commit 752e58012368b2aa6cb49718783c038e71d21278
Author: Nicolas MASSE
Date: Fri Jan 22 09:37:39 2021 +0100
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e845c18
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+inventory
diff --git a/files/keycloak.yaml.j2 b/files/keycloak.yaml.j2
new file mode 100644
index 0000000..28f7244
--- /dev/null
+++ b/files/keycloak.yaml.j2
@@ -0,0 +1,13 @@
+http:
+ routers:
+ keycloak:
+ rule: PathPrefix(`/auth`)
+ entryPoints:
+ - http
+ service: "keycloak"
+ services:
+ keycloak:
+ loadBalancer:
+ servers:
+ - url: "http://keycloak-server-1.dns.podman:8080"
+ - url: "http://keycloak-server-2.dns.podman:8080"
diff --git a/files/traefik.yaml.j2 b/files/traefik.yaml.j2
new file mode 100644
index 0000000..ff8f635
--- /dev/null
+++ b/files/traefik.yaml.j2
@@ -0,0 +1,13 @@
+log:
+ level: "INFO"
+
+accesslog: true
+
+providers:
+ file:
+ directory: /etc/traefik/conf.d/
+ watch: true
+
+entryPoints:
+ http:
+ address: ":8080"
\ No newline at end of file
diff --git a/files/users.ldif.j2 b/files/users.ldif.j2
new file mode 100644
index 0000000..c79148b
--- /dev/null
+++ b/files/users.ldif.j2
@@ -0,0 +1,20 @@
+dn: ou=users,dc=keycloak,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: users
+
+{% for i in range(openldap_users_count) %}
+{% set id = "%06d" |format(i) %}
+dn: uid=user_{{ id }},ou=users,dc=keycloak,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+uid: user_{{ id }}
+cn: User {{ id }}
+sn: {{ id }}
+givenName: User
+mail: user_{{ id }}@nowhere.test
+userPassword: user_{{ id }}
+
+{% endfor %}
\ No newline at end of file
diff --git a/group_vars/all.yaml b/group_vars/all.yaml
new file mode 100644
index 0000000..571412a
--- /dev/null
+++ b/group_vars/all.yaml
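Review bot: The `loadBalancer` under `http.services.keycloak` spreads requests over two backends with no session affinity, while the "Install Keycloak" task in provision.yaml starts the two containers with only database variables and no explicit cluster-discovery settings; unless the image's defaults really form a cluster between the two containers, a login flow whose consecutive requests land on different nodes will fail. If standalone nodes are intended, add Traefik's `sticky` option to the service (`loadBalancer:` → `sticky:` → `cookie: {}`) or front a single backend; if clustering is intended, make it explicit in the playbook so the assumption is visible. Separately, this file and traefik.yaml.j2 carry a `.j2` suffix but contain no template expressions, and the two backend hostnames here duplicate the container names in the playbook's `loop`; rendering them from one variable would keep the two in step.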
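Review bot: `userPassword: user_{{ id }}` gives every generated account a cleartext password equal to its uid, and provision.yaml installs the rendered file at `/srv/openldap/data/ldif/users.ldif` with `mode: 0777`, so the whole credential set is both predictable and readable by any local account on the host. For a load-test fixture that may be the intent, but it deserves a header comment in the template, e.g. `# Throwaway test identities: uid == password, never expose this directory beyond the podman network`, and a tighter file mode in the playbook task that drops it. The `{% for %}` body ends with a blank line, which LDIF requires between entries, so the structure itself is fine.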
@@ -0,0 +1,9 @@
+keycloak_admin_username: admin
+keycloak_admin_password: admin
+traefik_image: docker.io/traefik:v2.3.4
+keycloak_image: docker.io/jboss/keycloak:11.0.3
+postgresql_image: quay.io/centos7/postgresql-10-centos7:latest
+#postgresql_image: docker.io/postgres:11.5-alpine
+mariadb_image: quay.io/centos7/mariadb-103-centos7:latest
+openldap_image: osixia/openldap:1.4.0
+
diff --git a/inventory.sample b/inventory.sample
new file mode 100644
index 0000000..9a39ce4
--- /dev/null
+++ b/inventory.sample
@@ -0,0 +1,2 @@
+[sut]
+hp-microserver.itix.fr ansible_become=yes ansible_user=nicolas
diff --git a/provision.yaml b/provision.yaml
new file mode 100644
index 0000000..46485b2
--- /dev/null
+++ b/provision.yaml
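Review bot: `postgresql_image` and `mariadb_image` are pinned to `:latest` and `openldap_image` has no registry prefix, so which images a run pulls depends on the date of the run and on the host's registry search order, whereas `traefik_image` and `keycloak_image` are fully qualified and version-pinned. For a benchmark harness, pinning all four the same way (registry plus tag, ideally a digest) keeps runs comparable and removes the ambiguity about where an unqualified name resolves, e.g. `openldap_image: docker.io/osixia/openldap:1.4.0`. `keycloak_admin_password: admin` is also committed in cleartext; a vaulted vars file or an extra var on the command line would keep it out of the repository.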
@@ -0,0 +1,283 @@
+- name: Prepare the SUT (System Under Test)
+ hosts: sut
+ tasks:
+ - assert:
+ that:
+ - enable_ldap is defined
+ - enable_https is defined
+ - database is defined
+ msg: >-
+ specify the scenario to provision as extra vars (using -e '@scenarios/foo.yaml')
+
+ - dnf:
+ name:
+ - podman
+ - podman-plugins
+ - openldap-clients
+ state: installed
+
+ - name: Inspect the default network created by podman
+ command: podman network inspect podman
+ register: podman_network_inspect
+ changed_when: false
+
+ - name: Check if the default network needs to be patched to add the "dnsname" plugin
+ set_fact:
+ podman_default_network_needs_patch: '{{ "dnsname" not in network_plugins }}'
+ vars:
+ network_plugins: '{{ podman_network_inspect.stdout | from_json | json_query("[0].plugins[].type") | list }}'
+
+ - name: Remove the default podman network
+ containers.podman.podman_network:
+ name: podman
+ state: absent
+ when: podman_default_network_needs_patch
+
+ - name: Re-create the default podman network (with the "dnsname" plugin)
+ containers.podman.podman_network:
+ name: podman
+ state: present
+ subnet: 10.88.0.0/16
+ when: podman_default_network_needs_patch
+
+ - name: Cleanup containers
+ containers.podman.podman_container:
+ name: '{{ item }}'
+ state: absent
+ loop:
+ - traefik
+ - keycloak-server-1
+ - keycloak-server-2
+ - postgresql
+ - mariadb
+ - openldap
+
+ - stat:
+ path: /srv/openldap/data
+ register: data
+ when: enable_ldap|bool
+
+ - name: Backup /srv/openldap/data if present
+ command:
+ cmd: "mv /srv/openldap/data /srv/openldap/data-{{ name }}"
+ vars:
+ name: "{{ lookup('pipe','date +%Y%m%d-%H%M%S') }}"
+ when: enable_ldap|bool and data.stat.exists
+
+ - name: Re-create /srv/openldap/data
+ file:
+ path: /srv/openldap/data/{{ item }}
+ state: directory
+ owner: root
+ group: root
+ mode: 0777
+ when: enable_ldap|bool
+ loop:
+ - db
+ - schema
+ - ldif
+
+ - name: Drop the initial LDIF into /srv/openldap/data/ldif
+ template:
+ src: files/users.ldif.j2
+ dest: /srv/openldap/data/ldif/users.ldif
+ owner: root
+ group: root
+ mode: 0777
+ when: enable_ldap|bool
+
+ - name: Install OpenLDAP
+ containers.podman.podman_container:
+ name: openldap
+ image: '{{ openldap_image }}'
+ state: started
+ cpuset_cpus: 0,4
+ command:
+ - --copy-service
+ #- --loglevel
+ #- debug
+ env:
+ LDAP_ORGANISATION: Keycloak
+ LDAP_DOMAIN: keycloak.org
+ LDAP_ADMIN_PASSWORD: keycloak
+ volume:
+ - '/srv/openldap/data/db:/var/lib/ldap:z'
+ - '/srv/openldap/data/schema:/etc/ldap/slapd.d:z'
+ - '/srv/openldap/data/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom:z'
+ when: enable_ldap|bool
+
+ - stat:
+ path: /srv/postgresql/data
+ register: data
+ when: database == 'postgresql'
+
+ - name: Backup /srv/postgresql/data if present
+ command:
+ cmd: "mv /srv/postgresql/data /srv/postgresql/data-{{ name }}"
+ vars:
+ name: "{{ lookup('pipe','date +%Y%m%d-%H%M%S') }}"
+ when: database == 'postgresql' and data.stat.exists
+
+ - name: Re-create /srv/postgresql/data
+ file:
+ path: /srv/postgresql/data
+ state: directory
+ owner: root
+ group: root
+ mode: 0777
+ when: database == 'postgresql'
+
+ - stat:
+ path: /srv/mariadb/data
+ register: data
+ when: database == 'mariadb'
+
+ - name: Backup /srv/mariadb/data if present
+ command:
+ cmd: "mv /srv/mariadb/data /srv/mariadb/data-{{ name }}"
+ vars:
+ name: "{{ lookup('pipe','date +%Y%m%d-%H%M%S') }}"
+ when: database == 'mariadb' and data.stat.exists
+
+ - name: Re-create /srv/mariadb/data
+ file:
+ path: /srv/mariadb/data
+ state: directory
+ owner: root
+ group: root
+ mode: 0777
+ when: database == 'mariadb'
+
+ - name: Install PostgreSQL (Docker version)
+ containers.podman.podman_container:
+ name: postgresql
+ image: '{{ postgresql_image }}'
+ state: started
+ memory: 4g
+ cpuset_cpus: 3,7
+ env:
+ POSTGRES_USER: keycloak
+ POSTGRES_PASSWORD: keycloak
+ POSTGRES_DB: keycloak # Docker version
+ volume:
+ - '/srv/postgresql/data:/var/lib/postgresql/data:z' # Docker version
+ when: >
+ database == 'postgresql' and 'docker.io/postgres:' in postgresql_image
+
+ - name: Install PostgreSQL (SCL version)
+ containers.podman.podman_container:
+ name: postgresql
+ image: '{{ postgresql_image }}'
+ state: started
+ cpuset_cpus: 3,7
+ memory: 4g
+ env:
+ POSTGRESQL_USER: keycloak
+ POSTGRESQL_PASSWORD: keycloak
+ POSTGRESQL_DATABASE: keycloak # SCL version
+ volume:
+ - '/srv/postgresql/data:/var/lib/pgsql/data:z' # SCL version
+ when: >
+ database == 'postgresql' and postgresql_image |regex_search("quay.io/centos./postgresql-.*:")
+
+ - name: Install MariaDB
+ containers.podman.podman_container:
+ name: mariadb
+ image: '{{ mariadb_image }}'
+ state: started
+ cpuset_cpus: 3,7
+ memory: 4g
+ env:
+ MYSQL_USER: keycloak
+ MYSQL_PASSWORD: keycloak
+ MYSQL_DATABASE: keycloak
+ volume:
+ - '/srv/mariadb/data:/var/lib/mysql/data:z'
+ when: >
+ database == 'mariadb'
+
+ - name: Remove /etc/keycloak
+ file:
+ path: /etc/keycloak
+ state: absent
+
+ - name: Re-create /etc/keycloak
+ file:
+ path: /etc/keycloak
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Install Keycloak
+ containers.podman.podman_container:
+ name: '{{ item.name }}'
+ image: '{{ keycloak_image }}'
+ state: started
+ cpuset_cpus: '{{ item.cpuset }}'
+ env: '{{ common_env | combine(db_env) }}'
+ volume:
+ - '/etc/keycloak:/etc/keycloak:z'
+ loop:
+ - name: keycloak-server-1
+ cpuset: 1,5
+ - name: keycloak-server-2
+ cpuset: 2,6
+ vars:
+ db_env: '{{ postgres_env if database == "postgresql" else mariadb_env }}'
+ mariadb_env:
+ DB_VENDOR: mariadb
+ DB_ADDR: mariadb.dns.podman
+ postgres_env:
+ DB_VENDOR: postgres
+ DB_ADDR: postgresql.dns.podman
+ common_env:
+ DB_USER: keycloak
+ DB_PASSWORD: keycloak
+ DB_DATABASE: keycloak
+ KEYCLOAK_USER: '{{ keycloak_admin_username }}'
+ KEYCLOAK_PASSWORD: '{{ keycloak_admin_password }}'
+ PROXY_ADDRESS_FORWARDING: 'true'
+
+ - name: Remove /etc/traefik
+ file:
+ path: /etc/traefik
+ state: absent
+
+ - name: Re-create /etc/traefik
+ file:
+ path: /etc/traefik/conf.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Install the traefik configuration files
+ template:
+ src: files/traefik.yaml.j2
+ dest: /etc/traefik/traefik.yaml
+
+ - name: Install the traefik configuration files
+ template:
+ src: files/keycloak.yaml.j2
+ dest: /etc/traefik/conf.d/keycloak.yaml
+
+ - name: Install Traefik
+ containers.podman.podman_container:
+ name: traefik
+ image: '{{ traefik_image }}'
+ state: started
+ cpuset_cpus: 0,4
+ ports:
+ - 80:8080
+ volume:
+ - '/etc/traefik:/etc/traefik:z'
+
+ - name: Wait for Keycloak to get ready
+ uri:
+ url: http://{{ inventory_hostname }}/auth/realms/master/.well-known/openid-configuration
+ timeout: 10
+ retries: 20
+ delay: 5
+ register: healthcheck
+ until: not healthcheck.failed
diff --git a/requirements.yaml b/requirements.yaml
new file mode 100644
index 0000000..8637c83
--- /dev/null
+++ b/requirements.yaml
@@ -0,0 +1,4 @@
+collections:
+- name: containers.podman
+ version: '>=1.4.1' # 1.4.1 is the minimum when working with podman 2.2
+- name: community.general
diff --git a/scenarios/baseline.yaml b/scenarios/baseline.yaml
new file mode 100644
index 0000000..b8582ca
--- /dev/null
+++ b/scenarios/baseline.yaml
@@ -0,0 +1,3 @@
+enable_https: no
+enable_ldap: no
+database: postgresql
diff --git a/scenarios/ldap.yaml b/scenarios/ldap.yaml
new file mode 100644
index 0000000..fd49387
--- /dev/null
+++ b/scenarios/ldap.yaml
@@ -0,0 +1,4 @@
+enable_https: no
+enable_ldap: yes
+database: postgresql
+openldap_users_count: 1000000
diff --git a/scenarios/mariadb.yaml b/scenarios/mariadb.yaml
new file mode 100644
index 0000000..ef20f24
--- /dev/null
+++ b/scenarios/mariadb.yaml
@@ -0,0 +1,3 @@
+enable_https: no
+enable_ldap: no
+database: mariadb
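Review bot: The data directories under `/srv/openldap`, `/srv/postgresql` and `/srv/mariadb`, and the rendered `users.ldif`, are all created with `mode: 0777`, so any local account on the SUT can read the LDAP bootstrap (with its cleartext `userPassword` values) and write into the database files. Presumably this works around the container processes running as a UID other than root; owning the directories by that UID with a `0750`-style mode would be tighter, and the octal should be quoted (`mode: "0750"`) so the YAML parser does not retype it. Second, `enable_https is defined` is asserted at the top of the play but no task in the file reads `enable_https`, and Traefik is only published on `80:8080`; either the HTTPS path should be implemented or the assertion dropped so the scenario files stop implying it is honoured. Finally, `LDAP_ADMIN_PASSWORD`, `POSTGRES_PASSWORD`, `POSTGRESQL_PASSWORD`, `MYSQL_PASSWORD` and `DB_PASSWORD` are all the literal `keycloak` inline; routing them through a single group_vars variable, as `keycloak_admin_password` already is, gives one place to rotate them, and the two tasks both named "Install the traefik configuration files" should get distinct names so log output is unambiguous.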
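Review bot: `enable_https: no` and `enable_ldap: no`/`yes` are YAML 1.1 truthy words; the playbook copes because every use goes through `|bool`, but yamllint flags them and a YAML 1.2 loader would hand them over as the strings "no" and "yes". The canonical forms are `enable_https: false`, `enable_ldap: false` here and in scenarios/mariadb.yaml, and `enable_ldap: true` in scenarios/ldap.yaml. The `openldap_users_count: 1000000` in scenarios/ldap.yaml renders a million LDIF entries through a single template; a comment noting the expected render time and disk footprint would help the next person who picks that scenario.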