From 20bba195f4f7fd3a1ac765a4faa93429fdcb558e Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 11:41:32 +0200
Subject: [PATCH 1/8] add security group for motley-cue
---
 deploy/cloud-info/main.tf | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/deploy/cloud-info/main.tf b/deploy/cloud-info/main.tf
index ac96a893..68aecc5a 100644
--- a/deploy/cloud-info/main.tf
+++ b/deploy/cloud-info/main.tf
@@ -1,8 +1,24 @@
+resource "openstack_networking_secgroup_v2" "motley" {
+ name = "motley"
+ description = "Open ports for motley-cue"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "motley-8080" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 8080
+ port_range_max = 8080
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.motley.id
+}
+
 resource "openstack_compute_instance_v2" "cloud-info" {
 name = "cloud-info"
 image_id = var.image_id
 flavor_id = var.flavor_id
- security_groups = ["default"]
+ security_groups = ["default", "motley"]
 user_data = file("cloud-init.yaml")
 network {
 uuid = var.net_id
From f6ab7f7328a2ca01efb2112003ec2e3fbafcc0d2 Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 11:41:58 +0200
Subject: [PATCH 2/8] enable ssh-oidc again
---
 deploy/playbook.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/playbook.yaml b/deploy/playbook.yaml
index c1172ef5..6f9bad2e 100644
--- a/deploy/playbook.yaml
+++ b/deploy/playbook.yaml
@@ -7,7 +7,7 @@
 ssh_oidc_other_vos_name: cloud.egi.eu
 ssh_oidc_other_vos_role: auditor
 tags:
- - never
+ - always
 - role: catchall
 vars:
 site_config_dir: ../sites/
From 0f5391ad8dd52906413a7f5fd9dc2385727d76e0 Mon Sep 17 00:00:00 2001
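Review bot: The motley-8080 rule admits TCP/8080 from `0.0.0.0/0`, so whatever motley-cue serves on that port is reachable from the whole IPv4 internet the moment the instance comes up; unless anonymous access is intended, narrow `remote_ip_prefix` to the client ranges that need it, e.g. through a variable such as `var.motley_allowed_cidr` with a documented default. The instance attaches the group by the literal string "motley", which gives Terraform no dependency edge on the new resource; `security_groups = ["default", openstack_networking_secgroup_v2.motley.name]` orders creation correctly and survives a rename. `delete_default_rules = "true"` also removes the provider's default egress rules from this group, which is only harmless while "default" stays attached; writing it as the boolean `true` matches the attribute type.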
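Review bot: Switching the ssh_oidc role's tag from `never` to `always` does more than re-enable it: `always` runs the role on every invocation regardless of the `--tags "$TAGS"` selection deploy.sh passes, so it can no longer be left out without `--skip-tags`. If the intent is only to bring it back into the normal run, a role-specific tag (e.g. `ssh_oidc`) or dropping the `tags` key keeps it selectable. The role entry this tag belongs to starts above the hunk.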
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 11:42:29 +0200
Subject: [PATCH 3/8] pass access token to motley-cue role and pip install ansible
---
 deploy/deploy.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index fa98aee8..d53ad0dd 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -30,6 +30,17 @@ image_sync_image: "ghcr.io/egi-federation/fedcloud-image-sync:sha-$SHORT_SHA"
 site_config_dir: "$(readlink -f ../sites)"
 EOF
+# get access token for motley-cue
+CLIENT_ID=$(yq -r '.fedcloudops.client_id' secrets.yaml)
+CLIENT_SECRET=$(yq -r '.fedcloudops.client_secret' secrets.yaml)
+SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+ACCESS_TOKEN=$(curl --request POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
+ --data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&scope=$SCOPE" \
+ | jq -r ".access_token")
+
+# use pip-installed Ansible (apt version is too old)
+pip install ansible
+
 # install Ansible dependencies
 ansible-galaxy role install -r galaxy-requirements.yaml
@@ -37,6 +48,7 @@ ansible-galaxy role install -r galaxy-requirements.yaml
 if ansible-playbook -i inventory.yaml \
 --extra-vars @secrets.yaml \
 --extra-vars @extra-vars.yaml \
+ --extra-vars ACCESS_TOKEN=$ACCESS_TOKEN \
 --tags "$TAGS" \
 playbook.yaml >ansible.log 2>&1; then
 status_summary="success"
From e47e38ce7e056b1758338bdd2425b2ac8636c6da Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 11:43:06 +0200
Subject: [PATCH 4/8] use python3-venv instead of python3.10-venv and do not install ansible with apt
---
 deploy/cloud-init.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml
index b388144f..1deac98b 100644
--- a/deploy/cloud-init.yaml
+++ b/deploy/cloud-init.yaml
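Review bot: The curl call puts `client_secret=$CLIENT_SECRET` in a command-line argument, so the OIDC client secret is readable in the process list by every local user on the deploy host for the duration of the request; feed the form body through stdin instead, e.g. `--data @-` with a here-string, or `--data-urlencode "client_secret@<secret-file>"`, which also removes the need for the hand-encoded `%20` in `SCOPE`. Nothing validates the response: without `--fail -sS` an HTTP 4xx from the token endpoint still returns JSON, `jq -r ".access_token"` turns a missing key into the literal string `null`, and the script continues with that as the token (whether `set -e`/`pipefail` is active is not visible in this hunk); check for an empty or `null` value and abort before the playbook runs. `pip install ansible` is unpinned and runs against whichever interpreter is first on PATH, so each deploy may pick a different Ansible release; pin a version and, since cloud-init now installs python3-venv, presumably run it from a venv — the venv setup is not visible here.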
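Review bot: `--extra-vars ACCESS_TOKEN=$ACCESS_TOKEN` places the bearer token on the ansible-playbook command line, where it is readable via `ps` by other local users for the whole playbook run and can end up in shell history or CI job logs. The pattern already used for secrets is the better fit: write it to a 0600 file and pass `--extra-vars @token.yaml`, or export it and read it in the role with `lookup('env', 'ACCESS_TOKEN')`. Any task in the motley-cue role that handles the variable should also set `no_log: true`, otherwise the token is written to ansible.log on failure; that role is outside this diff.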
@@ -13,11 +13,10 @@ users:
 packages:
 - git
- - ansible
 - jq
 - python3-openstackclient
 - python3-pip
- - python3.10-venv
+ - python3-venv
 - retry
 write_files:
From 52d3426a83a9925ef9059bab32fda72d9630fdcd Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 12:04:04 +0200
Subject: [PATCH 5/8] linting
---
 deploy/cloud-info/backend.tf | 8 --------
 deploy/deploy.sh | 2 +-
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/deploy/cloud-info/backend.tf b/deploy/cloud-info/backend.tf
index 1fabdd85..9adb13c2 100644
--- a/deploy/cloud-info/backend.tf
+++ b/deploy/cloud-info/backend.tf
@@ -1,11 +1,3 @@
-# This is where the info about the deployment is to be stored
-terraform {
- backend "swift" {
- container = "terraform"
- cloud = "backend"
- }
-}
-
 # The provider where the deployment is actually performed
 provider "openstack" {
 cloud = "deploy"
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index d53ad0dd..a726c5de 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -48,7 +48,7 @@ ansible-galaxy role install -r galaxy-requirements.yaml
 if ansible-playbook -i inventory.yaml \
 --extra-vars @secrets.yaml \
 --extra-vars @extra-vars.yaml \
- --extra-vars ACCESS_TOKEN=$ACCESS_TOKEN \
+ --extra-vars ACCESS_TOKEN="$ACCESS_TOKEN" \
 --tags "$TAGS" \
 playbook.yaml >ansible.log 2>&1; then
 status_summary="success"
From 615151371ce8819c5051fa7e4d42ecb3effb6186 Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 12:09:03 +0200
Subject: [PATCH 6/8] linting
---
 deploy/deploy.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index a726c5de..baecc940 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -35,8 +35,8 @@ CLIENT_ID=$(yq -r '.fedcloudops.client_id' secrets.yaml)
 CLIENT_SECRET=$(yq -r '.fedcloudops.client_secret' secrets.yaml)
 SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
 ACCESS_TOKEN=$(curl --request POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
- --data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&scope=$SCOPE" \
- | jq -r ".access_token")
+ --data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&scope=$SCOPE" |
+ jq -r ".access_token")
 # use pip-installed Ansible (apt version is too old)
 pip install ansible
From a4343a32f731639eab37745308028876545c45d2 Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 12:44:39 +0200
Subject: [PATCH 7/8] Revert "linting"
This reverts commit 52d3426a83a9925ef9059bab32fda72d9630fdcd.
---
 deploy/cloud-info/backend.tf | 8 ++++++++
 deploy/deploy.sh | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/deploy/cloud-info/backend.tf b/deploy/cloud-info/backend.tf
index 9adb13c2..1fabdd85 100644
--- a/deploy/cloud-info/backend.tf
+++ b/deploy/cloud-info/backend.tf
@@ -1,3 +1,11 @@
+# This is where the info about the deployment is to be stored
+terraform {
+ backend "swift" {
+ container = "terraform"
+ cloud = "backend"
+ }
+}
+
 # The provider where the deployment is actually performed
 provider "openstack" {
 cloud = "deploy"
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index baecc940..891db59f 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -48,7 +48,7 @@ ansible-galaxy role install -r galaxy-requirements.yaml
 if ansible-playbook -i inventory.yaml \
 --extra-vars @secrets.yaml \
 --extra-vars @extra-vars.yaml \
- --extra-vars ACCESS_TOKEN="$ACCESS_TOKEN" \
+ --extra-vars ACCESS_TOKEN=$ACCESS_TOKEN \
 --tags "$TAGS" \
 playbook.yaml >ansible.log 2>&1; then
 status_summary="success"
From a57bd1c5f68f220972ff4dd3169cb7ea7d5d476a Mon Sep 17 00:00:00 2001
From: Sebastian Luna-Valero
Date: Tue, 17 Sep 2024 12:47:18 +0200
Subject: [PATCH 8/8] linting without messing around
---
 deploy/deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 891db59f..baecc940 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -48,7 +48,7 @@ ansible-galaxy role install -r galaxy-requirements.yaml
 if ansible-playbook -i inventory.yaml \
 --extra-vars @secrets.yaml \
 --extra-vars @extra-vars.yaml \
- --extra-vars ACCESS_TOKEN=$ACCESS_TOKEN \
+ --extra-vars ACCESS_TOKEN="$ACCESS_TOKEN" \
 --tags "$TAGS" \
 playbook.yaml >ansible.log 2>&1; then
 status_summary="success"