Set up Environment Initialization Before Running Playbooks Configuration Provision the COmanage Training Infrastructure SSH Access Deploying the IdP Deploying COmanage Registry

README.md

Ansible Deployment for InCommon COmanage Registry Training

This repository contains the necessary Ansible and other files for deploying the InCommon COmanage Registry Training environment.

The primary Ansible playbook when run will create

  • a AWS Virtual Private Cloud (VPC) with the name comanage_training. All infrastructure is created within the VPC and can be deprovisioned by deleting the VPC.

  • an internet gateway (IG) to connect the VPC to the internet.

  • public and private subnets within the VPC.

  • NATs to allow virtual machines in the private subnets to open connections to the internet (e.g. to execute yum update).

  • appropriate security groups.

  • SSH bastion hosts (one per public subnet).

  • a host for a Shibboleth IdP. The IdP is deployed using the TAP image and a Docker Swarm service stack (compose) file, and includes an LDAP server pre-populated with user accounts for SAML authentication.

  • N hosts for trainees. Each host is a single-node Docker Swarm pre-populated with most details necessary for deploying COmanage Registry using the TAP image.

  • Target groups and an application load balancer (ALB) that terminates TLS and is configured to route web traffic to the IdP and the COmanage Registry hosts.

  • Route53 DNS configurations so that the IdP and the training nodes can all be easily reached.

Secrets

There are no unencrypted secrets in this repository. All secrets, including SAML keys, are encrypted using the Ansible vault tooling. Refer to the Ansible documentation for details on how to manage the encrypted files and strings.

Prerequisites

You will need to have an AWS access key and AWS secret access key provisioned by an administrator for the internet2-training AWS account.

You will need to have the Ansible vault password used with this ansible deployment.

You will need to have the AWS-Trng-1.pem (or other approved key) used for the initial login access to virtual machines.

You will need to use the AWS Console to access the Certificate Manager and provision (or renew) an X.509 wildcard certificate for the domain *.comanage.incommon.training.

Set up Environment

To set up the environment for ansible the first time:

git clone https://github.com/cilogon/comanage-registry-ansible.git
cd comanage-registry-training-deployment
virtualenv -p python3.7 ./
source bin/activate
pip install --upgrade pip
pip install git+https://github.com/ansible/ansible.git@devel
pip install boto
pip install boto3
wget https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
chmod 755 ec2.py
cp /path/to/AWS-Trng-1.pem .

Some ansible files are encrypted using ansible-vault. When running a playbook ansible needs to be able to find the password for the vault.

Create a file outside of the clone of this repository to hold the vault password, e.g.

touch ~/.vault_pass.txt
chmod 600 ~/.vault_pass.txt

Find the vault password from and enter it into the file you just created.

Initialization Before Running Playbooks

Do this each time to run ansible commands or playbooks to set up the environment:

cd comanage-registry-training-deployment
source bin/activate
export AWS_ACCESS_KEY_ID='XXXXXXXX'
export AWS_SECRET_ACCESS_KEY='XXXXXXXX'
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
export AWS_REGION=us-west-2
rm ./ssh_mux_*
kill $SSH_AGENT_PID
unset SSH_AUTH_SOCK
eval `ssh-agent -s`
ssh-add ./AWS-Trng-1.pem

Configuration

Most of the configurable details, including the number of training nodes to deploye, are set in the file

vars/global.yml

Review that file before running the playbook.

Provision the COmanage Training Infrastructure

To provision the infrastructure execute the playbook:

ansible-playbook -i ./ec2.py comanage_registry_training.yml

SSH Access

Trainers may use their provisioned SSH keys to access all nodes. Each trainer has a dedicated account on each node.

Trainees may SSH using the account training and the provisioned password.

Begin by logging into the bastion node, e.g.

$ ssh training@ssh.comanage.incommon.training
training@ssh.comanage.incommon.training's password: 
Last login: Thu Nov  7 15:12:40 2019 from some/host
[training@ssh ~]$

From there each trainee may SSH into their assigned host:

[training@ssh ~]$ ssh registry1-private
training@registry1-private's password: 
Last login: Thu Nov  7 17:43:27 2019 from ip-192-168-10-10.us-west-2.compute.internal
[training@registry1-private ~]$

Only trainers may SSH into the IdP node:

skoranda@paprika:~$ ssh -A ssh.comanage.incommon.training
Last login: Thu Nov  7 15:01:48 2019 from some.host
[skoranda@ssh ~]$ ssh login-private
Last login: Thu Nov  7 17:43:56 2019 from ip-192-168-10-10.us-west-2.compute.internal

Deploying the IdP

The Ansible tooling does not automatically start the IdP service stack. To start the stack log into the IdP node and execute

docker stack deploy --compose-file /opt/shibboleth-idp-stack.yml idp

Useful Docker Swarm commands for the IdP node are

docker stack ls

docker service ls

docker service ps idp_shibboleth-idp

docker service ps idp_ldap

docker service logs -f idp_shibboleth-idp

docker service logs -f idp_ldap

docker stack rm idp

Deploying COmanage Registry

Each trainee is expected to SSH to the bastion host and then to their assigned node. In the home directory for the training user the trainee will find the Docker Swarm services stack (compose) file for deploying COmanage Registry, a MariaDB database, and an LDAP server.

Before deploying the service stack the trainee must first, as an exercise, create some Docker Swarm secrets (see the training materials for details). Most secrets have been pre-populated using Ansible to save time, but the trainee is expected to create a few secrets.

Once successfully deployed, COmanage Registry is available at the URL

https://registry1.comanage.incommon.training

for node 1, and

https://registry2.comanage.incommon.training

for node 2, and so on.

About

Ansible Deployment for InCommon COmanage Registry Training

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks

Releases

No releases published

Packages

No packages published

Languages