From b8e6754f97c9cea4b2f75b34439aeece30e6f5b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 22 Mar 2021 17:07:45 +0100 Subject: [PATCH] Use a VM for Ipsilon in prod too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- .../host_vars/db-fas01.iad2.fedoraproject.org | 3 + main.yml | 1 + playbooks/groups/ipsilon.yml | 12 +- playbooks/include/proxies-reverseproxy.yml | 2 +- roles/haproxy/templates/haproxy.cfg | 2 - roles/ipsilon/tasks/main.yml | 4 +- roles/ipsilon/templates/configmap.yml | 4 +- roles/ipsilon/templates/httpd.conf.j2 | 107 ++++++++++++++++++ .../templates/httpd.conf.production.j2 | 58 ---------- roles/ipsilon/templates/httpd.conf.staging.j2 | 72 +++++++----- roles/ipsilon/templates/ipsilon.conf | 32 ++++++ .../ipsilon/templates/ipsilon.conf.production | 8 +- roles/ipsilon/templates/ipsilon.conf.staging | 10 +- 13 files changed, 207 insertions(+), 108 deletions(-) create mode 100644 roles/ipsilon/templates/httpd.conf.j2 delete mode 100644 roles/ipsilon/templates/httpd.conf.production.j2 create mode 100644 roles/ipsilon/templates/ipsilon.conf
diff --git a/inventory/host_vars/db-fas01.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.iad2.fedoraproject.org
index 9511809b56..1311c595a7 100644
--- a/inventory/host_vars/db-fas01.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.iad2.fedoraproject.org
@@ -36,6 +36,9 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.3.163.73 --dport 5432 -j ACCEPT',
# noc01 needs to connect to check the db
'-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT',
+ # Ipsilon VMs
+ '-A INPUT -p tcp -m tcp -s 10.3.163.105 --dport 5432 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.3.163.106 --dport 5432 -j ACCEPT',
]
#
# Large updates pushes cause lots of db threads doing the tag moves, so up this from default.
diff --git a/main.yml b/main.yml
index cc2f46780d..fe98bd1b9b 100644
--- a/main.yml
+++ b/main.yml
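Review bot: The two new ACCEPT rules for 10.3.163.105 and 10.3.163.106 describe the peers only as "Ipsilon VMs", whereas the neighbouring rule names its host (noc01), so nobody can later tell which rule to drop when one of the VMs is retired or re-addressed. I would name them in the comment, e.g. `# ipsilon01 / ipsilon02 (Ipsilon VMs) need the prefs/transactions/sessions databases`; the hostnames are my guess from the haproxy backend names elsewhere in this patch, so confirm them against inventory. The `custom_rules` list this extends begins outside the hunk.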
@@ -40,6 +40,7 @@
- import_playbook: /srv/web/infra/ansible/playbooks/groups/github2fedmsg.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/gnome-backups.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipa.yml
+- import_playbook: /srv/web/infra/ansible/playbooks/groups/ipsilon.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kerneltest.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/koji-hub.yml
- import_playbook: /srv/web/infra/ansible/playbooks/groups/kojipkgs.yml
diff --git a/playbooks/groups/ipsilon.yml b/playbooks/groups/ipsilon.yml
index c254db8067..dc27855a82 100644
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@@ -28,14 +28,7 @@
owner_user: apache
owner_group: apache
service: HTTP
- host: "id.stg.fedoraproject.org"
- when: env == "staging"
- - role: keytab/service
- owner_user: apache
- owner_group: apache
- service: HTTP
- host: "id.fedoraproject.org"
- when: env == "production"
+ host: "id{{ env_suffix }}.fedoraproject.org"
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
@@ -103,8 +96,7 @@
ipahbacrule:
name: ipsilon
action: member
- host: centos-ipa-client02.stg.iad2.fedoraproject.org
+ host: "{{ (env == 'production')|ternary('ipsilon.iad2.centos.org', 'centos-ipa-client02.stg.iad2.fedoraproject.org') }}"
ipaadmin_password: "{{ ipa_admin_password }}"
tags:
- ipsilon
- when: env == "staging"
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 98085cf5a0..eeb54ce409 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -223,7 +223,7 @@
proxyurl: http://localhost:10020
keephost: true
tags:
- - id.fedoraproject.org
+ - sso.fedoraproject.org
when: env == "staging"
- role: httpd/reverseproxy
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 84b5708ec1..23c40a76fd 100644
--- a/roles/haproxy/templates/haproxy.cfg
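Review bot: The HBAC member host in the `ipahbacrule` task is now an inline `ternary` on `env`, which hides that production enrols a host from a different domain (`ipsilon.iad2.centos.org`) than staging does, and that with the `when` guard gone the rule is now touched on every production run. A per-environment variable reads better and is easier to audit, e.g. `host: "{{ ipsilon_hbac_client_host }}"` with the two values set in the staging and production group vars, plus a task comment saying why the CentOS Ipsilon host needs membership in the `ipsilon` HBAC rule (presumably so that instance can authenticate users against this IPA; confirm). The `ipahbacrule` task and the enclosing play begin outside the hunk.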
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -264,7 +264,6 @@ backend pps-backend
{% endif %}
-{% if env == "staging" %}
frontend ipsilon-frontend
bind 0.0.0.0:10020
default_backend ipsilon-backend
@@ -276,7 +275,6 @@ backend ipsilon-backend
server ipsilon02 ipsilon02:80 check inter 10s rise 1 fall 2
{% endif %}
option httpchk GET /
-{% endif %}
frontend ipa-frontend
bind 0.0.0.0:10053
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 13db3964d9..765439c5bb 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -152,7 +152,7 @@
- name: copy ipsilon configuration
template:
- src: "ipsilon.conf.{{ env }}"
+ src: "ipsilon.conf"
dest: "/etc/ipsilon/root/ipsilon.conf"
owner: ipsilon
group: ipsilon
@@ -191,7 +191,7 @@
- name: copy ipsilon httpd config
template:
- src: "httpd.conf.{{ env }}.j2"
+ src: "httpd.conf.j2"
dest: /etc/ipsilon/root/idp.conf
tags:
- ipsilon
diff --git a/roles/ipsilon/templates/configmap.yml b/roles/ipsilon/templates/configmap.yml
index 677d61226e..c90aba099e 100644
--- a/roles/ipsilon/templates/configmap.yml
+++ b/roles/ipsilon/templates/configmap.yml
@@ -94,9 +94,9 @@ data:
CoreDumpDirectory /tmp
# Ipsilon stuff
- {{ load_file('httpd.conf.production.j2') | indent() }}
+ {{ load_file('httpd.conf.j2') | indent() }}
ipsilon.conf: |-
- {{ load_file('ipsilon.conf.production') | indent() }}
+ {{ load_file('ipsilon.conf') | indent() }}
configuration.conf: |-
{{ load_file('configuration.conf') | indent() }}
openidc.static.cfg: |-
diff --git a/roles/ipsilon/templates/httpd.conf.j2 b/roles/ipsilon/templates/httpd.conf.j2
new file mode 100644
index 0000000000..db5293aa6b
--- /dev/null
+++ b/roles/ipsilon/templates/httpd.conf.j2
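Review bot: With the staging guard removed, `bind 0.0.0.0:10020` now exposes the Ipsilon frontend on every interface of the production proxies, while the only consumer visible in this patch is the local reverse proxy (`proxyurl: http://localhost:10020`) and the leg from this frontend to `ipsilon02:80` is plain HTTP. Unless another host is meant to reach it, `bind 127.0.0.1:10020` narrows that surface without changing anything for httpd; if the wide bind is deliberate (the neighbouring `ipa-frontend` uses it too), a comment such as `# reached only via the local httpd reverseproxy; 10020 is not opened in iptables` would record the assumption, since I cannot see the proxies' firewall rules from here. The `frontend`/`backend` stanzas continue outside the hunk.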
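Review bot: The `copy ipsilon configuration` task now writes a file that embeds `ipsilon_db_pass` three times (see the new `ipsilon.conf` template), but the hunk only shows `owner: ipsilon` and `group: ipsilon`; the task continues outside the hunk, so if no `mode:` follows, add `mode: "0640"` so the database credentials are not left world-readable under the template module's default umask-derived mode. Note also that the non-staging branch of `httpd.conf.j2` starts the WSGI daemon without `user=ipsilon`, so an ipsilon-owned 0640 file is only readable by the application if the daemon really runs as that account; the two settings need to be checked together.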
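Review bot: `{{ load_file('ipsilon.conf') | indent() }}` embeds the rendered `ipsilon.conf`, whose `user.prefs.db`, `transactions.db` and `tools.sessions.storage_dburi` lines carry the PostgreSQL password in clear, into a ConfigMap rather than a Secret, so anyone with `get configmaps` in that namespace reads the credential and none of the Secret-specific RBAC or at-rest protections apply. This predates the commit, but since the template is being unified now is the moment to either render `ipsilon.conf` into a `Secret` or keep the three connection URIs in a separately mounted secret file. The ConfigMap's `data:` block begins outside the hunk.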
@@ -0,0 +1,107 @@ +RewriteEngine on +RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] +#Alias /ui /usr/share/ipsilon/ui +Alias /ui /usr/share/ipsilon/themes/Fedora +{% if env == "staging" %} +Alias /.well-known /var/lib/ipsilon/root/public/well-known +Alias /cache /var/cache/ipsilon +Redirect /.well-known/webfinger /webfinger +{% endif %} + +# This is for mapping $username.id.fp.o -> id.fp.o/id/$username +RewriteEngine on +RewriteMap lowercase int:tolower +{% if env == "staging" %} +RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$ +RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] +RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT] +{% else %} +RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$ +RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] +RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT] +{% endif %} + + +WSGIScriptAlias / /usr/libexec/ipsilon +{% if env == "staging" %} +WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000 +WSGISocketPrefix run/wsgi +{% else %} +WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 +WSGISocketPrefix /httpdir/run/wsgi +WSGIRestrictStdout Off +WSGIRestrictSignal Off +{% endif %} +# This header is required to be passed for OIDC client_secret_basic +WSGIPassAuthorization On +# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails +# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190 +WSGIApplicationGroup %{GLOBAL} + + + + WSGIProcessGroup ipsilon + + + + Require all granted + + + + Options +SymLinksIfOwnerMatch + Require all granted + + +{% if env == "staging" %} + +{% else %} + +{% endif %} + Require all granted + + + + ForceType application/json + + + + AuthName "GSSAPI Single Sign On Login" 
+{% if env == "staging" %} + GssapiCredStore keytab:/etc/httpd/conf/http.keytab +{% else %} + GssapiCredStore keytab:/etc/keytabs/service.keytab +{% endif %} + AuthType GSSAPI + # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS + GssapiSSLonly Off + GssapiLocalName on + Require valid-user + ErrorDocument 401 /login/gssapi/unauthorized + ErrorDocument 500 /login/gssapi/failed + + +{% if env == "staging" %} +LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so +LoadModule authnz_pam_module modules/mod_authnz_pam.so + + + InterceptFormPAMService ipsilon + InterceptFormLogin login_name + InterceptFormPassword login_password + # InterceptFormLoginSkip admin + # InterceptFormClearRemoteUserForSkipped on + InterceptFormPasswordRedact on + + + + SetHandler None + AllowOverride None + + Require all granted + + + Order Allow,Deny + Allow from All + + +{% endif %} diff --git a/roles/ipsilon/templates/httpd.conf.production.j2 b/roles/ipsilon/templates/httpd.conf.production.j2 deleted file mode 100644 index bc5c465870..0000000000 --- a/roles/ipsilon/templates/httpd.conf.production.j2 +++ /dev/null 
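Review bot: The non-staging branch `WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000` sets no `user=`/`group=`, so on the production VM this commit introduces the Ipsilon application runs as the httpd user rather than the dedicated `ipsilon` account used in staging (and which `tasks/main.yml` makes the owner of ipsilon.conf); `WSGISocketPrefix /httpdir/run/wsgi` and `WSGIRestrictStdout/Signal Off` look like leftovers of the OpenShift layout as well. Because the same `else` branch is also what `configmap.yml` renders, I would gate the container-specific lines on a dedicated role variable instead of `env` and give the VM case `WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000` as in staging. Likewise the production `GssapiCredStore keytab:/etc/keytabs/service.keytab` should be checked against where the `keytab/service` role in `playbooks/groups/ipsilon.yml` actually installs the HTTP keytab on the VM; that path is not visible here.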
@@ -1,58 +0,0 @@ -RewriteEngine on -RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] - -# This is for mapping $username.id.fp.o -> id.fp.o/id/$username -RewriteEngine on -RewriteMap lowercase int:tolower -{% if env == "staging" %} -RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$ -RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] -RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT] -{% else %} -RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$ -RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] -RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT] -{% endif %} - - -Alias /ui /usr/share/ipsilon/themes/Fedora -WSGIScriptAlias / /usr/libexec/ipsilon -WSGIPassAuthorization On -WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 -WSGIApplicationGroup %{GLOBAL} -WSGISocketPrefix /httpdir/run/wsgi -WSGIRestrictStdout Off -WSGIRestrictSignal Off - - - - WSGIProcessGroup ipsilon - - - - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore keytab:/etc/keytabs/service.keytab - AuthType GSSAPI - # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS - GssapiSSLonly Off - GssapiLocalName on - Require valid-user - ErrorDocument 401 /login/gssapi/unauthorized - ErrorDocument 500 /login/gssapi/failed - - - - Require all granted - - - - Require all granted - - - - Require all granted - - - - ForceType application/json - diff --git a/roles/ipsilon/templates/httpd.conf.staging.j2 b/roles/ipsilon/templates/httpd.conf.staging.j2 index d7f6a3992a..db5293aa6b 100644 --- a/roles/ipsilon/templates/httpd.conf.staging.j2 +++ b/roles/ipsilon/templates/httpd.conf.staging.j2 
@@ -2,9 +2,11 @@ RewriteEngine on RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] #Alias /ui /usr/share/ipsilon/ui Alias /ui /usr/share/ipsilon/themes/Fedora +{% if env == "staging" %} Alias /.well-known /var/lib/ipsilon/root/public/well-known Alias /cache /var/cache/ipsilon Redirect /.well-known/webfinger /webfinger +{% endif %} # This is for mapping $username.id.fp.o -> id.fp.o/id/$username RewriteEngine on @@ -21,15 +23,20 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT] WSGIScriptAlias / /usr/libexec/ipsilon +{% if env == "staging" %} WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000 +WSGISocketPrefix run/wsgi +{% else %} +WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 +WSGISocketPrefix /httpdir/run/wsgi +WSGIRestrictStdout Off +WSGIRestrictSignal Off +{% endif %} # This header is required to be passed for OIDC client_secret_basic WSGIPassAuthorization On # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails # Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190 WSGIApplicationGroup %{GLOBAL} -WSGISocketPrefix run/wsgi -#WSGIRestrictStdout Off -#WSGIRestrictSignal Off @@ -45,7 +52,11 @@ WSGISocketPrefix run/wsgi Require all granted +{% if env == "staging" %} +{% else %} + +{% endif %} Require all granted 
@@ -53,6 +64,35 @@ WSGISocketPrefix run/wsgi ForceType application/json + + AuthName "GSSAPI Single Sign On Login" +{% if env == "staging" %} + GssapiCredStore keytab:/etc/httpd/conf/http.keytab +{% else %} + GssapiCredStore keytab:/etc/keytabs/service.keytab +{% endif %} + AuthType GSSAPI + # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS + GssapiSSLonly Off + GssapiLocalName on + Require valid-user + ErrorDocument 401 /login/gssapi/unauthorized + ErrorDocument 500 /login/gssapi/failed + + +{% if env == "staging" %} +LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so +LoadModule authnz_pam_module modules/mod_authnz_pam.so + + + InterceptFormPAMService ipsilon + InterceptFormLogin login_name + InterceptFormPassword login_password + # InterceptFormLoginSkip admin + # InterceptFormClearRemoteUserForSkipped on + InterceptFormPasswordRedact on + + SetHandler None AllowOverride None @@ -64,28 +104,4 @@ WSGISocketPrefix run/wsgi Allow from All - - - AuthName "GSSAPI Single Sign On Login" - #GssapiCredStore keytab:/etc/keytabs/service.keytab - GssapiCredStore keytab:/etc/httpd/conf/http.keytab - AuthType GSSAPI - # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS - GssapiSSLonly Off - GssapiLocalName on - Require valid-user - ErrorDocument 401 /login/gssapi/unauthorized - ErrorDocument 500 /login/gssapi/failed - - -LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so -LoadModule authnz_pam_module modules/mod_authnz_pam.so - - - InterceptFormPAMService ipsilon - InterceptFormLogin login_name - InterceptFormPassword login_password - # InterceptFormLoginSkip admin - # InterceptFormClearRemoteUserForSkipped on - InterceptFormPasswordRedact on - +{% endif %} diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf new file mode 100644 index 0000000000..bcb7c3261a --- /dev/null 
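Review bot: After this commit `httpd.conf.staging.j2` is byte-identical to the new `httpd.conf.j2` (both are blob `db5293aa6b`) yet nothing references it any more, since `roles/ipsilon/tasks/main.yml` now loads `httpd.conf.j2` unconditionally; the same holds for `ipsilon.conf.production` and `ipsilon.conf.staging` (blob `bcb7c3261a`, identical to `ipsilon.conf`). Leaving the copies in place means a future edit to the wrong file is silently ignored and the two can drift, so I would delete them in this commit the way `httpd.conf.production.j2` was deleted. If they must stay for a transition, a one-line header `{# unused: superseded by httpd.conf.j2, remove after the prod VM cut-over #}` would at least warn the next editor.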
+++ b/roles/ipsilon/templates/ipsilon.conf
@@ -0,0 +1,32 @@
+[global]
+debug = {{ (env == 'production')|ternary('False', 'True') }}
+tools.log_request_response.on = False
+theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
+admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
+
+tools.sessions.on = True
+tools.sessions.name = "fedora_ipsilon_session_id"
+tools.sessions.storage_type = "sql"
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
+tools.sessions.timeout = 15
+tools.sessions.httponly = True
+tools.sessions.secure = True
+tools.sessions.locking = 'explicit'
+
+tools.proxy.on = True
+tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
+
diff --git a/roles/ipsilon/templates/ipsilon.conf.production b/roles/ipsilon/templates/ipsilon.conf.production
index 79325e4ab4..bcb7c3261a 100644
--- a/roles/ipsilon/templates/ipsilon.conf.production
+++ b/roles/ipsilon/templates/ipsilon.conf.production
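Review bot: The three `postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@...` URIs splice the password into a URL unescaped, so a password containing `@`, `/`, `:`, `#` or `%` either breaks the URI or changes which host and database the connection goes to; render it as `{{ ipsilon_db_pass | urlencode }}` (and the user likewise) in `user.prefs.db`, `transactions.db` and `tools.sessions.storage_dburi`. Since this one file is now rendered both onto the VM and into the OpenShift ConfigMap, a short header comment stating that it carries live database credentials and must be deployed with restricted permissions would help whoever copies it next.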
@@ -3,13 +3,17 @@ debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False
theme_dir = "/usr/share/ipsilon/themes/Fedora"
template_dir = "/usr/share/ipsilon/templates"
-
-log.screen = True
base.dir = "/usr/share/ipsilon"
{% if env == 'staging' %}
+cache_dir = "/var/cache/ipsilon"
+cleanup_interval = 30
+db.conn.log = False
+db.echo = False
+# base.mount = ""
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
{% else %}
admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
diff --git a/roles/ipsilon/templates/ipsilon.conf.staging b/roles/ipsilon/templates/ipsilon.conf.staging
index f80a4311ed..bcb7c3261a 100644
--- a/roles/ipsilon/templates/ipsilon.conf.staging
+++ b/roles/ipsilon/templates/ipsilon.conf.staging
@@ -1,16 +1,20 @@
[global]
debug = {{ (env == 'production')|ternary('False', 'True') }}
tools.log_request_response.on = False
-template_dir = "/usr/share/ipsilon/templates"
theme_dir = "/usr/share/ipsilon/themes/Fedora"
+template_dir = "/usr/share/ipsilon/templates"
+base.dir = "/usr/share/ipsilon"
+{% if env == 'staging' %}
cache_dir = "/var/cache/ipsilon"
cleanup_interval = 30
db.conn.log = False
db.echo = False
-
# base.mount = ""
-base.dir = "/usr/share/ipsilon"
admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
+{% else %}
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+log.screen = True
+{% endif %}
user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"