From 4eed3ca88212161bdb9330d30f41fafab2b8d2e5 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Thu, 24 Oct 2024 02:00:59 +0200 Subject: [PATCH 01/13] With external RDS PG DBMS --- roles/tpa_single_node/README.md | 153 +++++++++--------- roles/tpa_single_node/meta/argument_specs.yml | 16 +- roles/tpa_single_node/tasks/guac/init.yml | 6 +- roles/tpa_single_node/tasks/infra/main.yml | 6 - .../tasks/infra/postgresql.yml | 68 -------- .../collectorist/api/Configmap.yaml.j2 | 2 +- .../manifests/guac/graphql/Deployment.yaml.j2 | 2 +- roles/tpa_single_node/vars/main.yml | 4 +- .../tpa_single_node/vars/main_example_aws.yml | 10 +- .../vars/main_example_nonaws.yml | 8 +- 10 files changed, 112 insertions(+), 163 deletions(-) delete mode 100644 roles/tpa_single_node/tasks/infra/postgresql.yml diff --git a/roles/tpa_single_node/README.md b/roles/tpa_single_node/README.md index e627fbec..a3603c24 100644 --- a/roles/tpa_single_node/README.md +++ b/roles/tpa_single_node/README.md 
@@ -1,85 +1,92 @@ + # Ansible Role: redhat.trusted_profile_analyzer.tpa_single_node + Version: 0.2.0 Deploy the [RHTPA](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/) service on a single managed node by using the `tpa_single_node` role. - Requires RHEL 9.2 or later. +Requires RHEL 9.2 or later. ## Role Arguments + ### Required -|Option|Description|Type|Default| -|---|---|---|---| -| tpa_single_node_storage_access_key | Storage access key, readed form the env var TPA_STORAGE_ACCESS_KEY. | str | | -| tpa_single_node_storage_secret_key | Storage access key, readed form the env var TPA_STORAGE_SECRET_KEY. | str | | -| tpa_single_node_event_access_key_id | Kafka Username or AWS SQS Access Key ID, readed from TPA_EVENT_ACCESS_KEY_ID env var | str | | -| tpa_single_node_event_secret_access_key | Kafka password or AWS SQS Secret Access Key, readed from TPA_EVENT_SECRET_ACCESS_KEY env var | str | | -| tpa_single_node_root_ca | rootCA path on the controller machine | str | | -| tpa_single_node_trust_cert_tls_crt_path | pem path on the controller machine | str | | -| tpa_single_node_trust_cert_tls_key_path | key path on the controller machine | str | | -| tpa_single_node_nginx_tls_crt_path | nginx-tls-certificate.pem path on the controller machine | str | | -| tpa_single_node_nginx_tls_key_path | nginx-tls.key path on the controller machine | str | | + +| Option | Description | Type | Default | +| --------------------------------------- | -------------------------------------------------------------------------------------------- | ---- | ------- | +| tpa_single_node_storage_access_key | Storage access key, readed form the env var TPA_STORAGE_ACCESS_KEY. | str | | +| tpa_single_node_storage_secret_key | Storage access key, readed form the env var TPA_STORAGE_SECRET_KEY. 
| str | | +| tpa_single_node_event_access_key_id | Kafka Username or AWS SQS Access Key ID, readed from TPA_EVENT_ACCESS_KEY_ID env var | str | | +| tpa_single_node_event_secret_access_key | Kafka password or AWS SQS Secret Access Key, readed from TPA_EVENT_SECRET_ACCESS_KEY env var | str | | +| tpa_single_node_root_ca | rootCA path on the controller machine | str | | +| tpa_single_node_trust_cert_tls_crt_path | pem path on the controller machine | str | | +| tpa_single_node_trust_cert_tls_key_path | key path on the controller machine | str | | +| tpa_single_node_nginx_tls_crt_path | nginx-tls-certificate.pem path on the controller machine | str | | +| tpa_single_node_nginx_tls_key_path | nginx-tls.key path on the controller machine | str | | ### Optional -|Option|Description|Type|Default| -|---|---|---|---| -| tpa_single_node_trustification_image | Trustification image. | str | `registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:2943d20c8ac831f4ae4f209c8ca6807619404062` | -| tpa_single_node_guac_image | Guac image. | str | `registry.redhat.io/rhtpa/rhtpa-guac-rhel9:f0688194637cc759052e02c350c38dbabc19484e` | -| tpa_single_node_base_hostname | The user name logging in to the registry to pull images. | str | `trustification` | -| tpa_single_node_rhel_host | Ip of the instance. | str | | -| tpa_single_node_certificates_dir | Folder where to place the certificates to deploy on the instance. | str | `certs` | -| tpa_single_node_config_dir | Configuration directory on the instance. | str | `/etc/rhtpa` | -| tpa_single_node_kube_manifest_dir | Configuration directory on the instance containing the manifests. | str | `/etc/rhtpa/manifests` | -| tpa_single_node_namespace | Podman network namespace. | str | `trustification` | -| tpa_single_node_podman_network | Podman network name. | str | `tcnet` | -| tpa_single_node_systemd_directory | Folder where to store the systemd configurations files. 
| str | `/etc/systemd/system` | -| tpa_single_node_default_empty | Default empty value. | str | | -| tpa_single_node_pg_host | Host ip of the postgresql db instance. Readed from the TPA_PG_HOST env | str | | -| tpa_single_node_pg_port | Port of the postgresql db instance. | str | `5432` | -| tpa_single_node_pg_db | DB name. | str | `guac` | -| tpa_single_node_pg_user | DB username. | str | `guac` | -| tpa_single_node_pg_user_passwd | DB password. | str | `guac1234` | -| tpa_single_node_pg_ssl_mode | DB SSL mode enabled/disabled. | str | `disable` | -| tpa_single_node_storage_type | Storage type s3/minio/other s3 compatible. | str | `minio` | -| tpa_single_node_storage_bombastic_bucket | Bombastic storage bucket name. | str | `bombastic-default` | -| tpa_single_node_storage_v11y_bucket | V11y storage bucket name. | str | `v11y-default` | -| tpa_single_node_storage_vexination_bucket | V11y storage bucket name. | str | `vexination-default` | -| tpa_single_node_storage_region | AWS S3 Storage region | str | `eu-west-1` | -| tpa_single_node_storage_endpoint | Minio storage endpoint if used instead of S3 | str | `eu-west-1` | -| tpa_single_node_event_bus_type | Kafka or SQS | str | `kafka` | -| tpa_single_node_bombastic_topic_failed | Bombastic Events topic failed | str | `bombastic-failed-default` | -| tpa_single_node_bombastic_topic_indexed | Bombastic Events topic indexed | str | `bombastic-indexed-default` | -| tpa_single_node_bombastic_topic_stored | Bombastic Events topic stored | str | `bombastic-stored-default` | -| tpa_single_node_vexination_topic_failed | Vexination Events topic failed | str | `vexination-failed-default` | -| tpa_single_node_vexination_topic_indexed | Vexination Events topic indexed | str | `vexination-indexed-default` | -| tpa_single_node_vexination_topic_stored | Vexination Events topic stored | str | `vexination-stored-default` | -| tpa_single_node_v11y_topic_failed | V11y Events topic failed | str | `vv1y-failed-default` | -| 
tpa_single_node_v11y_topic_indexed | V11y Events topic indexed | str | `v11y-indexed-default` | -| tpa_single_node_v11y_topic_stored | V11y Events topic stored | str | `v11y-stored-default` | -| tpa_single_node_kafka_bootstrap_servers | Kafka bootstrap servers readed from TPA_EVENT_BOOTSTRAP_SERVER env var | str | | -| tpa_single_node_kafka_security_protocol | Kafka security protocol | str | `SASL_PLAINTEXT` | -| tpa_single_node_kafka_auth_mechanism | Kafka auth mechanism | str | `SCRAM-SHA-512` | -| tpa_single_node_sqs_region | AWS SQS Region | str | `eu-west-1` | -| tpa_single_node_oidc_type | Keycloak or AWS Cognito | str | `keycloak` | -| tpa_single_node_oidc_issuer_url | Readed from TPA_OIDC_ISSUER_URL env var | str | | -| tpa_single_node_oidc_frontend_id | Readed from TPA_OIDC_FRONTEND_ID env var | str | | -| tpa_single_node_oidc_provider_client_id | Readed from TPA_OIDC_PROVIDER_CLIENT_ID env var | str | | -| tpa_single_node_oidc_provider_client_secret | Readed from TPA_OIDC_PROVIDER_CLIENT_SECRET env var | str | | -| tpa_single_node_aws_cognito_domain | Readed from TPA_OIDC_COGNITO_DOMAIN env var | str | | -| tpa_single_node_storage_secret | storage-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/storage-secret.yaml` | -| tpa_single_node_event_secret | event-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/event-secret.yaml` | -| tpa_single_node_oidc_secret | oidc-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/oidc-secret.yaml` | -| tpa_single_node_spog_ui_port | Spog ui port | int | `8080` | -| tpa_single_node_vexination_api_port | Vexination api port | int | `8081` | -| tpa_single_node_bombastic_api_port | Bombastic api port | int | `8082` | -| tpa_single_node_spog_api_port | Spog api port | int | `8084` | -| tpa_single_node_collector_osv_port | Collector OSV api port | int | `8085` | -| tpa_single_node_v11y_api_port | V11y api port | int | `8087` | -| tpa_single_node_collectorist_api_port | 
Collectorist api port | int | `8088` | -| tpa_single_node_guac_graphql_port | Guac GraphQl port | int | `8089` | -| tpa_single_node_bombastic_walker_suspended | Bombastic walker suspended flag | bool | `True` | -| tpa_single_node_dataset_job_suspended | Dataset job suspended flag | bool | `True` | -| tpa_single_node_vexination_walker_suspended | Vexination walker job suspended flag | bool | `True` | -| tpa_single_node_v11y_walker_suspended | V11y walker job suspended flag | bool | `False` | + +| Option | Description | Type | Default | +| ------------------------------------------- | ---------------------------------------------------------------------- | ---- | ------------------------------------------------------------------------------------------------------ | +| tpa_single_node_trustification_image | Trustification image. | str | `registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:2943d20c8ac831f4ae4f209c8ca6807619404062` | +| tpa_single_node_guac_image | Guac image. | str | `registry.redhat.io/rhtpa/rhtpa-guac-rhel9:f0688194637cc759052e02c350c38dbabc19484e` | +| tpa_single_node_base_hostname | The user name logging in to the registry to pull images. | str | `trustification` | +| tpa_single_node_rhel_host | Ip of the instance. | str | | +| tpa_single_node_certificates_dir | Folder where to place the certificates to deploy on the instance. | str | `certs` | +| tpa_single_node_config_dir | Configuration directory on the instance. | str | `/etc/rhtpa` | +| tpa_single_node_kube_manifest_dir | Configuration directory on the instance containing the manifests. | str | `/etc/rhtpa/manifests` | +| tpa_single_node_namespace | Podman network namespace. | str | `trustification` | +| tpa_single_node_podman_network | Podman network name. | str | `tcnet` | +| tpa_single_node_systemd_directory | Folder where to store the systemd configurations files. | str | `/etc/systemd/system` | +| tpa_single_node_default_empty | Default empty value. 
| str | | +| tpa_single_node_pg_host | Host ip of the postgresql db instance. Readed from the TPA_PG_HOST env | str | | +| tpa_single_node_pg_port | Port of the postgresql db instance. | str | `5432` | +| tpa_single_node_pg_db | DB name. | str | `guac` | +| tpa_single_node_pg_admin | DB admin user. | str | `postgres` | +| tpa_single_node_pg_admin_passwd | DB admin password. | str | `postgres1234` | +| tpa_single_node_pg_user | DB username. | str | `guac` | +| tpa_single_node_pg_user_passwd | DB user password. | str | `guac1234` | +| tpa_single_node_pg_ssl_mode | DB SSL mode require/disabled. | str | `disable` | +| tpa_single_node_storage_type | Storage type s3/minio/other s3 compatible. | str | `minio` | +| tpa_single_node_storage_bombastic_bucket | Bombastic storage bucket name. | str | `bombastic-default` | +| tpa_single_node_storage_v11y_bucket | V11y storage bucket name. | str | `v11y-default` | +| tpa_single_node_storage_vexination_bucket | V11y storage bucket name. | str | `vexination-default` | +| tpa_single_node_storage_region | AWS S3 Storage region | str | `eu-west-1` | +| tpa_single_node_storage_endpoint | Minio storage endpoint if used instead of S3 | str | `eu-west-1` | +| tpa_single_node_event_bus_type | Kafka or SQS | str | `kafka` | +| tpa_single_node_bombastic_topic_failed | Bombastic Events topic failed | str | `bombastic-failed-default` | +| tpa_single_node_bombastic_topic_indexed | Bombastic Events topic indexed | str | `bombastic-indexed-default` | +| tpa_single_node_bombastic_topic_stored | Bombastic Events topic stored | str | `bombastic-stored-default` | +| tpa_single_node_vexination_topic_failed | Vexination Events topic failed | str | `vexination-failed-default` | +| tpa_single_node_vexination_topic_indexed | Vexination Events topic indexed | str | `vexination-indexed-default` | +| tpa_single_node_vexination_topic_stored | Vexination Events topic stored | str | `vexination-stored-default` | +| tpa_single_node_v11y_topic_failed | V11y 
Events topic failed | str | `vv1y-failed-default` | +| tpa_single_node_v11y_topic_indexed | V11y Events topic indexed | str | `v11y-indexed-default` | +| tpa_single_node_v11y_topic_stored | V11y Events topic stored | str | `v11y-stored-default` | +| tpa_single_node_kafka_bootstrap_servers | Kafka bootstrap servers readed from TPA_EVENT_BOOTSTRAP_SERVER env var | str | | +| tpa_single_node_kafka_security_protocol | Kafka security protocol | str | `SASL_PLAINTEXT` | +| tpa_single_node_kafka_auth_mechanism | Kafka auth mechanism | str | `SCRAM-SHA-512` | +| tpa_single_node_sqs_region | AWS SQS Region | str | `eu-west-1` | +| tpa_single_node_oidc_type | Keycloak or AWS Cognito | str | `keycloak` | +| tpa_single_node_oidc_issuer_url | Readed from TPA_OIDC_ISSUER_URL env var | str | | +| tpa_single_node_oidc_frontend_id | Readed from TPA_OIDC_FRONTEND_ID env var | str | | +| tpa_single_node_oidc_provider_client_id | Readed from TPA_OIDC_PROVIDER_CLIENT_ID env var | str | | +| tpa_single_node_oidc_provider_client_secret | Readed from TPA_OIDC_PROVIDER_CLIENT_SECRET env var | str | | +| tpa_single_node_aws_cognito_domain | Readed from TPA_OIDC_COGNITO_DOMAIN env var | str | | +| tpa_single_node_storage_secret | storage-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/storage-secret.yaml` | +| tpa_single_node_event_secret | event-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/event-secret.yaml` | +| tpa_single_node_oidc_secret | oidc-secret.yaml path on the target machine | str | `/etc/rhtpa/manifests/oidc-secret.yaml` | +| tpa_single_node_spog_ui_port | Spog ui port | int | `8080` | +| tpa_single_node_vexination_api_port | Vexination api port | int | `8081` | +| tpa_single_node_bombastic_api_port | Bombastic api port | int | `8082` | +| tpa_single_node_spog_api_port | Spog api port | int | `8084` | +| tpa_single_node_collector_osv_port | Collector OSV api port | int | `8085` | +| tpa_single_node_v11y_api_port | V11y api port | int 
| `8087` | +| tpa_single_node_collectorist_api_port | Collectorist api port | int | `8088` | +| tpa_single_node_guac_graphql_port | Guac GraphQl port | int | `8089` | +| tpa_single_node_bombastic_walker_suspended | Bombastic walker suspended flag | bool | `True` | +| tpa_single_node_dataset_job_suspended | Dataset job suspended flag | bool | `True` | +| tpa_single_node_vexination_walker_suspended | Vexination walker job suspended flag | bool | `True` | +| tpa_single_node_v11y_walker_suspended | V11y walker job suspended flag | bool | `False` | ## Example Playbook @@ -95,7 +102,7 @@ Deploy the [RHTPA](https://docs.redhat.com/en/documentation/red_hat_trusted_prof tpa_single_node_trust_cert_tls_key_path: # TODO: required, type: str tpa_single_node_nginx_tls_crt_path: # TODO: required, type: str tpa_single_node_nginx_tls_key_path: # TODO: required, type: str - + tasks: - name: Include TPA single node role ansible.builtin.include_role: diff --git a/roles/tpa_single_node/meta/argument_specs.yml b/roles/tpa_single_node/meta/argument_specs.yml index 471d5377..39d6c1c9 100644 --- a/roles/tpa_single_node/meta/argument_specs.yml +++ b/roles/tpa_single_node/meta/argument_specs.yml @@ -75,18 +75,28 @@ argument_specs: type: "str" version_added: "0.2.0" default: "guac" + tpa_single_node_pg_admin: + description: "DB admin user." + type: "str" + version_added: "1.2.0" + default: "postgres" + tpa_single_node_pg_admin_passwd: + description: "DB admin password." + type: "str" + version_added: "1.2.0" + default: "posgres1234" tpa_single_node_pg_user: - description: "DB username." + description: "DB user." type: "str" version_added: "0.2.0" default: "guac" tpa_single_node_pg_user_passwd: - description: "DB password." + description: "DB user password." type: "str" version_added: "0.2.0" default: "guac1234" tpa_single_node_pg_ssl_mode: - description: "DB SSL mode enabled/disabled." + description: "DB SSL mode require/disabled." type: "str" version_added: "0.2.0" default: "disable" 
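Review bot: The new `tpa_single_node_pg_admin_passwd` entry ships a plaintext default of `posgres1234`, which is a typo against the `postgres1234` that the README hunk in this commit documents and is a default that `vars/main.yml` never honours, since that file reads the value from `TPA_PG_ADMIN_PASSWORD` with no fallback. A password argument should not carry a default at all; drop the `default:` lines on `tpa_single_node_pg_admin_passwd` and `tpa_single_node_pg_user_passwd` and say in the description which environment variable supplies the value, e.g. `description: "DB admin password, read from the TPA_PG_ADMIN_PASSWORD env var."`. The `tpa_single_node_pg_ssl_mode` description now reads `require/disabled` while the default is `disable`; the accepted values are libpq sslmode names, so `disable`/`require` (and `verify-full` for an external DBMS) is the accurate wording.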
diff --git a/roles/tpa_single_node/tasks/guac/init.yml b/roles/tpa_single_node/tasks/guac/init.yml index 412e09e3..ef5ba8c0 100644 --- a/roles/tpa_single_node/tasks/guac/init.yml +++ b/roles/tpa_single_node/tasks/guac/init.yml @@ -9,14 +9,14 @@ - name: Run init-db.sql ansible.builtin.command: cmd: > - psql -v ON_ERROR_STOP=1 + psql + postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }} + -v ON_ERROR_STOP=1 -v db_name={{ tpa_single_node_pg_db }} -v db_user={{ tpa_single_node_pg_user }} -v db_password={{ tpa_single_node_pg_user_passwd }} -f /tmp/init-db.sql changed_when: false - become: true - become_user: postgres - name: Testing DB guac to make sure it is available ansible.builtin.command: "psql postgresql://{{ tpa_single_node_pg_user }}:{{ tpa_single_node_pg_user_passwd }}@\ diff --git a/roles/tpa_single_node/tasks/infra/main.yml b/roles/tpa_single_node/tasks/infra/main.yml index 27e2c777..d56acf08 100644 --- a/roles/tpa_single_node/tasks/infra/main.yml +++ b/roles/tpa_single_node/tasks/infra/main.yml @@ -1,10 +1,4 @@ --- -- name: Configure and deploy Postgres - ansible.builtin.include_tasks: infra/postgresql.yml - args: - apply: - become: true - - name: Configure OIDC ansible.builtin.include_tasks: infra/oidc.yml diff --git a/roles/tpa_single_node/tasks/infra/postgresql.yml b/roles/tpa_single_node/tasks/infra/postgresql.yml deleted file mode 100644 index 434f1752..00000000 --- a/roles/tpa_single_node/tasks/infra/postgresql.yml +++ /dev/null 
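Review bot: The rewritten `cmd:` now places the admin password and the app password on the psql command line (`postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@…` and `-v db_password=…`), where they show up in the process list on the managed node and in Ansible's task output and logs, and the task has no `no_log`. Add `no_log: true` to the task and hand the admin password to psql through `environment: { PGPASSWORD: "{{ tpa_single_node_pg_admin_passwd }}" }` instead of embedding it in the URI; the later hunks that reshape this command (the lint rewrite in PATCH 02/13 and the path change in PATCH 05/13) keep the same shape and need the same treatment. Unlike the guacmigrate `--db-address` changed in this commit, this URI carries no `?sslmode={{ tpa_single_node_pg_ssl_mode }}`, so psql uses libpq's default rather than the role's setting. With `become_user: postgres` dropped, local peer authentication is no longer available, so this task now depends entirely on the admin credentials being valid on the target DBMS.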
@@ -1,68 +0,0 @@ -# @postgres-remove ---- -- name: "Find out if PostgreSQL is initialized" - ansible.builtin.stat: - path: "/var/lib/pgsql/data/pg_hba.conf" - register: postgres_data - -- name: "Initialize PostgreSQL" - shell: "postgresql-setup --initdb" - when: not postgres_data.stat.exists - -- name: "Start and enable services" - service: "name={{ item }} state=started enabled=yes" - with_items: - - postgresql - -- name: "Install Python packages" - ansible.builtin.pip: - name: psycopg2-binary - -- name: "Create app database" - postgresql_db: - state: present - name: "{{ tpa_single_node_pg_db }}" - become: yes - become_user: postgres - -- name: "Create db user" - postgresql_user: - state: present - name: "{{ tpa_single_node_pg_user }}" - password: "{{ tpa_single_node_pg_user_passwd }}" - become: yes - become_user: postgres - -- name: "Grant db user access to app db" - postgresql_privs: - type: database - database: "{{ tpa_single_node_pg_db }}" - roles: "{{ tpa_single_node_pg_user }}" - grant_option: no - privs: all - become: yes - become_user: postgres - -- name: "Ensure the IP is set to all" - lineinfile: - path: /var/lib/pgsql/data/postgresql.conf - regexp: '^#?listen_addresses =' - line: "listen_addresses = '*'" - state: present - -- name: "Allow md5 connection for the db user" - postgresql_pg_hba: - dest: "/var/lib/pgsql/data/pg_hba.conf" - contype: host - databases: all - source: 0.0.0.0/0 - method: md5 - users: all - create: true - become: yes - become_user: postgres - -- name: Restart postgres - ansible.builtin.service: - name: postgresql - state: restarted diff --git a/roles/tpa_single_node/templates/manifests/collectorist/api/Configmap.yaml.j2 b/roles/tpa_single_node/templates/manifests/collectorist/api/Configmap.yaml.j2 index 8eff4506..df814b99 100644 --- a/roles/tpa_single_node/templates/manifests/collectorist/api/Configmap.yaml.j2 +++ b/roles/tpa_single_node/templates/manifests/collectorist/api/Configmap.yaml.j2 
@@ -12,7 +12,7 @@ data: collectors: osv: cadence: 1d - url: https://collector-osv-pod:{{ tpa_single_node_collector_osv_port }}/api/v1/ + url: https://{{ tpa_single_node_rhel_host }}:{{ tpa_single_node_collector_osv_port }}/api/v1/ interests: - package - vulnerability diff --git a/roles/tpa_single_node/templates/manifests/guac/graphql/Deployment.yaml.j2 b/roles/tpa_single_node/templates/manifests/guac/graphql/Deployment.yaml.j2 index e2f36e25..4f14a04e 100644 --- a/roles/tpa_single_node/templates/manifests/guac/graphql/Deployment.yaml.j2 +++ b/roles/tpa_single_node/templates/manifests/guac/graphql/Deployment.yaml.j2 @@ -31,7 +31,7 @@ spec: command: - /opt/guac/guacmigrate args: - - --db-address=postgres://{{ tpa_single_node_pg_user }}:{{ tpa_single_node_pg_user_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }}?sslmode={{ tpa_single_node_pg_ssl_mode }} + - --db-address=postgres://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }}?sslmode={{ tpa_single_node_pg_ssl_mode }} - --db-driver=postgres - --db-debug=true volumeMounts: null diff --git a/roles/tpa_single_node/vars/main.yml b/roles/tpa_single_node/vars/main.yml index 4a69b944..7a0fc632 100644 --- a/roles/tpa_single_node/vars/main.yml +++ b/roles/tpa_single_node/vars/main.yml 
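Review bot: The collector-osv `url` now points at `{{ tpa_single_node_rhel_host }}` instead of the `collector-osv-pod` name, which moves the collectorist→collector-osv call off the Podman network and onto the host address; this is unrelated to the external-DBMS change in the subject and deserves its own commit or at least a line in the description. If `tpa_single_node_rhel_host` is an IP, as its README description says, the TLS certificate presented on `tpa_single_node_collector_osv_port` needs an IP SAN for verification to succeed; the certificate setup for that service is not visible in this hunk, so please confirm. A short comment next to the line, e.g. `# use the host address rather than the pod name so the request goes through the published port`, would record why the pod name was abandoned.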
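Review bot: `guacmigrate` now runs with `tpa_single_node_pg_admin`/`tpa_single_node_pg_admin_passwd`, so the DBMS admin password is rendered into a pod spec argument on the managed node, readable by anyone who can inspect the container. If the admin role is needed only because the `guac` user does not own the schema, the least-privilege fix is to make `{{ tpa_single_node_pg_user }}` the owner of the database or schema in init-db.sql and keep the migration on the application credentials; otherwise add a comment above the argument stating why migrations need the admin account, e.g. `# guacmigrate runs as the DB admin because the guac role cannot alter the schema -- TODO confirm`. The surrounding `--db-debug=true` may also echo this connection string into the migration logs, which would be one more place the admin password lands.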
@@ -13,8 +13,10 @@ tpa_single_node_default_empty: "" tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}" tpa_single_node_pg_port: 5432 tpa_single_node_pg_db: guac +tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}" +tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}" tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}" -tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_PASSWORD') }}" +tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}" tpa_single_node_pg_ssl_mode: disable # Storage Service diff --git a/roles/tpa_single_node/vars/main_example_aws.yml b/roles/tpa_single_node/vars/main_example_aws.yml index 61a32804..1ff3c14c 100644 --- a/roles/tpa_single_node/vars/main_example_aws.yml +++ b/roles/tpa_single_node/vars/main_example_aws.yml @@ -11,12 +11,14 @@ tpa_single_node_systemd_directory: /etc/systemd/system tpa_single_node_default_empty: "" # DB_SERVICE -tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST', default='192.168.121.60') }}" +tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}" tpa_single_node_pg_port: 5432 tpa_single_node_pg_db: guac -tpa_single_node_pg_user: guac -tpa_single_node_pg_user_passwd: guac1234 -tpa_single_node_pg_ssl_mode: disable +tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}" +tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}" +tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}" +tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}" +tpa_single_node_pg_ssl_mode: require # Storage Service tpa_single_node_storage_type: s3 diff --git a/roles/tpa_single_node/vars/main_example_nonaws.yml b/roles/tpa_single_node/vars/main_example_nonaws.yml index fb2cc236..dde566bd 100644 --- a/roles/tpa_single_node/vars/main_example_nonaws.yml +++ b/roles/tpa_single_node/vars/main_example_nonaws.yml 
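Review bot: Renaming the environment variable from `TPA_PG_PASSWORD` to `TPA_PG_USER_PASSWORD` silently breaks existing deployments, because `lookup('env', …)` returns an empty string when the variable is unset and the role then proceeds with a blank password. Document the rename as a breaking change in the commit message and README, and consider failing early on an empty value, e.g. `tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') | mandatory('TPA_PG_USER_PASSWORD is not set') }}"`. The same empty-on-missing behaviour applies to the new `TPA_PG_ADMIN` and `TPA_PG_ADMIN_PASSWORD` lookups here and in the two example vars files of this commit, none of which the README describes the way it describes `TPA_PG_HOST`.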
@@ -11,11 +11,13 @@ tpa_single_node_systemd_directory: /etc/systemd/system tpa_single_node_default_empty: "" # DB_SERVICE -tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST', default='192.168.121.60') }}" +tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}" tpa_single_node_pg_port: 5432 tpa_single_node_pg_db: guac -tpa_single_node_pg_user: guac -tpa_single_node_pg_user_passwd: guac1234 +tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}" +tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}" +tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}" +tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}" tpa_single_node_pg_ssl_mode: disable # Storage Service From d775943bc0f2aa3d8c76a75c6f3fa714761cf39f Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Thu, 24 Oct 2024 03:06:05 +0200 Subject: [PATCH 02/13] Resolve lint issues --- roles/tpa_single_node/tasks/guac/init.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/roles/tpa_single_node/tasks/guac/init.yml b/roles/tpa_single_node/tasks/guac/init.yml index ef5ba8c0..edc6e774 100644 --- a/roles/tpa_single_node/tasks/guac/init.yml +++ b/roles/tpa_single_node/tasks/guac/init.yml 
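Review bot: `tpa_single_node_pg_ssl_mode: require` encrypts the connection to the external DBMS but does not verify the server certificate, so the AWS example still accepts any certificate presented on the RDS endpoint. For a managed service that publishes a CA bundle, `verify-full` with an `sslrootcert` pointing at that bundle is the setting that also authenticates the server; the role has no variable for a root certificate path yet, so that would need a companion argument, and I cannot tell from this hunk whether the psql and guacmigrate callers are wired to accept one. The `main_example_nonaws.yml` hunk in the same commit keeps `disable`, which now that the local PostgreSQL tasks are removed means credentials cross the network in clear; if that example still targets a remote DBMS, `require` would be the safer baseline.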
@@ -7,15 +7,13 @@ mode: "0666" - name: Run init-db.sql - ansible.builtin.command: - cmd: > - psql - postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }} - -v ON_ERROR_STOP=1 - -v db_name={{ tpa_single_node_pg_db }} - -v db_user={{ tpa_single_node_pg_user }} - -v db_password={{ tpa_single_node_pg_user_passwd }} - -f /tmp/init-db.sql + ansible.builtin.command: "psql postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@\ + {{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }} \ + -v ON_ERROR_STOP=1 \ + -v db_name={{ tpa_single_node_pg_db }} \ + -v db_user={{ tpa_single_node_pg_user }} \ + -v db_password={{ tpa_single_node_pg_user_passwd }} \ + -f /tmp/init-db.sql" changed_when: false - name: Testing DB guac to make sure it is available From 8aa212bc4191beb0ae324907ea8cefb7a8e58d70 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Thu, 24 Oct 2024 03:08:19 +0200 Subject: [PATCH 03/13] A trailing space --- roles/tpa_single_node/tasks/guac/init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tpa_single_node/tasks/guac/init.yml b/roles/tpa_single_node/tasks/guac/init.yml index edc6e774..51f307ab 100644 --- a/roles/tpa_single_node/tasks/guac/init.yml +++ b/roles/tpa_single_node/tasks/guac/init.yml @@ -11,7 +11,7 @@ {{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }} \ -v ON_ERROR_STOP=1 \ -v db_name={{ tpa_single_node_pg_db }} \ - -v db_user={{ tpa_single_node_pg_user }} \ + -v db_user={{ tpa_single_node_pg_user }} \ -v db_password={{ tpa_single_node_pg_user_passwd }} \ -f /tmp/init-db.sql" changed_when: false From dee8e144f0920ebcd94ba3f1e1418b9211eb0ced Mon Sep 17 00:00:00 2001 
From: Gilles Dubreuil Date: Thu, 24 Oct 2024 03:13:57 +0200 Subject: [PATCH 04/13] Another trailing space --- roles/tpa_single_node/meta/argument_specs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tpa_single_node/meta/argument_specs.yml b/roles/tpa_single_node/meta/argument_specs.yml index 39d6c1c9..f888b4c9 100644 --- a/roles/tpa_single_node/meta/argument_specs.yml +++ b/roles/tpa_single_node/meta/argument_specs.yml @@ -84,7 +84,7 @@ argument_specs: description: "DB admin password." type: "str" version_added: "1.2.0" - default: "posgres1234" + default: "posgres1234" tpa_single_node_pg_user: description: "DB user." type: "str" From 01b7a9963c630d4c526ab5b51b4a92758d6d6851 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Thu, 24 Oct 2024 15:45:05 +0200 Subject: [PATCH 05/13] Secure init-db.sql a bit --- roles/tpa_single_node/tasks/guac/init.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/tpa_single_node/tasks/guac/init.yml b/roles/tpa_single_node/tasks/guac/init.yml index 51f307ab..67c564e0 100644 --- a/roles/tpa_single_node/tasks/guac/init.yml +++ b/roles/tpa_single_node/tasks/guac/init.yml @@ -2,9 +2,9 @@ - name: Copy init-db.sql to Server ansible.builtin.copy: content: "{{ lookup('ansible.builtin.template', 'configs/init-db.sql') }}" - dest: "/tmp/init-db.sql" + dest: "{{ tpa_single_node_config_dir }}/init-db.sql" remote_src: true - mode: "0666" + mode: "0600" - name: Run init-db.sql ansible.builtin.command: "psql postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@\ @@ -13,7 +13,7 @@ -v db_name={{ tpa_single_node_pg_db }} \ -v db_user={{ tpa_single_node_pg_user }} \ -v db_password={{ tpa_single_node_pg_user_passwd }} \ - -f /tmp/init-db.sql" + -f {{ tpa_single_node_config_dir }}/init-db.sql" changed_when: false - name: Testing DB guac to make sure it is available From ebcfee0447401c8bee4b5cdf72aa89cea2a16a16 Mon Sep 17 00:00:00 2001 
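Review bot: Moving init-db.sql under `{{ tpa_single_node_config_dir }}` with `mode: "0600"` tightens access, but the rendered file is left in place after the `Run init-db.sql` task and no `owner:` is set, so it is owned by whichever account ran the play and persists across runs. Add a final `ansible.builtin.file` task with `state: absent` on `{{ tpa_single_node_config_dir }}/init-db.sql`, or render it through `ansible.builtin.tempfile` and remove it in the same play. `remote_src: true` appears to have no effect when `ansible.builtin.copy` is given `content:` rather than `src:`; that follows from the module's documented semantics rather than from anything in the hunk, so confirm before dropping it.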
From: Gilles Dubreuil Date: Thu, 24 Oct 2024 15:55:00 +0200 Subject: [PATCH 06/13] Flag pg installation --- roles/tpa_single_node/tasks/infra/main.yml | 7 ++ .../tasks/infra/postgresql.yml | 68 +++++++++++++++++++ roles/tpa_single_node/vars/main.yml | 1 + 3 files changed, 76 insertions(+) create mode 100644 roles/tpa_single_node/tasks/infra/postgresql.yml diff --git a/roles/tpa_single_node/tasks/infra/main.yml b/roles/tpa_single_node/tasks/infra/main.yml index d56acf08..79a25352 100644 --- a/roles/tpa_single_node/tasks/infra/main.yml +++ b/roles/tpa_single_node/tasks/infra/main.yml @@ -1,4 +1,11 @@ --- +- name: Configure and deploy Postgres + ansible.builtin.include_tasks: infra/postgresql.yml + args: + apply: + become: true + when: tpa_single_node_pg_install_enabled + - name: Configure OIDC ansible.builtin.include_tasks: infra/oidc.yml diff --git a/roles/tpa_single_node/tasks/infra/postgresql.yml b/roles/tpa_single_node/tasks/infra/postgresql.yml new file mode 100644 index 00000000..434f1752 --- /dev/null +++ b/roles/tpa_single_node/tasks/infra/postgresql.yml 
@@ -0,0 +1,68 @@ +# @postgres-remove +--- +- name: "Find out if PostgreSQL is initialized" + ansible.builtin.stat: + path: "/var/lib/pgsql/data/pg_hba.conf" + register: postgres_data + +- name: "Initialize PostgreSQL" + shell: "postgresql-setup --initdb" + when: not postgres_data.stat.exists + +- name: "Start and enable services" + service: "name={{ item }} state=started enabled=yes" + with_items: + - postgresql + +- name: "Install Python packages" + ansible.builtin.pip: + name: psycopg2-binary + +- name: "Create app database" + postgresql_db: + state: present + name: "{{ tpa_single_node_pg_db }}" + become: yes + become_user: postgres + +- name: "Create db user" + postgresql_user: + state: present + name: "{{ tpa_single_node_pg_user }}" + password: "{{ tpa_single_node_pg_user_passwd }}" + become: yes + become_user: postgres + +- name: "Grant db user access to app db" + postgresql_privs: + type: database + database: "{{ tpa_single_node_pg_db }}" + roles: "{{ tpa_single_node_pg_user }}" + grant_option: no + privs: all + become: yes + become_user: postgres + +- name: "Ensure the IP is set to all" + lineinfile: + path: /var/lib/pgsql/data/postgresql.conf + regexp: '^#?listen_addresses =' + line: "listen_addresses = '*'" + state: present + +- name: "Allow md5 connection for the db user" + postgresql_pg_hba: + dest: "/var/lib/pgsql/data/pg_hba.conf" + contype: host + databases: all + source: 0.0.0.0/0 + method: md5 + users: all + create: true + become: yes + become_user: postgres + +- name: Restart postgres + ansible.builtin.service: + name: postgresql + state: restarted diff --git a/roles/tpa_single_node/vars/main.yml b/roles/tpa_single_node/vars/main.yml index 7a0fc632..9a97efab 100644 --- a/roles/tpa_single_node/vars/main.yml +++ b/roles/tpa_single_node/vars/main.yml 
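Review bot: The re-added pg_hba rule (`contype: host`, `source: 0.0.0.0/0`, `method: md5`, `users: all`, `databases: all`) together with `listen_addresses = '*'` exposes the local PostgreSQL to every network the host is attached to with password-only authentication, which is far wider than the Podman network the containers use. Narrow `source:` to the Podman network CIDR or the host's own address, and prefer `method: scram-sha-256`, which `postgresql_pg_hba` accepts and which matches the default `password_encryption` on PostgreSQL 14 and later. When `tpa_single_node_pg_install_enabled` is set, `tasks/guac/init.yml` connects as `{{ tpa_single_node_pg_admin }}` over TCP with a password, but nothing in this file assigns a password to the `postgres` superuser, so unless `TPA_PG_ADMIN` is pointed at the guac role that connection is likely to be rejected by the md5 rule; please confirm. The file also uses the short module names (`shell`, `service`, `postgresql_db`, `lineinfile`) and `become: yes` that the rest of the series is cleaning up for lint, so it would be consistent to use FQCNs and `become: true` here as well.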
@@ -10,6 +10,7 @@ tpa_single_node_systemd_directory: /etc/systemd/system tpa_single_node_default_empty: "" # DB_SERVICE +tpa_single_node_pg_install_enabled: false tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}" tpa_single_node_pg_port: 5432 tpa_single_node_pg_db: guac From 11149b81ab23d45dd59225e1c2ed83a23ce208b7 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 11:36:22 +0200 Subject: [PATCH 07/13] Make pg users/passwd required --- roles/tpa_single_node/meta/argument_specs.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/tpa_single_node/meta/argument_specs.yml b/roles/tpa_single_node/meta/argument_specs.yml index f888b4c9..c5043706 100644 --- a/roles/tpa_single_node/meta/argument_specs.yml +++ b/roles/tpa_single_node/meta/argument_specs.yml @@ -78,21 +78,25 @@ argument_specs: tpa_single_node_pg_admin: description: "DB admin user." type: "str" + required: true version_added: "1.2.0" default: "postgres" tpa_single_node_pg_admin_passwd: description: "DB admin password." type: "str" + required: true version_added: "1.2.0" default: "posgres1234" tpa_single_node_pg_user: description: "DB user." type: "str" + required: true version_added: "0.2.0" default: "guac" tpa_single_node_pg_user_passwd: description: "DB user password." type: "str" + required: true version_added: "0.2.0" default: "guac1234" tpa_single_node_pg_ssl_mode: From 27465fed0f87bc01480f5ce67243412d97860ef9 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:21:35 +0200 Subject: [PATCH 08/13] Make pg ssl enabled by default --- README.md | 153 ++++++++++++++-------------- roles/tpa_single_node/README.md | 2 +- roles/tpa_single_node/vars/main.yml | 2 +- 3 files changed, 77 insertions(+), 80 deletions(-) diff --git a/README.md b/README.md index 28bc872b..eeb32b12 100644 --- a/README.md +++ b/README.md 
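Review bot: `tpa_single_node_pg_install_enabled` is a new role variable, but this commit adds it neither to `meta/argument_specs.yml` nor to the README table, so users have no documented way to discover or validate it. Add an entry next to the other DB_SERVICE arguments, e.g. `description: "Install and configure a local PostgreSQL on the managed node instead of using an external DBMS."`, `type: "bool"`, `default: false`. Because it lives in `vars/main.yml` rather than `defaults/main.yml`, role-vars precedence makes it awkward for a playbook to override; that is also true of the neighbouring DB_SERVICE vars and may be deliberate, but it is worth stating in the README.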
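Review bot: Each of the four entries now carries both `required: true` and a `default:`, which is contradictory — a parameter with a default is by definition not required, and Ansible's argument-spec validation treats the two as mutually exclusive for module specs, so please verify that role spec validation does not reject this on your ansible-core version. Keep `required: true` and delete the `default:` line on each entry, which also removes the plaintext `posgres1234` and `guac1234` defaults from the spec. Note that `vars/main.yml` always defines these variables (as the empty string when the env var is unset), so the `required` check is satisfied even when no password was supplied; an explicit `ansible.builtin.assert` with `that: tpa_single_node_pg_admin_passwd | length > 0` as the role's first task is what actually enforces the requirement.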
@@ -3,11 +3,10 @@ The purpose of this Ansible collection is to automate the deployment of the Red Hat Trusted Profile Analyzer (RHTPA) service on Red Hat Enterprise Linux (RHEL). > [!IMPORTANT] -Deploying RHTPA by using Ansible is a Technology Preview feature only. -Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. -These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. -See the support scope for [Red Hat Technology Preview](https://access.redhat.com/support/offerings/techpreview/) features for more details. - +> Deploying RHTPA by using Ansible is a Technology Preview feature only. +> Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. +> These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. +> See the support scope for [Red Hat Technology Preview](https://access.redhat.com/support/offerings/techpreview/) features for more details. ## Description 
@@ -24,66 +23,69 @@ An [NGINX](https://www.nginx.com) front end places an entrypoint to the RHTPA UI A set of self-signed certificates get generated at runtime to establishing secure communications. The ingress host name is follow, where `` is your deployment's base hostname: -* https://`` + +- https://`` ## Requirements -* Ansible 2.16.0 or greater -* Python 3.9.0 or greater -* RHEL x86\_64 9.3 or greater. -* Installation and configuration of Ansible on a control node to perform the automation. -* Installation of the Ansible collections on the control node. - * If installing from the Ansible Automation Hub, then run `ansible-galaxy install redhat.trusted_profile_analyzer`. - * If installing from this Git repository, then clone it locally, and run `ansible-galaxy collection install -r requirements.yml`. -* An OpenID Connect (OIDC) provider, such as [Keycloak](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/sso/). -* A PostgreSQL instance -* SQS like [Kafka](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/amq_streams/) -* S3 service or S3 compatible service -* Optional: +- Ansible 2.16.0 or greater +- Python 3.9.0 or greater +- RHEL x86_64 9.3 or greater. +- Installation and configuration of Ansible on a control node to perform the automation. +- Installation of the Ansible collections on the control node. + - If installing from the Ansible Automation Hub, then run `ansible-galaxy install redhat.trusted_profile_analyzer`. + - If installing from this Git repository, then clone it locally, and run `ansible-galaxy collection install -r requirements.yml`. +- An OpenID Connect (OIDC) provider, such as [Keycloak](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/sso/). 
+- A PostgreSQL instance +- SQS like [Kafka](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/amq_streams/) +- S3 service or S3 compatible service +- Optional: Installation of the `podman` binaries to verify that the RHTPA service is working as expected. ## Overview + The following components are provided by the customers: ### RedHat Single Sign On - For this, you will need to: - - * Install Keycloak - * Create a new realm - * Create the following roles for this realm - * `chicken-user` - * `chicken-manager` - * `chicken-admin` - * Make the `chicken-user` a default role - * Create the following scopes for this realm - * `read:document` - * `create:document` - * `delete:document` - * Add the `create:document` and `delete:document` scope to the `chicken-manager` role - * Create two clients - * One public client - * Set `standardFlowEnabled` to `true` - * Set `fullScopedAllowed` to `true` - * Set the following `defaultClientScopes` - * `read:document` - * `create:document` - * `delete:document` - * One protected client - * Set `publicClient` to `false` - * Set `serviecAccountsEnabled` to `true` - * Set `fullScopedAllowed` to `true` - * Set the following `defaultClientScopes` - * `read:document` - * `create:document` - * Add role `chicken-manager` to the service account of this client - * Increase the token timeout for both clients to at least 5 minutes - * Create a user, acting as administrator - * Add the `chicken-manager` and `chicken-admin` role to this user - - - -### RedHat Kafka streams - With the following topic names created: + +For this, you will need to: + +- Install Keycloak +- Create a new realm +- Create the following roles for this realm +- `chicken-user` +- `chicken-manager` +- `chicken-admin` +- Make the `chicken-user` a default role +- Create the following scopes for this realm + - `read:document` + - `create:document` + - `delete:document` +- Add the `create:document` and `delete:document` scope to the `chicken-manager` role +- 
Create two clients + - One public client + - Set `standardFlowEnabled` to `true` + - Set `fullScopedAllowed` to `true` + - Set the following `defaultClientScopes` + - `read:document` + - `create:document` + - `delete:document` + - One protected client + - Set `publicClient` to `false` + - Set `serviecAccountsEnabled` to `true` + - Set `fullScopedAllowed` to `true` + - Set the following `defaultClientScopes` + - `read:document` + - `create:document` + - Add role `chicken-manager` to the service account of this client + - Increase the token timeout for both clients to at least 5 minutes + - Create a user, acting as administrator + - Add the `chicken-manager` and `chicken-admin` role to this user + +### RedHat Kafka streams + +With the following topic names created: + ``` bombastic-failed-default bombastic-indexed-default 
@@ -95,34 +97,36 @@ The following components are provided by the customers: v11y-indexed-default v11y-stored-default ``` + configured in the main.yml ### Postgresql -Create a PostgreSQL database and configure your database credentials in the environment variables, see 'Verifying the deployment section', +Create a PostgreSQL database and configure your database credentials in the environment variables, see 'Verifying the deployment section', other database configurations are in the roles/tpa_single_node/vars/main.yml -### S3 or S3 compatible service like Minio - Have the following unversioned S3 bucket names created: - ``` - bombastic-default - vexination-default - v11y-default - ``` - configured in the main.yml +Postgres ssl mode is enabled by default. To disable it please change the following in vars/main.yml file: +`tpa_single_node_pg_ssl_mode: disable` +### S3 or S3 compatible service like Minio -* Details about how to configure the services can be found here [RHTPA external services deploy](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1/html-single/deployment_guide/index#installing-trusted-profile-analyzer-by-using-helm-with-other-services_deploy) -* [Trustification](https://github.com/trustification/trustification/blob/main/docs/modules/admin/pages/cluster-preparing.adoc) +Have the following unversioned S3 bucket names created: +``` +bombastic-default +vexination-default +v11y-default +``` +configured in the main.yml +- Details about how to configure the services can be found here [RHTPA external services deploy](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1/html-single/deployment_guide/index#installing-trusted-profile-analyzer-by-using-helm-with-other-services_deploy) +- [Trustification](https://github.com/trustification/trustification/blob/main/docs/modules/admin/pages/cluster-preparing.adoc) Utilize the steps below to understand how to setup and execute the provisioning. 
## Installation - Before using this collection, you need to install it with the Ansible Galaxy command-line tool: ``` @@ -131,7 +135,6 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer You can also include it in a `requirements.yml` file and install it with `ansible-galaxy collection install -r requirements.yml`, using the format: - ```yaml collections: - name: redhat.trusted_profile_analyzer @@ -171,12 +174,15 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer:==0.2.0 export TPA_EVENT_ACCESS_KEY_ID= export TPA_EVENT_SECRET_ACCESS_KEY= ``` + 2. In case of Kafka Events, create environmental variable for bootstrap server + ```shell export TPA_EVENT_BOOTSTRAP_SERVER= ``` 3. In case of AWS Cognito as OIDC, create environmental variable for Cognito Domain + ```shell export TPA_OIDC_COGNITO_DOMAIN= ``` @@ -184,15 +190,6 @@ export TPA_OIDC_COGNITO_DOMAIN= 4. Open the browser to call the UI https://`` - - - - - - - - - ## Prerequisites A RHEL 9.3+ server should be used to run the Trustification components. diff --git a/roles/tpa_single_node/README.md b/roles/tpa_single_node/README.md index a3603c24..2d34e230 100644 --- a/roles/tpa_single_node/README.md +++ b/roles/tpa_single_node/README.md @@ -5,7 +5,7 @@ Version: 0.2.0 Deploy the [RHTPA](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/) service on a single managed node by using the `tpa_single_node` role. -Requires RHEL 9.2 or later. +Requires RHEL 9.3 or later. ## Role Arguments diff --git a/roles/tpa_single_node/vars/main.yml b/roles/tpa_single_node/vars/main.yml index 9a97efab..eb0dd881 100644 --- a/roles/tpa_single_node/vars/main.yml +++ b/roles/tpa_single_node/vars/main.yml 
@@ -18,7 +18,7 @@ tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}" tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}" tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}" tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}" -tpa_single_node_pg_ssl_mode: disable +tpa_single_node_pg_ssl_mode: require # Storage Service tpa_single_node_storage_access_key: "{{ lookup('env', 'TPA_STORAGE_ACCESS_KEY') }}" # S3/minio root username From 93fa8e764ade2144ee814d865af4566b08d290f6 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:23:15 +0200 Subject: [PATCH 09/13] Remove some characters --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index eeb32b12..bf4b336a 100644 --- a/README.md +++ b/README.md 
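Review bot: `require` only guarantees an encrypted channel; under libpq semantics it does not verify the server certificate unless a root CA file happens to be present, so a connection to the external DBMS is still open to an impersonating server. If the target is RDS, as the series title suggests, the CA bundle is published by the provider and `verify-full` is the mode that authenticates the endpoint; that needs a variable for the CA path and a way to make the bundle available to the containers, which this change does not provide, so at minimum the README sentence "Postgres ssl mode is enabled by default" should say that `require` does not authenticate the server. A comment on the line, `# require = encrypt only; use verify-full with a CA bundle to authenticate the server`, would make the trade-off visible to operators.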
@@ -2,11 +2,11 @@ The purpose of this Ansible collection is to automate the deployment of the Red Hat Trusted Profile Analyzer (RHTPA) service on Red Hat Enterprise Linux (RHEL). -> [!IMPORTANT] -> Deploying RHTPA by using Ansible is a Technology Preview feature only. -> Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. -> These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. -> See the support scope for [Red Hat Technology Preview](https://access.redhat.com/support/offerings/techpreview/) features for more details. +[!IMPORTANT] +Deploying RHTPA by using Ansible is a Technology Preview feature only. +Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. +These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. +See the support scope for [Red Hat Technology Preview](https://access.redhat.com/support/offerings/techpreview/) features for more details. ## Description From 87ff8a04df7ca64da50b1cbb2302e22d52c728f2 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:25:38 +0200 Subject: [PATCH 10/13] Missing space --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bf4b336a..13dbbddb 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ The purpose of this Ansible collection is to automate the deployment of the Red Hat Trusted Profile Analyzer (RHTPA) service on Red Hat Enterprise Linux (RHEL). -[!IMPORTANT] + [!IMPORTANT] Deploying RHTPA by using Ansible is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. From 51c9e881bb63fcd79d9c0db3af4d3bbd160e7b59 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:26:53 +0200 Subject: [PATCH 11/13] Missing angle bracket --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 13dbbddb..d629b5b6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ The purpose of this Ansible collection is to automate the deployment of the Red Hat Trusted Profile Analyzer (RHTPA) service on Red Hat Enterprise Linux (RHEL). - [!IMPORTANT] +> [!IMPORTANT] Deploying RHTPA by using Ansible is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. From 237ddd64f2b5890bfb75a904e6b85157ccbf43a8 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:33:10 +0200 Subject: [PATCH 12/13] Restore README and add postgres ssl --- README.md | 145 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 76 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index d629b5b6..c353766e 100644 
--- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Technology Preview features are not supported with Red Hat production service le These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the support scope for [Red Hat Technology Preview](https://access.redhat.com/support/offerings/techpreview/) features for more details. + ## Description The RHTPA service is the downstream redistribution of the [Trustification](https://github.com/trustification/trustification) project. 
@@ -23,69 +24,66 @@ An [NGINX](https://www.nginx.com) front end places an entrypoint to the RHTPA UI A set of self-signed certificates get generated at runtime to establishing secure communications. The ingress host name is follow, where `` is your deployment's base hostname: - -- https://`` +* https://`` ## Requirements -- Ansible 2.16.0 or greater -- Python 3.9.0 or greater -- RHEL x86_64 9.3 or greater. -- Installation and configuration of Ansible on a control node to perform the automation. -- Installation of the Ansible collections on the control node. - - If installing from the Ansible Automation Hub, then run `ansible-galaxy install redhat.trusted_profile_analyzer`. - - If installing from this Git repository, then clone it locally, and run `ansible-galaxy collection install -r requirements.yml`. -- An OpenID Connect (OIDC) provider, such as [Keycloak](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/sso/). -- A PostgreSQL instance -- SQS like [Kafka](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/amq_streams/) -- S3 service or S3 compatible service -- Optional: +* Ansible 2.16.0 or greater +* Python 3.9.0 or greater +* RHEL x86\_64 9.3 or greater. +* Installation and configuration of Ansible on a control node to perform the automation. +* Installation of the Ansible collections on the control node. + * If installing from the Ansible Automation Hub, then run `ansible-galaxy install redhat.trusted_profile_analyzer`. + * If installing from this Git repository, then clone it locally, and run `ansible-galaxy collection install -r requirements.yml`. +* An OpenID Connect (OIDC) provider, such as [Keycloak](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/sso/). 
+* A PostgreSQL instance +* SQS like [Kafka](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/amq_streams/) +* S3 service or S3 compatible service +* Optional: Installation of the `podman` binaries to verify that the RHTPA service is working as expected. ## Overview - The following components are provided by the customers: ### RedHat Single Sign On - -For this, you will need to: - -- Install Keycloak -- Create a new realm -- Create the following roles for this realm -- `chicken-user` -- `chicken-manager` -- `chicken-admin` -- Make the `chicken-user` a default role -- Create the following scopes for this realm - - `read:document` - - `create:document` - - `delete:document` -- Add the `create:document` and `delete:document` scope to the `chicken-manager` role -- Create two clients - - One public client - - Set `standardFlowEnabled` to `true` - - Set `fullScopedAllowed` to `true` - - Set the following `defaultClientScopes` - - `read:document` - - `create:document` - - `delete:document` - - One protected client - - Set `publicClient` to `false` - - Set `serviecAccountsEnabled` to `true` - - Set `fullScopedAllowed` to `true` - - Set the following `defaultClientScopes` - - `read:document` - - `create:document` - - Add role `chicken-manager` to the service account of this client - - Increase the token timeout for both clients to at least 5 minutes - - Create a user, acting as administrator - - Add the `chicken-manager` and `chicken-admin` role to this user - -### RedHat Kafka streams - -With the following topic names created: - + For this, you will need to: + + * Install Keycloak + * Create a new realm + * Create the following roles for this realm + * `chicken-user` + * `chicken-manager` + * `chicken-admin` + * Make the `chicken-user` a default role + * Create the following scopes for this realm + * `read:document` + * `create:document` + * `delete:document` + * Add the `create:document` and `delete:document` scope to the `chicken-manager` role + * 
Create two clients + * One public client + * Set `standardFlowEnabled` to `true` + * Set `fullScopedAllowed` to `true` + * Set the following `defaultClientScopes` + * `read:document` + * `create:document` + * `delete:document` + * One protected client + * Set `publicClient` to `false` + * Set `serviecAccountsEnabled` to `true` + * Set `fullScopedAllowed` to `true` + * Set the following `defaultClientScopes` + * `read:document` + * `create:document` + * Add role `chicken-manager` to the service account of this client + * Increase the token timeout for both clients to at least 5 minutes + * Create a user, acting as administrator + * Add the `chicken-manager` and `chicken-admin` role to this user + + + +### RedHat Kafka streams + With the following topic names created: ``` bombastic-failed-default bombastic-indexed-default 
@@ -97,36 +95,38 @@ With the following topic names created: v11y-indexed-default v11y-stored-default ``` - configured in the main.yml ### Postgresql -Create a PostgreSQL database and configure your database credentials in the environment variables, see 'Verifying the deployment section', +Create a PostgreSQL database and configure your database credentials in the environment variables, see 'Verifying the deployment section', other database configurations are in the roles/tpa_single_node/vars/main.yml Postgres ssl mode is enabled by default. To disable it please change the following in vars/main.yml file: -`tpa_single_node_pg_ssl_mode: disable` +`tpa_single_node_pg_ssl_mode: disable`. + ### S3 or S3 compatible service like Minio + Have the following unversioned S3 bucket names created: + ``` + bombastic-default + vexination-default + v11y-default + ``` + configured in the main.yml -Have the following unversioned S3 bucket names created: -``` -bombastic-default -vexination-default -v11y-default -``` +* Details about how to configure the services can be found here [RHTPA external services deploy](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1/html-single/deployment_guide/index#installing-trusted-profile-analyzer-by-using-helm-with-other-services_deploy) +* [Trustification](https://github.com/trustification/trustification/blob/main/docs/modules/admin/pages/cluster-preparing.adoc) + -configured in the main.yml -- Details about how to configure the services can be found here [RHTPA external services deploy](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1/html-single/deployment_guide/index#installing-trusted-profile-analyzer-by-using-helm-with-other-services_deploy) -- [Trustification](https://github.com/trustification/trustification/blob/main/docs/modules/admin/pages/cluster-preparing.adoc) Utilize the steps below to understand how to setup and execute the provisioning. 
## Installation + Before using this collection, you need to install it with the Ansible Galaxy command-line tool: ``` @@ -135,6 +135,7 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer You can also include it in a `requirements.yml` file and install it with `ansible-galaxy collection install -r requirements.yml`, using the format: + ```yaml collections: - name: redhat.trusted_profile_analyzer @@ -174,15 +175,12 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer:==0.2.0 export TPA_EVENT_ACCESS_KEY_ID= export TPA_EVENT_SECRET_ACCESS_KEY= ``` - 2. In case of Kafka Events, create environmental variable for bootstrap server - ```shell export TPA_EVENT_BOOTSTRAP_SERVER= ``` 3. In case of AWS Cognito as OIDC, create environmental variable for Cognito Domain - ```shell export TPA_OIDC_COGNITO_DOMAIN= ``` @@ -190,6 +188,15 @@ export TPA_OIDC_COGNITO_DOMAIN= 4. Open the browser to call the UI https://`` + + + + + + + + + ## Prerequisites A RHEL 9.3+ server should be used to run the Trustification components. From ed6e4b192acbfc77d372d162f2ce0837f52701e8 Mon Sep 17 00:00:00 2001 From: Gilles Dubreuil Date: Fri, 25 Oct 2024 12:35:38 +0200 Subject: [PATCH 13/13] Add PG users to README --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c353766e..ca45d6f3 100644 --- a/README.md +++ b/README.md @@ -163,9 +163,11 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer:==0.2.0 export TPA_SINGLE_NODE_REGISTRATION_PASSWORD= export TPA_SINGLE_NODE_REGISTRY_USERNAME= export TPA_SINGLE_NODE_REGISTRY_PASSWORD= - export TPA_PG_HOST= - export TPA_PG_USER= - export TPA_PG_PASSWORD== + export TPA_PG_HOST= + export TPA_PG_ADMIN= + export TPA_PG_ADMIN_PASSWORD== + export TPA_PG_USER= + export TPA_PG_USER_PASSWORD== export TPA_STORAGE_ACCESS_KEY= export TPA_STORAGE_SECRET_KEY= export TPA_OIDC_ISSUER_URL=