From 3c4ca71bf6f8967f0bae74455398944f14236d30 Mon Sep 17 00:00:00 2001 From: Patrik Holmqvist Date: Tue, 18 Feb 2025 15:50:23 +0100 Subject: [PATCH] Connector config for connector-qa, SC-2670 --- global/overlay/etc/puppet/cosmos-rules.yaml | 4 + .../connector/application-qa.yml.erb | 178 ++++++++++++++++++ 2 files changed, 182 insertions(+) create mode 100644 global/overlay/etc/puppet/modules/eid/templates/connector/application-qa.yml.erb diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index 5ba277c5..864b5140 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -1293,6 +1293,10 @@ idm-sto[13]-qa-redis-[123]\.komreg\.net: connector-qa-sto1-1.komreg.net: autoupdate: sunet::dockerhost2: + eid::connector: + environment: qa + session_backend: memory + version: 2.0.2_hsm2_ubuntu ### TEST environment #### connector-test-sto3-1.komreg.net: diff --git a/global/overlay/etc/puppet/modules/eid/templates/connector/application-qa.yml.erb b/global/overlay/etc/puppet/modules/eid/templates/connector/application-qa.yml.erb new file mode 100644 index 00000000..fb1fac48 --- /dev/null +++ b/global/overlay/etc/puppet/modules/eid/templates/connector/application-qa.yml.erb 
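Review bot: `session_backend: memory` is a free-text value here, but the template added in the second file branches only on the exact literals `'redis'` and `'memory'` (the `management.health.redis` block emits neither `enabled:` line for any other value, leaving a bare `redis:` key that parses as null). A short comment next to the key would make that contract visible to whoever next edits this host entry, e.g. `# session_backend: redis | memory (matched literally in templates/connector/application-qa.yml.erb)`. The hiera data around this hunk continues outside the visible lines, so I cannot tell whether the Puppet class validates the value itself.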
@@ -0,0 +1,178 @@ +# +# Connector overrides for the Sweden Connect QA deployment +# +--- +spring: + ssl: + bundle: + pem: + connector-web-server: + keystore: + certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt + private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key + sunet-tls-trust: + truststore: + certificate: file:/etc/ssl/certs/infra.crt +<% if @session_backend == 'redis' -%> + keystore: + certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt + private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key + session: + timeout: 15m + redis: + namespace: spring:session:connector + data: + redis: + cluster: + nodes: + - 89.45.236.201:6379 + - 89.45.237.40:6379 + - 89.45.237.212:6379 + password: <%= scope.call_function('safe_hiera', ['redict_password']) %> + ssl: + enabled: true + bundle: sunet-tls-trust + ssl-ext: + enable-hostname-verification: false +<% end -%> + +server: + port: 8443 + servlet: + context-path: /idp + ssl: + enabled: true + bundle: connector-web-server + error: + include-stacktrace: never + +management: + server: + port: 8444 + health: + redis: +<% if @session_backend == 'redis' -%> + enabled: true +<% end -%> +<% if @session_backend == 'memory' -%> + enabled: false +<% end -%> + +credential: + bundles: + keystore: + pkcs11-store: + type: PKCS11 + provider: SunPKCS11 + password: ${PKCS11_PIN} + pkcs11: + configuration-file: ${CONNECTOR_DIRECTORY}/credentials/pkcs11.cfg + jks: + connector-sign: + name: "Connector Signing Credential" + store-reference: pkcs11-store + key: + certificates: file:${CONNECTOR_DIRECTORY}/credentials/sign.crt + # The alias should be the name of the CKA_LABEL attribute + alias: sc_eidas_sign + key-password: ${PKCS11_PIN} + monitor: true + connector-encrypt: + name: "Connector Encryption Credential" + store-reference: pkcs11-store + key: + # certificates: file:${CONNECTOR_DIRECTORY}/credentials/enc.crt + # The alias should be the name of the CKA_LABEL attribute + alias: sc_eidas_encrypt 
+ key-password: ${PKCS11_PIN} + monitor: true + connector-hsm-md-sign: + name: "Connector HSM Metadata Signing Credential" + store-reference: pkcs11-store + key: + certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt + alias: sctest2 + key-password: ${PKCS11_PIN} + monitor: true + #pem: + #oauth2: + # TODO: Fix certs + #name: "Connector OAuth2 Credential" + #certificates: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.crt + # private-key: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.key + monitoring: + enabled: true + test-interval: 10m + health-endpoint-enabled: true + +connector: + domain: test.connector.eidas.swedenconnect.se + base-url: https://${connector.domain}${server.servlet.context-path} + backup-directory: ${CONNECTOR_DIRECTORY}/backup + eu-metadata: + location: https://test.md.eidas.swedenconnect.se/role/idp.xml + validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt + eidas: + credentials: + # Use same as for IdP except for the metadata signing credential + metadata-sign: + pem: + name: "Credential Metadata Signing" + certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt + private-key: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.key + prid: + policy-resource: file:${CONNECTOR_DIRECTORY}/prid/policy.properties + idp: + ping-whitelist: + - https://test.test.swedenconnect.se/sp + # idm: + # TODO: Change to true when IdM integration should be turned on + # active: false + # api-base-url: https://test.idm.eidas.swedenconnect.se/idm + #service-url: https://test.idm.eidas.swedenconnect.se/idm + #oauth2: + # resource-id: https://test.idm.eidas.swedenconnect.se/idm + # client-id: ${saml.idp.entity-id} + # check-scopes: + # - ${connector.idm.oauth2.resource-id}/idrecord_check + # get-scopes: + # - ${connector.idm.oauth2.resource-id}/idrecord_get + # server: + # issuer: ${saml.idp.entity-id}/as + # credential: + # bundle: oauth2 + +saml: + idp: + entity-id: https://test.connector.eidas.swedenconnect.se/eidas + 
base-url: ${connector.base-url} + session: + module: <%= @session_backend %> + replay: + type: <%= @session_backend %> + context: "connector-replay-cache" + metadata-providers: + - location: https://test.md.swedenconnect.se/role/sp.xml + backup-location: ${connector.backup-directory}/metadata/sc-cache.xml + validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt + credentials: + # Use same as for IdP except for the metadata signing credential + sign: + bundle: connector-sign + encrypt: + bundle: connector-encrypt + metadata-sign: + bundle: connector-hsm-md-sign + #future-sign: file:${CONNECTOR_DIRECTORY}/credentials/idp-signing.crt + audit: + in-memory: + capacity: 1000 + file: + log-file: ${CONNECTOR_DIRECTORY}/logs/audit.log + +logging: + level: + se: + swedenconnect: + opensaml: DEBUG + eidas: INFO
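Review bot: `password: <%= scope.call_function('safe_hiera', ['redict_password']) %>` in the `spring.data.redis.cluster` block is an unquoted ERB expansion, so a secret that starts with a YAML indicator or contains `: ` or ` #` renders as broken or silently truncated YAML, and an empty lookup renders as null; quote it, `password: "<%= scope.call_function('safe_hiera', ['redict_password']) %>"` (this assumes the secret contains no `"` or `\`, which is worth stating in a comment). `spring.session.timeout: 15m` sits inside the `@session_backend == 'redis'` conditional, so the memory backend that the cosmos-rules hunk selects for this host gets whatever the framework default is instead of 15m; moving `session.timeout` above the `<% if %>` keeps the two backends consistent. `ssl-ext.enable-hostname-verification: false` deserves a why-comment, e.g. `# cluster nodes are addressed by IP, so hostname verification cannot match; trust is pinned to the sunet-tls-trust bundle (infra.crt) instead`, so the weakening is not mistaken for an oversight later. The `# Connector overrides for the Sweden Connect QA deployment` header does not match the `test.*` domains and entity-id used throughout; if QA intentionally federates with the test environment, a one-line comment saying so would save the next reader the same question. Finally, `opensaml: DEBUG` under `logging.level` presumably emits full SAML message content; if that includes user attributes on this host, a comment noting the retention expectation for those logs would help.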