From cbbc714cec2e55284f073c9f1801aa4baf9ae1b4 Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Tue, 10 May 2022 16:34:35 +0200 Subject: [PATCH 1/8] feat!: support organization-specific domains for Portal backend and frontend - introduced new configuration parameter `portal_domain` - allow specifying extra labels for customization, backend and frontend container BREAKING CHANGE: Removed support for alias hostnames on the backend BREAKING CHANGE: Removed support for alias hostnames on the frontend BREAKING CHANGE: Removed support for alias hostnames on the customization service BREAKING CHANGE: Dropped support for Portal Backend <10.0.0 BREAKING CHANGE: Dropped support for Portal Frontend <3.0.0 BREAKING CHANGE: Dropped support for Portal Customization <3.0.0 --- README.md | 30 +++++++++++------------- defaults/main.yml | 19 ++++++++------- tasks/backend.yml | 41 +++++---------------------------- tasks/customization_service.yml | 35 +++++----------------------- tasks/frontend.yml | 27 ++++------------------ tasks/reverse_proxy.yml | 12 +++++----- test.yml | 13 +++++++++++ 7 files changed, 59 insertions(+), 118 deletions(-) create mode 100644 test.yml diff --git a/README.md b/README.md index e152141..32587ee 100644 --- a/README.md +++ b/README.md @@ -41,28 +41,14 @@ The password to use to authenticate against the specified docker registry. ### Innoactive Portal - portal_hostname: + portal_domain: -**Mandatory** hostname under which the Portal will be available (this needs to be publicly reachable). - - portal_alias_hostnames: [] - -Alternative or legacy hostnames array. Users accessing it will be redirected to portal_hostname. - - admin_hostname: - -**Mandatory** hostname under which the portal control panel will be available. - - admin_alias_hostnames: [] +**Mandatory** Domain under which the Portal's Backend, Control Panel and Frontend will be acessible (on a per organization basis à la `.`). Alternative or legacy hostnames array. Users accessing it will be redirected to admin_hostname. customization_hostname: -**Mandatory** hostname under shich the customization service will be available. - - customization_alias_hostnames: [] - Alternative or legacy hostnames array. Users accessing it will be redirected to customization_hostname. secret_key: @@ -110,6 +96,10 @@ Optional Google Tag Manager Id. When set, Portal Backend / Control Panel will be Optional mapping of additional environment variables to be passed on to the Portal Backend (e.g. to unlock hidden features). + extra_labels: {} + +Optional mapping of additional labels to be passed on to the Portal Backend container. + extra_volumes: [] Optional mapping of additional volumes on the Portal Backend container. @@ -417,6 +407,10 @@ Optional Google Tag Manager Id. When set, Portal Frontend will be setup to load Optional mapping of additional environment variables to be passed on to the Portal (e.g. to unlock hidden features). + portal_extra_labels: {} + +Optional mapping of additional labels to be set on the Portal container. + #### Portal Customization Service customization_image_version @@ -445,6 +439,10 @@ an oauth client will automatically be retrieved. Optional mapping of additional environment variables to be passed on to the Portal Backend (e.g. to unlock hidden features). + customization_extra_labels: {} + +Optional mapping of additionallabels to be set on the Customization container. + ### Mail Setup In order to send mails, SMTP needs to be set up diff --git a/defaults/main.yml b/defaults/main.yml index 5a0beea..69119b6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,8 +10,7 @@ docker_registry: password: "{{ registry_password }}" # Main Portal Backend Configuration parameters -admin_hostname: -admin_alias_hostnames: [] +portal_domain: "{{ undef(hint='You must specify the base domain for Portal') }}" secret_key: "{{ undef(hint='You must specify a secret key for hashing / encryption') }}" from_email: admin_email: "{{ undef(hint='You must specify an e-mail address for the default admin user') }}" @@ -26,6 +25,7 @@ sentry_dsn: # Google Analytics configuration google_analytics_tracking_id: extra_environment_variables: {} +extra_labels: {} extra_volumes: [] # Secure Communications (SSL / TLS) @@ -85,8 +85,7 @@ image_versions: cloudxr_management: "{{ cloudxr_management_image }}" admin_configuration: - hostname: "{{ admin_hostname }}" - alias_hostnames: "{{ admin_alias_hostnames | trim }}" + domain: "{{ portal_domain }}" secret_key: "{{ secret_key | mandatory }}" from_email: "{{ from_email }}" admin_email: "{{ admin_email | mandatory }}" @@ -100,25 +99,25 @@ admin_configuration: protocol: "{{ 'https' if traefik.enable_tls else 'http' }}" create_admin_user: "{{ create_admin_user }}" extra_environment_variables: "{{ extra_environment_variables }}" + extra_labels: "{{ extra_labels }}" extra_volumes: "{{ extra_volumes }}" google_tag_manager_id: "{{ google_tag_manager_id }}" # Portal Configuration -portal_hostname: -portal_alias_hostnames: [] portal_oauth_client_id: portal_sentry_dsn: portal_signaling_service: "" portal_extra_environment_variables: {} +portal_extra_labels: {} portal_google_maps_api_key: portal_google_tag_manager_id: portal_configuration: - hostname: "{{ portal_hostname }}" - alias_hostnames: "{{ portal_alias_hostnames | trim }}" + domain: "{{ portal_domain }}" oauth2_client_id: "{{ portal_oauth_client_id }}" sentry_dsn: "{{ portal_sentry_dsn }}" extra_environment_variables: "{{ portal_extra_environment_variables }}" + extra_labels: "{{ portal_extra_labels }}" signaling_service: "{{ portal_signaling_service | default('wss://' + portal_hostname, true) }}" google_maps_api_key: "{{ portal_google_maps_api_key }}" google_tag_manager_id: "{{ portal_google_tag_manager_id }}" @@ -213,17 +212,17 @@ desktop_client_configuration: # Customization Configuration customization_hostname: -customization_alias_hostnames: [] customization_oauth_client_id: customization_oauth_client_secret: customization_extra_environment_variables: {} +customization_extra_labels: {} customization_configuration: hostname: "{{ customization_hostname }}" - alias_hostnames: "{{ customization_alias_hostnames | trim }}" oauth2_client_id: "{{ customization_oauth_client_id }}" oauth2_client_secret: "{{ customization_oauth_client_secret }}" extra_environment_variables: "{{ customization_extra_environment_variables }}" + extra_labels: "{{ customization_extra_labels }}" # Mail Configuration smtp_host: diff --git a/tasks/backend.yml b/tasks/backend.yml index f1ac609..ffd2a02 100644 --- a/tasks/backend.yml +++ b/tasks/backend.yml @@ -10,11 +10,10 @@ - name: Collect environment variables for the main application server set_fact: - traefik_admin_alternative_hostnames: "{{ admin_configuration.alias_hostnames | map('regex_replace', '^(.*)$', '`\\1`') | join(',') }}" base_server_environment_variables: - DJANGO_ALLOWED_HOSTS: "{{ ([admin_configuration.hostname] + admin_configuration.alias_hostnames) | join(',') | mandatory }}" + DOMAIN: "{{ admin.configuration.domain }}" DJANGO_SECRET_KEY: "{{ admin_configuration.secret_key | mandatory }}" - FROM_EMAIL: "{{ admin_configuration.from_email | default('admin@' + portal_configuration.hostname, true) }}" + FROM_EMAIL: "{{ admin_configuration.from_email | default('admin@' + admin_configuration.domain, true) }}" RAVEN_DSN: "{{ admin_configuration.sentry_dsn | default('') }}" GOOGLE_ANALYTICS_TRACKING_ID: "{{ admin_configuration.google_analytics_id | default('') }}" EMAIL_HOST: "{{ mail_configuration.smtp.host }}" @@ -24,46 +23,18 @@ EMAIL_USE_TLS: "{{ mail_configuration.smtp.use_tls | ternary('True', 'False') | string }}" EMAIL_USE_SSL: "{{ mail_configuration.smtp.use_ssl | ternary('True', 'False') | string }}" CUSTOMIZATION_SERVICE_API_URL: "{{ admin_configuration.protocol }}://{{ customization_configuration.hostname }}/api" - PORTAL_URL: "{{ admin_configuration.protocol }}://{{ portal_configuration.hostname }}" CLOUD_RENDERING_CLIENT_APPLICATION_CLIENT_ID: "{{ desktop_client_configuration.remote_oauth2_client_id }}" - DEVICE_AUTHORIZATION_VERIFICATION_URL: "{{ admin_configuration.protocol }}://{{ portal_configuration.hostname }}/connect-hmd" GOOGLE_TAG_MANAGER_ID: "{{ admin_configuration.google_tag_manager_id | default('') }}" -- name: Support alternative hostnames - set_fact: - alternative_admin_hostnames_traefik_labels: - # redirect alternative domains to primary - traefik.http.middlewares.redirect-alternative.redirectregex.regex: "(.*?://)([^/]+)(.*)" - traefik.http.middlewares.redirect-alternative.redirectregex.replacement: "${1}{{ admin_configuration.hostname }}${3}" - traefik.http.routers.web-alternative.rule: Host({{ traefik_admin_alternative_hostnames }}) - traefik.http.routers.web-alternative.middlewares: redirect-alternative - traefik.http.routers.web-alternative.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.web-alternative.tls.certresolver: "{{ traefik.certificate_resolver }}" - - # API, OAuth and Websocket Connections / Django-Channels - traefik.http.routers.web-api-alternative.rule: Host({{ traefik_admin_alternative_hostnames }}) && PathPrefix(`/ws`,`/api`,`/oauth`) - traefik.http.routers.web-api-alternative.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.web-api-alternative.tls.certresolver: "{{ traefik.certificate_resolver }}" - traefik.http.routers.web-api-alternative.priority: "100" - - when: admin_configuration.alias_hostnames | default([]) | length > 0 - - name: Start Django Application Server vars: traefik_labels: traefik.enable: "true" - traefik.http.routers.web.rule: Host(`{{ admin_configuration.hostname }}`) + traefik.http.routers.web.rule: HostRegexp(`admin.{subdomain:[\w-_]+}.{{ admin_configuration.domain }}`,`api.{{ admin_configuration.domain }}`,`admin.{{ admin_configuration.domain }}`) traefik.http.routers.web.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" traefik.http.routers.web.tls.certresolver: "{{ traefik.certificate_resolver }}" - - # Websocket Connections / Django-Channels - traefik.http.routers.channels.rule: Host(`{{ admin_configuration.hostname }}`) && PathPrefix(`/ws`) - traefik.http.routers.channels.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.channels.tls.certresolver: "{{ traefik.certificate_resolver }}" - alternative_admin_domain_labels: "{{ alternative_admin_hostnames_traefik_labels | default({}) }}" base_volumes: - "{{ volume_names.media }}:/media" - redirect_http_labels: "{{ http_redirect_traefik_labels | default({}) }}" docker_container: name: "{{ container_names.backend }}" image: "{{ image_versions.portal_backend }}" @@ -72,7 +43,7 @@ restart_policy: unless-stopped volumes: "{{ base_volumes + admin_configuration.extra_volumes }}" env: "{{ base_server_environment_variables | combine(admin_configuration.extra_environment_variables) }}" - labels: "{{ traefik_labels | combine(alternative_admin_domain_labels) }}" + labels: "{{ traefik_labels | combine(admin_configuration.extra_labels) }}" comparisons: # correctly recreate container when any environment variable or labels is changed or added / removed env: strict @@ -110,8 +81,8 @@ shell: "{{ lookup('template', 'run_in_django_shell.sh.j2') }}" # noqa 305 vars: python_script_name: change_site_name_and_domain - site_name: "{{ admin_configuration.hostname[:49] }}" - domain: "{{ admin_configuration.hostname }}" + site_name: "admin.{{ admin_configuration.domain[:49] }}" + domain: "admin.{{ admin_configuration.domain }}" register: site_update_output changed_when: site_update_output.stdout | trim | bool tags: diff --git a/tasks/customization_service.yml b/tasks/customization_service.yml index 7dec788..a736a70 100644 --- a/tasks/customization_service.yml +++ b/tasks/customization_service.yml @@ -10,9 +10,9 @@ client_id: "{{ customization_configuration.oauth2_client_id }}" client_secret: "{{ customization_configuration.oauth2_client_secret }}" redirect_uris: - - "{{ admin_configuration.protocol }}://%s/services/customization/hub/callback/' % '{{ admin_configuration.hostname }}" - - "{{ admin_configuration.protocol }}://%s/microservices/customization/hub/callback/' % '{{ admin_configuration.hostname }}" - - "{{ admin_configuration.protocol }}://%s/hub_services/customization/hub/callback/' % '{{ admin_configuration.hostname }}" + - "{{ admin_configuration.protocol }}://%s/services/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" + - "{{ admin_configuration.protocol }}://%s/microservices/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" + - "{{ admin_configuration.protocol }}://%s/hub_services/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" - "{{ admin_configuration.protocol }}://%s/hub/callback/' % '{{ customization_configuration.hostname }}" register: customization_oauth2_client_output changed_when: customization_oauth2_client_output.stdout | from_json | json_query('changed') @@ -37,32 +37,11 @@ docker_volume: name: "{{ volume_names.customization }}" -- name: Support alternative hostnames - set_fact: - alternative_customization_hostnames_traefik_labels: - # redirect alternative domains to primary - traefik.http.middlewares.redirect-alternative-customization.redirectregex.regex: "(.*?://)([^/]+)(.*)" - traefik.http.middlewares.redirect-alternative-customization.redirectregex.replacement: "${1}{{ customization_configuration.hostname }}${3}" - traefik.http.routers.customization-alternative.rule: Host({{ alias_customization_hostnames }}) - traefik.http.routers.customization-alternative.middlewares: redirect-alternative-customization - traefik.http.routers.customization-alternative.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.customization-alternative.tls.certresolver: "{{ traefik.certificate_resolver }}" - - # API (cannot be redirected, because of failing CORS) - traefik.http.routers.customization-alternative-post.rule: Host({{ alias_customization_hostnames }}) && PathPrefix(`/api`) - traefik.http.routers.customization-alternative-post.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.customization-alternative-post.tls.certresolver: "{{ traefik.certificate_resolver }}" - vars: - # ensure alternative domains are supported in both old and new formats (old.domain and customization.portal.old.domain) - alternative_customization_hostnames: "{{ customization_configuration.alias_hostnames | map('regex_replace', '^(.*)$', '\\1') | list }}" - alias_customization_hostnames: "{{ alternative_customization_hostnames | map('regex_replace', '^(.*)$', '`\\1`') | join(',') }}" - when: customization_configuration.alias_hostnames | default([]) | length > 0 - - name: Start Customization Service vars: - CUSTOMIZATION_SERVICE_ALLOWED_HOSTS: "{{ ([customization_configuration.hostname] + customization_configuration.alias_hostnames) | join(',') | mandatory }}" + CUSTOMIZATION_SERVICE_ALLOWED_HOSTS: "{{ customization_configuration.hostname | mandatory }}" default_environment_variables: - API_ROOT: "{{ admin_configuration.protocol }}://{{ admin_configuration.hostname }}" + API_ROOT: "{{ admin_configuration.protocol }}://admin.{{ admin_configuration.domain }}" CUSTOMIZATION_API_ROOT: "{{ admin_configuration.protocol }}://{{ customization_configuration.hostname }}/api" DB_HOST: db DB_NAME: customization @@ -80,8 +59,6 @@ traefik.http.routers.customization.rule: Host(`{{ customization_configuration.hostname }}`) traefik.http.routers.customization.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" traefik.http.routers.customization.tls.certresolver: "{{ traefik.certificate_resolver }}" - alternative_domain_labels: "{{ alternative_customization_hostnames_traefik_labels | default({}) }}" - redirect_http_labels: "{{ http_redirect_traefik_labels | default({}) }}" docker_container: name: "{{ container_names.customization }}" image: "{{ image_versions.customization }}" @@ -93,7 +70,7 @@ exposed_ports: - "80" env: "{{ default_environment_variables | combine(customization_configuration.extra_environment_variables) }}" - labels: "{{ traefik_labels | combine(alternative_domain_labels) }}" + labels: "{{ traefik_labels | combine(customization_configuration.extra_labels) }}" comparisons: # correctly recreate container when any environment variable or labels is changed or added / removed env: strict diff --git a/tasks/frontend.yml b/tasks/frontend.yml index 806d36b..50a7e73 100644 --- a/tasks/frontend.yml +++ b/tasks/frontend.yml @@ -33,26 +33,12 @@ customization_api_root: "{{ admin_configuration.protocol }}://{{ customization_configuration.hostname }}" when: admin_configuration.setup_customization_service -- name: Support alternative hostnames - set_fact: - alternative_portal_hostnames_traefik_labels: - # redirect alternative domains to primary - # GET & HEAD (can be redirected) - traefik.http.middlewares.redirect-alternative-portal.redirectregex.regex: "(.*?://)([^/]+)(.*)" - traefik.http.middlewares.redirect-alternative-portal.redirectregex.replacement: "${1}{{ portal_configuration.hostname }}${3}" - traefik.http.routers.portal-alternative.rule: Host({{ traefik_portal_alternative_hostnames }}) && Method(`GET`,`HEAD`) - traefik.http.routers.portal-alternative.middlewares: redirect-alternative-portal - traefik.http.routers.portal-alternative.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" - traefik.http.routers.portal-alternative.tls.certresolver: "{{ traefik.certificate_resolver }}" - vars: - traefik_portal_alternative_hostnames: "{{ portal_configuration.alias_hostnames | map('regex_replace', '^(.*)$', '`\\1`') | join(',') }}" - when: portal_configuration.alias_hostnames | default([]) | length > 0 - - name: Start Portal container vars: default_environment_variables: + SPA_portalDomain: "{{ portal_configuration.domain }}" SPA_sentryDSN: "{{ portal_configuration.sentry_dsn }}" - SPA_portalBackendRootUrl: "{{ admin_configuration.protocol }}://{{ admin_configuration.hostname }}" + SPA_portalBackendRootUrl: "{{ admin_configuration.protocol }}://api.{{ admin_configuration.domain }}" SPA_portalOAuth2ClientId: "{{ portal_frontend_oauth2_client_id }}" SPA_portalCustomizationRootUrl: "{{ customization_api_root | default('', true) }}" SPA_portalCloudRenderingSessionManagementRootUrl: "{{ admin_configuration.protocol }}://{{ session_management_configuration.hostname }}" @@ -63,11 +49,9 @@ SPA_gtmId: "{{ portal_configuration.google_tag_manager_id | default('') }}" traefik_labels: traefik.enable: "true" - traefik.http.routers.portal.rule: Host(`{{ portal_configuration.hostname }}`) + traefik.http.routers.portal.rule: HostRegexp(`{subdomain:[\w-_]+}.{{ portal_configuration.domain }}`) traefik.http.routers.portal.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" traefik.http.routers.portal.tls.certresolver: "{{ traefik.certificate_resolver }}" - alternative_portal_domain_labels: "{{ alternative_portal_hostnames_traefik_labels | default({}) }}" - redirect_http_labels: "{{ http_redirect_traefik_labels | default({}) }}" docker_container: name: "{{ container_names.portal_frontend }}" image: "{{ image_versions.portal }}" @@ -76,8 +60,7 @@ container_default_behavior: no_defaults pull: "{{ portal_version_is_latest }}" env: "{{ default_environment_variables | combine(portal_configuration.extra_environment_variables) }}" - labels: "{{ traefik_labels | combine(alternative_portal_domain_labels) }}" - + labels: "{{ traefik_labels | combine(portal_configuration.extra_labels) }}" networks_cli_compatible: true networks: - name: "{{ network_names.main }}" @@ -113,7 +96,7 @@ - "{{ nginx_config_file_path }}:/etc/nginx/conf.d/default.conf" labels: traefik.enable: "true" - traefik.http.routers.signalling-ws-proxy.rule: Host(`{{ portal_configuration.hostname }}`) && PathPrefix(`/signalling/`) + traefik.http.routers.signalling-ws-proxy.rule: HostRegexp(`{subdomain:[\w-_]+}.{{ portal_configuration.domain }}`) && PathPrefix(`/signalling/`) traefik.http.routers.signalling-ws-proxy.entrypoints: http traefik.http.routers.signalling-ws-proxy.tls: "true" traefik.http.routers.signalling-ws-proxy.tls.certresolver: lets-encrypt diff --git a/tasks/reverse_proxy.yml b/tasks/reverse_proxy.yml index 0bc3c70..3022bcc 100644 --- a/tasks/reverse_proxy.yml +++ b/tasks/reverse_proxy.yml @@ -18,10 +18,10 @@ when: traefik.dashboard set_fact: traefik_dashboard_environment_variables: - TREAFIK_API: 'true' - TRAEFIK_API_INSECURE: 'true' - TRAEFIK_API_DASHBOARD: 'true' - TRAEFIK_API_DEBUG: 'true' + TREAFIK_API: "true" + TRAEFIK_API_INSECURE: "true" + TRAEFIK_API_DASHBOARD: "true" + TRAEFIK_API_DEBUG: "true" - name: Start Reverse Proxy (traefik) vars: @@ -72,7 +72,7 @@ - name: "{{ network_names.main }}" aliases: - traefik - - "{{ admin_configuration.hostname }}" + - "admin.{{ admin_configuration.domain }}" + - "api.{{ admin_configuration.domain }}" - "{{ customization_configuration.hostname }}" - - "{{ portal_configuration.hostname }}" register: reverse_proxy_result diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..8f58ce8 --- /dev/null +++ b/test.yml @@ -0,0 +1,13 @@ +- hosts: localhost + connection: local + gather_facts: false + + vars: + bla: "{{ undef(hint='You must specify an API token for IPStack') }}" + blubb: "{{ bla | mandatory }}" + + tasks: + - debug: + var: test + vars: + test: "{{ bla | mandatory }}" From 8f0c617adfe9f842b8120dd774bf8fd3760cee8a Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Tue, 10 May 2022 16:37:24 +0200 Subject: [PATCH 2/8] test: removed hostname from test, use domain instead --- molecule/default/converge.yml | 3 +-- molecule/saas/converge.yml | 7 +++---- molecule/with_cifs/converge.yml | 7 +++---- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 25e1eba..49f3501 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -9,8 +9,7 @@ setup_control_panel: false letsencrypt: false secret_key: not-secret-at-all-but-okay-for-tests - admin_hostname: admin.portal.localhost - portal_hostname: portal.localhost + portal_domain: portal.localhost customization_hostname: customization.portal.localhost session_management_hostname: session-management.portal.localhost admin_email: admin@innoactive.de diff --git a/molecule/saas/converge.yml b/molecule/saas/converge.yml index 50f39a7..40c4a6b 100644 --- a/molecule/saas/converge.yml +++ b/molecule/saas/converge.yml @@ -11,10 +11,9 @@ # do not issue certificates from production letsencrypt server letsencrypt_test: true secret_key: not-secret-at-all-but-okay-for-tests - admin_hostname: "admin.portal.{{ public_hostname }}" - portal_hostname: "portal.{{ public_hostname }}" - customization_hostname: "customization.portal.{{ public_hostname }}" - session_management_hostname: session-management.portal.{{ public_hostname }}" + portal_domain: "{{ public_hostname }}" + customization_hostname: "customization.{{ public_hostname }}" + session_management_hostname: session-management.{{ public_hostname }}" admin_email: admin@innoactive.de admin_password: sup3rs3cur3pa55w0rdf0rt3st1ng session_management_ip_stack_api_token: invalid-token-but-not-empty diff --git a/molecule/with_cifs/converge.yml b/molecule/with_cifs/converge.yml index 067815f..baa5564 100644 --- a/molecule/with_cifs/converge.yml +++ b/molecule/with_cifs/converge.yml @@ -11,10 +11,9 @@ # do not issue certificates from production letsencrypt server letsencrypt_test: true secret_key: not-secret-at-all-but-okay-for-tests - admin_hostname: "admin.portal.{{ public_hostname }}" - portal_hostname: "portal.{{ public_hostname }}" - customization_hostname: "customization.portal.{{ public_hostname }}" - session_management_hostname: session-management.portal.{{ public_hostname }}" + portal_domain: "{{ public_hostname }}" + customization_hostname: "customization.{{ public_hostname }}" + session_management_hostname: session-management.{{ public_hostname }}" admin_email: admin@innoactive.de admin_password: sup3rs3cur3pa55w0rdf0rt3st1ng session_management_ip_stack_api_token: invalid-token-but-not-empty From 5bbcd469fb35ecd333a9fe1ce65628b0475f6b96 Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 10:31:19 +0200 Subject: [PATCH 3/8] chore: fixed typo --- tasks/backend.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/backend.yml b/tasks/backend.yml index ffd2a02..1bcca16 100644 --- a/tasks/backend.yml +++ b/tasks/backend.yml @@ -11,7 +11,7 @@ - name: Collect environment variables for the main application server set_fact: base_server_environment_variables: - DOMAIN: "{{ admin.configuration.domain }}" + DOMAIN: "{{ admin_configuration.domain }}" DJANGO_SECRET_KEY: "{{ admin_configuration.secret_key | mandatory }}" FROM_EMAIL: "{{ admin_configuration.from_email | default('admin@' + admin_configuration.domain, true) }}" RAVEN_DSN: "{{ admin_configuration.sentry_dsn | default('') }}" From 8c18abbeef9379768a5da1ec9d32764214475982 Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 15:06:34 +0200 Subject: [PATCH 4/8] chore: fixed some undefined variables --- README.md | 9 +-------- defaults/main.yml | 2 ++ tasks/backend.yml | 6 +++--- tasks/customization_service.yml | 8 ++++---- tasks/reverse_proxy.yml | 4 ++-- tasks/session_management_service.yml | 2 +- 6 files changed, 13 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 32587ee..54b58d2 100644 --- a/README.md +++ b/README.md @@ -45,8 +45,6 @@ The password to use to authenticate against the specified docker registry. **Mandatory** Domain under which the Portal's Backend, Control Panel and Frontend will be acessible (on a per organization basis à la `.`). -Alternative or legacy hostnames array. Users accessing it will be redirected to admin_hostname. - customization_hostname: Alternative or legacy hostnames array. Users accessing it will be redirected to customization_hostname. @@ -382,10 +380,6 @@ The OAuth2 Client Secret that the Remote (Cloud Rendering) Launcher uses. Whether or not to setup the Portal frontend for this instance. (Legacy parameter: `setup_discovery_portal: true`) - portal_hostname: "portal.{{ admin_configuration.primay_hostname }}" - -The hostname under which the Portal frontend should be publicly availabe. This defaults to `portal.`. - portal_oauth_client_id: Allows to explicitly define the oauth client id to be used by the portal to communicate with the Portal backend. If not defined, @@ -534,10 +528,9 @@ users too: setup_database: true setup_control_panel: true letsencrypt: true + portal_domain: innoactive.io secret_key: not-secret-at-all-but-okay-for-tests admin_email: admin@innoactive.de - portal_hostname: portal.my.hostname.com - admin_hostname: admin.portal.my.hostname.com customization_hostname: customization.portal.my.hostname.com ## Testing diff --git a/defaults/main.yml b/defaults/main.yml index 69119b6..16655df 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -102,6 +102,8 @@ admin_configuration: extra_labels: "{{ extra_labels }}" extra_volumes: "{{ extra_volumes }}" google_tag_manager_id: "{{ google_tag_manager_id }}" + api_hostname: "api.{{ portal_domain }}" + admin_hostname: "admin.{{ portal_domain }}" # Portal Configuration portal_oauth_client_id: diff --git a/tasks/backend.yml b/tasks/backend.yml index 1bcca16..b9df339 100644 --- a/tasks/backend.yml +++ b/tasks/backend.yml @@ -30,7 +30,7 @@ vars: traefik_labels: traefik.enable: "true" - traefik.http.routers.web.rule: HostRegexp(`admin.{subdomain:[\w-_]+}.{{ admin_configuration.domain }}`,`api.{{ admin_configuration.domain }}`,`admin.{{ admin_configuration.domain }}`) + traefik.http.routers.web.rule: HostRegexp(`admin.{subdomain:[\w-_]+}.{{ admin_configuration.domain }}`,{{ admin_configuration.api_hostname }}`,`{{ admin_configuration.admin_hostname }}`) traefik.http.routers.web.tls: "{{ traefik.enable_tls | ternary('true', 'false') }}" traefik.http.routers.web.tls.certresolver: "{{ traefik.certificate_resolver }}" base_volumes: @@ -81,8 +81,8 @@ shell: "{{ lookup('template', 'run_in_django_shell.sh.j2') }}" # noqa 305 vars: python_script_name: change_site_name_and_domain - site_name: "admin.{{ admin_configuration.domain[:49] }}" - domain: "admin.{{ admin_configuration.domain }}" + site_name: "{{ admin_configuration.admin_hostname[:49] }}" + domain: "{{ admin_configuration.admin_hostname }}" register: site_update_output changed_when: site_update_output.stdout | trim | bool tags: diff --git a/tasks/customization_service.yml b/tasks/customization_service.yml index a736a70..e19cbc2 100644 --- a/tasks/customization_service.yml +++ b/tasks/customization_service.yml @@ -10,9 +10,9 @@ client_id: "{{ customization_configuration.oauth2_client_id }}" client_secret: "{{ customization_configuration.oauth2_client_secret }}" redirect_uris: - - "{{ admin_configuration.protocol }}://%s/services/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" - - "{{ admin_configuration.protocol }}://%s/microservices/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" - - "{{ admin_configuration.protocol }}://%s/hub_services/customization/hub/callback/' % 'admin.{{ admin_configuration.domain }}" + - "{{ admin_configuration.protocol }}://%s/services/customization/hub/callback/' % '{{ admin_configuration.admin_hostname }}" + - "{{ admin_configuration.protocol }}://%s/microservices/customization/hub/callback/' % '{{ admin_configuration.admin_hostname }}" + - "{{ admin_configuration.protocol }}://%s/hub_services/customization/hub/callback/' % '{{ admin_configuration.admin_hostname }}" - "{{ admin_configuration.protocol }}://%s/hub/callback/' % '{{ customization_configuration.hostname }}" register: customization_oauth2_client_output changed_when: customization_oauth2_client_output.stdout | from_json | json_query('changed') @@ -41,7 +41,7 @@ vars: CUSTOMIZATION_SERVICE_ALLOWED_HOSTS: "{{ customization_configuration.hostname | mandatory }}" default_environment_variables: - API_ROOT: "{{ admin_configuration.protocol }}://admin.{{ admin_configuration.domain }}" + API_ROOT: "{{ admin_configuration.protocol }}://{{ admin_configuration.api_hostname }}" CUSTOMIZATION_API_ROOT: "{{ admin_configuration.protocol }}://{{ customization_configuration.hostname }}/api" DB_HOST: db DB_NAME: customization diff --git a/tasks/reverse_proxy.yml b/tasks/reverse_proxy.yml index 3022bcc..39b2f28 100644 --- a/tasks/reverse_proxy.yml +++ b/tasks/reverse_proxy.yml @@ -72,7 +72,7 @@ - name: "{{ network_names.main }}" aliases: - traefik - - "admin.{{ admin_configuration.domain }}" - - "api.{{ admin_configuration.domain }}" + - "{{ admin_configuration.api_hostname }}" + - "{{ admin_configuration.admin_hostname }}" - "{{ customization_configuration.hostname }}" register: reverse_proxy_result diff --git a/tasks/session_management_service.yml b/tasks/session_management_service.yml index 90126a3..0a689fc 100644 --- a/tasks/session_management_service.yml +++ b/tasks/session_management_service.yml @@ -43,7 +43,7 @@ traefik.http.routers.session_management.tls.certresolver: lets-encrypt env: OAuth__UseTokenCache: "true" - PortalBackend__BaseUrl: "{{ admin_configuration.protocol }}://{{ admin_hostname }}" + PortalBackend__BaseUrl: "{{ admin_configuration.protocol }}://{{ admin_configuration.api_hostname }}" PortalBackend__ClientId: "{{ session_management_oauth2_client_id }}" PortalBackend__ClientSecret: "{{ session_management_oauth2_client_secret }}" IpLookupService__ApiToken: "{{ session_management_configuration.ip_stack_api_token }}" From 94532fa5690123a850ffc35fba94e22cde4f4e56 Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 15:34:21 +0200 Subject: [PATCH 5/8] refactor: use api hostname variable Co-authored-by: Klyse --- tasks/frontend.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/frontend.yml b/tasks/frontend.yml index 50a7e73..efa31d0 100644 --- a/tasks/frontend.yml +++ b/tasks/frontend.yml @@ -38,7 +38,7 @@ default_environment_variables: SPA_portalDomain: "{{ portal_configuration.domain }}" SPA_sentryDSN: "{{ portal_configuration.sentry_dsn }}" - SPA_portalBackendRootUrl: "{{ admin_configuration.protocol }}://api.{{ admin_configuration.domain }}" + SPA_portalBackendRootUrl: "{{ admin_configuration.protocol }}://{{ admin_configuration.api_hostname }}" SPA_portalOAuth2ClientId: "{{ portal_frontend_oauth2_client_id }}" SPA_portalCustomizationRootUrl: "{{ customization_api_root | default('', true) }}" SPA_portalCloudRenderingSessionManagementRootUrl: "{{ admin_configuration.protocol }}://{{ session_management_configuration.hostname }}" From 1e82706c2e3d79ceb057f9a8d0a481ed92e7803c Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 15:55:48 +0200 Subject: [PATCH 6/8] chore: ditch portal_hostname --- defaults/main.yml | 2 +- tasks/session_management_service.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 16655df..e65dabe 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -120,7 +120,7 @@ portal_configuration: sentry_dsn: "{{ portal_sentry_dsn }}" extra_environment_variables: "{{ portal_extra_environment_variables }}" extra_labels: "{{ portal_extra_labels }}" - signaling_service: "{{ portal_signaling_service | default('wss://' + portal_hostname, true) }}" + signaling_service: "{{ portal_signaling_service | default('wss://signaling.' + portal_domain, true) }}" google_maps_api_key: "{{ portal_google_maps_api_key }}" google_tag_manager_id: "{{ portal_google_tag_manager_id }}" diff --git a/tasks/session_management_service.yml b/tasks/session_management_service.yml index 0a689fc..bb5c216 100644 --- a/tasks/session_management_service.yml +++ b/tasks/session_management_service.yml @@ -55,7 +55,7 @@ AdaptiveInstanceScaling__MaxInstancesPerRegion: "{{ session_management_configuration.adaptive_instance_scaling.max_instances_per_region }}" AdaptiveInstanceScaling__ConnectionIsIdleAfterMin: "{{ session_management_configuration.adaptive_instance_scaling.connection_is_idle_after_min }}" SessionWorkers__CloudRenderedSession__Enabled: "{{ session_management_configuration.cloud_rendering_enabled | ternary('true', 'false') }}" - CorsOrigins: "{{ session_management_configuration.cors_origins | default(admin_configuration.protocol + '://' + portal_hostname, true) }}" + CorsOrigins: "{{ session_management_configuration.cors_origins | default(admin_configuration.protocol + '://*.' + portal_domain, true) }}" Serilog__MinimumLevel__Default: "{{ session_management_configuration.log_level | default('Warning', true) }}" ASPNETCORE_ENVIRONMENT: "{{ session_management_configuration.environment | default('Production', true) }}" From 11de5228e3ae0df6b17be73a2f5b7513153d94fa Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 15:57:49 +0200 Subject: [PATCH 7/8] chore: removed accidentally committed test playbook --- test.yml | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 test.yml diff --git a/test.yml b/test.yml deleted file mode 100644 index 8f58ce8..0000000 --- a/test.yml +++ /dev/null @@ -1,13 +0,0 @@ -- hosts: localhost - connection: local - gather_facts: false - - vars: - bla: "{{ undef(hint='You must specify an API token for IPStack') }}" - blubb: "{{ bla | mandatory }}" - - tasks: - - debug: - var: test - vars: - test: "{{ bla | mandatory }}" From 503909f13e238e168fbba0322b97ecd33779616e Mon Sep 17 00:00:00 2001 From: Benedikt Reiser Date: Wed, 11 May 2022 16:12:08 +0200 Subject: [PATCH 8/8] chore: removed references to missing portal hostname --- tasks/cloudxr_management_service.yml | 2 +- tasks/frontend.yml | 2 +- tasks/session_management_service.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cloudxr_management_service.yml b/tasks/cloudxr_management_service.yml index 0f5f6ce..924f1f9 100644 --- a/tasks/cloudxr_management_service.yml +++ b/tasks/cloudxr_management_service.yml @@ -10,7 +10,7 @@ - 5000:5000 env: Sentry__Dsn: "{{ cloudxr_configuration.sentry_dsn }}" - Sentry__ServerName: "{{ portal_configuration.hostname }}" + Sentry__ServerName: "{{ portal_domain }}" Azure__Enabled: "{{ cloudxr_configuration.azure_enabled | ternary('true', 'false') }}" Azure__ClientId: "{{ cloudxr_configuration.azure_client_id }}" Azure__Secret: "{{ cloudxr_configuration.azure_client_secret }}" diff --git a/tasks/frontend.yml b/tasks/frontend.yml index efa31d0..8eebd90 100644 --- a/tasks/frontend.yml +++ b/tasks/frontend.yml @@ -10,7 +10,7 @@ client_id: "{{ portal_configuration.oauth2_client_id }}" client_secret: "" redirect_uris: - - "{{ admin_configuration.protocol }}://%s/oauth/callback' % '{{ portal_configuration.hostname }}" + - "{{ admin_configuration.protocol }}://%s/oauth/callback' % '{{ portal_domain }}" register: portal_frontend_oauth2_client_output changed_when: portal_frontend_oauth2_client_output.stdout | from_json | json_query('changed') # ansible lint has an issue where it cannot bypass rules (like 305) within blocks diff --git a/tasks/session_management_service.yml b/tasks/session_management_service.yml index bb5c216..6048403 100644 --- a/tasks/session_management_service.yml +++ b/tasks/session_management_service.yml @@ -49,7 +49,7 @@ IpLookupService__ApiToken: "{{ session_management_configuration.ip_stack_api_token }}" CloudXRManagement__BaseUrl: "http://{{ container_names.cloudxr_management }}:5000" Sentry__Dsn: "{{ session_management_configuration.sentry_dsn }}" - Sentry__ServerName: "{{ portal_configuration.hostname }}" + Sentry__ServerName: "{{ portal_domain }}" AdaptiveInstanceScaling__Enabled: "{{ session_management_configuration.adaptive_instance_scaling.enabled | ternary('true', 'false') }}" AdaptiveInstanceScaling__UserScaleRatio: "{{ session_management_configuration.adaptive_instance_scaling.user_scale_ratio }}" AdaptiveInstanceScaling__MaxInstancesPerRegion: "{{ session_management_configuration.adaptive_instance_scaling.max_instances_per_region }}"