From 2a364dbbea254ba2df9ddf18050e4855aa57ede7 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Mon, 9 Dec 2024 10:32:17 -0500
Subject: [PATCH 1/6] rm EL7 related files (#255)
---
.../ood_portal.yml.custom.httpd24-httpd | 484 ------------------
.../ood_portal.yml.default.httpd24-httpd | 478 -----------------
.../config/ood_portal.yml.oidc.httpd24-httpd | 482 -----------------
vars/CentOS/7.yml | 21 -
vars/RedHat/7.yml | 19 -
5 files changed, 1484 deletions(-)
delete mode 100644 molecule/default/fixtures/config/ood_portal.yml.custom.httpd24-httpd
delete mode 100644 molecule/default/fixtures/config/ood_portal.yml.default.httpd24-httpd
delete mode 100644 molecule/default/fixtures/config/ood_portal.yml.oidc.httpd24-httpd
delete mode 100644 vars/CentOS/7.yml
delete mode 100644 vars/RedHat/7.yml
diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd24-httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd24-httpd
deleted file mode 100644
index 4eaaa7b..0000000
--- a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd24-httpd
+++ /dev/null
@@ -1,484 +0,0 @@ -# Ansible managed: Do NOT edit this file manually! ---- -# -# Portal configuration -# - -# The address and port to listen for connections on -# Example: -# listen_addr_port: 443 -# Default: null (don't add any more listen directives) -#listen_addr_port: null - -# The server name used for name-based Virtual Host -# Example: -# servername: 'www.example.com' -# Default: null (don't use name-based Virtual Host) -servername: localhost - -# The server aliases used for the name-based Virtual Host -# Example: -# server_aliases: -# - foo.example.com -server_aliases: - - 'other-site.notrealdoman.edu' - -# The server name used for rewrites -# Example: -# proxy_server: 'proxy.example.com' -# Default: The value of servername -#proxy_server: null - -# The port specification for the Virtual Host -# Example: -# port: 8080 -#Default: null (use default port 80 or 443 if SSL enabled) -port: 80 - -# List of SSL Apache directives -# Example: -# ssl: -# - 'SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"' -# - 'SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"' -# Default: null (no SSL support) -# Default: null (no SSL support) - -# Disable logging entirely. With this you can have custom log directives -# in a seperate configuration file. 
-# Example: -# disable_logs: true -# Default: false (logs are enabled) -#disable_logs: false - -# Root directory of log files (can be relative ServerRoot) -# Example: -# logroot: '/path/to/my/logs' -# Default: 'logs' (this is relative to ServerRoot) -logroot: "/var/log/httpd24" - -# Error log filename -# Example: -# errorlog: 'error.log' -# Default: 'error.log' (If 'servername' and 'ssl' options are defined -# the default value will be _error_ssl.log) -errorlog: 'custom_defined_error.log' - -# Access log filename -# Example: -# accesslog: 'access.log' -# Default: 'access.log' (If 'servername' and 'ssl' options are defined -# the default value will be _access_ssl.log) -accesslog: 'custom_defined_access.log' - -# Apache access log format (Don't specify log nickname see: http://httpd.apache.org/docs/current/mod/mod_log_config.html#transferlog) -# Example: -# logformat: '"%v %h \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %T"' -# Default: Apache combined format -logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e %T %>s"' - -# Should RewriteEngine be used -# Example: -# use_rewrites: false -# Default: true -use_rewrites: true - -# Should Maintenance Rewrite rules be added -# Example: -# use_maintenance: false -# Default: true -use_maintenance: true - -# List of IPs to allow when maintenance is enabled -# Example: -# maintenance_ip_allowlist: -# - 192.168.0..* -# - 192.168.1..* -# Default: [] (no IPs allowed) -maintenance_ip_allowlist: [] - -# Set Header Content-Security-Policy frame-ancestors. 
-# Example: -# security_csp_frame_ancestors: https://ondemand.osc.edu -# Example to disable setting: -# security_csp_frame_ancestors: false -# Default: based on servername and ssl settings -security_csp_frame_ancestors: http://my.proxy.server.edu - -# Set Header Strict-Transport-Security to help enforce SSL -# Example: -# security_strict_transport: false -# Default: true when ssl is enabled, false otherwise -security_strict_transport: True - -# Root directory of the Lua handler code -# Example: -# lua_root: '/path/to/lua/handlers' -# Default : '/opt/ood/mod_ood_proxy/lib' (default install directory of mod_ood_proxy) -lua_root: "/opt/ood/mod_ood_proxy/lib" - -# Verbosity of the Lua module logging -# (see https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) -# Example: -# lua_log_level: 'warn' -# Default: 'info' (get verbose logs) -lua_log_level: "info" - -# Lua regular expression used to map authenticated-user to system-user -# This configuration is ignored if user_map_cmd is defined -# Example: -# user_map_match: '^([^@]+)@.*$' -# Default: '.*' -user_map_match: '^([^@]+)@.*$' - -# System command used to map authenticated-user to system-user -# This option takes precedence over user_map_match -# Example: -# user_map_cmd: '/usr/local/bin/ondemand-usermap' -# Default: null (use user_map_match) -user_map_cmd: /opt/site/regex-mapper --regex=''^([A-Za-z0-9\-_\.]+)@osc.edu$'' - -# Use an alternative CGI environment variable instead of REMOTE_USER for -# determining the authenticated-user fed to the mapping script -# Example: -# user_env: 'OIDC_CLAIM_preferred_username' -# Default: null (use REMOTE_USER) -#user_env: null - -# Redirect user to the following URI if fail to map there authenticated-user to -# a system-user -# Example: -# map_fail_uri: '/register' -# Default: null (don't redirect, just display error message) -#map_fail_uri: null - -# System command used to run the `nginx_stage` script with sudo privileges -# Example: -# pun_stage_cmd: 'sudo 
/path/to/nginx_stage' -# Default: 'sudo /opt/ood/nginx_stage/sbin/nginx_stage' (don't forget sudo) -pun_stage_cmd: "sudo /opt/ood/nginx_stage/sbin/nginx_stage" - -# List of Apache authentication directives -# NB: Be sure the appropriate Apache module is installed for this -# Default: (see below, uses OIDC auth with Dex) -#auth: -# - 'AuthType openid-connect' -# - 'Require valid-user' -auth: -- 'AuthType Basic' -- 'AuthName "private"' -- 'AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"' -- 'RequestHeader unset Authorization' -- 'Require valid-user' - -# List of custom apache directives to apply to the entire vhost. -# Note this is an array of strings. -# Example: -# custom_vhost_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -custom_vhost_directives: -- '' -- ' SetEnv SPECIAL_PATH /foo/bin' -- '' - -# List of custom apache directives to apply to the Locations. -# Note this is an array of strings. -# Example: -# custom_location_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -custom_location_directives: -- 'SetEnv SPECIAL_PATH /foo/bin' - -# Redirect user to the following URI when accessing root URI -# Example: -# root_uri: '/my_uri' -# # https://www.example.com/ => https://www.example.com/my_uri -# Default: '/pun/sys/dashboard' (default location of the OOD Dashboard app) -root_uri: /pun/sys/dashboard - -# Track server-side analytics with a Google Analytics account and property -# (see https://github.com/OSC/mod_ood_proxy/blob/master/lib/analytics.lua for -# information on how to setup the GA property) -# Example: -# analytics: -# url: 'http://www.google-analytics.com/collect' -# id: 'UA-79331310-4' -# Default: null (do not track) -#analytics: null - -# -# Publicly available assets -# - -# Public sub-uri (available to public with no authentication) -# Example: -# public_uri: '/assets' -# Default: '/public' -public_uri: "/public" - -# Root directory that serves the public sub-uri 
(be careful, everything under -# here is open to the public) -# Example: -# public_root: '/path/to/public/assets' -# Default: '/var/www/ood/public' -public_root: "/var/www/ood/public" - -# -# Logout redirect helper -# - -# Logout sub-uri -# Example -# logout_uri: '/log_me_out' -# NB: If you change this, then modify the Dashboard app with the new sub-uri -# Default: '/logout' (the Dashboard app is by default going to expect this) -logout_uri: "/logout" - -# Redirect user to the following URI when accessing logout URI -# Example: -# logout_redirect: '/oidc?logout=https%3A%2F%2Fwww.example.com' -# Default: '/pun/sys/dashboard/logout' (the Dashboard app provides a simple -# HTML page explaining logout to the user) -logout_redirect: "/pun/sys/dashboard/logout" - -# -# Reverse proxy to backend nodes -# - -# Regular expression used for whitelisting allowed hostnames of nodes -# Example: -# host_regex: '[\w.-]+\.example\.com' -# Default: '[^/]+' (allow reverse proxying to all hosts, this allows external -# hosts as well) -host_regex: 'forge-(l|c)\d+' - -# Sub-uri used to reverse proxy to backend web server running on node that -# knows the full URI path -# Example: -# node_uri: '/node' -# Default: null (disable this feature) -node_uri: /custom-node-path - -# Sub-uri used to reverse proxy to backend web server running on node that -# ONLY uses *relative* URI paths -# Example: -# rnode_uri: '/rnode' -# Default: null (disable this feature) -rnode_uri: /custom-rnode-path - -# -# Per-user NGINX Passenger apps -# - -# Sub-uri used to control PUN processes -# Example: -# nginx_uri: '/my_pun_controller' -# Default: '/nginx' -nginx_uri: /nginx - -# Sub-uri used to access the PUN processes -# Example: -# pun_uri: '/my_pun_apps' -# Default: '/pun' -pun_uri: "/pun" - -# Root directory that contains the PUN Unix sockets that the proxy uses to -# connect to -# Example: -# pun_socket_root: '/path/to/pun/sockets' -# Default: '/var/run/ondemand-nginx' (default location set in nginx_stage) 
-pun_socket_root: "/var/run/ondemand-nginx" - -# Number of times the proxy attempts to connect to the PUN Unix socket before -# giving up and displaying an error to the user -# Example: -# pun_max_retries: 25 -# Default: 5 (only try 5 times) -pun_max_retries: 5 - -# The PUN pre hook command to execute as root -# -# Example: -# pun_pre_hook_root_cmd: '/opt/hpc-site/ood_pun_prehook' -# Default: null (do not run any PUN pre hook as root) -pun_pre_hook_root_cmd: '/opt/site/site_pre_hook' - -# Comma separated list of environment variables to pass from the apache context -# into the PUN pre hook. Defaults to null so nothing is exported. -# -# Example: -# pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL' -# Default: null (pass nothing) -pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL' - -# -# Support for OpenID Connect -# - -# Sub-uri used by mod_auth_openidc for authentication -# Example: -# oidc_uri: '/oidc' -# Default: null (disable OpenID Connect support) -oidc_uri: /custom-oidc-path - -# Sub-uri user is redirected to if they are not authenticated. This is used to -# *discover* what ID provider the user will login through. 
-# Example: -# oidc_discover_uri: '/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -#oidc_discover_uri: null - -# Root directory on the filesystem that serves the HTML code used to display -# the discovery page -# Example: -# oidc_discover_root: '/var/www/ood/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -#oidc_discover_root: null - -# -# Support for registering unmapped users -# -# (Not necessary if using regular expressions for mapping users) -# - -# Sub-uri user is redirected to if unable to map authenticated-user to -# system-user -# Example: -# register_uri: '/register' -# Default: null (display error to user if mapping fails) -#register_uri: null - -# Root directory on the filesystem that serves the HTML code used to register -# an unmapped user -# Example: -# register_root: '/var/www/ood/register' -# Default: null (display error to user if mapping fails) -#register_root: null - -# OIDC metadata URL -# Example: -# oidc_provider_metadata_url: https://example.com:5554/.well-known/openid-configuration -# Default: null (value auto-generated if using Dex) -#oidc_provider_metadata_url: null - -# OIDC client ID -# Example: -# oidc_client_id: ondemand.example.com -# Default: null (value auto-generated if using Dex) -#oidc_client_id: null - -# OIDC client secret -# Example: -# oidc_client_secret: 334389048b872a533002b34d73f8c29fd09efc50 -# Default: null (value auto-generated if using Dex) -#oidc_client_secret: null - -# OIDC remote user claim. 
This is the claim that populates REMOTE_USER -# Example: -# oidc_remote_user_claim: preferred_username -# Default: preferred_username -#oidc_remote_user_claim: preferred_username - -# OIDC scopes -# Example: -# oidc_scope: "openid profile email groups" -# Default: "openid profile email" -#oidc_scope: "openid profile email" - -# OIDC session inactivity timeout -# Example: -# oidc_session_inactivity_timeout: 28800 -# Default: 28800 -#oidc_session_inactivity_timeout: 28800 - -# OIDC session max duration -# Example: -# oidc_session_max_duration: 28800 -# Default: 28800 -#oidc_session_max_duration: 28800 - -# OIDC max number of state cookies and if to automatically clean old cookies -# Example: -# oidc_state_max_number_of_cookies: "10 true" -# Default: "10 true" -#oidc_state_max_number_of_cookies: "10 true" - -# OIDC Enable SameSite cookie -# When ssl is defined this defaults to 'Off' -# When ssl is not defined this defaults to 'On' -# Example: -# oidc_cookie_same_site: 'Off' -# Default: 'On' -#oidc_cookie_same_site: "On" - -# Additional OIDC settings as key-value pairs -# Example: -# oidc_settings: -# OIDCPassIDTokenAs: serialized -# OIDCPassRefreshToken: On -# Default: {} (empty hash) - -# The Dex URI behind Apache reverse proxy -# Setting this value to some path will result in Dex listening on localhost -# as well as only using HTTP for proxied communication -# Example: -# dex_uri: /dex -# Default: null -#dex_uri: null - -# Dex configurations, values inside the "dex" structure are directly used to configure Dex -# If the value for "dex" key is false or null, Dex support is disabled -# Dex support will auto-enable if ondemand-dex package is installed -#dex: - # Default based on if ssl key for ood-portal-generator is defined -# ssl: false - # Only used if SSL is disabled -# http_port: "5556" - # Only used if SSL is enabled -# https_port: "5554" - # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names -# 
tls_cert: null -# tls_key: null -# storage_file: /etc/ood/dex/dex.db -# grpc: null -# expiry: null - # Client ID, defaults to servername or FQDN -# client_id: null -# client_name: OnDemand - # Client secret, value auto generated - # A value that is a filesystem path can be used to store secret in a file -# client_secret: /etc/ood/dex/ondemand.secret - # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs -# client_redirect_uris: [] - # Additional Dex OIDC clients to configure -# static_clients: [] - # The following example is to configure OpenLDAP - # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md -# connectors: -# - type: ldap -# id: ldap -# name: LDAP -# config: -# host: openldap.my_center.edu:636 -# insecureSkipVerify: false -# bindDN: cn=admin,dc=example,dc=org -# bindPW: admin -# userSearch: -# baseDN: ou=People,dc=example,dc=org -# filter: "(objectClass=posixAccount)" -# username: uid -# idAttr: uid -# emailAttr: mail -# nameAttr: gecos -# preferredUsernameAttr: uid -# groupSearch: -# baseDN: ou=Groups,dc=example,dc=org -# filter: "(objectClass=posixGroup)" -# userMatchers: -# - userAttr: DN -# groupAttr: member -# nameAttr: cn -# frontend: -# theme: ondemand -# dir: /usr/share/ondemand-dex/web diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd24-httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd24-httpd deleted file mode 100644 index 9326c2f..0000000 --- a/molecule/default/fixtures/config/ood_portal.yml.default.httpd24-httpd +++ /dev/null 
@@ -1,478 +0,0 @@ -# Ansible managed: Do NOT edit this file manually! ---- -# -# Portal configuration -# - -# The address and port to listen for connections on -# Example: -# listen_addr_port: 443 -# Default: null (don't add any more listen directives) -#listen_addr_port: null - -# The server name used for name-based Virtual Host -# Example: -# servername: 'www.example.com' -# Default: null (don't use name-based Virtual Host) -servername: localhost - -# The server aliases used for the name-based Virtual Host -# Example: -# server_aliases: -# - foo.example.com -#server_aliases: [] - -# The server name used for rewrites -# Example: -# proxy_server: 'proxy.example.com' -# Default: The value of servername -#proxy_server: null - -# The port specification for the Virtual Host -# Example: -# port: 8080 -#Default: null (use default port 80 or 443 if SSL enabled) -port: 80 - -# List of SSL Apache directives -# Example: -# ssl: -# - 'SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"' -# - 'SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"' -# Default: null (no SSL support) -# Default: null (no SSL support) - -# Disable logging entirely. With this you can have custom log directives -# in a seperate configuration file. 
-# Example: -# disable_logs: true -# Default: false (logs are enabled) -#disable_logs: false - -# Root directory of log files (can be relative ServerRoot) -# Example: -# logroot: '/path/to/my/logs' -# Default: 'logs' (this is relative to ServerRoot) -logroot: "/var/log/httpd24" - -# Error log filename -# Example: -# errorlog: 'error.log' -# Default: 'error.log' (If 'servername' and 'ssl' options are defined -# the default value will be _error_ssl.log) -#errorlog: 'error.log' - -# Access log filename -# Example: -# accesslog: 'access.log' -# Default: 'access.log' (If 'servername' and 'ssl' options are defined -# the default value will be _access_ssl.log) -#accesslog: 'access.log' - -# Apache access log format (Don't specify log nickname see: http://httpd.apache.org/docs/current/mod/mod_log_config.html#transferlog) -# Example: -# logformat: '"%v %h \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %T"' -# Default: Apache combined format - -# Should RewriteEngine be used -# Example: -# use_rewrites: false -# Default: true -use_rewrites: true - -# Should Maintenance Rewrite rules be added -# Example: -# use_maintenance: false -# Default: true -use_maintenance: true - -# List of IPs to allow when maintenance is enabled -# Example: -# maintenance_ip_allowlist: -# - 192.168.0..* -# - 192.168.1..* -# Default: [] (no IPs allowed) -maintenance_ip_allowlist: [] - -# Set Header Content-Security-Policy frame-ancestors. 
-# Example: -# security_csp_frame_ancestors: https://ondemand.osc.edu -# Example to disable setting: -# security_csp_frame_ancestors: false -# Default: based on servername and ssl settings -#security_csp_frame_ancestors: - -# Set Header Strict-Transport-Security to help enforce SSL -# Example: -# security_strict_transport: false -# Default: true when ssl is enabled, false otherwise -#security_strict_transport: false - -# Root directory of the Lua handler code -# Example: -# lua_root: '/path/to/lua/handlers' -# Default : '/opt/ood/mod_ood_proxy/lib' (default install directory of mod_ood_proxy) -lua_root: "/opt/ood/mod_ood_proxy/lib" - -# Verbosity of the Lua module logging -# (see https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) -# Example: -# lua_log_level: 'warn' -# Default: 'info' (get verbose logs) -lua_log_level: "info" - -# Lua regular expression used to map authenticated-user to system-user -# This configuration is ignored if user_map_cmd is defined -# Example: -# user_map_match: '^([^@]+)@.*$' -# Default: '.*' -user_map_match: '.*' - -# System command used to map authenticated-user to system-user -# This option takes precedence over user_map_match -# Example: -# user_map_cmd: '/usr/local/bin/ondemand-usermap' -# Default: null (use user_map_match) -#user_map_cmd: null - -# Use an alternative CGI environment variable instead of REMOTE_USER for -# determining the authenticated-user fed to the mapping script -# Example: -# user_env: 'OIDC_CLAIM_preferred_username' -# Default: null (use REMOTE_USER) -#user_env: null - -# Redirect user to the following URI if fail to map there authenticated-user to -# a system-user -# Example: -# map_fail_uri: '/register' -# Default: null (don't redirect, just display error message) -#map_fail_uri: null - -# System command used to run the `nginx_stage` script with sudo privileges -# Example: -# pun_stage_cmd: 'sudo /path/to/nginx_stage' -# Default: 'sudo /opt/ood/nginx_stage/sbin/nginx_stage' (don't forget sudo) 
-pun_stage_cmd: "sudo /opt/ood/nginx_stage/sbin/nginx_stage" - -# List of Apache authentication directives -# NB: Be sure the appropriate Apache module is installed for this -# Default: (see below, uses OIDC auth with Dex) -#auth: -# - 'AuthType openid-connect' -# - 'Require valid-user' -auth: -- 'AuthType Basic' -- 'AuthName "private"' -- 'AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"' -- 'RequestHeader unset Authorization' -- 'Require valid-user' - -# List of custom apache directives to apply to the entire vhost. -# Note this is an array of strings. -# Example: -# custom_vhost_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -#custom_vhost_directives: [] - -# List of custom apache directives to apply to the Locations. -# Note this is an array of strings. -# Example: -# custom_location_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -#custom_location_directives: [] - -# Redirect user to the following URI when accessing root URI -# Example: -# root_uri: '/my_uri' -# # https://www.example.com/ => https://www.example.com/my_uri -# Default: '/pun/sys/dashboard' (default location of the OOD Dashboard app) -root_uri: /pun/sys/dashboard - -# Track server-side analytics with a Google Analytics account and property -# (see https://github.com/OSC/mod_ood_proxy/blob/master/lib/analytics.lua for -# information on how to setup the GA property) -# Example: -# analytics: -# url: 'http://www.google-analytics.com/collect' -# id: 'UA-79331310-4' -# Default: null (do not track) -#analytics: null - -# -# Publicly available assets -# - -# Public sub-uri (available to public with no authentication) -# Example: -# public_uri: '/assets' -# Default: '/public' -public_uri: "/public" - -# Root directory that serves the public sub-uri (be careful, everything under -# here is open to the public) -# Example: -# public_root: '/path/to/public/assets' -# Default: '/var/www/ood/public' -public_root: 
"/var/www/ood/public" - -# -# Logout redirect helper -# - -# Logout sub-uri -# Example -# logout_uri: '/log_me_out' -# NB: If you change this, then modify the Dashboard app with the new sub-uri -# Default: '/logout' (the Dashboard app is by default going to expect this) -logout_uri: "/logout" - -# Redirect user to the following URI when accessing logout URI -# Example: -# logout_redirect: '/oidc?logout=https%3A%2F%2Fwww.example.com' -# Default: '/pun/sys/dashboard/logout' (the Dashboard app provides a simple -# HTML page explaining logout to the user) -logout_redirect: "/pun/sys/dashboard/logout" - -# -# Reverse proxy to backend nodes -# - -# Regular expression used for whitelisting allowed hostnames of nodes -# Example: -# host_regex: '[\w.-]+\.example\.com' -# Default: '[^/]+' (allow reverse proxying to all hosts, this allows external -# hosts as well) -host_regex: '[^/]+' - -# Sub-uri used to reverse proxy to backend web server running on node that -# knows the full URI path -# Example: -# node_uri: '/node' -# Default: null (disable this feature) -#node_uri: null - -# Sub-uri used to reverse proxy to backend web server running on node that -# ONLY uses *relative* URI paths -# Example: -# rnode_uri: '/rnode' -# Default: null (disable this feature) -#rnode_uri: null - -# -# Per-user NGINX Passenger apps -# - -# Sub-uri used to control PUN processes -# Example: -# nginx_uri: '/my_pun_controller' -# Default: '/nginx' -nginx_uri: /nginx - -# Sub-uri used to access the PUN processes -# Example: -# pun_uri: '/my_pun_apps' -# Default: '/pun' -pun_uri: "/pun" - -# Root directory that contains the PUN Unix sockets that the proxy uses to -# connect to -# Example: -# pun_socket_root: '/path/to/pun/sockets' -# Default: '/var/run/ondemand-nginx' (default location set in nginx_stage) -pun_socket_root: "/var/run/ondemand-nginx" - -# Number of times the proxy attempts to connect to the PUN Unix socket before -# giving up and displaying an error to the user -# Example: -# 
pun_max_retries: 25 -# Default: 5 (only try 5 times) -pun_max_retries: 5 - -# The PUN pre hook command to execute as root -# -# Example: -# pun_pre_hook_root_cmd: '/opt/hpc-site/ood_pun_prehook' -# Default: null (do not run any PUN pre hook as root) -# pun_pre_hook_root_cmd: null - -# Comma separated list of environment variables to pass from the apache context -# into the PUN pre hook. Defaults to null so nothing is exported. -# -# Example: -# pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL' -# Default: null (pass nothing) -# pun_pre_hook_exports: null - -# -# Support for OpenID Connect -# - -# Sub-uri used by mod_auth_openidc for authentication -# Example: -# oidc_uri: '/oidc' -# Default: null (disable OpenID Connect support) -#oidc_uri: null - -# Sub-uri user is redirected to if they are not authenticated. This is used to -# *discover* what ID provider the user will login through. -# Example: -# oidc_discover_uri: '/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -#oidc_discover_uri: null - -# Root directory on the filesystem that serves the HTML code used to display -# the discovery page -# Example: -# oidc_discover_root: '/var/www/ood/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -#oidc_discover_root: null - -# -# Support for registering unmapped users -# -# (Not necessary if using regular expressions for mapping users) -# - -# Sub-uri user is redirected to if unable to map authenticated-user to -# system-user -# Example: -# register_uri: '/register' -# Default: null (display error to user if mapping fails) -#register_uri: null - -# Root directory on the filesystem that serves the HTML code used to register -# an unmapped user -# Example: -# register_root: '/var/www/ood/register' -# Default: null (display error to user if mapping fails) -#register_root: null - -# OIDC metadata URL -# Example: -# oidc_provider_metadata_url: https://example.com:5554/.well-known/openid-configuration -# 
Default: null (value auto-generated if using Dex) -#oidc_provider_metadata_url: null - -# OIDC client ID -# Example: -# oidc_client_id: ondemand.example.com -# Default: null (value auto-generated if using Dex) -#oidc_client_id: null - -# OIDC client secret -# Example: -# oidc_client_secret: 334389048b872a533002b34d73f8c29fd09efc50 -# Default: null (value auto-generated if using Dex) -#oidc_client_secret: null - -# OIDC remote user claim. This is the claim that populates REMOTE_USER -# Example: -# oidc_remote_user_claim: preferred_username -# Default: preferred_username -#oidc_remote_user_claim: preferred_username - -# OIDC scopes -# Example: -# oidc_scope: "openid profile email groups" -# Default: "openid profile email" -#oidc_scope: "openid profile email" - -# OIDC session inactivity timeout -# Example: -# oidc_session_inactivity_timeout: 28800 -# Default: 28800 -#oidc_session_inactivity_timeout: 28800 - -# OIDC session max duration -# Example: -# oidc_session_max_duration: 28800 -# Default: 28800 -#oidc_session_max_duration: 28800 - -# OIDC max number of state cookies and if to automatically clean old cookies -# Example: -# oidc_state_max_number_of_cookies: "10 true" -# Default: "10 true" -#oidc_state_max_number_of_cookies: "10 true" - -# OIDC Enable SameSite cookie -# When ssl is defined this defaults to 'Off' -# When ssl is not defined this defaults to 'On' -# Example: -# oidc_cookie_same_site: 'Off' -# Default: 'On' -#oidc_cookie_same_site: "On" - -# Additional OIDC settings as key-value pairs -# Example: -# oidc_settings: -# OIDCPassIDTokenAs: serialized -# OIDCPassRefreshToken: On -# Default: {} (empty hash) - -# The Dex URI behind Apache reverse proxy -# Setting this value to some path will result in Dex listening on localhost -# as well as only using HTTP for proxied communication -# Example: -# dex_uri: /dex -# Default: null -#dex_uri: null - -# Dex configurations, values inside the "dex" structure are directly used to configure Dex -# If the value for 
"dex" key is false or null, Dex support is disabled -# Dex support will auto-enable if ondemand-dex package is installed -#dex: - # Default based on if ssl key for ood-portal-generator is defined -# ssl: false - # Only used if SSL is disabled -# http_port: "5556" - # Only used if SSL is enabled -# https_port: "5554" - # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names -# tls_cert: null -# tls_key: null -# storage_file: /etc/ood/dex/dex.db -# grpc: null -# expiry: null - # Client ID, defaults to servername or FQDN -# client_id: null -# client_name: OnDemand - # Client secret, value auto generated - # A value that is a filesystem path can be used to store secret in a file -# client_secret: /etc/ood/dex/ondemand.secret - # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs -# client_redirect_uris: [] - # Additional Dex OIDC clients to configure -# static_clients: [] - # The following example is to configure OpenLDAP - # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md -# connectors: -# - type: ldap -# id: ldap -# name: LDAP -# config: -# host: openldap.my_center.edu:636 -# insecureSkipVerify: false -# bindDN: cn=admin,dc=example,dc=org -# bindPW: admin -# userSearch: -# baseDN: ou=People,dc=example,dc=org -# filter: "(objectClass=posixAccount)" -# username: uid -# idAttr: uid -# emailAttr: mail -# nameAttr: gecos -# preferredUsernameAttr: uid -# groupSearch: -# baseDN: ou=Groups,dc=example,dc=org -# filter: "(objectClass=posixGroup)" -# userMatchers: -# - userAttr: DN -# groupAttr: member -# nameAttr: cn -# frontend: -# theme: ondemand -# dir: /usr/share/ondemand-dex/web diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd24-httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd24-httpd deleted file mode 100644 index 337d6e2..0000000 
--- a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd24-httpd
+++ /dev/null
@@ -1,482 +0,0 @@ -# Ansible managed: Do NOT edit this file manually! ---- -# -# Portal configuration -# - -# The address and port to listen for connections on -# Example: -# listen_addr_port: 443 -# Default: null (don't add any more listen directives) -#listen_addr_port: null - -# The server name used for name-based Virtual Host -# Example: -# servername: 'www.example.com' -# Default: null (don't use name-based Virtual Host) -servername: localhost - -# The server aliases used for the name-based Virtual Host -# Example: -# server_aliases: -# - foo.example.com -#server_aliases: [] - -# The server name used for rewrites -# Example: -# proxy_server: 'proxy.example.com' -# Default: The value of servername -#proxy_server: null - -# The port specification for the Virtual Host -# Example: -# port: 8080 -#Default: null (use default port 80 or 443 if SSL enabled) -port: 80 - -# List of SSL Apache directives -# Example: -# ssl: -# - 'SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"' -# - 'SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"' -# Default: null (no SSL support) -# Default: null (no SSL support) - -# Disable logging entirely. With this you can have custom log directives -# in a seperate configuration file. 
-# Example: -# disable_logs: true -# Default: false (logs are enabled) -#disable_logs: false - -# Root directory of log files (can be relative ServerRoot) -# Example: -# logroot: '/path/to/my/logs' -# Default: 'logs' (this is relative to ServerRoot) -logroot: "/var/log/httpd24" - -# Error log filename -# Example: -# errorlog: 'error.log' -# Default: 'error.log' (If 'servername' and 'ssl' options are defined -# the default value will be _error_ssl.log) -errorlog: 'custom_defined_error.log' - -# Access log filename -# Example: -# accesslog: 'access.log' -# Default: 'access.log' (If 'servername' and 'ssl' options are defined -# the default value will be _access_ssl.log) -accesslog: 'custom_defined_access.log' - -# Apache access log format (Don't specify log nickname see: http://httpd.apache.org/docs/current/mod/mod_log_config.html#transferlog) -# Example: -# logformat: '"%v %h \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %T"' -# Default: Apache combined format -logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e %T %>s"' - -# Should RewriteEngine be used -# Example: -# use_rewrites: false -# Default: true -use_rewrites: true - -# Should Maintenance Rewrite rules be added -# Example: -# use_maintenance: false -# Default: true -use_maintenance: true - -# List of IPs to allow when maintenance is enabled -# Example: -# maintenance_ip_allowlist: -# - 192.168.0..* -# - 192.168.1..* -# Default: [] (no IPs allowed) -maintenance_ip_allowlist: [] - -# Set Header Content-Security-Policy frame-ancestors. 
-# Example: -# security_csp_frame_ancestors: https://ondemand.osc.edu -# Example to disable setting: -# security_csp_frame_ancestors: false -# Default: based on servername and ssl settings -security_csp_frame_ancestors: http://my.proxy.server.edu - -# Set Header Strict-Transport-Security to help enforce SSL -# Example: -# security_strict_transport: false -# Default: true when ssl is enabled, false otherwise -security_strict_transport: True - -# Root directory of the Lua handler code -# Example: -# lua_root: '/path/to/lua/handlers' -# Default : '/opt/ood/mod_ood_proxy/lib' (default install directory of mod_ood_proxy) -lua_root: "/opt/ood/mod_ood_proxy/lib" - -# Verbosity of the Lua module logging -# (see https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) -# Example: -# lua_log_level: 'warn' -# Default: 'info' (get verbose logs) -lua_log_level: "info" - -# Lua regular expression used to map authenticated-user to system-user -# This configuration is ignored if user_map_cmd is defined -# Example: -# user_map_match: '^([^@]+)@.*$' -# Default: '.*' -user_map_match: '^([^@]+)@.*$' - -# System command used to map authenticated-user to system-user -# This option takes precedence over user_map_match -# Example: -# user_map_cmd: '/usr/local/bin/ondemand-usermap' -# Default: null (use user_map_match) -user_map_cmd: /opt/site/regex-mapper --regex=''^([A-Za-z0-9\-_\.]+)@osc.edu$'' - -# Use an alternative CGI environment variable instead of REMOTE_USER for -# determining the authenticated-user fed to the mapping script -# Example: -# user_env: 'OIDC_CLAIM_preferred_username' -# Default: null (use REMOTE_USER) -#user_env: null - -# Redirect user to the following URI if fail to map there authenticated-user to -# a system-user -# Example: -# map_fail_uri: '/register' -# Default: null (don't redirect, just display error message) -#map_fail_uri: null - -# System command used to run the `nginx_stage` script with sudo privileges -# Example: -# pun_stage_cmd: 'sudo 
/path/to/nginx_stage' -# Default: 'sudo /opt/ood/nginx_stage/sbin/nginx_stage' (don't forget sudo) -pun_stage_cmd: "sudo /opt/ood/nginx_stage/sbin/nginx_stage" - -# List of Apache authentication directives -# NB: Be sure the appropriate Apache module is installed for this -# Default: (see below, uses OIDC auth with Dex) -#auth: -# - 'AuthType openid-connect' -# - 'Require valid-user' -auth: -- 'AuthType Basic' -- 'AuthName "private"' -- 'AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"' -- 'RequestHeader unset Authorization' -- 'Require valid-user' - -# List of custom apache directives to apply to the entire vhost. -# Note this is an array of strings. -# Example: -# custom_vhost_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -#custom_vhost_directives: [] - -# List of custom apache directives to apply to the Locations. -# Note this is an array of strings. -# Example: -# custom_location_directives: -# - 'SetEnv SPECIAL_ENV_VAR custom' -# Default: [] (no custom directives) -#custom_location_directives: [] - -# Redirect user to the following URI when accessing root URI -# Example: -# root_uri: '/my_uri' -# # https://www.example.com/ => https://www.example.com/my_uri -# Default: '/pun/sys/dashboard' (default location of the OOD Dashboard app) -root_uri: /pun/sys/dashboard - -# Track server-side analytics with a Google Analytics account and property -# (see https://github.com/OSC/mod_ood_proxy/blob/master/lib/analytics.lua for -# information on how to setup the GA property) -# Example: -# analytics: -# url: 'http://www.google-analytics.com/collect' -# id: 'UA-79331310-4' -# Default: null (do not track) -#analytics: null - -# -# Publicly available assets -# - -# Public sub-uri (available to public with no authentication) -# Example: -# public_uri: '/assets' -# Default: '/public' -public_uri: "/public" - -# Root directory that serves the public sub-uri (be careful, everything under -# here is open to the public) -# Example: -# 
public_root: '/path/to/public/assets' -# Default: '/var/www/ood/public' -public_root: "/var/www/ood/public" - -# -# Logout redirect helper -# - -# Logout sub-uri -# Example -# logout_uri: '/log_me_out' -# NB: If you change this, then modify the Dashboard app with the new sub-uri -# Default: '/logout' (the Dashboard app is by default going to expect this) -logout_uri: "/logout" - -# Redirect user to the following URI when accessing logout URI -# Example: -# logout_redirect: '/oidc?logout=https%3A%2F%2Fwww.example.com' -# Default: '/pun/sys/dashboard/logout' (the Dashboard app provides a simple -# HTML page explaining logout to the user) -logout_redirect: "/pun/sys/dashboard/logout" - -# -# Reverse proxy to backend nodes -# - -# Regular expression used for whitelisting allowed hostnames of nodes -# Example: -# host_regex: '[\w.-]+\.example\.com' -# Default: '[^/]+' (allow reverse proxying to all hosts, this allows external -# hosts as well) -host_regex: 'forge-(l|c)\d+' - -# Sub-uri used to reverse proxy to backend web server running on node that -# knows the full URI path -# Example: -# node_uri: '/node' -# Default: null (disable this feature) -node_uri: /custom-node-path - -# Sub-uri used to reverse proxy to backend web server running on node that -# ONLY uses *relative* URI paths -# Example: -# rnode_uri: '/rnode' -# Default: null (disable this feature) -rnode_uri: /custom-rnode-path - -# -# Per-user NGINX Passenger apps -# - -# Sub-uri used to control PUN processes -# Example: -# nginx_uri: '/my_pun_controller' -# Default: '/nginx' -nginx_uri: /nginx - -# Sub-uri used to access the PUN processes -# Example: -# pun_uri: '/my_pun_apps' -# Default: '/pun' -pun_uri: "/pun" - -# Root directory that contains the PUN Unix sockets that the proxy uses to -# connect to -# Example: -# pun_socket_root: '/path/to/pun/sockets' -# Default: '/var/run/ondemand-nginx' (default location set in nginx_stage) -pun_socket_root: "/var/run/ondemand-nginx" - -# Number of times the proxy 
attempts to connect to the PUN Unix socket before -# giving up and displaying an error to the user -# Example: -# pun_max_retries: 25 -# Default: 5 (only try 5 times) -pun_max_retries: 5 - -# The PUN pre hook command to execute as root -# -# Example: -# pun_pre_hook_root_cmd: '/opt/hpc-site/ood_pun_prehook' -# Default: null (do not run any PUN pre hook as root) -pun_pre_hook_root_cmd: '/opt/site/site_pre_hook' - -# Comma separated list of environment variables to pass from the apache context -# into the PUN pre hook. Defaults to null so nothing is exported. -# -# Example: -# pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL' -# Default: null (pass nothing) -pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL' - -# -# Support for OpenID Connect -# - -# Sub-uri used by mod_auth_openidc for authentication -# Example: -# oidc_uri: '/oidc' -# Default: null (disable OpenID Connect support) -oidc_uri: /custom-oidc-path - -# Sub-uri user is redirected to if they are not authenticated. This is used to -# *discover* what ID provider the user will login through. 
-# Example: -# oidc_discover_uri: '/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -oidc_discover_uri: /discover - -# Root directory on the filesystem that serves the HTML code used to display -# the discovery page -# Example: -# oidc_discover_root: '/var/www/ood/discover' -# Default: null (disable support for discovering OpenID Connect IdP) -oidc_discover_root: /var/www/ood/discover - -# -# Support for registering unmapped users -# -# (Not necessary if using regular expressions for mapping users) -# - -# Sub-uri user is redirected to if unable to map authenticated-user to -# system-user -# Example: -# register_uri: '/register' -# Default: null (display error to user if mapping fails) -#register_uri: null - -# Root directory on the filesystem that serves the HTML code used to register -# an unmapped user -# Example: -# register_root: '/var/www/ood/register' -# Default: null (display error to user if mapping fails) -#register_root: null - -# OIDC metadata URL -# Example: -# oidc_provider_metadata_url: https://example.com:5554/.well-known/openid-configuration -# Default: null (value auto-generated if using Dex) -oidc_provider_metadata_url: https://oidc-idp.ohio.edu/.well-known/openid-configuration - -# OIDC client ID -# Example: -# oidc_client_id: ondemand.example.com -# Default: null (value auto-generated if using Dex) -oidc_client_id: ondemand.ohio.edu - -# OIDC client secret -# Example: -# oidc_client_secret: 334389048b872a533002b34d73f8c29fd09efc50 -# Default: null (value auto-generated if using Dex) -oidc_client_secret: test-client-secret - -# OIDC remote user claim. 
This is the claim that populates REMOTE_USER -# Example: -# oidc_remote_user_claim: preferred_username -# Default: preferred_username -oidc_remote_user_claim: email - -# OIDC scopes -# Example: -# oidc_scope: "openid profile email groups" -# Default: "openid profile email" -oidc_scope: "openid profile email groups" - -# OIDC session inactivity timeout -# Example: -# oidc_session_inactivity_timeout: 28800 -# Default: 28800 -oidc_session_inactivity_timeout: 9001 - -# OIDC session max duration -# Example: -# oidc_session_max_duration: 28800 -# Default: 28800 -oidc_session_max_duration: 9001 - -# OIDC max number of state cookies and if to automatically clean old cookies -# Example: -# oidc_state_max_number_of_cookies: "10 true" -# Default: "10 true" -oidc_state_max_number_of_cookies: 3 true - -# OIDC Enable SameSite cookie -# When ssl is defined this defaults to 'Off' -# When ssl is not defined this defaults to 'On' -# Example: -# oidc_cookie_same_site: 'Off' -# Default: 'On' -oidc_cookie_same_site: "Off" - -# Additional OIDC settings as key-value pairs -# Example: -# oidc_settings: -# OIDCPassIDTokenAs: serialized -# OIDCPassRefreshToken: On -# Default: {} (empty hash) -oidc_settings: - OIDCCryptoPassphrase: 'mycryptopass' - OIDCPassRefreshToken: 'On' - -# The Dex URI behind Apache reverse proxy -# Setting this value to some path will result in Dex listening on localhost -# as well as only using HTTP for proxied communication -# Example: -# dex_uri: /dex -# Default: null -#dex_uri: null - -# Dex configurations, values inside the "dex" structure are directly used to configure Dex -# If the value for "dex" key is false or null, Dex support is disabled -# Dex support will auto-enable if ondemand-dex package is installed -#dex: - # Default based on if ssl key for ood-portal-generator is defined -# ssl: false - # Only used if SSL is disabled -# http_port: "5556" - # Only used if SSL is enabled -# https_port: "5554" - # tls_cert and tls_key take OnDemand configured values 
for ssl and copy keys to /etc/ood/dex maintaining file names -# tls_cert: null -# tls_key: null -# storage_file: /etc/ood/dex/dex.db -# grpc: null -# expiry: null - # Client ID, defaults to servername or FQDN -# client_id: null -# client_name: OnDemand - # Client secret, value auto generated - # A value that is a filesystem path can be used to store secret in a file -# client_secret: /etc/ood/dex/ondemand.secret - # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs -# client_redirect_uris: [] - # Additional Dex OIDC clients to configure -# static_clients: [] - # The following example is to configure OpenLDAP - # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md -# connectors: -# - type: ldap -# id: ldap -# name: LDAP -# config: -# host: openldap.my_center.edu:636 -# insecureSkipVerify: false -# bindDN: cn=admin,dc=example,dc=org -# bindPW: admin -# userSearch: -# baseDN: ou=People,dc=example,dc=org -# filter: "(objectClass=posixAccount)" -# username: uid -# idAttr: uid -# emailAttr: mail -# nameAttr: gecos -# preferredUsernameAttr: uid -# groupSearch: -# baseDN: ou=Groups,dc=example,dc=org -# filter: "(objectClass=posixGroup)" -# userMatchers: -# - userAttr: DN -# groupAttr: member -# nameAttr: cn -# frontend: -# theme: ondemand -# dir: /usr/share/ondemand-dex/web diff --git a/vars/CentOS/7.yml b/vars/CentOS/7.yml deleted file mode 100644 index 25e7e95..0000000 --- a/vars/CentOS/7.yml +++ /dev/null 
@@ -1,21 +0,0 @@
-apache_package_name: httpd24-httpd
-apache_service_name: httpd24-httpd
-
-
-apache_base_dir: "/opt/rh/httpd24/root"
-apache_etc_dir: "/opt/rh/httpd24/root/etc/httpd"
-apache_conf_dir: "{{ apache_etc_dir }}/conf.d"
-apache_log_dir: "/var/log/httpd24"
-container_apache_restart_cmd: "{{ apache_base_dir }}/sbin/httpd-scl-wrapper -k restart"
-
-additional_rpm_installs:
- - centos-release-scl
- - lua-posix
-
-apache_oidc_mod_package: httpd24-mod_auth_openidc
-
-# TODO these bits change in version 1.7.x and up.
-nginx_root: "/opt/rh/ondemand/root"
-nginx_bin: "{{ nginx_root }}/sbin/nginx"
-nginx_mime_types: "{{ nginx_root }}/etc/nginx/mime.types"
-locations_ini: "/opt/ood/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini"
diff --git a/vars/RedHat/7.yml b/vars/RedHat/7.yml
deleted file mode 100644
index b931e93..0000000
--- a/vars/RedHat/7.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-apache_package_name: httpd24-httpd
-apache_service_name: httpd24-httpd
-
-
-apache_base_dir: "/opt/rh/httpd24/root"
-apache_etc_dir: "/opt/rh/httpd24/root/etc/httpd"
-apache_conf_dir: "{{ apache_etc_dir }}/conf.d"
-apache_log_dir: "/var/log/httpd24"
-container_apache_restart_cmd: "{{ apache_base_dir }}/sbin/httpd-scl-wrapper -k restart"
-
-apache_oidc_mod_package: httpd24-mod_auth_openidc
-
-nginx_root: "/opt/rh/ondemand/root"
-nginx_bin: "{{ nginx_root }}/sbin/nginx"
-nginx_mime_types: "{{ nginx_root }}/etc/nginx/mime.types"
-locations_ini: "/opt/ood/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini"
-
-additional_rpm_installs:
- - lua-posix
From 58b3155e30477eea198e4296c53820c697c642c8 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom Date: Tue, 10 Dec 2024 10:15:30 -0500 Subject: [PATCH 2/6] 4.0 portal (#256) * add option for http_redirect_host * rm maintenance_ip_whitelist * add oidc_crypto_passphrase option --- defaults/main/ood_portal.yml | 2 ++ .../config/ood_portal.yml.custom.apache2 | 12 ++++++++++++ .../config/ood_portal.yml.custom.httpd | 12 ++++++++++++ .../config/ood_portal.yml.default.apache2 | 12 ++++++++++++ .../config/ood_portal.yml.default.httpd | 12 ++++++++++++ .../config/ood_portal.yml.oidc.apache2 | 12 ++++++++++++ .../fixtures/config/ood_portal.yml.oidc.httpd | 12 ++++++++++++ templates/ood_portal.yml.j2 | 18 ++++++++++++++---- 8 files changed, 88 insertions(+), 4 deletions(-) diff --git a/defaults/main/ood_portal.yml b/defaults/main/ood_portal.yml index 6754cef..5a8915f 100644 --- a/defaults/main/ood_portal.yml +++ b/defaults/main/ood_portal.yml @@ -15,6 +15,7 @@ # - 443 httpd_use_rewrites: true +ood_http_redirect_host: '%{HTTP_HOST}' maintenance_ip_allowlist: [] use_maintenance: true # security_csp_frame_ancestors: @@ -118,6 +119,7 @@ oidc_settings_samefile: false # oidc_state_max_number_of_cookies: "10 true" # oidc_cookie_same_site: "On" # oidc_settings: {} +# ood_oidc_crypto_passphrase: changeme # dex_uri: null # dex_settings: | # dex: diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 index d6b712e..d7a7d5d 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 @@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false 
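Review bot: The default added in the first hunk of defaults/main/ood_portal.yml, `ood_http_redirect_host: '%{HTTP_HOST}'`, leaves the port-80 redirect target equal to whatever Host header the client sends, and nothing next to the variable says so. The rewrite rule that consumes the value is not part of this diff, so the exact effect is inferred, but a deployment that answers for more than one name or has a permissive default vhost would redirect to a client-chosen host. Add a comment above the default, for example `# Set to the portal's canonical hostname so the port-80 redirect cannot follow a client-supplied Host header`. The same default is rendered into the six fixture files and templates/ood_portal.yml.j2 later in this commit.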
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path # Default: "openid profile email" #oidc_scope: "openid profile email" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd index 06568df..4afce90 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd @@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path # Default: "openid profile email" #oidc_scope: "openid profile email" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 index 2f8aede..3625f81 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 
@@ -80,6 +80,12 @@ logroot: "/var/log/apache2" # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -380,6 +386,12 @@ pun_max_retries: 5 # Default: "openid profile email" #oidc_scope: "openid profile email" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd index e1c89b2..9188b02 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.default.httpd @@ -80,6 +80,12 @@ logroot: "/var/log/httpd" # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -380,6 +386,12 @@ pun_max_retries: 5 # Default: "openid profile email" #oidc_scope: "openid profile email" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 index 4c724bf..9bc1908 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 
+++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 @@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -381,6 +387,12 @@ oidc_remote_user_claim: email # Default: "openid profile email" oidc_scope: "openid profile email groups" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd index 5e0ab2b..e20ae6b 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd @@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e # Default: true use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -381,6 +387,12 @@ oidc_remote_user_claim: email # Default: "openid profile email" oidc_scope: "openid profile email groups" +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +#oidc_crypto_passphrase: ~ + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 
diff --git a/templates/ood_portal.yml.j2 b/templates/ood_portal.yml.j2 index 803892d..c47cfb7 100644 --- a/templates/ood_portal.yml.j2 +++ b/templates/ood_portal.yml.j2 @@ -108,6 +108,12 @@ logroot: "{{ apache_log_dir }}" # Default: true use_rewrites: {{ httpd_use_rewrites | bool | lower }} +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +http_redirect_host: '{{ ood_http_redirect_host }}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false @@ -125,10 +131,6 @@ maintenance_ip_allowlist: {% for item in maintenance_ip_allowlist %} - '{{ item }}' {% endfor %} -{% elif maintenance_ip_whitelist is defined and maintenance_ip_whitelist|length > 0 %} -{% for item in maintenance_ip_whitelist %} - - '{{ item }}' -{% endfor %} {% else %} maintenance_ip_allowlist: [] {% endif %} @@ -477,6 +479,14 @@ pun_max_retries: {{ pun_max_retries }} {% else %}#oidc_scope: "openid profile email" {% endif %} +# OIDC crypto passphrase +# Example: +# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" +# Default: SHA1 sum of servername +{% if oidc_crypto_passphrase is defined %}oidc_crypto_passphrase: {{ ood_oidc_crypto_passphrase }} +{% else %}#oidc_crypto_passphrase: ~ +{% endif %} + # OIDC session inactivity timeout # Example: # oidc_session_inactivity_timeout: 28800 From d0972b5251db241b7520b0de1981caefce96e1cc Mon Sep 17 00:00:00 2001 
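Review bot: The guard in the last hunk of templates/ood_portal.yml.j2 tests `oidc_crypto_passphrase is defined` but renders `{{ ood_oidc_crypto_passphrase }}`, while defaults/main/ood_portal.yml in this commit documents only `ood_oidc_crypto_passphrase`. A site that sets the documented variable therefore gets the commented-out line, and the portal keeps the default that the comment describes as the SHA1 sum of servername, which anyone who knows the hostname can compute; a site that sets only `oidc_crypto_passphrase` would presumably fail at render time on the undefined name. Test the variable that is rendered, and quote it as the neighbouring `http_redirect_host` line does so YAML-special characters in a passphrase survive: `{% if ood_oidc_crypto_passphrase is defined %}oidc_crypto_passphrase: '{{ ood_oidc_crypto_passphrase }}'`. None of the fixtures in this commit sets the passphrase, so the molecule comparison does not exercise this branch.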
From: Jeff Ohrstrom Date: Wed, 11 Dec 2024 12:58:21 -0500 Subject: [PATCH 3/6] more flexible ondemand.d configurations. (#258) more flexible ondemand.d configurations. This allows for more flexible ondemand.d configurations. Instead of this role supplying all configurations in one single file, users can define a yaml structure that will create specific files for each feature while also being able to specify group and file permissions on the file. --- defaults/main/ondemand.yml | 2 ++ molecule/default/fixtures/ondemand.d/motd.yml | 1 + molecule/default/tasks/verify_custom.yml | 2 ++ molecule/default/vars/ondemand.yml | 5 +++++ tasks/configure.yml | 10 ++++++++++ 5 files changed, 20 insertions(+) create mode 100644 molecule/default/fixtures/ondemand.d/motd.yml diff --git a/defaults/main/ondemand.yml b/defaults/main/ondemand.yml index e8470cf..d923ea9 100644 --- a/defaults/main/ondemand.yml +++ b/defaults/main/ondemand.yml @@ -93,3 +93,5 @@ hide_app_version: false # google_analytics_tag_id: null motd_render_html: false + +# ood_ondemand_d_configs: {} \ No newline at end of file diff --git a/molecule/default/fixtures/ondemand.d/motd.yml b/molecule/default/fixtures/ondemand.d/motd.yml new file mode 100644 index 0000000..62f5492 --- /dev/null +++ b/molecule/default/fixtures/ondemand.d/motd.yml @@ -0,0 +1 @@ +motd_render_html: true diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index a51bccc..982c2f5 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml @@ -11,6 +11,7 @@ - { src: "fixtures/apps/bc_desktop/", dest: "bc_desktop/" } - { src: "fixtures/config/auth_openidc.conf", dest: "auth_openidc.conf" } - { src: "fixtures/ondemand.d/ondemand_custom.yml", dest: "ondemand.yml" } + - { src: "fixtures/ondemand.d/motd.yml", dest: "motd.yml" } - name: Verify config files ansible.builtin.command: "diff /tmp/{{ item.left }} {{ item.right }}" 
@@ -23,6 +24,7 @@ - { left: "bc_desktop/submit/submit.yml.erb", right: "{{ ood_base_conf_dir }}/apps/bc_desktop/submit/submit.yml.erb" } - { left: "auth_openidc.conf", right: "{{ apache_conf_dir }}/auth_openidc.conf" } - { left: "ondemand.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/ondemand.yml" } + - { left: "motd.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/motd.yml" } changed_when: false - name: Verify sys/jupyter was installed correctly diff --git a/molecule/default/vars/ondemand.yml b/molecule/default/vars/ondemand.yml index cec82e8..68a715b 100644 --- a/molecule/default/vars/ondemand.yml +++ b/molecule/default/vars/ondemand.yml @@ -66,3 +66,8 @@ globus_endpoints: google_analytics_tag_id: 'abc123' motd_render_html: true + +ood_ondemand_d_configs: + motd: + content: + motd_render_html: true diff --git a/tasks/configure.yml b/tasks/configure.yml index c40e9d8..83f2839 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -35,6 +35,16 @@ dest: "{{ ood_base_conf_dir }}/ondemand.d/ondemand.yml" mode: 'u=rw,g=r,o=r' +- name: Create other ondemand.d files + copy: + content: "{{ ood_ondemand_d_configs[item].content | to_nice_yaml }}" + dest: "{{ ood_base_conf_dir }}/ondemand.d/{{ item }}.yml" + mode: "{{ ood_ondemand_d_configs[item].mode | default('644') }}" + group: "{{ ood_ondemand_d_configs[item].group | default('root') }}" + loop: "{{ ood_ondemand_d_configs | list | default([]) }}" + when: ood_ondemand_d_configs is defined + + - name: Enable Debian apache mods ansible.builtin.file: src: "{{ apache_etc_dir }}/mods-available/{{ item }}.load" From 3907e9c326b549d5cd264997b2c731ede7cf766f Mon Sep 17 00:00:00 2001 
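Review bot: The new `Create other ondemand.d files` task in tasks/configure.yml sets `mode` and `group` but no `owner`, so ownership follows whichever user the play runs as; add `owner: root` if these files are meant to be root-owned regardless of how the role is invoked. The fallback `default('644')` makes every generated file world-readable unless the caller overrides it, which deserves a comment beside `# ood_ondemand_d_configs: {}` in defaults/main/ondemand.yml because entries can carry site-specific settings. The per-entry `mode` should be documented as a quoted string such as `mode: '640'`, since an unquoted number may reach the module as a decimal integer depending on the templating configuration (worth confirming). The task also uses the short name `copy:` where the following task uses `ansible.builtin.file`; `ansible.builtin.copy:` would match.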
From: Jeff Ohrstrom Date: Thu, 19 Dec 2024 12:02:15 -0500 Subject: [PATCH 4/6] add more tests for ondemand.d files (#259) Add more tests for ondemand.d files and add a README item for this feature. --- README.md | 46 +++++++++++++++++++ .../default/fixtures/ondemand.d/globus.yml | 7 +++ molecule/default/prepare.yml | 5 ++ molecule/default/tasks/verify_custom.yml | 25 +++++++++- molecule/default/vars/ondemand.yml | 12 +++++ 5 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 molecule/default/fixtures/ondemand.d/globus.yml diff --git a/README.md b/README.md index 20ba410..6ac2bdb 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ This ansible role installs and configures [Open OnDemand](https://openondemand.o - [ood_apps](#ood_apps) - [Open ID Connect](#open-id-connect) - [Install Dex](#install-dex) + - [OnDemand.d Configurations](#ondemandd-configurations) - [Contributing](#contributing) ## Version compatibility 
@@ -294,6 +295,51 @@ See [auth\_openidc](https://github.com/zmartzone/mod_auth_openidc) for more info To install dex for OIDC use set the flag `install_ondemand_dex` to true and it will install the package. +### OnDemand.d Configurations + +In the 4.0 release of this role, configurations for `ondemand.d` files was changed. +While this role will continue to support the old way of specifing each +variable and writing them all out to a single `ondemand.d/ondemand.yml` file, +users should begin to migrate to the new way to write these files. + +4.0 introduced `ood_ondemand_d_configs` which will in turn write out as many files +as you've provided. + +Each configuration at a minimum needs `content` which will be the content of +the file that's begin written. It can additionally accept ``group`` and ``mode`` +to set the file's group ownership and file access mode. These files are always +owned by the ``root`` user. + +In this example, we're writing out two files, ``motd.yml`` and ``globus.yml``. +These filenames are given by the top level keys under ``ood_ondemand_d_configs``. + +``content`` specifies the content of the file that's going to be written out. +This should be in YAML and will be written out in YAML. + +In this configuration ``motd.yml`` will be written out with ``644 root:root`` +permissions. ``globus.yml`` on the other hand will be written out with +``640 root:specialusers`` permissions so it'll only be available for certain +users. + +```yaml +ood_ondemand_d_configs: + motd: + content: + motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640 +``` + ## Contributing If you run into an issue or have a feature request or fixed some issue, let us know! PRs welcome! Even if you 
diff --git a/molecule/default/fixtures/ondemand.d/globus.yml b/molecule/default/fixtures/ondemand.d/globus.yml new file mode 100644 index 0000000..8ededae --- /dev/null +++ b/molecule/default/fixtures/ondemand.d/globus.yml @@ -0,0 +1,7 @@ +globus_endpoints: +- endpoint: 716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: <%= CurrentUser.home %> +- endpoint: 9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: /project diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index a537994..e5f8ea3 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -15,3 +15,8 @@ - ca-certificates - systemd - git + + - name: Create secondary group + ansible.builtin.group: + name: specialusers + state: present diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index 982c2f5..12ec90a 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml @@ -12,6 +12,7 @@ - { src: "fixtures/config/auth_openidc.conf", dest: "auth_openidc.conf" } - { src: "fixtures/ondemand.d/ondemand_custom.yml", dest: "ondemand.yml" } - { src: "fixtures/ondemand.d/motd.yml", dest: "motd.yml" } + - { src: "fixtures/ondemand.d/globus.yml", dest: "globus.yml" } - name: Verify config files ansible.builtin.command: "diff /tmp/{{ item.left }} {{ item.right }}" @@ -25,6 +26,7 @@ - { left: "auth_openidc.conf", right: "{{ apache_conf_dir }}/auth_openidc.conf" } - { left: "ondemand.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/ondemand.yml" } - { left: "motd.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/motd.yml" } + - { left: "globus.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/globus.yml" } changed_when: false - name: Verify sys/jupyter was installed correctly 
@@ -41,4 +43,25 @@ dest: '/var/www/ood/apps/dev/customdir' clone: no update: no - version: v1.0.1 \ No newline at end of file + version: v1.0.1 + +- name: Get globus.yml file stats. + stat: + path: /etc/ood/config/ondemand.d/globus.yml + register: globus_perms + +- debug: var=globus_perms + +- name: Assert that globus.yml has correct permissions + assert: + that: + - "globus_perms.stat.mode == '0640'" + success_msg: 'globus.yml has correct permissions.' + fail_msg: "globus.yml permissions are {{ globus_perms.stat.mode }} when they should be '0640'" + +- name: Assert that globus.yml has correct group ownership + assert: + that: + - "globus_perms.stat.gr_name == 'specialusers'" + success_msg: 'globus.yml has correct group ownership.' + fail_msg: "globus.yml group ownership is {{ globus_perms.stat.gr_name }} when they should be 'specialusers'" diff --git a/molecule/default/vars/ondemand.yml b/molecule/default/vars/ondemand.yml index 68a715b..627e0d1 100644 --- a/molecule/default/vars/ondemand.yml +++ b/molecule/default/vars/ondemand.yml @@ -71,3 +71,15 @@ ood_ondemand_d_configs: motd: content: motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640 From c4723d43eba3580093081833b2895ac8226eff1c Mon Sep 17 00:00:00 2001 
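Review bot: The assertions added at the end of molecule/default/tasks/verify_custom.yml check the mode and group of globus.yml but not its owner, although the README text added in this patch says these files are always owned by root. Adding `- "globus_perms.stat.pw_name == 'root'"` to the permissions assert would pin that. The `stat` path is also hard-coded as `/etc/ood/config/ondemand.d/globus.yml`, where the diff tasks earlier in the same file use `{{ ood_base_conf_dir }}/ondemand.d/...`; using the variable keeps the check pointed at the file the role actually wrote.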
From: Jeff Ohrstrom Date: Thu, 19 Dec 2024 15:35:52 -0500 Subject: [PATCH 5/6] update defaults for next version (#254) Update defaults to prepare for next version. This installs from latest, so will need to be updated when we get real 4.0 packages built. --- .github/workflows/tests.yml | 20 +------------------- defaults/main/install.yml | 8 ++++---- molecule/upgrade/prepare.yml | 10 ++++++---- molecule/upgrade/vars/prepare.yml | 6 +++--- molecule/upgrade/verify.yml | 2 +- 5 files changed, 15 insertions(+), 31 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index fd33e3b..0d76064 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -48,26 +48,8 @@ jobs: run: | python3 -m pip install -r molecule/requirements.txt ansible-galaxy collection install community.general - sudo apt update && sudo apt install -y podman + sudo apt update && sudo apt upgrade -y && sudo apt install -y podman - # we have to patch crun here because Ubuntu fails with the errors similar to the - # github issue below. - # https://github.com/containers/crun/issues/1308 - - name: patch crun - run: | - export CRUN_VER='1.14.3' - mkdir -p "${HOME}/.local/bin" - curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "${HOME}/.local/bin/crun" - chmod +x "${HOME}/.local/bin/crun" - - mkdir -p "${HOME}/.config/containers" - cat << EOF > "${HOME}/.config/containers/containers.conf" - [engine.runtimes] - crun = [ - "${HOME}/.local/bin/crun", - "/usr/bin/crun" - ] - EOF - name: run tests run: molecule test --scenario-name=${{ matrix.scenario }} env: diff --git a/defaults/main/install.yml b/defaults/main/install.yml index 364177d..0568a68 100644 --- a/defaults/main/install.yml +++ b/defaults/main/install.yml 
@@ -17,8 +17,8 @@ apache_etc_dir: "/etc/{{ apache_service_name }}" apache_conf_dir: "{{ apache_etc_dir }}/conf.d" apache_log_dir: "/var/log/{{ apache_service_name }}" -rpm_repo_url: "https://yum.osc.edu/ondemand/3.1/ondemand-release-web-3.1-1.{{ el_distro }}.noarch.rpm" -apt_repo_url: "https://apt.osc.edu/ondemand/3.1/ondemand-release-web_3.1.1-{{ deb_distro }}_all.deb" +rpm_repo_url: "https://yum.osc.edu/ondemand/latest/ondemand-release-web-latest-1-8.{{ el_distro }}.noarch.rpm" +apt_repo_url: "https://apt.osc.edu/ondemand/latest/ondemand-release-web-latest_5-{{ deb_distro }}_all.deb" rpm_repo_key: "https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand" deb_repo_key: "https://apt.osc.edu/ondemand/DEB-GPG-KEY-ondemand" @@ -42,7 +42,7 @@ ondemand_dex_package: ondemand-dex # behaviour as for ondemand_package # needed for testing. no reason to change these in production. disable_htcacheclean: false -nodejs_version: 18 -ruby_version: 3.1 +nodejs_version: 20 +ruby_version: 3.3 ood_base_apache_dir: "/var/www/ood" diff --git a/molecule/upgrade/prepare.yml b/molecule/upgrade/prepare.yml index e95d10c..388e69a 100644 --- a/molecule/upgrade/prepare.yml +++ b/molecule/upgrade/prepare.yml @@ -22,14 +22,16 @@ pre_tasks: - name: Set dependency versions on el8 set_fact: - ruby_version: 3.0 - nodejs_version: 14 - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '8' + ruby_version: 3.1 + nodejs_version: 18 + when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= '8' - - name: Use default versions on el8 + - name: Use default versions on el9 set_fact: additional_rpm_installs: - lua-posix + - "@ruby:{{ ruby_version }}" + - "@nodejs:{{ nodejs_version }}" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '9' roles: diff --git a/molecule/upgrade/vars/prepare.yml b/molecule/upgrade/vars/prepare.yml index 1de872b..01dee8f 100644 --- a/molecule/upgrade/vars/prepare.yml +++ b/molecule/upgrade/vars/prepare.yml 
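Review bot: In molecule/upgrade/prepare.yml the new condition `ansible_distribution_major_version >= '8'` compares strings, so a major version of `'10'` sorts below `'8'` and the task would be skipped on such a host. `ansible_distribution_major_version | int >= 8` compares numerically. The same `set_fact` writes `ruby_version: 3.1` as a YAML float, as does `ruby_version: 3.3` in defaults/main/install.yml; quoting these (`'3.1'`) keeps a later value like 3.10 from collapsing to 3.1 when it is interpolated into `"@ruby:{{ ruby_version }}"`. The `pre_tasks` list these tasks belong to starts outside the hunk.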
@@ -1,4 +1,4 @@ -ondemand_package: "ondemand{% if ansible_os_family == 'RedHat' %}-{% else %}={% endif %}3.0.3" +ondemand_package: "ondemand{% if ansible_os_family == 'RedHat' %}-{% else %}={% endif %}3.1.10" disable_htcacheclean: true -apt_repo_url: "https://apt.osc.edu/ondemand/3.0/ondemand-release-web_3.0.0_all.deb" -rpm_repo_url: "https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm" +apt_repo_url: "https://apt.osc.edu/ondemand/3.1/ondemand-release-web_3.1.2-{{ deb_distro }}_all.deb" +rpm_repo_url: "https://yum.osc.edu/ondemand/3.1/ondemand-release-web-3.1-1.{{ el_distro }}.noarch.rpm" \ No newline at end of file diff --git a/molecule/upgrade/verify.yml b/molecule/upgrade/verify.yml index 678db80..f8120dc 100644 --- a/molecule/upgrade/verify.yml +++ b/molecule/upgrade/verify.yml @@ -58,7 +58,7 @@ - name: Verify OOD version ansible.builtin.shell: | set -o pipefail - grep -P '3.1.(\d)*' /opt/ood/VERSION + grep -P '4.0.(\d)*' /opt/ood/VERSION args: executable: /bin/bash changed_when: false \ No newline at end of file From 09ef4caf89c1ef4fe120ee4bd7a218e40c8adc17 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Tue, 14 Jan 2025 15:34:22 -0500 Subject: [PATCH 6/6] update to 4.0 repo (#261) Update defaults to the 4.0 repository. --- defaults/main/install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main/install.yml b/defaults/main/install.yml index 0568a68..5ff698b 100644 --- a/defaults/main/install.yml +++ b/defaults/main/install.yml 
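Review bot: The updated check `grep -P '4.0.(\d)*' /opt/ood/VERSION` in molecule/upgrade/verify.yml is looser than it reads: the dots are unescaped and `(\d)*` may match nothing, so any line containing `4`, one arbitrary character, `0` and one more character passes. `grep -P '4\.0\.\d+' /opt/ood/VERSION` requires a literal 4.0.N. If the format of the VERSION file allows it, anchoring the pattern would also stop a longer version string from matching by accident.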
@@ -17,8 +17,8 @@ apache_etc_dir: "/etc/{{ apache_service_name }}" apache_conf_dir: "{{ apache_etc_dir }}/conf.d" apache_log_dir: "/var/log/{{ apache_service_name }}" -rpm_repo_url: "https://yum.osc.edu/ondemand/latest/ondemand-release-web-latest-1-8.{{ el_distro }}.noarch.rpm" -apt_repo_url: "https://apt.osc.edu/ondemand/latest/ondemand-release-web-latest_5-{{ deb_distro }}_all.deb" +rpm_repo_url: "https://yum.osc.edu/ondemand/4.0/ondemand-release-web-4.0-1.{{ el_distro }}.noarch.rpm" +apt_repo_url: "https://apt.osc.edu/ondemand/4.0/ondemand-release-web_4.0.0-{{ deb_distro }}_all.deb" rpm_repo_key: "https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand" deb_repo_key: "https://apt.osc.edu/ondemand/DEB-GPG-KEY-ondemand"