Add metadata vhost for serving static metadata files generated elsewh…

…ere.
OpenConext · Mar 21, 2017 · f1ff108 · f1ff108
1 parent 05c1f37
commit f1ff108
Show file tree

Hide file tree

Showing 20 changed files with 113 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -79,7 +79,7 @@ These are the steps the above script performs:
 We need pseudo-DNS entries so that your browser can reach the VM-platform we just installed. So, add this very long line to your `/etc/hosts` file:
 
 ```
-192.168.66.98  welcome.vm.openconext.org serviceregistry.vm.openconext.org static.vm.openconext.org db.vm.openconext.org ldap.vm.openconext.org engine.vm.openconext.org  profile.vm.openconext.org mujina-sp.vm.openconext.org mujina-idp.vm.openconext.org teams.vm.openconext.org grouper.vm.openconext.org authz.vm.openconext.org voot.vm.openconext.org authz-admin.vm.openconext.org authz-playground.vm.openconext.org pdp.vm.openconext.org engine-api.vm.openconext.org oidc.vm.openconext.org aa.vm.openconext.org
+192.168.66.98  welcome.vm.openconext.org serviceregistry.vm.openconext.org static.vm.openconext.org metadata.vm.openconext.org db.vm.openconext.org ldap.vm.openconext.org engine.vm.openconext.org  profile.vm.openconext.org mujina-sp.vm.openconext.org mujina-idp.vm.openconext.org teams.vm.openconext.org grouper.vm.openconext.org authz.vm.openconext.org voot.vm.openconext.org authz-admin.vm.openconext.org authz-playground.vm.openconext.org pdp.vm.openconext.org engine-api.vm.openconext.org oidc.vm.openconext.org aa.vm.openconext.org
 ```
 
 Here, the ip-address `192.168.66.98` refers to the address that is mentioned in ./Vagrantfile.

diff --git a/environments/docker/group_vars/docker.yml b/environments/docker/group_vars/docker.yml
@@ -405,6 +405,8 @@ loadbalancing:
     port: 404
   engine_api:
     port: 405
+  metadata:
+    port: 409
   teams:
     port: 601
   authzserver:
@@ -615,6 +617,19 @@ haproxy_applications:
     backend_vhost_name: backend.{{ base_domain }}
     backend_ca_file: "{{ tls_backend_ca }}"
 
+  - name: metadata
+    vhost_name: metadata
+    ip: 127.0.0.1
+    ha_method: HEAD
+    ha_url: /alive.txt
+    port: 409
+    servers: "{{ php_servers }}"
+    crt_name: "{{ tls_star_cert }}"
+    key_name: "{{ tls_star_cert_key }}"
+    sslbackend: yes
+    backend_vhost_name: backend.{{ base_domain }}
+    backend_ca_file: "{{ tls_backend_ca }}"
+
   - name: mujina-idp
     vhost_name: "mujina-idp"
     ip: "192.168.66.98"

diff --git a/environments/docker/host_vars/localhost b/environments/docker/host_vars/localhost
@@ -13,6 +13,7 @@ apache_app_listen_address:
   aa: 127.0.0.1
   metadata_exporter: 127.0.0.1
   static: 127.0.0.1
+  metadata: 127.0.0.1
   welcome: 127.0.0.1
   engine: 127.0.0.1
   engine_api: 127.0.0.1

diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
@@ -380,6 +380,9 @@ loadbalancing:
   engine_api:
     port: 405
 
+  metadata:
+    port: 409
+
   teams:
     port: 601
 
@@ -445,6 +448,14 @@ haproxy_applications:
     port: "403"
     servers: "{{php_servers}}"
 
+  - name: metadata
+    vhost_name: "metadata"
+    ip: "{{ ansible_default_ipv4 }}"
+    ha_method: "HEAD"
+    ha_url: "/alive.txt"
+    port: "409"
+    servers: "{{php_servers}}"
+
   - name:  serviceregistry
     vhost_name: "serviceregistry"
     ip: "{{ ansible_default_ipv4 }}"

diff --git a/environments/template/host_vars/template.yml b/environments/template/host_vars/template.yml
@@ -7,6 +7,7 @@ apache_app_listen_address:
   mujina_sp: 127.0.0.1
   serviceregistry: 127.0.0.1
   static: 127.0.0.1
+  metadata: 127.0.0.1
   authzserver: 127.0.0.1
   authz_admin: 127.0.0.1
   authz_playground: 127.0.0.1

diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
@@ -426,7 +426,14 @@ loadbalancing:
       servers: [
         { label: "engine_backend", ip: "192.168.66.99" },
       ]
-    }
+  }
+  metadata: {
+    port: 409,
+    heartbeat: { url: "/alive.txt", method: "HEAD" },
+    servers: [
+      { label: "metadata_backend", ip: "192.168.66.99" },
+    ]
+  }
   teams: {
     port: 601,
     heartbeat: { url: "/media/trans-white.png", method: "GET" },
@@ -561,6 +568,14 @@ haproxy_applications:
     ha_url: "/"
     port: 405
     servers: "{{php_servers}}"
+
+  - name: metadata
+    vhost_name: "metadata"
+    ip: 192.168.66.98
+    ha_method: "HEAD"
+    ha_url: "/alive.txt"
+    port: 409
+    servers: "{{php_servers}}"
 
   - name: teams
     vhost_name: "teams"

diff --git a/environments/vm/host_vars/192.168.66.99.yml b/environments/vm/host_vars/192.168.66.99.yml
@@ -18,3 +18,4 @@ apache_app_listen_address:
   oidc: 192.168.66.99
   aa: 192.168.66.99
   metadata_exporter: 192.168.66.99
+  metadata: 192.168.66.99
diff --git a/host_vars/template.yml b/host_vars/template.yml
@@ -11,6 +11,7 @@ apache_app_listen_address:
   mujina_sp: 127.0.0.2
   serviceregistry: 127.0.0.2
   static: 127.0.0.2
+  metadata: 127.0.0.2
   teams: 127.0.0.2
   voot: 127.0.0.2
   welcome: 127.0.0.2

diff --git a/provision-diy.yml b/provision-diy.yml
@@ -47,12 +47,13 @@
   roles:
     - { role: php56fpm,          tags: ['php'     ] }
     - { role: static,            tags: ['static'  ] }
+    - { role: metadata,          tags: ['static'  ] }
     - { role: openconext-common, tags: ['eb','sr','profile'] }
-    - { role: engineblock,      tags: ['eb'     ] }
+    - { role: engineblock,       tags: ['eb'      ] }
     - { role: janus,             tags: ['sr'      ] }
     - { role: profile,           tags: ['profile' ] }
-    - { role: spform,           tags: ['spform' ] }
-    - { role: diyidp,           tags: ['diyidp' ] }
+    - { role: spform,            tags: ['spform'  ] }
+    - { role: diyidp,            tags: ['diyidp'  ] }
   handlers:
     - include: roles/httpd/handlers/main.yml
 

diff --git a/provision-ebhost.yml b/provision-ebhost.yml
@@ -45,6 +45,7 @@
   roles:
     - { role: php56fpm,          tags: ['php'     ] }
     - { role: static,            tags: ['static'  ] }
+    - { role: metadata,          tags: ['static'  ] }
     - { role: welcome,           tags: ['welcome'] }
     - { role: openconext-common, tags: ['eb','sr','profile'] }
     - { role: engineblock,       tags: ['eb'     ] }

diff --git a/provision-template.yml b/provision-template.yml
@@ -58,13 +58,14 @@
   roles:
     - { role: php56fpm,          tags: ['php'     ] }
     - { role: static,            tags: ['static'  ] }
-    - { role: welcome,           tags: ['welcome'] }
+    - { role: metadata,          tags: ['static'  ] }
+    - { role: welcome,           tags: ['welcome' ] }
     - { role: openconext-common, tags: ['eb','sr','profile'] }
-    - { role: engineblock,       tags: ['eb'     ] }
-    - { role: profile,       tags: ['profile'     ] }
+    - { role: engineblock,       tags: ['eb'      ] }
+    - { role: profile,           tags: ['profile' ] }
     - { role: vm_only_bootstrap_ldap_attributes, tags: [ 'ldap_bootstrap' ], when: not minimal_install }
-    - { role: janus,             tags: ['sr'     ] }
-    - { role: profile,           tags: ['profile'] }
+    - { role: janus,             tags: ['sr'      ] }
+    - { role: profile,           tags: ['profile' ] }
   handlers:
     - include: roles/httpd/handlers/main.yml
 

diff --git a/provision-vm.yml b/provision-vm.yml
@@ -48,6 +48,7 @@
   roles:
     - { role: php56fpm,                          tags: ['php56fpm'] }
     - { role: static,                            tags: ['static'] }
+    - { role: metadata,                          tags: ['static'] }
     - { role: welcome,                           tags: ['welcome'] }
     - { role: openconext-common,                 tags: ['eb','sr','profile'] }
     - { role: engineblock,                       tags: ['eb'     ] }

diff --git a/provision.yml b/provision.yml
@@ -65,8 +65,9 @@
   roles:
     - { role: php56fpm,          tags: ['php'     ] }
     - { role: static,            tags: ['static'  ] }
+    - { role: metadata,          tags: ['static'  ] }
     - { role: openconext-common, tags: ['eb','sr','profile'] }
-    - { role: engineblock,      tags: ['eb'     ] }
+    - { role: engineblock,       tags: ['eb'      ] }
     - { role: janus,             tags: ['sr'      ] }
     - { role: profile,           tags: ['profile' ] }
   handlers:

diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml
@@ -3,6 +3,7 @@
   lineinfile: dest=/etc/hosts line="{{ hosts_ip_address }} {{ item }}" unsafe_writes=yes
   with_items:
     - "static.vm.openconext.org"
+    - "metadata.vm.openconext.org"
     - "serviceregistry.vm.openconext.org"
     - "engine.vm.openconext.org"
     - "profile.vm.openconext.org"

diff --git a/roles/keepalived/templates/keepalived_loadbalancer.conf.j2 b/roles/keepalived/templates/keepalived_loadbalancer.conf.j2
@@ -73,6 +73,10 @@ vrrp_instance backup {
         {% if static_ipv6 is defined %}
         {{ static_ipv6 }}
         {% endif %}
+        {{ metadata_ip }}
+        {% if metadata_ipv6 is defined %}
+        {{ metadata_ipv6 }}
+        {% endif %}
         {{ bind_ip }}
         {% if bind_ipv6 is defined %}
         {{ bind_ipv6 }}

diff --git a/roles/metadata/defaults/main.yml b/roles/metadata/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+metadata_dir: "/opt/openconext/metadata/www"
diff --git a/roles/metadata/files/alive.txt b/roles/metadata/files/alive.txt
@@ -0,0 +1 @@
+dummy file to serve as endpoint for haproxy-healthchecks
diff --git a/roles/metadata/tasks/main.yml b/roles/metadata/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: create metadata dir
+  file: path={{ metadata_dir }} state=directory
+
+- name: copy dummy files
+  copy: src=alive.txt dest={{ metadata_dir }}
+
+- name: copy apache config
+  template: src=metadata.conf.j2 dest=/etc/httpd/conf.d/metadata.conf
+  notify: reload httpd
diff --git a/roles/metadata/templates/metadata.conf.j2 b/roles/metadata/templates/metadata.conf.j2
@@ -0,0 +1,33 @@
+{% if apache_app_listen_address.metadata is defined %}
+Listen {{ apache_app_listen_address.metadata }}:{{ loadbalancing.metadata.port }}
+<Virtualhost {{ apache_app_listen_address.metadata }}:{{ loadbalancing.metadata.port }}>
+{% else %}
+<Virtualhost *:443 >
+{% endif %}
+    ServerName metadata.{{ base_domain }}:443
+
+    DocumentRoot {{ metadata_dir }}
+    <Directory "{{ metadata_dir }}">
+          Require all granted
+    </Directory>
+
+{% if apache_app_listen_address.all is defined %}
+    SSLEngine on
+    SSLCertificateFile      {{ tls.cert_path }}/{{ tls_star_cert }}
+    SSLCertificateKeyFile   {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
+    SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
+{% endif %}
+
+    ErrorLog "|/usr/bin/logger -p local3.err  -t 'Apache-METADATA'"
+    CustomLog "|/usr/bin/logger -p local3.info  -t 'Apache-METADATA'" combined
+
+    {% if haproxy_backend_tls %}
+    SSLEngine on
+    SSLCertificateFile      {{ tls.cert_path }}/backend.{{ base_domain }}.pem
+    SSLCertificateKeyFile   {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
+    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+    SSLHonorCipherOrder     on
+    SSLCompression          off
+    {% endif %}
+</VirtualHost>
diff --git a/tests/travis-build.sh b/tests/travis-build.sh
@@ -18,6 +18,7 @@ docker run --detach                                         \
 	--privileged                                            \
 	--name ansible-test                                     \
 	--add-host static.vm.openconext.org:127.0.0.1           \
+	--add-host metadata.vm.openconext.org:127.0.0.1         \
 	--add-host serviceregistry.vm.openconext.org:127.0.0.1  \
 	--add-host engine.vm.openconext.org:127.0.0.1           \
 	--add-host profile.vm.openconext.org:127.0.0.1          \