Compare commits


54 Commits

Author SHA1 Message Date
Marco Lettere 112395d292 added versions 3.136,3.13.8 and 3.15.0 2023-12-11 09:54:14 +01:00
Marco Lettere e4585299d4 added env var for smtp_user and added conductor.dev.d4science.org as vhost 2022-09-30 16:56:21 +02:00
Marco Lettere b4477987b6 rewritten to support stack for local, dev and pre 2022-08-30 15:09:09 +02:00
Marco Lettere afd8bd777c added pre build and stack 2022-07-25 11:17:17 +02:00
Marco Lettere 6ef1939bc4 removed value 2022-06-15 16:03:17 +02:00
Marco Lettere 14a2201085 added new dev stack for version 3.4 2022-06-15 15:35:18 +02:00
Marco Lettere e01bffd1dc fixed support for client_credentials when basic auth 2021-12-14 15:14:43 +01:00
Marco Lettere 1cc1f1bb8c support IAM sending gunzipped tokens 2021-10-22 15:02:05 +02:00
Marco Lettere 571a988be9 added more info on token parse error 2021-10-22 12:45:21 +02:00
Marco Lettere 66a86dfe1a retry basic auth also when IAM returns 400 2021-08-25 17:02:14 +02:00
Marco Lettere 63806e6a6b fixed path for tasks in order to match updates 2021-08-02 17:51:34 +02:00
Marco Lettere 1253174c74 added support for client_credentials before password flow which is downgraded to backup 2021-07-22 17:49:01 +02:00
Marco Lettere 11716f0d4d try setting baseline for flyway 2021-06-11 19:51:14 +02:00
Marco Lettere 7c7535f94f try setting baseline for flyway 2021-06-11 19:45:26 +02:00
Marco Lettere bfd86a8697 try setting baseline for flyway 2021-06-11 19:35:07 +02:00
Marco Lettere 7948081d04 added external postgres vault 2021-06-11 19:21:01 +02:00
Marco Lettere 94eb5bd2fb added external postgres vault 2021-06-11 19:19:05 +02:00
Marco Lettere 2c54e97aeb adopted jdbc pass from vault 2021-06-11 19:13:57 +02:00
Marco Lettere eb40300249 removed unnecessary = 2021-06-11 19:09:43 +02:00
Marco Lettere a8b8f41446 changed oauth2 strategy to work around multiple role bug 2021-06-11 09:14:12 +02:00
Marco Lettere f3ec4f6327 scaled down original conductor replicas to two to help startup. 2021-06-01 10:26:39 +02:00
Marco Lettere 3224c53ae5 corrected local site 2021-06-01 10:15:08 +02:00
Marco Lettere 139043faa2 minor fixes 2021-06-01 10:10:26 +02:00
Marco Lettere fafd89a278 fixed typo 2021-05-31 18:05:32 +02:00
Marco Lettere c4bb342b3f changed naming of service to incorporate infrastructure 2021-05-31 18:04:17 +02:00
Marco Lettere c1db229a68 removed authorization constraint from health check and fixed host header for backend calls 2021-05-26 18:42:29 +02:00
Marco Lettere 9cc76a61d5 pep replicas set to two 2021-05-25 10:13:08 +02:00
dcore94 981b8e1ac7 moved volumes to configs 2021-05-20 18:58:23 +02:00
dcore94 33499eb123 all nodes on master for clustered deployment 2021-05-20 18:28:57 +02:00
dcore94 e69fc35258 tuned redirect uris 2021-05-20 18:02:07 +02:00
dcore94 b76b34c624 tuned redirect uris 2021-05-20 18:00:15 +02:00
dcore94 2f6d6e28ee set callback uri to https 2021-05-20 17:50:45 +02:00
dcore94 eeb843341a inventory fix 2021-05-20 17:21:48 +02:00
dcore94 d9467bf520 added support for load balanced network on external node 2021-05-20 17:17:16 +02:00
dcore94 676cac24ec tuned generation for all environments and added local-site 2021-05-19 17:02:57 +02:00
dcore94 288482d5b6 conductor 3.0.4 with oauth2 and pep 2021-05-18 15:10:08 +02:00
Mauro Mugnaini 2d4585d086 Commented out journald logging driver, the default will be used. The docker image for conductor is the local and not the public on the hub (for the moment for dev purposes). Oauth2 strategy is used for the login. 2021-04-23 18:53:41 +02:00
Mauro Mugnaini ab66713941 Config for oauth2 strategy 2021-04-23 18:51:53 +02:00
dcore94 e12f87fd85 use oauth2 enabled image for conductor-ui 2021-04-16 16:49:16 +02:00
dcore94 bf1bf82c0f added local-site with pep 2021-04-16 16:07:16 +02:00
dcore94 ca0b62bcfe added configurations for email workers 2021-03-24 17:26:49 +01:00
dcore94 c69b192c41 separated sites, added local auth for UI 2021-02-23 09:42:26 +01:00
dcore94 492c11ce61 redefined encrypted var name 2021-02-17 13:13:17 +01:00
dcore94 2ec568e0a6 renamed again 2021-02-17 13:09:26 +01:00
dcore94 d185681fef renamed 2021-02-17 12:57:34 +01:00
dcore94 5a324e3265 renamed postgres keys 2021-02-17 12:55:24 +01:00
dcore94 f434e0883e moved one level up 2021-02-17 12:50:27 +01:00
dcore94 b2b321a7de made vault file visible 2021-02-16 18:50:05 +01:00
dcore94 dafb96637f added vault for secret and fixed public address 2021-02-16 18:21:19 +01:00
dcore94 48655dbbe3 corrected host list 2021-02-16 14:58:21 +01:00
dcore94 414a38631c added configs for prod deployment 2021-02-16 14:48:41 +01:00
dcore94 1887adf73b Merge branch 'master' of https://bitbucket.org/Nubisware/conductor-setup 2021-02-16 12:26:45 +01:00
dcore94 af94edbda4 created playbook for prod 2021-02-16 12:26:19 +01:00
Andrea Dell'Amico 854f682bd3 Merge pull request 'Adjusted the host list in site.yml' (#2) from andrea.dellamico/conductor-setup:master into master 2020-11-20 17:03:16 +01:00
220 changed files with 10376 additions and 638 deletions


@ -1,50 +1,55 @@
# Conductor Setup # Conductor Setup
**Conductor Setup** is composed of a set of ansible roles and a playbook named site.yaml useful for deploying a docker swarm running Conductor microservice orchestrator by [Netflix OSS](https://netflix.github.io/conductor/). **Conductor Setup** is composed of a set of ansible roles and a playbook named site-*.yaml useful for deploying a docker swarm running Conductor microservice orchestrator by [Netflix OSS](https://netflix.github.io/conductor/).
Current setup is based on Conductor 3.0.4 version adapted by Nubisware S.r.l.
It uses the docker images on dockerhub:
- nubisware/conductor-server:3.0.4
- nubisware/conductor-ui-oauth2:3.0.4 (which has been improved with Oauth2 login in collaboration with Keycloak)
Besides the basic components Conductor itself (server and ui) and Elasticsearch 6.1.8, the repository can be configured to launch postgres or mysql persistence plus basic python based workers for running PyRest, PyMail, PyExec and PyShell in the same Swarm.
In addition a nginx based PEP can be executed to protect the conductor REST API server.
It is also possible to connect to an external postgres for stateful deployments.
## Structure of the project ## Structure of the project
The AutoDynomite Docker image script file is present in `dynomite` folder. The folder roles contains the necessary roles for configuring the different configurations
The Docker Compose Swarm files are present in the `stack` folder. There are 4 file for deploying to local, nw-cluster or D4SCience dev, pre and prod environments.
To run a deployment
`ansible-playbook site-X.yaml`
whereas
`ansible-playbook site-X.yaml -e dry=true`
only generates the files for the stack without actually deploying it.
The folder *local-site* contains a ready version for quickly launching a conductor instance with no replications (except workers), no auth in the Conductor UI and no PEP.
`docker stack deploy -c elasticsearch-swarm.yaml -c postgres-swarm.yaml -c conductor-swarm.yaml -c conductor-workers-swarm.yaml -c pep-swarm.yaml conductor`
When you have ensured that Postgres and Elasticsearch are running, execute:
`docker stack deploy -c conductor-swarm.yaml conductor`
This will create a local stack accessible through permissive pep at port 80. Please add two mappings for localhost in your /etc/hosts
`127.0.1.1 conductor-server conductor-ui`
and point your browser to http://conductor-ui.
## Built With ## Built With
* [Ansible](https://www.ansible.com) * [Ansible](https://www.ansible.com)
* [Docker](https://www.docker.com) * [Docker](https://www.docker.com)
## Documentation
The provided Docker stack files provide the following configuration:
- 2 Conductor Server nodes with 2 replicas handled by Swarm
- 2 Conductor UI nodes with 2 replicas handled by Swarm
- 1 Elasticsearch node
- 1 Database node that can be postgres (default), mysql or mariadb
- 2 Optional replicated instances of PyExec worker running the tasks Http, Eval and Shell
- 1 Optional cluster-replacement service that sets up a networking environment (including on HAProxy LB) similar to the one available in production. By default it's disabled.
The default configuration is run with the command: `ansible-playbook site.yaml`
Files for swarms and configurations will be generated inside a temporary folder named /tmp/conductor_stack on the local machine.
In order to change destination folder use the switch: `-e target_path=anotherdir`
If you only want to review the generated files run the command `ansible-playbook site.yaml -e dry=true`
In order to switch between postgres and mysql specify the db on the proper variable: `-e db=mysql`
In order to skip worker creation specify the noworker varaible: `-e noworker=true`
In order to enable the cluster replacement use the switch: `-e cluster_replacement=true`
If you run the stack in production behind a load balenced setup ensure the variable cluster_check is true: `ansible-playbook site.yaml -e cluster_check=true`
Other setting can be fine tuned by checking the variables in the proper roles which are:
- *common*: defaults and common tasks
- *conductor*: defaults, templates and tasks for generating swarm files for replicated conductor-server and ui.
- *elasticsearch*: defaults, templates and task for starting in the swarm a single instance of elasticsearch
- *mysql*: defaults, template and tasks for starting in the swarm a single instance of mysql/mariadb
- *postgres*: defaults, templates and tasks for starting in the swarm a single instance of postgres
- *workers*: defaults and task for starting in the swarm a replicated instance of the workers for executing HTTP, Shell, Eval operations.
## Examples ## Examples
The following example runs as user username on the remote hosts listed in hosts a swarm with 2 replicas of conductor server and ui, 1 postgres, 1 elasticsearch, 2 replicas of simple PyExec, an HAProxy that acts as load balancer. Checkout the files site-X.yaml as a reference for different configurations.
`ansible-playbook -u username -i hosts site.yaml -e target_path=/tmp/conductor -e cluster_replacement=true`
## Change log ## Change log
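Review bot: the new README text has typos and two internal inconsistencies that should be fixed in this hunk: 'varaible' should be 'variable', 'balenced' should be 'balanced', '4 file' should be '4 files', and 'D4SCience' should be 'D4Science'. More importantly, the 'Structure of the project' section first tells the reader to deploy with `docker stack deploy -c elasticsearch-swarm.yaml -c postgres-swarm.yaml -c conductor-swarm.yaml -c conductor-workers-swarm.yaml -c pep-swarm.yaml conductor` and then to run `docker stack deploy -c conductor-swarm.yaml conductor` once Postgres and Elasticsearch are up, so either the first command should omit conductor-swarm.yaml or the second step should go. The 'Documentation' and 'Examples' sections still refer to `ansible-playbook site.yaml`, while the same hunk renames the playbooks to `site-*.yaml`. Finally, the local-site paragraph calls the PEP 'permissive'; it is worth spelling out next to the `/etc/hosts` instructions that the API vhost forwards every request without authentication, so that stack is for a workstation only and must not be exposed to other hosts.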


@ -1,3 +0,0 @@
---
infrastructure: dev
conductor_workers_server: http://conductor-dev.int.d4science.net/api
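Review bot: this deletes the only place in the compare where `infrastructure: dev` and `conductor_workers_server` are set, yet the new common defaults later in this compare expand `{{ infrastructure }}` in `conductor_service`, `conductor_ui_service` and `target_path` with no fallback; please state (in the commit message or README) where `infrastructure` is now defined per environment, so a reviewer can confirm that a dev run cannot end up with the wrong stack name.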


@ -1,3 +0,0 @@
---
infrastructure: pre
conductor_workers_server: https://conductor.pre.d4science.org/api


@ -1,5 +1,5 @@
[dev_infra:children] [dev_infra:children]
nw_cluster dev_cluster
[nw_cluster] [dev_cluster]
nubis1.int.d4science.net docker-swarm1.int.d4science.net docker_swarm_manager_main_node=True


@ -0,0 +1,5 @@
[nw_cluster_infra:children]
nw_cluster
[nw_cluster]
nubis1.int.d4science.net

inventory/hosts.prod Normal file

@ -0,0 +1,5 @@
[prod_infra:children]
prod_cluster
[prod_cluster]
docker-swarm1.int.d4science.net docker_swarm_manager_main_node=True
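Review bot: `prod_cluster` points at `docker-swarm1.int.d4science.net docker_swarm_manager_main_node=True`, which is exactly the host that the dev inventory hunk above now declares for `dev_cluster`. If dev and prod really share one swarm, the separation between the two environments rests entirely on the `infrastructure` value that names the stack `conductor-{{ infrastructure }}`; confirm that this is intended and, if so, say so in the README, since a dev playbook run with the wrong value would act on the prod stack.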


@ -0,0 +1,13 @@
[common]
loglevel = info
#server =
threads = 1
pollrate = 1
[pymail]
server = smtp-relay.d4science.org
user = conductor_local
password =
protocol = starttls
port = 587
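Review bot: `[pymail]` ships a real relay (`smtp-relay.d4science.org`), a real account (`conductor_local`) and an empty `password =` in a file committed to the repository; leaving the value empty is the right choice, but add a comment saying where the password is expected to come from (a Docker secret or an environment variable set by the stack), otherwise the next person will fill it in here. The commented `#server =` under `[common]` is fine because the worker stack in this compare sets `CONDUCTOR_SERVER` in the service environment.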


@ -0,0 +1,23 @@
# Servers.
conductor.grpc-server.enabled=false
# Database persistence type.
conductor.db.type=postgres
conductor.postgres.jdbcUrl=jdbc:postgresql://postgresdb:5432/conductor
conductor.postgres.jdbcUsername=conductor
conductor.postgres.jdbcPassword=password
# Hikari pool sizes are -1 by default and prevent startup
conductor.postgres.connectionPoolMaxSize=10
conductor.postgres.connectionPoolMinIdle=2
# Elastic search instance indexing is enabled.
conductor.indexing.enabled=true
conductor.elasticsearch.url=http://elasticsearch:9200
workflow.elasticsearch.instanceType=EXTERNAL
workflow.elasticsearch.index.name=conductor
# Load sample kitchen sink workflow
loadSample=false
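Review bot: `conductor.postgres.jdbcPassword=password` matches the `POSTGRES_PASSWORD: "password"` in `local-site/postgres-swarm.yaml`, so the local stack is consistent, but a comment at the top stating that this file is for local-site only would stop it being copied over the Ansible template, which renders the real credential from the vault. The mix of `conductor.elasticsearch.url` with the older `workflow.elasticsearch.instanceType` and `workflow.elasticsearch.index.name` keys should be checked against the 3.0.4 property names: if the `workflow.*` keys are no longer read, the index name silently falls back to the default.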


@ -0,0 +1,44 @@
version: '3.6'
services:
conductor-server-local:
environment:
- CONFIG_PROP=conductor-swarm-config.properties
image: "nubisware/conductor-server:3.0.4"
networks:
- conductor-network
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
window: 120s
configs:
- source: swarm-config
target: /app/config/conductor-swarm-config.properties
logging:
driver: "journald"
conductor-ui-local:
environment:
- WF_SERVER=http://conductor-server-local:8080/api/
image: "nubisware/conductor-ui-oauth2:3.0.4"
networks:
- conductor-network
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
window: 120s
networks:
conductor-network:
configs:
swarm-config:
file: ./conductor-swarm-config.properties
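Review bot: `conductor-server-local` and `conductor-ui-local` publish no ports, so both are reachable only through the PEP on `conductor-network`, which is the right shape; keep it that way. Two small things in this hunk: `logging: driver: "journald"` is set on the server but not on the UI, and neither `restart_policy` has `max_attempts`, so a service that fails at startup (for example because Postgres is not up yet, which the README warns about) restarts every 5s indefinitely instead of surfacing the failure.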


@ -0,0 +1,30 @@
version: '3.6'
services:
base:
environment:
CONDUCTOR_SERVER: http://conductor-server-local:8080/api/
CONDUCTOR_HEALTH: http://conductor-server-local:8080/health
configs:
- source: base-config
target: /app/config.cfg
image: 'nubisware/nubisware-conductor-worker-py-base'
networks:
- conductor-network
deploy:
mode: replicated
replicas: 2
restart_policy:
condition: on-failure
delay: 5s
window: 120s
logging:
driver: "journald"
networks:
conductor-network:
configs:
base-config:
file: base-config.cfg
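Review bot: `image: 'nubisware/nubisware-conductor-worker-py-base'` has no tag, so every `docker stack deploy` resolves to whatever `latest` is on the Hub at that moment; pin a version tag (or a digest) as the other services in this compare do with `:3.0.4`, both for reproducibility and so that a replaced upstream image cannot be pulled into the swarm unnoticed. The worker talks to the server through `CONDUCTOR_SERVER`/`CONDUCTOR_HEALTH` on the internal network rather than through the PEP, which is fine here but means it is a fully trusted caller of the unauthenticated API.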


@ -0,0 +1,28 @@
version: '3.6'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:6.8.15
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- transport.host=0.0.0.0
- discovery.type=single-node
- xpack.security.enabled=false
networks:
conductor-network:
aliases:
- es
logging:
driver: "journald"
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
networks:
conductor-network:
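Review bot: the image is `elasticsearch:6.8.15` while the README hunk in this compare says 'Elasticsearch 6.1.8'; update the README. `xpack.security.enabled=false` together with `transport.host=0.0.0.0` is acceptable only because this service publishes no ports and is confined to `conductor-network`; if this file is reused outside local-site, do not carry those two settings along. Note also that the 6.x line is out of support, so this local stack should not be assumed to receive security fixes.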

local-site/nginx.conf Normal file

@ -0,0 +1,13 @@
load_module modules/ngx_http_js_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
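Review bot: `load_module modules/ngx_http_js_module.so;` is loaded but nothing in `nginx.default.conf` uses a `js_*` directive, so either drop the line or, if the njs module is what is meant to turn this plain reverse proxy into the PEP the README mentions, add the configuration that uses it in the same commit. `include /etc/nginx/sites-enabled/*;` refers to a directory the `nginx:stable-alpine` image does not create; harmless because the glob matches nothing, but misleading.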


@ -0,0 +1,41 @@
upstream _conductor-server {
ip_hash;
server conductor-server-local:8080;
}
upstream _conductor-ui {
ip_hash;
server conductor-ui-local:5000;
}
server {
listen *:80;
listen [::]:80;
server_name conductor-server;
location / {
proxy_set_header Host $host;
proxy_pass http://_conductor-server;
}
}
server {
listen *:80 default_server;
listen [::]:80 default_server;
server_name conductor-ui;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://_conductor-ui;
}
}
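Review bot: the `conductor-server` vhost forwards everything under `/` to `_conductor-server` with no access control at all, so on port 80 any client that sends `Host: conductor-server` gets the full Conductor REST API; that is what the README calls a 'permissive pep' and is fine for a workstation, but a one-line comment here saying so would keep this file from becoming the template for the dev/pre/prod PEP. Smaller points: `ip_hash` with a single `server` in each upstream does nothing, and the `X-Forwarded-*` headers are set for the UI only, so if the server ever needs the client address for audit logging it will only see the proxy's.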

local-site/pep-swarm.yaml Normal file

@ -0,0 +1,30 @@
version: '3.6'
services:
pep:
image: nginx:stable-alpine
networks:
- conductor-network
ports:
- "80:80"
deploy:
replicas: 1
restart_policy:
condition: on-failure
delay: 10s
window: 120s
configs:
- source: nginxconf
target: /etc/nginx/templates/default.conf.template
- source: nginxbaseconf
target: /etc/nginx/nginx.conf
networks:
conductor-network:
configs:
nginxconf:
file: ./nginx.default.conf
nginxbaseconf:
file: ./nginx.conf
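Review bot: the vhost file is mounted as `/etc/nginx/templates/default.conf.template`, which makes the `nginx` image's entrypoint run `envsubst` over it at container start; nginx variables such as `$host` and `$remote_addr` survive only because no environment variable with those names is defined in the service. Since the file uses no environment variables, mounting it directly at `/etc/nginx/conf.d/default.conf` removes that fragility. `nginx:stable-alpine` is a floating tag; pin it like the Conductor images.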


@ -0,0 +1,16 @@
version: '3.6'
services:
postgresdb:
image: postgres
environment:
POSTGRES_USER: "conductor"
POSTGRES_PASSWORD: "password"
POSTGRES_DB: "conductor"
networks:
- conductor-network
deploy:
replicas: 1
networks:
conductor-network:
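Review bot: `image: postgres` is untagged and the service has no volume, so a redeploy can pull a different major version and every restart starts from an empty database; the latter may be intended for a local stack, but pin a tag. `POSTGRES_PASSWORD: "password"` is a literal in the file and ends up visible in `docker service inspect`; the official image also accepts `POSTGRES_PASSWORD_FILE`, so even the local stack could read it from a Docker secret.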


@ -1,56 +0,0 @@
---
haproxy_latest_release: True
haproxy_version: 2.2
haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
haproxy_pkg_state: present
haproxy_enabled: True
haproxy_loglevel: info
haproxy_k_bind_non_local_ip: True
haproxy_docker_container: False
haproxy_docker_version: '{{ haproxy_version }}.4'
haproxy_docker_image: 'haproxytech/haproxy-debian:{{ haproxy_version }}.4'
haproxy_docker_compose_dir: /srv/haproxy_swarm
haproxy_docker_restart_policy: 'on-failure'
haproxy_ha_with_keepalived: False
haproxy_docker_swarm_networks:
- '{{ docker_swarm_portainer_network }}'
haproxy_docker_swarm_additional_networks: []
haproxy_docker_swarm_haproxy_constraints:
- 'node.role == manager'
haproxy_docker_swarm_additional_services: [{ acl_name: 'conductor-server', acl_rule: 'hdr_dom(host) -i conductor-dev.int.d4science.net', stack_name: 'conductor-{{ infrastructure }}', service_name: 'conductor-server', service_replica_num: '2', service_port: '8080', service_overlay_network: 'conductor-network', stick_sessions: False, stick_on_cookie: True, stick_cookie: 'JSESSIONID', stick_table: 'type ip size 2m expire 180m', balance_type: 'roundrobin', backend_options: '', http_check_enabled: True, http_check: 'meth GET uri /api/health ver HTTP/1.1 hdr Host localhost', http_check_expect: 'rstatus (2|3)[0-9][0-9]' }, { acl_name: 'conductor-ui', acl_rule: 'hdr_dom(host) -i conductorui-dev.int.d4science.net', stack_name: 'conductor-{{ infrastructure }}', service_name: 'conductor-ui', service_replica_num: '2', service_port: '5000', service_overlay_network: 'conductor-network', stick_sessions: False, stick_on_cookie: True, stick_cookie: 'JSESSIONID', stick_table: 'type ip size 2m expire 180m', balance_type: 'roundrobin', backend_options: '', http_check_enabled: True, http_check: 'meth GET uri / ver HTTP/1.1 hdr Host localhost', http_check_expect: 'rstatus (2|3)[0-9][0-9]' }]
# - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', stack_name: 'stack', service_name: 'service', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network', stick_sessions: False, stick_on_cookie: True, stick_cookie: 'JSESSIONID', stick_table: 'type ip size 2m expire 180m', balance_type: 'roundrobin', backend_options: '', http_check_enabled: True, http_check: 'meth HEAD uri / ver HTTP/1.1 hdr Host localhost', http_check_expect: 'rstatus (2|3)[0-9][0-9]', allowed_networks: '192.168.1.0/24 192.168.2.0/24' }
haproxy_default_port: 80
haproxy_terminate_tls: False
haproxy_ssl_port: 443
haproxy_admin_port: 8880
haproxy_admin_socket: /run/haproxy/admin.sock
haproxy_install_additional_pkgs: False
haproxy_additional_pkgs:
- haproxyctl
- haproxy-log-analysis
haproxy_nagios_check: False
# It's a percentage
haproxy_nagios_check_w: 70
haproxy_nagios_check_c: 90
# Used by some other role as defaults, eg docker-swarm
haproxy_spread_checks: 5
haproxy_connect_timeout: 10s
haproxy_client_timeout: 120s
haproxy_server_timeout: 480s
haproxy_global_keepalive_timeout: 10s
haproxy_client_keepalive_timeout: 5184000s
haproxy_backend_maxconn: 2048
haproxy_check_interval: 3s
haproxy_check_timeout: 2s
haproxy_maxconns: 4096
haproxy_sysctl_conntrack_max: 131072
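Review bot: with this role removed, the `http_check: 'meth GET uri /api/health ...'` backend health checks and the host-based routing for `conductor-dev.int.d4science.net` and `conductorui-dev.int.d4science.net` disappear from this repository, yet the README in this compare still documents `-e cluster_replacement=true` and `-e cluster_check=true`; either document where the load balancer is now configured or drop those switches from the README in the same change.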


@ -1,16 +0,0 @@
---
- name: Generate haproxy config
template:
src: templates/haproxy.cfg.j2
dest: "{{ target_path }}/haproxy.cfg"
- name: Generate haproxy-docker-swarm
template:
src: templates/haproxy-docker-swarm.yaml.j2
dest: "{{ target_path }}/haproxy-swarm.yaml"
- name: Create the overlay network that will be joined by the proxied services
docker_network:
name: '{{ haproxy_docker_overlay_network }}'
driver: overlay
scope: swarm


@ -1,56 +0,0 @@
version: '3.6'
services:
haproxy:
image: {{ haproxy_docker_image }}
configs:
- source: haproxy-config
target: /usr/local/etc/haproxy/haproxy.cfg
networks:
- {{ haproxy_docker_overlay_network }}
volumes:
#- /etc/haproxy:/usr/local/etc/haproxy:ro
- /var/run/docker.sock:/var/run/docker.sock
ports:
- target: {{ haproxy_default_port }}
published: {{ haproxy_default_port }}
protocol: tcp
mode: host
- target: {{ haproxy_ssl_port }}
published: {{ haproxy_ssl_port }}
protocol: tcp
mode: host
- target: {{ haproxy_admin_port }}
published: {{ haproxy_admin_port }}
protocol: tcp
mode: host
dns: [127.0.0.11]
deploy:
mode: replicated
replicas: 1
update_config:
parallelism: 1
delay: 20s
placement:
constraints:
- "node.role==manager"
restart_policy:
condition: {{ haproxy_docker_restart_policy}}
delay: 20s
max_attempts: 5
window: 120s
resources:
limits:
cpus: '2.0'
memory: 768M
reservations:
cpus: '1.0'
memory: 384M
logging:
driver: 'journald'
configs:
haproxy-config:
file: ./haproxy.cfg
networks:
{{ haproxy_docker_overlay_network }}:
external: true
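Review bot: this template bind-mounted `/var/run/docker.sock` into the HAProxy container, which amounts to root on the manager node; removing it is an improvement. If the load balancer is reintroduced elsewhere, the deleted haproxy.cfg.j2 already shows that service discovery worked through `resolvers docker` on `127.0.0.11:53` and `server-template`, so the socket mount was never needed.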


@ -1,75 +0,0 @@
global
log fd@2 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
stats socket /var/lib/haproxy/stats expose-fd listeners
master-worker
resolvers docker
nameserver dns1 127.0.0.11:53
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold other 10s
hold refused 10s
hold nx 10s
hold timeout 10s
hold valid 10s
hold obsolete 10s
defaults
timeout connect 10s
timeout client 30s
timeout server 30s
log global
monitor-uri /_haproxy_health_check
timeout http-keep-alive {{ haproxy_global_keepalive_timeout }}
timeout connect {{ haproxy_connect_timeout }}
timeout client {{ haproxy_client_timeout }}
timeout server {{ haproxy_server_timeout }}
timeout check {{ haproxy_check_timeout }}
timeout http-request 10s # slowloris protection
default-server inter 3s fall 2 rise 2 slowstart 60s
# Needed to preserve the stick tables
peers mypeers
peer local_haproxy 127.0.0.1:1024
frontend http
bind *:{{ haproxy_default_port }}
mode http
option http-keep-alive
{% for srv in haproxy_docker_swarm_additional_services %}
use_backend {{ srv.acl_name }}_bck if { {{ srv.acl_rule }} }
{% endfor %}
#
# Backends
#
{% for srv in haproxy_docker_swarm_additional_services %}
backend {{ srv.acl_name }}_bck
mode http
option httpchk
balance {{ srv.balance_type | default('roundrobin') }}
{% if srv.http_check_enabled is defined and srv.http_check_enabled %}
http-check send {{ srv.http_check }}
http-check expect {{ srv.http_check_expect }}
{% endif %}
{% if srv.stick_sessions %}
{% if srv.stick_on_cookie %}
cookie {{ srv.stick_cookie }}
{% else %}
stick on src
stick-table {{ srv.stick_table }}
{% endif %}
{% endif %}
server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} {{ srv.backend_options | default('') }} check resolvers docker init-addr libc,none
{% endfor %}


@ -1,2 +0,0 @@
---
haproxy_docker_overlay_network: 'haproxy-public'


@ -1,5 +1,9 @@
--- ---
target_path: /tmp/conductor_stack conductor_service: "conductor-server-{{ infrastructure }}"
conductor_ui_service: "conductor-ui-{{ infrastructure }}"
conductor_service_url: "http://{{ conductor_service }}:8080/api/"
conductor_service_health_url: "http://{{ conductor_service }}:8080/health"
target_path: "/tmp/conductor_stack_{{ infrastructure }}"
conductor_network: conductor-network conductor_network: conductor-network
conductor_db: postgres conductor_db: postgres
init_db: True init_db: True
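Review bot: `target_path: "/tmp/conductor_stack_{{ infrastructure }}"` is where the rendered `conductor-swarm-config.properties` lands, and that file carries `conductor.postgres.jdbcPassword={{ postgres_jdbc_pass }}` from the vault in clear text; on a shared control host `/tmp` is readable by every local user, so either create the directory with a restrictive `mode` in the generate task or default `target_path` to a location under the invoking user's home.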


@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
62366130363930353837376531653565316531653234366233663032386266346338356335623537
3765393265633163396330646365393865386130393661650a666264363165656539396365643465
35313238313135363736386661633833333736396236303861383061313366613235623731356336
3634376335626138370a646666343033316165343665633338316432636562323736626466376233
64633738356663666563643465363137636261643639643035633931386631383436353936613334
64333135643036336539313164386264643737636164613462646130393730393334626335333262
30373231353061376565336366353938356338643432633664306632366436383262636333643961
62613562666463633164313235366433616134613831393436303466366236323337323635616337
34383634613736343034626330303661663662633661383734633834373464313137656461356562
37336430633865656330623863396133613636316136613133633965353932333266663532356334
35333138316339353236623963383739663730313737303838396538666338316366636537643663
35366537353736343462383734663762393433666266303963306136626631653539396632326337
39326266316532623232643437323238313765653261343630636339633936356138646262346634
63363763306533363839386364646130396534383437366631343537303165326539393639613735
39393364616361393435643531363462393633343437393936613861353266356230353338616163
37373562393362356563623966313034653138616632336264343533363165313362306330386639
32356363653031656465623463373337643930386361393839613139623530363635


@ -1,5 +1,15 @@
--- ---
conductor_replicas: 2 conductor_replicas: 1
conductor_ui_replicas: 1
conductor_image: nubisware/conductor-server:3.0.4
conductor_ui_image: nubisware/conductor-ui-oauth2:3.0.4
conductor_config: conductor-swarm-config.properties conductor_config: conductor-swarm-config.properties
conductor_config_template: "{{ conductor_config }}.j2" conductor_config_template: "{{ conductor_config }}.j2"
conductor_ui_clientid: "conductor-ui"
conductor_ui_public_url: "http://conductor-ui"
#nw_cluster_conductor_ui_secret: in vault
#dev_conductor_ui_secret: in vault
#pre_conductor_ui_secret: in vault
#prod_conductor_ui_secret: in vault
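Review bot: the four commented `*_conductor_ui_secret: in vault` lines are a good way to document where a secret lives; consider doing the same for `postgres_jdbc_pass`. `conductor_ui_public_url: "http://conductor-ui"` is a plain-http default, and the commits 'tuned redirect uris' and 'set callback uri to https' in this compare suggest that the non-local environments need the https public address, so a comment stating that every non-local inventory must override this value would help.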


@ -4,23 +4,14 @@
src: templates/conductor-swarm.yaml.j2 src: templates/conductor-swarm.yaml.j2
dest: "{{ target_path }}/conductor-swarm.yaml" dest: "{{ target_path }}/conductor-swarm.yaml"
- name: Generate conductor config from dynomite seeds - name: Generate local auth config
when: conductor_db is defined and conductor_db == 'dynomite' when: conductor_auth is defined
vars:
seeds: "{{ lookup('file', '{{ target_path}}/seeds.list').splitlines() }}"
template: template:
src: "templates/{{ conductor_config_template }}" src: "templates/{{ conductor_auth }}_auth.cfg.j2"
dest: "{{ target_path }}/{{ conductor_config }}" dest: "{{ target_path }}/auth.cfg"
- name: Generate conductor config for JDBC DB - name: Generate conductor config for JDBC DB
when: conductor_db is not defined or conductor_db != 'dynomite' when: conductor_db is not defined or conductor_db != 'dynomite'
template: template:
src: "templates/{{ conductor_config_template }}" src: "templates/{{ conductor_config_template }}"
dest: "{{ target_path }}/{{ conductor_config }}" dest: "{{ target_path }}/{{ conductor_config }}"
- name: Copy conductor SQL schema init for JDBC DB
when: (conductor_db is not defined or conductor_db != 'dynomite') and init_db
template:
src: "templates/conductor-db-init-{{ conductor_db }}.sql.j2"
dest: "{{ target_path }}/conductor-db-init.sql"
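Review bot: deleting the 'Copy conductor SQL schema init for JDBC DB' task leaves `init_db: True` in the common defaults with no consumer, and the remaining JDBC task still guards on `conductor_db != 'dynomite'` although the dynomite branch is gone from the properties template; drop the dead variable and simplify the `when`. In the new 'Generate local auth config' task the value of `conductor_auth` becomes part of the template path `templates/{{ conductor_auth }}_auth.cfg.j2`; since it can be passed with `-e`, a short `assert` that it is one of the supported strategies gives a clear error instead of a missing-template failure.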


@ -1,92 +1,36 @@
# Servers. # Servers.
conductor.jetty.server.enabled=true conductor.grpc-server.enabled=false
conductor.grpc.server.enabled=false
# Database persistence model. Possible values are memory, redis, and dynomite. # Database persistence type.
# If ommitted, the persistence used is memory
#
# memory : The data is stored in memory and lost when the server dies. Useful for testing or demo
# redis : non-Dynomite based redis instance
# dynomite : Dynomite cluster. Use this for HA configuration.
{% if conductor_db is not defined or conductor_db == 'postgres' %} {% if conductor_db is not defined or conductor_db == 'postgres' %}
db=postgres conductor.db.type=postgres
jdbc.url={{ postgres_jdbc_url }} conductor.postgres.jdbcUrl={{ postgres_jdbc_url }}
jdbc.username={{ postgres_jdbc_user }} conductor.postgres.jdbcUsername={{ postgres_jdbc_user }}
jdbc.password={{ postgres_jdbc_pass }} conductor.postgres.jdbcPassword={{ postgres_jdbc_pass }}
conductor.{{ conductor_db }}.connection.pool.size.max=10 flyway.baseline-on-migrate=true
conductor.{{ conductor_db }}.connection.pool.idle.min=2 conductor.flyway.baseline-on-migrate=true
flyway.enabled=false
{% elif conductor_db is defined and conductor_db == 'mysql' %}
db=mysql
jdbc.url={{ mysql_jdbc_url }}
jdbc.username={{ mysql_jdbc_user }}
jdbc.password={{ mysql_jdbc_pass }}
conductor.{{ conductor_db }}.connection.pool.size.max=10
conductor.{{ conductor_db }}.connection.pool.idle.min=2
flyway.enabled=false
{% else %}
db=dynomite
# Dynomite Cluster details.
# format is host:port:rack separated by semicolon
workflow.dynomite.cluster.hosts={% set ns = namespace() %}
{% set ns.availability_zone = "" %}
{% for seed in seeds %}
{% set ns.seed_tokens = seed.split(':') %}
{% if ns.availability_zone == "" %}
{% set ns.availability_zone = ns.seed_tokens[2] %}
{% endif %}
{% if ns.availability_zone == ns.seed_tokens[2] %}
{{ ns.seed_tokens[0] }}:8102:{{ ns.availability_zone }}{%- if not loop.last %};{%- endif %}
{% endif %}
{%- endfor %}
# If you are running using dynomite, also add the following line to the property
# to set the rack/availability zone of the conductor server to be same as dynomite cluster config
EC2_AVAILABILTY_ZONE={{ ns.availability_zone }}
# Dynomite cluster name
workflow.dynomite.cluster.name=dyno1
# Namespace for the keys stored in Dynomite/Redis
workflow.namespace.prefix=conductor
# Namespace prefix for the dyno queues
workflow.namespace.queue.prefix=conductor_queues
# No. of threads allocated to dyno-queues (optional)
queues.dynomite.threads=3
# Non-quorum port used to connect to local redis. Used by dyno-queues.
# When using redis directly, set this to the same port as redis server
# For Dynomite, this is 22122 by default or the local redis-server port used by Dynomite.
queues.dynomite.nonQuorum.port=22122
{% endif %} {% endif %}
# Elastic search instance type. Possible values are memory and external. {% if conductor_db == 'mysql' %}
# If not specified, the instance type will be embedded in memory conductor.db.type=mysql
# conductor.mysql.jdbcUrl={{ mysql_jdbc_url }}
# memory: The instance is created in memory and lost when the server dies. Useful for development and testing. conductor.mysql.jdbcUsername={{ mysql_jdbc_user }}
# external: Elastic search instance runs outside of the server. Data is persisted and does not get lost when conductor.mysql.jdbcPassword={{ mysql_jdbc_pass }}
# the server dies. Useful for more stable environments like staging or production. {% endif %}
workflow.elasticsearch.instanceType=external
# Transport address to elasticsearch # Hikari pool sizes are -1 by default and prevent startup
workflow.elasticsearch.url=elasticsearch:9300 conductor.{{conductor_db}}.connectionPoolMaxSize=10
conductor.{{conductor_db}}.connectionPoolMinIdle=2
# Name of the elasticsearch cluster
# Elastic search instance indexing is enabled.
conductor.indexing.enabled=true
conductor.elasticsearch.url=http://elasticsearch:9200
workflow.elasticsearch.instanceType=EXTERNAL
workflow.elasticsearch.index.name=conductor workflow.elasticsearch.index.name=conductor
# Additional modules (optional)
# conductor.additional.modules=class_extending_com.google.inject.AbstractModule
# Additional modules for metrics collection (optional)
# conductor.additional.modules=com.netflix.conductor.contribs.metrics.MetricsRegistryModule,com.netflix.conductor.contribs.metrics.LoggingMetricsModule
# com.netflix.conductor.contribs.metrics.LoggingMetricsModule.reportPeriodSeconds=15
# Load sample kitchen sink workflow # Load sample kitchen sink workflow
loadSample=false loadSample=false
#flyway.baseline-on-migrate=true
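Review bot: both `flyway.baseline-on-migrate=true` and `conductor.flyway.baseline-on-migrate=true` are set, a leftover of the three 'try setting baseline for flyway' commits; keep only the key that Conductor 3.0.4 actually reads, otherwise the next reader cannot tell which one is load-bearing. The postgres block is guarded with `conductor_db is not defined or conductor_db == 'postgres'` while the mysql block uses the bare `conductor_db == 'mysql'`, so the second relies on `conductor_db` always being defined (it is, via the common defaults); use the same form in both. Since `jdbcPassword` is rendered in clear text here, the generated file is as sensitive as the vault it came from.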


@ -3,31 +3,22 @@ version: '3.6'
{% set clustered = (cluster_replacement is defined and cluster_replacement) or (cluster_check is defined and cluster_check) %} {% set clustered = (cluster_replacement is defined and cluster_replacement) or (cluster_check is defined and cluster_check) %}
services: services:
conductor-server: {{ conductor_service }}:
environment: environment:
- CONFIG_PROP={{ conductor_config }} - CONFIG_PROP={{ conductor_config }}
image: nubisware/conductor-server image: "{{ conductor_image }}"
networks: networks:
- {{ conductor_network }} - {{ conductor_network }}
{% if clustered %}
- {{ haproxy_docker_overlay_network }}
{% endif %}
{% if not clustered %}
ports:
- "8080:8080"
{% endif %}
deploy: deploy:
mode: replicated mode: replicated
replicas: {{ conductor_replicas }} replicas: {{ conductor_replicas }}
{% if clustered %} {% if infrastructure != 'local' %}
endpoint_mode: dnsrr
{% endif %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s
max_attempts: 3
window: 120s window: 120s
configs: configs:
- source: swarm-config - source: swarm-config
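Review bot: `max_attempts: 3` is dropped from `restart_policy` (here and again in the ui, elasticsearch and worker hunks below), so a service that keeps failing is restarted every 5s indefinitely instead of being left down after three tries inside the 120s window; if unbounded restarts are intended, state it in the commit message, otherwise keep the cap. Dropping the `"8080:8080"` publication is welcome: the API is now reachable only over the overlay network and through the PEP in front of it.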
@ -36,40 +27,39 @@ services:
logging: logging:
driver: "journald" driver: "journald"
conductor-ui: {{ conductor_ui_service }}:
environment: environment:
- WF_SERVER=http://conductor-server:8080/api/ - WF_SERVER={{ conductor_service_url }}
image: nubisware/conductor-ui {% if conductor_auth is defined %}
- AUTH_CONFIG_PATH=/app/config/auth.config
{% endif %}
image: "{{ conductor_ui_image }}"
networks: networks:
- {{ conductor_network }} - {{ conductor_network }}
{% if clustered %} {% if conductor_auth is defined %}
- {{ haproxy_docker_overlay_network }} configs:
{% endif %} - source: auth-config
{% if not clustered %} target: /app/config/auth.config
ports:
- "5000:5000"
{% endif %} {% endif %}
deploy: deploy:
mode: replicated mode: replicated
replicas: {{ conductor_replicas }} replicas: {{ conductor_ui_replicas }}
{% if clustered %} {% if infrastructure != 'local' %}
endpoint_mode: dnsrr
{% endif %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s
max_attempts: 3
window: 120s window: 120s
networks: networks:
{{ conductor_network }}: {{ conductor_network }}:
{% if clustered %}
{{ haproxy_docker_overlay_network }}:
external: True
{% endif %}
configs: configs:
swarm-config: swarm-config:
file: ./{{ conductor_config }} file: ./{{ conductor_config }}
{% if conductor_auth is defined %}
auth-config:
file: ./auth.cfg
{% endif %}
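Review bot: `auth-config` is mounted as a Docker config (`configs: auth-config: file: ./auth.cfg`) although the rendered file carries `clientSecret` and `cookieSecret` (see the oauth2 auth.cfg hunk below); Docker configs are not encrypted at rest in the swarm Raft store and are readable with `docker config inspect`, so declare it under `secrets:` instead (mounted under `/run/secrets/`) and point `AUTH_CONFIG_PATH` there. Also, the source file is `auth.cfg` while the target is `auth.config`; harmless, but one name is easier to grep for.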

@ -0,0 +1,23 @@
{
"strategy": "local",
"strategySettings":{
"users": {
"admin": {
"hash": "098039dd5e84e486f83eadefc31ce038ccc90d6d62323528181049371c9460b4",
"salt": "salt",
"displayName": "Admin",
"email": "marco.lettere@nubisware.com",
"roles": [ "admin", "viewer" ]
}
}
},
"audit": true,
"acl": [
"POST /(.*) admin",
"PUT /(.*) admin",
"DELETE /(.*) admin",
"GET /api/(.*) viewer",
"GET /(.*) *"
]
}
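Review bot: the `local` strategy stores the admin password hash with `"salt": "salt"`, a fixed dictionary-word salt that is the same for every user and adds nothing against precomputation; generate a random per-user salt when the hash is produced. The hash and a personal e-mail address are committed in clear, which is tolerable only while this file is strictly the local-development profile. In `acl`, `"GET /(.*) *"` follows `"GET /api/(.*) viewer"`: confirm the evaluator stops at the first match, otherwise the wildcard rule opens the API to unauthenticated readers.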

@ -0,0 +1,24 @@
{
"strategy": "oauth2",
"strategySettings": {
"authorizationURL": "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/auth",
"tokenURL": "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token",
"clientID": "{{ conductor_ui_clientid }}",
"clientSecret": "{{ conductor_ui_secret }}",
"callbackURL": "{{ conductor_ui_public_url }}/login/callback",
"logoutURL": "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/logout",
"logoutCallbackURL": "{{ conductor_ui_public_url }}/logout/callback",
"roles": [ "admin", "viewer" ]
},
"cookieSecret": "{{ conductor_ui_secret }}",
"audit": true,
"acl": [
"POST /(.*) admin",
"PUT /(.*) admin",
"DELETE /(.*) admin",
"GET /api/(.*) *",
"GET /(.*) viewer"
]
}
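Review bot: `cookieSecret` reuses `{{ conductor_ui_secret }}`, which is also the OAuth2 `clientSecret`; the two serve different purposes (authenticating the client to the IAM versus signing the UI session cookie) and a leak of either now exposes the other, so give the cookie its own vaulted value. The ACL is also inverted with respect to the local profile: here `"GET /api/(.*) *"` lets any role read the API while `"GET /(.*) viewer"` restricts the UI pages, whereas the local file puts `viewer` on `/api/` and `*` on `/`; one of the two is a mistake, and for the IAM-facing deployments the API is the sensitive side.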

@ -3,7 +3,7 @@ version: '3.6'
services: services:
elasticsearch: elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:5.6.8 image: docker.elastic.co/elasticsearch/elasticsearch:6.8.15
environment: environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m" - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- transport.host=0.0.0.0 - transport.host=0.0.0.0
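Review bot: the Elasticsearch image bump 5.6.8 → 6.8.15 appears in two separate swarm templates (this hunk and the second elasticsearch hunk below); factor the tag into a role variable so the two cannot drift. The server properties hunk above only sets url, instance type and index name, so confirm the Conductor build in `{{ conductor_image }}` ships the ES 6 client, otherwise indexing breaks on the version mismatch.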
@ -18,9 +18,10 @@ services:
deploy: deploy:
mode: replicated mode: replicated
replicas: {{ elasticsearch_replicas }} replicas: {{ elasticsearch_replicas }}
#endpoint_mode: dnsrr {% if infrastructure != 'local' %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s

@ -9,22 +9,14 @@ services:
MYSQL_PASSWORD: {{ mysql_jdbc_pass }} MYSQL_PASSWORD: {{ mysql_jdbc_pass }}
MYSQL_ROOT_PASSWORD: {{ mysql_jdbc_pass }} MYSQL_ROOT_PASSWORD: {{ mysql_jdbc_pass }}
MYSQL_DB: {{ mysql_jdbc_db }} MYSQL_DB: {{ mysql_jdbc_db }}
{% if init_db %}
configs:
- source: db-init
target: "/docker-entrypoint-initdb.d/db-init.sql"
{% endif %}
networks: networks:
- {{ conductor_network }} - {{ conductor_network }}
deploy: deploy:
replicas: {{ mysql_replicas }} replicas: {{ mysql_replicas }}
{% if infrastructure == 'local' %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
networks: networks:
{{ conductor_network }}: {{ conductor_network }}:
{% if init_db %}
configs:
db-init:
file: {{ target_path }}/conductor-db-init.sql
{% endif %}
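Review bot: `{% if infrastructure == 'local' %}` around `placement` in this hunk is the opposite of the `!= 'local'` condition used for the same block in the postgres, elasticsearch and worker templates; as written, the `node.role == worker` constraint is applied only on local deployments (typically a single-node swarm with no workers) and dropped everywhere else, which is almost certainly inverted. Removing the `db-init` config also removes the only schema bootstrap visible in this stack; note where the schema now comes from.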

@ -4,28 +4,17 @@ services:
{{ postgres_service_name }}: {{ postgres_service_name }}:
image: postgres image: postgres
ports:
- "5432:5432"
environment: environment:
POSTGRES_USER: "{{ postgres_jdbc_user }}" POSTGRES_USER: "{{ postgres_jdbc_user }}"
POSTGRES_PASSWORD: "{{ postgres_jdbc_pass }}" POSTGRES_PASSWORD: "{{ postgres_jdbc_pass }}"
POSTGRES_DB: "{{ postgres_jdbc_db }}" POSTGRES_DB: "{{ postgres_jdbc_db }}"
{% if init_db %}
configs:
- source: db-init
target: "/docker-entrypoint-initdb.d/db-init.sql"
{% endif %}
networks: networks:
- {{ conductor_network }} - {{ conductor_network }}
deploy: deploy:
replicas: {{ postgres_replicas }} replicas: {{ postgres_replicas }}
{% if infrastructure != 'local' %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
networks: networks:
{{ conductor_network }}: {{ conductor_network }}:
{% if init_db %}
configs:
db-init:
file: {{ target_path }}/conductor-db-init.sql
{% endif %}
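Review bot: dropping `ports: - "5432:5432"` is the right call: the database no longer listens on every node's public interface and is reachable only through `{{ conductor_network }}`. With the `db-init` config gone as well, the schema must come from the server's migrations; the properties hunk above leaves `flyway.baseline-on-migrate` commented out, so an existing database without a Flyway history table will stop the server at migration time. State how a database is expected to be initialised.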

@ -3,7 +3,7 @@ version: '3.6'
services: services:
elasticsearch: elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:5.6.8 image: docker.elastic.co/elasticsearch/elasticsearch:6.8.15
environment: environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m" - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- transport.host=0.0.0.0 - transport.host=0.0.0.0
@ -18,13 +18,13 @@ services:
deploy: deploy:
mode: replicated mode: replicated
replicas: {{ elasticsearch_replicas }} replicas: {{ elasticsearch_replicas }}
#endpoint_mode: dnsrr {% if infrastructure != 'local' %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s
max_attempts: 3
window: 120s window: 120s
networks: networks:

@ -0,0 +1,9 @@
---
use_jdbc: True
postgres_host: "postgresql-srv.d4science.org"
conductor_db: "postgres"
postgres_jdbc_user: "conductor_u"
postgres_jdbc_pass: '{{ jdbc_pass }}'
jdbc_db: "conductor"
postgres_jdbc_url: "jdbc:postgresql://{{ postgres_host }}:5432/{{ jdbc_db }}"
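Review bot: `postgres_jdbc_url` points at an external host (`postgresql-srv.d4science.org`, outside the swarm overlay) with no `sslmode` parameter, so the credential in `postgres_jdbc_pass` travels in clear unless the server forces TLS; append `?sslmode=require` (or `verify-full` with the CA) to the URL. Good that the password itself comes from the vaulted `{{ jdbc_pass }}` rather than a literal.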

@ -0,0 +1 @@
#jdbc_pass: "secret"

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256

@ -1,10 +0,0 @@
---
use_jdbc: True
mysql_image_name: 'mariadb'
mysql_service_name: 'mysqldb'
mysql_replicas: 1
conductor_db: mysql
jdbc_user: conductor
jdbc_pass: password
jdbc_db: conductor
jdbc_url: jdbc:mysql://{{ mysql_service_name }}:3306/{{ mysql_jdbc_db }}?useSSL=false&allowPublicKeyRetrieval=true
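Review bot: this removed defaults file carried a literal `jdbc_pass: password` and a JDBC URL with `useSSL=false&allowPublicKeyRetrieval=true`; both are the kind of development default that tends to survive in inventories, so check that no other group_vars file still defines them before the vaulted value introduced in this change becomes the only source.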

@ -1,5 +0,0 @@
---
- name: "Generate mysql swarm, image used: {{ mysql_image_name }}"
template:
src: templates/mysql-swarm.yaml.j2
dest: "{{ target_path }}/mysql-swarm.yaml"

@ -1,30 +0,0 @@
version: '3.6'
services:
{{ mysql_service_name }}:
image: {{ mysql_image_name }}
environment:
MYSQL_USER: {{ mysql_jdbc_user }}
MYSQL_PASSWORD: {{ mysql_jdbc_pass }}
MYSQL_ROOT_PASSWORD: {{ mysql_jdbc_pass }}
MYSQL_DB: {{ jdbc_db }}
{% if init_db %}
configs:
- source: db-init
target: "/docker-entrypoint-initdb.d/db-init.sql"
{% endif %}
networks:
- {{ conductor_network }}
deploy:
replicas: {{ mysql_replicas }}
placement:
constraints: [node.role == worker]
networks:
{{ conductor_network }}:
{% if init_db %}
configs:
db-init:
file: {{ target_path }}/conductor-db-init.sql
{% endif %}

@ -0,0 +1,4 @@
pep_port: 80
pep_replicas: 1
# hostnames to be used as vhosts
#pep_credentials: in vault
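Review bot: the comment `# hostnames to be used as vhosts` has no variable beneath it, so either a default for the vhost names was dropped or the comment is dead; the nginx templates later in this change rely on `conductor_server_name` and `conductor_ui_server_name`, which would be the natural variables to declare here.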

@ -0,0 +1,24 @@
$ANSIBLE_VAULT;1.1;AES256

roles/pep/tasks/main.yaml Normal file

@ -0,0 +1,41 @@
---
- name: Generate PEP config
template:
src: templates/nginx.conf.j2
dest: "{{ target_path }}/nginx.conf"
- name: Generate PEP default config
when: pep is defined and pep == True
template:
src: templates/nginx.default.conf.j2
dest: "{{ target_path }}/nginx.default.conf"
- name: Generate PEP default config
when: pep is not defined or pep == False
template:
src: templates/nginx.default.conf.nopep.j2
dest: "{{ target_path }}/nginx.default.conf"
- name: Generate config.js
when: pep is defined and pep == True
template:
src: templates/config.js.j2
dest: "{{ target_path }}/config.js"
- name: Generate pep.js
when: pep is defined and pep == True
template:
src: templates/pep.js.j2
dest: "{{ target_path }}/pep.js"
- name: Generate pep-docker-swarm
template:
src: templates/pep-swarm.yaml.j2
dest: "{{ target_path }}/pep-swarm.yaml"
- name: Generate pep-docker-swarm when behind HA proxy
when: ha_network is defined and ha_network == True
template:
src: templates/pep-swarm-ha_network.yaml.j2
dest: "{{ target_path }}/pep-swarm.yaml"
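Review bot: `Generate pep-docker-swarm` renders `pep-swarm.yaml.j2` unconditionally and the next task overwrites the same `dest` with the HA variant when `ha_network` is true; add `when: ha_network is not defined or not ha_network` to the first task so exactly one template runs. The two tasks both named `Generate PEP default config` should get distinct names so the play output shows which branch fired, and the repeated `pep is defined and pep == True` tests read better as `when: pep | default(false) | bool`.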

@ -0,0 +1,99 @@
export default { config };
var config = {
"pep-credentials" : "{{ pep_credentials }}",
"hosts" : [
{
"host": "{{ conductor_server_name }}",
"audience" : "conductor-server",
"allow-basic-auth" : true,
"pip" : [ { claim: "context", operator : "get-contexts" } ],
"paths" : [
{
"name" : "metadata",
"path" : "^/api/metadata/(taskdefs|workflow)/?.*$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get","list"]
}
]
},
{
"name" : "metadata.taskdefs",
"path" : "^/api/metadata/taskdefs/?.*$",
"methods" : [
{
"method" : "POST",
"scopes" : ["create"]
},
{
"method" : "DELETE",
"scopes" : ["delete"],
},
{
"method" : "PUT",
"scopes" : ["update"],
}
]
},
{
"name" : "metadata.workflow",
"path" : "^/api/metadata/workflow/?.*$",
"methods" : [
{
"method" : "POST",
"scopes" : ["create"]
},
{
"method" : "DELETE",
"scopes" : ["delete"],
},
{
"method" : "PUT",
"scopes" : ["update"],
}
]
},
{
"name" : "workflow",
"path" : "^/api/workflow/?.*$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get"],
},
{
"method" : "POST",
"scopes" : ["start"],
},
{
"method" : "DELETE",
"scopes" : ["terminate"],
}
]
},
{
"name" : "task",
"path" : "^/api/tasks/poll/.+$",
"methods" : [
{
"method" : "GET",
"scopes" : ["poll"],
}
]
},
{
"name" : "task",
"path" : "^/api/tasks[/]?$",
"methods" : [
{
"method" : "POST",
"scopes" : ["update"],
}
]
}
]
}
]
}
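Review bot: `export default { config };` executes before `var config = {...}` is assigned; under standard ES module semantics the exported object captures `undefined` (only function declarations are hoisted with their value), so unless njs defers the export, `pep.js` sees no hosts. Moving the export to the end of the file removes the doubt. Two entries in `paths` share `"name" : "task"` (`^/api/tasks/poll/.+$` and `^/api/tasks[/]?$`); since `computePermissions` in pep.js uses `path.name` as the UMA resource, both are authorised against the same resource with different scopes (`poll` versus `update`), which is fine only if the resource is modelled that way on the IAM side. `pep-credentials` is rendered into this file, which the swarm templates mount as a Docker config, so the PEP's client secret is stored unencrypted in the swarm Raft store.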

@ -0,0 +1,18 @@
load_module modules/ngx_http_js_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
{% if pep is defined and pep == True %}
js_import pep.js;
js_set $authorization pep.enforce;
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
{% endif %}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

@ -0,0 +1,109 @@
upstream _conductor-server {
ip_hash;
server {{ conductor_service }}:8080;
}
upstream _conductor-ui {
ip_hash;
server {{ conductor_ui_service }}:5000;
}
map $http_authorization $source_auth {
default "";
}
js_var $auth_token;
js_var $pep_credentials;
server {
listen *:80;
listen [::]:80;
server_name {{ conductor_server_name }};
{% if conductor_server_name != conductor_ui_server_name %}
# When there is the possibility to separate vhosts for ui and apis as in local-site deployment forward also / to swagger docs
location / {
proxy_set_header Host $host;
proxy_pass http://_conductor-server;
}
{% endif %}
location /health {
proxy_set_header Host $host;
proxy_pass http://_conductor-server;
}
location /api/ {
js_content pep.enforce;
}
location @backend {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_pass http://_conductor-server;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token/introspect";
proxy_ignore_headers Cache-Control Expires Set-Cookie;
gunzip on;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_pass "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
}
server {
listen *:80 default_server;
listen [::]:80 default_server;
server_name {{ conductor_ui_server_name }};
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://_conductor-ui;
}
}
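Review bot: `map $http_authorization $source_auth { default ""; }` yields the empty string for every request, so `proxy_cache_key $source_auth` in `/jwt_verify_request` is one constant for all tokens; today nothing is cached because the subrequest is a `POST` and `proxy_cache_methods` defaults to `GET HEAD`, but the moment someone adds `proxy_cache_methods POST` one token's introspection result would be served for every other token for `proxy_cache_valid 200 10s`. Make the map `default $http_authorization;` (or a hash of it) so the key follows the credential. Note also that when `conductor_server_name != conductor_ui_server_name`, `location /` proxies every non-`/api/` path to the server without `js_content pep.enforce`, so anything the server exposes outside `/api/` (the `/health` endpoint is the intended case) is reachable unauthenticated; keep that surface deliberately small.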

@ -0,0 +1,41 @@
upstream _conductor-server {
ip_hash;
server {{ conductor_service }}:8080;
}
upstream _conductor-ui {
ip_hash;
server {{ conductor_ui_service}}:5000;
}
server {
listen *:80;
listen [::]:80;
server_name conductor-server;
location / {
proxy_set_header Host $host;
proxy_pass http://_conductor-server;
}
}
server {
listen *:80 default_server;
listen [::]:80 default_server;
server_name conductor-ui;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://_conductor-ui;
}
}
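Review bot: `server_name conductor-server` and `conductor-ui` are hard-coded here while the PEP variant uses `{{ conductor_server_name }}` and `{{ conductor_ui_server_name }}`; use the variables in both so toggling `pep` does not change the vhosts. Style: `{{ conductor_ui_service}}` is missing the space before `}}` that the other templates use.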

@ -0,0 +1,46 @@
version: '3.6'
services:
pep:
image: nginx:stable-alpine
networks:
- {{ conductor_network }}
- haproxy-public
deploy:
replicas: 1
placement:
constraints: [node.role == worker]
endpoint_mode: dnsrr
restart_policy:
condition: on-failure
delay: 10s
window: 120s
configs:
- source: nginxconf
target: /etc/nginx/templates/default.conf.template
- source: nginxbaseconf
target: /etc/nginx/nginx.conf
{% if pep is defined and pep == True %}
- source: pep
target: /etc/nginx/pep.js
- source: pepconfig
target: /etc/nginx/config.js
{% endif %}
networks:
{{ conductor_network }}:
haproxy-public:
external: true
configs:
nginxconf:
file: ./nginx.default.conf
nginxbaseconf:
file: ./nginx.conf
{% if pep is defined and pep == True %}
pep:
file: ./pep.js
pepconfig:
file: ./config.js
{% endif %}
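Review bot: `replicas: 1` is hard-coded while the non-HA template uses `{{ pep_replicas }}`; use the variable here too. `pep.js` and `config.js` are mounted as Docker configs, and `config.js` contains `pep-credentials`, the PEP's own client secret; it belongs under `secrets:` (mounted under `/run/secrets/`) rather than `configs:`, which are not encrypted at rest in the swarm Raft store.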

@ -0,0 +1,46 @@
version: '3.6'
services:
pep:
image: nginx:stable-alpine
networks:
- {{ conductor_network }}
ports:
- "{{ pep_port }}:80"
deploy:
replicas: {{ pep_replicas }}
{% if infrastructure != 'local' %}
placement:
constraints: [node.role != worker]
{% endif %}
restart_policy:
condition: on-failure
delay: 10s
window: 120s
configs:
- source: nginxconf
target: /etc/nginx/templates/default.conf.template
- source: nginxbaseconf
target: /etc/nginx/nginx.conf
{% if pep is defined and pep == True %}
- source: pep
target: /etc/nginx/pep.js
- source: pepconfig
target: /etc/nginx/config.js
{% endif %}
networks:
{{ conductor_network }}:
configs:
nginxconf:
file: ./nginx.default.conf
nginxbaseconf:
file: ./nginx.conf
{% if pep is defined and pep == True %}
pep:
file: ./pep.js
pepconfig:
file: ./config.js
{% endif %}
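Review bot: `constraints: [node.role != worker]` pins the PEP to manager nodes, the opposite of every other service in this change (`node.role == worker`); if the intent is that the node publishing `{{ pep_port }}` must be a manager, say so in a comment, otherwise this reads like a typo. Publishing only `{{ pep_port }}:80` makes the PEP the single exposed entry point, which is the right shape now that the server and database ports are no longer published.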

@ -0,0 +1,325 @@
export default { enforce };
import defaultExport from './config.js';
function log(c, s){
c.request.error(s)
}
function enforce(r) {
var context = {
request: r ,
config : defaultExport["config"],
backend : (defaultExport.backend ? defaultExport.backend : "@backend"),
export_backend_headers : (defaultExport.backendHeaders ? defaultExport.backendHeaders : wkf.export_backend_headers)
}
log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
context = computeProtection(context)
wkf.run(wkf.build(context), context)
}
// ######## WORKFLOW FUNCTIONS ###############
var wkf = {
build : (context)=>{
var actions = [
"export_pep_credentials",
"parse_authentication",
"check_authentication",
"export_authn_token",
"pip",
"pdp",
"export_backend_headers",
"pass"
]
return actions
},
run : (actions, context) => {
context.request.error("Starting workflow with " + njs.dump(actions))
var w = actions.reduce(
(acc, f) => acc.then(typeof(f) === "function" ? f : wkf[f]),
Promise.resolve().then(()=>context)
)
w.catch(e => { context.request.error(njs.dump(e)); context.request.return(401)} )
},
export_pep_credentials : exportPepCredentials,
export_authn_token : exportAuthToken,
export_backend_headers : c=>c,
parse_authentication : parseAuthentication,
check_authentication : checkAuthentication,
verify_token : verifyToken,
request_token : requestToken,
pip : pipExecutor,
pdp : pdpExecutor,
pass : pass,
//PIP utilities
"get-path-component" : (c, i) => c.request.uri.split("/")[i],
"get-token-field" : getTokenField,
"get-contexts" : (c) => {
var ra = c.authn.verified_token["resource_access"]
if(ra){
var out = [];
for(var k in ra){
if(ra[k].roles && ra[k].roles.length !== 0) out.push(k)
}
}
return out;
}
}
function getTokenField(context, f){
return context.authn.verified_token[f]
}
function exportVariable(context, name, value){
context.request.variables[name] = value
log(context, "Exported variables:" + njs.dump(context.request.variables))
return context
}
function exportPepCredentials(context){
if(!context.config["pep-credentials"]){
throw new Error("Need PEP credentials")
}
return exportVariable(context, "pep_credentials", "Basic " + context.config["pep-credentials"])
}
function exportAuthToken(context){
return exportVariable(context, "auth_token", context.authn.token)
}
function checkAuthentication(context){
return context.authn.type === "bearer" ? wkf.verify_token(context) : wkf.request_token(context)
}
function parseAuthentication(context){
context.request.log("Inside parseAuthentication")
var incomingauth = context.request.headersIn["Authorization"]
if(!incomingauth) throw new Error("Authentication required");
var arr = incomingauth.trim().replace(/\s\s+/g, " ").split(" ")
if(arr.length != 2) throw new Error("Unknown authentication scheme");
var type = arr[0].toLowerCase()
if(type === "basic" && context.authz.host && context.authz.host["allow-basic-auth"]){
var unamepass = Buffer.from(arr[1], 'base64').toString().split(":")
if(unamepass.length != 2) return null;
context.authn = { type : type, raw : arr[1], user : unamepass[0], password : unamepass[1]}
return context
}else if(type === "bearer"){
context.authn = { type : type, raw : arr[1], token : arr[1]}
return context
}
throw new Error("Unknown authentication scheme");
}
function verifyToken(context){
log(context, "Inside verifyToken")
var options = {
"body" : "token=" + context.authn.token + "&token_type_hint=access_token"
}
return context.request.subrequest("/jwt_verify_request", options)
.then(reply=>{
if (reply.status === 200) {
var response = null
try{
response = JSON.parse(reply.responseBody);
} catch(error){
throw new Error("Unable to parse response json from token request: " + reply.responseBody)
}
if (response.active === true) {
return response
} else {
throw new Error("Unauthorized")
}
} else {
throw new Error("Unauthorized")
}
}).then(verified_token => {
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
})
}
function requestToken(context){
log(context, "Inside requestToken")
var options = {
"body" : "grant_type=client_credentials&client_id="+context.authn.user+"&client_secret="+context.authn.password
}
return context.request.subrequest("/jwt_request", options)
.then(reply=>{
if (reply.status === 200) {
var response = null
try{
response = JSON.parse(reply.responseBody);
} catch(error){
throw new Error("Unable to parse response json from token request: " + reply.responseBody)
}
context.authn.token = response.access_token
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
} else if (reply.status === 400 || reply.status === 401){
var options = {
"body" : "grant_type=password&username="+context.authn.user+"&password="+context.authn.password
}
return context.request.subrequest("/jwt_request", options)
.then( reply=>{
if (reply.status === 200) {
var response = JSON.parse(reply.responseBody);
context.authn.token = response.access_token
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
} else{
throw new Error("Unauthorized " + reply.status)
}
})
} else {
throw new Error("Unauthorized " + reply.status)
}
})
}
function pipExecutor(context){
log(context, "Inside extra claims PIP")
context.authz.pip.forEach(extra =>{
//call extra claim pip function
try{
var operator = extra.operator
var result = wkf[operator](context, extra.args)
//ensure array and add to extra_claims
if(!(result instanceof Array)) result = [result]
if(!context.extra_claims) context.extra_claims = {};
context.extra_claims[extra.claim] = result
} catch (error){
log(context, "Skipping invalid extra claim " + njs.dump(error))
}
})
log(context, "Extra claims are " + njs.dump(context.extra_claims))
return context
}
function pdpExecutor(context){
log(context, "Inside PDP")
return context.authz.pdp(context)
}
function umaCall(context){
log(context, "Inside UMA call")
var options = { "body" : computePermissionRequestBody(context) };
return context.request.subrequest("/permission_request", options)
.then(reply =>{
if(reply.status === 200){
return context
}else{
throw new Error("Response for authorization request is not ok " + reply.status + " " + njs.dump(reply.responseBody))
}
})
}
function pass(context){
log(context, "Inside pass");
if(typeof(context.backend) === "string") context.request.internalRedirect(context.backend);
else if (typeof(context.backend) === "function") context.request.internalRedirect(context.backend(context))
return context;
}
// ######## AUTHORIZATION PART ###############
function computePermissionRequestBody(context){
if(!context.authz.host || !context.authz.path ){
throw new Error("Enforcemnt mode is always enforcing. Host or path not found...")
}
var audience = computeAudience(context)
var grant = "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
var mode = "response_mode=decision"
var permissions = computePermissions(context)
var extra = ""
if(context.extra_claims){
extra =
"claim_token_format=urn:ietf:params:oauth:token-type:jwt&claim_token=" +
JSON.stringify(context.extra_claims).toString("base64url")
}
var body = audience + "&" + grant + "&" + permissions + "&" + mode + "&" + extra
context.request.error("Computed permission request body is " + body)
return body
}
function computeAudience(context){
var aud = context.request.headersIn.host
if(context.authz.host){
aud = context.authz.host.audience||context.authz.host.host
}
return "audience=" + aud
}
function computePermissions(context){
var resource = context.request.uri
if(context.authz.path){
resource = context.authz.path.name||context.authz.path.path
}
var scopes = []
if(context.authz.method && context.authz.method.scopes){
scopes = context.authz.method.scopes
}
if(scopes.length > 0){
return scopes.map(s=>"permission=" + resource + "#" + s).join("&")
}
return "permission=" + resource
}
function getPath(hostconfig, incomingpath, incomingmethod){
var paths = hostconfig.paths || []
var matchingpaths = paths
.filter(p => {return incomingpath.match(p.path) != null})
.reduce((acc, p) => {
if (!p.methods || p.methods.length === 0) acc.weak.push({ path: p});
else{
var matchingmethods = p.methods.filter(m=>m.method.toUpperCase() === incomingmethod)
if(matchingmethods.length > 0) acc.strong.push({ method : matchingmethods[0], path: p});
}
return acc;
}, { strong: [], weak: []})
return matchingpaths.strong.concat(matchingpaths.weak)[0]
}
function getHost(config, host){
var matching = config.hosts.filter(h=>{
return h.host === host
})
return matching.length > 0 ? matching[0] : null
}
function computeProtection(context){
log(context, "Getting by host " + context.request.headersIn.host)
context.authz = {}
context.authz.host = getHost(context.config, context.request.headersIn.host)
if(context.authz.host !== null){
context.authz.pip = context.authz.host.pip ? context.authz.host.pip : [];
context.authz.pdp = context.authz.host.pdp ? context.authz.host.pdp : umaCall;
var pathandmethod = getPath(context.authz.host, context.request.uri, context.request.method);
if(pathandmethod){
context.authz.path = pathandmethod.path;
context.authz.pip = context.authz.path.pip ? context.authz.pip.concat(context.authz.path.pip) : context.authz.pip;
context.authz.pdp = context.authz.path.pdp ? context.authz.path.pdp : context.authz.pdp;
context.authz.method = pathandmethod.method;
if(context.authz.method){
context.authz.pip = context.authz.method.pip ? context.authz.pip.concat(context.authz.method.pip) : context.authz.pip;
context.authz.pdp = context.authz.method.pdp ? context.authz.method.pdp : context.authz.pdp;
}
}
}
log(context, "Leaving protection computation: ")
return context
}
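Review bot: `exportVariable` logs `njs.dump(context.request.variables)` at error level on every call, and it is called with `pep_credentials` (`"Basic " + secret`) and `auth_token` (the caller's bearer token), so the PEP's client secret and every user token end up in the nginx error log; log only the variable name. Further points in file order: `computePermissionRequestBody` calls `JSON.stringify(...).toString("base64url")`, but `String.prototype.toString` ignores its argument, so `claim_token` is sent as raw, un-URL-encoded JSON rather than base64url (`Buffer.from(JSON.stringify(context.extra_claims)).toString("base64url")` is what was meant); `requestToken` builds the form bodies by concatenation, so a `client_secret` or password containing `&`, `%` or `+` is mangled, apply `encodeURIComponent` to each value; `parseAuthentication` rejects Basic credentials whose password contains `:` because of `split(":")` with `length != 2`, split on the first colon only, and it returns `null` there instead of throwing, which produces a 401 only by accident when the next step dereferences it; `verifyToken` discards the introspection response (the `verified_token` parameter is unused) and decodes the claims from the JWT payload instead, acceptable only because introspection has just confirmed the token is active, say so in a comment; `get-contexts` declares `out` inside `if(ra)` and returns it outside, so a token without `resource_access` yields `undefined` rather than `[]`; the catch-all in `wkf.run` maps every failure to 401, including configuration errors that should surface as 500 so monitoring can see them. Typo: `Enforcemnt`.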

@ -1,9 +0,0 @@
---
use_jdbc: True
postgres_service_name: 'postgresdb'
postgres_replicas: 1
conductor_db: postgres
jdbc_user: conductor
jdbc_pass: password
jdbc_db: conductor
jdbc_url: jdbc:postgresql://{{ postgres_service_name }}:5432/{{ postgres_jdbc_db }}
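Review bot: good to see this file go: it carried a literal `jdbc_pass: password` and built `jdbc_url` from `{{ postgres_jdbc_db }}` while defining `jdbc_db`; make sure no remaining inventory still defines the literal default before the vaulted `jdbc_pass` becomes the only source.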

@ -1,5 +0,0 @@
---
- name: Generate postgres swarm
template:
src: templates/postgres-swarm.yaml.j2
dest: "{{ target_path }}/postgres-swarm.yaml"

@ -1,31 +0,0 @@
version: '3.6'
services:
{{ postgres_service_name }}:
image: postgres
ports:
- "5432:5432"
environment:
POSTGRES_USER: "{{ postgres_jdbc_user }}"
POSTGRES_PASSWORD: "{{ postgres_jdbc_pass }}"
POSTGRES_DB: "{{ postgres_jdbc_db }}"
{% if init_db %}
configs:
- source: db-init
target: "/docker-entrypoint-initdb.d/db-init.sql"
{% endif %}
networks:
- {{ conductor_network }}
deploy:
replicas: {{ postgres_replicas }}
placement:
constraints: [node.role == worker]
networks:
{{ conductor_network }}:
{% if init_db %}
configs:
db-init:
file: {{ target_path }}/conductor-db-init.sql
{% endif %}

@ -1,6 +1,15 @@
--- ---
conductor_workers_server: http://conductor-dev.int.d4science.net/api
conductor_workers: [ { service: 'base', image: 'nubisware/nubisware-conductor-worker-py-base', replicas: 2, threads: 1, pollrate: 1 }] conductor_workers: [ { service: 'base', image: 'nubisware/nubisware-conductor-worker-py-base', replicas: 2, threads: 1, pollrate: 1 }]
pymail_server: "smtp-relay.d4science.org"
pymail_user: "conductor_{{ infrastructure }}"
pymail_protocol: "starttls"
pymail_port: "587"
#smtp_local_pwd: ""
#smtp_dev_pwd: in vault
#smtp_pre_pwd: in vault
#smtp_prod_pwd: in vault
#{service: 'provisioning', image: 'nubisware/nubisware-conductor-worker-py-provisioning', replicas: 2, threads: 1, pollrate: 1 } #{service: 'provisioning', image: 'nubisware/nubisware-conductor-worker-py-provisioning', replicas: 2, threads: 1, pollrate: 1 }
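Review bot: the SMTP passwords are documented only as `#smtp_dev_pwd: in vault` and so on, while the worker config template later in this change reads `{{ pymail_password }}`; nothing visible maps one to the other, and Ansible's default undefined-variable handling will fail the template task if `pymail_password` is not set elsewhere. Dropping `conductor_workers_server: http://conductor-dev.int.d4science.net/api` in favour of `conductor_service_url` removes a hard-coded plain-HTTP dev endpoint from a defaults file, which is welcome.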

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256

@ -4,7 +4,8 @@ services:
{% for workers in conductor_workers %} {% for workers in conductor_workers %}
{{ workers.service }}: {{ workers.service }}:
environment: environment:
CONDUCTOR_SERVER: {{ conductor_workers_server }} CONDUCTOR_SERVER: {{ conductor_service_url }}
CONDUCTOR_HEALTH: {{ conductor_service_health_url }}
configs: configs:
- source: {{workers.service}}-config - source: {{workers.service}}-config
target: /app/config.cfg target: /app/config.cfg
@ -14,12 +15,13 @@ services:
deploy: deploy:
mode: replicated mode: replicated
replicas: {{ workers.replicas }} replicas: {{ workers.replicas }}
{% if infrastructure != 'local' %}
placement: placement:
constraints: [node.role == worker] constraints: [node.role == worker]
{% endif %}
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s
max_attempts: 3
window: 120s window: 120s
logging: logging:
driver: "journald" driver: "journald"

@ -1,9 +1,16 @@
[common] [common]
loglevel = {{ item.get('loglevel', 'info') }} loglevel = {{ item.get('loglevel', 'info') }}
#server = #server =
threads = 3 threads = 1
pollrate = .1 pollrate = 1
{% if "domain" in item.keys() %} {% if "domain" in item.keys() %}
domain={{ item.domain }} domain={{ item.domain }}
{% endif %} {% endif %}
[pymail]
server = {{ pymail_server}}
user = {{ pymail_user }}
password = {{ pymail_password }}
protocol = {{ pymail_protocol }}
port = {{ pymail_port }}
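Review bot: the new `[pymail]` section renders `password = {{ pymail_password }}` in cleartext into a file that the worker swarm template mounts as a Docker config (`configs:` with `target: /app/config.cfg`), and Swarm configs, unlike secrets, are not encrypted at rest and can be read back by any user with access to a manager node. Prefer delivering the SMTP password as a Docker secret (a `secrets:` entry the worker reads from `/run/secrets/`) or via an environment variable populated from that secret, and keep only `server`, `user`, `protocol` and `port` in the rendered config. Minor: `{{ pymail_server}}` is missing the space before `}}` that the other placeholders have.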

run.sh

@ -1,85 +0,0 @@
#!/bin/bash
#
# The "directory/directory.yml" is the old way that we used to simplify jobs execution.
# The "directory/site.yml" is the syntax used by roles (from ansible version 1.2)
#
# Otherwise we can directly execute a single play (file)
#
PAR=50
TIMEOUT=15
PLAY=site.yml
HOSTS_DIR=.
ANSIBLE_HOSTS=
export TMPDIR=/var/tmp/${USER}
if [ ! -d ${TMPDIR} ] ; then
mkdir -p ${TMPDIR}
fi
if [ -f ./ansible.cfg ] ; then
export ANSIBLE_CONFIG="./ansible.cfg"
fi
# No cows!
export ANSIBLE_NOCOWS=1
export ANSIBLE_ERROR_ON_UNDEFINED_VARS=True
export ANSIBLE_HOST_KEY_CHECKING=False
export ANSIBLE_LIBRARY="/usr/share/ansible:./modules:../modules:$ANSIBLE_LIBRARY"
# Update the galaxy requirements
if [ -f requirements.yml ] ; then
ansible-galaxy install --ignore-errors -f -r requirements.yml
fi
PLAY_OPTS="-T $TIMEOUT -f $PAR"
if [ -f "$1" ] ; then
PLAY=$1
elif [ ! -f $PLAY ] ; then
echo "No play file available."
exit 1
fi
if [ -f "${PLAY}" ] ; then
MAIN="${PLAY}"
shift
elif [ -f "${PLAY}.yml" ]; then
MAIN="${PLAY}.yml"
shift
fi
if [ -f ${HOSTS_DIR}/hosts ] ; then
ANSIBLE_HOSTS=${HOSTS_DIR}/hosts
fi
if [ -f ${HOSTS_DIR}/inventory/hosts ] ; then
ANSIBLE_HOSTS=${HOSTS_DIR}/inventory/hosts
fi
if [ ! -z "$ANSIBLE_HOSTS" ] ; then
PLAY_OPTS="-i $ANSIBLE_HOSTS"
fi
#echo "Find vault encrypted files if any"
if [ -d ./group_vars ] ; then
VAULT_GROUP_FILES=$( find ./group_vars -name \*vault\* )
fi
if [ -d ./host_vars ] ; then
VAULT_HOST_FILES=$( find ./host_vars -name \*vault\* )
fi
if [ -n "$VAULT_GROUP_FILES" ] || [ -n "$VAULT_HOST_FILES" ] ; then
# Vault requires a password.
# To encrypt a password for a user: python -c "from passlib.hash import sha512_crypt; print sha512_crypt.encrypt('<password>')"
if [ -f ~/.conductor_ansible_vault_pass.txt ] ; then
PLAY_OPTS="$PLAY_OPTS --vault-password-file=~/.conductor_ansible_vault_pass.txt"
else
echo "There are password protected encrypted files, we will ask for password before proceeding"
PLAY_OPTS="$PLAY_OPTS --ask-vault-pass"
fi
fi
# Main
ansible-playbook $PLAY_OPTS $MAIN $@
rm -f /tmp/passwordfile
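Review bot: deleting `run.sh` removes the only place that wired up the vault password (`--vault-password-file=~/.conductor_ansible_vault_pass.txt` or `--ask-vault-pass`) for the vault-encrypted `group_vars`/`host_vars` files, and the replacement `site-*.yaml` plays still load vault-protected files such as `roles/external-postgres/defaults/vault_main.yaml` and `roles/pep/defaults/pep_credentials.yaml`; document the expected `ansible-playbook` invocation, or move `vault_password_file` into `ansible.cfg`, so the next operator does not end up with the playbook failing on undecryptable variables. Worth noting that the script also exported `ANSIBLE_HOST_KEY_CHECKING=False`; whatever replaces it should not carry that over, since host key verification is what binds a run against `pre_infra`/`prod_infra` to the intended machines.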

site-dev.yaml Normal file

@ -0,0 +1,67 @@
---
- hosts: dev_infra
#- hosts: localhost
vars_files:
- roles/workers/defaults/smtp.yaml
- roles/pep/defaults/pep_credentials.yaml
- roles/conductor/defaults/conductor_ui_secrets.yaml
vars:
infrastructure: "dev"
pymail_password: "{{ smtp_dev_pwd }}"
iam_host: https://accounts.dev.d4science.org
pep: True
pep_replicas: 2
pep_credentials: "{{ dev_pep_credentials }}"
ha_network: True
conductor_ui_secret: "{{ dev_conductor_ui_secret }}"
conductor_auth: oauth2
conductor_server_name: conductor.dev.d4science.org
conductor_ui_server_name: conductor-ui.dev.d4science.org
conductor_ui_public_url: "https://{{ conductor_ui_server_name }}"
conductor_replicas: 1
conductor_ui_replicas: 2
roles:
- common
- databases
- conductor
- workers
- pep
tasks:
- name: Start {{ db|default('postgres', true) }} and es
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/{{ db|default('postgres', true) }}-swarm.yaml"
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 20
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start pep
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/pep-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start workers
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when: dry is not defined or not dry|bool
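Review bot: `Waiting for databases` with a fixed `pause: seconds: 20` is a race, not a readiness check; `Start conductor` runs even if postgres or elasticsearch are still initialising, and neither it nor `Start workers` has `retries`/`until`. Replace the pause with a `wait_for` (TCP port) or `uri` task with `retries` and `delay` against the database and elasticsearch endpoints, and add the same kind of check on the conductor health endpoint before `Start workers`, now that the workers receive `CONDUCTOR_HEALTH`. Also drop the commented `#- hosts: localhost` leftover, and consider `check_mode` or a play-level tag instead of repeating `when: dry is not defined or not dry|bool` on every task.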

site-local.yaml Normal file

@ -0,0 +1,52 @@
---
- hosts: localhost
vars_files:
- roles/workers/defaults/smtp.yaml
vars:
infrastructure: "local"
pymail_password: "{{ smtp_local_pwd }}"
smtp_local_pwd: ""
roles:
- common
- databases
- conductor
- workers
- pep
tasks:
- name: Start {{ db|default('postgres', true) }} and es
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/{{ db|default('postgres', true) }}-swarm.yaml"
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 20
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start pep
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/pep-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start workers
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when: dry is not defined or not dry|bool
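Review bot: this play includes the `pep` role and starts `pep-swarm.yaml`, but unlike `site-dev.yaml` and `site-pre.yaml` it sets none of `pep: True`, `pep_credentials`, `iam_host` or `conductor_auth`; confirm that the pep role and its compose template default safely when these are undefined, because a PEP rendered with no credentials and no auth mode either fails to start or enforces nothing in front of conductor. If the local stack is meant to run without authentication, say so in a comment next to `infrastructure: "local"`. Note too that `smtp_local_pwd: ""` under `vars` has lower precedence than `vars_files`, so a value in `roles/workers/defaults/smtp.yaml` silently overrides it.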

site-nw-cluster.yaml Normal file

@ -0,0 +1,64 @@
---
- hosts: nw_cluster_infra
#- hosts: localhost
vars_files:
- roles/workers/defaults/smtp.yaml
- roles/pep/defaults/pep_credentials.yaml
- roles/conductor/defaults/conductor_ui_secrets.yaml
vars:
infrastructure: "nw-cluster"
pymail_password: "{{ smtp_dev_pwd }}"
iam_host: https://accounts.dev.d4science.org
pep: True
pep_credentials: "{{ nw_cluster_pep_credentials }}"
conductor_ui_secret: "{{ nw_cluster_conductor_ui_secret }}"
conductor_auth: oauth2
conductor_server_name: conductor-dev.int.d4science.net
conductor_ui_server_name: conductorui-dev.int.d4science.net
conductor_ui_public_url: "http://{{ conductor_ui_server_name }}"
conductor_replicas: 1
conductor_ui_replicas: 2
roles:
- common
- databases
- conductor
- workers
- pep
tasks:
- name: Start {{ db|default('postgres', true) }} and es
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/{{ db|default('postgres', true) }}-swarm.yaml"
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 20
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start pep
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/pep-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start workers
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when: dry is not defined or not dry|bool
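Review bot: `conductor_ui_public_url` is `http://{{ conductor_ui_server_name }}` here while every other environment uses `https://`, yet `conductor_auth: oauth2` and `iam_host: https://accounts.dev.d4science.org` are set, so the OAuth2 redirect back to the UI, and any token the browser then holds for `conductorui-dev.int.d4science.net`, travels in cleartext. Either terminate TLS for that hostname and switch to `https://`, or document that this cluster is only reachable from a trusted network. Also, `pymail_password: "{{ smtp_dev_pwd }}"` reuses the dev SMTP credential for a separate environment; a dedicated `smtp_nw_cluster_pwd` keeps the blast radius of a leaked password to one environment.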

site-pre.yaml Normal file

@ -0,0 +1,65 @@
---
- hosts: pre_infra
vars_files:
- roles/workers/defaults/smtp.yaml
- roles/pep/defaults/pep_credentials.yaml
- roles/conductor/defaults/conductor_ui_secrets.yaml
vars:
infrastructure: "pre"
pymail_password: "{{ smtp_pre_pwd }}"
iam_host: https://accounts.pre.d4science.org
pep: True
pep_replicas: 2
pep_credentials: "{{ pre_pep_credentials }}"
ha_network: True
conductor_ui_secret: "{{ pre_conductor_ui_secret }}"
conductor_auth: oauth2
conductor_server_name: conductor.pre.d4science.org
conductor_ui_server_name: conductor-ui.pre.d4science.org
conductor_ui_public_url: "https://{{ conductor_ui_server_name }}"
conductor_replicas: 1
conductor_ui_replicas: 2
roles:
- common
- databases
- conductor
- workers
- pep
tasks:
- name: Start {{ db|default('postgres', true) }} and es
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/{{ db|default('postgres', true) }}-swarm.yaml"
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 20
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start pep
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/pep-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start workers
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when: dry is not defined or not dry|bool
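Review bot: `site-pre.yaml`, `site-dev.yaml`, `site-nw-cluster.yaml` and `site-prod.yaml` are the same play with different `vars`, and the four copies already show drift: `pep_replicas: 2` and `ha_network: True` appear in dev and pre, prod has `ha_network` but no `pep_replicas`, and nw-cluster has neither. A single `site.yaml` with the per-environment values in inventory `group_vars/pre_infra`, `group_vars/prod_infra` and so on would make the differences reviewable in one place and stop a security-relevant setting from being fixed in one environment and forgotten in another.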

site-prod.yaml Normal file

@ -0,0 +1,65 @@
---
- hosts: prod_infra
vars_files:
- roles/external-postgres/defaults/vault_main.yaml
- roles/workers/defaults/smtp.yaml
- roles/pep/defaults/pep_credentials.yaml
- roles/conductor/defaults/conductor_ui_secrets.yaml
vars:
infrastructure: "prod"
pymail_password: "{{ smtp_prod_pwd }}"
iam_host: https://accounts.d4science.org
pep: True
pep_credentials: "{{ prod_pep_credentials }}"
ha_network: True
conductor_ui_secret: "{{ prod_conductor_ui_secret }}"
conductor_auth: oauth2
conductor_server_name: conductor.d4science.org
conductor_ui_server_name: conductor-ui.d4science.org
conductor_ui_public_url: "https://{{ conductor_ui_server_name }}"
conductor_replicas: 1
conductor_ui_replicas: 2
roles:
- common
- elasticsearch
- external-postgres
- conductor
- workers
- pep
tasks:
- name: Start es
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 5
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start pep
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/pep-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start workers
docker_stack:
name: "conductor-{{ infrastructure }}"
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when: dry is not defined or not dry|bool
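Review bot: the production play does not set `pep_replicas`, although `site-dev.yaml` and `site-pre.yaml` set `pep_replicas: 2`; if the pep role defaults to a single replica, the policy enforcement point in front of conductor becomes a single point of failure in the one environment where that matters most. Also, `Waiting for databases` pauses only `5` seconds after starting elasticsearch alone (postgres is external here) versus 20 seconds elsewhere; a readiness check with `retries` against elasticsearch and the external postgres would remove the guesswork in both cases.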


@ -1,56 +0,0 @@
---
- hosts: pre_infra:dev_infra
roles:
- common
- role: cluster-replacement
when:
- cluster_replacement is defined and cluster_replacement|bool
- role: databases
- conductor
- role: workers
when:
- no_workers is not defined or not no_workers|bool
tasks:
- name: Start {{ db|default('postgres', true) }} and es
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/{{ db|default('postgres', true) }}-swarm.yaml"
- "{{ target_path }}/elasticsearch-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Waiting for databases
pause:
seconds: 10
when: dry is not defined or not dry|bool
- name: Start conductor
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/conductor-swarm.yaml"
when: dry is not defined or not dry|bool
- name: Start haproxy
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/haproxy-swarm.yaml"
when:
- dry is not defined or not dry|bool
- cluster_replacement is defined
- cluster_replacement|bool
- name: Start workers
docker_stack:
name: 'conductor-{{ infrastructure }}'
state: present
compose:
- "{{ target_path }}/conductor-workers-swarm.yaml"
when:
- dry is not defined or not dry|bool
- no_workers is not defined or not no_workers|bool
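Review bot: deleting `site.yaml` drops the `cluster_replacement` path (the `cluster-replacement` role and the `Start haproxy` task for `haproxy-swarm.yaml`) and the `no_workers` switch, and none of the replacement `site-*.yaml` plays re-add them. If the `cluster-replacement` role and the `haproxy-swarm.yaml` template remain in the repository they are now dead code; either remove them in the same change or explain in the commit message why they are kept. The `no_workers` option was also the only way to deploy the server without workers, which is useful when rotating worker credentials; consider keeping it.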


@ -0,0 +1,21 @@
FROM nginx:alpine
LABEL maintainer="Nubisware <info@nubisware.com>"
# Bake common configurations for Conductor PEP
COPY config/nginx/nginx.conf /etc/nginx/nginx.conf
COPY config/nginx/pep.js /etc/nginx/pep.js
COPY config/nginx/config.js /etc/nginx/config.js
# Ensure that cache is invalidated
ADD "https://www.random.org/cgi-bin/randbyte?nbytes=10&format=h" skipcache
# Copy compiled UI assets to nginx www directory
WORKDIR /usr/share/nginx/html
RUN rm -rf ./*
COPY build/ .
# Copy NGINX default configuration
COPY default.conf /etc/nginx/conf.d/default.conf
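Review bot: `ADD "https://www.random.org/cgi-bin/randbyte?nbytes=10&format=h" skipcache` contacts a third-party site on every build to defeat layer caching, so the build breaks when random.org is unreachable or rate-limits, is never reproducible, and leaves a `skipcache` file of unverified remote content in the image. Use `docker build --no-cache`, or a build argument (`ARG CACHEBUST=1` placed just before `COPY build/ .` and passed with `--build-arg CACHEBUST=$(date +%s)`), and drop the network fetch. Also, `FROM nginx:alpine` is a floating tag; pinning a specific version or digest makes the base image auditable.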


@ -0,0 +1,15 @@
FROM nubisware/conductor-frontend:common
LABEL maintainer="Nubisware <info@nubisware.com>"
# Ensure that cache is invalidated
ADD "https://www.random.org/cgi-bin/randbyte?nbytes=10&format=h" skipcache
# Copy compiled UI assets to nginx www directory
WORKDIR /usr/share/nginx/html
RUN rm -rf ./*
COPY build/ .
# Copy NGINX default configuration
COPY ./config.dev/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
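Review bot: `FROM nubisware/conductor-frontend:common` is a mutable tag that this same change set produces from `Dockerfile-frontend`, so this dev variant and the pre and prod variants that follow pick up whatever was pushed last as `:common`, and all three repeat the `ADD ... random.org ...` cache-busting fetch already present in the base image. Build the variants from a versioned tag of the base image, or collapse them into one Dockerfile with a build argument selecting the config directory, since they differ only in the `COPY ./config.<env>/nginx/conf.d/default.conf` line, and remove the network fetch, which is redundant here once the base image changes.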


@ -0,0 +1,15 @@
FROM nubisware/conductor-frontend:common
LABEL maintainer="Nubisware <info@nubisware.com>"
# Ensure that cache is invalidated
ADD "https://www.random.org/cgi-bin/randbyte?nbytes=10&format=h" skipcache
# Copy compiled UI assets to nginx www directory
WORKDIR /usr/share/nginx/html
RUN rm -rf ./*
COPY build/ .
# Copy NGINX default configuration
COPY ./config.pre/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf


@ -0,0 +1,15 @@
FROM nubisware/conductor-frontend:common
LABEL maintainer="Nubisware <info@nubisware.com>"
# Ensure that cache is invalidated
ADD "https://www.random.org/cgi-bin/randbyte?nbytes=10&format=h" skipcache
# Copy compiled UI assets to nginx www directory
WORKDIR /usr/share/nginx/html
RUN rm -rf ./*
COPY build/ .
# Copy NGINX default configuration
COPY ./config.prod/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf

v3.13.6/Dockerfile-server Normal file

@ -0,0 +1,38 @@
#
# ===========================================================================================================
# 0. Builder stage
# ===========================================================================================================
FROM eclipse-temurin:11-jdk-focal AS builder
LABEL maintainer="Nubisware SRL"
# Copy the project directly onto the image
COPY ./conductor-community /conductor
COPY build.gradle /conductor/community-server/
WORKDIR /conductor
# Build the server on run
RUN ./gradlew generateLock updateLock saveLock
RUN ./gradlew build -x test --stacktrace
# ===========================================================================================================
# 1. Bin stage
# ===========================================================================================================
FROM eclipse-temurin:11-jre-focal
LABEL maintainer="Nubisware SRL"
# Make app folders
RUN mkdir -p /app/config /app/logs /app/libs
# Copy the compiled output to new image
COPY --from=builder /conductor/community-server/build/libs/conductor-community-server-*-SNAPSHOT-boot.jar /app/libs/conductor-server.jar
COPY ./config.properties /app/config.properties
COPY startup.sh /app/
RUN chmod +x /app/startup.sh
HEALTHCHECK --interval=60s --timeout=30s --retries=10 CMD curl -I -XGET http://localhost:8080/health || exit 1
CMD [ "/app/startup.sh" ]
ENTRYPOINT [ "/bin/sh"]
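Review bot: the builder stage runs `./gradlew generateLock updateLock saveLock` after `build-prepare.sh` has deleted every `dependencies.lock`, so each build re-resolves the dependency tree to the newest matching versions; together with `COPY ./conductor-community` from an unpinned clone, the jar that becomes `/app/libs/conductor-server.jar` differs from build to build and cannot be traced to a fixed set of artifacts. Keep the upstream lock files (or commit the regenerated ones) so the server image is reproducible and a dependency advisory can be matched to what is deployed. Two smaller points: the runtime stage never switches to a non-root `USER`, so the Spring Boot process runs as root; and with `ENTRYPOINT [ "/bin/sh"]` plus `CMD [ "/app/startup.sh" ]` the script is executed by `sh`, which makes the `chmod +x` redundant and means any `docker run ... <cmd>` override is interpreted as a path to a shell script rather than a command.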

v3.13.6/build-dev-images.sh Executable file

@ -0,0 +1,24 @@
ln -s config.dev/config-pg-es7.properties config.properties
docker build -t nubisware/conductor-server:3.13.6-dev -f Dockerfile-server .
docker push nubisware/conductor-server:3.13.6-dev
unlink config.properties
# Override fetch plugin with one that uses d4s-boot secure fetch
#cp config/fetch.js conductor/ui/src/plugins/fetch.js
# Override root App with one instantiating d4s-boot configured for dev
#cp config.dev/App.jsx conductor/ui/src/App.jsx
# jump to ui code and build
#cd conductor/ui/
#yarn install && yarn build
#cd -
# copy the built app to local folder and build Docker image. The clean up.
#cp -r conductor/ui/build .
#ln -s config.dev/nginx/conf.d/default.conf default.conf
#docker build -t nubisware/conductor-frontend:3.13.6-dev -f Dockerfile-frontend .
#rm -rf build
#unlink default.conf
#docker push nubisware/conductor-frontend:dev
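Review bot: the script has no shebang and no `set -e`, so a failed `docker build` still lets `docker push` run (pushing whatever image currently carries the `3.13.6-dev` tag) and `unlink config.properties` still executes; `ln -s` also fails if `config.properties` was left behind by a previous aborted run. Start with `#!/bin/sh` and `set -eu`, create the link with `ln -sf`, and put the unlink in a `trap ... EXIT`. The commented-out frontend block is inconsistent with itself as well: it builds `conductor-frontend:3.13.6-dev` but pushes `conductor-frontend:dev`.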

v3.13.6/build-pre-images.sh Executable file

@ -0,0 +1,12 @@
docker build -t nubisware/conductor-server3:pre -f Dockerfile-server-pre .
docker push nubisware/conductor-server3:pre
#docker build -t nubisware/conductor-frontend:common -f Dockerfile-frontend .
#cd /home/lettere/git/conductor/ui/
#./build-pre-code.sh
#cd -
#cp -r /home/lettere/git/conductor/ui/build .
#docker build -t nubisware/conductor-frontend:pre -f Dockerfile-frontend-pre .
#rm -rf build
#docker push nubisware/conductor-frontend:pre
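Review bot: the pre image is tagged `nubisware/conductor-server3:pre` while the dev script tags `nubisware/conductor-server:3.13.6-dev`, so the server ends up in two registry repositories and the pre image carries a mutable environment tag instead of a version; a `docker stack deploy` after a restart will silently pull a newer `:pre`, which defeats the purpose of the `v3.13.6` directory. Tag with the version (for example `3.13.6-pre`) and reference that tag from the swarm template. The commented lines also hard-code `/home/lettere/git/conductor/ui/`, which will not work for anyone else; a relative path or a variable would.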

v3.13.6/build-prepare.sh Executable file

@ -0,0 +1,4 @@
git clone https://github.com/Netflix/conductor
git clone https://github.com/Netflix/conductor-community
find conductor-community/ -name dependencies.lock -exec rm -v {} \;
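Review bot: both `git clone` calls fetch the default branch with no tag or commit pinned, so a directory named `v3.13.6` can be built from whatever Netflix/conductor and Netflix/conductor-community currently point at; pin the clone to the release tag for 3.13.6 (`git clone --branch <tag> --depth 1 ...`) or check out a recorded commit hash. Deleting every `dependencies.lock` then discards upstream's pinned transitive versions right before `Dockerfile-server` regenerates them, which is the root cause of the non-reproducible server build; if the locks must be regenerated because of the custom `build.gradle`, commit the regenerated files instead of deleting them at build time.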

v3.13.6/build-prod-images.sh Executable file

@ -0,0 +1,12 @@
docker build -t nubisware/conductor-server3:prod -f Dockerfile-server-prod .
docker push nubisware/conductor-server3:prod
#docker build -t nubisware/conductor-frontend:common -f Dockerfile-frontend .
#cd /home/lettere/git/conductor/ui/
#./build-prod-code.sh
#cd -
#cp -r /home/lettere/git/conductor/ui/build .
#docker build -t nubisware/conductor-frontend:prod -f Dockerfile-frontend-prod .
#rm -rf build
#docker push nubisware/conductor-frontend:prod

v3.13.6/build.gradle Normal file

@ -0,0 +1,72 @@
plugins {
id 'org.springframework.boot'
}
dependencies {
implementation "com.netflix.conductor:conductor-rest:${revConductor}"
implementation "com.netflix.conductor:conductor-core:${revConductor}"
implementation "com.netflix.conductor:conductor-redis-persistence:${revConductor}"
implementation "com.netflix.conductor:conductor-cassandra-persistence:${revConductor}"
implementation "com.netflix.conductor:conductor-grpc-server:${revConductor}"
implementation "com.netflix.conductor:conductor-redis-lock:${revConductor}"
implementation "com.netflix.conductor:conductor-redis-concurrency-limit:${revConductor}"
implementation "com.netflix.conductor:conductor-http-task:${revConductor}"
implementation "com.netflix.conductor:conductor-json-jq-task:${revConductor}"
implementation "com.netflix.conductor:conductor-awss3-storage:${revConductor}"
implementation "com.netflix.conductor:conductor-awssqs-event-queue:${revConductor}"
implementation project(':event-queue:conductor-amqp')
implementation project(':event-queue:conductor-nats')
implementation project(':index:conductor-es7-persistence')
implementation project(':external-payload-storage:conductor-azureblob-storage')
implementation project(':external-payload-storage:conductor-postgres-external-storage')
implementation project(':lock:conductor-zookeeper-lock')
implementation project(':conductor-metrics')
implementation project(':persistence:conductor-common-persistence')
implementation project(':persistence:conductor-postgres-persistence')
implementation project(':persistence:conductor-mysql-persistence')
implementation project(':task:conductor-kafka')
implementation project(':conductor-workflow-event-listener')
implementation 'org.springframework.boot:spring-boot-starter'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.retry:spring-retry'
implementation 'org.springframework.boot:spring-boot-starter-log4j2'
implementation 'org.apache.logging.log4j:log4j-web'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation "org.springdoc:springdoc-openapi-ui:${revOpenapi}"
runtimeOnly "org.glassfish.jaxb:jaxb-runtime:${revJAXB}"
testImplementation "com.netflix.conductor:conductor-rest:${revConductor}"
testImplementation "com.netflix.conductor:conductor-common:${revConductor}"
testImplementation "io.grpc:grpc-testing:${revGrpc}"
testImplementation "com.google.protobuf:protobuf-java:${revProtoBuf}"
testImplementation "io.grpc:grpc-protobuf:${revGrpc}"
testImplementation "io.grpc:grpc-stub:${revGrpc}"
}
jar {
enabled = true
}
bootJar {
mainClass = 'com.netflix.conductor.Conductor'
classifier = 'boot'
}
springBoot {
buildInfo()
}
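Review bot: this server build pulls in every persistence and integration module (`conductor-redis-persistence`, `conductor-cassandra-persistence`, `conductor-mysql-persistence`, `conductor-awss3-storage`, `conductor-awssqs-event-queue`, `conductor-azureblob-storage`, `conductor-kafka`, `conductor-nats`, `conductor-amqp`, `conductor-zookeeper-lock`, `conductor-grpc-server`), while the swarm stacks in this change deploy only postgres and elasticsearch; every unused module is extra dependency surface, and extra advisory triage, in the production jar, so trim the list to what `config.properties` actually enables. Also, `classifier = 'boot'` is deprecated in favour of `archiveClassifier` and removed in Gradle 8, and the `Dockerfile-server` glob `conductor-community-server-*-SNAPSHOT-boot.jar` depends on that classifier, so note the coupling in a comment.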


@ -0,0 +1,13 @@
{
"files": {
"main.css": "/static/css/main.98e59355.css",
"main.js": "/static/js/main.18fa60f5.js",
"index.html": "/index.html",
"main.98e59355.css.map": "/static/css/main.98e59355.css.map",
"main.18fa60f5.js.map": "/static/js/main.18fa60f5.js.map"
},
"entrypoints": [
"static/css/main.98e59355.css",
"static/js/main.18fa60f5.js"
]
}
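Review bot: `build/asset-manifest.json` and the rest of `v3.13.6/build/` are compiled output (`main.18fa60f5.js`, `main.98e59355.css`) committed to the repository, and `build-dev-images.sh` has the `yarn install && yarn build` steps commented out, so the frontend image is now assembled from checked-in minified bundles whose provenance cannot be reviewed in a diff. Build the UI in the image (or in CI) from source and keep `build/` out of version control; if the bundles must be committed, record the source commit and build command in the commit message so the artifact can be reproduced and checked.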

v3.13.6/build/favicon.svg Normal file

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
viewBox="0 0 419.77176 434.76002"
version="1.1"
id="svg134"
sodipodi:docname="favicon.svg"
width="419.77176"
height="434.76001"
inkscape:version="1.1.2 (b8e25be8, 2022-02-05)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview136"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
showgrid="false"
inkscape:zoom="1.2341567"
inkscape:cx="208.64449"
inkscape:cy="217.15233"
inkscape:window-width="1296"
inkscape:window-height="932"
inkscape:window-x="2544"
inkscape:window-y="454"
inkscape:window-maximized="0"
inkscape:current-layer="svg134" />
<defs
id="defs124">
<style
id="style122">.cls-1{fill:none;}.cls-2{fill:#1976d2;}</style>
</defs>
<rect
class="cls-1"
width="565"
height="570.42999"
id="rect126"
x="-73.398232"
y="-67.82" />
<path
class="cls-2"
d="m 384.31177,242.99 -59.55,103.19 a 13.52,13.52 0 0 1 -11.67,6.73 h -19.95 l 63.46,-109.92 h -35.47 l -63.45,109.88 h -85.46 a 13.49,13.49 0 0 1 -11.62,-6.69 l -70.490004,-122 a 13.54,13.54 0 0 1 0,-13.48 l 70.450004,-122 a 13.51,13.51 0 0 1 11.67,-6.73 h 67.67 l -13.3,-23.16 a 54.43,54.43 0 0 0 -5.55,-7.6 h -48.83 a 44.3,44.3 0 0 0 -38.26,22.09 l -70.440004,122 a 44.29,44.29 0 0 0 0,44.18 l 70.430004,122 a 44.31,44.31 0 0 0 38.27,22.1 h 140.87 a 44.3,44.3 0 0 0 38.26,-22.09 l 68.42,-118.5 z"
id="path128" />
<path
class="cls-2"
d="m 218.88177,398.93 a 55.89,55.89 0 0 1 -23.16,5.12 h -33.54 a 56.31,56.31 0 0 1 -48.58,-28.07 L 38.211766,245.47 a 56.3,56.3 0 0 1 0,-56.14 L 113.60177,58.81 a 56.29,56.29 0 0 1 48.62,-28.07 h 33.54 a 56.28,56.28 0 0 1 48.62,28.07 l 76.79,133 h 35.43 l -63.46,-109.89 h 19.95 a 13.52,13.52 0 0 1 11.67,6.73 l 59.55,103.16 h 35.46 l -68.41,-118.5 a 44.31,44.31 0 0 0 -38.27,-22.13 h -37.68 l -4.47,-7.76 A 87.11,87.11 0 0 0 195.72177,0 h -33.54 A 87.1,87.1 0 0 0 86.971766,43.42 l -75.37,130.55 a 87.07,87.07 0 0 0 0,86.85 l 75.35,130.52 a 87.1,87.1 0 0 0 75.210004,43.42 h 33.54 a 87,87 0 0 0 70.12,-35.83 z"
id="path130" />
</svg>


v3.13.6/build/index.html Normal file

@ -0,0 +1 @@
<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><title>Conductor UI</title><script defer="defer" src="/static/js/main.18fa60f5.js"></script><link href="/static/css/main.98e59355.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div></body></html>

v3.13.6/build/logo.svg Normal file

@ -0,0 +1 @@
<svg version="1.1" id="svg39" width="874.922" height="185.4" xmlns="http://www.w3.org/2000/svg"><defs id="defs11"><style id="style9">.cls-2{fill:#242a36}.cls-3{fill:#1976d2}</style></defs><g id="Layer_2" data-name="Layer 2" transform="translate(-73.828 -68)"><path id="rect13" style="fill:none" d="M0 0h1022.01v320.7H0z"/><path class="cls-2" d="M433.91 140.05q-14.78 0-25 9.56t-10.22 24.58q0 15 10.22 24.65 10.22 9.65 25 9.62a34.71 34.71 0 0 0 24.78-9.62q10.14-9.63 10.15-24.65.01-15.02-10.09-24.58-10.08-9.55-24.84-9.56zm15.15 50.29a21.72 21.72 0 0 1-30.51 0q-6.39-6.27-6.39-16.15 0-9.88 6.39-16.19a21.72 21.72 0 0 1 30.51 0q6.46 6.27 6.46 16.15 0 9.88-6.46 16.19z" id="path15"/><path class="cls-2" d="M515.55 139.66q-14.37 0-22.67 9.88v-8h-13.71v65.38h13.71v-30.23q0-12 5.21-18.18t14.3-6.2a14.28 14.28 0 0 1 11.27 4.88q4.29 4.88 4.28 12.91v36.78h13.84v-39.54q0-12.27-7.25-20t-18.98-7.68z" id="path17"/><path class="cls-2" d="M607 149q-9.09-9.34-23.72-9.35a31 31 0 0 0-22.8 9.75q-9.63 9.75-9.62 24.78.01 15.03 9.59 24.82a31 31 0 0 0 22.8 9.75q14.5 0 23.72-9.22v7.38h13.85V112H607Zm-6.45 41.39a21.06 21.06 0 0 1-15 6.2 20.48 20.48 0 0 1-15.16-6.13q-6.06-6.14-6.06-16.28t6-16.18a20.35 20.35 0 0 1 15.16-6.2 21 21 0 0 1 15 6.26q6.45 6.27 6.45 16.15 0 9.88-6.42 16.19z" id="path19"/><path class="cls-2" d="M682.64 171.68q0 12-5.14 18.2-5.14 6.2-14.23 6.19a14.35 14.35 0 0 1-11.4-4.94q-4.29-4.95-4.28-13V141.5h-13.71v39.41q0 12.39 7.18 20.1 7.18 7.71 19.05 7.71 14.24 0 22.53-9.88v8h13.71V141.5h-13.71z" id="path21"/><path class="cls-2" d="M860.21 140.05q-14.76 0-25 9.56T825 174.19q0 15 10.22 24.65 10.22 9.65 25 9.62a34.67 34.67 0 0 0 24.78-9.62q10.15-9.63 10.15-24.65 0-15.02-10.08-24.58-10.07-9.55-24.86-9.56zm15.16 50.29a21.72 21.72 0 0 1-30.51 0q-6.39-6.27-6.39-16.15 0-9.88 6.39-16.19a21.72 21.72 0 0 1 30.51 0q6.46 6.27 6.46 16.15 0 9.88-6.46 16.19z" id="path23"/><path class="cls-2" d="M944.1 140.71q-15.95 0-24.91 14.76v-14h-13.71v65.38h13.71v-23.04q0-13.83 6.33-21.68t18.48-7.84a36 36 0 0 1 
3.82.13l.93-13.18a16.36 16.36 0 0 0-4.65-.53z" id="path25"/><path class="cls-2" d="M347.63 130.18a30.08 30.08 0 0 1 21 9.28 31.21 31.21 0 0 1 7.7 13.48h14.73a44.39 44.39 0 0 0-87.87 9.78q0 19.38 13.38 32.69a43 43 0 0 0 62.07 0 43.7 43.7 0 0 0 12.28-22.27h-14.75a31.37 31.37 0 0 1-7.52 12.86 28.48 28.48 0 0 1-42 0q-9.15-9.44-9.16-23.27-.01-13.83 9.16-23.26a30.08 30.08 0 0 1 20.98-9.29z" id="path27"/><path class="cls-2" d="M740.55 152.31a20.21 20.21 0 0 1 19.85 14.1h13.91a31.94 31.94 0 0 0-9.31-17 35.54 35.54 0 0 0-48.91 0Q706 159.16 706 174.19q0 15.03 10.09 24.81a35.7 35.7 0 0 0 48.91 0 31.68 31.68 0 0 0 9.23-16.67h-13.88a19.45 19.45 0 0 1-4.65 7.71 20.38 20.38 0 0 1-15.15 6q-9.24 0-15.16-6t-5.93-15.88q0-9.62 6-15.75a20.23 20.23 0 0 1 15.09-6.1z" id="path29"/><path class="cls-2" d="M808.24 195.81a10.32 10.32 0 0 1-7.91-3.1q-2.9-3.11-2.9-9v-30.87h22.41V141.5h-22.41v-20.3h-13.7v63.4q0 11.86 6.32 18 6.32 6.14 17.27 6.13 7.77 0 16.21-5l-4.22-11.46a19.91 19.91 0 0 1-11.07 3.54z" id="path31"/><path class="cls-3" d="m237.69 171.63-25.39 44a5.75 5.75 0 0 1-5 2.88h-8.51l27.06-46.86h-15.1l-27.06 46.86h-36.44a5.76 5.76 0 0 1-5-2.88l-30-52a5.74 5.74 0 0 1 0-5.75l30-52a5.75 5.75 0 0 1 5-2.87h28.86l-5.69-9.86a23 23 0 0 0-2.37-3.24h-20.8a18.88 18.88 0 0 0-16.31 9.42l-30 52a18.87 18.87 0 0 0 0 18.84l30 52a18.91 18.91 0 0 0 16.32 9.42h60.07a18.91 18.91 0 0 0 16.32-9.42l29.17-50.53z" id="path33"/><path class="cls-3" d="M167.15 238.13a23.94 23.94 0 0 1-9.88 2.18H143a24 24 0 0 1-20.73-12l-32.16-55.62a24 24 0 0 1 0-23.94l32.13-55.66a24 24 0 0 1 20.73-12h14.3a24 24 0 0 1 20.74 12l32.74 56.71h15.12L198.81 103h8.51a5.76 5.76 0 0 1 5 2.87l25.39 44h15.12l-29.19-50.6a18.91 18.91 0 0 0-16.32-9.42h-16.07l-1.9-3.31A37.15 37.15 0 0 0 157.27 68H143a37.12 37.12 0 0 0-32.1 18.54L78.77 142.2a37.1 37.1 0 0 0 0 37l32.13 55.66A37.12 37.12 0 0 0 143 253.4h14.3a37.11 37.11 0 0 0 29.9-15.27z" id="path35"/></g></svg>


v3.13.6/build/robots.txt Normal file

@ -0,0 +1,3 @@
# https://www.robotstxt.org/robotstxt.html
User-agent: *
Disallow:


@ -0,0 +1,151 @@
/*
object-assign
(c) Sindre Sorhus
@license MIT
*/
/*! *****************************************************************************
Copyright (c) Microsoft Corporation.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
***************************************************************************** */
/*! Hammer.JS - v2.0.17-rc - 2019-12-16
* http://naver.github.io/egjs
*
* Forked By Naver egjs
* Copyright (c) hammerjs
* Licensed under the MIT license */
/*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/facebook/regenerator/blob/main/LICENSE */
/**
* @license
* Copyright (c) 2012-2013 Chris Pettitt
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* @license
* Lodash <https://lodash.com/>
* Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
* Released under MIT license <https://lodash.com/license>
* Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
* Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
*/
/**
* A better abstraction over CSS.
*
* @copyright Oleg Isonen (Slobodskoi) / Isonen 2014-present
* @website https://github.com/cssinjs/jss
* @license MIT
*/
/**
* vis-timeline and vis-graph2d
* https://visjs.github.io/vis-timeline/
*
* Create a fully customizable, interactive timeline with items and ranges.
*
* @version 7.7.0
* @date 2022-07-10T21:34:08.601Z
*
* @copyright (c) 2011-2017 Almende B.V, http://almende.com
* @copyright (c) 2017-2019 visjs contributors, https://github.com/visjs
*
* @license
* vis.js is dual licensed under both
*
* 1. The Apache 2.0 License
* http://www.apache.org/licenses/LICENSE-2.0
*
* and
*
* 2. The MIT License
* http://opensource.org/licenses/MIT
*
* vis.js may be distributed under either license.
*/
/** @license React v0.19.1
* scheduler.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
/** @license React v16.13.1
* react-is.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
/** @license React v16.14.0
* react-dom.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
/** @license React v16.14.0
* react-jsx-runtime.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
/** @license React v16.14.0
* react.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
/** @license React v17.0.2
* react-is.production.min.js
*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
//! moment.js

File diff suppressed because one or more lines are too long

v3.13.6/config.dev/App.jsx Normal file

@ -0,0 +1,183 @@
import React, { Component } from "react";
import { Route, Switch } from "react-router-dom";
import { makeStyles } from "@material-ui/styles";
import { Button, AppBar, Toolbar } from "@material-ui/core";
import AppLogo from "./plugins/AppLogo";
import NavLink from "./components/NavLink";
import WorkflowSearch from "./pages/executions/WorkflowSearch";
import TaskSearch from "./pages/executions/TaskSearch";
import Execution from "./pages/execution/Execution";
import WorkflowDefinitions from "./pages/definitions/Workflow";
import WorkflowDefinition from "./pages/definition/WorkflowDefinition";
import TaskDefinitions from "./pages/definitions/Task";
import TaskDefinition from "./pages/definition/TaskDefinition";
import EventHandlerDefinitions from "./pages/definitions/EventHandler";
import EventHandlerDefinition from "./pages/definition/EventHandler";
import TaskQueue from "./pages/misc/TaskQueue";
import KitchenSink from "./pages/kitchensink/KitchenSink";
import DiagramTest from "./pages/kitchensink/DiagramTest";
import Examples from "./pages/kitchensink/Examples";
import Gantt from "./pages/kitchensink/Gantt";
import CustomRoutes from "./plugins/CustomRoutes";
import AppBarModules from "./plugins/AppBarModules";
import CustomAppBarButtons from "./plugins/CustomAppBarButtons";
import Workbench from "./pages/workbench/Workbench";
import { Helmet } from "react-helmet";
const useStyles = makeStyles((theme) => ({
root: {
backgroundColor: "#efefef",
display: "flex",
},
body: {
width: "100vw",
height: "100vh",
paddingTop: theme.overrides.MuiAppBar.root.height,
},
toolbarRight: {
marginLeft: "auto",
display: "flex",
flexDirection: "row",
},
toolbarRegular: {
minHeight: 80,
},
}));
class AppAuth extends Component{
render(){
return (
<div>
<Helmet>
<script src="https://cdn.dev.d4science.org/boot/d4s-boot.js"></script>
</Helmet>
<d4s-boot-2 url="https://accounts.dev.d4science.org/auth" redirect-url="http://localhost/login/callback" gateway="conductor-ui">
</d4s-boot-2>
</div>
)
}
}
class AppBody extends Component{
constructor(props){
super(props)
this.state = { open : false }
}
setOpen(v){
this.setState({ open : v })
}
componentDidMount() {
document.addEventListener("authenticated", ev=>{
this.setOpen(true)
})
}
render(){
const classes = this.props.classes;
return !this.state.open ? <div></div> : (
<div className={classes.root}>
<AppBar position="fixed">
<Toolbar
classes={{
regular: classes.toolbarRegular,
}}
>
<AppLogo />
<Button component={NavLink} path="/">
Executions
</Button>
<Button component={NavLink} path="/workflowDefs">
Definitions
</Button>
<Button component={NavLink} path="/taskQueue">
Task Queues
</Button>
<Button component={NavLink} path="/workbench">
Workbench
</Button>
<CustomAppBarButtons />
<div className={classes.toolbarRight}>
<AppBarModules />
</div>
</Toolbar>
</AppBar>
<div className={classes.body}>
<Switch>
<Route exact path="/">
<WorkflowSearch />
</Route>
<Route exact path="/search/by-tasks">
<TaskSearch />
</Route>
<Route path="/execution/:id/:taskId?">
<Execution />
</Route>
<Route exact path="/workflowDefs">
<WorkflowDefinitions />
</Route>
<Route exact path="/workflowDef/:name?/:version?">
<WorkflowDefinition />
</Route>
<Route exact path="/taskDefs">
<TaskDefinitions />
</Route>
<Route exact path="/taskDef/:name?">
<TaskDefinition />
</Route>
<Route exact path="/eventHandlerDef">
<EventHandlerDefinitions />
</Route>
<Route exact path="/eventHandlerDef/:name">
<EventHandlerDefinition />
</Route>
<Route exact path="/taskQueue/:name?">
<TaskQueue />
</Route>
<Route exact path="/workbench">
<Workbench />
</Route>
<Route exact path="/kitchen">
<KitchenSink />
</Route>
<Route exact path="/kitchen/diagram">
<DiagramTest />
</Route>
<Route exact path="/kitchen/examples">
<Examples />
</Route>
<Route exact path="/kitchen/gantt">
<Gantt />
</Route>
<CustomRoutes />
</Switch>
</div>
</div>
)
}
}
class AppContent extends Component{
render(){
return(
<div>
<AppAuth/>
<AppBody classes={this.props.classes}/>
</div>
)
}
}
//Keep functional constructor to avoid problems with useStyles
export default function App() {
const classes = useStyles();
return <AppContent classes={classes}/>
}
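Review bot: the `d4s-boot-2` element in `AppAuth` hard-codes `redirect-url="http://localhost/login/callback"` in a file that lives under `config.dev` and points the IdP at `https://accounts.dev.d4science.org/auth`; the OIDC redirect should be the deployed UI's HTTPS origin (or be derived from `window.location.origin`), otherwise the callback either fails against the redirect URIs registered at the IdP or sends the authorization response to whatever is listening on the user's own port 80. The boot script is loaded from `https://cdn.dev.d4science.org/boot/d4s-boot.js` with no `integrity` attribute, so whoever controls that CDN path controls the login handling and every `secureFetch` the UI makes; pin a version and add SRI, or vendor the script into the build. Minor: the `authenticated` listener added in `componentDidMount` is never removed in `componentWillUnmount`.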


@ -0,0 +1,11 @@
[common]
loglevel = info
threads = 1
pollrate = 1
[pymail]
server = smtp-relay.d4science.org
user = conductor_dev
password =
protocol = starttls
port = 587
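Review bot: `password =` is left empty, which only works if the container fills it in at runtime; if that substitution is missing, the mailer silently authenticates as `conductor_dev` against `smtp-relay.d4science.org` with an empty password and the failure shows up as a delivery error rather than a config error. Document the injected variable next to the key, or fail fast when it is unset. `protocol = starttls` on port 587 is right, but check that the client also verifies the relay's certificate, since an unverified STARTTLS session is trivially stripped on the path.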


@ -0,0 +1,26 @@
# Database persistence type.
conductor.db.type=postgres
spring.datasource.url=jdbc:postgresql://postgres:5432/conductor
spring.datasource.username=conductor
spring.datasource.password=conductor
# Hikari pool sizes are -1 by default and prevent startup
spring.datasource.hikari.maximum-pool-size=10
spring.datasource.hikari.minimum-idle=2
# Elastic search instance indexing is disabled.
conductor.indexing.enabled=true
conductor.elasticsearch.version=7
conductor.elasticsearch.url=http://es:9200
conductor.elasticsearch.clusterHealthColor=yellow
#Enable Prometheus
conductor.metrics-prometheus.enabled=true
management.endpoints.web.exposure.include=prometheus,health,info,metrics
# GRPC disabled
conductor.grpc-server.enabled=false
# Load sample kitchen sink disabled
loadSample=false
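Review bot: the comment above `conductor.indexing.enabled=true` says indexing is disabled, which is the opposite of the value; fix the comment so nobody assumes Elasticsearch is off. `spring.datasource.username=conductor` with `spring.datasource.password=conductor` is a default credential on a host named `postgres` that is presumably only reachable on the stack network, acceptable for dev, but this block is copied verbatim into `config.pre`, so it must not become the template prod is derived from. `management.endpoints.web.exposure.include=prometheus,health,info,metrics` exposes the actuator on the server port while the nginx config only proxies `/health` and `/actuator/prometheus`; confirm the remaining endpoints are not reachable by another route.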


@ -0,0 +1,87 @@
upstream conductor_server {
ip_hash;
server conductor-server:8080;
}
map $http_authorization $source_auth {
default "";
}
js_var $auth_token;
js_var $pep_credentials;
server {
listen 80;
server_name conductor conductor.dev.d4science.org;
location / {
# This would be the directory where your React app's static files are stored at
root /usr/share/nginx/html;
try_files $uri /index.html;
}
location /health {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /actuator/prometheus {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /api/ {
js_content pep.enforce;
}
location @backend {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_pass http://conductor_server;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
proxy_ignore_headers Cache-Control Expires Set-Cookie;
gunzip on;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_pass "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
gunzip on;
}
}
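Review bot: `proxy_cache_key $source_auth` in `/jwt_verify_request` does not key the introspection cache by token. `$source_auth` is produced by `map $http_authorization $source_auth { default ""; }`, which has no other branch, so it is the empty string for every request and all cached introspection responses share a single key. With `proxy_cache_valid 200 10s`, an `active: true` answer obtained for one bearer token is served for a different, possibly forged, token for up to ten seconds, and because `verifyToken` in `pep.js` then takes the claims from the token's own base64 payload rather than from the introspection response, the forged claims are what the PDP evaluates. The comment `# Cache for each source authentication` states the intent; implement it with `default $http_authorization;` in the map (or a hash of it, since the key is stored in the cache zone). Separately, `/jwt_request` sends the client's raw `client_secret` or password to the IdP; that is by design for the basic-auth path, but it is one more reason the `listen 80` front end must sit behind TLS termination and `@backend` should forward `X-Forwarded-Proto` along with `X-Forwarded-For`.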

v3.13.6/config.pre/App.jsx Normal file

@ -0,0 +1,183 @@
import React, { Component } from "react";
import { Route, Switch } from "react-router-dom";
import { makeStyles } from "@material-ui/styles";
import { Button, AppBar, Toolbar } from "@material-ui/core";
import AppLogo from "./plugins/AppLogo";
import NavLink from "./components/NavLink";
import WorkflowSearch from "./pages/executions/WorkflowSearch";
import TaskSearch from "./pages/executions/TaskSearch";
import Execution from "./pages/execution/Execution";
import WorkflowDefinitions from "./pages/definitions/Workflow";
import WorkflowDefinition from "./pages/definition/WorkflowDefinition";
import TaskDefinitions from "./pages/definitions/Task";
import TaskDefinition from "./pages/definition/TaskDefinition";
import EventHandlerDefinitions from "./pages/definitions/EventHandler";
import EventHandlerDefinition from "./pages/definition/EventHandler";
import TaskQueue from "./pages/misc/TaskQueue";
import KitchenSink from "./pages/kitchensink/KitchenSink";
import DiagramTest from "./pages/kitchensink/DiagramTest";
import Examples from "./pages/kitchensink/Examples";
import Gantt from "./pages/kitchensink/Gantt";
import CustomRoutes from "./plugins/CustomRoutes";
import AppBarModules from "./plugins/AppBarModules";
import CustomAppBarButtons from "./plugins/CustomAppBarButtons";
import Workbench from "./pages/workbench/Workbench";
import { Helmet } from "react-helmet";
const useStyles = makeStyles((theme) => ({
root: {
backgroundColor: "#efefef",
display: "flex",
},
body: {
width: "100vw",
height: "100vh",
paddingTop: theme.overrides.MuiAppBar.root.height,
},
toolbarRight: {
marginLeft: "auto",
display: "flex",
flexDirection: "row",
},
toolbarRegular: {
minHeight: 80,
},
}));
class AppAuth extends Component{
render(){
return (
<div>
<Helmet>
<script src="https://cdn.pre.d4science.org/boot/d4s-boot.js"></script>
</Helmet>
<d4s-boot-2 url="https://accounts.pre.d4science.org/auth" redirect-url="http://localhost/login/callback" gateway="conductor-ui">
</d4s-boot-2>
</div>
)
}
}
class AppBody extends Component{
constructor(props){
super(props)
this.state = { open : false }
}
setOpen(v){
this.setState({ open : v })
}
componentDidMount() {
document.addEventListener("authenticated", ev=>{
this.setOpen(true)
})
}
render(){
const classes = this.props.classes;
return !this.state.open ? <div></div> : (
<div className={classes.root}>
<AppBar position="fixed">
<Toolbar
classes={{
regular: classes.toolbarRegular,
}}
>
<AppLogo />
<Button component={NavLink} path="/">
Executions
</Button>
<Button component={NavLink} path="/workflowDefs">
Definitions
</Button>
<Button component={NavLink} path="/taskQueue">
Task Queues
</Button>
<Button component={NavLink} path="/workbench">
Workbench
</Button>
<CustomAppBarButtons />
<div className={classes.toolbarRight}>
<AppBarModules />
</div>
</Toolbar>
</AppBar>
<div className={classes.body}>
<Switch>
<Route exact path="/">
<WorkflowSearch />
</Route>
<Route exact path="/search/by-tasks">
<TaskSearch />
</Route>
<Route path="/execution/:id/:taskId?">
<Execution />
</Route>
<Route exact path="/workflowDefs">
<WorkflowDefinitions />
</Route>
<Route exact path="/workflowDef/:name?/:version?">
<WorkflowDefinition />
</Route>
<Route exact path="/taskDefs">
<TaskDefinitions />
</Route>
<Route exact path="/taskDef/:name?">
<TaskDefinition />
</Route>
<Route exact path="/eventHandlerDef">
<EventHandlerDefinitions />
</Route>
<Route exact path="/eventHandlerDef/:name">
<EventHandlerDefinition />
</Route>
<Route exact path="/taskQueue/:name?">
<TaskQueue />
</Route>
<Route exact path="/workbench">
<Workbench />
</Route>
<Route exact path="/kitchen">
<KitchenSink />
</Route>
<Route exact path="/kitchen/diagram">
<DiagramTest />
</Route>
<Route exact path="/kitchen/examples">
<Examples />
</Route>
<Route exact path="/kitchen/gantt">
<Gantt />
</Route>
<CustomRoutes />
</Switch>
</div>
</div>
)
}
}
class AppContent extends Component{
render(){
return(
<div>
<AppAuth/>
<AppBody classes={this.props.classes}/>
</div>
)
}
}
//Keep functional constructor to avoid problems with useStyles
export default function App() {
const classes = useStyles();
return <AppContent classes={classes}/>
}
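Review bot: same as the dev copy: `redirect-url="http://localhost/login/callback"` is hard-coded in a `config.pre` file whose IdP is `https://accounts.pre.d4science.org/auth`, and `d4s-boot.js` is loaded from `cdn.pre.d4science.org` without an `integrity` attribute. Three near-identical 183-line copies of `App.jsx` that differ only in two URLs invite drift (the prod copy already shows it); read those two URLs from a build-time environment variable or a runtime config file and keep one `App.jsx`.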


@ -0,0 +1,11 @@
[common]
loglevel = info
threads = 1
pollrate = 1
[pymail]
server = smtp-relay.d4science.org
user = conductor_pre
password =
protocol = starttls
port = 587


@ -0,0 +1,26 @@
# Database persistence type.
conductor.db.type=postgres
spring.datasource.url=jdbc:postgresql://postgres:5432/conductor
spring.datasource.username=conductor
spring.datasource.password=conductor
# Hikari pool sizes are -1 by default and prevent startup
spring.datasource.hikari.maximum-pool-size=10
spring.datasource.hikari.minimum-idle=2
# Elastic search instance indexing is disabled.
conductor.indexing.enabled=true
conductor.elasticsearch.version=7
conductor.elasticsearch.url=http://es:9200
conductor.elasticsearch.clusterHealthColor=yellow
#Enable Prometheus
conductor.metrics-prometheus.enabled=true
management.endpoints.web.exposure.include=prometheus,health,info,metrics
# GRPC disabled
conductor.grpc-server.enabled=false
# Load sample kitchen sink disabled
loadSample=false
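Review bot: this is a byte-for-byte copy of the dev properties, including `spring.datasource.password=conductor` and the inverted comment above `conductor.indexing.enabled=true`; pre-production should at least carry its own database credential so a dev leak does not open pre as well.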


@ -0,0 +1,88 @@
upstream conductor_server {
ip_hash;
server conductor-server:8080;
}
map $http_authorization $source_auth {
default "";
}
js_var $auth_token;
js_var $pep_credentials;
server {
listen 80;
server_name conductor.pre.d4science.org;
location / {
# This would be the directory where your React app's static files are stored at
root /usr/share/nginx/html;
try_files $uri /index.html;
}
location /health {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /actuator/prometheus {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /api/ {
js_content pep.enforce;
}
location @backend {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_pass http://conductor_server;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.pre.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
proxy_ignore_headers Cache-Control Expires Set-Cookie;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.pre.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.pre.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
}
}
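Review bot: identical to the dev copy apart from the host name and the `proxy_set_header Accept-Encoding identity;` lines, so the always-empty `$source_auth` cache key (the `map` above only has `default ""`) applies here as well. Consider moving the `map`, the three `/jwt_*` locations and `/permission_request` into a shared include so the key fix lands once instead of three times.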

v3.13.6/config.prod/App.jsx Normal file

@ -0,0 +1,183 @@
import React, { Component } from "react";
import { Route, Switch } from "react-router-dom";
import { makeStyles } from "@material-ui/styles";
import { Button, AppBar, Toolbar } from "@material-ui/core";
import AppLogo from "./plugins/AppLogo";
import NavLink from "./components/NavLink";
import WorkflowSearch from "./pages/executions/WorkflowSearch";
import TaskSearch from "./pages/executions/TaskSearch";
import Execution from "./pages/execution/Execution";
import WorkflowDefinitions from "./pages/definitions/Workflow";
import WorkflowDefinition from "./pages/definition/WorkflowDefinition";
import TaskDefinitions from "./pages/definitions/Task";
import TaskDefinition from "./pages/definition/TaskDefinition";
import EventHandlerDefinitions from "./pages/definitions/EventHandler";
import EventHandlerDefinition from "./pages/definition/EventHandler";
import TaskQueue from "./pages/misc/TaskQueue";
import KitchenSink from "./pages/kitchensink/KitchenSink";
import DiagramTest from "./pages/kitchensink/DiagramTest";
import Examples from "./pages/kitchensink/Examples";
import Gantt from "./pages/kitchensink/Gantt";
import CustomRoutes from "./plugins/CustomRoutes";
import AppBarModules from "./plugins/AppBarModules";
import CustomAppBarButtons from "./plugins/CustomAppBarButtons";
import Workbench from "./pages/workbench/Workbench";
import { Helmet } from "react-helmet";
const useStyles = makeStyles((theme) => ({
root: {
backgroundColor: "#efefef",
display: "flex",
},
body: {
width: "100vw",
height: "100vh",
paddingTop: theme.overrides.MuiAppBar.root.height,
},
toolbarRight: {
marginLeft: "auto",
display: "flex",
flexDirection: "row",
},
toolbarRegular: {
minHeight: 80,
},
}));
class AppAuth extends Component{
render(){
return (
<div>
<Helmet>
<script src="https://cdn.pre.d4science.org/boot/d4s-boot.js"></script>
</Helmet>
<d4s-boot-2 url="https://accounts.d4science.org/auth" redirect-url="http://localhost/login/callback" gateway="conductor-ui">
</d4s-boot-2>
</div>
)
}
}
class AppBody extends Component{
constructor(props){
super(props)
this.state = { open : false }
}
setOpen(v){
this.setState({ open : v })
}
componentDidMount() {
document.addEventListener("authenticated", ev=>{
this.setOpen(true)
})
}
render(){
const classes = this.props.classes;
return !this.state.open ? <div></div> : (
<div className={classes.root}>
<AppBar position="fixed">
<Toolbar
classes={{
regular: classes.toolbarRegular,
}}
>
<AppLogo />
<Button component={NavLink} path="/">
Executions
</Button>
<Button component={NavLink} path="/workflowDefs">
Definitions
</Button>
<Button component={NavLink} path="/taskQueue">
Task Queues
</Button>
<Button component={NavLink} path="/workbench">
Workbench
</Button>
<CustomAppBarButtons />
<div className={classes.toolbarRight}>
<AppBarModules />
</div>
</Toolbar>
</AppBar>
<div className={classes.body}>
<Switch>
<Route exact path="/">
<WorkflowSearch />
</Route>
<Route exact path="/search/by-tasks">
<TaskSearch />
</Route>
<Route path="/execution/:id/:taskId?">
<Execution />
</Route>
<Route exact path="/workflowDefs">
<WorkflowDefinitions />
</Route>
<Route exact path="/workflowDef/:name?/:version?">
<WorkflowDefinition />
</Route>
<Route exact path="/taskDefs">
<TaskDefinitions />
</Route>
<Route exact path="/taskDef/:name?">
<TaskDefinition />
</Route>
<Route exact path="/eventHandlerDef">
<EventHandlerDefinitions />
</Route>
<Route exact path="/eventHandlerDef/:name">
<EventHandlerDefinition />
</Route>
<Route exact path="/taskQueue/:name?">
<TaskQueue />
</Route>
<Route exact path="/workbench">
<Workbench />
</Route>
<Route exact path="/kitchen">
<KitchenSink />
</Route>
<Route exact path="/kitchen/diagram">
<DiagramTest />
</Route>
<Route exact path="/kitchen/examples">
<Examples />
</Route>
<Route exact path="/kitchen/gantt">
<Gantt />
</Route>
<CustomRoutes />
</Switch>
</div>
</div>
)
}
}
class AppContent extends Component{
render(){
return(
<div>
<AppAuth/>
<AppBody classes={this.props.classes}/>
</div>
)
}
}
//Keep functional constructor to avoid problems with useStyles
export default function App() {
const classes = useStyles();
return <AppContent classes={classes}/>
}
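Review bot: `config.prod/App.jsx` loads the boot script from `https://cdn.pre.d4science.org/boot/d4s-boot.js` while the IdP is `https://accounts.d4science.org/auth`, so the production login page executes code served by the pre-production CDN; a compromise or a breaking change in pre now lands on prod users. Point it at the production CDN and add an `integrity` attribute. `redirect-url="http://localhost/login/callback"` is still hard-coded here too, which cannot be a valid registered redirect URI for `conductor.d4science.org`.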


@ -0,0 +1,11 @@
[common]
loglevel = info
threads = 1
pollrate = 1
[pymail]
server = smtp-relay.d4science.org
user = conductor_prod
password =
protocol = starttls
port = 587


@ -0,0 +1,26 @@
# Database persistence type.
conductor.db.type=postgres
spring.datasource.url=jdbc:postgresql://postgresql-srv.d4science.org:5432/conductor
spring.datasource.username=conductor_u
spring.datasource.password=c36dda661add7c2b5093087ddb655992
# Hikari pool sizes are -1 by default and prevent startup
spring.datasource.hikari.maximum-pool-size=10
spring.datasource.hikari.minimum-idle=2
# Elastic search instance indexing is disabled.
conductor.indexing.enabled=true
conductor.elasticsearch.version=7
conductor.elasticsearch.url=http://es:9200
conductor.elasticsearch.clusterHealthColor=yellow
#Enable Prometheus
conductor.metrics-prometheus.enabled=true
management.endpoints.web.exposure.include=prometheus,health,info,metrics
# GRPC disabled
conductor.grpc-server.enabled=false
# Load sample kitchen sink disabled
loadSample=false
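Review bot: the `spring.datasource.password=` line directly under `spring.datasource.username=conductor_u` commits a live production database credential for `postgresql-srv.d4science.org` to the repository. Treat it as compromised: rotate it on the server, remove it from this file (and from history if the repository is ever shared), and inject it at runtime the way `password =` is left blank in the pymail config, for example `spring.datasource.password=${CONDUCTOR_DB_PASSWORD}` with Spring's property placeholder resolving an environment variable (variable name is an example). The JDBC URL also carries no `sslmode=require`, so the credential and workflow data cross the network in clear unless the server enforces TLS. The comment above `conductor.indexing.enabled=true` is inverted here as well.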


@ -0,0 +1,88 @@
upstream conductor_server {
ip_hash;
server conductor-server:8080;
}
map $http_authorization $source_auth {
default "";
}
js_var $auth_token;
js_var $pep_credentials;
server {
listen 80;
server_name conductor.d4science.org;
location / {
# This would be the directory where your React app's static files are stored at
root /usr/share/nginx/html;
try_files $uri /index.html;
}
location /health {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /actuator/prometheus {
proxy_set_header Host $host;
proxy_pass http://conductor_server;
}
location /api/ {
js_content pep.enforce;
}
location @backend {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_pass http://conductor_server;
}
location /jwt_verify_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
proxy_ignore_headers Cache-Control Expires Set-Cookie;
proxy_cache token_responses; # Enable caching
proxy_cache_key $source_auth; # Cache for each source authentication
proxy_cache_lock on; # Duplicate tokens must wait
proxy_cache_valid 200 10s; # How long to use each response
}
location /jwt_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Authorization $pep_credentials;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
}
location /permission_request {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Bearer $auth_token";
proxy_set_header Accept-Encoding identity;
proxy_pass "https://accounts.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
}
}
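Review bot: the `map $http_authorization $source_auth { default ""; }` and `proxy_cache_key $source_auth` pair is the same always-empty key as in the dev and pre copies, so the 10 s introspection cache is shared across all tokens on the production host `conductor.d4science.org`; fix the map here first. `listen 80` with no TLS block means a terminator must sit in front; `@backend` then needs `X-Forwarded-Proto` as well, and since `$proxy_add_x_forwarded_for` appends to whatever the client sent, the backend must not trust the first address in that list for rate limiting or audit.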


@ -0,0 +1,12 @@
# In memory database persistence model.
conductor.db.type=memory
# Elastic search instance indexing is disabled.
conductor.indexing.enabled=false
conductor.elasticsearch.clusterHealthColor=yellow
# GRPC disabled
conductor.grpc-server.enabled=false
# Load sample kitchen sink disabled
loadSample=false

v3.13.6/config/fetch.js Normal file

@ -0,0 +1,42 @@
import { useEnv } from "./env";
export function useFetchContext() {
const { stack } = useEnv();
return {
stack,
ready: true,
};
}
export function fetchWithContext(
path,
context,
fetchParams,
isJsonResponse = true
) {
const newParams = { ...fetchParams };
const newPath = `/api/${path}`;
const cleanPath = newPath.replace(/([^:]\/)\/+/g, "$1"); // Cleanup duplicated slashes
const boot = document.querySelector("d4s-boot-2")
return boot.secureFetch(cleanPath, newParams)
.then((res) => Promise.all([res, res.text()]))
.then(([res, text]) => {
if (!res.ok) {
// get error message from body or default to response status
const error = text || res.status;
return Promise.reject(error);
} else if (!text || text.length === 0) {
return null;
} else if (!isJsonResponse) {
return text;
} else {
try {
return JSON.parse(text);
} catch (e) {
return text;
}
}
});
}
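Review bot: `document.querySelector("d4s-boot-2")` returns `null` if `fetchWithContext` runs before `AppAuth` has rendered the element, and `boot.secureFetch(...)` then throws a synchronous TypeError instead of the rejected promise callers expect; guard it (`if (!boot) return Promise.reject(new Error("boot element not ready"))`). `path` is interpolated into `/api/${path}` unencoded and the regex only squashes duplicated slashes, so callers must not pass user-derived segments (workflow ids, task names) without `encodeURIComponent`. On a non-2xx response the raw backend body is rejected as the error value; check that the components showing it render it as text, not markup.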


@ -0,0 +1,139 @@
export default { config };
var config = {
"hosts" : [
{
"host": ["conductor.d4science.org", "conductor.pre.d4science.org", "conductor.dev.d4science.org", "conductor.int.d4science.net", "conductor"],
"audience" : "conductor-server",
"allow-basic-auth" : true,
"paths" : [
{
"name" : "metadata",
"path" : "^/api/metadata/(taskdefs|workflow)/?.*$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get","list"]
}
]
},
{
"name" : "metadata.taskdefs",
"path" : "^/api/metadata/taskdefs/?.*$",
"methods" : [
{
"method" : "POST",
"scopes" : ["create"]
},
{
"method" : "DELETE",
"scopes" : ["delete"],
},
{
"method" : "PUT",
"scopes" : ["update"],
}
]
},
{
"name" : "metadata.workflow",
"path" : "^/api/metadata/workflow/?.*$",
"methods" : [
{
"method" : "POST",
"scopes" : ["create"]
},
{
"method" : "DELETE",
"scopes" : ["delete"],
},
{
"method" : "PUT",
"scopes" : ["update"],
}
]
},
{
"name" : "workflow",
"path" : "^/api/workflow/?.*$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get"],
},
{
"method" : "POST",
"scopes" : ["start"],
},
{
"method" : "DELETE",
"scopes" : ["terminate"],
}
]
},
{
"name" : "event",
"path" : "^/api/event/?.*$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get"],
},
{
"method" : "POST",
"scopes" : ["create"],
},
{
"method" : "DELETE",
"scopes" : ["delete"],
},
{
"method" : "PUT",
"scopes" : ["update"],
}
]
},
{
"name" : "task",
"path" : "^/api/tasks/poll/.+$",
"methods" : [
{
"method" : "GET",
"scopes" : ["poll"],
}
]
},
{
"name" : "queue",
"path" : "^/api/tasks/queue/.+$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get"],
}
]
},
{
"name" : "task",
"path" : "^/api/tasks[/]?$",
"methods" : [
{
"method" : "POST",
"scopes" : ["update"],
}
]
},
{
"name" : "log",
"path" : "^/api/tasks/.+/log$",
"methods" : [
{
"method" : "GET",
"scopes" : ["get"],
}
]
}
]
}
]
}
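Review bot: `"allow-basic-auth" : true` applies to the whole `host` list, including `conductor.d4science.org`, and `requestToken` in `pep.js` falls back to `grant_type=password` when `client_credentials` is refused, so on production an end user's password can be sent in a Basic header to the API and exchanged for a token by the proxy. Restrict basic auth to service clients (client_credentials only) or disable it for the prod host. Two path entries are both named `"task"` (`^/api/tasks/poll/.+$` and `^/api/tasks[/]?$`), which makes logs and permission names ambiguous; give the second a distinct name such as `task.update`. Also confirm that njs evaluates `export default { config }` after the `var config = ...` assignment that follows it: under standard module semantics the object literal would capture `undefined` at export time.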


@ -0,0 +1,45 @@
# Added to load njs module
load_module modules/ngx_http_js_module.so;
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
env pep_credentials;
http {
# added to import pep script
js_import pep.js;
# added to bind enforce function
js_set $authorization pep.enforce;
# added to create cache for tokens and auth calls
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
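Review bot: `env pep_credentials;` passes only the lower-case variable into the njs process, but `exportPepCredentials` in `pep.js` builds the header from `process.env["PEP_CREDENTIALS"]` after testing either spelling, so a deployment that sets `pep_credentials` passes the existence check and then sends `Authorization: Basic undefined` to the IdP. Either declare `env PEP_CREDENTIALS;` here (and use that name in the stack) or have the function read the same variable it tested. `js_set $authorization pep.enforce;` binds `$authorization` to a handler that performs subrequests and `internalRedirect`, which `js_set` handlers may not do, and nothing in the server blocks reads `$authorization`; remove it. Two logging points: with `_debug = true` in `pep.js`, `verifyToken` writes every bearer token into the `error_log /var/log/nginx/error.log` configured above, and `proxy_cache_path /var/cache/nginx/pep` stores introspection bodies (subject, client, scopes) on disk, so keep both off shared volumes and turn the debug flag off outside dev.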

v3.13.6/config/nginx/pep.js Normal file

@ -0,0 +1,332 @@
export default { enforce };
import defaultExport from './config.js';
function log(c, s){
c.request.error(s)
}
var _debug = true
function debug(c, s){
if(_debug === true){
log(c, s)
}
}
function enforce(r) {
var context = {
request: r ,
config : defaultExport["config"],
backend : (defaultExport.backend ? defaultExport.backend : "@backend")
}
log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
context = computeProtection(context)
wkf.run(wkf.build(context), context)
}
// ######## WORKFLOW FUNCTIONS ###############
var wkf = {
build : (context)=>{
var actions = [
"export_pep_credentials",
"parse_authentication",
"check_authentication",
"export_authn_token",
"pip",
"pdp",
"export_backend_headers",
"pass"
]
return actions
},
run : (actions, context) => {
context.request.error("Starting workflow with " + njs.dump(actions))
var w = actions.reduce(
(acc, f) => { return acc.then(typeof(f) === "function" ? f : wkf[f]) },
Promise.resolve().then(()=>context)
)
w.catch(e => { context.request.error(njs.dump(e)); context.request.return(401)} )
},
export_pep_credentials : exportPepCredentials,
export_authn_token : exportAuthToken,
export_backend_headers : exportBackendHeaders,
parse_authentication : parseAuthentication,
check_authentication : checkAuthentication,
verify_token : verifyToken,
request_token : requestToken,
pip : pipExecutor,
pdp : pdpExecutor,
pass : pass,
//PIP utilities
"get-path-component" : (c, i) => c.request.uri.split("/")[i],
"get-token-field" : getTokenField,
"get-contexts" : (c) => {
var ra = c.authn.verified_token["resource_access"]
if(ra){
var out = [];
for(var k in ra){
if(ra[k].roles && ra[k].roles.length !== 0) out.push(k)
}
}
return out;
}
}
function getTokenField(context, f){
return context.authn.verified_token[f]
}
function exportVariable(context, name, value){
context.request.variables[name] = value
return context
}
function exportBackendHeaders(context){
return context
}
function exportPepCredentials(context){
if(process.env["pep_credentials"] || process.env["PEP_CREDENTIALS"]){
return exportVariable(context, "pep_credentials", "Basic " + process.env["PEP_CREDENTIALS"])
}else if(context.config["pep_credentials"]){
return exportVariable(context, "pep_credentials", "Basic " + context.config["pep_credentials"])
}else{
throw new Error("Need PEP credentials")
}
}
function exportAuthToken(context){
return exportVariable(context, "auth_token", context.authn.token)
}
function checkAuthentication(context){
return context.authn.type === "bearer" ? wkf.verify_token(context) : wkf.request_token(context)
}
function parseAuthentication(context){
context.request.log("Inside parseAuthentication")
var incomingauth = context.request.headersIn["Authorization"]
if(!incomingauth) throw new Error("Authentication required");
var arr = incomingauth.trim().replace(/\s\s+/g, " ").split(" ")
if(arr.length != 2) throw new Error("Unknown authentication scheme");
var type = arr[0].toLowerCase()
if(type === "basic" && context.authz.host && context.authz.host["allow-basic-auth"]){
var unamepass = Buffer.from(arr[1], 'base64').toString().split(":")
if(unamepass.length != 2) return null;
context.authn = { type : type, raw : arr[1], user : unamepass[0], password : unamepass[1]}
return context
}else if(type === "bearer"){
context.authn = { type : type, raw : arr[1], token : arr[1]}
return context
}
throw new Error("Unknown authentication scheme");
}
function verifyToken(context){
log(context, "Inside verifyToken")
debug(context, "Token is " + context.authn.token)
var options = {
"body" : "token=" + context.authn.token + "&token_type_hint=access_token"
}
return context.request.subrequest("/jwt_verify_request", options)
.then(reply=>{
if (reply.status === 200) {
var response = JSON.parse(reply.responseBody);
if (response.active === true) {
return response
} else {
throw new Error("Unauthorized: " + reply.responseBody)
}
} else {
throw new Error("Unauthorized: " + reply.responseBody)
}
}).then(verified_token => {
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
})
}
function requestToken(context){
log(context, "Inside requestToken")
var options = {
"body" : "grant_type=client_credentials&client_id="+context.authn.user+"&client_secret="+context.authn.password
}
return context.request.subrequest("/jwt_request", options)
.then(reply=>{
if (reply.status === 200) {
var response = JSON.parse(reply.responseBody);
context.authn.token = response.access_token
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
} else if (reply.status === 400 || reply.status === 401){
var options = {
"body" : "grant_type=password&username="+context.authn.user+"&password="+context.authn.password
}
return context.request.subrequest("/jwt_request", options)
.then( reply=>{
if (reply.status === 200) {
var response = JSON.parse(reply.responseBody);
context.authn.token = response.access_token
context.authn.verified_token =
JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
return context
} else{
throw new Error("Unauthorized " + reply.status)
}
})
} else {
throw new Error("Unauthorized " + reply.status)
}
})
}
function pipExecutor(context){
log(context, "Inside extra claims PIP")
context.authz.pip.forEach(extra =>{
//call extra claim pip function
try{
var operator = extra.operator
var result = wkf[operator](context, extra.args)
//ensure array and add to extra_claims
if(!(result instanceof Array)) result = [result]
if(!context.extra_claims) context.extra_claims = {};
context.extra_claims[extra.claim] = result
} catch (error){
log(context, "Skipping invalid extra claim " + njs.dump(error))
}
})
log(context, "Extra claims are " + njs.dump(context.extra_claims))
return context
}
function pdpExecutor(context){
log(context, "Inside PDP")
return context.authz.pdp(context)
}
function umaCall(context){
log(context, "Inside UMA call")
var options = { "body" : computePermissionRequestBody(context) };
return context.request.subrequest("/permission_request", options)
.then(reply =>{
if(reply.status === 200){
debug(context, "UMA call reply is " + reply.status)
return context
}else{
throw new Error("Response for authorization request is not ok " + reply.status + " " + njs.dump(reply.responseBody))
}
})
}
function pass(context){
log(context, "Inside pass");
if(typeof(context.backend) === "string") context.request.internalRedirect(context.backend);
else if (typeof(context.backend) === "function") context.request.internalRedirect(context.backend(context))
return context;
}
// ######## AUTHORIZATION PART ###############
function computePermissionRequestBody(context){
if(!context.authz.host || !context.authz.path ){
throw new Error("Enforcemnt mode is always enforcing. Host or path not found...")
}
var audience = computeAudience(context)
var grant = "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
var mode = "response_mode=decision"
var permissions = computePermissions(context)
var extra = ""
if(context.extra_claims){
extra =
"claim_token_format=urn:ietf:params:oauth:token-type:jwt&claim_token=" +
JSON.stringify(context.extra_claims).toString("base64url")
}
var body = audience + "&" + grant + "&" + permissions + "&" + mode + "&" + extra
context.request.error("Computed permission request body is " + body)
return body
}
function computeAudience(context){
var aud = context.request.headersIn.host
if(context.authz.host){
aud = context.authz.host.audience||context.authz.host.host
}
return "audience=" + aud
}
function computePermissions(context){
var resource = context.request.uri
if(context.authz.path){
resource = context.authz.path.name||context.authz.path.path
}
var scopes = []
if(context.authz.method && context.authz.method.scopes){
scopes = context.authz.method.scopes
}
if(scopes.length > 0){
return scopes.map(s=>"permission=" + resource + "#" + s).join("&")
}
return "permission=" + resource
}
function getPath(hostconfig, incomingpath, incomingmethod){
var paths = hostconfig.paths || []
var matchingpaths = paths
.filter(p => {return incomingpath.match(p.path) != null})
.reduce((acc, p) => {
if (!p.methods || p.methods.length === 0) acc.weak.push({ path: p});
else{
var matchingmethods = p.methods.filter(m=>m.method.toUpperCase() === incomingmethod)
if(matchingmethods.length > 0) acc.strong.push({ method : matchingmethods[0], path: p});
}
return acc;
}, { strong: [], weak: []})
return matchingpaths.strong.concat(matchingpaths.weak)[0]
}
function getHost(config, host){
var matching = config.hosts.filter(h=>{
//compare for both string and array of strings
return ((h.host.filter && h.host.indexOf(host) !== -1) || h.host === host)
})
return matching.length > 0 ? matching[0] : null
}
function computeProtection(context){
debug(context, "Getting by host " + context.request.headersIn.host)
context.authz = {}
context.authz.host = getHost(context.config, context.request.headersIn.host)
if(context.authz.host !== null){
log(context, "Host found:" + context.authz.host)
context.authz.pip = context.authz.host.pip ? context.authz.host.pip : [];
context.authz.pdp = context.authz.host.pdp ? context.authz.host.pdp : umaCall;
var pathandmethod = getPath(context.authz.host, context.request.uri, context.request.method);
if(pathandmethod){
context.authz.path = pathandmethod.path;
context.authz.pip = context.authz.path.pip ? context.authz.pip.concat(context.authz.path.pip) : context.authz.pip;
context.authz.pdp = context.authz.path.pdp ? context.authz.path.pdp : context.authz.pdp;
context.authz.method = pathandmethod.method;
if(context.authz.method){
context.authz.pip = context.authz.method.pip ? context.authz.pip.concat(context.authz.method.pip) : context.authz.pip;
context.authz.pdp = context.authz.method.pdp ? context.authz.method.pdp : context.authz.pdp;
}
}
}
debug(context, "Leaving protection computation: ")
return context
}
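Review bot: the claim token built in computePermissionRequestBody is never encoded: `JSON.stringify(context.extra_claims).toString("base64url")` calls String.prototype.toString, which ignores its argument, so `claim_token=` carries raw JSON while `claim_token_format=urn:ietf:params:oauth:token-type:jwt` announces an encoded token. The inverse of the idiom this hunk already uses in verifyToken (`Buffer.from(..., 'base64url')`) is what is wanted here: `Buffer.from(JSON.stringify(context.extra_claims)).toString('base64url')`. Related: every form body in the hunk (`token=`, `client_id=`/`client_secret=`, `username=`/`password=`, `audience=`, `permission=`) is assembled by string concatenation with no `encodeURIComponent`, so a client secret or password containing `&`, `=`, `%` or `+` is misparsed by the IAM and the request fails with only "Unauthorized 401" in the log. In verifyToken the introspection response is discarded (the `verified_token` parameter is unused) and the claims are taken from the client-supplied JWT payload with no signature check; that is only safe because the introspection call gates it, so the ordering deserves a comment. In getPath, `incomingpath.match(p.path)` is an unanchored regex match, so a configured path such as `/api` also selects for `/public/api/x`, and among several matches `[0]` picks by configuration order rather than specificity; anchor the patterns (`^` ... `$`) or state that the first listed path wins. In computeProtection, when getHost returns null, `context.authz.pdp` stays undefined and pdpExecutor later fails with a TypeError rather than an explicit deny (unless something upstream short-circuits on a null host); return a rejecting decision for unknown hosts instead of relying on the exception. Finally, `debug(context, "Token is " + context.authn.token)` and `context.request.error("Computed permission request body is " + body)` write the bearer token and the claim token to the nginx error log; drop these or log a truncated digest.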

@ -0,0 +1,150 @@
version: '3.6'
services:
postgres:
image: postgres:14
environment:
- POSTGRES_USER=conductor
- POSTGRES_PASSWORD=conductor
volumes:
- pg_db_data:/var/lib/postgresql/data
networks:
- conductor-network
healthcheck:
test: timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/5432'
interval: 5s
timeout: 5s
retries: 12
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: 5s
window: 120s
placement:
constraints: [node.role == worker]
logging:
driver: "journald"
es:
image: elasticsearch:7.6.2
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx1024m"
- transport.host=0.0.0.0
- discovery.type=single-node
- xpack.security.enabled=false
volumes:
- es_data:/usr/share/elasticsearch/data
networks:
- conductor-network
healthcheck:
test: timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/9300'
interval: 5s
timeout: 5s
retries: 12
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: 5s
window: 120s
placement:
constraints: [node.role == worker]
logging:
driver: "journald"
conductor-server:
environment:
- CONFIG_PROP=config.properties
image: "nubisware/conductor-server3:dev"
networks:
- conductor-network
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: 5s
window: 120s
placement:
constraints: [node.role == worker]
logging:
driver: "journald"
pep:
image: "nubisware/conductor-frontend:dev"
networks:
- conductor-network
- haproxy-public
deploy:
mode: replicated
endpoint_mode: dnsrr
replicas: 1
restart_policy:
condition: any
delay: 5s
window: 120s
placement:
constraints: [node.role == worker]
environment:
pep_credentials: ${pep_credentials}
workers:
environment:
CONDUCTOR_SERVER: http://conductor-server:8080/api/
CONDUCTOR_HEALTH: http://conductor-server:8080/health
worker_plugins: "Shell Eval Mail HttpBridge"
smtp_pass: ${smtp_pass}
smtp_user: ${smtp_user}
image: 'nubisware/nubisware-conductor-worker-py-d4s'
networks:
- conductor-network
deploy:
mode: replicated
replicas: 2
restart_policy:
condition: any
delay: 5s
window: 120s
logging:
driver: "journald"
pyrestworkers:
environment:
CONDUCTOR_SERVER: http://conductor-server:8080/api/
CONDUCTOR_HEALTH: http://conductor-server:8080/health
worker_plugins: Http
image: 'nubisware/nubisware-conductor-worker-py-d4s'
networks:
- conductor-network
deploy:
mode: replicated
replicas: 2
restart_policy:
condition: any
delay: 5s
window: 120s
logging:
driver: "journald"
networks:
conductor-network:
haproxy-public:
external: true
volumes:
pg_db_data:
driver: local
driver_opts:
type: nfs4
o: "nfsvers=4,addr=146.48.123.250,rw"
device: ":/nfs/conductor_pg_dev"
es_data:
driver: local
driver_opts:
type: nfs4
o: "nfsvers=4,addr=146.48.123.250,rw"
device: ":/nfs/conductor_es_dev"
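Review bot: `POSTGRES_PASSWORD=conductor` is a hard-coded default credential for the database that holds all workflow state, while the other secrets in this file (`pep_credentials`, `smtp_pass`, `smtp_user`) are already injected from the environment; pass it the same way (`POSTGRES_PASSWORD=${postgres_pass}`) or as a Docker secret, and keep it in sync with whatever conductor-server reads via `CONFIG_PROP`. Two more points: `workers` and `pyrestworkers` use `nubisware/nubisware-conductor-worker-py-d4s` with no tag, so each replica resolves `:latest` at its own start time and a restart can silently pick up different code; pin a tag (better, a digest), as the other services at least do with `:dev`. And `es` runs with `xpack.security.enabled=false` and `transport.host=0.0.0.0`; it is not published outside conductor-network, but every container on that overlay, including the worker replicas, can read and modify the indexes without credentials, so either enable security or state that the overlay is the trust boundary. Minor: the ES healthcheck probes the transport port 9300 rather than the HTTP API on 9200, so it passes as soon as the socket is bound, before the node can serve queries, and `pep` is the only service without the `journald` logging driver the others set.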

Some files were not shown because too many files have changed in this diff.