Connector config for connector-qa, SC-2670

This commit is contained in:
Patrik Holmqvist 2025-02-18 15:50:23 +01:00
parent a6483a2bf8
commit 3c4ca71bf6
Signed by: pahol
GPG key ID: 5D5B0D4E93F77273
2 changed files with 182 additions and 0 deletions


@ -1293,6 +1293,10 @@ idm-sto[13]-qa-redis-[123]\.komreg\.net:
connector-qa-sto1-1.komreg.net:
autoupdate:
sunet::dockerhost2:
eid::connector:
environment: qa
session_backend: memory
version: 2.0.2_hsm2_ubuntu
### TEST environment ####
connector-test-sto3-1.komreg.net:


@ -0,0 +1,178 @@
#
# Connector overrides for the Sweden Connect QA deployment
#
---
spring:
ssl:
bundle:
pem:
connector-web-server:
keystore:
certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt
private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key
sunet-tls-trust:
truststore:
certificate: file:/etc/ssl/certs/infra.crt
<% if @session_backend == 'redis' -%>
keystore:
certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt
private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key
session:
timeout: 15m
redis:
namespace: spring:session:connector
data:
redis:
cluster:
nodes:
- 89.45.236.201:6379
- 89.45.237.40:6379
- 89.45.237.212:6379
password: <%= scope.call_function('safe_hiera', ['redict_password']) %>
ssl:
enabled: true
bundle: sunet-tls-trust
ssl-ext:
enable-hostname-verification: false
<% end -%>
server:
port: 8443
servlet:
context-path: /idp
ssl:
enabled: true
bundle: connector-web-server
error:
include-stacktrace: never
management:
server:
port: 8444
health:
redis:
<% if @session_backend == 'redis' -%>
enabled: true
<% end -%>
<% if @session_backend == 'memory' -%>
enabled: false
<% end -%>
credential:
bundles:
keystore:
pkcs11-store:
type: PKCS11
provider: SunPKCS11
password: ${PKCS11_PIN}
pkcs11:
configuration-file: ${CONNECTOR_DIRECTORY}/credentials/pkcs11.cfg
jks:
connector-sign:
name: "Connector Signing Credential"
store-reference: pkcs11-store
key:
certificates: file:${CONNECTOR_DIRECTORY}/credentials/sign.crt
# The alias should be the name of the CKA_LABEL attribute
alias: sc_eidas_sign
key-password: ${PKCS11_PIN}
monitor: true
connector-encrypt:
name: "Connector Encryption Credential"
store-reference: pkcs11-store
key:
# certificates: file:${CONNECTOR_DIRECTORY}/credentials/enc.crt
# The alias should be the name of the CKA_LABEL attribute
alias: sc_eidas_encrypt
key-password: ${PKCS11_PIN}
monitor: true
connector-hsm-md-sign:
name: "Connector HSM Metadata Signing Credential"
store-reference: pkcs11-store
key:
certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
alias: sctest2
key-password: ${PKCS11_PIN}
monitor: true
#pem:
#oauth2:
# TODO: Fix certs
#name: "Connector OAuth2 Credential"
#certificates: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.crt
# private-key: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.key
monitoring:
enabled: true
test-interval: 10m
health-endpoint-enabled: true
connector:
domain: test.connector.eidas.swedenconnect.se
base-url: https://${connector.domain}${server.servlet.context-path}
backup-directory: ${CONNECTOR_DIRECTORY}/backup
eu-metadata:
location: https://test.md.eidas.swedenconnect.se/role/idp.xml
validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
eidas:
credentials:
# Use same as for IdP except for the metadata signing credential
metadata-sign:
pem:
name: "Credential Metadata Signing"
certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
private-key: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.key
prid:
policy-resource: file:${CONNECTOR_DIRECTORY}/prid/policy.properties
idp:
ping-whitelist:
- https://test.test.swedenconnect.se/sp
# idm:
# TODO: Change to true when IdM integration should be turned on
# active: false
# api-base-url: https://test.idm.eidas.swedenconnect.se/idm
#service-url: https://test.idm.eidas.swedenconnect.se/idm
#oauth2:
# resource-id: https://test.idm.eidas.swedenconnect.se/idm
# client-id: ${saml.idp.entity-id}
# check-scopes:
# - ${connector.idm.oauth2.resource-id}/idrecord_check
# get-scopes:
# - ${connector.idm.oauth2.resource-id}/idrecord_get
# server:
# issuer: ${saml.idp.entity-id}/as
# credential:
# bundle: oauth2
saml:
idp:
entity-id: https://test.connector.eidas.swedenconnect.se/eidas
base-url: ${connector.base-url}
session:
module: <%= @session_backend %>
replay:
type: <%= @session_backend %>
context: "connector-replay-cache"
metadata-providers:
- location: https://test.md.swedenconnect.se/role/sp.xml
backup-location: ${connector.backup-directory}/metadata/sc-cache.xml
validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
credentials:
# Use same as for IdP except for the metadata signing credential
sign:
bundle: connector-sign
encrypt:
bundle: connector-encrypt
metadata-sign:
bundle: connector-hsm-md-sign
#future-sign: file:${CONNECTOR_DIRECTORY}/credentials/idp-signing.crt
audit:
in-memory:
capacity: 1000
file:
log-file: ${CONNECTOR_DIRECTORY}/logs/audit.log
logging:
level:
se:
swedenconnect:
opensaml: DEBUG
eidas: INFO
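Review bot: `enable-hostname-verification: false` under `spring.data.redis.ssl-ext` turns the `sunet-tls-trust` bundle into "any certificate chaining to infra.crt", so a certificate issued for some other host in the same infrastructure would be accepted by the session store connection; the cluster nodes are listed by bare IP, which suggests the node certificates lack matching SANs, but that is inferred and should be recorded, e.g. `# Hostname verification is off because the redis nodes are addressed by IP and their certs carry no IP SANs; revisit if the certs are reissued with SANs`. The `password:` value on the same block is an unquoted templated scalar, so a secret that starts with a YAML indicator or looks like a number or boolean is silently retyped or breaks the parse; quote it and make sure the rendered value cannot contain the quote character, `password: "<%= scope.call_function('safe_hiera', ['redict_password']) %>"`. The `management.health.redis` mapping is empty, hence `null`, for any `@session_backend` value other than `redis` or `memory`; an `<% else -%>` branch or a default would make the intent explicit. `logging.level.se.swedenconnect.opensaml: DEBUG` may be intentional for QA, but a comment saying so (and that it is not for production overrides) would help the next reader.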