Merge remote-tracking branch 'origin/main' into feature/acme-harica

Author: baszoetekouw

provision.yml

@@ -57,8 +57,6 @@
         - inventory_hostname in groups['dbcluster_nodes']
       tags: ['core', 'db_mysql', 'keepalived']
     - role: galera_create_users
-      when:
-        - inventory_hostname in groups['dbcluster']
       tags: ['core', 'db_mysql', 'galera', 'galera_create_users']
 
 - hosts: mongo_servers
@@ -122,6 +120,7 @@
   become: true
   roles:
     - { role: engineblock,      tags: ["eb"] }
+    - { role: stepupgateway,    tags: [ 'stepupgateway' , 'stepup' ] }
 
 - hosts: docker_mariadb
   become: true

roles/attribute-aggregation/handlers/main.yml

@@ -3,4 +3,7 @@
     name: aaserver
     state: started
     restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
   when: aaservercontainer is success and aaservercontainer is not change

roles/attribute-aggregation/tasks/main.yml

@@ -64,80 +64,3 @@
       retries: 3
       start_period: 10s
   register: aaservercontainer
-
-- name: Create the gui container
-  community.docker.docker_container:
-    name: aagui
-    image: ghcr.io/openconext/openconext-attribute-aggregation/aa-gui:{{ attribute_aggregation_gui_version }}
-    pull: true
-    restart_policy: "always"
-    state: started
-    networks:
-      - name: "loadbalancer"
-    labels:
-      traefik.http.routers.attribute-aggregationgui.rule: "Host(`aa.{{ base_domain }}`)"
-      traefik.http.routers.attribute-aggregationgui.tls: "true"
-      traefik.enable: "true"
-    healthcheck:
-      test: ["CMD", "curl", "--fail", "http://localhost/internal/health"]
-      interval: 10s
-      timeout: 10s
-      retries: 3
-      start_period: 10s
-    hostname: attribute-aggregation
-    mounts:
-      - source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - source: /opt/openconext/common/favicon.ico
-        target: /var/www/favicon.ico
-        type: bind
-    env:
-      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
-      HTTPD_SERVERNAME: "aa.{{ base_domain }}"
-      OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
-      OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
-      OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
-      SHIB_ENTITYID: "https://aa.{{ base_domain }}/shibboleth"
-      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
-      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
-
-- name: Create the gui link container
-  community.docker.docker_container:
-    name: aalink
-    image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
-    pull: true
-    restart_policy: "always"
-    state: started
-    networks:
-      - name: "loadbalancer"
-    labels:
-      traefik.http.routers.attribute-aggregationlink.rule: "Host(`link.{{ base_domain }}`)"
-      traefik.http.routers.attribute-aggregationlink.tls: "true"
-      traefik.enable: "true"
-    healthcheck:
-      test: ["CMD", "curl", "--fail", "http://localhost/internal/health"]
-      interval: 10s
-      timeout: 10s
-      retries: 3
-      start_period: 10s
-    mounts:
-      - source: /opt/openconext/attribute-aggregation/apachelink.conf
-        target: /etc/apache2/sites-enabled/000-default.conf
-        type: bind
-      - source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - source: /opt/openconext/common/favicon.ico
-        target: /var/www/favicon.ico
-        type: bind
-    hostname: attribute-link
-    env:
-      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
-      HTTPD_SERVERNAME: "link.{{ base_domain }}"
-      OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
-      OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
-      OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
-      SHIB_ENTITYID: "https://link.{{ base_domain }}/shibboleth"
-      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
-      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"

roles/attribute-aggregation/templates/serverapplication.yml.j2

@@ -44,7 +44,6 @@ spring:
     properties:
       hibernate:
         naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy
-        dialect: org.hibernate.dialect.MariaDB53Dialect
     open-in-view: true
   datasource:
     driver-class-name: org.mariadb.jdbc.Driver

roles/dashboard/handlers/main.yml

@@ -3,4 +3,7 @@
     name: dashboardserver
     state: started
     restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
   when: dashboardservercontainer is success and dashboardservercontainer is not change

roles/engineblock/handlers/main.yml

@@ -4,4 +4,7 @@
     name: engineblock
     state: started
     restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
   when: ebcontainer is success and ebcontainer is not change

roles/haproxy/tasks/get_acme_certs.yml

@@ -19,6 +19,7 @@
   changed_when: false
   loop: "{{ haproxy_ssl_hosts }}"
   delegate_to: "localhost"
+  check_mode: false  # this is safe run run, even in check mode
   run_once: true
 
 - name: Update certificates on one host at a time
@@ -29,7 +30,8 @@
         cmd: |
           /home/acme/.acme.sh/acme.sh
             --issue
-            --keylength 2048
+            --ecc
+            --keylength ec-384
             --days "{{ haproxy_acme_renewal_days }}"
             --dns dns_acmedns
             --stateless

roles/lifecycle/handlers/main.yml

@@ -4,4 +4,7 @@
     name: lifecycle
     state: started
     restart: true
-  when: lifecycleservercontainer is success and lifecycleservercontainer is not change
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
+  when: lifecyclecontainer is success and lifecyclecontainer is not change

roles/manage/handlers/main.yml

@@ -3,4 +3,7 @@
     name: manageserver
     state: started
     restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
   when: manageservercontainer is success and manageservercontainer is not change

roles/manage/templates/metadata_configuration/provisioning.schema.json.j2

@@ -85,6 +85,10 @@
           "type": "string",
           "info": "The password of the SCIM endpoint. Will be stored symmetrically encrypted."
         },
+        "scim_bearer_token": {
+            "type": "string",
+            "info": "The bearer token of the SCIM endpoint. Will be stored symmetrically encrypted."
+        },
         "scim_update_role_put_method": {
           "type": "boolean",
           "default": false,