upgrade demw application to 3.2.0 in prod

ref: SC-2047
2024-07-08 11:06:39 +02:00 · 2024-07-08 11:06:39 +02:00 · 8817d753a3
commit 8817d753a3
parent f05da52d8a
4 changed files with 34 additions and 40 deletions
--- a/demw-common/overlay/etc/logrotate.d/eidas-middleware
+++ b/demw-common/overlay/etc/logrotate.d/eidas-middleware
@ -0,0 +1,7 @@
 /var/log/eidas-middleware/eidas-middleware.log {
  rotate 13
  daily
  compress
  missingok
  notifempty
 }
--- a/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh
@ -1,27 +1,27 @@
 cat<<EOF
-#Logging
+#server settings
 logging.file=/var/log/eidas-middleware/demw.log
 #logging.level.com.zaxxer.hikari=DEBUG
 #Credentials
 poseidas.admin.hashed.password=${POSEIDAS_ADMIN_HASHED_PASSWORD}
 poseidas.admin.username=${POSEIDAS_ADMIN_USERNAME:-demw}
 #Server Settings
 server.port=${SERVER_PORT:-8443}
 server.adminInterfacePort=${ADMIN_PORT:-10000}
 server.ssl.key-password=dummy
 server.ssl.key-store=file\:///tmp/${CERTNAME}.p12
 server.ssl.key-store-password=dummy
 server.ssl.keyAlias=tls
 server.ssl.keyStoreType=PKCS12
-#Data source
+#TLS settings
-spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+server.ssl.key-store:file\:///tmp/${CERTNAME}.p12
-spring.datasource.url=jdbc\:h2\:file\:/opt/eidas-middleware/database/eidasmw;DB_CLOSE_DELAY\=-1;DB_CLOSE_ON_EXIT\=FALSE
+server.ssl.key-store-password:dummy
 server.ssl.key-password=dummy
 server.ssl.keyStoreType:PKCS12
 server.ssl.keyAlias:tls
 #database connection
 spring.datasource.url=jdbc:h2:/opt/eidas-middleware/database/eidasmw;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
 spring.datasource.username=${SPRING_DATASOURCE_USERNAME:-demw}
-spring.datasource.hikari.maximumPoolSize=20
+spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
 #logging
 logging.file.name=/var/log/eidas-middleware/eidas-middleware.log
 #HSM
 hsm.type=NO_HSM
 #hsm.keys.delete=30
 #hsm.keys.archive=false
 #pkcs11.config=
 #pkcs11.passwd=123456
 EOF
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -889,11 +889,8 @@ demw-1.sveidas.se:
   konsulter:
   autoupdate:
   eidas_de_middleware_hsm:
-      version: 228-sc-p11_hsm2
+      version: 320-sc_hsm2
      hostname: demw.eidas.swedenconnect.se
   saml_metadata:
      filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml
      url: https://connector.eidas.swedenconnect.se/idp/metadata/sp
   webserver:
      enabled: true
   sunet::frontend::register_sites:
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -351,6 +351,8 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
   $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
   $spring_datasource_password = safe_hiera('spring_datasource_password')
   $pkcs11_pin = safe_hiera('pkcs11_pin')
   #saved directly in admin inteface from version 3.0.0 onwards
   $demw_tls_client_key = safe_hiera('demw_tls_client_key')
   $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
   $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
@ -361,7 +363,7 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
      image    => 'docker.sunet.se/eidas-demw',
      imagetag => $_version,
      hostname => "${::fqdn}",
-      ports    => ['443:8443','127.0.0.1:10000:10000'],
+      ports    => ['443:8443','10000:10000'],
      volumes  => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
                   '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
                   '/opt/eidas-middleware/database:/opt/eidas-middleware/database',
@ -370,25 +372,13 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
                   '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                   '/etc/ssl:/etc/ssl'],
      env      => ["CERTNAME=${::fqdn}_infra",
-                   "EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256",
+                   "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG",
-                   "PUBLIC_HOSTNAME=$_hostname",
+                   "SC_HSM.P11_PIN=$pkcs11_pin",
-                   "PKCS11_PIN=$pkcs11_pin",
+                   "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config",
-                   "PKCS11_CONFIG_LOCATION=/opt/eidas-middleware/configuration/hsm/pkcs11.properties",
+                   "SC_HSM.P11_ALIAS=sc_eidas_sign",
                   "POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
                   "DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
                   "DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
                   "DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
                   'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
                   "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
-      extra_parameters => ["--log-driver=syslog --cpuset-cpus=0-3"]
+      extra_parameters => ["--log-driver=syslog"]
   }
   #temp solution
   sunet::scriptherder::cronjob { 'reboot_demw_application':
        cmd           => '/usr/sbin/service docker-eidas-demw restart',
        minute        => '0',
        hour          => '5',
        ok_criteria   => ['exit_status=0', 'max_age=25h'],
        warn_criteria => ['exit_status=0', 'max_age=49h'],
   }
 }