release/596

.editorconfig

@@ -9,6 +9,7 @@ end_of_line = lf
 insert_final_newline = true
 indent_style = space
 indent_size = 2
+max_line_length = 180
 
 [*.py]
 indent_size = 4

environments/template/secrets/secret_example.yml

@@ -32,7 +32,7 @@ myconext_verify_client_id: secret
 myconext_verify_secret: secret
 engine_api_profile_password: secret
 engine_api_deprovision_password: secret
-engine_parameters_secret: secret
+engine_parameters_secret: secretsecretsecretsecretsecretsecret  # need 32 chars
 
 profile_secret: secret
 

provision.yml

@@ -140,7 +140,7 @@
   hosts: docker_engineblock
   become: true
   roles:
-    - engineblock
+    - engine
   tags: ['engineblock', 'eb']
 
 - name: Deploy invite app

roles/engineblock/defaults/main.yml → roles/engine/defaults/main.yml

@@ -22,22 +22,8 @@ engine_feature_send_user_attributes: 0
 engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50
 engine_wayf_show_remember_choice: false
 
-## Engine installer specific variables.
-engine_version_dir: "{{ engine_version | replace('/', '-') }}"
-engine_branch_dir: "{{ openconext_builds_dir }}/OpenConext-engineblock-{{ engine_branch | replace('/', '-') }}"
-engine_release_dir: "{{ openconext_releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}"
-engine_build_path: "{{ openconext_builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz"
-engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz"
-engine_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-engineblock"
-
-engine_ipv4_address: "*"
-# engine_ipv6_address:
-engine_api_ipv4_address: "*"
-# engine_api_ipv6_address:
-
 # Required for the Symfony routing.
 engine_base_domain: "{{ base_domain }}"
-
 engine_domain: engine.{{ base_domain }}
 
 engine_debug: false
@@ -89,8 +75,6 @@ engine_stepup_gateway_loa3: "http://{{ engine_stepup_base_domain }}/assurance/lo
 engine_stepup_gateway_sfo_entity_id: "https://{{ engine_stepup_gateway_domain }}/second-factor-only/metadata"
 # The single sign-on endpoint used for Stepup Gateway SFO callouts
 engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain }}/second-factor-only/single-sign-on"
-# The public key from the Stepup Gateway IdP
-engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }}"
 
 ## The minimum priority of messages that will be logged
 engine_logging_passthru_level: NOTICE
@@ -104,13 +88,12 @@ engine_idp_debugging_to_name: "{{ instance_name }} Admin"
 engine_idp_debugging_email_address: "{{ support_email }}"
 engine_idp_debugging_subject: "IdP debug info from %1$s"
 
-eb_support_url: "https://example.org"
-eb_support_url_nameid: "https://example.org"
-eb_tos_url: "https://example.org"
+engine_support_url: "https://example.org"
+engine_support_url_nameid: "https://example.org"
 
 engine_site_notice_show: false
 
-engineblock_log_attributes: []
+engine_log_attributes: []
 
 engine_php_memory: 256M
 engine_docker_networks:

roles/engineblock/handlers/main.yml → roles/engine/handlers/main.yml

@@ -1,10 +1,10 @@
 ---
-- name: restart engine
+- name: Restart engine
   community.docker.docker_container:
     name: engineblock
     state: started
     restart: true
     # avoid restarting it creates unexpected data loss according to docker_container_module notes
     comparisons:
       '*': ignore
-  when: ebcontainer is success and ebcontainer is not change
+  when: engine_container is success and engine_container is not change

roles/engineblock/tasks/main.yml → roles/engine/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Add group engine
   ansible.builtin.group:
     name: "engine"
@@ -20,77 +21,79 @@
     group: root
     mode: "0755"
   with_items:
-    - "{{ current_release_config_dir_name }}"
-    - "{{ current_release_config_dir_name }}/certs"
-    - "{{ current_release_config_dir_name }}/configs"
-    - "{{ current_release_config_dir_name }}/images"
-    - "{{ current_release_config_dir_name }}/languages"
+    - "{{ _engine_config_dir }}"
+    - "{{ _engine_config_dir }}/certs"
+    - "{{ _engine_config_dir }}/configs"
+    - "{{ _engine_config_dir }}/images"
+    - "{{ _engine_config_dir }}/languages"
 
 - name: Place parameters.yml
   ansible.builtin.template:
-    src: parameters.yml.j2
-    dest: "{{ current_release_config_dir_name }}/configs/parameters.yml"
+    src: "{{ item }}.j2"
+    dest: "{{ _engine_config_dir }}/configs/{{ item }}"
     mode: "0640"
-    owner: root
-    group: engine
-  notify: restart engine
+    owner: "root"
+    group: "engine"
+  with_items:
+    - "parameters.yml"
+    - "monolog.yml"
+  notify: "Restart engine"
 
 - name: Check presence of environment specific attributes.json
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/eb/attributes.json"
-  register: attributes_json_present
+  register: engine_attributes_json_present
   become: false
   delegate_to: localhost
 
 - name: Copy environment specific attributes.json
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/eb/attributes.json"
-    dest: "{{ current_release_config_dir_name }}/configs/"
+    dest: "{{ _engine_config_dir }}/configs/"
     mode: "0644"
     owner: root
     group: engine
-  when: attributes_json_present.stat.exists
+  when: engine_attributes_json_present.stat.exists
 
 - name: Check presence of language specific overrides
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/eb/languages/"
-  register: overrides_present
+  register: engine_overrides_present
   become: false
   delegate_to: localhost
 
 - name: Copy language specific overrides
   ansible.builtin.template:
     src: "{{ item }}"
-    dest: "{{ current_release_config_dir_name }}/languages/"
+    dest: "{{ _engine_config_dir }}/languages/"
     owner: root
     group: engine
     mode: "0644"
-  when: overrides_present.stat.exists
+  when: engine_overrides_present.stat.exists
   with_fileglob:
     - "{{ inventory_dir }}/files/eb/languages/*"
-  notify:
-    - "restart engine"
+  notify: "Restart engine"
 
 - name: Check if we have a custom logo
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/logo.png"
-  register: customlogo
+  register: engine_customlogo
   become: false
   delegate_to: localhost
 
 - name: Install environment specific logo
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/logo.png"
-    dest: "{{ current_release_config_dir_name }}/images/"
+    dest: "{{ _engine_config_dir }}/images/"
     owner: root
     group: engine
     mode: "0644"
-  when: customlogo.stat.exists
+  when: engine_customlogo.stat.exists
 
 - name: Check if we have a custom favicon
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/favicon.ico"
-  register: customfavicon
+  register: engine_customfavicon
   become: false
   delegate_to: localhost
 
@@ -101,60 +104,60 @@
     owner: root
     group: root
     mode: "0644"
-  when: customfavicon.stat.exists
+  when: engine_customfavicon.stat.exists
 
 - name: Check if we have a custom background back image for the feedback page
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/eb/background-back.svg"
-  register: eb_customfeedbackbackground
+  register: engine_customfeedbackbackground
   become: false
   delegate_to: localhost
 
 - name: Install environment specific background back image
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/eb/background-back.svg"
-    dest: "{{ current_release_config_dir_name }}/images/"
+    dest: "{{ _engine_config_dir }}/images/"
     owner: root
     group: engine
     mode: "0644"
-  when: eb_customfeedbackbackground.stat.exists
+  when: engine_customfeedbackbackground.stat.exists
 
 - name: Check if we have a custom background front image for the feedback page
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/eb/background-front.svg"
-  register: eb_customfeedbackforeground
+  register: engine_customfeedbackforeground
   become: false
   delegate_to: localhost
 
 - name: Install environment specific background front image
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/eb/background-front.svg"
-    dest: "{{ current_release_config_dir_name }}/images/"
+    dest: "{{ _engine_config_dir }}/images/"
     owner: root
     group: engine
     mode: "0644"
-  when: eb_customfeedbackforeground.stat.exists
+  when: engine_customfeedbackforeground.stat.exists
 
 - name: Check if we have a Stepup GW certificate
   ansible.builtin.stat:
     path: "{{ inventory_dir }}/files/certs/stepup_gateway.pem"
-  register: eb_stepupgwcert
+  register: engine_stepupgwcert
   become: false
   delegate_to: localhost
 
 - name: Install Stepup GW certificate
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/certs/stepup_gateway.pem"
-    dest: "{{ current_release_config_dir_name }}/certs/"
+    dest: "{{ _engine_config_dir }}/certs/"
     owner: root
     group: engine
     mode: "0644"
-  when: eb_stepupgwcert.stat.exists
+  when: engine_stepupgwcert.stat.exists
 
 - name: Copy over the engineblock keys
   ansible.builtin.copy:
     content: "{{ item.private_key }}"
-    dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.key"
+    dest: "{{ _engine_config_dir }}/certs/{{ item.name }}.key"
     owner: root
     group: engine
     mode: "0440"
@@ -164,7 +167,7 @@
 - name: Copy engineblock certificates to correct location
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/certs/{{ item.crt_name }}"
-    dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.crt"
+    dest: "{{ _engine_config_dir }}/certs/{{ item.name }}.crt"
     owner: root
     group: engine
     mode: "0644"
@@ -189,7 +192,7 @@
     image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }}
     pull: true
     restart_policy: "always"
-    networks: "{{ engine_docker_networks}}"
+    networks: "{{ engine_docker_networks }}"
     labels:
       traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)"
       traefik.http.routers.engine.service: "engineblock"
@@ -203,37 +206,55 @@
       APACHE_GUID: "#{{ engine_guid.gid }}"
       TZ: "{{ timezone }}"
       PHP_MEMORY_LIMIT: "{{ engine_php_memory }}"
+      APP_ENV: "prod"
+      APP_SECRET: "{{ engine_parameters_secret }}"
+      APP_DEBUG: "{{ engine_debug | bool | int }}"
     etc_hosts:
       host.docker.internal: host-gateway
     mounts:
-      - source: "{{ current_release_config_dir_name }}/configs/parameters.yml"
-        target: "/var/www/html/app/config/parameters.yml"
+      - source: "{{ _engine_config_dir }}/configs/"
+        target: "{{ _engine_container_config_dir }}"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/languages/overrides.en.php"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/languages/overrides.en.php"
         target: "/var/www/html/languages/overrides.en.php"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/languages/overrides.nl.php"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/languages/overrides.nl.php"
         target: "/var/www/html/languages/overrides.nl.php"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/configs/attributes.json"
-        target: "/var/www/html/app/config/attributes.json"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/configs/attributes.json"
+        target: "{{ _engine_container_config_dir }}/attributes.json"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/images/background-back.svg"
-        target: "/var/www/html/web/images/background-back.svg"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/images/background-back.svg"
+        target: "/var/www/html/public/images/background-back.svg"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/images/background-front.svg"
-        target: "/var/www/html/web/images/background-front.svg"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/images/background-front.svg"
+        target: "/var/www/html/public/images/background-front.svg"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/images/logo.png"
-        target: "/var/www/html/web/images/logo.png"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/images/logo.png"
+        target: "/var/www/html/public/images/logo.png"
         type: bind
-      - source: "{{ current_release_config_dir_name }}/certs/"
+        read_only: true
+      - source: "{{ _engine_config_dir }}/certs/"
         target: "/var/www/html/certs/"
         type: bind
+        read_only: true
       - source: "/opt/openconext/common/favicon.ico"
-        target: "/var/www/html/web/favicon.ico"
+        target: "/var/www/html/public/favicon.ico"
         type: bind
-      - source: engineblock_sessions
-        target: /tmp/
+        read_only: true
+      - source: "engineblock_sessions"
+        target: "/tmp/"
         type: volume
-  register: ebcontainer
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail -s http://localhost/internal/health | grep -q '\"status\":\"UP\"'"]
+      start_period: 60s
+      interval: 10s
+      timeout: 1s
+      retries: 20
+  register: "engine_container"