Connector config for connector-qa, SC-2670

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -1293,6 +1293,10 @@ idm-sto[13]-qa-redis-[123]\.komreg\.net:
 connector-qa-sto1-1.komreg.net:
    autoupdate:
    sunet::dockerhost2:
+   eid::connector:
+     environment: qa
+     session_backend: memory
+     version: 2.0.2_hsm2_ubuntu
 
 ### TEST environment ####
 connector-test-sto3-1.komreg.net:

global/overlay/etc/puppet/modules/eid/templates/connector/application-qa.yml.erb

@@ -0,0 +1,178 @@
+#
+# Connector overrides for the Sweden Connect QA deployment
+#
+---
+spring:
+  ssl:
+    bundle:
+      pem:
+        connector-web-server:
+          keystore:
+            certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt
+            private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key
+        sunet-tls-trust:
+          truststore:
+            certificate: file:/etc/ssl/certs/infra.crt
+<% if @session_backend == 'redis' -%>
+          keystore:
+            certificate: file:/etc/ssl/certs/<%= @server_fqdn %>_infra.crt
+            private-key: file:/etc/ssl/private/<%= @server_fqdn %>_infra.key
+  session:
+    timeout: 15m
+    redis:
+      namespace: spring:session:connector
+  data:
+    redis:
+      cluster:
+        nodes:
+          - 89.45.236.201:6379
+          - 89.45.237.40:6379
+          - 89.45.237.212:6379
+      password: <%= scope.call_function('safe_hiera', ['redict_password']) %>
+      ssl:
+        enabled: true
+        bundle: sunet-tls-trust
+      ssl-ext:
+        enable-hostname-verification: false
+<% end -%>
+
+server:
+  port: 8443
+  servlet:
+    context-path: /idp
+  ssl:
+    enabled: true
+    bundle: connector-web-server
+  error:
+    include-stacktrace: never
+
+management:
+  server:
+    port: 8444
+  health:
+    redis:
+<% if @session_backend == 'redis' -%>
+      enabled: true
+<% end -%>
+<% if @session_backend == 'memory' -%>
+      enabled: false
+<% end -%>
+
+credential:
+  bundles:
+    keystore:
+      pkcs11-store:
+        type: PKCS11
+        provider: SunPKCS11
+        password: ${PKCS11_PIN}
+        pkcs11:
+          configuration-file: ${CONNECTOR_DIRECTORY}/credentials/pkcs11.cfg
+    jks:
+      connector-sign:
+        name: "Connector Signing Credential"
+        store-reference: pkcs11-store
+        key:
+          certificates: file:${CONNECTOR_DIRECTORY}/credentials/sign.crt
+          # The alias should be the name of the CKA_LABEL attribute
+          alias: sc_eidas_sign
+          key-password: ${PKCS11_PIN}
+        monitor: true
+      connector-encrypt:
+        name: "Connector Encryption Credential"
+        store-reference: pkcs11-store
+        key:
+          # certificates: file:${CONNECTOR_DIRECTORY}/credentials/enc.crt
+          # The alias should be the name of the CKA_LABEL attribute
+          alias: sc_eidas_encrypt
+          key-password: ${PKCS11_PIN}
+        monitor: true
+      connector-hsm-md-sign:
+        name: "Connector HSM Metadata Signing Credential"
+        store-reference: pkcs11-store
+        key:
+          certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
+          alias: sctest2
+          key-password: ${PKCS11_PIN}
+        monitor: true
+          #pem:
+          #oauth2:
+        # TODO: Fix certs
+        #name: "Connector OAuth2 Credential"
+        #certificates: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.crt
+        # private-key: file:${CONNECTOR_DIRECTORY}/credentials/oauth2.key
+    monitoring:
+      enabled: true
+      test-interval: 10m
+      health-endpoint-enabled: true
+
+connector:
+  domain: test.connector.eidas.swedenconnect.se
+  base-url: https://${connector.domain}${server.servlet.context-path}
+  backup-directory: ${CONNECTOR_DIRECTORY}/backup
+  eu-metadata:
+    location: https://test.md.eidas.swedenconnect.se/role/idp.xml
+    validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
+  eidas:
+    credentials:
+      # Use same as for IdP except for the metadata signing credential
+      metadata-sign:
+        pem:
+          name: "Credential Metadata Signing"
+          certificates: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
+          private-key: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.key
+  prid:
+    policy-resource: file:${CONNECTOR_DIRECTORY}/prid/policy.properties
+  idp:
+    ping-whitelist:
+      - https://test.test.swedenconnect.se/sp
+        #  idm:
+    # TODO: Change to true when IdM integration should be turned on
+    # active: false
+    # api-base-url: https://test.idm.eidas.swedenconnect.se/idm
+    #service-url: https://test.idm.eidas.swedenconnect.se/idm
+    #oauth2:
+    #  resource-id: https://test.idm.eidas.swedenconnect.se/idm
+    #  client-id: ${saml.idp.entity-id}
+    #  check-scopes:
+    #    - ${connector.idm.oauth2.resource-id}/idrecord_check
+    #  get-scopes:
+    #    - ${connector.idm.oauth2.resource-id}/idrecord_get
+    #  server:
+    #    issuer: ${saml.idp.entity-id}/as
+    #  credential:
+    #    bundle: oauth2
+
+saml:
+  idp:
+    entity-id: https://test.connector.eidas.swedenconnect.se/eidas
+    base-url: ${connector.base-url}
+    session:
+      module: <%= @session_backend %>
+    replay:
+      type: <%= @session_backend %>
+      context: "connector-replay-cache"
+    metadata-providers:
+      - location: https://test.md.swedenconnect.se/role/sp.xml
+        backup-location: ${connector.backup-directory}/metadata/sc-cache.xml
+        validation-certificate: file:${CONNECTOR_DIRECTORY}/credentials/sctest2.crt
+    credentials:
+      # Use same as for IdP except for the metadata signing credential
+      sign:
+        bundle: connector-sign
+      encrypt:
+        bundle: connector-encrypt
+      metadata-sign:
+        bundle: connector-hsm-md-sign
+      #future-sign: file:${CONNECTOR_DIRECTORY}/credentials/idp-signing.crt
+    audit:
+      in-memory:
+        capacity: 1000
+      file:
+        log-file: ${CONNECTOR_DIRECTORY}/logs/audit.log
+
+logging:
+  level:
+    se:
+      swedenconnect:
+        opensaml: DEBUG
+        eidas: INFO