Merge branch 'master' into 'quick_start'

# Conflicts:
#   doc/install.md

configure.sh

@@ -5,9 +5,9 @@ clear
 wait () {
 	secs=${1}
 	while [ $secs -gt 0 ]; do
-	   echo -ne "$secs\033[0K\r"
-	   sleep 1
-	   : $((secs--))
+		echo -ne "$secs\033[0K\r"
+		sleep 1
+		: $((secs--))
 	done
 }
 
@@ -19,7 +19,7 @@ MODIFY=${MODIFY:-no}
 case $MODIFY in
 	yes|Yes|YES )
 		echo modify
-		echo "please enter(command) which editor you want to use for editing this file"
+		echo "Please enter which editor (command) you want to use for editing this file"
 		read -p "[vi] : " EDITOR
 		EDITOR=${EDITOR:-vi}
 		if [[ ( $EDITOR = "vi" ) || $EDITOR = "vim" ]]; then
@@ -27,14 +27,14 @@ case $MODIFY in
 				echo "Instruction: "
 				echo -e "\t 1. press i to edit file"
 				echo -e "\t 2. modify file based on your needs"
-				echo -e "\t 3. to save changes use followng sequence: 'Esc : wq' and press enter"
-				echo "to discurd changes, use: 'Esc : q!' and press enter"
+				echo -e "\t 3. to save changes use following sequence: 'Esc : wq' and press enter"
+				echo "to discard changes, use: 'Esc : q!' and press enter"
 				read -p "press enter to continue ..." CONTINUE
 				$EDITOR access.ips
 			else
 				echo "$EDITOR not found. install it and start over"
-                                exit 1
-                        fi
+				exit 1
+			fi
 		else
 			if `which $EDITOR > /dev/null 2>&1`; then
 				$EDITOR access.ips
@@ -48,71 +48,75 @@ case $MODIFY in
 		echo no
 		;;
 	* )
-		echo "Unknown answer, not modifing access rules!"
+		echo "Unknown answer, not modifying access rules!"
 		;;
 esac
 
-./generate_haproxy_whitelis_files.sh
+./generate_haproxy_whitelist_files.sh
 if [ $? -gt 0 ]; then
-	echo "error occured, please check access.ips file structure. lines starting with '###' should not be modified"
+	echo "Error occurred, please check access.ips file structure. lines starting with '###' should not be modified"
 	exit 1
 else
-	echo "access restrictions configured successfully"
+	echo "Access restrictions configured successfully"
 	echo ""
 fi
 
 
 if [ -f group_vars/all/variables.yml ]; then 
-	echo "Variables file (group_vars/all/variables.yml) is configure manually. please take a look if everything is correct and move to next step"
+	echo "Variables file (group_vars/all/variables.yml) is already configured manually. Please take a look if everything is correct and move to the next step"
+	echo
+	echo "group_vars/all/variables.yml:"
+	echo "============================================================"
 	cat group_vars/all/variables.yml
-else 
-	echo "set FQDN which will be used to access the soctools services. (the DNS record should already be in place.)"
+	echo "============================================================"
+else
+	echo "Set the FQDN which will be used to access the soctools services (the DNS record should already be in place)"
 	read -p "[$(hostname -f)]: " soctoolsproxy
 	soctoolsproxy=${soctoolsproxy:-$(hostname -f)}
 	echo
 	echo "Organization's top level domain (will be used as organization name and organization domain in different services)"
 	read -p 'domain: ' domain
-        if [ -z $domain ]; then
-                echo "Error: Empty string for domain! exiting..."
-                exit 1
-        fi
+		if [ -z $domain ]; then
+			echo "Error: Empty string for domain! exiting..."
+			exit 1
+		fi
 	echo
 	echo
 	echo
-	echo "Please provide following parameters for first socctolls user which will be created during the initialization with organization admin privileges:"
+	echo "Please provide the following parameters for the first SOCTools user, which will be created during the initialization with organization admin privileges:"
+	echo "username 	- Username of the user"
 	echo "firstname - First name of the user"
 	echo "lastname 	- Last name of the user"
-	echo "username 	- Username of the user"
-	echo "DN 	- Distinguished Name of the user, for user certificate"
-	echo "CN 	- Common Name of the user, for user certificate"
-	echo "Email will be generated automatically in Username@Domain format becouse of format restrictions in some services"
+	#echo "DN 	- Distinguished Name of the user, for user certificate"
+	#echo "CN 	- Common Name of the user, for user certificate"
+	echo "Email will be generated automatically in Username@Domain format because of format restrictions in some services"
 	echo ""
-	echo ""
-	for i in firstname lastname username; do
-		read -p "${i}: " $i
-	      	if [ -z $i ]; then
-                	echo "Error: Empty string for ${i}! exiting..."
-                	exit 1
-        	fi
-	done
-	read -p "Enter CN for Certificate [${firstname}${lastname}]: " CN
-	CN=${CN:-${firstname}${lastname}}
-	DN=${CN}
+	read -p "username: " username
+	if [ -z "$username" ]; then
+		echo "Error: Empty username! exiting..."
+		exit 1
+  fi
+	read -p "firstname: " firstname
+	read -p "lastname: " lastname
+	#read -p "Enter CN for Certificate [${firstname}${lastname}]: " CN
+	#CN=${CN:-${firstname}${lastname}}
+	CN="$username"
+	DN="CN=${CN}"
 	echo
 	echo
 	echo
-	echo "Please check the gethered variables and type 'yes' if everything is correct: "
-	echo "soctoolsproxy: 	$soctoolsproxy"
-	echo "domain: 		$domain"
-	echo "firstname: 	$firstname"
-	echo "lastname: 	$lastname"
-	echo "username: 	$username"
-	echo "DN: 		$DN"
-	echo "CN:		$CN"
+	echo "Please check the gathered variables and type 'yes' if everything is correct:"
+	echo "soctoolsproxy:	$soctoolsproxy"
+	echo "domain:     $domain"
+	echo "firstname:  $firstname"
+	echo "lastname:   $lastname"
+	echo "username:   $username"
+	echo "DN:         $DN"
+	echo "CN:         $CN"
 	echo
 	echo
 	read -p "Correct? type 'yes' or 'no': " ANSWER
-	if [ $ANSWER = "yes" ]; then
+	if [ "$ANSWER" = "yes" ]; then
 		if ! [ -f group_vars/all/variables.template ]; then
 			echo "template file(group_vars/all/variables.template) does not exists! exiting ..."
 			exit 1
@@ -120,17 +124,17 @@ else
 			cp -f group_vars/all/variables.template group_vars/all/variables.yml
 			sed -i "s/CHANGE_ME_TO_FQDN/${soctoolsproxy}/g" group_vars/all/variables.yml
 			sed -i "s/soctools.test/${domain}/g" group_vars/all/variables.yml
-			sed -i "11s/soc_admin/${firstname}/" group_vars/all/variables.yml
-			sed -i "12s/SOC/${lastname}/" group_vars/all/variables.yml
+			sed -i "11s/CHANGE_ME_FIRST_NAME/${firstname}/" group_vars/all/variables.yml
+			sed -i "12s/CHANGE_ME_LAST_NAME/${lastname}/" group_vars/all/variables.yml
 			sed -i "13s/soc_admin/${username}/" group_vars/all/variables.yml
 			sed -i "14s/soc_admin/${username}/" group_vars/all/variables.yml
-			sed -i "15s/SOC_Admin/${DN}/" group_vars/all/variables.yml
-			sed -i "16s/SOC_Admin/${CN}/" group_vars/all/variables.yml
+			sed -i "15s/CN=soc_admin/${DN}/" group_vars/all/variables.yml
+			sed -i "16s/soc_admin/${CN}/" group_vars/all/variables.yml
 			sed -i "26s/soc_admin/${username}/" group_vars/all/variables.yml
 			echo
 			echo
 			echo "variables file generated (group_vars/all/variables.yml)"
-			echo "We have configured for you following config files: access.ips, group_vars/all/variables.yml and we have also generated HAProxy Access Control Lists in the following directory: roles/haproxy/files"
+			echo "We have configured for you the following config files: access.ips, group_vars/all/variables.yml and we have also generated HAProxy Access Control Lists in the following directory: roles/haproxy/files"
 			echo ""
 			echo "move to next command to deploy the soctools cluster."
 			echo 'Thank You!'

doc/install.md

@@ -22,7 +22,7 @@ The current version of SOCTools only runs on a single server. A fully distribute
 * `cd soctools`
 
 To test the development version you can clone the repository instead of downloading the latest release:  
-* git clone https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools.git
+* git clone --recursive https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools.git
 * `cd soctools`
 
 ## Configure SOCTools
@@ -41,16 +41,13 @@ You can use configuration script named "configure.sh", located in the root folde
   * User Management UI - Web UI for creating and managing SOCTools users. Increase security by restricting access only for administrator(s)
   * Kibana - Web UI for Kibana. Increase security by restricting access only for administrator(s)
 
-Edit roles/haproxy/files/stats_whitelist.lst in order to manually configure whitelist IP addresses for accessing various tools. You can use access.ips file found in the root folder as starting template.
+Edit `roles/haproxy/files/stats_whitelist.lst` in order to manually configure whitelist IP addresses for accessing various tools. You can use `access.ips` file found in the root folder as a starting template.
 * `cat access.ips > roles/haproxy/files/stats_whitelist.lst`
 * `vi roles/haproxy/files/stats_whitelist.lst`
 
-Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it points to the FQDN of the server.
+If you want to use MaxMind GeoLite2 database for enrichment, edit `group_vars/all/main.yml` and add the license key to the variable `maxmind_key`.
 * `vi group_vars/all/main.yml`  
 
-If you want to use MaxMind GeoLite2 database for enrichment, add the license key to the variable 'maxmind_key'  
-Users can be configured in the file group_vars/all/users.yml
-* `vi group_vars/all/users.yml` 
 
 ## Install SOCTools
 Configure the server running SOCTools:

group_vars/all/variables.template

@@ -8,18 +8,18 @@ domain: "soctools.test"
 
 #List of users which will be created during the initialization with organization admin privileges
 soctools_users:
-  - firstname: "soc_admin"
-    lastname: "SOC"
+  - firstname: "CHANGE_ME_FIRST_NAME"
+    lastname: "CHANGE_ME_LAST_NAME"
     username: "soc_admin"
     email: "soc_admin@{{domain}}"
-    DN: "CN=SOC_Admin"
-    CN: "SOC_Admin"
-#  - firstname: "soc_admin_2"
-#    lastname: "SOC"
+    DN: "CN=soc_admin"
+    CN: "soc_admin"
+#  - firstname: "SOC Admin 2"
+#    lastname: ""
 #    username: "soc_admin_2"
 #    email: "soc_admin_2@{{domain}}"
-#    DN: "CN=SOC_Admin_2"
-#    CN: "SOC_Admin_2"
+#    DN: "CN=soc_admin_2"
+#    CN: "soc_admin_2"
     
 # list of users(username) from previous step which will recive admin roles in ODFE. (Minimum one user is required)
 ODFE_ADMIN_USERS:

roles/build/tasks/centos.yml

 ---
 
-- name: Check for CentOS image
-  docker_image_info:
-    name: "{{repo}}/centos:{{version}}{{suffix}}"
-  register: centosimg
-
-- name: Assert CentOS image
-  assert:
-    that: centosimg.images | length == 0
-    fail_msg: "CentOS image already exists"
-
 - name: Create etc tree in build directory
   file:
     path: '{{ temp_root}}/{{ item.path }}'

roles/build/tasks/main.yml

@@ -5,7 +5,17 @@
       - "'CHANGE_ME' not in soctoolsproxy"
     fail_msg: "Review *all* settings in group_vars/all/main.yml"
 
-- include: centos.yml
+
+# Create CentOS image if not created yet
+- name: Check for CentOS image
+  docker_image_info:
+    name: "{{repo}}/centos:{{version}}{{suffix}}"
+  register: centosimg
+
+- name: Include tasks to create CentOS image
+  include_tasks: centos.yml
+  when: centosimg.images | length == 0
+
 
 - name: Create main build dir
   file:

roles/haproxy/templates/haproxy.cfg.j2

@@ -52,15 +52,18 @@ listen odfeserv
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst }
 	
 listen keycloakserv
-        bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
-        mode http
+        # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here 
+        bind *:12443
+        mode tcp
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-        option httplog
+        option tcp-check
+        option tcplog
+        tcp-check connect port 8443
 {% for keycloakhost in groups['keycloakcontainers'] %}
-	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+	server {{keycloakhost}} {{keycloakhost}}:8443 check
 {% endfor %}
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }
 

user-mgmt-ui @ 5ad6472a

-Subproject commit f66d5abb0dfd5dfdfc09afcd869b1f5d36140661
+Subproject commit 5ad6472a631399f715dbaefac0ec0d679d75ec58