swedenconnect/eid-ops
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

demw deploy - attempt 1

Browse source
This commit is contained in:
Leif Johansson 2019-07-12 11:31:41 +02:00
parent 366354591b
commit 0bbd0b7faf
8 changed files with 121 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
demw-common/overlay/opt/eidas-middleware/configuration/credentials/enc.crt Normal file
View file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFLjCCAxagAwIBAgIEBEA5gTANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJT
RTEXMBUGA1UEChMOU3dlZGVuIENvbm5lY3QxDjAMBgNVBAsTBWVJREFTMRcwFQYD
VQQDEw5TQU1MIEVuY3J5cHRlcjAeFw0xODA5MDEwMDAwMDBaFw0yODA5MDEwMDAw
MDBaME8xCzAJBgNVBAYTAlNFMRcwFQYDVQQKEw5Td2VkZW4gQ29ubmVjdDEOMAwG
A1UECxMFZUlEQVMxFzAVBgNVBAMTDlNBTUwgRW5jcnlwdGVyMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEAncnQs7F6x3l7WDWfzWQ1YI3nRPRAmou/6wfu
t/Q/0Lrk2qC1t0cKXVcwgjYjond7mNgTl8rUBIheI4KLOzX48diUOs+aNz21EjPP
qGpgq3HzS9AAs7yw8ZEG5Y/G2KTLrxG9DO/zhy+mXcRle+zGJh8jc5MBqz2xnSMj
drRNWlIuAQ+hrlEiJw70+ezZIB3Y0KWwAKSN+CMNXzNoxuCd4hiSocga74guoLu7
borpf6Z+i9Iry+L1+jTRPzPdeoEdVI45a2Oy3x9up5Oag9ehIeqJqEQZOtrJj45Q
FiQgYEEVOB7YAFKSwf426eSOyDNfcYlZGC9+p/hAxsJAptOlfiW5OFhKvsdc4t6l
t43U4GqKT+gDGvk8WOMCTkcJBfDkRMbSHA7ZnmF3xmkfROUjh5/OiypVUpjQDxTi
wd2F7lc0w5qMiWbLTUIGYtbsVdLcsZ3npkxxYSV/b4GnR1QDQgktDol2ksQUFYaW
a301l7zLoKHVXbXIZu569VFVtgB8SeJwaqIEsOqyLpLUzCL+27cpPhenW1hZ4ZAY
R0kEWu8tUL8IEplG96NGSuKF0KM3hrRGC80wW8epHKHcjVlPnAALWSrXh86N+6kw
cf9vKETYCZAWo8QUC0MWNB9yH+JR6whsrmBcywNTnyAtPc00gYY4DbzaWgbjCJNx
cI9rHKUCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IC
AQBvu+YkEyb6JBIVaRfDGk04ggJEZcBMjfP8JH4bCDTkHJW8vTGIADLuONd/LR0z
hmjWILQ/kZWtqmgm7RTduMQfLm1Pl/s2Zj4dRM4KfYGHSuqDOUhOqP8BcvXesx8e
YoD3ui8V5Uo2mnbajJOTSTd5AXEMheujBaMzVQ1G8sT6FPVBPP2jXuQyOS+sSOr3
vRRN+hEMkI2D6b6h20Nu2CFdDP+q9QSbbRf9Igx+h9lJ+VhWgsytHsRIIzq5Watg
rx2cfXOvhgagMomgDmOFD0YrRRjqPH7wYDwcc4W7si3TilP54lfnl6pEG9HCK31t
cVwdMc06lSh3LLpfiYQUBi7Q68p5F9T6oNL71Ii+v99ouDqiDsrcP3ouS5OK5RrY
4w2nw9993xU0Dp3s307OY/5FAUc7PGagTbx464FTXNDXA9nNKW/Z6Fy+c3IwA0fb
ZtqsCoet9DiJr9OG5awC33KeNB95a6WVym/My4WgNeZUHUoI4SnmtELUr4h1IO/2
y6nm2r4haoS5OUw+cxBYYP/LXTDaF759AYJEcOYOqad2IBFChMcC3Sk45XPXwfE9
+AyNq6gwRzqtqsCnDB65g7zSGYZUsTJSAMlEzcrTpksBAgirZmCMsJVLEAJgqCwn
j00m1WNvgK2Fj71hjOONvhwP5gj0bwy+1b8GY0+A/RObSw==
-----END CERTIFICATE-----

0
demw-common/overlay/opt/eidas-middleware/configuration/metadata-signature-certificate.crt → demw-common/overlay/opt/eidas-middleware/configuration/credentials/metadata-signature-certificate.crt
View file

30
demw-common/overlay/opt/eidas-middleware/configuration/credentials/sign.crt Normal file
View file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFKDCCAxCgAwIBAgIEBEA5gTANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJT
RTEXMBUGA1UEChMOU3dlZGVuIENvbm5lY3QxDjAMBgNVBAsTBWVJREFTMRQwEgYD
VQQDEwtTQU1MIFNpZ25lcjAeFw0xODA5MDEwMDAwMDBaFw0yODA5MDEwMDAwMDBa
MEwxCzAJBgNVBAYTAlNFMRcwFQYDVQQKEw5Td2VkZW4gQ29ubmVjdDEOMAwGA1UE
CxMFZUlEQVMxFDASBgNVBAMTC1NBTUwgU2lnbmVyMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAoDCg0aSB43LoPFwh0gB9ZyQ6c5MRHddSDfdyZW2Z20bo
EML62j3spRnBXG83orL40w3CzbXVu3j4gaCSx+Qt8sGKW9mk2PY8S+h6Xieg18Rw
SP0eZRoAfacxufejvKHUg4nSLdT8k8RjiVkLjPMyTwqHlhusFU/OiGdT82B9aYJa
ekiKVqLorv6VBIFu2j3KJ7mKJN3xxjeSWyHlKVvVmJ7slarp69ndGV5AJNtnDK5Y
KbEzgKslIUicP3rmnqgCSKBUlA3ppYxArUy6IJLGiKmv74/Sc2tRpsCXwVgFouC/
sj2Mpksab0wTzXomZ7oXMb35M12duiltPXgnLhMuH4GjEYlPBaaQl1ilAAvk/e29
xpT2jIR5tl0RF9rUqYlpJqyLq5/jRjyUXOTWwVQ5/oQ65iYXuoA9EYxkAE1bYCf9
rKMPUcczqiThzHzaYUs/mkAoLgBMtLSf2K84ztWZrbUzDa4RBTfeXmZhHyjenTSC
KgBqnN2s89VOgy/+hB8EmTeSHg4BOoJ56zjOr/EOifUQCey2PetA9rMUd7MkMv49
hdVWKdk9fIrAmmEaVtU5uMajmCTiZItMbtEbmBtYfFOZmE0BoI1/g3wu393tY/oF
vMrGrGf2gFUc/o63IrlSDpZLv/hmKfmpmreZpY6yi3pAVs9wiuDRZsaQcV8dpIMC
AwEAAaMSMBAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQBt3yH5
jXx63IFWA+jWdLdAn/MSJNT19vwuC5KVgDdlnv/bWj6u3uCmBvHUVsNMcTuOJXN2
KOverRvdzStwW2yHmNn8PX4Yn4IVLSYdYNlrxp4DvL97WwnpxV2tASaRZ3eUMrh5
sQaG/IqdJ1lCS78PyiE+kVzF0oNUbk1ba0N2Hvlc6LeA5Sy0lbaqT0PTU6xF5lec
9azRPc3S2GiGl5BLRBcJvMjJzBBQ6yD4dXPY4nFQSWdgp7VW6FnvY6jnj2mmLVn8
HYLB7hSxev3vCqt5vOEWXCi/zDM/YU5/SwbvZQ/vdkFGIEaJNSBGLq8As3uljmPd
byLHu2wpW7/hVZpD6fYVG+0nghu23lwZ+l0KQKU4AleHulMJUaYkprP4LhC3mRAO
jaJwlMn4hdGEV38zauukvwspxEmZ52UAEAhS1+NPLIm0gjR/s3S+U4HNpJjvqm+T
BI3VAH8TV9bJ0FGf1jPZ5ZM0AsLearM5AO9peQ2xRvC9tLrpCnfk84HZF6KvZCzo
egUxh55BXfCs5n/xhKU5ZLzbetkNLHXFsd3F2KAg3ny+vTxaTpY/rBCvsOKI98Fo
ybRdsPn1zskNyGXdZi3yxVYa0lvEWf7VyG9svLSfF7xjN/pc7vj/nspCZK6B/q5+
wAO+aJg4t0V8ZXu8gI23LFpiMNhjqkSQ6ZuIGA==
-----END CERTIFICATE-----

2
demw-common/overlay/opt/eidas-middleware/configuration/eidasmiddleware.properties.sh
View file

@ -19,7 +19,7 @@ ORGANIZATION_LANG=sv
ORGANIZATION_NAME=Sweden Connect ORGANIZATION_NAME=Sweden Connect
ORGANIZATION_URL=https\://swedenconnect.se ORGANIZATION_URL=https\://swedenconnect.se
SERVICE_PROVIDER_CONFIG_FOLDER=/opt/eidas-middleware/configuration/serviceprovider-metadata SERVICE_PROVIDER_CONFIG_FOLDER=/opt/eidas-middleware/configuration/serviceprovider-metadata
SERVICE_PROVIDER_METADATA_SIGNATURE_CERT=/opt/eidas-middleware/configuration/metadata-signature-certificate.crt SERVICE_PROVIDER_METADATA_SIGNATURE_CERT=/opt/eidas-middleware/configuration/credentials/metadata-signature-certificate.crt
#metadata validity #metadata validity
#METADATA_VALIDITY=2063-04-30 #METADATA_VALIDITY=2063-04-30

15
demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties
View file

@ -1,15 +0,0 @@
hsmExternalCfgLocations=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config
#hsmPin=
#hsmLib=
#hsmProviderName=
#hsmSlot=0
#hsmSlotListIndex=0
#hsmSlotListIndexMaxRange=0
#keySourcePass=
#keySourceAlias=
#keySourceKeyLocation=
#keySourceCertLocation=
#keySourcePassEnc=
#keySourceAliasEnc=
#keySourceKeyLocationEnc=
#keySourceCertLocationEnc=ß

11
demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties.sh Normal file
View file

@ -0,0 +1,11 @@
cat<<EOF
hsmExternalCfgLocations=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config
hsmPin=${PKCS11_PIN}
hsmLib=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
hsmProviderName=Luna
hsmSlot=5
keySourceAlias=sc_eidas_sign
keySourceCertLocation=/opt/eidas-middleware/configuration/credentials/sign.crt
keySourceAliasEnc=sc_eidas_encrypt
keySourceCertLocationEnc=/opt/eidas-middleware/configuration/credentials/enc.crt
EOF

17
global/overlay/etc/puppet/cosmos-rules.yaml
View file

@ -610,12 +610,12 @@ md-eu1.qa.komreg.net:
- 'se-tug-lb-1.sunet.se' - 'se-tug-lb-1.sunet.se'
port: '443' port: '443'
'^demw-[0-9]+\.sveidas\.se$': '^demw-1\.sveidas\.se$':
eid::dockerhost: eid::dockerhost:
konsulter: konsulter:
autoupdate: autoupdate:
eidas_de_middleware: eidas_de_middleware_hsm:
version: 1.1.0-qa version: 110-fixes-sc-p11
hostname: demw.eidas.swedenconnect.se hostname: demw.eidas.swedenconnect.se
saml_metadata: saml_metadata:
filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml
@ -628,6 +628,17 @@ md-eu1.qa.komreg.net:
- 'fe-tug-3.komreg.net' - 'fe-tug-3.komreg.net'
port: '443' port: '443'
'^demw-2\.sveidas\.se$':
eid::dockerhost:
konsulter:
autoupdate:
eidas_de_middleware_hsm:
version: 110-fixes-sc-p11
hostname: demw.eidas.swedenconnect.se
saml_metadata:
filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml
url: https://connector.eidas.swedenconnect.se/idp/metadata/sp
'^refidp-[0-9]+\.qa\.sveidas\.se$': '^refidp-[0-9]+\.qa\.sveidas\.se$':
sunet_iaas_cloud: sunet_iaas_cloud:
eid::dockerhost: eid::dockerhost:

35
global/overlay/etc/puppet/manifests/cosmos-site.pp
View file

@ -289,6 +289,40 @@ class md_repo_server($hostname) {
ensure_resource('class','https_server',{}) ensure_resource('class','https_server',{})
} }
class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname)
$poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
$spring_datasource_password = safe_hiera('spring_datasource_password')
$pkcs11_pin = safe_hiera('pkcs11_pin')
$demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
sunet::docker_run {'eidas-demw':
image => 'docker.sunet.se/eidas-demw',
imagetag => $_version,
hostname => "${::fqdn}",
ports => ['443:8443'],
volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
'/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
'/opt/eidas-middleware/database:/opt/eidas-middleware/database',
'/dev/log:/dev/log',
'/etc/ssl:/etc/ssl'],
env => ["CERTNAME=${::fqdn}_infra",
"EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256",
"PUBLIC_HOSTNAME=$_hostname",
"PKCS11_PIN=$pkcs11_pin",
"POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
"DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
"DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
"DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
"SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
extra_parameters => ["--log-driver=syslog"]
}
}
class eidas_de_middleware($version="106-rs",$hostname='localhost') { class eidas_de_middleware($version="106-rs",$hostname='localhost') {
$_version = safe_hiera('eidas_demw_version',$version) $_version = safe_hiera('eidas_demw_version',$version)
$_hostname = safe_hiera('eidas_demw_hostname',$hostname) $_hostname = safe_hiera('eidas_demw_hostname',$hostname)
@ -299,6 +333,7 @@ class eidas_de_middleware($version="106-rs",$hostname='localhost') {
$demw_tls_client_key = safe_hiera('demw_tls_client_key') $demw_tls_client_key = safe_hiera('demw_tls_client_key')
$demw_tls_client_cert = safe_hiera('demw_tls_client_cert') $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
$demw_tls_server_cert = safe_hiera('demw_tls_server_cert') $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } -> file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } ->
sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks": sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks":
hiera_key => 'eidasmw-signature-keystore', hiera_key => 'eidasmw-signature-keystore',