Verified Commit 695c662f authored by p.jbowden's avatar p.jbowden

Expose UoW cloud applications

* Adds traefik to micado ADT for ingress with TLS
* minor changes to environment variables and config script to support
  this feature
parent 7cf42f4b
Pipeline #237322 passed with stages
in 3 minutes and 24 seconds
......@@ -262,7 +262,8 @@ KEYTRAY_AZ_CALL_DISABLED=true
CPABE_SERVER_MODE=dev
CPABE_SERVER_KEYCLOAK_CORS=true
CPABE_SERVER_KECLOAK_URL=${INTERNAL_KEYTRAY_PROTOCOL}://${INTERNAL_KEYTRAY_HOST}:${INTERNAL_KEYTRAY_PORT}/api/v1
CPABE_SERVER_KEYTRAY_URL=${INTERNAL_KEYTRAY_PROTOCOL}://${INTERNAL_KEYTRAY_HOST}:${INTERNAL_KEYTRAY_PORT}/api/v1
CPABE_SERVER_KEYCLOAK_URL=${INTERNAL_KEYCLOAK_AUTH_ENDPOINT}
# --- SSE-CLIENT --- #
......
......@@ -13,7 +13,7 @@
# rendered MiCADO ADT and settings, contains secrets
micado/sleep-sse_openstack.yaml
micado/storage-platform_uow-openstack.yaml
micado/_settings
# Docker creates a /log file which obviously should not persist in git.
......
......@@ -112,12 +112,13 @@ configure-gwdg:
# XNAT needs to use public endpoints on multi-cloud deployments
echo '${KEYCLOAK_BASE_URL}' | sudo tee "$WORK_DIR/.env.d/XNAT_OPENID_USER_AUTH_BASE_URL" > /dev/null
echo '${KEYCLOAK_BASE_URL}' | sudo tee "$WORK_DIR/.env.d/XNAT_OPENID_ACCESS_TOKEN_BASE_URL" > /dev/null
echo \$\{KEYCLOAK_BASE_URL\} | sudo tee "$WORK_DIR/.env.d/XNAT_OPENID_USER_AUTH_BASE_URL" > /dev/null
echo \$\{KEYCLOAK_BASE_URL\} | sudo tee "$WORK_DIR/.env.d/XNAT_OPENID_ACCESS_TOKEN_BASE_URL" > /dev/null
# Use public keytray for CPABE server (for proper e2e testing)
echo '${KEYTRAY_API_URL}' | sudo tee "$WORK_DIR/.env.d/CPABE_SERVER_KEYCLOAK_URL" > /dev/null
echo \$\{KEYCLOAK_AUTH_ENDPOINT\} | sudo tee "$WORK_DIR/.env.d/CPABE_SERVER_KEYCLOAK_URL" > /dev/null
echo \$\{KEYTRAY_API_URL\} | sudo tee "$WORK_DIR/.env.d/CPABE_SERVER_KEYTRAY_URL" > /dev/null
# run configure script
......@@ -129,7 +130,7 @@ configure-gwdg:
--volume $WORK_DIR:/srv \
--workdir /srv \
--env-file ${WORK_DIR}/.env \
jwilder/dockerize dockerize -template micado/sleep-sse_openstack.yaml.tpl:micado/sleep-sse_openstack.yaml
jwilder/dockerize dockerize -template micado/storage-platform_uow-openstack.yaml.tpl:micado/storage-platform_uow-openstack.yaml
start-gwdg:
extends: .run_template
......@@ -181,12 +182,17 @@ start-UoW:
UOW_NFS_SHARE_DIR: "/srv/nfs4/share"
COMMAND: |
echo "$UOW_NFS_SSH_HOST_KEY" | sudo tee "/root/.ssh/known_hosts" > /dev/null
# echo "$UOW_PERSISTANCE_SSH_HOST_KEY" | sudo tee "/root/.ssh/known_hosts" > /dev/null
sudo scp -i ~cloud/.ssh/id_rsa "$WORK_DIR/conf/openid-provider.properties" "$UOW_NFS_SSH_USER@$UOW_NFS_SSH_HOST:$UOW_NFS_SHARE_DIR/conf"
sudo scp -i ~cloud/.ssh/id_rsa "$WORK_DIR/conf/zuul.application.yml" "${UOW_NFS_SSH_USER}@${UOW_NFS_SSH_HOST}:${UOW_NFS_SHARE_DIR}/conf"
sudo scp -i ~cloud/.ssh/id_rsa "$WORK_DIR/conf/zuul.authorization-client.properties" "${UOW_NFS_SSH_USER}@${UOW_NFS_SSH_HOST}:${UOW_NFS_SHARE_DIR}/conf"
sudo scp -i ~cloud/.ssh/id_rsa "$WORK_DIR/certs/common/common-truststore.p12" "${UOW_NFS_SSH_USER}@${UOW_NFS_SSH_HOST}:${UOW_NFS_SHARE_DIR}/certs/common"
sudo scp -i ~cloud/.ssh/id_rsa "$WORK_DIR/certs/abac-server/abac-server-keystore.p12" "${UOW_NFS_SSH_USER}@${UOW_NFS_SSH_HOST}:${UOW_NFS_SHARE_DIR}/certs/abac-server"
sudo scp -i ~cloud/.ssh/id_rsa -r "$WORK_DIR/policies" "${UOW_NFS_SSH_USER}@${UOW_NFS_SSH_HOST}:${UOW_NFS_SHARE_DIR}/policies"
# sudo scp -i cloud/.ssh/id_rsa "WORKDIR/conf/xnat.sql" "${UOW_PERSISTANCE_SSH_USER}@${UOW_PERSISTANCE_SSH_HOST}:/srv/data/xnat-db-docker-entrypoint-initdb.d/001-xnat.sql
cd $WORK_DIR/micado && sudo ./2-delete-beast.sh && sudo ./1-submit-adt.sh
test-gwdg:
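Review bot: In the start-UoW hunk, `abac-server-keystore.p12` at L55 is private key material, and it is copied onto the NFS export with whatever mode scp reproduces from the runner, next to the truststore and policies, with nothing afterwards tightening it; a follow-up `sudo ssh -i ~cloud/.ssh/id_rsa "$UOW_NFS_SSH_USER@$UOW_NFS_SSH_HOST" chmod 600 "$UOW_NFS_SHARE_DIR/certs/abac-server/abac-server-keystore.p12"` (or `umask 077` on the runner before staging the file) keeps it out of reach of other users of the share. The commented-out L50 uses `tee` without `-a`, so if it is ever re-enabled it silently replaces the NFS host key written at L49 rather than adding a second entry — make it `tee -a` or delete the dead line. L57 is likewise dead code and would not work as written (`cloud/.ssh` without `~`, `WORKDIR` without `$`, unbalanced quote); remove it rather than leave it to be uncommented. The COMMAND block of start-UoW begins before the hunk, so whether `set -e` is in force for these scp calls cannot be seen here.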
......
# backup-keycloak.sh
# exports all realms, users, secrets, etc
# based on this stack overflow answer: https://stackoverflow.com/a/60972882
mkdir -pv .tmp
cat <<\EOF > .tmp/docker-exec-cmd.sh
# docker-exec-cmd.sh
set -o errexit
set -o errtrace
set -o nounset
set -o pipefail
# If something goes wrong, this script does not run forever, but times out
TIMEOUT_SECONDS=300
# Logfile for the keycloak export instance
LOGFILE=/tmp/standalone.sh.log
# destionation export file
JSON_EXPORT_FILE=/tmp/realms-export-single-file.json
# Remove files from old backups inside the container
# You could also move the files or change the name with timestamp prefix
rm -f ${LOGFILE} ${JSON_EXPORT_FILE}
# Start a new keycloak instance with exporting options enabled.
# Use the port offset argument to prevent port conflicts
# with the "real" keycloak instance.
timeout ${TIMEOUT_SECONDS}s \
/opt/jboss/keycloak/bin/standalone.sh \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=${JSON_EXPORT_FILE} \
-Djboss.socket.binding.port-offset=99 \
> ${LOGFILE} &
# Grab the keycloak export instance process id
PID="${!}"
# Wait for the export to finish
# It will wait till it sees the string, which indicates
# a successful finished backup.
# If it will take too long (>TIMEOUT_SECONDS), it will be stopped.
timeout ${TIMEOUT_SECONDS}s \
grep -m 1 "Export finished successfully" <(tail -f ${LOGFILE})
# Stop the keycloak export instance
kill ${PID}
EOF
# Copy the export bash script to the (already running) keycloak container
# to perform an export
docker cp .tmp/docker-exec-cmd.sh keycloak:/tmp/docker-exec-cmd.sh
# Execute the script inside of the container
docker exec -it keycloak /tmp/docker-exec-cmd.sh
# Grab the finished export from the container
docker cp keycloak:/tmp/realms-export-single-file.json .
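Review bot: The export pulled out at L107 contains every realm's client secrets and user credential hashes, yet it lands in the current directory with default permissions, the copy left inside the container at `/tmp/realms-export-single-file.json` is never removed, and `.tmp/docker-exec-cmd.sh` is not cleaned up either. Add `umask 077` before the `docker cp` (or `chmod 600 realms-export-single-file.json` after it), follow it with `docker exec keycloak rm -f /tmp/realms-export-single-file.json /tmp/standalone.sh.log`, and make sure the export file name is gitignored. `docker exec -it` at L105 fails when stdin is not a terminal (CI runner, cron), so `-i` alone is the safer choice. No shebang or `set -e` is visible at the top of the outer script, so a failed `docker cp` at L103 still runs the `docker exec` that follows; `#!/usr/bin/env bash` and `set -euo pipefail` on the first lines would match the inner script's own discipline.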
......@@ -194,7 +194,7 @@ while read -r LINE ; do
if ! ( [[ "$KEY" == "#"* ]] || [ -z $(xargs <<< "$KEY") ] ); then
if [ -f "$DIRECTORY/.env.d/$KEY" ]; then
# resolve key's value from /.env.d/
VAL=$(cat "$DIRECTORY/.env.d/$KEY")
VAL=$(cat "$DIRECTORY/.env.d/$KEY" | envsubst)
else
# subsitute variables with previously exported values
VAL=$(cut -d'=' -f2- <<< "$LINE" | envsubst)
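Review bot: Piping every `.env.d/` value through `envsubst` at L113 means any stored value containing a `$` — a generated password, a regex, a signed token — is now rewritten, and references to unset variables are silently replaced with empty strings rather than failing. Since the only values that need this are the public-endpoint references the CI job writes, restrict the substitution to those names, e.g. `VAL=$(envsubst '${KEYCLOAK_BASE_URL} ${KEYCLOAK_AUTH_ENDPOINT} ${KEYTRAY_API_URL}' < "$DIRECTORY/.env.d/$KEY")`, which also drops the needless `cat`. The surrounding `while read` loop starts and ends outside the hunk.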
......
......@@ -7,11 +7,11 @@ services:
environment:
PORT: ${CPABE_SERVER_PORT}
MODE: ${CPABE_SERVER_MODE}
KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_URL: ${CPABE_SERVER_KEYCLOAK_URL}
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_CLIENT: ${KEYCLOAK_CPABE_CLIENT}
KEYCLOAK_SECRET: ${KEYCLOAK_CPABE_CLIENT_SECRET}
KEYTRAY_URL: ${CPABE_SERVER_KECLOAK_URL}
KEYTRAY_URL: ${CPABE_SERVER_KEYTRAY_URL}
KEYCLOAK_CORS: ${CPABE_SERVER_KEYCLOAK_CORS}
expose:
- ${CPABE_SERVER_PORT}
......
......@@ -10,6 +10,7 @@ services:
networks:
- snet-asclepios
volumes:
- ../conf/nginx-proxy.conf:/etc/nginx/proxy.conf
- /var/run/docker.sock:/tmp/docker.sock:ro
networks:
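Review bot: The new `../conf/nginx-proxy.conf` mount at L137 is read-write while the Docker socket on the line below is `:ro`; the proxy only reads its configuration, so `- ../conf/nginx-proxy.conf:/etc/nginx/proxy.conf:ro` keeps a compromised proxy container from rewriting a file that is also tracked in the repo. A one-line comment above the mount saying what `proxy.conf` overrides (the file itself is not in this commit page) would help the next reader.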
......
......@@ -88,7 +88,7 @@ services:
container_name: minio
entrypoint: >
sh -c "mkdir -p /data/snet
&& minio server /data"
&& minio server -console-address ":9001" /data"
environment:
MINIO_ROOT_USER: ${MINIO_ROOT_USER}
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
......@@ -96,8 +96,10 @@ services:
VIRTUAL_PORT: ${INTERNAL_MINIO_PORT}
ports:
- ${INTERNAL_MINIO_PORT}:${INTERNAL_MINIO_PORT}
- 9001:9001
expose:
- ${INTERNAL_MINIO_PORT}
- 9001
networks:
- snet-asclepios
volumes:
......@@ -119,7 +121,7 @@ services:
- ../conf/xnat.sql:/docker-entrypoint-initdb.d/xnat.sql
xnat:
image: registry.gitlab.com/indie-sleep-demo/dockerfiles/somnonetz/snet-xnat-asclepios
image: gitlab.rz.htw-berlin.de:5050/snet-asclepios-demo/dockerfiles/somnonetz/snet-xnat-asclepios:latest
container_name: xnat
environment:
# tomcat web app settings
......@@ -135,7 +137,9 @@ services:
PGPASSWORD: ${XNAT_DATASOURCE_PASSWORD}
# browser client settings
XNAT_API_URL: ${XNAT_API_URL}
KEYCLOAK_HOST: ${KEYCLOAK_BASE_URL}
KEYCLOAK_HOST: ${KEYCLOAK_BASE_URL} # fix me: asclepio-search/index.html needs to use KEYCLOAK_BASE_URL naming convention
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_AUTH_ENDPOINT: ${KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_PUBLIC_CLIENT: ${KEYCLOAK_PUBLIC_CLIENT}
TA_URL: ${SSE_TA_BASE_URL}
SSE_URL: ${SSE_SERVER_BASE_URL}
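Review bot: `- 9001:9001` at L154 publishes the new MinIO console, which logs in with the root credentials from L148–L149, on every host interface, even though this compose file otherwise fronts services through nginx-proxy via `VIRTUAL_PORT`. If the console is only needed locally, bind it to loopback and quote the mapping — `- "127.0.0.1:9001:9001"` — or route it through the proxy and keep only the `expose:` entry; quoting port mappings is also the convention that keeps low `HH:MM`-shaped values from being parsed as sexagesimal integers. The XNAT image reference at L165 switches to a mutable `:latest` tag on a self-hosted registry, so each pull may silently change the build with no record of what ran; pin to a version tag or an immutable `@sha256:` digest.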
......
......@@ -13,6 +13,7 @@ services:
- html:/usr/share/nginx/html
- dhparam:/etc/nginx/dhparam
- certs:/etc/nginx/certs:ro
- ../conf/nginx-proxy.conf:/etc/nginx/proxy.conf
- /var/run/docker.sock:/tmp/docker.sock:ro
networks:
- snet-asclepios
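Review bot: `../conf/nginx-proxy.conf:/etc/nginx/proxy.conf` at L185 is mounted writable, unlike the `certs` and `docker.sock` mounts on the neighbouring lines; the proxy has no reason to modify its own config, so append `:ro` here as well. The same mount is added to a second compose file in this commit, so both should carry the flag.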
......
......@@ -25,4 +25,5 @@ if [ -z "$SSL_PASS" ]; then
fi
echo "Submitting Sleep to MiCADO at $MICADO_MASTER with appid \"$APP_ID\"..."
curl --insecure -s -F adt=@"$ADT_FILENAME" -X POST -u "$SSL_USER":"$SSL_PASS" https://$MICADO_MASTER:$MICADO_PORT/toscasubmitter/v2.0/applications/$APP_ID/ | jq .
curl --insecure -s -F adt=@"$ADT_FILENAME" -X POST -u "$SSL_USER":"$SSL_PASS" https://$MICADO_MASTER:$MICADO_PORT/toscasubmitter/v2.0/applications/$APP_ID/ | jq .message | grep "Application asclepios-sleep successfully deployed"
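Review bot: The new line keeps `curl --insecure` while sending the MiCADO credentials from `-u "$SSL_USER":"$SSL_PASS"`, so the submitter's basic-auth password goes to whatever answers at `$MICADO_MASTER` with no certificate check; point curl at the master's CA instead (`--cacert "$MICADO_CA_CERT"`) or at least pin with `--pinnedpubkey`. The success check hard-codes `asclepios-sleep` although the request is submitted for `$APP_ID`, so deploying under another id fails the step — `grep -q "Application $APP_ID successfully deployed"` keeps the two in sync. With `-s` and the trailing `grep`, a non-JSON error body (auth failure, 5xx) only shows up as a silent non-match; `-sS` keeps curl's own error text in the job log.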
......@@ -21,10 +21,13 @@ dsl_definitions:
network_id: c4a7ce20-5f68-4f48-9deb-3c2c6b52f397
config_drive: true
key_name: james-htw-key
floating_ip_pool: public_net
floating_ip: 161.74.31.91
security_groups:
- 94fa5200-7e4f-4e18-9df7-efb75e2c1d5e #MiCADO-worker UOW ONLY
- d2ad0c7c-5f3a-4732-a04a-3885b5e5866a #default
- 34cacbf2-d367-42e8-8edd-c567906fc231 #ports
- fc6dabe0-a886-4fd0-a936-4bb3beb93b87 #public ports
context:
insert: true
cloud_config: |
......@@ -51,31 +54,159 @@ topology_template:
# Application Server
application-server: *compute_cloud_with_nfs
app-server-gateway:
traefik:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
image: nginxproxy/nginx-proxy
name: app-server-gateway
image: traefik:1.7
ports:
- containerPort: 80
hostPort: 80
- containerPort: 443
hostPort: 443
args:
- --api
- --kubernetes
- --logLevel=INFO
- --defaultentrypoints=http,https
- --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
- --entrypoints=Name:https Address::443 TLS
requirements:
- host: application-server
interfaces:
Kubernetes:
create:
inputs:
metadata:
namespace: kube-system
spec:
template:
spec:
serviceAccountName: traefik-ingress
terminationGracePeriodSeconds: 60
issuer:
type: tosca.nodes.MiCADO.Kubernetes
interfaces:
Kubernetes:
create:
inputs:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: bowden@htw-berlin.de
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: traefik
certificate:
type: tosca.nodes.MiCADO.Kubernetes
interfaces:
Kubernetes:
create:
inputs:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: snet-apps.com
spec:
secretName: snet-apps.com-tls
issuerRef:
name: letsencrypt
kind: ClusterIssuer
commonName: snet-apps.com
dnsNames:
- snet-apps.com
- zuul.snet-apps.com
- xnat.snet-apps.com
- minio.snet-apps.com
ingress:
type: tosca.nodes.MiCADO.Kubernetes
interfaces:
Kubernetes:
create:
inputs:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-ingress
annotations:
kubernetes.io/ingress.class: traefik
cert-manager.io/cluster-issuer: letsencrypt
spec:
rules:
- host: snet-apps.com
http:
paths:
- backend:
serviceName: landing
servicePort: 80
- host: xnat.snet-apps.com
http:
paths:
- backend:
serviceName: xnat
servicePort: 8080
- host: zuul.snet-apps.com
http:
paths:
- backend:
serviceName: abac-zuul-proxy
servicePort: 80
- host: minio.snet-apps.com
http:
paths:
- backend:
serviceName: minio-gateway
servicePort: 9000
tls:
- hosts:
- snet-apps.com
- zuul.snet-apps.com
- xnat.snet-apps.com
- minio.snet-apps.com
secretName: snet-apps.com-tls
landing:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
image: nginx:latest
ports:
- port: 80
- port: 443
requirements:
- host: application-server
- volume:
node: docker-socket-vol
relationship:
type: tosca.relationships.AttachesTo
properties:
location: /tmp/docker.sock
docker-socket-vol:
type: tosca.nodes.MiCADO.Container.Volume.HostPath
minio-gateway:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
path: /var/run/docker.sock
image: minio/minio
command:
- /bin/bash
- -c
- minio gateway s3 http://minio-s3-server:9000
env:
- name: MINIO_ROOT_USER
value: "{{ .Env.MINIO_ROOT_USER }}"
- name: MINIO_ROOT_PASSWORD
value: "{{ .Env.MINIO_ROOT_PASSWORD }}"
ports:
- port: {{ .Env.INTERNAL_MINIO_PORT }}
- containerPort: {{ .Env.INTERNAL_MINIO_PORT }}
requirements:
- host: application-server
xnat:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
image: registry.gitlab.com/indie-sleep-demo/dockerfiles/somnonetz/snet-xnat-asclepios
image: gitlab.rz.htw-berlin.de:5050/snet-asclepios-demo/dockerfiles/somnonetz/snet-xnat-asclepios:latest
env:
- name: XNAT_ROOT
value: "{{ .Env.XNAT_ROOT }}"
......@@ -101,6 +232,16 @@ topology_template:
value: "{{ .Env.XNAT_API_URL }}"
- name: KEYCLOAK_HOST
value: "{{ .Env.KEYCLOAK_BASE_URL }}"
- name: KEYCLOAK_REALM
value: "{{ .Env.KEYCLOAK_REALM }}"
- name: KEYCLOAK_AUTH_ENDPOINT
value: "{{ .Env.KEYCLOAK_AUTH_ENDPOINT }}"
- name: KEYCLOAK_PUBLIC_CLIENT
value: "{{ .Env.KEYCLOAK_PUBLIC_CLIENT }}"
- name: XNAT_OPENID_ACCESS_TOKEN_BASE_URL
value: "{{ .Env.XNAT_OPENID_ACCESS_TOKEN_BASE_URL }}"
- name: XNAT_OPENID_USER_AUTH_BASE_URL
value: "{{ .Env.XNAT_OPENID_USER_AUTH_BASE_URL }}"
- name: TA_URL
value: "{{ .Env.SSE_TA_BASE_URL }}"
- name: SSE_URL
......@@ -141,12 +282,9 @@ topology_template:
value: "{{ .Env.SSE_CLIENT_AUTH }}"
- name: SMALL_FILE
value: "{{ .Env.SSE_CLIENT_SMALL_FILE }}"
- name: VIRTUAL_HOST
value: "{{ .Env.XNAT_HOST }}"
- name: VIRTUAL_PORT
value: "{{ .Env.INTERNAL_XNAT_PORT }}"
ports:
- port: {{ .Env.INTERNAL_XNAT_PORT }}
- containerPort: {{ .Env.INTERNAL_XNAT_PORT }}
requirements:
- host: application-server
- volume:
......@@ -162,7 +300,7 @@ topology_template:
server: 10.255.230.92
path: /share/conf
sse:
sse-server:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
image: registry.gitlab.com/asclepios-project/symmetric-searchable-encryption-server:0.6
......@@ -203,6 +341,7 @@ topology_template:
value: "{{ .Env.SSE_SERVER_MINIO_EXPIRE_PUT }}"
ports:
- port: {{ .Env.INTERNAL_SSE_SERVER_PORT }}
- containerPort: {{ .Env.INTERNAL_SSE_SERVER_PORT }}
requirements:
- host: application-server
......@@ -242,7 +381,8 @@ topology_template:
- name: SGX
value: "{{ .Env.SSE_TA_SGX }}"
ports:
- port: {{ .Env.INTERNAL_SSE_TA_DB_PORT }}
- port: {{ .Env.INTERNAL_SSE_TA_PORT }}
- containerPort: {{ .Env.INTERNAL_SSE_TA_PORT }}
requirements:
- host: application-server
......@@ -277,12 +417,9 @@ topology_template:
value: "{{ .Env.KEYCLOAK_REALM }}"
- name: KEYCLOAK_RESOURCE
value: "{{ .Env.KEYCLOAK_PUBLIC_CLIENT }}"
- name: VIRTUAL_HOST
value: "{{ .Env.ZUUL_HOST }}"
- name: VIRTUAL_PORT
value: "{{ .Env.INTERNAL_ZUUL_PORT }}"
ports:
- port: {{ .Env.INTERNAL_ZUUL_PORT }}
- containerPort: {{ .Env.INTERNAL_ZUUL_PORT }}
requirements:
- host: application-server
- volume:
......@@ -352,6 +489,7 @@ topology_template:
value: "{{ .Env.INTERNAL_ABAC_SERVER_PORT }}"
ports:
- port: {{ .Env.INTERNAL_ABAC_SERVER_PORT }}
- containerPort: {{ .Env.INTERNAL_ABAC_SERVER_PORT }}
requirements:
- host: application-server
- volume:
......@@ -481,7 +619,7 @@ topology_template:
node: sleep-persistence
path: /srv/data/sse-ta-db
minio:
minio-s3-server:
type: tosca.nodes.MiCADO.Container.Application.Docker.Deployment
properties:
image: minio/minio
......@@ -494,12 +632,9 @@ topology_template:
value: "{{ .Env.MINIO_ROOT_USER }}"
- name: MINIO_ROOT_PASSWORD
value: "{{ .Env.MINIO_ROOT_PASSWORD }}"
- name: VIRTUAL_HOST
value: "{{ .Env.MINIO_HOST }}"
- name: VIRTUAL_PORT
value: "{{ .Env.INTERNAL_MINIO_PORT }}"
ports:
- port: {{ .Env.INTERNAL_MINIO_PORT }}
- containerPort: {{ .Env.INTERNAL_MINIO_PORT }}
requirements:
- volume:
node: minio-dir
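Review bot: `--api` at L225 enables Traefik 1.7's dashboard and REST API with no authentication configured, and since the pod runs in `kube-system` with the `traefik-ingress` service account it is reachable from any other pod (and from outside if the new "public ports" security group opens 8080), disclosing every route and backend; either drop `--api` or bind it to an entrypoint that carries basic auth (`--api.entryPoint=admin` with `--entrypoints=Name:admin Address::8081 Auth.Basic.Users:…`). Traefik 1.7 is end-of-life and the Ingress at L291 uses `extensions/v1beta1`, which newer clusters no longer serve, so the pair should be planned for replacement rather than extended. The rendered view does not make clear which side the `docker-socket-vol` requirement at L340–L347 belongs to; if the `landing` nginx deployment still attaches `/var/run/docker.sock`, remove it, since a static page has no use for a socket that is root-equivalent on the host. The Ingress hard-codes backend ports (`servicePort: 8080` at L311, `9000` at L323) while the deployments take theirs from `{{ .Env.INTERNAL_XNAT_PORT }}` and `{{ .Env.INTERNAL_MINIO_PORT }}`, so an .env change silently breaks routing — use the same template values in the Ingress. The `traefik-ingress` ServiceAccount and its RBAC are not defined anywhere in this section; if they live elsewhere, a comment next to L242 naming that location would help.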
......
  • ilka.schulz @ilka.schulz

    mentioned in issue #4 (closed)

    By James Bowden on 2021-09-27T08:52:21 (imported from GitLab)

    ·

    mentioned in issue #4 (closed)

    By James Bowden on 2021-09-27T08:52:21 (imported from GitLab)
