From cd950289f670df9834e14223da86b71a9c54577b Mon Sep 17 00:00:00 2001 From: "Christian R. Garcia" Date: Fri, 1 Dec 2023 10:49:06 -0800 Subject: [PATCH 1/9] Pods changes for new nfs setup + multiple health containers + changelog --- CHANGELOG.md | 6 ++ playbooks/roles/pods/templates/kube/api.yml | 6 ++ playbooks/roles/pods/templates/kube/burndown | 6 +- playbooks/roles/pods/templates/kube/burnup | 15 ++++- .../roles/pods/templates/kube/config.json | 2 +- .../pods/templates/kube/health-central.yml | 63 +++++++++++++++++++ .../roles/pods/templates/kube/nfs-pvc.yml | 2 +- playbooks/roles/pods/templates/kube/nfs.yml | 63 ++++++++----------- .../roles/pods/templates/kube/services.yml | 14 +---- 9 files changed, 121 insertions(+), 56 deletions(-) create mode 100644 playbooks/roles/pods/templates/kube/health-central.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index d66af0d9..d482ef4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ Notable changes between versions. +## 1.5.3 + +### Services Updates + +- [Pods: 1.5.0 to 1.5.3 (tapis/pods-api)](https://github.com/tapis-project/pods_service/blob/prod/CHANGELOG.md) + ## 1.5.2 ### Services Updates diff --git a/playbooks/roles/pods/templates/kube/api.yml b/playbooks/roles/pods/templates/kube/api.yml index efee8252..c5f1f72b 100644 --- a/playbooks/roles/pods/templates/kube/api.yml +++ b/playbooks/roles/pods/templates/kube/api.yml @@ -54,7 +54,13 @@ spec: - name: pods-config mountPath: /home/tapis/config.json subPath: config.json + - name: pods-nfs-vol + mountPath: "/podsnfs" volumes: - name: pods-config configMap: name: pods-config + - name: pods-nfs-vol + nfs: + server: BURNUP_STATIC_NFS_IP + path: / \ No newline at end of file diff --git a/playbooks/roles/pods/templates/kube/burndown b/playbooks/roles/pods/templates/kube/burndown index 205396f5..caa943fb 100755 --- a/playbooks/roles/pods/templates/kube/burndown +++ b/playbooks/roles/pods/templates/kube/burndown 
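Review bot: The added NFS volume's `server: BURNUP_STATIC_NFS_IP` is not a resolvable address, so this manifest only works after the burnup script's sed has rewritten the `server:` line; applying api.yml by hand, or re-rendering the template after burnup has run, yields a pod whose NFS mount fails with a DNS/connect error rather than anything pointing at the placeholder. A comment above the line would make the dependency explicit: `# placeholder: burnup rewrites this with the pods-nfs Service clusterIP at deploy time`. The same placeholder is introduced in the new health-central.yml. Note also that the mount is the export root (`path: /`) read-write, so whatever squash/host settings the export carries apply to the API container in full.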
@@ -8,11 +8,15 @@ kubectl delete configmap pods-config kubectl delete configmap pods-traefik-conf + # App kubectl delete -f api.yml +kubectl delete -f health-central.yml +kubectl delete -f traefik-proxy.yml + +# App - when deployed in single namespace kubectl delete -f spawner.yml kubectl delete -f health.yml -kubectl delete -f traefik-proxy.yml # Storage kubectl delete -f postgres.yml diff --git a/playbooks/roles/pods/templates/kube/burnup b/playbooks/roles/pods/templates/kube/burnup index 60be47a7..0dac45ed 100755 --- a/playbooks/roles/pods/templates/kube/burnup +++ b/playbooks/roles/pods/templates/kube/burnup @@ -19,7 +19,6 @@ kubectl apply -f traefik-pvc.yml # Wait for PVC jobs to complete kubectl wait --for=condition=complete job/chown-pods-postgres-pvc -kubectl wait --for=condition=complete job/pods-nfs-mkdirs kubectl wait --for=condition=complete job/chown-pods-traefik-pvc # Storage @@ -27,8 +26,18 @@ kubectl apply -f postgres.yml kubectl apply -f rabbitmq.yml kubectl apply -f nfs.yml + +### Replace nfs server IP at runtime to correct ip. Works during each burnup +## This sed is from Nathan Freeman's Workflows. +here=`pwd` +NFS_SERVICE_IP=$(kubectl get service pods-nfs -o jsonpath='{.spec.clusterIP}') +sed -i "s/server:.*/server: $NFS_SERVICE_IP/g" "$here/api.yml" "$here/health-central.yml" + # App kubectl apply -f api.yml +kubectl apply -f health-central.yml +kubectl apply -f traefik-proxy.yml + +# App - when deployed in single namespace kubectl apply -f spawner.yml -kubectl apply -f health.yml -kubectl apply -f traefik-proxy.yml \ No newline at end of file +kubectl apply -f health.yml \ No newline at end of file diff --git a/playbooks/roles/pods/templates/kube/config.json b/playbooks/roles/pods/templates/kube/config.json index 925cfbff..21a3120f 100644 --- a/playbooks/roles/pods/templates/kube/config.json +++ b/playbooks/roles/pods/templates/kube/config.json 
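Review bot: `NFS_SERVICE_IP=$(kubectl get service pods-nfs -o jsonpath='{.spec.clusterIP}')` is used unchecked, so if the lookup fails (Service not created yet, RBAC or kubeconfig problem) the variable is empty and the next `sed` writes `server: ` into api.yml and health-central.yml, which are then applied with an unmountable volume. Guard it before the sed: `[ -n "$NFS_SERVICE_IP" ] || { echo "pods-nfs clusterIP not found" >&2; exit 1; }`. The pattern `s/server:.*/.../g` also rewrites every line containing `server:` in those two files, not only the NFS one; presumably there is just one today, but a marker comment on the target line or a more specific pattern would make that assumption explicit. The earlier hunk in this file drops the wait on `job/pods-nfs-mkdirs` while nothing in this patch removes the job itself, which is fine if it no longer exists but worth confirming.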
@@ -18,7 +18,7 @@ "rabbitmq_pass": "$env{RABBITMQ_PASSWORD}", "nfs_tapis_system_id": "pods-nfs-server", "nfs_pvc_name": "pods-nfs-vol", - "nfs_base_path": "/podsnfs/", + "nfs_base_path": "/podsnfs", "nfs_pods_user_password": "defaultpass", "nfs_develop_mode": false, "image_allow_list": {{ pods_image_allow_list | to_json }}, diff --git a/playbooks/roles/pods/templates/kube/health-central.yml b/playbooks/roles/pods/templates/kube/health-central.yml new file mode 100644 index 00000000..f0630691 --- /dev/null +++ b/playbooks/roles/pods/templates/kube/health-central.yml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pods-health-central +spec: + selector: + matchLabels: + app: pods-health-central + template: + metadata: + labels: + app: pods-health-central + spec: + serviceAccountName: pods-serviceaccount + containers: + - name: pods-health-central + image: {{ pods_api_image }} + imagePullPolicy: {{pods_image_pull_policy}} + resources: + requests: + cpu: "500m" + memory: "5M" + limits: + cpu: "2" + memory: "2G" + env: + - name: PODS_COMPONENT + value: health-central + - name: DEBUG_SLEEP_LOOP + value: 'false' + - name: SERVICE_PASSWORD + valueFrom: + secretKeyRef: + name: tapis-pods-secrets + key: service-password + - name: POSTGRES_USERNAME + value: pods-admin + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: tapis-pods-secrets + key: postgres-password + - name: RABBITMQ_USERNAME + value: pods-admin + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: tapis-pods-secrets + key: rabbitmq-password + volumeMounts: + - name: pods-config + mountPath: /home/tapis/config.json + subPath: config.json + - name: pods-nfs-vol + mountPath: "/podsnfs" + volumes: + - name: pods-config + configMap: + name: pods-config + - name: pods-nfs-vol + nfs: + server: BURNUP_STATIC_NFS_IP + path: / \ No newline at end of file 
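Review bot: `memory: "5M"` as a request against a `2G` limit in health-central.yml looks like a typo (5 megabytes is far below what an API-image container needs to start), and such a small request lets the scheduler place the pod on a node that cannot actually back it, making it a first candidate for eviction under memory pressure; if it is intentional, a comment should say so, otherwise something in the order of the observed working set (for example `memory: "500M"`, a constructed value to be checked against real usage) is the usual shape. The pod also declares no `securityContext` and mounts the NFS export root read-write via `server: BURNUP_STATIC_NFS_IP`, a placeholder that is only valid after burnup's sed rewrite — a comment above that line (`# rewritten by burnup with the pods-nfs Service clusterIP`) would make the dependency visible. The Jinja expressions `{{ pods_api_image }}` and `{{pods_image_pull_policy}}` are spaced inconsistently; pick one form.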
diff --git a/playbooks/roles/pods/templates/kube/nfs-pvc.yml b/playbooks/roles/pods/templates/kube/nfs-pvc.yml index e37a94f1..3ed239d5 100644 --- a/playbooks/roles/pods/templates/kube/nfs-pvc.yml +++ b/playbooks/roles/pods/templates/kube/nfs-pvc.yml @@ -8,4 +8,4 @@ spec: storageClassName: rbd-new resources: requests: - storage: 5Gi + storage: 10Gi diff --git a/playbooks/roles/pods/templates/kube/nfs.yml b/playbooks/roles/pods/templates/kube/nfs.yml index 2fb5af16..b3cfebb5 100644 --- a/playbooks/roles/pods/templates/kube/nfs.yml +++ b/playbooks/roles/pods/templates/kube/nfs.yml 
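Review bot: Raising `storage: 5Gi` to `10Gi` is only honored on an already-bound PVC if the `rbd-new` StorageClass has `allowVolumeExpansion: true`; otherwise the `kubectl apply -f nfs-pvc.yml` in burnup is rejected for that object and the rest of the burnup proceeds on the old 5Gi volume, with the error easy to miss in the output. Either confirm the class allows expansion or record the caveat next to the value, e.g. `# size change needs allowVolumeExpansion on rbd-new, or PVC recreation`.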
@@ -14,54 +14,43 @@ spec: containers: - name: pods-nfs image: itsthenetwork/nfs-server-alpine:12 - # This is an NFS image which we deploy SSH in along with a lot of permissioning/keys - # We create a pods user using adduser - # We then "unlock" the user in Alpine by removing the ! in /etc/shadow for the user. User's are locked by default. - # You cannot ssh via pubkey to a locked user in Alpine. I could not way to do this during the adduser step. - # We install openssh/openrc/acl for ssh, service management, and permissioning later - # We enable the sshd service - # We touch /run/openrc/softlevel so that openrc will run on a host it wasn't started up on - # we create some prerequisite folders - # Create our neccessary keys for the pods user, and the public to authorized_keys for ssh access - # ssh-keyget -A creates host keys that sshd requires - # chown the pods user's ssh folder - # Turn on PubKeyAuthentication in the ssd_config - # Restart sshd - # Run the nfsd.sh script which is the entrypoint for the nfs-server-alpine image, it starts the NFS process. - command: - - /bin/sh - - -c - - | - adduser -D -g "Pods service user used by Files API to manage NFS folder." 
pods &&\ - sed -i 's/pods:!:/pods::/g' /etc/shadow &&\ - apk add --no-cache openssh openrc acl &&\ - rc-status &&\ - rc-update add sshd &&\ - touch /run/openrc/softlevel &&\ - setfacl -R -m u:pods:rwx /podsnfs &&\ - mkdir /home/pods/.ssh &&\ - ssh-keygen -f /home/pods/.ssh/podskey -m PEM -q -N '' &&\ - cp /home/pods/.ssh/podskey.pub /home/pods/.ssh/authorized_keys &&\ - ssh-keygen -A &&\ - chown pods:pods /home/pods/.ssh/* &&\ - sed -i 's/#PubkeyAuthentication/PubkeyAuthentication/g' /etc/ssh/sshd_config &&\ - rc-service sshd restart &&\ - /usr/bin/nfsd.sh securityContext: - privileged: true + privileged: true # required by image env: - name: SHARED_DIRECTORY value: "/podsnfs" ports: - name: pods-nfs containerPort: 2049 - - name: pods-nfs-ssh - containerPort: 22 volumeMounts: - name: pods-nfs-vol mountPath: "/podsnfs" - + - name: pods-nfs-config + mountPath: "/etc/exports" + subPath: "exports" volumes: - name: pods-nfs-vol persistentVolumeClaim: claimName: pods-nfs-vol + - name: pods-nfs-config + configMap: + name: pods-nfs-config + items: + - key: exports + path: exports + +# Config overwrites /etc/exports which is was nfsd is looking for. +# all_squash makes it so all clients are squashed to the same user, in this case 4872:4872. +# Meaning all clients, no matter uid, write as 4872(tapis uid) regardless of their container id. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: pods-nfs-config +data: + exports: | + /podsnfs *(rw,fsid=0,async,no_subtree_check,anonuid=0,anongid=0,all_squash,insecure) +# This only works if user is root on health-central and api otherwise it can't edit anything. +#/podsnfs *(rw,fsid=0,async,no_subtree_check,insecure,no_root_squash) +# This works when user is `tapis` on health-central and api. +#/podsnfs *(rw,fsid=0,async,no_subtree_check,anonuid=0,anongid=0,all_squash,insecure) \ No newline at end of file 
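Review bot: The new exports line squashes every client to `anonuid=0,anongid=0`, i.e. root, while the comment above the ConfigMap says clients are squashed to `4872:4872` (the tapis uid); one of the two is wrong, and as written every pod that can reach the pods-nfs Service on 2049 writes the whole share as root. The export is also granted to `*` with `insecure` (mounts from unprivileged source ports are accepted), so network reachability inside the cluster is the only thing limiting who can use it. If squashing to root is really what the consumers need (the retained comment suggests api/health-central could not edit files otherwise), correct the comment to say `anonuid=0,anongid=0 (root)`; better, use `anonuid=4872,anongid=4872` if the consumer containers can run as that uid, narrow the host list to the cluster's pod range (`<POD_CIDR>` placeholder) and pair the Service with a NetworkPolicy admitting only the pods-api and pods-health-central pods. `async` trades durability on a server crash for throughput, which deserves a line in the comment if that is accepted. The comment text `which is was nfsd is looking for` presumably should read `which is what nfsd is looking for`.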
diff --git a/playbooks/roles/pods/templates/kube/services.yml b/playbooks/roles/pods/templates/kube/services.yml index 8f35de72..e959d22e 100644 --- a/playbooks/roles/pods/templates/kube/services.yml +++ b/playbooks/roles/pods/templates/kube/services.yml @@ -4,6 +4,7 @@ kind: Service metadata: name: pods-rabbitmq spec: + type: NodePort selector: app: pods-rabbitmq ports: @@ -91,16 +92,3 @@ spec: - name: pods-nfs port: 2049 targetPort: 2049 - ---- -apiVersion: v1 -kind: Service -metadata: - name: pods-nfs-ssh -spec: - selector: - app: pods-nfs - ports: - - name: pods-nfs-ssh - port: 22 - targetPort: 22 From 963687a693b7f7a1aa957d781cac1da718e8d5a1 Mon Sep 17 00:00:00 2001 From: "Christian R. Garcia" Date: Wed, 3 Jan 2024 10:14:52 -0800 Subject: [PATCH 2/9] Deployer 1.5.4: Updating abaco so mongo doesn't break during restarts. Updated gunicorn settings. Bump tag. --- CHANGELOG.md | 8 ++++++++ playbooks/roles/actors/defaults/main/vars.yml | 4 +++- playbooks/roles/actors/templates/kube/api/configmap.yml | 3 ++- playbooks/roles/actors/templates/kube/api/mongo.yml | 1 + 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fa5b7f6..c0f35ddc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,14 @@ Notable changes between versions. +## 1.5.4 + +### Services Updates + +- [Abaco: 1.5.0 to 1.5.1 (abaco/core-v3)](https://github.com/TACC/abaco/blob/prod-v3/CHANGELOG.md) + + + ## 1.5.3 ### Services Updates diff --git a/playbooks/roles/actors/defaults/main/vars.yml b/playbooks/roles/actors/defaults/main/vars.yml index ad1250b1..a6d66fd1 100644 --- a/playbooks/roles/actors/defaults/main/vars.yml +++ b/playbooks/roles/actors/defaults/main/vars.yml 
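Review bot: Adding `type: NodePort` to the pods-rabbitmq Service publishes whatever ports the Service lists (the hunk shows only the `ports:` key) on a high port of every node's address, reachable from wherever the nodes are reachable, and the commit message does not mention this exposure. If it was added for debugging it should be reverted before prod; if the broker genuinely must be reachable off-cluster, pin `nodePort`, restrict access with a NetworkPolicy or node firewall, and state the reason inline, e.g. `type: NodePort  # exposed on nodes: <reason>`.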
@@ -6,7 +6,7 @@ actors_service_url: '{{ global_service_url }}' actors_service_tenant_id: admin actors_service_site_id: '{{ global_site_id }}' actors_service_name: actors -actors_service_version: 1.5.0 +actors_service_version: 1.5.1 actors_storage_class: '{{ global_storage_class }}' actors_rabbit_pvc: actors-rabbitmq-vol01 actors_mongo_pvc: actors-mongo-vol01 @@ -15,6 +15,8 @@ actors_mongo_tls: false actors_image_pull_policy: Always actors_host_path: develop actors_timeout: 60 +actors_threads: 6 +actors_processes: 8 actors_tas_role_acct: "" actors_tas_role_pass: "" actors_mongo_init_database: null diff --git a/playbooks/roles/actors/templates/kube/api/configmap.yml b/playbooks/roles/actors/templates/kube/api/configmap.yml index 43d7703f..f313840c 100644 --- a/playbooks/roles/actors/templates/kube/api/configmap.yml +++ b/playbooks/roles/actors/templates/kube/api/configmap.yml @@ -8,4 +8,5 @@ data: TAS_ROLE_ACCT: "{{ actors_tas_role_acct }}" TAS_ROLE_PASS: "{{ actors_tas_role_pass }}" timeout: "{{ actors_timeout }}" - + threads: "{{ actors_threads }}" + processes: "{{ actors_processes }}" \ No newline at end of file diff --git a/playbooks/roles/actors/templates/kube/api/mongo.yml b/playbooks/roles/actors/templates/kube/api/mongo.yml index 9351896f..9756ac03 100644 --- a/playbooks/roles/actors/templates/kube/api/mongo.yml +++ b/playbooks/roles/actors/templates/kube/api/mongo.yml @@ -11,6 +11,7 @@ spec: labels: app: actors-mongo spec: + hostname: actors-mongo # sets static hostname rather than random k8 generated. Without mongo gets replica-set confused. containers: - name: actors-mongo image: {{ actors_mongo_image }} From c587275ac25fe1fbbb241ddba72393ec9ab4f41d Mon Sep 17 00:00:00 2001 From: mpackard Date: Wed, 24 Jan 2024 09:44:07 -0600 Subject: [PATCH 3/9] 1.6.0 changelog --- CHANGELOG.md | 6 ++++++ playbooks/roles/baseburnup/defaults/main/vars.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) 
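Review bot: `hostname: actors-mongo` pins the same hostname on every pod of this Deployment, so it only behaves as intended while the replica count is 1 (the hunk does not show `replicas`). If the replica set needs a stable network identity, a StatefulSet provides one per pod without hard-coding; if single-replica is a fixed assumption, a short comment saying so next to the field would stop a future scale-up from recreating the confusion this line works around. The inline comment is also long enough that it would read better on its own line above the field.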
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fa5b7f6..c161aacf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ Notable changes between versions. +## 1.6.0 + +### Service Updates + +- [ Authenticator: 1.5.1 -> 1.6.0 (tapis/authenticator, tapis/authenticator-migrations)](https://github.com/tapis-project/authenticator/blob/dev/CHANGELOG.md) + ## 1.5.3 ### Services Updates diff --git a/playbooks/roles/baseburnup/defaults/main/vars.yml b/playbooks/roles/baseburnup/defaults/main/vars.yml index a58fa68c..b4a34009 100644 --- a/playbooks/roles/baseburnup/defaults/main/vars.yml +++ b/playbooks/roles/baseburnup/defaults/main/vars.yml @@ -1,4 +1,4 @@ -baseburnup_tapis_deployer_version: 1.5.2 +baseburnup_tapis_deployer_version: 1.6.0 baseburnup_service_url: "{{ global_service_url }}" baseburnup_vault_url: "{{ global_vault_url }}" From a156ae45bf9db2e1c2524b3a78be55c059c62bcf Mon Sep 17 00:00:00 2001 From: mpackard Date: Wed, 24 Jan 2024 13:22:28 -0600 Subject: [PATCH 4/9] 1.6.0 dev --- CHANGELOG.md | 11 +++- .../roles/monitoring/templates/kube/burnup | 3 - .../stern-fluentd/stern-fluentd-config.yml | 65 ------------------- .../kube/stern-fluentd/stern-fluentd.yml | 41 ------------ .../templates/nginx.conf | 2 +- .../roles/proxy/templates/docker/nginx.conf | 2 +- .../proxy/templates/kube/nginx/nginx.conf | 2 +- .../skadmin/templates/docker/run-sk-admin | 2 +- .../templates/kube/rerun/run-sk-admin2 | 2 +- .../roles/skadmin/templates/kube/run-sk-admin | 4 +- .../kube/updateSecrets/run-sk-update | 4 +- 11 files changed, 19 insertions(+), 119 deletions(-) delete mode 100644 playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd-config.yml delete mode 100644 playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 79c7dab4..58bc4329 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,8 +6,17 @@ Notable changes between versions. ### Service Updates -- [Authenticator: 1.5.1 -> 1.6.0 (tapis/authenticator, tapis/authenticator-migrations)](https://github.com/tapis-project/authenticator/blob/dev/CHANGELOG.md) - [Abaco: 1.5.0 to 1.6.0 (abaco/core-v3)](https://github.com/TACC/abaco/blob/prod-v3/CHANGELOG.md) +- [Apps: 1.5.10 to 1.6.0 (tapis/apps)](https://github.com/tapis-project/tapis-apps/blob/dev/CHANGELOG.md) +- [Authenticator: 1.5.1 -> 1.6.0 (tapis/authenticator, tapis/authenticator-migrations)](https://github.com/tapis-project/authenticator/blob/dev/CHANGELOG.md) +- [Files: 1.5.10 to 1.6.0 (tapis/tapis-files, tapis/tapis-files-workers)](https://github.com/tapis-project/tapis-files/blob/dev/CHANGELOG.md) +- [Jobs: 1.5.10 to 1.6.0 (tapis/jobsworker, jobsmigrate, jobsapi)](https://github.com/tapis-project/tapis-jobs/blob/dev/tapis-jobsapi/CHANGELOG.md) +- [Meta: 1.5.10 to 1.6.0 (tapis/metaapi, tapis-meta-rh-server)](https://github.com/tapis-project/tapis-meta/blob/dev/CHANGELOG.md) +- [Notifications: 1.5.12 to 1.6.0 (tapis/notifications, notifications-dispatcher)](https://github.com/tapis-project/tapis-notifications/blob/dev/CHANGELOG.md) +- [Security: 1.5.10 to 1.6.0 (tapis/securitymigrate, securityadmin, securityapi, securityexport)](https://github.com/tapis-project/tapis-security/blob/dev/tapis-securityapi/CHANGELOG.md) +- [Systems: 1.5.10 to 1.6.0 (tapis/systems)](https://github.com/tapis-project/tapis-systems/blob/dev/CHANGELOG.md) +- Removed the stern component from monitoring +- Updated all nginx configs to use TLSv1.3 ## 1.5.3 diff --git a/playbooks/roles/monitoring/templates/kube/burnup b/playbooks/roles/monitoring/templates/kube/burnup index 378d4f49..36d05f74 100755 --- a/playbooks/roles/monitoring/templates/kube/burnup +++ b/playbooks/roles/monitoring/templates/kube/burnup 
@@ -24,9 +24,6 @@ kubectl apply -f services # Apps kubectl apply -f apps -# Logging -kubectl apply -f stern-fluentd - # Initialize the DB kubectl create configmap monitor-init-user-configmap --from-file monitor-init-user-sh kubectl apply -f monitor-init-user.yml diff --git a/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd-config.yml b/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd-config.yml deleted file mode 100644 index 88abe289..00000000 --- a/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd-config.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: fl-stern-config -data: - fluent.conf: |- - - @type exec - tag tapis.nginx - command 'cd /usr/bin; /usr/bin/stern tapis-nginx-* --color never --tail 0' - - @type regexp - expression /^(?[^ ]*) (?[^ ]*) (?[^ ]*) - (?[^ ]*) \[(?[^\]]*)\] (?[^ ]*) "(?\S+) (?[^\"]*?) (?[^ ]*?)" (?[^ ]*) (?[^ ]*) "(?[^\"]*)" "(?[^\"]*)" "(?[^ ]*)"/ - time_format %d/%b/%Y:%H:%M:%S %z - - - - - @type exec - tag tapis.base - command 'cd /usr/bin; /usr/bin/stern --container .* --color never --tail 0 --exclude-pod "(tapis-nginx-*|stern-fluentd-*|monitoring-kibana-*)"' - - @type regexp - expression /^(?[^ ]*) (?[^ ]*) (?.*)$/ - - - - - @type parser - key_name path - reserve_data true - reserve_time true - - @type regexp - expression /^(:?\/+)(v3\/(?[^\/\s]*)(?:\/?)(?[^ ]*?))?$/ - - - - - - @type elasticsearch - host monitoring-elasticsearch - port 9200 - logstash_format true - suppress_type_name true - - @type file - path /fluentd/log/elastic-buffer - #flush_thread_count 8 - #flush_interval 1s - #chunk_limit_size 32M - #queue_limit_length 4 - #flush_mode interval - #retry_max_interval 30 - #retry_forever true - - - - - diff --git a/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd.yml b/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd.yml deleted file mode 100644 index 161b75a8..00000000 
--- a/playbooks/roles/monitoring/templates/kube/stern-fluentd/stern-fluentd.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: stern-fluentd - labels: - app: stern-fluentd -spec: - selector: - matchLabels: - app: stern-fluentd - template: - metadata: - labels: - app: stern-fluentd - spec: - containers: - - name: stern-fluentd - imagePullPolicy: Always - image: {{ monitoring_stern_fluentd_image }} - volumeMounts: - - name: kubeconfig - mountPath: /home/fluent/.kube/config - subPath: config - - name: fl-stern-config - mountPath: /fluentd/etc/fluent.conf - subPath: fluent.conf - volumes: - - name: kubeconfig - configMap: - name: kubeconfig - items: - - key: config - path: config - - name: fl-stern-config - configMap: - name: fl-stern-config - items: - - key: fluent.conf - path: fluent.conf - diff --git a/playbooks/roles/nginx-custom-locations/templates/nginx.conf b/playbooks/roles/nginx-custom-locations/templates/nginx.conf index 40784a4d..3eb1a370 100644 --- a/playbooks/roles/nginx-custom-locations/templates/nginx.conf +++ b/playbooks/roles/nginx-custom-locations/templates/nginx.conf @@ -115,7 +115,7 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/playbooks/roles/proxy/templates/docker/nginx.conf b/playbooks/roles/proxy/templates/docker/nginx.conf index 4198321c..dde736f3 100644 --- a/playbooks/roles/proxy/templates/docker/nginx.conf +++ b/playbooks/roles/proxy/templates/docker/nginx.conf 
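Review bot: Changing `ssl_protocols` to `TLSv1.3` alone disables TLS 1.2 for every client of this proxy, which rejects any client whose TLS stack lacks 1.3 (older Java 8 runtimes, OpenSSL before 1.1.1, some embedded HTTP libraries); the changelog says "use TLSv1.3", but removing 1.2 rather than adding 1.3 is a breaking change that should be deliberate and called out. The `ssl_ciphers` line immediately below now has no effect, since it lists TLS 1.2 suites and nginx takes TLS 1.3 suites from OpenSSL's `Ciphersuites` setting instead; either drop it or keep `ssl_protocols TLSv1.2 TLSv1.3;` so it still governs 1.2 handshakes. The same applies to the identical hunks in proxy/templates/docker/nginx.conf and proxy/templates/kube/nginx/nginx.conf.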
@@ -123,7 +123,7 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/playbooks/roles/proxy/templates/kube/nginx/nginx.conf b/playbooks/roles/proxy/templates/kube/nginx/nginx.conf index 2176dd7d..e1fd8992 100644 --- a/playbooks/roles/proxy/templates/kube/nginx/nginx.conf +++ b/playbooks/roles/proxy/templates/kube/nginx/nginx.conf @@ -119,7 +119,7 @@ http { ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/playbooks/roles/skadmin/templates/docker/run-sk-admin b/playbooks/roles/skadmin/templates/docker/run-sk-admin index e47c4227..8176a803 100755 --- a/playbooks/roles/skadmin/templates/docker/run-sk-admin +++ b/playbooks/roles/skadmin/templates/docker/run-sk-admin 
@@ -1,3 +1,3 @@ #!/bin/bash -java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{ skadmin_vault_url }} +java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{ skadmin_vault_url }} diff --git a/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 b/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 index c75b1a6c..ba3e77a9 100755 --- a/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 +++ b/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 @@ -17,7 +17,7 @@ echo $KUBE_TOKEN echo debug130 namespace echo $KUBE_NAMESPACE -java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local kubectl delete secret tapis-sk-vault-secrets kubectl create secret generic tapis-sk-vault-secrets --from-literal=vault-secretid=$VAULT_SECRETID --from-literal=vault-roleid=$VAULT_ROLEID diff --git a/playbooks/roles/skadmin/templates/kube/run-sk-admin b/playbooks/roles/skadmin/templates/kube/run-sk-admin index 195ad86b..512892e6 100755 --- a/playbooks/roles/skadmin/templates/kube/run-sk-admin +++ b/playbooks/roles/skadmin/templates/kube/run-sk-admin 
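Review bot: `-Djdk.tls.client.protocols=TLSv1.3` restricts the SkAdmin client to TLS 1.3 only, so the handshake fails against any Vault at `{{ skadmin_vault_url }}` that negotiates only TLS 1.2, and it also requires a JDK with TLS 1.3 support in the image; if the intent is to prefer 1.3, `TLSv1.3,TLSv1.2` keeps a fallback, and if the intent is to require 1.3 the commit should say so. The same change appears in kube/run-sk-admin and kube/updateSecrets/run-sk-update, where the commented-out `#java ...` line was updated as well. Outside the hunk lines, the header context for run-sk-admin2 shows `echo $KUBE_TOKEN`, which writes the service-account token into the job's logs; dropping or masking that echo while these scripts are being touched would be worthwhile.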
@@ -14,5 +14,5 @@ echo debug130 namespace echo $KUBE_NAMESPACE -#java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local -java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +#java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local diff --git a/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update b/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update index f8d9e2ae..7ed817ea 100755 --- a/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update +++ b/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update 
@@ -14,5 +14,5 @@ echo debug130 namespace echo $KUBE_NAMESPACE -#java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local -java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/updateLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +#java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/updateLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local From c8d5d02830df51643113a453f858f0c486419a1c Mon Sep 17 00:00:00 2001 From: mpackard Date: Wed, 24 Jan 2024 13:26:21 -0600 Subject: [PATCH 5/9] workflows --- playbooks/roles/workflows/templates/kube/engine/deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/workflows/templates/kube/engine/deployment.yml b/playbooks/roles/workflows/templates/kube/engine/deployment.yml index ae9f9db4..33451b60 100644 --- a/playbooks/roles/workflows/templates/kube/engine/deployment.yml +++ b/playbooks/roles/workflows/templates/kube/engine/deployment.yml 
@@ -83,7 +83,7 @@ spec: tty: true volumeMounts: - name: pipelines-mount - mountPath: /mnt/pipelines/ + mountPath: /var/lib/open-workflow-engine volumes: - name: pipelines-mount nfs: From 4816e3768eebc7f7f053e2b7a7575cbe3e67ead5 Mon Sep 17 00:00:00 2001 From: mpackard Date: Wed, 24 Jan 2024 16:30:17 -0600 Subject: [PATCH 6/9] - changed image versions to 1.6.0 - homogenized a couple tapis container version (e.g. mqe) - removed prometheus from abaco/actors --- .../roles/actors/defaults/main/images.yml | 5 ++-- playbooks/roles/actors/defaults/main/vars.yml | 2 +- .../templates/docker/docker-compose.yml | 27 ------------------- .../roles/admin/defaults/main/images.yml | 6 ++--- playbooks/roles/apps/defaults/main/images.yml | 4 +-- .../authenticator/defaults/main/images.yml | 4 +-- .../roles/files/defaults/main/images.yml | 6 ++--- .../globus-proxy/defaults/main/images.yml | 2 +- playbooks/roles/jobs/defaults/main/images.yml | 8 +++--- playbooks/roles/meta/defaults/main/images.yml | 14 +++++----- .../roles/monitoring/defaults/main/images.yml | 5 ++-- .../notifications/defaults/main/images.yml | 6 ++--- .../roles/pgrest/defaults/main/images.yml | 4 +-- playbooks/roles/pods/defaults/main/vars.yml | 2 +- .../roles/security/defaults/main/images.yml | 8 +++--- .../roles/skadmin/defaults/main/images.yml | 8 +++--- .../roles/streams/defaults/main/images.yml | 4 +-- .../roles/systems/defaults/main/images.yml | 4 +-- .../roles/tapisui/defaults/main/images.yml | 2 +- .../roles/tenants/defaults/main/images.yml | 8 +++--- .../roles/tokens/defaults/main/images.yml | 6 ++--- .../roles/vault/defaults/main/images.yml | 2 +- .../roles/workflows/defaults/main/images.yml | 6 ++--- 23 files changed, 57 insertions(+), 86 deletions(-) diff --git a/playbooks/roles/actors/defaults/main/images.yml b/playbooks/roles/actors/defaults/main/images.yml index 1b1c217a..5dec6997 100644 --- a/playbooks/roles/actors/defaults/main/images.yml +++ b/playbooks/roles/actors/defaults/main/images.yml 
@@ -1,10 +1,9 @@ actors_core_image: abaco/core-v3:{{ actors_service_version }} actors_grafana_image: grafana/grafana:9.4.7 -actors_prometheus_image: abaco/promv3:1.4.0 actors_nginx_image: abaco/nginx:1.9.1 actors_nginxk8s_image: abaco/nginxk8s:1.4.0 actors_mongo_image: mongo:4.2.6 actors_alpine_image: alpine:3.17 -actors_mongobackup_image: tapis/mongobackup:0.1 +actors_mongobackup_image: tapis/mongobackup:1.6.0 actors_rabbitmq_image: rabbitmq:3.6.12-management -actors_util_image: tapis/ubutil2204:1.5.0 +actors_util_image: tapis/ubutil2204:1.6.0 diff --git a/playbooks/roles/actors/defaults/main/vars.yml b/playbooks/roles/actors/defaults/main/vars.yml index a6d66fd1..31ee3255 100644 --- a/playbooks/roles/actors/defaults/main/vars.yml +++ b/playbooks/roles/actors/defaults/main/vars.yml @@ -6,7 +6,7 @@ actors_service_url: '{{ global_service_url }}' actors_service_tenant_id: admin actors_service_site_id: '{{ global_site_id }}' actors_service_name: actors -actors_service_version: 1.5.1 +actors_service_version: 1.6.0 actors_storage_class: '{{ global_storage_class }}' actors_rabbit_pvc: actors-rabbitmq-vol01 actors_mongo_pvc: actors-mongo-vol01 diff --git a/playbooks/roles/actors/templates/docker/docker-compose.yml b/playbooks/roles/actors/templates/docker/docker-compose.yml index ac1fd6fe..bd0961ee 100644 --- a/playbooks/roles/actors/templates/docker/docker-compose.yml +++ b/playbooks/roles/actors/templates/docker/docker-compose.yml 
@@ -239,39 +239,13 @@ services: networks: - tapis - actors-prometheus: - container_name: actors-prometheus - # build: ./images/prometheus - image: {{ actors_prometheus_image }} - # volumes: - # - ./images/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml - # - ./images/prometheus/alert.rules.yml:/etc/prometheus/alert.rules.yml - command: - - '--config.file=/etc/prometheus/prometheus.yml' - # - '-storage.local.path=/prometheus' - # ports: - # - 127.0.0.1:9090:9090 - networks: - - tapis - depends_on: - - actors-mongo - - actors-reg - actors-grafana: container_name: acrots-grafana image: {{ actors_grafana_image }} user: "104" depends_on: - - actors-prometheus - actors-mongo - actors-reg - # ports: - # - "127.0.0.1:3000:3000" - # volumes: - # - grafana_data:/var/lib/grafana - # - ./images/prometheus/grafana/provisioning/:/etc/grafana/provisioning/ - # env_file: - # - ./images/prometheus/grafana/config.monitoring networks: - tapis restart: always @@ -301,7 +275,6 @@ services: depends_on: - actors-mongo - actors-reg - - actors-prometheus # volumes: # grafana_data: {} diff --git a/playbooks/roles/admin/defaults/main/images.yml b/playbooks/roles/admin/defaults/main/images.yml index 9cdb370c..3637890c 100644 --- a/playbooks/roles/admin/defaults/main/images.yml +++ b/playbooks/roles/admin/defaults/main/images.yml @@ -1,3 +1,3 @@ -admin_util_image: tapis/ubutil2204:1.5.0 -admin_centosutil_image: tapis/centosutil:1.5.0 -admin_skadminutil_image: tapis/skadminutil:1.4.0 +admin_util_image: tapis/ubutil2204:1.6.0 +admin_centosutil_image: tapis/centosutil:1.6.0 +admin_skadminutil_image: tapis/skadminutil:1.6.0 diff --git a/playbooks/roles/apps/defaults/main/images.yml b/playbooks/roles/apps/defaults/main/images.yml index 01edddc8..9b2c1b9d 100644 --- a/playbooks/roles/apps/defaults/main/images.yml +++ b/playbooks/roles/apps/defaults/main/images.yml 
@@ -1,4 +1,4 @@
-apps_api_image: tapis/apps:1.5.10
+apps_api_image: tapis/apps:1.6.0
 apps_postgres_image: postgres:12.4
 apps_pgadmin_image: dpage/pgadmin4:6.20
-apps_util_image: tapis/ubutil2204:1.5.0
+apps_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/authenticator/defaults/main/images.yml b/playbooks/roles/authenticator/defaults/main/images.yml
index 2eb184b3..4f7fe780 100644
--- a/playbooks/roles/authenticator/defaults/main/images.yml
+++ b/playbooks/roles/authenticator/defaults/main/images.yml
@@ -1,4 +1,4 @@
-authenticator_api_image: tapis/authenticator:1.5.1
-authenticator_migrations_image: tapis/authenticator-migrations:1.5.1
+authenticator_api_image: tapis/authenticator:1.6.0
+authenticator_migrations_image: tapis/authenticator-migrations:1.6.0
 authenticator_postgres_image: postgres:11.4
 authenticator_ldap_image: tacc/slapd:1
diff --git a/playbooks/roles/files/defaults/main/images.yml b/playbooks/roles/files/defaults/main/images.yml
index dd784582..6f3e7d37 100644
--- a/playbooks/roles/files/defaults/main/images.yml
+++ b/playbooks/roles/files/defaults/main/images.yml
@@ -1,5 +1,5 @@
-files_api_image: tapis/tapis-files:1.5.10
-files_workers_image: tapis/tapis-files-workers:1.5.10
+files_api_image: tapis/tapis-files:1.6.0
+files_workers_image: tapis/tapis-files-workers:1.6.0
 files_postgres_image: postgres:11
 files_migrations_image: postgres:11
 files_minio_image: minio/minio
@@ -7,4 +7,4 @@ files_irods_provider_postgres_image: mjstealey/irods-provider-postgres:4.2.4
 files_pgadmin_image: dpage/pgadmin4:6.20
 files_rabbitmq_image: rabbitmq:3.8.11-management
 files_rabbitmq_management_image: rabbitmq:3-management-alpine
-files_util_image: tapis/ubutil2204:1.5.0
+files_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/globus-proxy/defaults/main/images.yml b/playbooks/roles/globus-proxy/defaults/main/images.yml
index 2d137a5d..c5ba3db1 100644
--- a/playbooks/roles/globus-proxy/defaults/main/images.yml
+++ b/playbooks/roles/globus-proxy/defaults/main/images.yml
@@ -1 +1 @@
-globus_proxy_api_image: tapis/globus-proxy:1.5.0
+globus_proxy_api_image: tapis/globus-proxy:1.6.0
diff --git a/playbooks/roles/jobs/defaults/main/images.yml b/playbooks/roles/jobs/defaults/main/images.yml
index c5271912..fcf348e8 100644
--- a/playbooks/roles/jobs/defaults/main/images.yml
+++ b/playbooks/roles/jobs/defaults/main/images.yml
@@ -1,7 +1,7 @@
-jobs_api_image: tapis/jobsapi:1.5.10
-jobs_migrations_image: tapis/jobsmigrate:1.5.10
-jobs_worker_image: tapis/jobsworker:1.5.10
+jobs_api_image: tapis/jobsapi:1.6.0
+jobs_migrations_image: tapis/jobsmigrate:1.6.0
+jobs_worker_image: tapis/jobsworker:1.6.0
 jobs_postgres_image: postgres:12.4
 jobs_pgadmin_image: dpage/pgadmin4:6.20
 jobs_rabbitmq_management_image: rabbitmq:3.8.11-management
-jobs_util_image: tapis/ubutil2204:1.5.0
+jobs_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/meta/defaults/main/images.yml b/playbooks/roles/meta/defaults/main/images.yml
index 0c9d341f..7eef2563 100644
--- a/playbooks/roles/meta/defaults/main/images.yml
+++ b/playbooks/roles/meta/defaults/main/images.yml
@@ -1,8 +1,8 @@
-meta_api_image: tapis/metaapi:1.5.10
-meta_rh_server_image: tapis/tapis-meta-rh-server:1.5.0
-meta_mongo_exporter_image: tapis/mqe:0.1
-meta_mongo_singlenode_image: tapis/mongo-singlenode:4.4.6-bionic
-meta_mongodb_backup_image: tapis/mongodb-backup:1
-meta_mongobackup_image: tapis/mongobackup:1.5.0
+meta_api_image: tapis/metaapi:1.6.0
+meta_rh_server_image: tapis/tapis-meta-rh-server:1.6.0
+meta_mongo_exporter_image: tapis/mqe:1.6.0
+meta_mongo_singlenode_image: tapis/mongo-singlenode:1.6.0
+meta_mongodb_backup_image: tapis/mongodb-backup:1.6.0
+meta_mongobackup_image: tapis/mongobackup:1.6.0
 meta_alpine_image: alpine:3.17
-meta_util_image: tapis/ubutil2204:1.5.0
+meta_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/monitoring/defaults/main/images.yml b/playbooks/roles/monitoring/defaults/main/images.yml
index f17ef9a2..68027b24 100644
--- a/playbooks/roles/monitoring/defaults/main/images.yml
+++ b/playbooks/roles/monitoring/defaults/main/images.yml
@@ -1,5 +1,4 @@
-monitoring_stern_fluentd_image: tapis/stern-fluentd:1.5.1
-monitoring_tapis_exporter_image: tapis/exporter:1.5.0
+monitoring_tapis_exporter_image: tapis/exporter:1.6.0
 monitoring_alpine_image: alpine:3.6
 monitoring_postgres_image: bitnami/postgresql:14
 monitoring_elasticsearch_image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9
@@ -7,4 +6,4 @@ monitoring_kibana_image: docker.elastic.co/kibana/kibana:7.17.9
 monitoring_grafana_image: grafana/grafana:8.5.5
 monitoring_prometheus_image: prom/prometheus:v2.38.0
 monitoring_thanos_image: quay.io/thanos/thanos:v0.8.0
-monitoring_util_image: tapis/ubutil2204:1.5.0
+monitoring_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/notifications/defaults/main/images.yml b/playbooks/roles/notifications/defaults/main/images.yml
index bb6e5322..4b7add96 100644
--- a/playbooks/roles/notifications/defaults/main/images.yml
+++ b/playbooks/roles/notifications/defaults/main/images.yml
@@ -1,6 +1,6 @@
 notifications_postgres_image: postgres:12.4
 notifications_pgadmin_image: dpage/pgadmin4:6.20
 notifications_rabbitmq_image: rabbitmq:3.8.11-management
-notifications_util_image: tapis/ubutil2204:1.5.0
-notifications_api_image: tapis/notifications:1.5.10
-notifications_dispatcher_image: tapis/notifications-dispatcher:1.5.10
+notifications_util_image: tapis/ubutil2204:1.6.0
+notifications_api_image: tapis/notifications:1.6.0
+notifications_dispatcher_image: tapis/notifications-dispatcher:1.6.0
diff --git a/playbooks/roles/pgrest/defaults/main/images.yml b/playbooks/roles/pgrest/defaults/main/images.yml
index 9a15ec5c..84550e72 100644
--- a/playbooks/roles/pgrest/defaults/main/images.yml
+++ b/playbooks/roles/pgrest/defaults/main/images.yml
@@ -1,3 +1,3 @@ -pgrest_api_image: tapis/pgrest-api:1.5.0 +pgrest_api_image: tapis/pgrest-api:1.6.0 pgrest_postgres_image: postgres:13 -pgrest_util_image: tapis/ubutil2204:1.5.0 +pgrest_util_image: tapis/ubutil2204:1.6.0 diff --git a/playbooks/roles/pods/defaults/main/vars.yml b/playbooks/roles/pods/defaults/main/vars.yml index f9645519..0167744d 100644 --- a/playbooks/roles/pods/defaults/main/vars.yml +++ b/playbooks/roles/pods/defaults/main/vars.yml @@ -1,7 +1,7 @@ --- pods_service_name: pods -pods_image_version: 1.5.0 +pods_image_version: 1.6.0 pods_service_site_id: "{{ global_site_id }}" pods_service_tenant_id: admin pods_primary_site_admin_tenant_base_url: "{{ global_primary_site_admin_tenant_base_url }}" diff --git a/playbooks/roles/security/defaults/main/images.yml b/playbooks/roles/security/defaults/main/images.yml index 27a270f4..d3173929 100644 --- a/playbooks/roles/security/defaults/main/images.yml +++ b/playbooks/roles/security/defaults/main/images.yml @@ -1,6 +1,6 @@ security_pgadmin_image: dpage/pgadmin4:6.20 -security_skadminutil_image: tapis/skadminutil:1.5.0 +security_skadminutil_image: tapis/skadminutil:1.6.0 security_postgres_image: postgres:12.4 -security_api_image: tapis/securityapi:1.5.10 -security_migrations_image: tapis/securitymigrate:1.5.10 -security_util_image: tapis/ubutil:1.5.0 +security_api_image: tapis/securityapi:1.6.0 +security_migrations_image: tapis/securitymigrate:1.6.0 +security_util_image: tapis/ubutil:1.6.0 diff --git a/playbooks/roles/skadmin/defaults/main/images.yml b/playbooks/roles/skadmin/defaults/main/images.yml index 758f6604..503111a6 100644 --- a/playbooks/roles/skadmin/defaults/main/images.yml +++ b/playbooks/roles/skadmin/defaults/main/images.yml 
@@ -1,4 +1,4 @@
-skadmin_securityexport_image: tapis/securityexport:1.5.10
-skadmin_skadminutil_image: tapis/skadminutil:1.5.0
-skadmin_securityadmin_image: tapis/securityadmin:1.5.10
-skadmin_util_image: tapis/ubutil:1.5.0
+skadmin_securityexport_image: tapis/securityexport:1.6.0
+skadmin_skadminutil_image: tapis/skadminutil:1.6.0
+skadmin_securityadmin_image: tapis/securityadmin:1.6.0
+skadmin_util_image: tapis/ubutil:1.6.0
diff --git a/playbooks/roles/streams/defaults/main/images.yml b/playbooks/roles/streams/defaults/main/images.yml
index 14a04c8a..da2b253b 100644
--- a/playbooks/roles/streams/defaults/main/images.yml
+++ b/playbooks/roles/streams/defaults/main/images.yml
@@ -4,5 +4,5 @@ streams_influxdb2_image: influxdb:2.1.1-alpine
 streams_mysql_image: mysql:5.7
 streams_chords_image: ncareol/chords:1.0
 streams_tapis_chords_app_image: scleveland/tapis-chords-app:0.9.8.2.3
-streams_api_image: tapis/streams-api:1.5.1
-streams_util_image: tapis/ubutil2204:1.5.0
+streams_api_image: tapis/streams-api:1.6.0
+streams_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/systems/defaults/main/images.yml b/playbooks/roles/systems/defaults/main/images.yml
index 21664ae2..6cbf5db7 100644
--- a/playbooks/roles/systems/defaults/main/images.yml
+++ b/playbooks/roles/systems/defaults/main/images.yml
@@ -1,4 +1,4 @@
 systems_pgadmin_image: dpage/pgadmin4:6.20
 systems_postgres_image: postgres:12.4
-systems_util_image: tapis/ubutil2204:1.5.0
-systems_api_image: tapis/systems:1.5.10
+systems_util_image: tapis/ubutil2204:1.6.0
+systems_api_image: tapis/systems:1.6.0
diff --git a/playbooks/roles/tapisui/defaults/main/images.yml b/playbooks/roles/tapisui/defaults/main/images.yml
index 874e7a11..95e05b0e 100644
--- a/playbooks/roles/tapisui/defaults/main/images.yml
+++ b/playbooks/roles/tapisui/defaults/main/images.yml
@@ -1 +1 @@
-tapisui_image: tapis/tapisui:1.5.0
+tapisui_image: tapis/tapisui:1.6.0
diff --git a/playbooks/roles/tenants/defaults/main/images.yml b/playbooks/roles/tenants/defaults/main/images.yml
index 242ba8cb..42c80208 100644
--- a/playbooks/roles/tenants/defaults/main/images.yml
+++ b/playbooks/roles/tenants/defaults/main/images.yml
@@ -1,6 +1,6 @@
 tenants_pgadmin_image: dpage/pgadmin4:6.20
 tenants_postgres_image: postgres:11.4
-tenants_api_image: tapis/tenants-api:1.5.0
-tenants_migrations_image: tapis/tenants-api-migrations:1.5.0
-tenants_api_tests_image: tapis/tenants-api-tests:1.5.0
-tenants_util_image: tapis/ubutil2204:1.5.0
+tenants_api_image: tapis/tenants-api:1.6.0
+tenants_migrations_image: tapis/tenants-api-migrations:1.6.0
+tenants_api_tests_image: tapis/tenants-api-tests:1.6.0
+tenants_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/tokens/defaults/main/images.yml b/playbooks/roles/tokens/defaults/main/images.yml
index 9ad61436..d6c4d305 100644
--- a/playbooks/roles/tokens/defaults/main/images.yml
+++ b/playbooks/roles/tokens/defaults/main/images.yml
@@ -1,3 +1,3 @@
-tokens_api_image: tapis/tokens-api:1.5.0
-tokens_api_tests_image: tapis/tokens-api-tests:1.5.0
-tokens_util_image: tapis/ubutil2204:1.5.0
+tokens_api_image: tapis/tokens-api:1.6.0
+tokens_api_tests_image: tapis/tokens-api-tests:1.6.0
+tokens_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/vault/defaults/main/images.yml b/playbooks/roles/vault/defaults/main/images.yml
index ddf1894b..5b73885c 100644
--- a/playbooks/roles/vault/defaults/main/images.yml
+++ b/playbooks/roles/vault/defaults/main/images.yml
@@ -1,3 +1,3 @@
 vault_image: vault:1.8.3
 vault_alpine_image: alpine:latest
-vault_util_image: tapis/ubutil2204:1.5.0
+vault_util_image: tapis/ubutil2204:1.6.0
diff --git a/playbooks/roles/workflows/defaults/main/images.yml b/playbooks/roles/workflows/defaults/main/images.yml
index a4bc3781..b1ceb2f3 100644
--- a/playbooks/roles/workflows/defaults/main/images.yml
+++ b/playbooks/roles/workflows/defaults/main/images.yml
@@ -1,6 +1,6 @@
-workflows_api_image: tapis/workflows-api:1.5.0
-workflows_pipelines_image: tapis/workflows-pipelines:1.5.0
-workflows_engine_streams_image: tapis/workflow-engine-streams:1.5.0
+workflows_api_image: tapis/workflows-api:1.6.0
+workflows_pipelines_image: tapis/workflows-pipelines:1.6.0
+workflows_engine_streams_image: tapis/workflow-engine-streams:1.6.0
 workflows_mysql_image: mysql:8
 workflows_rabbitmq_image: rabbitmq:3.9.11-management
 workflows_registry_image: registry:2

From 274f018f17becc711ef32c62fa8596755e9df509 Mon Sep 17 00:00:00 2001
From: mpackard
Date: Wed, 24 Jan 2024 16:37:57 -0600
Subject: [PATCH 7/9] few more versions

---
 playbooks/roles/actors/defaults/main/images.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/playbooks/roles/actors/defaults/main/images.yml b/playbooks/roles/actors/defaults/main/images.yml
index 5dec6997..c495ef53 100644
--- a/playbooks/roles/actors/defaults/main/images.yml
+++ b/playbooks/roles/actors/defaults/main/images.yml
@@ -1,7 +1,7 @@
 actors_core_image: abaco/core-v3:{{ actors_service_version }}
 actors_grafana_image: grafana/grafana:9.4.7
-actors_nginx_image: abaco/nginx:1.9.1
-actors_nginxk8s_image: abaco/nginxk8s:1.4.0
+actors_nginx_image: abaco/nginx:1.6.0
+actors_nginxk8s_image: abaco/nginxk8s:1.6.0
 actors_mongo_image: mongo:4.2.6
 actors_alpine_image: alpine:3.17
 actors_mongobackup_image: tapis/mongobackup:1.6.0

From f2f9f5bdc1a2255e5ac4dd1cee237a737d15ad0f Mon Sep 17 00:00:00 2001
From: mpackard
Date: Wed, 24 Jan 2024 16:40:47 -0600
Subject: [PATCH 8/9] globus-proxy changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58bc4329..75ce16b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Notable changes between versions.
 - [Apps: 1.5.10 to 1.6.0 (tapis/apps)](https://github.com/tapis-project/tapis-apps/blob/dev/CHANGELOG.md)
 - [Authenticator: 1.5.1 -> 1.6.0 (tapis/authenticator, tapis/authenticator-migrations)](https://github.com/tapis-project/authenticator/blob/dev/CHANGELOG.md)
 - [Files: 1.5.10 to 1.6.0 (tapis/tapis-files, tapis/tapis-files-workers)](https://github.com/tapis-project/tapis-files/blob/dev/CHANGELOG.md)
+- [Globus-Proxy: 1.5.0 to 1.6.0 (tapis/globus-proxy)](https://github.com/tapis-project/globus-proxy/blob/dev/CHANGELOG.md)
 - [Jobs: 1.5.10 to 1.6.0 (tapis/jobsworker, jobsmigrate, jobsapi)](https://github.com/tapis-project/tapis-jobs/blob/dev/tapis-jobsapi/CHANGELOG.md)
 - [Meta: 1.5.10 to 1.6.0 (tapis/metaapi, tapis-meta-rh-server)](https://github.com/tapis-project/tapis-meta/blob/dev/CHANGELOG.md)
 - [Notifications: 1.5.12 to 1.6.0 (tapis/notifications, notifications-dispatcher)](https://github.com/tapis-project/tapis-notifications/blob/dev/CHANGELOG.md)

From 3f37ef9ab832abcf93456ae8bfb5eaae9fd74aef Mon Sep 17 00:00:00 2001
From: mpackard
Date: Thu, 25 Jan 2024 12:00:03 -0600
Subject: [PATCH 9/9] rolling back tlsv1.3 only change

---
 CHANGELOG.md | 1 -
 playbooks/roles/nginx-custom-locations/templates/nginx.conf | 2 +-
 playbooks/roles/proxy/templates/docker/nginx.conf | 2 +-
 playbooks/roles/proxy/templates/kube/nginx/nginx.conf | 2 +-
 playbooks/roles/skadmin/templates/docker/run-sk-admin | 2 +-
 playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 | 2 +-
 playbooks/roles/skadmin/templates/kube/run-sk-admin | 4 ++--
 .../roles/skadmin/templates/kube/updateSecrets/run-sk-update | 4 ++--
 8 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75ce16b6..14ed4941 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,6 @@ Notable changes between versions.
 - [Security: 1.5.10 to 1.6.0 (tapis/securitymigrate, securityadmin, securityapi, securityexport)](https://github.com/tapis-project/tapis-security/blob/dev/tapis-securityapi/CHANGELOG.md)
 - [Systems: 1.5.10 to 1.6.0 (tapis/systems)](https://github.com/tapis-project/tapis-systems/blob/dev/CHANGELOG.md)
 - Removed the stern component from monitoring
-- Updated all nginx configs to use TLSv1.3
 
 ## 1.5.3
 
diff --git a/playbooks/roles/nginx-custom-locations/templates/nginx.conf b/playbooks/roles/nginx-custom-locations/templates/nginx.conf
index 3eb1a370..f62d7eeb 100644
--- a/playbooks/roles/nginx-custom-locations/templates/nginx.conf
+++ b/playbooks/roles/nginx-custom-locations/templates/nginx.conf
@@ -115,7 +115,7 @@ http {
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
- ssl_protocols TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/roles/proxy/templates/docker/nginx.conf b/playbooks/roles/proxy/templates/docker/nginx.conf
index dde736f3..01d0caaa 100644
--- a/playbooks/roles/proxy/templates/docker/nginx.conf
+++ b/playbooks/roles/proxy/templates/docker/nginx.conf
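Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` re-enables TLSv1.2 without recording why, and the same commit deletes the CHANGELOG line instead of replacing it, so the next reader cannot tell whether 1.2 is still required or is a leftover that can be tightened again. A comment above the directive would carry that, e.g. `# TLSv1.2 retained for client compatibility (TLSv1.3-only rolled back in 1.6.0); re-evaluate before removing`. With 1.2 active, the two `DHE-RSA-*` entries in `ssl_ciphers` are only offered if an `ssl_dhparam` is configured; none is visible in this hunk, so if the enclosing server block has none, either add one or drop those two suites so the list reflects what is actually negotiable. The enclosing `server` and `http {` blocks start outside the hunk. The identical change appears in proxy/templates/docker/nginx.conf and proxy/templates/kube/nginx/nginx.conf and the same comment applies there.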
@@ -123,7 +123,7 @@ http {
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
- ssl_protocols TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/roles/proxy/templates/kube/nginx/nginx.conf b/playbooks/roles/proxy/templates/kube/nginx/nginx.conf
index e1fd8992..5bc68c9d 100644
--- a/playbooks/roles/proxy/templates/kube/nginx/nginx.conf
+++ b/playbooks/roles/proxy/templates/kube/nginx/nginx.conf
@@ -119,7 +119,7 @@ http {
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
- ssl_protocols TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks/roles/skadmin/templates/docker/run-sk-admin b/playbooks/roles/skadmin/templates/docker/run-sk-admin
index 8176a803..e47c4227 100755
--- a/playbooks/roles/skadmin/templates/docker/run-sk-admin
+++ b/playbooks/roles/skadmin/templates/docker/run-sk-admin
@@ -1,3 +1,3 @@ #!/bin/bash -java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{ skadmin_vault_url }} +java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{ skadmin_vault_url }} diff --git a/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 b/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 index ba3e77a9..c75b1a6c 100755 --- a/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 +++ b/playbooks/roles/skadmin/templates/kube/rerun/run-sk-admin2 @@ -17,7 +17,7 @@ echo $KUBE_TOKEN echo debug130 namespace echo $KUBE_NAMESPACE -java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local kubectl delete secret tapis-sk-vault-secrets kubectl create secret generic tapis-sk-vault-secrets --from-literal=vault-secretid=$VAULT_SECRETID --from-literal=vault-roleid=$VAULT_ROLEID diff --git a/playbooks/roles/skadmin/templates/kube/run-sk-admin b/playbooks/roles/skadmin/templates/kube/run-sk-admin index 512892e6..195ad86b 100755 --- a/playbooks/roles/skadmin/templates/kube/run-sk-admin +++ b/playbooks/roles/skadmin/templates/kube/run-sk-admin 
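Review bot: `-Djdk.tls.client.protocols=TLSv1.2` pins the SkAdmin client to a single protocol version, so it cannot use TLSv1.3 against the Vault endpoint even where it is offered; the property takes a comma-separated list, so `-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3` keeps the compatibility the rollback is after while still negotiating 1.3 where available. If the rollback was because the JDK in the image or the Vault endpoint fails on TLSv1.3 specifically, that reason belongs in a comment above the command (`# TLSv1.2 pinned: <reason>`) rather than only in the commit subject. The same pin is changed in kube/rerun/run-sk-admin2 (the second hunk on this line), kube/run-sk-admin and kube/updateSecrets/run-sk-update. In the last two, the commented-out `#java …` variant is being kept in sync by hand and could simply be removed.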
@@ -14,5 +14,5 @@ echo debug130 namespace echo $KUBE_NAMESPACE -#java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local -java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +#java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local diff --git a/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update b/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update index 7ed817ea..f8d9e2ae 100755 --- a/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update +++ b/playbooks/roles/skadmin/templates/kube/updateSecrets/run-sk-update 
@@ -14,5 +14,5 @@ echo debug130 namespace echo $KUBE_NAMESPACE -#java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local -java -Djdk.tls.client.protocols=TLSv1.3 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/updateLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local +#java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/initialLoad -vr VAULT_ROLEID -vs VAULT_SECRETID -b {{skadmin_vault_url}} -kt KUBE_TOKEN -kn KUBE_NAMEPSACE -ku https://kubernetes.default.svc.cluster.local +java -Djdk.tls.client.protocols=TLSv1.2 -cp /usr/local/bin/shaded-securitylib.jar edu.utexas.tacc.tapis.security.commands.SkAdmin -c -i /tmp/updateLoad -vr $VAULT_ROLEID -vs $VAULT_SECRETID -b {{skadmin_vault_url}} -dm -kt KUBE_TOKEN -kn $KUBE_NAMESPACE -ku https://kubernetes.default.svc.cluster.local