Configuration

2024-02-26 11:26:43 +01:00 · 2024-02-26 11:26:43 +01:00 · 0087cbe846
commit 0087cbe846
parent f595fbeccd
3 changed files with 51 additions and 0 deletions
--- a/global/overlay/etc/puppet/modules/eid/manifests/idm_app.pp
+++ b/global/overlay/etc/puppet/modules/eid/manifests/idm_app.pp
@ -1,6 +1,12 @@
 # idm_app
 class eid::idm_app (
 ) {
+
+  ensure_resource('sunet::misc::create_dir', '/opt/idm_app/config/', { owner => 'root', group => 'root', mode => '0750'})
+  file { '/opt/idm_app/config/idm.yml':
+    content => template('eid/idm/idm.yml.erb'),
+    mode    => '0755',
+  }3
  sunet::docker_compose { 'idm_app':
    content          => template('eid/idm/docker-compose.yml.erb'),
    service_name     => 'idm_app',
--- a/global/overlay/etc/puppet/modules/eid/templates/idm/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/eid/templates/idm/docker-compose.yml.erb
@ -3,5 +3,12 @@ version: '3.2'
 services:
  idm_app:
    image: docker.sunet.se/eidas-idm
+    environment:
+      - TZ='Europe/Stockholm'
+      - SPRING_CONFIG_IMPORT='/opt/idm_app/config/idm.yml'
    ports:
      - '443:443'
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/opt/idm_app:/opt/idm_app"
+      - "/etc/ssl:/etc/ssl:ro"
--- a/global/overlay/etc/puppet/modules/eid/templates/idm/idm.yml.erb
+++ b/global/overlay/etc/puppet/modules/eid/templates/idm/idm.yml.erb
@ -0,0 +1,38 @@
+server:
+  port: 8082
+  ssl:
+    bundle: infra
+
+spring:
+  ssl:
+    bundle:
+      pem:
+        infra:
+          keystore:
+            private-key: file:/etc/ssl/private/<%= @fqdn %>_infra.key
+            certificate: file:/etc/ssl/certs/<%= @fqdn %>_infra.crt
+          truststore:
+            certificate: file:/etc/ssl/certs/infra.crt
+  data:
+    redis:
+      password: '<%= scope.call_function('safe_hiera', ['idm_redis_password'])  %>'
+      cluster:
+        nodes:
+          <%- @redises.each do |host| -%>
+          - <%= host %>:6379
+          - <%= host %>:6380
+          <%- end -%>
+      ssl:
+        enabled: true
+      ssl-ext:
+        # redis or java require IP addresses in cert if verifcation is turned on
+        # Caused by: java.util.concurrent.CompletionException:
+        # javax.net.ssl.SSLHandshakeException: No subject alternative names
+        # matching IP address 89.46.20.236 found
+        enable-hostname-verification: false
+        credential:
+          resource: file:/etc/ssl/private/<%= @fqdn %>_infra.p12
+          password: qwerty123
+        trust:
+          resource: file:/etc/ssl/certs/infra.p12
+          password: qwerty123