server (#178)

Signed-off-by: max <[email protected]>

roles/tpa_single_node/tasks/infra/main.yml

@@ -2,16 +2,33 @@
 - name: Configure OIDC
   ansible.builtin.include_tasks: infra/oidc.yml
 
+# - name: Configure Trust anchor
 #   ansible.builtin.include_tasks: infra/trust_anchor.yml
 
 # - name: Configure TLS certs
 #   ansible.builtin.include_tasks: infra/tls_cert.yml
 
+- name: Configure Server TLS certs
+  ansible.builtin.include_tasks: infra/server_tls.yml
+
 - name: Configure db
   ansible.builtin.include_tasks: infra/db.yml
-  args:
-    apply:
-      become: true
 
 - name: Migrate db
   ansible.builtin.include_tasks: infra/migrate-db.yml
+
+- name: Create configmap auth for server
+  ansible.builtin.include_tasks: infra/component_auth.yml
+  vars:
+    component:
+      name: "server"
+      type: "api"
+
+- name: Generate Persistent Volume Claim for server
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/server/PersistentVolumeClaim.yaml.j2"
+    dest: "{{ tpa_single_node_kube_manifest_dir }}/PVCs/server.yaml"
+    mode: "0600"
+
+- name: Start Server
+  ansible.builtin.include_tasks: server/trustd.yml

roles/tpa_single_node/tasks/infra/oidc.yml

@@ -8,16 +8,16 @@
     oidc: cognito
   when: "'cognito' in (tpa_single_node_oidc_issuer_url | string | safe)"
 
-- name: Check OIDC Walker is defined
-  ansible.builtin.assert:
-    that:
-      - tpa_single_node_oidc_provider_client_id is defined
-      - tpa_single_node_oidc_provider_client_id != ""
-      - tpa_single_node_oidc_provider_client_secret is defined
-      - tpa_single_node_oidc_provider_client_secret != ""
-      - tpa_single_node_oidc_frontend_id is defined
-      - tpa_single_node_oidc_frontend_id != ""
-    fail_msg: OIDC FrondEnd, Walker ID and Secret is not defined
+# - name: Check OIDC Walker is defined
+#   ansible.builtin.assert:
+#     that:
+#       - tpa_single_node_oidc_provider_client_id is defined
+#       - tpa_single_node_oidc_provider_client_id != ""
+#       - tpa_single_node_oidc_provider_client_secret is defined
+#       - tpa_single_node_oidc_provider_client_secret != ""
+#       - tpa_single_node_oidc_frontend_id is defined
+#       - tpa_single_node_oidc_frontend_id != ""
+#     fail_msg: OIDC FrondEnd, Walker ID and Secret is not defined
 
 - name: Generate OIDC secret manifest
   ansible.builtin.template:

roles/tpa_single_node/tasks/infra/server_tls.yml

@@ -0,0 +1,21 @@
+---
+- name: Generate TLS Server Cert secret manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/infra/Secret-server-tls.yaml.j2"
+    dest: "{{ tpa_single_node_server_secret }}"
+    mode: "0600"
+  vars:
+    tpa_single_node_trust_tls_cert_pem: "{{ lookup('file', tpa_single_node_trust_server_cert_tls_crt_path) }}"
+    tpa_single_node_trust_tls_cert_key: "{{ lookup('file', tpa_single_node_trust_server_cert_tls_key_path) }}"
+
+
+- name: Generate OIDC secret manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/infra/Secret-oidc.yaml.j2"
+    dest: "{{ tpa_single_node_server_secret }}"
+    mode: "0600"
+
+- name: Apply server secret manifest
+  ansible.builtin.command:
+    cmd: "podman kube play {{ tpa_single_node_server_secret }}"
+  changed_when: false

roles/tpa_single_node/tasks/main.yml

@@ -3,11 +3,11 @@
   ansible.builtin.set_fact:
     tpa_single_node_rhel_host: "{{ ansible_ssh_host }}"
 
-- name: Set a variable about Rhel
+- name: Set a variable about RHEL
   ansible.builtin.set_fact:
     rhel: false
 
-- name: Set a variable if is a Rhel as expected
+- name: Set a variable if is a RHEL as expected
   ansible.builtin.set_fact:
     rhel: true
   when:

roles/tpa_single_node/tasks/server/trustd.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Generate Server secret manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/infra/Secret-server-tls.yaml.j2"
+    dest: "{{ tpa_single_node_server_secret }}"
+    mode: "0600"
+
+- name: Deploy server
+  ansible.builtin.include_tasks: install_manifest.yml
+  vars:
+    podman_spec:
+      state: started
+      systemd_file: server
+      network: "{{ tpa_single_node_podman_network }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/server/Deployment.yaml.j2') | from_yaml }}"

roles/tpa_single_node/templates/manifests/infra/Secret-server-tls.yaml.j2

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: server-tls
+data:
+  server-tls.crt: "{{ tpa_single_node_trust_tls_cert_pem | b64encode }}"
+  server-tls.key: "{{ tpa_single_node_trust_tls_cert_key | b64encode }}"

roles/tpa_single_node/templates/manifests/init/dataset/Migrate.yaml.j2

@@ -28,7 +28,7 @@ spec:
           imagePullPolicy: IfNotPresent
           env:
             - name: TRUSTD_DB_HOST
-              value: "{{ tpa_single_node_oidc_provider_client_id }}"
+              value: "{{ tpa_single_node_pg_host }}"
             - name: TRUSTD_DB_PORT
               value: "{{ tpa_single_node_pg_port }}"
             - name: TRUSTD_DB_NAME

roles/tpa_single_node/templates/manifests/server/Deployment.yaml.j2

@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: server
+  namespace: "{{ tpa_single_node_namespace }}"
+  labels:
+    app: server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: server
+      app.kubernetes.io/component: server
+      app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: server
+        app.kubernetes.io/component: server
+        app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    spec:
+      containers:
+        - name: service
+          image: "{{ tpa_single_node_trustification_image }}"
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/live
+              port: 9010
+          readinessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/ready
+              port: 9010
+          command:
+            - /usr/local/bin/trustd
+          args:
+            - api
+            - --auth-configuration
+            - /etc/config/auth.yaml
+          env:
+            - name: NAMESPACE
+              value: "{{ tpa_single_node_namespace }}"
+            - name: RUST_LOG
+              value: info
+            - name: INFRASTRUCTURE_ENABLED
+              value: 'true'
+            - name: INFRASTRUCTURE_BIND
+              value: '[::]:9010'
+            - name: HTTP_SERVER_BIND_ADDR
+              value: '::'
+            - name: HTTP_SERVER_TLS_ENABLED
+              value: 'true'
+            - name: HTTP_SERVER_TLS_KEY_FILE
+              value: /etc/tls/tls.key
+            - name: HTTP_SERVER_TLS_CERTIFICATE_FILE
+              value: /etc/tls/tls.crt
+            - name: TRUSTD_DB_HOST
+              value: "{{ tpa_single_node_pg_host }}"
+            - name: TRUSTD_DB_PORT
+              value:  "{{ tpa_single_node_pg_port }}"
+            - name: TRUSTD_DB_NAME
+              value: "{{ tpa_single_node_pg_db }}"
+            - name: TRUSTD_DB_USER
+              value: "{{ tpa_single_node_pg_user }}"
+            - name: TRUSTD_DB_PASSWORD
+              value: "{{  tpa_single_node_pg_user_passwd }}"
+            - name: TRUSTD_DB_SSLMODE
+              value: allow
+            - name: TRUSTD_STORAGE_STRATEGY
+              value: fs
+            - name: TRUSTD_STORAGE_FS_PATH
+              value: /data/storage
+            - name: SWAGGER_UI_OIDC_ISSUER_URL
+              value: https://ssochange-me/realms/chicken
+            - name: SWAGGER_UI_OIDC_CLIENT_ID
+              value: frontend
+            - name: UI_ISSUER_URL
+              value: https://ssochange-me/realms/chicken
+            - name: UI_CLIENT_ID
+              value: frontend
+          ports:
+            - containerPort: 9010
+              protocol: TCP
+              name: infra
+            - containerPort: 8080
+              name: endpoint
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /etc/tls
+              name: tls
+              readOnly: true
+            - name: config-auth
+              mountPath: /etc/config/auth.yaml
+              subPath: auth.yaml
+            - name: storage
+              mountPath: /data/storage
+      volumes:
+        - name: tls
+          secret:
+            secretName: server-tls
+        - name: config-auth
+          configMap:
+            name: server-auth
+        - name: storage
+          persistentVolumeClaim:
+            claimName: storage

roles/tpa_single_node/templates/manifests/server/PersistentVolumeClaim.yaml.j2

@@ -0,0 +1,14 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: storage
+  namespace: "{{ tpa_single_node_namespace }}"
+  labels:
+    app: rhtpa
+    component: server
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 32Gi

roles/tpa_single_node/vars/main.yml

@@ -37,11 +37,14 @@ tpa_single_node_trust_cert_tls_crt_path: "{{ tpa_single_node_certificates_dir }}
 tpa_single_node_trust_cert_tls_key_path: "{{ tpa_single_node_certificates_dir }}/trust-cert.key"
 tpa_single_node_nginx_tls_crt_path: "{{ tpa_single_node_certificates_dir }}/trust-cert.crt"
 tpa_single_node_nginx_tls_key_path: "{{ tpa_single_node_certificates_dir }}/trust-cert.key"
+tpa_single_node_trust_server_cert_tls_crt_path: "{{ tpa_single_node_certificates_dir }}/trust-cert.crt"
+tpa_single_node_trust_server_cert_tls_key_path: "{{ tpa_single_node_certificates_dir }}/trust-cert.key"
 
 # Target node(s) - Secret and Configmap locations
 tpa_single_node_storage_secret: "{{ tpa_single_node_kube_manifest_dir }}/Secrets/storage.yaml"
 tpa_single_node_event_secret: "{{ tpa_single_node_kube_manifest_dir }}/Secrets/event.yaml"
 tpa_single_node_oidc_secret: "{{ tpa_single_node_kube_manifest_dir }}/Secrets/oidc.yaml"
+tpa_single_node_server_secret: "{{ tpa_single_node_kube_manifest_dir }}/Secrets/server.yaml"
 
 # ports