SRAM deploy roles port by mrvanes · Pull Request #634 · OpenConext/OpenConext-deploy

mrvanes · 2026-03-19T15:50:51Z

Port the SRAM-deploy roles to OpenConext

…able

…ion-configurable' into develop

…to develop

…able_account_linking Featue toggle enable_account_linking

…e_app Feature toggle use_app

…feature/#1001-different-email-from-for-nudges-and-warnings

…develop

…ngs' into develop # Conflicts: # roles/myconext/templates/application.yml.j2

…-mail-usage-expression to daily

…tches-to-main' into develop

…ror_mail-configurable-for-prod-and-non-prod-develop #802-differentiate-error_mail-configurable-for-prod-and-non-prod-develop

…to-create-from-institution #1042 Add create-from-institution return-url-allowed-domains

Added sram_rp_entity_id to manage for push functionality

…script Improve ebauth log parsing, and parse stepup-authentication logs also

crosmuller

zie review comments in code

baszoetekouw · 2026-05-04T09:13:34Z

+  bind {{ haproxy_sni_ip.ipv4 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  bind {{ haproxy_sni_ip.ipv6 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  use_backend ldap_servers
+{% endif %}


Hier is ook een firewall change nodig denk ik?

Geen idee, het werkt nu in iedergeval zonder?

baszoetekouw · 2026-05-04T09:16:16Z

+  option  logasap
+  timeout client 900s
+  timeout server 901s
+  bind {{ haproxy_sni_ip.ipv4 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent


Hoe komt de ldap hostname aan een certificaat? Moet dan get_acme_certs.yml ook niet worden aangepast zocdat haproxy_ldap_servers aan de lijst met hostnames wordt toegevoegd?

Dat is geregeld in de loadbalancer hostname configuratie voor zover ik me herinner. Het gaat in elk geval goed op dit moment?

baszoetekouw · 2026-05-04T09:16:35Z

-  purge-audit-log-days: 365
+  purge-audit-log-days: 0
  # A value of 0 means no invitations will be deleted
  purge-expired-invitations-days: 365


Dit lijkt me niet de bedoeling?

Ik weet niet waar deze change vandaan komt, ik denk dat het een rebase is?

baszoetekouw · 2026-05-04T09:17:52Z

@@ -0,0 +1,5 @@
+---
+mailpit_image: "axllent/mailpit"


Ik denk niet dat we een random image van een vaag persoon op internet direct willen utirollen, zeker niet als dat straks ook in publieke test terecht komt.

Waarschijnlijk beter om zelf een baseimage te bouwen hiervoor.

baszoetekouw · 2026-05-04T10:03:21Z

+
+redis:
+{% if environment_shortname == 'test2' %}
+  uri: "redis://{{ sbs_redis_user }}:{{ sbs_redis_password }}@{{sbs_redis_host}}/"


En hoe praat SBS eigenlijk met redis? Praat hij met een lokale container, via traefik of via de loadbalancer?

Via de magic containernaam volgens mij?

baszoetekouw · 2026-05-04T10:04:09Z

+scim_schema_sram: "urn:mace:surf.nl:sram:scim:extension"
+collaboration_creation_allowed_entitlement: "urn:mace:surf.nl:sram:allow-create-co"
+
+{% if env == "prd" %}


kunnen we niet beter in prd gewoon sbs_disclaimer_label op een lege string zetten in de group_vars?

Dit is letterlijk de config.yml.j2 van onze aws deploy

baszoetekouw · 2026-05-04T10:05:33Z

@@ -0,0 +1,6 @@
+{% if env!="prd" -%}


zie comment hierboven. betre check if of sbs_disclaimer_label leeg is.

baszoetekouw · 2026-05-04T10:06:31Z

+#CustomLog /proc/self/fd/1 common
+DocumentRoot /opt/sbs/client/dist
+
+Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; block-all-mixed-content;"


In SURFconext zijn de CSPs globaal gedefinieerd. Even met @crosmuller afstemmen hoe dat het handigst te combineren is.

) - Remove obsolete certificate task - Remove obsolete template - Stop Haproxy updates during deploys

Bugfix for double quote

Tyskai and others added 30 commits July 29, 2025 15:28

Update serverapplication.yml.j2

1f51ce8

Added email.serviceDeskEmail placeholder

64c1a89

#769 Make affiliation email more configurable

961ffa8

Merge branch 'main' into feature/#769-make-scopedaffiliation-configur…

0960373

…able

Merge remote-tracking branch 'origin/feature/#769-make-scopedaffiliat…

234b5d9

…ion-configurable' into develop

Fixed indentation for myconext

3d1f884

WIP for OpenConext/OpenConext-attribute-aggregation#143

06a6381

Merge remote-tracking branch 'origin/feature/add_eduid_acr_values' in…

6a43eec

…to develop

Fixes OpenConext/OpenConext-attribute-aggregation#143

6b68917

Fixes OpenConext/OpenConext-myconext#757

05b0831

#757 Replaces hardcoded value with variable

c930adf

Merge pull request #567 from OpenConext/feature/757-feature-toggle-en…

14bff9a

…able_account_linking Featue toggle enable_account_linking

Fixes OpenConext/OpenConext-myconext#759 Adds feature toggle use_app

48bdd9a

Merge pull request #571 from OpenConext/feature/759-feature-toggle-us…

f048ae3

…e_app Feature toggle use_app

Merge branch 'main' into develop

ec66f79

#1001 Add email addresses

cf73225

Added missing attributes from feature branch

19d0a48

Merge branch 'feature/#769-make-scopedaffiliation-configurable' into …

52528ec

…feature/#1001-different-email-from-for-nudges-and-warnings

Merge branch 'feature/#769-make-scopedaffiliation-configurable' into …

42930f8

…develop

Merge branch 'feature/#1001-different-email-from-for-nudges-and-warni…

7f85717

…ngs' into develop # Conflicts: # roles/myconext/templates/application.yml.j2

Added languages for invite

9b0db98

Merge branch 'main' into develop

0cafab3

Merge branch 'main' into develop

9a481e4

Added missing mongodb_db variable for myconext CRON jobs

9026265

#1024 Add mail-institution-batch-size to 500 and set mail-institution…

6a30219

…-mail-usage-expression to daily

Merge branch 'feature/#1024-send-institutionmailwarning-in-smaller-ba…

2456b25

…tches-to-main' into develop

#802-differentiate-error_mail-configurable-for-prod-and-non-prod-develop

7a23f86

Merge pull request #582 from OpenConext/feature/#802-differentiate-er…

1feb140

…ror_mail-configurable-for-prod-and-non-prod-develop #802-differentiate-error_mail-configurable-for-prod-and-non-prod-develop

https://github.com/OpenConext/OpenConext-access/issues/322

10431c9

Merge branch 'feature/access-support-mail' into develop

09428ab

oharsta and others added 4 commits April 23, 2026 09:12

Merge pull request #650 from OpenConext/feature/#1042-add-return-url-…

0034180

…to-create-from-institution #1042 Add create-from-institution return-url-allowed-domains

Added sram_rp_entity_id to manage for push functionality

2ba4d1a

Merge pull request #658 from OpenConext/feature/manage-eb-push

ced2dda

Added sram_rp_entity_id to manage for push functionality

Merge pull request #558 from OpenConext/feature/improve_ebauth_parse_…

7cc0a50

…script Improve ebauth log parsing, and parse stepup-authentication logs also

crosmuller reviewed Apr 30, 2026

View reviewed changes

Comment thread roles/haproxy/templates/haproxy_backend.cfg.j2

Comment thread roles/sram_ldap/files/rsyslog_slapd.conf Outdated

baszoetekouw requested changes May 4, 2026

View reviewed changes

crosmuller and others added 22 commits May 4, 2026 17:30

Remove obsolete certificate task and stop patching during a deploy (#660

e709961

) - Remove obsolete certificate task - Remove obsolete template - Stop Haproxy updates during deploys

Default create_from_institution_return_url_allowed_domains voor eduID

f68cf27

Bugfix for double quote

523926f

Merge pull request #663 from OpenConext/bug/manage-typo

153f72d

Bugfix for double quote

Add engineblock parameters for SBS integration

112b538

Fix duplicate keys

165e826

Fix jinja template

2f16f08

WIP

abfe916

WIP

150b22e

WIP

28686c4

Add ldap role

114a7a9

Add plsc and mailpit roles

96bad9f

Add sram-metadata and rename apps+roles

3eee2dc

Fix haproxy_backend.cfg.j2

b3f85f1

WIP

bf52be3

WIP

1e8614e

Remove SBS cert dir

2d131ea

Add Engine-SBS integration

26d52db

Remove rsyslog dust

82f50f7

WIP

9a3c379

Fix ldap test

77ea117

Parametrize satosa image

4793fe7

mrvanes force-pushed the feature/sram branch from d704e3e to 4793fe7 Compare May 6, 2026 09:15

Add CRM to AA scopes

027c161

Conversation

mrvanes commented Mar 19, 2026

Uh oh!

crosmuller left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants