alf-cactus · alf-cactus · Aug 12, 2021 · Jul 3, 2021 · Jul 3, 2021 · Jul 3, 2021
diff --git a/.github/workflows/test-install.yml b/.github/workflows/test-install.yml
@@ -7,14 +7,14 @@ name: Build
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main,develop ]
     paths-ignore:
     - 'documentation/**'
     - 'design/**'
 
   pull_request:
     types: [ ready_for_review review_requested ]
-    branches: [ master ]
+    branches: [ main,develop ]
     paths-ignore:
     - 'documentation/**'
     - 'design/**'

diff --git a/ansible.cfg b/ansible.cfg
@@ -3,6 +3,7 @@
 inventory = inventory
 #timeout = 60
 force_handlers = True
+stdout_callback = yaml
 
 [ssh_connection]
 pipelining = True
diff --git a/documentation/api/hasura-documentation.md b/documentation/api/hasura-documentation.md
@@ -0,0 +1,68 @@
+# Hasura Documentation
+
+## Upgrade tables & permissions
+
+In FWO v5.3.4 we are migrating from hasura v1.x to v2.x. 
+Therefore upgrades to database tables and permissions now need to be handled as follows:
+- apply your changes (e.g. permissions) in the graphql console (https://<ip>:9443/api/) after logging in with hasura admin secret (to be found in ~/etc/secrets/hasura_admin_pwd)
+- go to settings menu (cogwheel in top right corner)
+- choose export metadata to json file
+- copy the metadata {...} part of this file to source roles/api/files/replace_metadata.json (also into metadata {} part)
+- run `ansible-playbook site.yml "installation_mode=upgrade" -K`
+
+## Configuration parameters
+
+### HASURA_GRAPHQL_DATABASE_URL
+- value: "postgres://{{ api_user }}:{{ api_user_password }}@{{ fworch_db_host }}:{{ fworch_db_port }}/{{ fworch_db_name }}"
+- description: the database connection string (currently using a single database for firewall and metadata)
+
+### HASURA_GRAPHQL_ENABLE_CONSOLE
+- value:   "true"
+- description: default is true, set this to false if you want to disable access to hasura console (loosing graphiql access as well)
+
+### HASURA_GRAPHQL_ENABLE_TELEMETRY
+- value: "false"
+- description: do not send telemtry data to hasura
+
+### HASURA_GRAPHQL_ADMIN_SECRET
+- value: "{{ api_hasura_admin_secret }}"
+- description: randomly generated admin secret for hasura console access
+
+### HASURA_GRAPHQL_LOG_LEVEL
+- value: "{{ api_log_level }}"
+- description: default = info
+
+### HASURA_GRAPHQL_ENABLED_LOG_TYPES
+- value: '{{ api_HASURA_GRAPHQL_ENABLED_LOG_TYPES }}'
+- description: default="startup, http-log, websocket-log"
+
+### HASURA_GRAPHQL_CONSOLE_ASSETS_DIR
+- value: "/srv/console-assets"
+- description: ?
+
+### HASURA_GRAPHQL_V1_BOOLEAN_NULL_COLLAPSE
+- value: "true"
+- description: true means make the graphql API v2.x backward compatible with v1.0 (null result in where clause means true). Default settings "false" breaks query functionality. This might have to be migrated later to ensure new standard logic. See <https://hasura.io/docs/latest/graphql/core/guides/upgrade-hasura-v2.html#what-has-changed>.
+
+### HASURA_GRAPHQL_CORS_DOMAIN
+- value: "*"
+- description: See https://hasura.io/docs/latest/graphql/core/deployment/graphql-engine-flags/config-examples.html. Value "*" means no restrictions. For CORS explanation see <https://en.wikipedia.org/wiki/Cross-origin_resource_sharing>. Can be restricted in customer environment if needed.
+
+### HASURA_GRAPHQL_JWT_SECRET
+- value:
+```
+'{
+    "type": "{{ api_hasura_jwt_alg|quote }}",
+    "key": "{{ api_hasura_jwt_secret | regex_replace(''\n'', ''\\n'') }}",
+    "claims_namespace_path": "$"
+ }'
+```
+- description: the JWT secret containing of algorithm, key (public key part) and an optional claims_namespace_path with default value "$", meaning to specific path.
+
+### HTTP_PROXY
+- value: "{{ http_proxy }}"
+- description: allows outbound connections for the docker container via a proxy.
+
+### HTTPS_PROXY
+- value: "{{ https_proxy }}"
+- description: allows outbound connections for the docker container via a proxy.
diff --git a/documentation/installer/install-for-testing.md b/documentation/installer/install-for-testing.md
@@ -34,14 +34,22 @@ Set debug level for extended debugging info during installation.
 ```console
 ansible-playbook/ site.yml -e "debug_level='2'" -K
 ```
-## Running tests after installation
+## Running integration tests after installation/upgrade
 
 To only run tests (for an existing installation) use tags as follows:
 
 ```console
 ansible-playbook/ site.yml --tags test -K
 ```
 
+## Running unit tests only
+
+To only run tests (for an existing installation, can only be combined with installation_mode=upgrade) use tags as follows:
+
+```console
+ansible-playbook/ site.yml --tags unittest -e "installation_mode=upgrade" -K
+```
+
 ## Parameter "api_no_metadata" to prevent meta data import
 
 e.g. if your hasura metadata file needs to be re-created from scratch, then use the following switch::

diff --git a/documentation/installer/server-install.md b/documentation/installer/server-install.md
@@ -1,59 +1,38 @@
 # Installation instructions server
 
 - use latest debian or ubuntu minimal server with ssh service running (need to install and configure sudo for debian)
-- this will install various software components to your system. It is recommended to do so on a dedicated (test) system.
+- currently recommended platform is Ubuntu Server 20.04 TLS
+- We will install various software components to your system. It is recommended to do so on a dedicated (test) system.
 
-1) prepare your test system (install packages needed for install script and create and autorize ssh key pair to allow ssh login to localhost for ansible connect)
+1) prepare your test system (make sure your user has full sudo permissions)
 
 ```console
 su -
-apt-get install git ansible ssh sudo
+apt-get install git ansible sudo
 ```
 if not already configured, add your current user to sudo group (make sure to activate this change by starting new shell or even rebooting):
 
 ```console
 usermod -a -G sudo `whoami`
-
-exit
-# from here in standard user context
-
-ssh-keygen -b 4096
-cat .ssh/id_rsa.pub >>.ssh/authorized_keys
-chmod 600 .ssh/authorized_keys
 ```
 
-2) test system connectivity necessary for installation
-
-test ssh connectivity to localhost (127.0.0.1) using public key auth (add .ssh/authorized_keys)
-
-```console
-ssh 127.0.0.1
-```
-
-make sure you can use ansible locally
-
-```console
-ansible -m ping 127.0.0.1
-```
-
-3) get Firewall Orchestrator with the following command
-
+2) get Firewall Orchestrator with the following command (as normal user)
 ```console
 git clone https://github.com/CactuseSecurity/firewall-orchestrator.git
 ```
 
-4) if ansible version < 2.8 (older systems like ubuntu 18.04, debian 10), install latest ansible 
+3) if ansible version < 2.8 (older systems like ubuntu 18.04, debian 10), install latest ansible 
 
        cd firewall-orchestrator; ansible-playbook scripts/install-latest-ansible.yml -K
 
-5) install (on localhost)
+4) install (on localhost)
 
 ```console
 cd firewall-orchestrator; ansible-playbook site.yml -K
 ```
 Enter sudo password when prompted "BECOME or SUDO password:"
 
-That's it firewall-orchestrator is ready for usage. You will find the randomly generated login credentials printed out at the very end of the installation:
+That's it. Firewall-orchestrator is ready for usage. You will find the randomly generated login credentials printed out at the very end of the installation:
 ```
 ...
 TASK [display secrets for this installation] ***********************************
@@ -70,12 +49,3 @@ fworch-srv                 : ok=302  changed=171  unreachable=0    failed=0    s
 Simply navigate to <https://localhost/> and login with user 'admin' and the UI admin password.
 
 The api hasura admin secret can be used to access the API at <https://localhost:9443/>.
-
-
-6) upgrade
-
-```console
-  cd firewall-orchestrator
-  git pull
-  ansible-playbook site.yml -K -e "installation_mode=upgrade"
-```
diff --git a/documentation/installer/server-upgrade.md b/documentation/installer/server-upgrade.md
@@ -0,0 +1,9 @@
+# Upgrade instructions
+
+it is really simple:
+
+```console
+  cd firewall-orchestrator
+  git pull
+  ansible-playbook site.yml -K -e "installation_mode=upgrade"
+```
diff --git a/documentation/revision-history.md b/documentation/revision-history.md
@@ -136,3 +136,6 @@ adding report template format fk and permissions
 ### 5.3.3 - 10.07.2021
 - add column ldap_name to ldap_connection
 - add column ldap_connection_id to uiuser
+
+### 5.3.4 - 29.07.2021
+- moving to API hasura v2.0
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "5.3.3"
+product_version: "5.3.4"
 ansible_python_interpreter: /usr/bin/python3
 ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
 product_name: fworch
@@ -82,7 +82,6 @@ api_service_name: fworch-hasura-docker-api
 api_container_name: "{{ product_name }}-api"
 api_ip_address: "127.0.0.1"
 api_web_port: 9443
-#api_hasura_jwt_alg: "HS384"
 api_hasura_jwt_alg: "RS256"
 api_hasura_jwt_secret: "fake-jwt-secret-for-github-install"
 api_uri: "https://{{ api_ip_address }}:{{ api_web_port }}/api/v1/graphql"

diff --git a/inventory/group_vars/apiserver.yml b/inventory/group_vars/apiserver.yml
@@ -6,7 +6,7 @@ api_hasura_admin_test_password: "not4production"
 api_user_email: "{{ api_user }}@{{ api_ip_address }}"
 api_home: "{{ fworch_home }}/api"
 api_hasura_cli_bin: "/usr/local/bin/hasura"
-api_hasura_version: "v1.3.3"
+api_hasura_version: "v2.0.3"
 api_project_name: api
 api_no_metadata: false
 # debug > info > warn > error

diff --git a/inventory/group_vars/testservers.yml b/inventory/group_vars/testservers.yml
@@ -1,3 +1,4 @@
 install_webhook: no
 webhook_install_mode: reinstall
-# webhook_install_mode: upgrade
+# webhook_install_mode: upgrade
+webhook_branch: develop