From 547eb73d6c758fc2dd3997bec9457af5beee3c5a Mon Sep 17 00:00:00 2001
From: William Petit
Date: Wed, 25 Oct 2023 11:38:08 +0200
Subject: [PATCH] feat: modularize playbook with tags
---
 defaults/main.yml | 5 ++++-
 handlers/main.yml | 9 ++++++++
 tasks/install-hydra.yml | 40 +++++++++++++++++++++++++++++++++
 tasks/main.yml | 48 ++++++++++++++++++----------------
 templates/haproxy.cfg.j2 | 7 +++++-
 5 files changed, 81 insertions(+), 28 deletions(-)
 create mode 100644 tasks/install-hydra.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index fa6d496..7848ca3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+install_only: false
+
 # cadoles-pod repository configuration
 cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
 cadoles_pod_debian_repository: bullseye-dev
@@ -15,7 +17,7 @@ cadoles_pod_hydra_oidc_v1_package_version: '*'
 cadoles_pod_hydra_ldap_v1_package_version: '*'
 # Hydra database configuration
-hydra_use_external_database: no
+hydra_use_external_database: false
 hydra_database_name: hydra
 hydra_database_user: hydra
 hydra_database_password: hydra
@@ -61,6 +63,7 @@ hydra_clients:
 # Hydra dispatcher configuration
+enable_hydra_dispatcher: true
 hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}"
 hydra_dispatcher_debug: no
 hydra_dispatcher_admin_authorized_hosts:
diff --git a/handlers/main.yml b/handlers/main.yml
index 5834f76..02d9c72 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
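Review bot: `install_only` is added without a comment saying what it switches off, so a reader of defaults/main.yml has to trace it through handlers/main.yml and tasks/main.yml to learn that it only suppresses the restart/reload handlers and the OIDC test-app includes, while the install tasks still start services. Suggest `# When true, install packages and write configuration but skip service restarts, the hydra client reload and the OIDC test app` above `install_only: false`. The same gap applies to `enable_hydra_dispatcher` in the third hunk of this file; a line such as `# When false, HAProxy no longer routes to hydra-dispatcher (the package is still installed by tasks/main.yml)` would state what it actually controls.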
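Review bot: `enable_hydra_dispatcher: true` is written as a YAML 1.2 boolean, but `hydra_dispatcher_debug: no` directly below it still uses the 1.1 form that the second hunk of this file just replaced for `hydra_use_external_database`; the `update_cache: yes` lines in tasks/install-hydra.yml and tasks/main.yml have the same inconsistency. Finishing the conversion in this commit (`hydra_dispatcher_debug: false`, `update_cache: true`) keeps every boolean in the role in one form and clears the yamllint `truthy` warning rather than fixing one occurrence.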
@@ -4,36 +4,42 @@
 name: haproxy
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-hydra-v1
 service:
 name: cadoles-pod-hydra-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-hydra-dispatcher-v1
 service:
 name: cadoles-pod-hydra-dispatcher-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-hydra-passwordless-v1
 service:
 name: cadoles-pod-hydra-passwordless-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-hydra-remote-user-v1
 service:
 name: cadoles-pod-hydra-remote-user-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-shibboleth-sp-v3
 service:
 name: cadoles-pod-shibboleth-sp-v3
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-hydra-oidc-v1
 service:
@@ -46,13 +52,16 @@
 name: cadoles-pod-hydra-ldap-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Restart cadoles-pod-goweb-oidc-v1
 service:
 name: cadoles-pod-goweb-oidc-v1
 state: restarted
 become: true
+ when: not install_only
 - name: Reload hydra clients
 ansible.builtin.include_tasks:
 file: hydra-reload-clients.yml
+ when: not install_only
diff --git a/tasks/install-hydra.yml b/tasks/install-hydra.yml
new file mode 100644
index 0000000..b6610c1
--- /dev/null
+++ b/tasks/install-hydra.yml
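Review bot: The `when: not install_only` guard is missing from `Restart cadoles-pod-hydra-oidc-v1`: its `state: restarted` and `become: true` lines lie between this hunk and the next (old lines 40-45) and are untouched, so that handler is the one restart an `install_only` run will still perform. Add `when: not install_only` after its `become: true` as done for the nine other handlers in this hunk and the following one. Since every handler now needs the identical guard, a short comment at the top of handlers/main.yml stating that new handlers must carry `when: not install_only` would keep the next addition from silently breaking install-only mode.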
@@ -0,0 +1,40 @@
+---
+
+- name: Install Hydra
+ ansible.builtin.apt:
+ name:
+ - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
+ update_cache: yes
+ state: present
+ become: true
+
+- name: Configure Hydra local database
+ ansible.builtin.include_tasks: hydra-database.yml
+ when: not hydra_use_external_database
+
+- name: Configure cadoles-pod-hydra-v1
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ with_items:
+ - src: cadoles-pod-hydra-v1.conf.j2
+ dest: /etc/cadoles-pod-hydra-v1.conf
+ notify:
+ - Restart cadoles-pod-hydra-v1
+ become: true
+
+- name: Check cadoles-pod-hydra-v1 status
+ service:
+ name: cadoles-pod-hydra-v1
+ state: started
+ become: true
+
+- name: Create hydra-clients
+ template:
+ src: hydra-client.json.j2
+ dest: "/etc/hydra/clients.d/{{ item.client_id }}.json"
+ with_items: "{{ hydra_clients }}"
+ notify:
+ - Reload hydra clients
+ become: true
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 9692b3e..d735c47 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -9,24 +9,28 @@
 update_cache: yes
 state: present
 become: true
+ tags: [ hydra-only ]
 - name: Add LetsEncrypt missing intermediate certificates
 command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'"
 args:
 creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem
 become: true
+ tags: [ hydra-only ]
 - name: Add cadoles-pod debian repository key
 ansible.builtin.apt_key:
 url: "{{ cadoles_pod_debian_repository_key_url }}"
 state: present
 become: true
+ tags: [ hydra-only ]
 - name: Configure cadoles-pod debian repository
 ansible.builtin.apt_repository:
 repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main"
 state: present
 become: true
+ tags: [ hydra-only ]
 - name: Ensure sysctl configuration
 ansible.posix.sysctl:
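Review bot: `Check cadoles-pod-hydra-v1 status` sets `state: started` unconditionally, so with `install_only: true` the handlers are suppressed but this task still starts hydra; if install-only is meant to leave services untouched it needs `when: not install_only`. The two `template` tasks set no `mode`/`owner`, so `/etc/cadoles-pod-hydra-v1.conf` and `/etc/hydra/clients.d/*.json` are created with the target's default umask; defaults/main.yml carries `hydra_database_password` and the client files presumably hold client secrets, so `mode: "0640"` plus the owner/group hydra runs as is the safer default — the template contents are not in this patch, confirm what they render. `update_cache: yes` should be `true` for consistency with the `no` → `false` change in defaults/main.yml.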
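Review bot: The `tags: [ hydra-only ]` added to `Add LetsEncrypt missing intermediate certificates` pulls the `wget -O- --no-check-certificate … | bash` pipeline on the context line above it into the minimal `--tags hydra-only` path, so every tagged run executes a remote script fetched without TLS verification and without any integrity check. Fetching the script with `ansible.builtin.get_url` and a pinned `checksum`, then running the local copy, keeps the task idempotent via `creates` and fails closed if the served content changes. The `creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem` path looks like a doubled extension; if it does not match what the script writes, the task re-runs on every play — worth confirming against the script.
```yaml
# … unchanged: apt prerequisites task above …
- name: Fetch LetsEncrypt intermediate certificates helper
  ansible.builtin.get_url:
    url: https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh
    dest: /usr/local/sbin/add-letsencrypt-ca.sh
    checksum: "sha256:<EXPECTED_SHA256_OF_SCRIPT>"
    mode: "0755"
  become: true
  tags: [ hydra-only ]

- name: Add LetsEncrypt missing intermediate certificates
  ansible.builtin.command: /usr/local/sbin/add-letsencrypt-ca.sh
  args:
    creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem
  become: true
  tags: [ hydra-only ]
# … unchanged: repository key and repository tasks …
```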
@@ -39,39 +43,30 @@
 - name: fs.inotify.max_user_watches
 value: 204800
 become: true
+ tags: [ hydra-only ]
-- name: Install core packages
+- name: Install HAProxy
 ansible.builtin.apt:
 name:
 - haproxy={{ haproxy_package_version }}
- - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
- - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
 update_cache: yes
 state: present
 become: true
+ tags: [ hydra-only ]
-- name: Configure Hydra local database
- ansible.builtin.include_tasks: hydra-database.yml
- when: not hydra_use_external_database
+- name: Install Hydra
+ include_tasks:
+ file: ./install-hydra.yml
+ apply:
+ tags: [ hydra-only ]
+ tags: [ hydra-only ]
-- name: Create hydra-clients
- template:
- src: hydra-client.json.j2
- dest: "/etc/hydra/clients.d/{{ item.client_id }}.json"
- with_items: "{{ hydra_clients }}"
- notify:
- - Reload hydra clients
- become: true
-
-- name: Configure cadoles-pod-hydra-v1
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- with_items:
- - src: cadoles-pod-hydra-v1.conf.j2
- dest: /etc/cadoles-pod-hydra-v1.conf
- notify:
- - Restart cadoles-pod-hydra-v1
+- name: Install hydra-dispatcher
+ ansible.builtin.apt:
+ name:
+ - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
+ update_cache: yes
+ state: present
 become: true
 - name: Configure cadoles-pod-hydra-dispatcher-v1
@@ -108,11 +103,11 @@
 - name: Start OIDC Test app if enabled
 ansible.builtin.include_tasks: start-oidc-test.yml
- when: enable_oidc_test_app
+ when: enable_oidc_test_app and not install_only
 - name: Stop OIDC Test app if disabled
 ansible.builtin.include_tasks: stop-oidc-test.yml
- when: not enable_oidc_test_app
+ when: not enable_oidc_test_app and not install_only
 - name: Configure HAProxy
 template:
@@ -122,3 +117,4 @@
 notify:
 - Restart HAProxy
 become: true
+ tags: [ hydra-only ]
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 27cabbe..959419c 100644
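Review bot: `Install hydra-dispatcher` has no `when`, so `enable_hydra_dispatcher: false` removes the dispatcher from haproxy.cfg.j2 but the package is still installed and, judging from the `Configure cadoles-pod-hydra-dispatcher-v1` task that begins right after this hunk, presumably still configured and restarted, leaving a service on 127.0.0.1:3000 that nothing routes to. Add `when: enable_hydra_dispatcher` to this apt task and, if the configure task's body (outside the hunk) has no such guard, to that task as well. The new `Install Hydra` task uses bare `include_tasks` while the rest of the file uses `ansible.builtin.*` FQCNs, and its `update_cache: yes` repeats the YAML 1.1 boolean form this commit otherwise drops.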
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -39,8 +39,9 @@ frontend http-in
 mode http
 maxconn 2000
-
+{% if enable_hydra_dispatcher %}
 acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
+{% endif %}
 {% if enable_hydra_passwordless %}
 acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
 {% endif %}
@@ -57,7 +58,9 @@ frontend http-in
 acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }}
 {% endif %}
+{% if enable_hydra_dispatcher %}
 use_backend hydra_dispatcher if login_dispatcher
+{% endif %}
 {% if enable_hydra_passwordless %}
 use_backend hydra_passwordless if login_passwordless
 {% endif %}
@@ -86,6 +89,7 @@ backend hydra
 http-request set-path %[path,regsub(^{{ haproxy_hydra_base_path }},)]
 server hydra 127.0.0.1:4444 check
+{% if enable_hydra_dispatcher %}
 # Backend Hydra Dispatcher
 backend hydra_dispatcher
 balance roundrobin
@@ -94,6 +98,7 @@ backend hydra_dispatcher
 http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_dispatcher_base_path }}
 server hydra-login-dispatcher 127.0.0.1:3000 check
+{%- endif %}
 {% if enable_hydra_passwordless %}
 # Backend Hydra Passwordless
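Review bot: `{% if enable_hydra_dispatcher %}` tests Jinja truthiness, so a value supplied as a string (for example `-e enable_hydra_dispatcher=false`, which arrives as the string `"false"`) keeps the ACL here and, in the second and third hunks, the `use_backend` line and the backend block, because any non-empty string is true inside a template even though `when:` in the tasks would read the same value as false. Use `{% if enable_hydra_dispatcher | bool %}` in all three places; the neighbouring `enable_hydra_passwordless` guard has the same exposure but is outside this change.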
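Review bot: The block opened here with `{% if enable_hydra_dispatcher %}` is closed in the next hunk with `{%- endif %}`, while the two frontend blocks above close with plain `{% endif %}`; the `-` strips the blank line between `server hydra-login-dispatcher 127.0.0.1:3000 check` and the `{% if enable_hydra_passwordless %}` block, so the rendered file's section spacing now depends on the toggle value. Closing with the same `{% endif %}` form as the other two keeps the output shape identical and the template easier to diff.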