Merge branch 'main' into DMED-119-integration-of-search-environment

ansible/group_vars/all/erwin-idm.yml

@@ -3,3 +3,8 @@ ERWINIDM_IMAGE_TAG: 0.4.8
 ERWINIDM_PORT: 8089
 ERWINIDM_PREFIX: idm.
 ERWINIDM_SERVICE_MONITOR: true
+ERWINIDM_ADMIN_HOSTNAME: "{{ ERWINIDM_ADMIN_PREFIX }}{{ DOMAIN }}"
+ERWINIDM_ADMIN_PREFIX: idm-admin.
+ERWINIDM_ADMIN_INGRESS_CLASS: management
+ERWINIDM_ADMIN_CREATE_CERTIFICATE: true
+ERWINIDM_ADMIN_TLS_AUTH_SECRET: erwinidm-tls-auth

ansible/group_vars/brb/instance_cfg.yml

@@ -5,7 +5,7 @@ SC_TITLE: Schul-Cloud Brandenburg
 SC_PRODUCTNAME: Schul-Cloud Brandenburg
 SC_NAV_TITLE: Schul-Cloud Brandenburg
 SC_CONTACT_EMAIL: [email protected]
-DASHBOARD_ANNOUNCEMENT_TEXT: dashboard.text.announcementBrb
+DASHBOARD_ANNOUNCEMENT_TEXT: ''
 DASHBOARD_ANNOUNCEMENT_ROLES: teacher,administrator
 GLOBAL_ANNOUNCEMENT_TEXT: ''
 GLOBAL_ANNOUNCEMENT_ROLES: teacher,administrator

ansible/group_vars/develop/erwin-idm.yml

@@ -1 +1,4 @@
-ERWINIDM_PREFIX: idm-
+ERWINIDM_PREFIX: idm-
+ERWINIDM_ADMIN_INGRESS_CLASS: nginx
+ERWINIDM_ADMIN_CREATE_CERTIFICATE: false
+ERWINIDM_ADMIN_PREFIX: idm-admin-

ansible/host_vars/dev-loadtest-01/erwin-idm.yml

@@ -1 +1,2 @@
-ERWINIDM_PREFIX: idm.
+ERWINIDM_PREFIX: idm.
+ERWINIDM_ADMIN_PREFIX: idm-admin.

ansible/host_vars/prod-brb/erwin-idm.yml

@@ -0,0 +1,2 @@
+---
+ERWINIDM_ADMIN_HOSTNAME: idm-admin.brandenburg.dbildungscloud.de

ansible/host_vars/prod-brb/pod.yml

@@ -27,3 +27,4 @@ TLDRAW_CLIENT_REPLICAS: 3
 TLDRAW_SERVER_REPLICAS: 1
 ADMIN_API_SERVER_REPLICAS: 3
 BOARD_COLLABORATION_SERVER_REPLICAS: 3
+ANTIVIRUS_SCANFILE_MAX_REPLICA_COUNT: 20

ansible/host_vars/prod-dbc/pod.yml

@@ -28,3 +28,4 @@ TLDRAW_CLIENT_REPLICAS: 3
 TLDRAW_SERVER_REPLICAS: 1
 ADMIN_API_SERVER_REPLICAS: 3
 BOARD_COLLABORATION_SERVER_REPLICAS: 3
+ANTIVIRUS_SCANFILE_MAX_REPLICA_COUNT: 20

ansible/host_vars/prod-nbc/erwin-idm.yml

@@ -0,0 +1,2 @@
+---
+ERWINIDM_ADMIN_HOSTNAME: idm-admin.niedersachsen.dbildungscloud.de

ansible/host_vars/prod-nbc/pod.yml

@@ -28,3 +28,4 @@ TLDRAW_CLIENT_REPLICAS: 3
 TLDRAW_SERVER_REPLICAS: 1
 ADMIN_API_SERVER_REPLICAS: 3
 BOARD_COLLABORATION_SERVER_REPLICAS: 3
+ANTIVIRUS_SCANFILE_MAX_REPLICA_COUNT: 20

ansible/host_vars/prod-thr/erwin-idm.yml

@@ -0,0 +1,2 @@
+---
+ERWINIDM_ADMIN_HOSTNAME: idm-admin.thueringen.dbildungscloud.de

ansible/host_vars/prod-thr/pod.yml

@@ -29,4 +29,4 @@ TLDRAW_CLIENT_REPLICAS: 3
 TLDRAW_SERVER_REPLICAS: 1
 ADMIN_API_SERVER_REPLICAS: 3
 BOARD_COLLABORATION_SERVER_REPLICAS: 3
-ANTIVIRUS_SCANFILE_MAX_REPLICA_COUNT: 10
+ANTIVIRUS_SCANFILE_MAX_REPLICA_COUNT: 20

ansible/host_vars/ref-thr/erwin-idm.yml

@@ -0,0 +1,2 @@
+---
+ERWINIDM_ADMIN_HOSTNAME: idm-admin.staging.thueringen.dbildungscloud.org

ansible/roles/erwin-idm/tasks/main.yml

@@ -144,6 +144,69 @@
   tags:
     - ingress
 
+- name: Admin Ingress Certificate
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: admin-certificate.yml.j2
+  when: WITH_ERWINIDM and ERWINIDM_ADMIN_CREATE_CERTIFICATE
+  tags:
+    - 1password
+
+- name: remove Admin Ingress Certificate
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    api_version: cert-manager.io/v1
+    kind: Certificate
+    name: "{{ ERWINIDM_ADMIN_HOSTNAME }}"
+    state: absent
+  when: not WITH_ERWINIDM
+  tags:
+    - 1password
+
+- name: Admin Ingress Secret
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: admin-onepassword.yml.j2
+  when: WITH_ERWINIDM and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+  tags:
+    - 1password
+
+- name: remove Admin Ingress Secret
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    api_version: onepassword.com/v1
+    kind: OnePasswordItem
+    name: "{{ ERWINIDM_ADMIN_TLS_AUTH_SECRET }}"
+    state: absent
+  when: not WITH_ERWINIDM and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+  tags:
+    - 1password
+
+- name: Admin Ingress
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: admin-ingress.yml.j2
+  when: WITH_ERWINIDM
+  tags:
+    - ingress
+
+- name: remove Admin Ingress
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    api_version: networking.k8s.io/v1
+    kind: Ingress
+    name: "{{ NAMESPACE }}-erwinidm-admin-ingress"
+    state: absent
+  when: not WITH_ERWINIDM
+  tags:
+    - ingress
+
 - name: Service Monitor
   kubernetes.core.k8s:
     kubeconfig: ~/.kube/config

ansible/roles/erwin-idm/templates/admin-certificate.yml.j2

@@ -0,0 +1,13 @@
+#jinja2: trim_blocks: "True", lstrip_blocks: "True"
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ ERWINIDM_ADMIN_HOSTNAME }}
+  namespace: {{ NAMESPACE }}
+spec:
+  dnsNames:
+    - {{ ERWINIDM_ADMIN_HOSTNAME }}
+  secretName: {{ ERWINIDM_ADMIN_HOSTNAME }}-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: sc-cert-manager-clusterissuer-letsencrypt-otcdns

ansible/roles/erwin-idm/templates/admin-ingress.yml.j2

@@ -0,0 +1,36 @@
+#jinja2: trim_blocks: "True", lstrip_blocks: "True"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: erwinidm-admin-ingress
+  namespace: {{ NAMESPACE }}
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
+    nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABLED|default("false") }}"
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "{{ NAMESPACE }}/{{ ERWINIDM_ADMIN_TLS_AUTH_SECRET }}"
+    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+{% if CLUSTER_ISSUER is defined and not ERWINIDM_ADMIN_CREATE_CERTIFICATE %}
+    cert-manager.io/cluster-issuer: {{ CLUSTER_ISSUER }}
+{% endif %}
+spec:
+  ingressClassName: {{ ERWINIDM_ADMIN_INGRESS_CLASS }}
+  tls:
+  - hosts:
+      - {{ ERWINIDM_ADMIN_HOSTNAME }}
+{% if CLUSTER_ISSUER is defined or ERWINIDM_ADMIN_CREATE_CERTIFICATE %}
+    secretName: {{ ERWINIDM_ADMIN_HOSTNAME }}-tls
+{% endif %}
+  rules:
+  - host: {{ ERWINIDM_ADMIN_HOSTNAME }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: erwinidm-svc
+            port:
+              number: {{ ERWINIDM_PORT }}

ansible/roles/erwin-idm/templates/admin-onepassword.yml.j2

@@ -0,0 +1,9 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: {{ ERWINIDM_ADMIN_TLS_AUTH_SECRET }}
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: erwinidm
+spec:
+  itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/{{ ERWINIDM_ADMIN_TLS_AUTH_SECRET }}"

ansible/roles/erwin-idm/templates/configmap.yml.j2

@@ -8,6 +8,7 @@ metadata:
 data:
   # See https://www.keycloak.org/server/all-config?f=config
   KC_HOSTNAME: "https://{{ ERWINIDM_PREFIX }}{{ DOMAIN }}/"
+  KC_HOSTNAME_ADMIN: "https://{{ ERWINIDM_ADMIN_HOSTNAME }}/"
   KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "false"
   KC_HTTP_ENABLED: "true"
   KC_HTTP_PORT: "{{ ERWINIDM_PORT }}"

sc-common/namespace-activator/base/app.yml

@@ -51,12 +51,15 @@ spec:
         runAsNonRoot: true
       containers:
       - name: ns-activator
-        image: ghcr.io/hpi-schul-cloud/devcluster-namespace-activator:2.3
+        image: ghcr.io/hpi-schul-cloud/devcluster-namespace-activator:2.4
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8080
           name: http
           protocol: TCP
+        - containerPort: 9999
+          name: metrics
+          protocol: TCP
         envFrom:
         - configMapRef:
             name: ns-activator-configmap
@@ -88,6 +91,21 @@ spec:
   selector:
     app: ns-activator
 
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: pod-ns-monitor
+  namespace: sc-common
+  labels:
+    app: ns-activator
+spec:
+  selector:
+    matchLabels:
+      app: ns-activator
+  podMetricsEndpoints:
+  - port: metrics
+    path: /q/metrics
 
 ---
 apiVersion: networking.k8s.io/v1