Use a VM for Ipsilon in prod too

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

inventory/host_vars/db-fas01.iad2.fedoraproject.org

@@ -36,6 +36,9 @@ custom_rules: [
     '-A INPUT -p tcp -m tcp -s 10.3.163.73   --dport 5432 -j ACCEPT',
     # noc01 needs to connect to check the db
     '-A INPUT -p tcp -m tcp -s 10.3.163.10   --dport 5432 -j ACCEPT',
+    # Ipsilon VMs
+    '-A INPUT -p tcp -m tcp -s 10.3.163.105  --dport 5432 -j ACCEPT',
+    '-A INPUT -p tcp -m tcp -s 10.3.163.106  --dport 5432 -j ACCEPT',
 ]
 #
 # Large updates pushes cause lots of db threads doing the tag moves, so up this from default. 

main.yml

@@ -40,6 +40,7 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipsilon.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml

playbooks/groups/ipsilon.yml

@@ -28,14 +28,7 @@
     owner_user: apache
     owner_group: apache
     service: HTTP
-    host: "id.stg.fedoraproject.org"
-    when: env == "staging"
-  - role: keytab/service
-    owner_user: apache
-    owner_group: apache
-    service: HTTP
-    host: "id.fedoraproject.org"
-    when: env == "production"
+    host: "id{{ env_suffix }}.fedoraproject.org"
 
   pre_tasks:
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"
@@ -103,8 +96,7 @@
     ipahbacrule:
       name: ipsilon
       action: member
-      host: centos-ipa-client02.stg.iad2.fedoraproject.org
+      host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}"
       ipaadmin_password: "{{ ipa_admin_password }}"
     tags:
     - ipsilon
-    when: env == "staging"

playbooks/include/proxies-reverseproxy.yml

@@ -223,7 +223,7 @@
     proxyurl: http://localhost:10020
     keephost: true
     tags:
-    - id.fedoraproject.org
+    - sso.fedoraproject.org
     when: env == "staging"
 
   - role: httpd/reverseproxy

roles/haproxy/templates/haproxy.cfg

@@ -264,7 +264,6 @@ backend pps-backend
 
 {% endif %}
 
-{% if env == "staging" %}
 frontend ipsilon-frontend
     bind 0.0.0.0:10020
     default_backend ipsilon-backend
@@ -276,7 +275,6 @@ backend ipsilon-backend
     server  ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2
 {% endif %}
     option httpchk GET /
-{% endif %}
 
 frontend ipa-frontend
     bind 0.0.0.0:10053

roles/ipsilon/tasks/main.yml

@@ -152,7 +152,7 @@
 
 - name: copy ipsilon configuration
   template:
-    src: "ipsilon.conf.{{ env }}"
+    src: "ipsilon.conf"
     dest: "/etc/ipsilon/root/ipsilon.conf"
     owner: ipsilon
     group: ipsilon
@@ -191,7 +191,7 @@
 
 - name: copy ipsilon httpd config
   template:
-    src: "httpd.conf.{{ env }}.j2"
+    src: "httpd.conf.j2"
     dest: /etc/ipsilon/root/idp.conf
   tags:
   - ipsilon

roles/ipsilon/templates/configmap.yml

@@ -94,9 +94,9 @@ data:
     CoreDumpDirectory /tmp
 
     # Ipsilon stuff
-    {{ load_file('httpd.conf.production.j2') | indent() }}
+    {{ load_file('httpd.conf.j2') | indent() }}
   ipsilon.conf: |-
-    {{ load_file('ipsilon.conf.production') | indent() }}
+    {{ load_file('ipsilon.conf') | indent() }}
   configuration.conf: |-
     {{ load_file('configuration.conf') | indent() }}
   openidc.static.cfg: |-

roles/ipsilon/templates/httpd.conf.j2

@@ -0,0 +1,107 @@
+RewriteEngine on
+RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+#Alias /ui /usr/share/ipsilon/ui
+Alias /ui /usr/share/ipsilon/themes/Fedora
+{% if env == "staging" %}
+Alias /.well-known /var/lib/ipsilon/root/public/well-known
+Alias /cache /var/cache/ipsilon
+Redirect /.well-known/webfinger /webfinger
+{% endif %}
+
+# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
+RewriteEngine on
+RewriteMap lowercase int:tolower
+{% if env == "staging" %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% else %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% endif %}
+
+
+WSGIScriptAlias / /usr/libexec/ipsilon
+{% if env == "staging" %}
+WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix run/wsgi
+{% else %}
+WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix /httpdir/run/wsgi
+WSGIRestrictStdout Off
+WSGIRestrictSignal Off
+{% endif %}
+# This header is required to be passed for OIDC client_secret_basic
+WSGIPassAuthorization On
+# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
+# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
+WSGIApplicationGroup %{GLOBAL}
+
+
+<Location />
+    WSGIProcessGroup ipsilon
+</Location>
+
+<Directory /usr/libexec>
+    Require all granted
+</Directory>
+
+<Directory /usr/share/ipsilon>
+    Options +SymLinksIfOwnerMatch
+    Require all granted
+</Directory>
+
+{% if env == "staging" %}
+<Directory /var/lib/ipsilon/root/public/well-known>
+{% else %}
+<Directory /etc/ipsilon/wellknown>
+{% endif %}
+    Require all granted
+</Directory>
+
+<Location /.well-known/browserid>
+    ForceType application/json
+</Location>
+
+<Location /login/gssapi/negotiate>
+    AuthName "GSSAPI Single Sign On Login"
+{% if env == "staging" %}
+    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
+{% else %}
+    GssapiCredStore keytab:/etc/keytabs/service.keytab
+{% endif %}
+    AuthType GSSAPI
+    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+    GssapiSSLonly Off
+    GssapiLocalName on
+    Require valid-user
+    ErrorDocument 401 /login/gssapi/unauthorized
+    ErrorDocument 500 /login/gssapi/failed
+</Location>
+
+{% if env == "staging" %}
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+<Location /login/form>
+  InterceptFormPAMService ipsilon
+  InterceptFormLogin login_name
+  InterceptFormPassword login_password
+  # InterceptFormLoginSkip admin
+  # InterceptFormClearRemoteUserForSkipped on
+  InterceptFormPasswordRedact on
+</Location>
+
+<Directory "/var/cache/ipsilon">
+  SetHandler None
+  AllowOverride None
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    Order Allow,Deny
+    Allow from All
+  </IfModule>
+</Directory>
+{% endif %}

roles/ipsilon/templates/httpd.conf.production.j2

@@ -1,58 +0,0 @@
-RewriteEngine on
-RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
-
-# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
-RewriteEngine on
-RewriteMap lowercase int:tolower
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
-{% else %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
-{% endif %}
-
-
-Alias /ui /usr/share/ipsilon/themes/Fedora
-WSGIScriptAlias / /usr/libexec/ipsilon
-WSGIPassAuthorization On
-WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
-WSGIApplicationGroup %{GLOBAL}
-WSGISocketPrefix /httpdir/run/wsgi
-WSGIRestrictStdout Off
-WSGIRestrictSignal Off
-
-
-<Location />
-    WSGIProcessGroup ipsilon
-</Location>
-
-<Location /login/gssapi/negotiate>
-    AuthName "GSSAPI Single Sign On Login"
-    GssapiCredStore keytab:/etc/keytabs/service.keytab
-    AuthType GSSAPI
-    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
-    GssapiSSLonly Off
-    GssapiLocalName on
-    Require valid-user
-    ErrorDocument 401 /login/gssapi/unauthorized
-    ErrorDocument 500 /login/gssapi/failed
-</Location>
-
-<Directory /usr/libexec>
-    Require all granted
-</Directory>
-
-<Directory /usr/share/ipsilon>
-    Require all granted
-</Directory>
-
-<Directory /etc/ipsilon/wellknown>
-    Require all granted
-</Directory>
-
-<Location /.well-known/browserid>
-    ForceType application/json
-</Location>

roles/ipsilon/templates/httpd.conf.staging.j2

@@ -2,9 +2,11 @@ RewriteEngine on
 RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
 #Alias /ui /usr/share/ipsilon/ui
 Alias /ui /usr/share/ipsilon/themes/Fedora
+{% if env == "staging" %}
 Alias /.well-known /var/lib/ipsilon/root/public/well-known
 Alias /cache /var/cache/ipsilon
 Redirect /.well-known/webfinger /webfinger
+{% endif %}
 
 # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
 RewriteEngine on
@@ -21,15 +23,20 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
 
 
 WSGIScriptAlias / /usr/libexec/ipsilon
+{% if env == "staging" %}
 WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix run/wsgi
+{% else %}
+WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+WSGISocketPrefix /httpdir/run/wsgi
+WSGIRestrictStdout Off
+WSGIRestrictSignal Off
+{% endif %}
 # This header is required to be passed for OIDC client_secret_basic
 WSGIPassAuthorization On
 # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
 # Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
 WSGIApplicationGroup %{GLOBAL}
-WSGISocketPrefix run/wsgi
-#WSGIRestrictStdout Off
-#WSGIRestrictSignal Off
 
 
 <Location />
@@ -45,7 +52,11 @@ WSGISocketPrefix run/wsgi
     Require all granted
 </Directory>
 
+{% if env == "staging" %}
 <Directory /var/lib/ipsilon/root/public/well-known>
+{% else %}
+<Directory /etc/ipsilon/wellknown>
+{% endif %}
     Require all granted
 </Directory>
 
@@ -53,6 +64,35 @@ WSGISocketPrefix run/wsgi
     ForceType application/json
 </Location>
 
+<Location /login/gssapi/negotiate>
+    AuthName "GSSAPI Single Sign On Login"
+{% if env == "staging" %}
+    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
+{% else %}
+    GssapiCredStore keytab:/etc/keytabs/service.keytab
+{% endif %}
+    AuthType GSSAPI
+    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+    GssapiSSLonly Off
+    GssapiLocalName on
+    Require valid-user
+    ErrorDocument 401 /login/gssapi/unauthorized
+    ErrorDocument 500 /login/gssapi/failed
+</Location>
+
+{% if env == "staging" %}
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+<Location /login/form>
+  InterceptFormPAMService ipsilon
+  InterceptFormLogin login_name
+  InterceptFormPassword login_password
+  # InterceptFormLoginSkip admin
+  # InterceptFormClearRemoteUserForSkipped on
+  InterceptFormPasswordRedact on
+</Location>
+
 <Directory "/var/cache/ipsilon">
   SetHandler None
   AllowOverride None
@@ -64,28 +104,4 @@ WSGISocketPrefix run/wsgi
     Allow from All
   </IfModule>
 </Directory>
-
-<Location /login/gssapi/negotiate>
-    AuthName "GSSAPI Single Sign On Login"
-    #GssapiCredStore keytab:/etc/keytabs/service.keytab
-    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
-    AuthType GSSAPI
-    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
-    GssapiSSLonly Off
-    GssapiLocalName on
-    Require valid-user
-    ErrorDocument 401 /login/gssapi/unauthorized
-    ErrorDocument 500 /login/gssapi/failed
-</Location>
-
-LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
-LoadModule authnz_pam_module modules/mod_authnz_pam.so
-
-<Location /login/form>
-  InterceptFormPAMService ipsilon
-  InterceptFormLogin login_name
-  InterceptFormPassword login_password
-  # InterceptFormLoginSkip admin
-  # InterceptFormClearRemoteUserForSkipped on
-  InterceptFormPasswordRedact on
-</Location>
+{% endif %}

roles/ipsilon/templates/ipsilon.conf

@@ -0,0 +1,32 @@
+[global]
+debug = {{ (env == 'production')|ternary('False', 'True') }}
+tools.log_request_response.on = False
+theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
+admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+
+tools.sessions.on = True
+tools.sessions.name = "fedora_ipsilon_session_id"
+tools.sessions.storage_type = "sql"
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+tools.sessions.timeout = 15
+tools.sessions.httponly = True
+tools.sessions.secure = True
+tools.sessions.locking = 'explicit'
+
+tools.proxy.on = True
+tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
+

roles/ipsilon/templates/ipsilon.conf.production

@@ -3,13 +3,17 @@ debug = {{ (env == 'production')|ternary('False', 'True') }}
 tools.log_request_response.on = False
 theme_dir = "/usr/share/ipsilon/themes/Fedora"
 template_dir = "/usr/share/ipsilon/templates"
-
-log.screen = True
 base.dir = "/usr/share/ipsilon"
 {% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
 {% else %}
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
 {% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"

roles/ipsilon/templates/ipsilon.conf.staging

@@ -1,16 +1,20 @@
 [global]
 debug = {{ (env == 'production')|ternary('False', 'True') }}
 tools.log_request_response.on = False
-template_dir = "/usr/share/ipsilon/templates"
 theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
 cache_dir = "/var/cache/ipsilon"
 cleanup_interval = 30
 db.conn.log = False
 db.echo = False
-
 # base.mount = ""
-base.dir = "/usr/share/ipsilon"
 admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
 user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
 transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"