Install the config file as secret.

2024-04-08 18:28:36 +02:00 · 2024-04-08 18:28:36 +02:00 · fbcf52c5f2
parent 271675d593
commit fbcf52c5f2
6 changed files with 96 additions and 84 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,7 +1,9 @@
 ---
 # https://shinyproxy.io/
-shinyproxy_install: True
-shinyproxy_as_docker_service: False
+# https://github.com/openanalytics/shinyproxy
+# https://github.com/openanalytics/shinyproxy-config-examples
+shinyproxy_install: true
+shinyproxy_as_docker_service: false
 shinyproxy_major_ver: 3
 shinyproxy_minor_ver: 0
 shinyproxy_patch_ver: 2
@ -18,6 +20,7 @@ shinyproxy_conf_dir: '{{ shinyproxy_install_dir }}'
 shinyproxy_log_dir: /var/log/shinyproxy
 shinyproxy_bind_address: 127.0.0.1
 shinyproxy_http_port: 8080
+shinyproxy_published_http_port: "{{ shinyproxy_http_port }}"
 shinyproxy_docker_http_port_mode: 'ingress'
 shinyproxy_heartbeat_rate: 10000
 shinyproxy_heartbeat_timeout: 60000
@ -31,7 +34,7 @@ shinyproxy_default_stop_proxy_on_logout: 'true'
 shinyproxy_default_proxy_max_lifetime: 60
 shinyproxy_undertow_loglevel: 'INFO'
 shinyproxy_prometheus_port: 9090
-shinyproxy_expose_prometheus: True
+shinyproxy_expose_prometheus: true
 # 30 minutes
 shinyproxy_server_session_timeout: 1800
 shinyproxy_server_secure_cookies: 'true'
@ -41,17 +44,17 @@ shinyproxy_server_frame_options: 'sameorigin'
 shinyproxy_same_site_cookie: 'Lax'
 # For logrotate. In days
 shinyproxy_log_retention: 10
-shinyproxy_default_apps: True
+shinyproxy_default_apps: false
 # Shinyproxy as docker service
 shinyproxy_docker_image: 'openanalytics/shinyproxy:{{ shinyproxy_version }}'
 shinyproxy_as_docker_stack_name: 'shinyproxy'
 shinyproxy_as_docker_service_name: 'shinyproxy'
 shinyproxy_as_docker_src_dir: /srv/{{ shinyproxy_as_docker_stack_name }}_service
 shinyproxy_docker_network: 'shinyproxy'
-shinyproxy_docker_swarm_behind_haproxy: True
+shinyproxy_docker_swarm_behind_haproxy: true
 shinyproxy_docker_swarm_replicas: 1
-shinyproxy_docker_mount_conf_file: True
-shinyproxy_docker_log_to_journal: True
+shinyproxy_docker_mount_conf_file: false
+shinyproxy_docker_log_to_journal: true
 # Shinyproxy configuration
 # docker, docker-swarm, kubernetes
 shinyproxy_container_backend: 'docker'
@ -84,11 +87,11 @@ shinyproxy_admin_group: ''
 shinyproxy_ldap_server: 'ldap://ldap.forumsys.com:389/dc=example,dc=com'
 shinyproxy_ldap_admin: cn=read-only-admin,dc=example,dc=com
 shinyproxy_ldap_admin_pwd: password
-shinyproxy_ldap_user_dn_enabled: False
+shinyproxy_ldap_user_dn_enabled: false
 shinyproxy_ldap_user_dn_pattern: 'uid={0}'
-shinyproxy_ldap_user_search_base_enabled: True
+shinyproxy_ldap_user_search_base_enabled: true
 shinyproxy_ldap_user_search_base: ''
-shinyproxy_ldap_user_search_filter_enabled: True
+shinyproxy_ldap_user_search_filter_enabled: true
 shinyproxy_ldap_user_search_filter: '(uid={0})'
 shinyproxy_ldap_group_search_base: ''
 shinyproxy_ldap_group_search_filter: '(uniqueMember={0})'
@ -109,7 +112,7 @@ shinyproxy_oidc_client_secret: 'use a vault file'
 # name, preferred_username, nickname, email
 shinyproxy_oidc_username_attribute: 'email'
 # See https://www.shinyproxy.io/faq/#authentication-using-openid-does-not-work-because-of-missing-attribute-email-in-attributes-exception
-shinyproxy_oidc_use_roles_claim: True
+shinyproxy_oidc_use_roles_claim: true
 shinyproxy_oidc_roles_claim: 'groups'

 shinyproxy_max_log_size: 20MB
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,3 +1,10 @@
 ---
 - name: Restart shinyproxy
-  service: name=shinyproxy state=restarted
+  ansible.builtin.service:
+    name: shinyproxy
+    state: restarted
+
+- name: Stop the shinyproxy service
+  community.docker.docker_swarm_service:
+    name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}"
+    state: absent
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,6 +2,13 @@
 - name: Shinyproxy as a standalone service
  ansible.builtin.import_tasks: shinyproxy_vm.yml
  when: not shinyproxy_as_docker_service
- name: Shinyproxy as a container
+- name: Shinyproxy as a standalone container
  ansible.builtin.import_tasks: shinyproxy_docker_service.yml
-  when: shinyproxy_as_docker_service
+  when:
+    - shinyproxy_as_docker_service
+    - shinyproxy_container_backend == 'docker'
+- name: Shinyproxy as a Docker Swarm stack
+  ansible.builtin.import_tasks: shinyproxy_docker_stack_service.yml
+  when:
+    - shinyproxy_as_docker_service
+    - shinyproxy_container_backend == 'docker-swarm'
--- a/tasks/shinyproxy_docker_service.yml
+++ b/tasks/shinyproxy_docker_service.yml
@ -1,6 +1,5 @@
 ---
 - name: shinyproxy_docker_service | Manage the composition of shinyproxy as a docker (non swarm) service
-  when: shinyproxy_container_backend == 'docker'
  tags: ['shinyproxy', 'shinyproxy_docker', 'docker']
  block:
    - name: shinyproxy_docker_service | Create the directory where the dockerfile and the configuration file will be copied into
@ -11,14 +10,6 @@
        group: root
        mode: "0750"

-    - name: shinyproxy_docker_service | Install the shinyproxy configuration file when using version 2.x
-      ansible.builtin.template:
-        src: shinyproxy-2-conf.yml.j2
-        dest: "{{ shinyproxy_as_docker_src_dir }}/application.yml"
-        owner: root
-        group: root
-        mode: "0400"
-
    - name: shinyproxy_docker_service | Install the shinyproxy docker file
      ansible.builtin.template:
        src: Dockerfile.j2
@ -39,55 +30,3 @@
      community.docker.docker_compose:
        project_src: '{{ shinyproxy_as_docker_src_dir }}'
        build: true
-
- name: shinyproxy_docker_service | Manage the installation of the shinyproxy configuration of the swarm service
-  when:
-    - shinyproxy_container_backend == 'docker-swarm'
-    - shinyproxy_docker_mount_conf_file
-  tags: ['shinyproxy', 'shinyproxy_swarm', 'docker']
-  block:
-    - name: shinyproxy_docker_service | Create the directory where the dockerfile and the configuration file will be copied into
-      ansible.builtin.file:
-        dest: "{{ shinyproxy_as_docker_src_dir }}"
-        state: directory
-        owner: root
-        group: root
-        mode: "0700"
-
-    - name: shinyproxy_docker_service | Install the shinyproxy configuration file
-      ansible.builtin.template:
-        src: shinyproxy-2-conf.yml.j2
-        dest: "{{ shinyproxy_as_docker_src_dir }}/application.yml"
-        owner: root
-        group: root
-        mode: "0400"
-
- name: shinyproxy_docker_service | Manage the docker stack
-  when:
-    - docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
-    - shinyproxy_container_backend == 'docker-swarm'
-  tags: ['shinyproxy', 'shinyproxy_swarm', 'docker']
-  run_once: true
-  block:
-    - name: shinyproxy_docker_service | Create the directory where the dockerfile and the configuration file will be copied into
-      ansible.builtin.file:
-        dest: "{{ shinyproxy_as_docker_src_dir }}"
-        state: directory
-        owner: root
-        group: root
-        mode: "0700"
-
-    - name: shinyproxy_docker_service | Install the docker compose file
-      ansible.builtin.template:
-        src: shinyproxy-docker-compose.yml.j2
-        dest: "{{ shinyproxy_as_docker_src_dir }}/docker-shinyproxy-stack.yml"
-        owner: root
-        group: root
-        mode: "0400"
-
-    - name: shinyproxy_docker_service | Start the shinyproxy stack
-      community.docker.docker_stack:
-        name: '{{ shinyproxy_as_docker_stack_name }}'
-        state: present
-        compose:
-          - '{{ shinyproxy_as_docker_src_dir }}/docker-shinyproxy-stack.yml'
--- a/tasks/shinyproxy_docker_stack_service.yml
+++ b/tasks/shinyproxy_docker_stack_service.yml
@ -0,0 +1,56 @@
+---
+- name: shinyproxy_docker_stack_service | Manage the installation of the shinyproxy configuration of the swarm service
+  tags: ['shinyproxy', 'shinyproxy_swarm', 'docker']
+  block:
+    - name: shinyproxy_docker_stack_service | Create the directory where the dockerfile and the configuration file will be copied into
+      ansible.builtin.file:
+        dest: "{{ shinyproxy_as_docker_src_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: "0700"
+
+- name: shinyproxy_docker_stack_service | Manage the docker stack
+  tags: ['shinyproxy', 'shinyproxy_swarm', 'docker']
+  run_once: true
+  block:
+    - name: shinyproxy_docker_stack_service | Create the directory where the dockerfile and the configuration file will be copied into
+      ansible.builtin.file:
+        dest: "{{ shinyproxy_as_docker_src_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: "0700"
+
+    - name: shinyproxy_docker_stack_service | Install the docker compose file
+      ansible.builtin.template:
+        src: shinyproxy-docker-compose.yml.j2
+        dest: "{{ shinyproxy_as_docker_src_dir }}/docker-shinyproxy-stack.yml"
+        owner: root
+        group: root
+        mode: "0400"
+
+    - name: shinyproxy_docker_stack_service | Install the shinyproxy configuration file
+      ansible.builtin.template:
+        src: shinyproxy-2-conf.yml.j2
+        dest: "{{ shinyproxy_as_docker_src_dir }}/application.yml"
+        owner: root
+        group: root
+        mode: "0400"
+      notify: Stop the shinyproxy service
+
+    - name: shinyproxy_docker_stack_service | Flush the handlers to stop the shinyproxy service if needed
+      ansible.builtin.meta: flush_handlers
+
+    - name: shinyproxy_docker_stack_service | Create the secret for the application.yml file
+      community.docker.docker_secret:
+        name: "{{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}_application_yml"
+        data_src: '{{ shinyproxy_as_docker_src_dir }}/application.yml'
+        state: present
+
+    - name: shinyproxy_docker_stack_service | Start the shinyproxy stack
+      community.docker.docker_stack:
+        name: '{{ shinyproxy_as_docker_stack_name }}'
+        state: present
+        compose:
+          - '{{ shinyproxy_as_docker_src_dir }}/docker-shinyproxy-stack.yml'
--- a/templates/shinyproxy-docker-compose.yml.j2
+++ b/templates/shinyproxy-docker-compose.yml.j2
@ -8,9 +8,9 @@ networks:
  {{ shinyproxy_docker_network }}:

 {% if not shinyproxy_docker_mount_conf_file %}
-configs:
-  shinyproxy_conf:
-    file: {{ shinyproxy_as_docker_src_dir }}/application.yml
+secrets:
+  {{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}_application_yml:
+    external: true
 {% endif %}
 services:
  shinyproxy:
@ -21,7 +21,7 @@ services:
        published: {{ shinyproxy_http_port }}
        protocol: tcp
        mode: '{{ shinyproxy_docker_http_port_mode }}'
-{% if shinyproxy_expose_prometheus and shinyproxy_version is version_compare('2.5.0', '>=') %}
+{% if shinyproxy_expose_prometheus %}
      - target: 9090
        published: {{ shinyproxy_prometheus_port }}
        protocol: tcp
@ -32,10 +32,10 @@ services:
 {% if not shinyproxy_docker_swarm_behind_haproxy %}
    ports:
      - target: {{ shinyproxy_http_port }}
-        published: {{ shinyproxy_http_port }}
+        published: {{ shinyproxy_published_http_port }}
        protocol: tcp
        mode: 'ingress'
-{% if shinyproxy_expose_prometheus and shinyproxy_version is version_compare('2.5.0', '>=') %}
+{% if shinyproxy_expose_prometheus %}
      - target: 9090
        published: {{ shinyproxy_prometheus_port }}
        protocol: tcp
@ -49,10 +49,10 @@ services:
      - {{ shinyproxy_as_docker_src_dir }}/application.yml:{{ shinyproxy_conf_dir }}/application.yml
 {% endif %}
 {% if not shinyproxy_docker_mount_conf_file %}
-    configs:
-      - source: shinyproxy_conf
+    secrets:
+      - source: {{ shinyproxy_as_docker_stack_name }}_{{ shinyproxy_as_docker_service_name }}_application_yml
        target: {{ shinyproxy_conf_dir }}/application.yml
-        mode: 0400
+        mode: 0444
 {% endif %}
    networks:
      - {{ shinyproxy_docker_network }}