From 79a14e15adf11987554336d80fc503293509e5ef Mon Sep 17 00:00:00 2001 From: Finn Stutzenstein Date: Thu, 8 Apr 2021 08:54:10 +0200 Subject: [PATCH] OS4 productive setup changes Now uses secrets and add the possibility to enable electronic voting --- .gitignore | 4 ++-- docker/.env | 4 ++++ docker/docker-compose.yml.m4 | 34 +++++++++++++++++++++++----------- docker/docker-stack.yml.m4 | 31 ++++++++++++++++++++----------- docker/setup-prod.sh | 11 ++++++----- openslides-auth-service | 2 +- openslides-autoupdate-service | 2 +- openslides-backend | 2 +- openslides-datastore-service | 2 +- openslides-manage-service | 2 +- openslides-permission-service | 2 +- 11 files changed, 61 insertions(+), 35 deletions(-) diff --git a/.gitignore b/.gitignore index f1c7b58e2..d0919cb16 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,8 @@ dev-commands/export.json # Deployment /docker/docker-compose.yml /docker/docker-stack.yml +/docker/secrets/auth_*_key +docker/secrets/*.env # Old OS3 files and folders .coverage @@ -36,7 +38,5 @@ tests .vscode/ package-lock.json server/ -docker/keys -docker/secrets/*.env # OS3+-Submodules /autoupdate/ diff --git a/docker/.env b/docker/.env index 880256be8..3e9539846 100644 --- a/docker/.env +++ b/docker/.env @@ -22,6 +22,10 @@ DOCKER_OPENSLIDES_BACKEND_TAG= DOCKER_OPENSLIDES_FRONTEND_NAME= DOCKER_OPENSLIDES_FRONTEND_TAG= +# Configuration +# ------------- +ENABLE_ELECTRONIC_VOTING= + # Service Replication # ------------------- # TODO!! diff --git a/docker/docker-compose.yml.m4 b/docker/docker-compose.yml.m4 index af9ac0d54..d7a3b0646 100644 --- a/docker/docker-compose.yml.m4 +++ b/docker/docker-compose.yml.m4 @@ -91,12 +91,12 @@ services: - datastore-reader - datastore-writer env_file: services.env - environment: - - AUTH_TOKEN_KEY=test123 - - AUTH_COOKIE_KEY=test123 networks: - frontend - backend + secrets: + - auth_token_key + - auth_cookie_key datastore-reader: image: DATASTORE_READER_IMAGE 
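Review bot: The new `ENABLE_ELECTRONIC_VOTING=` entry in the docker/.env hunk says nothing about which values it accepts, so an operator is left to guess between `1`, `true` and `yes`. The value is passed verbatim into `manage-setup` through the m4 `ifenvelse` in both templates, so the accepted spelling is defined by the manage service and should be stated next to the variable, e.g. `# ENABLE_ELECTRONIC_VOTING: set to the value expected by manage-setup (see its entrypoint) to enable electronic voting; leave empty for the default, presumably disabled`. Because .env is sourced as shell by setup-prod.sh, the comment should also note that the value must stay shell-safe (no spaces or unquoted special characters).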
@@ -141,13 +141,13 @@ services: - datastore-reader - message-bus env_file: services.env - environment: - - AUTH_KEY_TOKEN=test123 - - AUTH_KEY_COOKIE=test123 networks: - frontend - backend - message-bus + secrets: + - auth_token_key + - auth_cookie_key auth: image: AUTH_IMAGE @@ -156,14 +156,14 @@ services: - message-bus - cache env_file: services.env - environment: - - AUTH_TOKEN_KEY=test123 - - AUTH_COOKIE_KEY=test123 networks: - datastore-reader - frontend - message-bus - auth + secrets: + - auth_token_key + - auth_cookie_key cache: image: redis:latest @@ -196,14 +196,22 @@ services: - backend - auth + # TODO: Remove depenencies to auth and datastore in "depends_on" and "networks" + # Should be doable when the manage service is fixed manage-setup: image: MANAGE_IMAGE entrypoint: /root/entrypoint-setup depends_on: - manage + - auth + - datastore-writer + - datastore-reader env_file: services.env + environment: + ENABLE_ELECTRONIC_VOTING: "ifenvelse(`ENABLE_ELECTRONIC_VOTING',)" networks: - backend + - auth ifelse(ADMIN_SECRET_AVAILABLE, 0,secrets: - admin) @@ -233,6 +241,10 @@ networks: auth: internal: true -ifelse(ADMIN_SECRET_AVAILABLE, 0,secrets: - admin: +secrets: + auth_token_key: + file: ./secrets/auth_token_key + auth_cookie_key: + file: ./secrets/auth_cookie_key + ifelse(ADMIN_SECRET_AVAILABLE, 0,admin: file: ./secrets/admin.env) diff --git a/docker/docker-stack.yml.m4 b/docker/docker-stack.yml.m4 index 60de1e15d..9c7528c5f 100644 --- a/docker/docker-stack.yml.m4 +++ b/docker/docker-stack.yml.m4 @@ -89,9 +89,6 @@ services: backend: image: BACKEND_IMAGE env_file: services.env - environment: - - AUTH_TOKEN_KEY=test123 - - AUTH_COOKIE_KEY=test123 networks: - frontend - backend @@ -100,6 +97,9 @@ services: condition: on-failure delay: 5s replicas: ifenvelse(`OPENSLIDES_BACKEND_REPLICAS', 1) + secrets: + - auth_token_key + - auth_cookie_key datastore-reader: image: DATASTORE_READER_IMAGE 
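Review bot: The TODO comment added above `manage-setup` in docker-compose.yml.m4 misspells `depenencies`, and the matching comment in the docker-stack.yml.m4 hunk at `@@ -221,12 +221,17 @@` misspells `depenency`; `# TODO: Remove dependencies to auth and datastore in "depends_on" and "networks"` and `# TODO: Remove dependency to auth in "networks"` read correctly. Since these comments are the only justification for attaching the setup container to the `auth` network (and, in the compose file, to three extra services), it would help to name which manage-service fix lifts that need, so the wider network attachment is dropped later rather than forgotten. The `ENABLE_ELECTRONIC_VOTING` mapping expands to an empty string when the variable is unset in .env; presumably the manage service treats that as disabled, which is worth confirming against its entrypoint.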
@@ -149,9 +149,6 @@ services: autoupdate: image: AUTOUPDATE_IMAGE env_file: services.env - environment: - - AUTH_KEY_TOKEN=test123 - - AUTH_KEY_COOKIE=test123 networks: - frontend - backend @@ -161,13 +158,13 @@ services: condition: on-failure delay: 5s replicas: ifenvelse(`OPENSLIDES_AUTOUPDATE_REPLICAS', 1) + secrets: + - auth_token_key + - auth_cookie_key auth: image: AUTH_IMAGE env_file: services.env - environment: - - AUTH_TOKEN_KEY=test123 - - AUTH_COOKIE_KEY=test123 networks: - datastore-reader - frontend @@ -178,6 +175,9 @@ services: condition: on-failure delay: 5s replicas: ifenvelse(`OPENSLIDES_AUTH_REPLICAS', 1) + secrets: + - auth_token_key + - auth_cookie_key cache: image: redis:latest @@ -221,12 +221,17 @@ services: condition: on-failure delay: 5s + # TODO: Remove depenency to auth in "networks" + # Should be doable when the manage service is fixed manage-setup: image: MANAGE_IMAGE entrypoint: /root/entrypoint-setup env_file: services.env + environment: + ENABLE_ELECTRONIC_VOTING: "ifenvelse(`ENABLE_ELECTRONIC_VOTING',)" networks: - backend + - auth ifelse(ADMIN_SECRET_AVAILABLE, 0,secrets: - admin) deploy: @@ -273,6 +278,10 @@ networks: encrypted: "" internal: true -ifelse(ADMIN_SECRET_AVAILABLE, 0,secrets: - admin: +secrets: + auth_token_key: + file: ./secrets/auth_token_key + auth_cookie_key: + file: ./secrets/auth_cookie_key + ifelse(ADMIN_SECRET_AVAILABLE, 0,admin: file: ./secrets/admin.env) diff --git a/docker/setup-prod.sh b/docker/setup-prod.sh index f20948b6d..9e43c1c58 100755 --- a/docker/setup-prod.sh +++ b/docker/setup-prod.sh 
@@ -1,11 +1,12 @@
#!/bin/bash
# Create keys for auth, if they do not exist
-if [ ! -d keys ]; then
- mkdir keys
-
- ssh-keygen -f keys/rsa-token.key -t rsa -b 2048 -P ""
- ssh-keygen -f keys/rsa-cookie.key -t rsa -b 2048 -P ""
+if [ ! -f secrets/auth_token_key ]; then
+ tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64 > secrets/auth_token_key
+fi
+if [ ! -f secrets/auth_cookie_key ]; then
+ tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64 > secrets/auth_cookie_key
fi
( set -a; source .env; m4 docker-compose.yml.m4 ) > docker-compose.yml
+( set -a; source .env; m4 docker-stack.yml.m4 ) > docker-stack.yml
diff --git a/openslides-auth-service b/openslides-auth-service
index ed9875e56..edfb247a2 160000
--- a/openslides-auth-service
+++ b/openslides-auth-service
@@ -1 +1 @@
-Subproject commit ed9875e56911d709a103bbb912646d245ff1ae44
+Subproject commit edfb247a2398ae69dd5c0ff44e7cdf692b7c1b80
diff --git a/openslides-autoupdate-service b/openslides-autoupdate-service
index d28465081..431bcf22c 160000
--- a/openslides-autoupdate-service
+++ b/openslides-autoupdate-service
@@ -1 +1 @@
-Subproject commit d284650811d2ae0bb512c4db268952862b5722b4
+Subproject commit 431bcf22c9a37c84c93f1aed292b77547854078b
diff --git a/openslides-backend b/openslides-backend
index a24b735b4..fffc152f7 160000
--- a/openslides-backend
+++ b/openslides-backend
@@ -1 +1 @@
-Subproject commit a24b735b482be4ff5f5425f2e92dd85f805f353d
+Subproject commit fffc152f79d3446591e07a6913d9fdf30b46f577
diff --git a/openslides-datastore-service b/openslides-datastore-service
index 5b17e162c..e8e2d287f 160000
--- a/openslides-datastore-service
+++ b/openslides-datastore-service
@@ -1 +1 @@
-Subproject commit 5b17e162c477e3d19b59b2dcfcf307538e5ce90b
+Subproject commit e8e2d287fb84192db0dbf78e7ebdfac6a33fcaa7
diff --git a/openslides-manage-service b/openslides-manage-service
index df61ded33..6ab94da8d 160000
--- a/openslides-manage-service
+++ b/openslides-manage-service
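Review bot: The key files written by the two new `tr … > secrets/auth_*_key` lines are created under the caller's default umask, typically 0644, so the token and cookie signing keys end up readable by every local user of the host. The script also has no `set -e`, so if the `secrets/` directory does not exist (the old branch created `keys` itself) or the pipeline produces fewer than 64 characters, the redirection fails or leaves a truncated file and the script still goes on to render templates that reference the secret; a short file would then be accepted by the `-f` guard on every later run. I would set `umask 077`, create the directory, and only write the file once 64 characters were actually produced, with a small helper so both keys are handled identically. The m4 rendering at the end of the hunk is unchanged.
```shell
# Create keys for auth, if they do not exist
umask 077   # key files must only be readable by the user running the setup
mkdir -p secrets
generate_key() {
    local target="$1" key
    [ -f "$target" ] && return 0
    key=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 64)
    if [ "${#key}" -ne 64 ]; then
        echo "setup-prod.sh: could not generate $target" >&2
        exit 1
    fi
    printf '%s' "$key" > "$target"
}
generate_key secrets/auth_token_key
generate_key secrets/auth_cookie_key
# … unchanged: m4 rendering of docker-compose.yml and docker-stack.yml …
```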
@@ -1 +1 @@
-Subproject commit df61ded339c1cb07e46876d4e463c5f9812d25cc
+Subproject commit 6ab94da8debbd0367a34f173ccc1ddee5a701863
diff --git a/openslides-permission-service b/openslides-permission-service
index c33b68b0c..e5e2313ca 160000
--- a/openslides-permission-service
+++ b/openslides-permission-service
@@ -1 +1 @@
-Subproject commit c33b68b0c701f7fc503096c1d89d6c82e5a50232
+Subproject commit e5e2313cadd4827a07af97259bfafd4e8ee7b066