Merge pull request #603 from OpenConext/release/625

AA Release 625

Author: baszoetekouw

.ansible-lint

@@ -0,0 +1,3 @@
+---
+profile: "production"
+offline: false

environments/template/group_vars/template.yml

@@ -28,8 +28,7 @@ relp_remote:
 
 php_display_errors: 1
 
-attribute_aggregation_gui_version: "3.0.6"
-attribute_aggregation_server_version: "3.0.6"
+attribute_aggregation_version: "3.0.6"
 oidc_playground_client_version: "3.0.0"
 oidc_playground_server_version: "3.0.0"
 engine_version: "6.15.0"

provision.yml

@@ -115,7 +115,7 @@
     - { role: teams,      tags: ["teams"] }
     - { role: pdp,        tags: ["pdp"] }
     - { role: voot,       tags: ["voot"] }
-    - { role: attribute-aggregation, tags: ["aa", "attribute-aggregation"] }
+    - { role: attribute_aggregation, tags: ["aa", "attribute-aggregation"] }
     - { role: oidc-playground, tags: ["oidc-playground"] }
     - { role: myconext,    tags: ["myconext"] }
     - { role: manage,    tags: ["manage"] }

roles/attribute-aggregation/handlers/main.yml

@@ -0,0 +1,19 @@
+- name: "Restart attribute-aggregationserver"
+  community.docker.docker_container:
+    name: aaserver
+    state: started
+    restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
+  when: "aa_servercontainer is success and aa_servercontainer is not changed"
+
+- name: "Restart attribute-aggregationlink"
+  community.docker.docker_container:
+    name: aalink
+    state: started
+    restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': ignore
+  when: "aa_linkcontainer is success and aa_linkcontainer is not changed"

roles/attribute-aggregation/tasks/main.yml

@@ -0,0 +1,143 @@
+---
+- name: Create directory to keep configfile
+  ansible.builtin.file:
+    dest: "/opt/openconext/attribute-aggregation"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0770"
+
+- name: Place the server application configfiles
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/opt/openconext/attribute-aggregation/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - "serverapplication.yml"
+    - "logback.xml"
+    - "attributeAuthorities.yml"
+    - "serviceProviderConfig.json"
+  notify:
+    - "Restart attribute-aggregationserver"
+
+- name: Place the link application configfiles
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/opt/openconext/attribute-aggregation/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  with_items:
+    - "apachelink.conf"
+  notify:
+    - "Restart attribute-aggregationlink"
+
+- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker
+  ansible.builtin.set_fact:
+    aa_docker_networks:
+      - name: "loadbalancer"
+      - name: "openconext_mariadb"
+  when: "mariadb_in_docker | default(false) | bool"
+
+- name: Create and start the server container
+  community.docker.docker_container:
+    name: "aaserver"
+    image: "ghcr.io/openconext/openconext-attribute-aggregation/aa-server:{{ attribute_aggregation_version }}"
+    pull: true
+    restart_policy: "always"
+    state: "started"
+    networks: "{{ aa_docker_networks }}"
+    mounts:
+      - source: "/opt/openconext/attribute-aggregation/serverapplication.yml"
+        target: "/application.yml"
+        read_only: true
+        type: "bind"
+      - source: "/opt/openconext/attribute-aggregation/logback.xml"
+        target: "/logback.xml"
+        read_only: true
+        type: "bind"
+      - source: "/opt/openconext/attribute-aggregation/attributeAuthorities.yml"
+        target: "/attributeAuthorities.yml"
+        read_only: true
+        type: "bind"
+      - source: "/opt/openconext/attribute-aggregation/serviceProviderConfig.json"
+        target: "/serviceProviderConfig.json"
+        read_only: true
+        type: "bind"
+    command: "-Xmx128m --spring.config.location=./"
+    etc_hosts:
+      host.docker.internal: "host-gateway"
+    labels:
+      traefik.http.routers.aaserver.rule: "Host(`aa.{{ base_domain }}`)"
+      traefik.http.routers.aaserver.tls: "true"
+      traefik.enable: "true"
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "wget",
+          "-no-verbose",
+          "--tries=1",
+          "--spider",
+          "http://localhost:8080/internal/health",
+        ]
+      interval: "10s"
+      timeout: "10s"
+      retries: 3
+      start_period: "10s"
+  notify: "Restart attribute-aggregationserver"
+  register: "aa_servercontainer"
+
+- name: Create the gui link container
+  community.docker.docker_container:
+    name: "aalink"
+    image: "ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest"
+    pull: true
+    restart_policy: "always"
+    state: "started"
+    networks: "{{ aa_docker_networks }}"
+    mounts:
+      - source: "/opt/openconext/attribute-aggregation/apachelink.conf"
+        target: "/etc/apache2/sites-enabled/000-default.conf"
+        read_only: true
+        type: "bind"
+      - source: "/etc/localtime"
+        target: "/etc/localtime"
+        read_only: true
+        type: "bind"
+      - source: "/opt/openconext/common/favicon.ico"
+        target: "/var/www/favicon.ico"
+        read_only: true
+        type: "bind"
+    etc_hosts:
+      host.docker.internal: "host-gateway"
+    labels:
+      traefik.http.routers.aalink.rule: "Host(`link.{{ base_domain }}`)"
+      traefik.http.routers.aalink.tls: "true"
+      traefik.enable: "true"
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost/internal/health"]
+      interval: "10s"
+      timeout: "10s"
+      retries: 3
+      start_period: "10s"
+    hostname: "attribute-link"
+    env:
+      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
+      HTTPD_SERVERNAME: "link.{{ base_domain }}"
+      OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
+      OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
+      OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
+      SHIB_ENTITYID: "https://link.{{ base_domain }}/shibboleth"
+      SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
+      SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
+  register: "aa_linkcontainer"
+
+- name: Remove obsolete pdp containers
+  community.docker.docker_container:
+    name: "{{ item }}"
+    state: "absent"
+  loop:
+    - "aagui"

…/attribute-aggregation/defaults/main.yml …/attribute_aggregation/defaults/main.ymlroles/attribute-aggregation/defaults/main.yml renamed to roles/attribute_aggregation/defaults/main.yml roles/attribute-aggregation/defaults/main.yml renamed to roles/attribute_aggregation/defaults/main.yml

@@ -12,8 +12,8 @@ Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html
 ProxyPass /Shibboleth.sso !
 
 ProxyPass /redirect http://aaserver:8080/aa/api/redirect
-ProxyPass /internal/health http://aaserver:8080/aa/api/internal/health
-ProxyPass /internal/info http://aaserver:8080/aa/api/internal/info
+ProxyPass /internal/health http://aaserver:8080/internal/health
+ProxyPass /internal/info http://aaserver:8080/internal/info
 
 ProxyPass /aa/api http://aaserver:8080/aa/api
 ProxyPassReverse /aa/api http://aaserver:8080/aa/api
@@ -22,3 +22,18 @@ ProxyPassReverse /aa/api/client http://aaserver:8080/aa/api/client
 Header always set X-Frame-Options "DENY"
 Header always set Referrer-Policy "strict-origin-when-cross-origin"
 Header always set X-Content-Type-Options "nosniff"
+
+<Location />
+  AuthType shibboleth
+  ShibUseHeaders On
+  ShibRequireSession On
+  Require valid-user
+</Location>
+
+<Location ~ "/internal/(health|info)">
+  Require all granted
+</Location>
+
+<Location ~ "/aa/api/internal/">
+  Require all denied
+</Location>