From 4c506917550f1f26e42702894c0d8c67f431a194 Mon Sep 17 00:00:00 2001 From: cohenuzi01 Date: Thu, 14 Jan 2016 17:00:10 -0500 Subject: [PATCH] merge master ps changes from dev. fix NodePort support for the policy-server service --- README.md | 15 +- .../data/environment.properties | 15 +- base/access-gateway/init.d/01_init.sh | 4 + base/access-gateway/init.d/02_config.sh | 209 ++++++++--------- base/admin-ui/data/configuration.properties | 3 +- base/admin-ui/init.d/03_ps_register.sh | 131 ++++++----- .../policy-server/data/environment.properties | 2 - base/policy-server/init.d/02_setconfig.sh | 7 +- .../init.d/03_set_registry_entries.sh | 214 ++++++++++++------ .../init.d/04_start_policy_server.sh | 2 +- sso-12-52-01-ga.json | 176 ++++++++++++-- 11 files changed, 509 insertions(+), 269 deletions(-) diff --git a/README.md b/README.md index 5e902f3..62a9ee4 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,13 @@ -# vapp-config-base -CA SSO configuration +# Solution Configuration + +Configuration for the base CA SSO including configuration the Policy Server, Admin UI and Access Gateway + +The SSO base solution defines replication controllers, and services for the following components: access-gateway, admin-ui, policy-server-master, policy-server (worker), and policy-store. +Each Replication controller is responsible for one Pod, making sure the right number of replicas of that pod are running at all time. Each Pod has two containers running inside of it: Its component (as indicated by its name), as well as a configuration container called a “sidecar”. +Every time a pod starts it starts all of its containers, in our case it means the container running the pod’s main component (policy-server, policy-store, etc.), as well as a sidecar container. The sidecar container is in-charge of downloading the solution’s configuration zip file from the url that was specified when the solution was deployed, extracting it, and making it available to the other container in its pod in the form of a shared Kubernetes Volume ( of type "emptyDir"). These operations happen every time the sidecar container starts up, thus allowing for configuration to be refreshed every time we start/restart the pod. + +The solution exposes 2 administrative UIs. SSO Administrative UI (default credentials SiteMinder/CAdemo123), and the Access Gateway Admin (default credentials Administrator/CAdemo123). Note that in order to authenticate to the Access Gateway Admin (SPS Admin UI), it is required to use a specific host name as specified when the solution was deployed (by default it is “access-gateway-admin.ca.local”). Make sure to add this host name to your DNS server or your local etc/hosts file and use it when accessing the Access Gateway Admin. + +There are two types of replication controller for policy server, one for each policy server role (master and worker). Both servers use the same image. 
The difference is in their initialization scripts, The role of the master policy server is to initialize and configure the policy store, take care of the generation of agent keys (Agent Key roll-over), as well as be the server that the AdminUI and SPS Admin UI communicate with to perform administrative updates to the policy store. The policy-server-master Service will direct communication only to the master policy-server instance. There should be only one policy-server-master. The policy-server service points to all policy servers, including the master. The number of replicas of worker policy servers can be increased as needed to handle load. This is done via its replication controller (named policy-server). From a console, use the following command to change the number of running replicas of the policy server (x represents the desired number of replicas): +kubectl scale rc policy-server --replicas=x + diff --git a/base/access-gateway/data/environment.properties b/base/access-gateway/data/environment.properties index 08a5f58..eb3060a 100644 --- a/base/access-gateway/data/environment.properties +++ b/base/access-gateway/data/environment.properties @@ -8,8 +8,11 @@ ADMIN_REG_PASSWORD=Q0FkZW1vMTIz TRUSTED_HOST_NAME=samplehost -# Policy server information -PS_HOST=policy-server +# Policy server information. +# Agent registration as well as every initial (bootstrap) connection should be done against the +# policy-server-master service. Once connected to the PS, the access-gateway will use the policy-server service name +# as specified in the 'hostconfig' HCO. +PS_HOST=policy-server-master AGENT_NAME=agent AGENT_CONFIG_OBJ=agentconfig HOST_CONFIG_OBJ=hostconfig 
@@ -17,22 +20,14 @@ HOST_CONFIG_OBJ=hostconfig SPS_FIPS_VALUE=COMPAT -SM_HOST_FILE=/opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf - TOMCAT_USER=nobody # Apache Information APACHE_ADMIN_EMAIL=admin@policy-server.ca.com APACHE_HTTP_PORT=80 APACHE_SSL_PORT=443 - - VIRTUAL_HOST_NAMES=access-gateway-admin.ca.local,access-gateway.ca.local -#SM_WA_FILENAME=WebAgent.conf -#SM_WA_DIR=/opt/CA/secure-proxy/proxy-engine/conf/defaultagent -SM_WA_FILE=/opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf - ENABLE_WEBAGENT=YES ENABLE_FED_GATEWAY=NO diff --git a/base/access-gateway/init.d/01_init.sh b/base/access-gateway/init.d/01_init.sh index 83f4fad..6e04320 100644 --- a/base/access-gateway/init.d/01_init.sh +++ b/base/access-gateway/init.d/01_init.sh @@ -90,3 +90,7 @@ jar xvf $sps_home/Tomcat/webapps/aaloginservice.war cd $sps_home/Tomcat/webapps/proxyui jar xvf $sps_home/Tomcat/webapps/proxyui/proxyui.war + +#Temporary fix for entropy issue. Will be removed/modified once alternative approach is confirmed. +mv /dev/random /dev/origrandom +ln -s /dev/urandom /dev/random \ No newline at end of file diff --git a/base/access-gateway/init.d/02_config.sh b/base/access-gateway/init.d/02_config.sh index 9209051..2890d69 100644 --- a/base/access-gateway/init.d/02_config.sh +++ b/base/access-gateway/init.d/02_config.sh 
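Review bot: The two added lines replace `/dev/random` with a symlink to `/dev/urandom` for every process in the container, and neither command is checked, so a refused rename or a failed `ln` is silent and the rest of the init sequence runs as if the workaround had applied (the last line also lacks its trailing newline). If the entropy problem is the JVM blocking on SecureRandom seeding, the narrower fix is to set `-Djava.security.egd=file:/dev/./urandom` in the Tomcat JVM options rather than rewire the device node for everything in the image. At minimum chain and report the steps, e.g. `mv /dev/random /dev/origrandom && ln -s /dev/urandom /dev/random || echo "[*] entropy workaround failed"`, and replace the "temporary" wording with a pointer to the item that tracks the real fix so it is not left in place by accident.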
@@ -1,38 +1,70 @@ -#!/bin/sh +#!/bin/bash +# 02_config - This script registers the Admin UI against the Policy Server. + +##### Constants ENV_PROP_FILE=/solution/$CONFIG/data/environment.properties +POLICYSERVER_AVAILABILITY_TIME_OUT=1000 +#NETE_SPS_ROOT is defined at the docker image level (as /opt/CA/secure-proxy) sps_home=$NETE_SPS_ROOT -tomcat_user=`/opt/util/parser.sh TOMCAT_USER $ENV_PROP_FILE` +WAConf_file="$sps_home/proxy-engine/conf/defaultagent/WebAgent.conf" +sm_host_file="$sps_home/proxy-engine/conf/defaultagent/SmHost.conf" + +ps_host=`/opt/util/parser.sh PS_HOST $ENV_PROP_FILE` +admin_reg_name=`/opt/util/parser.sh ADMIN_REG_NAME $ENV_PROP_FILE` +admin_reg_pswd=`/opt/util/parser.sh ADMIN_REG_PASSWORD $ENV_PROP_FILE` +trusted_host_name=`/opt/util/parser.sh TRUSTED_HOST_NAME $ENV_PROP_FILE` +ps_hco_name=`/opt/util/parser.sh HOST_CONFIG_OBJ $ENV_PROP_FILE` +fips_mode=`/opt/util/parser.sh SPS_FIPS_VALUE $ENV_PROP_FILE` + hostname=`/opt/util/parser.sh VIRTUAL_HOST_NAMES $ENV_PROP_FILE` +aco=`/opt/util/parser.sh AGENT_CONFIG_OBJ $ENV_PROP_FILE` +enable_WA=`/opt/util/parser.sh ENABLE_WEBAGENT $ENV_PROP_FILE` +enable_fed_gateway=`/opt/util/parser.sh ENABLE_FED_GATEWAY $ENV_PROP_FILE` + httpd_port=`/opt/util/parser.sh APACHE_HTTP_PORT $ENV_PROP_FILE` httpd_ssl_port=`/opt/util/parser.sh APACHE_SSL_PORT $ENV_PROP_FILE` server_admin=`/opt/util/parser.sh APACHE_ADMIN_EMAIL $ENV_PROP_FILE` -fips_mode=`/opt/util/parser.sh SPS_FIPS_VALUE $ENV_PROP_FILE` -sm_host_file=`/opt/util/parser.sh SM_HOST_FILE $ENV_PROP_FILE` -aco=`/opt/util/parser.sh AGENT_CONFIG_OBJ $ENV_PROP_FILE` -enable_WA=`/opt/util/parser.sh ENABLE_WEBAGENT $ENV_PROP_FILE` -WAConf_file=`/opt/util/parser.sh SM_WA_FILE $ENV_PROP_FILE` -ajp_port=`/opt/util/parser.sh AJP_PORT $ENV_PROP_FILE` -shut_down_port=`/opt/util/parser.sh SHUT_DOWN_PORT $ENV_PROP_FILE` + tomcat_http_port=`/opt/util/parser.sh TOMCAT_HTTP_PORT $ENV_PROP_FILE` tomcat_ssl_port=`/opt/util/parser.sh TOMCAT_SSL_PORT $ENV_PROP_FILE` 
-admin_reg_pswd=`/opt/util/parser.sh ADMIN_REG_PASSWORD $ENV_PROP_FILE` -ps_host=`/opt/util/parser.sh PS_HOST $ENV_PROP_FILE` -admin_reg_name=`/opt/util/parser.sh ADMIN_REG_NAME $ENV_PROP_FILE` -ps_hco_name=`/opt/util/parser.sh HOST_CONFIG_OBJ $ENV_PROP_FILE` -trusted_host_name=`/opt/util/parser.sh TRUSTED_HOST_NAME $ENV_PROP_FILE` -enable_fed_gateway=`/opt/util/parser.sh ENABLE_FED_GATEWAY $ENV_PROP_FILE` - +tomcat_user=`/opt/util/parser.sh TOMCAT_USER $ENV_PROP_FILE` +ajp_port=`/opt/util/parser.sh AJP_PORT $ENV_PROP_FILE` +shut_down_port=`/opt/util/parser.sh SHUT_DOWN_PORT $ENV_PROP_FILE` +##### Functions + +# Waiting for the Policy Server service to be ready to register a new trusted host +register_trusted_host() +{ + i=0 + while true; do + if [ "$i" -gt "$POLICYSERVER_AVAILABILITY_TIME_OUT" ]; then + exit 1 + fi + + smreghost -i $ps_host -u $admin_reg_name -p $admin_reg_pswd -hn $trusted_host_name -hc $ps_hco_name -o -cf $fips_mode -f $sm_host_file + if [ $? -eq 0 ]; then + echo "[*][$(date +"%T")] - smreghost successfully completed..." + retval=0 + break + else + echo "[*][$(date +"%T")] - Unable to register host against Policy Server. Will try again in 10 seconds($i).........." + i=`expr $i + 10` + sleep 10 + fi + done +} + +##### Main #decrypted using ../password-util/passwordDecode.sh admin_reg_pswd=`/solution/$CONFIG/../common/password-util/passwordDecode.sh $admin_reg_pswd` - source $sps_home/ca_sps_env.sh +echo "[*][$(date +"%T")] - Updating configuration files..." # changes related to httpd.conf file - sed -i "s|#User |User $tomcat_user|g" $sps_home/httpd/conf/httpd.conf sed -i "s|#LoadModule env_module modules/mod_env.so|LoadModule env_module modules/mod_env.so|g" $sps_home/httpd/conf/httpd.conf sed -i "s|#PassEnv LD_LIBRARY_PATH|PassEnv LD_LIBRARY_PATH|g" $sps_home/httpd/conf/httpd.conf 
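Review bot: The new header comment `# 02_config - This script registers the Admin UI against the Policy Server.` describes the wrong component: this file is `base/access-gateway/init.d/02_config.sh` and it configures the Secure Proxy Server and registers it as a trusted host, so it should read `# 02_config - Configures the Access Gateway (SPS) and registers it as a trusted host with the Policy Server.` (the identical sentence in 03_ps_register.sh is the correct one). In `register_trusted_host` the timeout path is a bare `exit 1`, whereas the other wait loops added in this commit log why they gave up; add `echo "[*][$(date +"%T")] - A timeout was reached ($POLICYSERVER_AVAILABILITY_TIME_OUT seconds) while registering the trusted host."` before it. Note also that the decoded `$admin_reg_pswd` is handed to `smreghost -p` on the command line, where it is visible in the process table for the duration of the call; smreghost's options are outside this diff, so check whether it can take the password from a file instead. The function's caller is in a later hunk.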
@@ -46,14 +78,10 @@ sed -i "s||$server_admin|g" $sps_home/httpd/conf/httpd.conf sed -i "s||$server_name|g" $sps_home/httpd/conf/httpd.conf sed -i "s|TraceEnable on|TraceEnable off|g" $sps_home/httpd/conf/httpd.conf - # changes related to sps-ctl file - sed -i "s||$tomcat_user|g" $sps_home/proxy-engine/sps-ctl sed -i "s||$sps_home|g" $sps_home/proxy-engine/sps-ctl - - # changes related to httpd-ssl.conf file sed -i "s|:|$httpd_ssl_port|g" $sps_home/httpd/conf/extra/httpd-ssl.conf sed -i "s||$httpd_ssl_port|g" $sps_home/httpd/conf/extra/httpd-ssl.conf 
@@ -62,54 +90,54 @@ sed -i "s||SSLSpsFipsMode $fips_mode|g" $sps_home/httpd/conf/extr sed -i "s||$sps_home/httpd|g" $sps_home/httpd/conf/extra/httpd-ssl.conf sed -i "s||$server_admin|g" $sps_home/httpd/conf/extra/httpd-ssl.conf - - - # To create $sps_home/arcot/odbc/odbc.ini - touch $sps_home/arcot/odbc/odbc.ini chmod 775 $sps_home/arcot/odbc/odbc.ini -echo "[ODBC Data Sources]" > $sps_home/arcot/odbc/odbc.ini -echo "CAAdvancedAuthDSN=SiteMinder Policy Server Wire Protocol" >> $sps_home/arcot/odbc/odbc.ini -echo "" >> $sps_home/arcot/odbc/odbc.ini -echo "[CAAdvancedAuthDSN]" >> $sps_home/arcot/odbc/odbc.ini -echo "Driver=$sps_home/arcot/lib/libdaproxy.so" >> $sps_home/arcot/odbc/odbc.ini -echo "HostConfigFile=$sps_home/arcot/conf/SmHostFlow.conf" >> $sps_home/arcot/odbc/odbc.ini -echo "" >> $sps_home/arcot/odbc/odbc.ini -echo "[ODBC]" >> $sps_home/arcot/odbc/odbc.ini -echo "Trace=0" >> $sps_home/arcot/odbc/odbc.ini -echo "DATrace=0" >> $sps_home/arcot/odbc/odbc.ini -echo "DATraceSettingsFile=$sps_home/arcot/conf/datracesettings.ini" >> $sps_home/arcot/odbc/odbc.ini -echo "TraceFile=$sps_home/arcot/logs/odbctrace.out" >> $sps_home/arcot/odbc/odbc.ini -echo "TraceDll=$sps_home/arcot/odbc/lib/NStrc27.so" >> $sps_home/arcot/odbc/odbc.ini -echo "InstallDir=$sps_home/arcot/odbc/" >> $sps_home/arcot/odbc/odbc.ini +cat << _EOF_ > $sps_home/arcot/odbc/odbc.ini +[ODBC Data Sources] +CAAdvancedAuthDSN=SiteMinder Policy Server Wire Protocol +[CAAdvancedAuthDSN] +Driver=$sps_home/arcot/lib/libdaproxy.so +HostConfigFile=$sps_home/arcot/conf/SmHostFlow.conf -# To create $sps_home/proxy-engine/conf/defaultagent/WebAgent.conf +[ODBC] +Trace=0 +DATrace=0 +DATraceSettingsFile=$sps_home/arcot/conf/datracesettings.ini +TraceFile=$sps_home/arcot/logs/odbctrace.out +TraceDll=$sps_home/arcot/odbc/lib/NStrc27.so + +InstallDir=$sps_home/arcot/odbc/ +_EOF_ -touch $sps_home/proxy-engine/conf/defaultagent/WebAgent.conf +# To create $sps_home/proxy-engine/conf/defaultagent/WebAgent.conf +touch 
$WAConf_file chmod 777 $WAConf_file -echo "# WebAgent.conf - configuration file for SiteMinder Secure Proxy" > $WAConf_file -echo "" >> $WAConf_file -echo "LOCALE=en-US" >> $WAConf_file -echo "HostConfigFile=\"$sm_host_file\"" >> $WAConf_file - -echo "AgentConfigObject=\"$aco\"" >> $WAConf_file -echo "ServerPath=\"ServerPath_default\"" >> $WAConf_file -echo "EnableWebAgent=\"$enable_WA\"" >> $WAConf_file -echo "#localconfigfile=\"$sps_home/proxy-engine/conf/defaultagent/LocalConfig.conf\"" >> $WAConf_file -echo "LoadPlugin=\"$sps_home/agentframework/bin/libHttpPlugin.so\"" >> $WAConf_file -echo "LoadPlugin=\"$sps_home/agentframework/bin/libSPSPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libSPPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libDisambiguatePlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libOpenIDPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libSessionLinkerPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libOAuthPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libSAMLDataPlugin.so\"" >> $WAConf_file -echo "#LoadPlugin=\"$sps_home/agentframework/bin/libCertSessionLinkerPlugin.so\"" >> $WAConf_file -echo "AgentIdFile=\"$sps_home/proxy-engine/conf/defaultagent/AgentId.dat\"" >> $WAConf_file +cat << _EOF_ > $WAConf_file +# WebAgent.conf - configuration file for SiteMinder Secure Proxy + +LOCALE=en-US +HostConfigFile="$sm_host_file" +AgentConfigObject="$aco" + +ServerPath="ServerPath_default" +EnableWebAgent="$enable_WA" +#localconfigfile="$sps_home/proxy-engine/conf/defaultagent/LocalConfig.conf" +LoadPlugin="$sps_home/agentframework/bin/libHttpPlugin.so" +LoadPlugin="$sps_home/agentframework/bin/libSPSPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libSPPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libDisambiguatePlugin.so" 
+#LoadPlugin="$sps_home/agentframework/bin/libOpenIDPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libSessionLinkerPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libOAuthPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libSAMLDataPlugin.so" +#LoadPlugin="$sps_home/agentframework/bin/libCertSessionLinkerPlugin.so" + +AgentIdFile="$sps_home/proxy-engine/conf/defaultagent/AgentId.dat" +_EOF_ #changes to server.conf sed -i 's|$$AJP_PORT|'"$ajp_port"'|g' $sps_home/proxy-engine/conf/server.conf 
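Review bot: The rewritten WebAgent.conf block keeps the context line `chmod 777 $WAConf_file`, so the agent configuration (host config file, ACO, plugin list) stays writable by every account in the container, including the `User $tomcat_user` that the httpd.conf sed in the first hunk switches httpd to. Since the file is now generated from a fixed variable, tighten it at creation time, e.g. `chmod 644 $WAConf_file`, or `chown $tomcat_user $WAConf_file && chmod 640 $WAConf_file` if the agent must read it as that user; I cannot tell from the diff whether anything writes to it at runtime, so confirm before narrowing. The same applies to `chmod 775` on odbc.ini a few lines above. The odbc.ini heredoc also drops the blank line the old `echo` version emitted between `CAAdvancedAuthDSN=...` and `[CAAdvancedAuthDSN]`; harmless for INI parsing, just noting it looks unintended.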
@@ -117,63 +145,30 @@ sed -i 's|$$SHUT_DOWN_PORT|'"$shut_down_port"'|g' $sps_home/proxy-engine/conf/se sed -i 's|$$LOCALHTTPPORT|'"$tomcat_http_port"'|g' $sps_home/proxy-engine/conf/server.conf sed -i 's|$$LOCALHTTPSPORT|'"$tomcat_ssl_port"'|g' $sps_home/proxy-engine/conf/server.conf sed -i 's|$$CACERTPATH|'"$sps_home/SSL/certs"'|g' $sps_home/proxy-engine/conf/server.conf + sed -i 's|$$CACERTFILENAME|'"$sps_home/SSL/certs/ca-bundle.cert"'|g' $sps_home/proxy-engine/conf/server.conf sed -i 's|$$RULESFILE|'"$sps_home/proxy-engine/conf/proxyrules.xml"'|g' $sps_home/proxy-engine/conf/server.conf sed -i 's|$$POLICY_SERVER_VERSION|12.5|g' $sps_home/proxy-engine/conf/server.conf -sed -i 's|$$SMINITFILE|'"$sps_home/proxy-engine/conf/defaultagent/WebAgent.conf"'|g' $sps_home/proxy-engine/conf/server.conf +sed -i 's|$$SMINITFILE|'"$WAConf_file"'|g' $sps_home/proxy-engine/conf/server.conf sed -i 's|$$HOSTNAME|'"$hostname"'|g' $sps_home/proxy-engine/conf/server.conf if [[ "$enable_fed_gateway" = "yes" || "$enable_fed_gateway" = "YES" ]] ; then sed -i 's|enablefederationgateway="no"|enablefederationgateway="yes"|g' $sps_home/proxy-engine/conf/server.conf fi - #changes to apachectl -sed -i 's|/vobs/3ptysrc/apache/httpd-unix/Release/Apache2|/opt/CA/secure-proxy/httpd|g' $sps_home/httpd/bin/apachectl +sed -i 's|/vobs/3ptysrc/apache/httpd-unix/Release/Apache2|'"$sps_home/httpd"'|g' $sps_home/httpd/bin/apachectl -echo "Running dbutil..." -$ARCOT_HOME/bin/dbutil -init $admin_reg_pswd -$ARCOT_HOME/bin/dbutil -pi CAAdvancedAuthDSN $admin_reg_pswd -$ARCOT_HOME/bin/dbutil -pi admin $admin_reg_pswd $admnin_reg_pswd - -echo "Running smreghost..." -TIME_OUT=500 -i=0 - -while true; do - if [ "$i" -gt "$TIME_OUT" ]; then - exit 1 - fi - - smreghost -i $ps_host -u $admin_reg_name -p $admin_reg_pswd -hn $trusted_host_name -hc $ps_hco_name -cf $fips_mode -f $sm_host_file - if [ $? -eq 0 ]; then - echo "Smreg host successful..." - retval=0 - break - else - echo "Unable to register host...." 
- i=`expr $i + 10` - echo "Sleeping for 10 secs and re trying.........." - sleep 10 - fi -done - -cp $sm_host_file $ARCOT_HOME/conf/SmHostFlow.conf - -sed -i 's|D\:\\\\netscape\\\\server4\\\\https-webserv1\\\\config\\\\WebAgent.conf|'"$sps_home/proxy-engine/conf/defaultagent/WebAgent.conf"'|g' $sps_home/Tomcat/webapps/affwebservices/WEB-INF/classes/AffWebServices.properties - -sed -i 's|SmHostConfPath=|SmHostConfPath='"$sps_home/proxy-engine/conf/defaultagent/SmHost.conf"'|g' $sps_home/Tomcat/webapps/chs/WEB-INF/classes/config/chsConfig.properties +#changes to tomcat configuration files +sed -i 's|D\:\\\\netscape\\\\server4\\\\https-webserv1\\\\config\\\\WebAgent.conf|'"$WAConf_file"'|g' $sps_home/Tomcat/webapps/affwebservices/WEB-INF/classes/AffWebServices.properties +sed -i 's|SmHostConfPath=|SmHostConfPath='"$sm_host_file"'|g' $sps_home/Tomcat/webapps/chs/WEB-INF/classes/config/chsConfig.properties sed -i 's|AgentConfigObject=|AgentConfigObject='"$aco"'|g' $sps_home/Tomcat/webapps/chs/WEB-INF/classes/config/chsConfig.properties sed -i 's|c\:\\\\FWS.log|'"$sps_home/proxy-engine/logs/affwebserv.log"'|g' $sps_home/Tomcat/webapps/affwebservices/WEB-INF/classes/LoggerConfig.properties - sed -i 's|c\:\\\\FWSTrace.log|'"$sps_home/proxy-engine/logs/FWSTrace.log"'|g' $sps_home/Tomcat/webapps/affwebservices/WEB-INF/classes/LoggerConfig.properties - sed -i 's|D\:\\\\program\ files\\\\netegrity\\\\webagent\\\\config\\\\FWSTrace.conf|'"$sps_home/proxy-engine/conf/defaultagent/FederationTrace.conf"'|g' $sps_home/Tomcat/webapps/affwebservices/WEB-INF/classes/LoggerConfig.properties -cp $sps_home/proxy-engine/conf/defaultagent/WebAgent.conf $sps_home/proxy-engine/conf/webservicesagent/WebAgent.conf - #modifying server.conf sed -n '//p' $sps_home/proxy-engine/conf/server.conf > /tmp/output.txt sed -i '1d' /tmp/output.txt 
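Review bot: The server.conf rewrite at the end of the hunk still goes through the fixed path `/tmp/output.txt` (the `sed -n ... > /tmp/output.txt` redirect, `sed -i '1d' /tmp/output.txt`, and the `rm -rf` in the following hunk), so an existing file or symlink at that path is followed and overwritten, and two runs in the same filesystem would clobber each other. Use a private temp file instead: `tmpfile=$(mktemp)` before the first `sed -n`, `"$tmpfile"` in place of `/tmp/output.txt`, and `rm -f "$tmpfile"` where the next hunk removes it. This statement run continues into the next hunk.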
@@ -182,5 +177,17 @@ sed -i '//d' $sps_home/proxy-engine/conf/server.conf sed -i -e '// r /tmp/output.txt' $sps_home/proxy-engine/conf/server.conf rm -rf /tmp/output.txt -echo "Starting sps service ..." +cp $WAConf_file $sps_home/proxy-engine/conf/webservicesagent/WebAgent.conf + +echo "[*][$(date +"%T")] - Running dbutil..." +$ARCOT_HOME/bin/dbutil -init $admin_reg_pswd +$ARCOT_HOME/bin/dbutil -pi CAAdvancedAuthDSN $admin_reg_pswd +$ARCOT_HOME/bin/dbutil -pi admin $admin_reg_pswd $admnin_reg_pswd + +echo "[*][$(date +"%T")] - Running smreghost..." +# Waiting for the Policy Server service to be ready to register a new trusted host +register_trusted_host +cp $sm_host_file $ARCOT_HOME/conf/SmHostFlow.conf + +echo "[*][$(date +"%T")] - Starting Secure Proxy Server service ..." $sps_home/proxy-engine/sps-ctl start diff --git a/base/admin-ui/data/configuration.properties b/base/admin-ui/data/configuration.properties index 38c133f..920cc45 100644 --- a/base/admin-ui/data/configuration.properties +++ b/base/admin-ui/data/configuration.properties @@ -1,6 +1,5 @@ -PS_HOST=policy-server +PS_HOST=policy-server-master PS_USERNAME=siteminder - PS_PASSWORD=Q0FkZW1vMTIz diff --git a/base/admin-ui/init.d/03_ps_register.sh b/base/admin-ui/init.d/03_ps_register.sh index 8d95398..1df730c 100644 --- a/base/admin-ui/init.d/03_ps_register.sh +++ b/base/admin-ui/init.d/03_ps_register.sh @@ -1,6 +1,14 @@ -#!/bin/sh +#!/bin/bash +# 03_ps_register - This script registers the Admin UI against the Policy Server. + +##### Constants PROP_FILE=/solution/$CONFIG/data/configuration.properties +JBOSS_AVAILABILITY_TIME_OUT=500 +POLICYSERVER_AVAILABILITY_TIME_OUT=1000 +ADMINUI_RESIGTRATION_TIME_OUT=1000 +LOGFILE=${JBOSS_HOME}/bin/nohup.out +JBOSS_STARTED_STRING="CA IAM FW Startup Sequence Complete" ps_host=`/opt/util/parser.sh PS_HOST $PROP_FILE` ps_user=`/opt/util/parser.sh PS_USERNAME $PROP_FILE` 
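Review bot: `$ARCOT_HOME/bin/dbutil -pi admin $admin_reg_pswd $admnin_reg_pswd` carries a typo in the second variable, so `$admnin_reg_pswd` expands to nothing and dbutil receives a single password argument; the line was moved here verbatim from the earlier hunk, bringing the bug with it. Change it to `$ARCOT_HOME/bin/dbutil -pi admin $admin_reg_pswd $admin_reg_pswd` if the second argument is meant to be the confirmation of the same value, or confirm the intended argument against dbutil's usage, since the old code had the same typo. None of the three dbutil calls checks its exit status, and the smreghost step and the SmHostFlow.conf copy depend on them, so a `|| exit 1` on each would fail fast instead of starting SPS half-configured. The duplicated `# Waiting for the Policy Server ...` comment above `register_trusted_host` repeats the function's own header and can go.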
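Review bot: `ADMINUI_RESIGTRATION_TIME_OUT` is misspelled; it is used consistently in the next hunk so nothing breaks, but rename it to `ADMINUI_REGISTRATION_TIME_OUT` in both places before it spreads. The switch from `#!/bin/sh` to `#!/bin/bash` is not cosmetic here because the next hunk relies on the bash-only `/dev/tcp` pseudo-device, which deserves a one-line comment next to the shebang. `LOGFILE=${JBOSS_HOME}/bin/nohup.out` assumes JBOSS_HOME is present in the container environment rather than read from the properties file like the other values; a comment saying where it comes from would help the next reader.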
@@ -8,66 +16,87 @@ ps_password=`/opt/util/parser.sh PS_PASSWORD $PROP_FILE` ps_password=`/solution/$CONFIG/../common/password-util/passwordDecode.sh $ps_password` -adminui_registration() { - echo "Running admin ui registration command" - - TIME_OUT=1000 - i=0 - echo "Logging in to WAMUI" - TYPE="Content-Type: application/x-www-form-urlencoded" - ACCEPT="Accept: text/html" - - while true; do - if [ "$i" -gt "$TIME_OUT" ]; then - echo "Timeout reached attempting to register admin ui" + +##### Functions +waiting_for_policyserver() { + + echo "[*][$(date +"%T")] - Checking if the policy server is up and running..." + STARTTIME=$(date +%s) + # Waiting for the Policy Server service to be ready + while true; do + if [ "$(($CURRTIME - $STARTTIME))" -gt "$POLICYSERVER_AVAILABILITY_TIME_OUT" ]; then + echo "[*][$(date +"%T")] - A timeout was reached ($POLICYSERVER_AVAILABILITY_TIME_OUT seconds) while waiting for the policy server to be available." exit 1 fi - - /usr/bin/curl -s -H "Host: admin-ui" -H "$ACCEPT" -H "$TYPE" -X POST "admin-ui/iam/siteminder/adminui" -d "username=$ps_user&password=$ps_password&address=$ps_host" | grep -q "Error" - if [ $? -eq 0 ]; then - echo "unable to register adminui...." - i=`expr $i + 10` - echo "Sleeping for 10 secs and re trying.........." - echo $i - sleep 10 - else - echo "adminui registration successful" - echo $i - retval=0 - break - fi - done - - echo "Finished running admin ui registration command.." + + cat < /dev/tcp/policy-server-master/44443| grep -q "Connection timed out" #If not available will timeout with: bash: connect: Connection timed out. "curl http://policy-server-master:44443" can also be used. + + if [ $? -ne 0 ]; then + echo "[*][$(date +"%T")] - Policy server is up and running." + sleep 2 #let's wait a little bit longer, just in case. + retval=0 + break + else + echo "[*][$(date +"%T")] - Unable to connect to the policy server. Waiting for the policy-server to be available ($(($CURRTIME - $STARTTIME))).........." 
+ sleep 10 + CURRTIME=$(date +%s) + fi + done } - TIME_OUT=500 - j=0 - LOGFILE=${JBOSS_HOME}/bin/nohup.out +adminui_registration() { + echo "[*][$(date +"%T")] - Running Admin UI registration command" - while [ -f "$LOGFILE" ]; do - if [ "$j" -gt "$TIME_OUT" ]; then - echo "Timeout reached waiting for jboss to start" + STARTTIME=$(date +%s) + TYPE="Content-Type: application/x-www-form-urlencoded" + ACCEPT="Accept: text/html" + + while true; do + if [ "$(($CURRTIME - $STARTTIME))" -gt "$ADMINUI_RESIGTRATION_TIME_OUT" ]; then + echo "[*][$(date +"%T")] - A timeout was reached ($ADMINUI_RESIGTRATION_TIME_OUT seconds) while attempting to register Admin UI." exit 1 fi - /bin/grep "CA IAM FW Startup Sequence Complete" "$LOGFILE" - if [ $? -eq 0 ]; then - echo "jboss started successfully" - retval=0 - break - else - echo "Jboss haven't started yet" - j=`expr $j + 10` - echo "Sleeping for 10 secs and checking for jboss.........." - sleep 10 - fi - done - -adminui_registration + /usr/bin/curl -s -H "Host: admin-ui" -H "$ACCEPT" -H "$TYPE" -X POST "admin-ui/iam/siteminder/adminui" -d "username=$ps_user&password=$ps_password&address=$ps_host" | grep -q "Error" + if [ $? -eq 0 ]; then + echo "[*][$(date +"%T")] - Unable to register Admin UI. Will try again in 10 seconds(($(($CURRTIME - $STARTTIME)))).........." + sleep 10 + CURRTIME=$(date +%s) + else + echo "[*][$(date +"%T")] - AdminUI registration completed successfully." + retval=0 + break + fi + done +} -tail -f /dev/null +waiting_for_jboss() +{ + j=0 + while [ -f "$LOGFILE" ]; do + if [ "$j" -gt "$JBOSS_AVAILABILITY_TIME_OUT" ]; then + echo "[*][$(date +"%T")] - A timeout was reached ($POLICYSERVER_AVAILABILITY_TIME_OUT seconds) while waiting for the JBoss to start." + exit 1 + fi + /bin/grep "$JBOSS_STARTED_STRING" "$LOGFILE" + if [ $? -eq 0 ]; then + echo "[*][$(date +"%T")] - JBoss started successfully." + retval=0 + break + else + echo "[*][$(date +"%T")] - JBoss did not start yet. 
Waiting for JBoss to start ($j).........." + j=`expr $j + 10` + sleep 10 + fi + done +} +##### Main +waiting_for_jboss +waiting_for_policyserver +adminui_registration + +tail -f /dev/null diff --git a/base/policy-server/data/environment.properties b/base/policy-server/data/environment.properties index 9e73721..29fd9a9 100644 --- a/base/policy-server/data/environment.properties +++ b/base/policy-server/data/environment.properties @@ -1,4 +1,3 @@ - #policys tore type POLICYSTORE_TYPE=LDAP @@ -13,7 +12,6 @@ POLICY_STORE_ROOT_DN=o=sso #policy.store.user POLICY_STORE_USER_DN=cn=Administrator,o=sso - POLICY_STORE_USER_PASSWORD=Q0FkZW1vMTIz #policy.store.ssl diff --git a/base/policy-server/init.d/02_setconfig.sh b/base/policy-server/init.d/02_setconfig.sh index d48c4fd..fbc6cad 100644 --- a/base/policy-server/init.d/02_setconfig.sh +++ b/base/policy-server/init.d/02_setconfig.sh @@ -2,9 +2,10 @@ echo "[*] Set configuration files: starting" -mv "/opt/CA/siteminder/lib/libsmaps_rename4aps.so" "/opt/CA/siteminder/lib/libsmaps.so" +# Using Basic Password Services (instead of APS). +#mv "/opt/CA/siteminder/lib/libsmaps_rename4aps.so" "/opt/CA/siteminder/lib/libsmaps.so" -mkdir -p /opt/CA/siteminder/bin/Mail -cp -r /opt/CA/siteminder/samples/APS_Mail_Files/* /opt/CA/siteminder/bin/Mail/ +#mkdir -p /opt/CA/siteminder/bin/Mail +#cp -r /opt/CA/siteminder/samples/APS_Mail_Files/* /opt/CA/siteminder/bin/Mail/ echo "[*] Set configuration files: complete" diff --git a/base/policy-server/init.d/03_set_registry_entries.sh b/base/policy-server/init.d/03_set_registry_entries.sh index 6e96d30..de1a7b9 100644 --- a/base/policy-server/init.d/03_set_registry_entries.sh +++ b/base/policy-server/init.d/03_set_registry_entries.sh 
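Review bot: The readiness probe in `waiting_for_policyserver`, `cat < /dev/tcp/policy-server-master/44443| grep -q "Connection timed out"`, cannot work as written: bash reports a failed connect on stderr, which the pipe never delivers to grep, so `$?` is grep's status, the `-ne 0` branch declares the policy server up on the first failed attempt, and when the connect does succeed `cat` blocks until the server closes the socket. Replace that line and the following `if [ $? -ne 0 ]; then` with `if (exec 3<>/dev/tcp/$ps_host/44443) 2>/dev/null; then`, which returns non-zero on a refused or timed-out connect and releases the descriptor when the subshell exits, and use `$ps_host` instead of the hard-coded `policy-server-master` so the probe follows PS_HOST from configuration.properties. `CURRTIME` is read in both loops' timeout arithmetic before anything assigns it, so add `CURRTIME=$STARTTIME` after each `STARTTIME=$(date +%s)`. The timeout message in `waiting_for_jboss` prints `$POLICYSERVER_AVAILABILITY_TIME_OUT` where `$JBOSS_AVAILABILITY_TIME_OUT` is meant. `adminui_registration` still treats any response that lacks the word `Error`, including the empty output of a curl that could not connect, as success, so check curl's own status (`--fail` plus `${PIPESTATUS[0]}`) before trusting the grep.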
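Review bot: The APS lines are commented out rather than removed; the added comment `# Using Basic Password Services (instead of APS).` already records the decision and the original lines stay in history, so delete the three commented commands instead of leaving dead code in the init script. If the intent is to make APS switchable later, express it as a property (an `ENABLE_APS` key in environment.properties read through `/opt/util/parser.sh` like the other settings) and guard the block with an `if`, rather than expecting someone to uncomment it by hand.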
@@ -1,10 +1,19 @@ #!/bin/bash -echo "[*] Create default objects: starting" +# 03_set_registry_entries - This script initializes the Policy Server configuration files. +# If this script runs on a master policy server, it will initialize the policy store (in case it's not already initialized). +# If this script runs on a worker policy server, it will wait for the policy store to be initialized before starting. +##### Constants +POLICY_STORE_VERSION="r12.52 sp1" +POLICY_STORE_VERIFICATION_ATTRIBUTE=CA.SM::AuthScheme.SupportsValidateIdentity ENV_PROP_FILE=/solution/$CONFIG/data/environment.properties OBJECT_FILE=/solution/$CONFIG/object/SMPS_Objects.xml +STORE_AVAILABILITY_TIME_OUT=500 +STORE_INITIALIZATION_TIME_OUT=600 + +echo "[*][$(date +"%T")] - Create default objects: starting" ps_home=`/opt/util/parser.sh nete_ps_root $ENV_PROP_FILE` shared_key=`/opt/util/parser.sh nete_shared_key $ENV_PROP_FILE` ldap_ip=`/opt/util/parser.sh POLICY_STORE_HOST $ENV_PROP_FILE` @@ -16,6 +25,9 @@ ldap_ssl=`/opt/util/parser.sh POLICY_STORE_SSL_ENABLED $ENV_PROP_FILE` ldap_fips_mode=`/opt/util/parser.sh nete_fips_mode $ENV_PROP_FILE` su_password=`/opt/util/parser.sh nete_su_password $ENV_PROP_FILE` +POLICY_STORE_INITIALIZATION_COMPLETE_INDICATOR="ou=SSOInitialized" +POLICY_STORE_INITIALIZATION_COMPLETE_INDICATOR_DN="$POLICY_STORE_INITIALIZATION_COMPLETE_INDICATOR, $ldap_rootdn" + #decrypted using ../password-util/passwordDecode.sh su_password=`/solution/$CONFIG/../common/password-util/passwordDecode.sh $su_password` shared_key=`/solution/$CONFIG/../common/password-util/passwordDecode.sh $shared_key` 
@@ -23,93 +35,145 @@ ldap_password=`/solution/$CONFIG/../common/password-util/passwordDecode.sh $ldap set CA_SM_PS_FIPS140=$ldap_fips_mode +##### Functions + +wait_for_policy_store_to_start() +{ + i=0 + # Waiting for the Policy Store service to be ready + while true; do + if [ "$i" -gt "$STORE_AVAILABILITY_TIME_OUT" ]; then + echo "[*][$(date +"%T")] - A timeout was reached ($STORE_AVAILABILITY_TIME_OUT seconds) while waiting for the policy store to be available." + exit 1 + fi + + $NETE_PS_ROOT/bin/smldapsetup status | grep -q "Error" + if [ $? -ne 0 ]; then + echo "[*][$(date +"%T")] - Policy store is up and running." + retval=0 + break + else + echo "[*][$(date +"%T")] - Unable to connect to the policy store. Waiting for the policy-store to be available ($i).........." + i=`expr $i + 10` + sleep 10 + fi + done +} + +initialize_policy_store() +{ + echo "[*][$(date +"%T")] - Initializing policy store:" + echo "[*][$(date +"%T")] - Setting SiteMinder's super user password." + + /opt/CA/tmp/smreg -su $su_password + + #echo "[*][$(date +"%T")] - Finished set super user password" + echo "[*][$(date +"%T")] - Starting XPSDDinstall" + + $NETE_PS_ROOT/bin/XPSDDInstall $NETE_PS_ROOT/xps/dd/SmMaster.xdd + + echo "[*][$(date +"%T")] - FinishedXPSDDInstall" + + echo "[*][$(date +"%T")] - Starting import default objects" + + $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/smpolicy.xml -npass + $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/ampolicy.xml -npass + $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/fedpolicy-12.5.xml -npass + $NETE_PS_ROOT/bin/XPSImport $OBJECT_FILE -npass + $NETE_PS_ROOT/bin/XPSImport /solution/$CONFIG/object/proxyui_objects.xml -npass + + echo "[*][$(date +"%T")] - Finished import default objects" + + echo "[*][$(date +"%T")] - Starting XPS Reg client" + + $NETE_PS_ROOT/bin/XPSRegClient siteminder:$su_password -adminui-setup -t 1440 + + echo "[*][$(date +"%T")] - Finished XPS Reg client..." 
+ + #Creating an indicator object in the store to mark the completion of store initialization + echo version: 1 >SSOInitialized.ldif + echo dn: $POLICY_STORE_INITIALIZATION_COMPLETE_INDICATOR_DN >>SSOInitialized.ldif + echo objectClass: organizationalUnit >>SSOInitialized.ldif + echo objectClass: top >>SSOInitialized.ldif + echo ou: SSOInitialized >>SSOInitialized.ldif + echo description: SSO version $POLICY_STORE_VERSION >>SSOInitialized.ldif + smldapmodify -h $ldap_ip -p $ldap_port -D $ldap_userdn -w $ldap_password -a -f SSOInitialized.ldif + echo "[*][$(date +"%T")] - Policy Store initialization completed" +} + +wait_for_policy_store_to_be_initialized() +{ + i=0 + echo "[*][$(date +"%T")] - Waiting for the Policy Store to be initialized by the Master Policy Server" + while true; do + if [ "$i" -gt "$STORE_INITIALIZATION_TIME_OUT" ]; then + echo "[*][$(date +"%T")] - A timeout was reached ($STORE_AVAILABILITY_TIME_OUT seconds) while waiting for the policy store to be initialized." + exit 1 + fi + ldapsearch -b "$POLICY_STORE_INITIALIZATION_COMPLETE_INDICATOR_DN" -h $ldap_ip -p $ldap_port -D $ldap_userdn -w $ldap_password -R -1 -s base "objectClass=*" description 2>/dev/null + if [ $? -eq 0 ]; then + echo "[*][$(date +"%T")] - Policy store is initialized and ready." + retval=0 + break + else + echo "[*][$(date +"%T")] - Waiting for the policy store to be initialized ($i)...." 
+ i=`expr $i + 10` + sleep 10 + fi + done + } + + ##### Main source $NETE_PS_ROOT/ca_ps_env.ksh -echo "[*] Starting smreg operations" - +echo "[*][$(date +"%T")] - Starting smreg operations" /opt/CA/tmp/smreg LoadRegKeys "$ps_home" "" "EN" /opt/CA/tmp/smreg TestCryptoConfig "$shared_key" "0" "" "" "" /opt/CA/tmp/smreg SetCryptoConfig "$shared_key" "0" "" "" "" /opt/CA/tmp/smreg $DASH_PIN$ LoadInstallKey -123 /opt/CA/tmp/smreg -key $shared_key - -echo "[*] Finished executing smreg" - -echo "[*] Starting smldapsetup" - -echo "NETE_PS_ROOT=$NETE_PS_ROOT" -echo "CAPKIHOME=$CAPKIHOME" -echo "POLICY_STORE_HOST=$ldap_ip" -echo "POLICY_STORE_PORT=$ldap_port" -echo "POLICY_STORE_USER_DN=$ldap_userdn" -echo "POLICY_STORE_ROOT_DN=$ldap_rootdn" +echo "[*][$(date +"%T")] - Finished executing smreg" + +echo "[*][$(date +"%T")] - Configure Policy Server to point at the policy store." +cat << _EOM_ + NETE_PS_ROOT=$NETE_PS_ROOT + CAPKIHOME=$CAPKIHOME + POLICY_STORE_HOST=$ldap_ip + POLICY_STORE_PORT=$ldap_port + POLICY_STORE_USER_DN=$ldap_userdn + POLICY_STORE_ROOT_DN=$ldap_rootdn +_EOM_ $NETE_PS_ROOT/bin/smldapsetup switch - $NETE_PS_ROOT/bin/smldapsetup reg -h$ldap_ip -p$ldap_port -d$ldap_userdn -w$ldap_password -r$ldap_rootdn -ssl$ldap_ssl -echo "[*] Finished smldapsetup" - -TIME_OUT=500 -i=0 +echo "[*][$(date +"%T")] - Checking if the policy store is up and running..." +wait_for_policy_store_to_start -while true; do - if [ "$i" -gt "$TIME_OUT" ]; then - exit 1 - fi - - $NETE_PS_ROOT/bin/smldapsetup status | grep -q "Error" +echo "[*][$(date +"%T")] - Policy Server is running as $ROLE." +if [ "$ROLE" == "master" ]; then + #Checking whether the scheme is of the right version by checking the existence of a certain attribute + echo r> replay.cmd + echo $POLICY_STORE_VERIFICATION_ATTRIBUTE>> replay.cmd + $NETE_PS_ROOT/bin/XPSDictionary /dev/null | grep "matched" if [ $? -ne 0 ]; then - echo "Policy store is ready..." 
- retval=0 - break + echo "[*][$(date +"%T")] - Policy store is not initialized or does not run an updated schema." + initialize_policy_store else - echo "Unable to contact policy store...." - i=`expr $i + 10` - echo "Sleeping for 10 secs and re trying.........." - sleep 10 + echo "[*][$(date +"%T")] - Policy store is initialized and running with the latest schema" fi -done - -echo "[*] Starting set super user password" -/opt/CA/tmp/smreg -su $su_password - -echo "[*] Finished set super user password" - -echo CA.SM::AuthScheme> replay.cmd - -echo A>> replay.cmd - -XPSExplorer < replay.cmd 2>/dev/null | grep SupportsValidateIdentity - if [ $? -ne 0 ]; then - echo "[*] Starting XPSDDinstall" - # TODO: Do not import schema if it is already there - - $NETE_PS_ROOT/bin/XPSDDInstall $NETE_PS_ROOT/xps/dd/SmMaster.xdd - - echo "[*] FinishedXPSDDInstall" - - echo "[*] Starting import default objects" - # TODO: Do not import data if it is already there - - $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/smpolicy.xml -npass - - $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/ampolicy.xml -npass - - $NETE_PS_ROOT/bin/XPSImport $NETE_PS_ROOT/db/fedpolicy-12.5.xml -npass - - $NETE_PS_ROOT/bin/XPSImport $OBJECT_FILE -npass - - $NETE_PS_ROOT/bin/XPSImport /solution/$CONFIG/object/proxyui_objects.xml -npass - - echo "[*] Finished import default objects" - fi - - -echo "[*] Starting XPS Reg client" - -$NETE_PS_ROOT/bin/XPSRegClient siteminder:$su_password -adminui-setup -t 1440 - -echo "[*] Finished XPS Reg client..." +else #Worker Policy Server will wait for the Policy Store to be initialized by the "Master Policy Server" + wait_for_policy_store_to_be_initialized + echo SM > replay.cmd + echo CA.SM::\$EnableKeyGeneration >> replay.cmd + + $NETE_PS_ROOT/bin/XPSConfig /dev/null |grep -A 20 -F "PARAMETER MENU***********************************CA.SM::$EnableKeyGeneration" |grep "Current Value: [ \t]* \"TRUE\"" + if [ $? 
-eq 0 ]; then + echo "[*][$(date +"%T")] - Configuring Policy Server not to generate agent keys." + echo C >>replay.cmd + $NETE_PS_ROOT/bin/XPSConfig /dev/null |grep -A 20 -F "PARAMETER MENU***********************************CA.SM::$EnableKeyGeneration" |grep "Pending Value: [ \t]* \"FALSE\"" + else + echo "[*][$(date +"%T")] - Policy Server is set not to generate agent keys." + fi +fi -echo "[*] Create default objects: complete" diff --git a/base/policy-server/init.d/04_start_policy_server.sh b/base/policy-server/init.d/04_start_policy_server.sh index 54e7ab7..7940b47 100644 --- a/base/policy-server/init.d/04_start_policy_server.sh +++ b/base/policy-server/init.d/04_start_policy_server.sh @@ -1,5 +1,5 @@ echo "[*] Starting policy server" -$NETE_PS_ROOT/start-all +$NETE_PS_ROOT/start-ps echo "[*] Finished starting policy server" diff --git a/sso-12-52-01-ga.json b/sso-12-52-01-ga.json index 1aaa288..78e5f5c 100644 --- a/sso-12-52-01-ga.json +++ b/sso-12-52-01-ga.json @@ -39,6 +39,10 @@ "containers": [ { "env": [ + { + "name": "SOURCE", + "value": "${SOLUTION_CONFIGURATION}" + }, { "name": "GITHUB_TOKEN", "value": "${OAUTH_TOKEN}" @@ -46,10 +50,6 @@ { "name": "DESTINATION", "value": "/solution" - }, - { - "name": "SOURCE", - "value": "${SOLUTION_CONFIGURATION}" } ], "image": "store.vapp-security.solutions/vapp/sidecar-configsvc:latest", @@ -69,7 +69,6 @@ } ], "image": "store.vapp-security.solutions/ssignon/access-gateway:12.52.01.ga", - "imagePullPolicy": "Always", "name": "access-gateway", "ports": [ { @@ -124,6 +123,10 @@ "containers": [ { "env": [ + { + "name": "SOURCE", + "value": "${SOLUTION_CONFIGURATION}" + }, { "name": "GITHUB_TOKEN", "value": "${OAUTH_TOKEN}" @@ -131,10 +134,6 @@ { "name": "DESTINATION", "value": "/solution" - }, - { - "name": "SOURCE", - "value": "${SOLUTION_CONFIGURATION}" } ], "image": "store.vapp-security.solutions/vapp/sidecar-configsvc:latest", 
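Review bot: Dropping `"imagePullPolicy": "Always"` from the access-gateway container (hunk `@@ -69,7 +69,6 @@`) leaves the fixed `12.52.01.ga` tag on Kubernetes' default policy, which for a non-`latest` tag is IfNotPresent, so a node that already holds an image cached under that tag keeps running it even after the tag is re-pushed in the registry; only the `sidecar-configsvc:latest` container keeps always-pull behaviour, by virtue of its tag. If reproducible deployments are the goal, pin the image by digest (`"image": "store.vapp-security.solutions/ssignon/access-gateway@sha256:<DIGEST>"`) instead of relying on a mutable tag; if the goal is to keep picking up re-pushed tags, the explicit policy should stay. The same removal appears for admin-ui (`@@ -154,7 +153,6 @@`) and the worker policy-server container (`@@ -230,10 +326,13 @@`), and the new master policy-server container is added without a policy at all.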
@@ -154,7 +153,6 @@ } ], "image": "store.vapp-security.solutions/ssignon/admin-ui:12.52.01.ga", - "imagePullPolicy": "Always", "name": "admin-ui", "ports": [ { @@ -185,24 +183,30 @@ "apiVersion": "v1", "kind": "ReplicationController", "metadata": { - "name": "policy-server" + "name": "policy-server-master" }, "spec": { "replicas": 1, "selector": { - "ca.com/sso": "policy-server" + "ca.com/sso": "policy-server", + "ca.com/sso-server-role": "master" }, "template": { "metadata": { "labels": { - "ca.com/sso": "policy-server" + "ca.com/sso": "policy-server", + "ca.com/sso-server-role": "master" }, - "name": "policy-server" + "name": "policy-server-master" }, "spec": { "containers": [ { "env": [ + { + "name": "SOURCE", + "value": "${SOLUTION_CONFIGURATION}" + }, { "name": "GITHUB_TOKEN", "value": "${OAUTH_TOKEN}" 
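Review bot: Renaming the existing controller to `policy-server-master` while the old name `policy-server` is reused for the worker controller with a narrower selector (hunk `@@ -185,24 +183,30 @@` here, worker in the next hunk) means that, if I read the selectors right, a pod created by the previous `policy-server` controller carries no `ca.com/sso-server-role` label and is matched by neither new controller on upgrade, so it would keep running untouched next to the new master and worker pods. Either document the migration step (delete the old controller and its pod before applying this file) in README, or choose a fresh name for the worker controller so the stale object is obvious. A cluster deployed from scratch is unaffected.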
@@ -210,10 +214,102 @@ { "name": "DESTINATION", "value": "/solution" + } + ], + "image": "store.vapp-security.solutions/vapp/sidecar-configsvc:latest", + "name": "configuration", + "volumeMounts": [ + { + "mountPath": "/solution", + "name": "configuration" + } + ] + }, + { + "env": [ + { + "name": "CONFIG", + "value": "base/policy-server" }, + { + "name": "ROLE", + "value": "master" + } + ], + "image": "store.vapp-security.solutions/ssignon/policy-server:12.52.01.ga", + "name": "policy-server", + "ports": [ + { + "containerPort": 44441 + }, + { + "containerPort": 44442 + }, + { + "containerPort": 44443 + } + ], + "readinessProbe": { + "tcpSocket": { + "port": 44443 + }, + "initialDelaySeconds": 20 + }, + "volumeMounts": [ + { + "mountPath": "/solution", + "name": "configuration" + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "restartPolicy": "Always", + "volumes": [ + { + "name": "configuration", + "emptyDir": {} + } + ] + } + } + } + }, + { + "apiVersion": "v1", + "kind": "ReplicationController", + "metadata": { + "name": "policy-server" + }, + "spec": { + "replicas": 1, + "selector": { + "ca.com/sso": "policy-server", + "ca.com/sso-server-role": "worker" + }, + "template": { + "metadata": { + "labels": { + "ca.com/sso": "policy-server", + "ca.com/sso-server-role": "worker" + }, + "name": "policy-server" + }, + "spec": { + "containers": [ + { + "env": [ { "name": "SOURCE", "value": "${SOLUTION_CONFIGURATION}" + }, + { + "name": "GITHUB_TOKEN", + "value": "${OAUTH_TOKEN}" + }, + { + "name": "DESTINATION", + "value": "/solution" } ], "image": "store.vapp-security.solutions/vapp/sidecar-configsvc:latest", @@ -230,10 +326,13 @@ { "name": "CONFIG", "value": "base/policy-server" + }, + { + "name": "ROLE", + "value": "worker" } ], "image": "store.vapp-security.solutions/ssignon/policy-server:12.52.01.ga", - "imagePullPolicy": "Always", "name": "policy-server", "ports": [ { 
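Review bot: The new worker controller's sidecar env (hunk `@@ -210,10 +214,102 @@`) passes the token as a literal environment value, `"name": "GITHUB_TOKEN", "value": "${OAUTH_TOKEN}"`, so after substitution it sits in the rendered manifest, in the stored controller object (visible to anyone who can read replication controllers) and in the pod's environment. Prefer keeping it in a Secret and referencing it from here (a mounted Secret volume, or `valueFrom.secretKeyRef` where the cluster version supports it) so the manifest itself carries no credential. The same literal appears as context in the other four sidecar env blocks of this file, so the change would apply to all of them at once.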
@@ -294,6 +393,10 @@ "containers": [ { "env": [ + { + "name": "SOURCE", + "value": "${SOLUTION_CONFIGURATION}" + }, { "name": "GITHUB_TOKEN", "value": "${OAUTH_TOKEN}" @@ -301,10 +404,6 @@ { "name": "DESTINATION", "value": "/solution" - }, - { - "name": "SOURCE", - "value": "${SOLUTION_CONFIGURATION}" } ], "image": "store.vapp-security.solutions/vapp/sidecar-configsvc:latest", @@ -506,7 +605,7 @@ "labels": { "ca.com/cluster-public-service": "tcp" }, - "name": "policy-server" + "name": "policy-server-master" }, "spec": { "ports": [ @@ -527,10 +626,43 @@ } ], "selector": { - "ca.com/sso": "policy-server" + "ca.com/sso": "policy-server", + "ca.com/sso-server-role": "master" } + } + }, + { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "labels": { + "ca.com/cluster-public-service": "tcp" + }, + "name": "policy-server" }, - "type": "NodePort" + "spec": { + "ports": [ + { + "name": "accnt", + "port": 44441, + "targetPort": 44441 + }, + { + "name": "authn", + "port": 44442, + "targetPort": 44442 + }, + { + "name": "az", + "port": 44443, + "targetPort": 44443 + } + ], + "selector": { + "ca.com/sso": "policy-server" + }, + "type": "NodePort" + } }, { "apiVersion": "v1",
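Review bot: The new `policy-server` Service (hunk `@@ -527,10 +626,43 @@`) selects on `"ca.com/sso": "policy-server"` alone, and the master pod now carries that label too (its template adds `ca.com/sso-server-role: master` alongside it), so the NodePort endpoint set will include the master as well as the workers, whereas the `policy-server-master` Service is narrowed by role. If the NodePort is meant to front workers only, mirror the master service and add `"ca.com/sso-server-role": "worker"` to the selector; if serving from both is intended, a sentence in README would spare the next reader the same question. Note that `"type": "NodePort"` binds 44441–44443 on every node in the cluster, a wider exposure than the master's ClusterIP-only service, which is presumably what the commit subject intends.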