Merge pull request #3706 from keshavprasadms/release-5.1.0

feat: ED-699 adding opa dependecies

private_repo/ansible/inventory/dev/Core/common.yml

@@ -241,11 +241,9 @@ cloudstorage_base_path: "{{ cloud_storage_url }}"
 valid_cloudstorage_base_urls: '["{{ cloud_storage_url }}"]'
 cloudstorage_relative_path_prefix: "CONTENT_STORAGE_BASE_PATH"
 
-
-
 # Provide the admin-api consumer access to all API's - The public repo restricts this for security reasons
-# If you dont want to key to have access to all API's, please remove the variables kong_all_consumer_groups and kong_consumers or edit the groups to have a smaller subset
-kong_all_consumer_groups:
+# If you dont want the admin api key to have access to all API's, please remove the variables "all_apis_access_group" and "kong_consumers" or edit the groups to have a smaller subset
+all_apis_access_group:
   - announcementAccess
   - anonymousAppAccess
   - anonymousCertificateAccess
@@ -367,6 +365,37 @@ kong_all_consumer_groups:
 
 kong_consumers:
   - username: api-admin
+    groups: "{{ all_apis_access_group }}"
+    state: present
+  - username: mobile_admin
+    groups: "{{ mobile_admin_groups }}"
+    print_credentials: true
+    state: present
+  - username: mobile_app
+    groups: "{{ mobile_app_groups }}"
+    state: present
+  - username: mobile_device
+    groups: "{{ mobile_device_groups }}"
+    state: present
+  - username: mobile_devicev2
+    groups: "{{ mobile_device_groups }}"
+    state: present
+  - username: portal_anonymous_register
+    groups: "{{ portal_anonymous_register }}"
+    state: present
+  - username: portal_loggedin_register
+    groups: "{{ portal_loggedin_register }}"
+    state: present
+  - username: portal_anonymous
+    groups: "{{ anonymous_user_groups }}"
+    state: present
+  - username: portal_loggedin
+    groups: "{{ kong_all_consumer_groups }}"
+    state: present
+  - username: portal_anonymous_fallback_token
+    groups: "{{ anonymous_user_groups }}"
+    state: present
+  - username: portal_loggedin_fallback_token
     groups: "{{ kong_all_consumer_groups }}"
     state: present
 
@@ -397,15 +426,48 @@ grafana_login_whitelisted_emails: |-
 # Add below var to monitor report-cassandra server
 report_cassandra_server_count: "{{ groups['report-cassandra'] | length }}"
 
-# graylog
-graylog_open_to_public: true
-send_logs_to_graylog: true
-graylog_root_timezone: "Asia/Kolkata"
-graylog_elasticsearch_discovery_enabled: "true"
-graylog_allow_leading_wildcard_searches: "true"
-graylog_allow_highlighting: "true"
-graylog_transport_email_enabled: "true"
-graylog_transport_email_hostname: "{{ mail_server_host }}"
-graylog_transport_email_auth_username: "apikey"
-graylog_transport_email_from_email: "{{ sunbird_mail_server_from_email }}"
-graylog_transport_email_use_ssl: "false"
\ No newline at end of file
+# graylog variables
+graylog_open_to_public: true  # allows you to access via domain/graylog
+send_logs_to_graylog: true    # filebeat agents will send logs to graylog instead of ES
+graylog_root_timezone: "Asia/Kolkata"  # timezone
+graylog_elasticsearch_discovery_enabled: "true"  # auto discover ES nodes and version
+graylog_allow_leading_wildcard_searches: "true"  # allows wild card searching
+graylog_allow_highlighting: "true"   # shows yellow highlights on matches
+graylog_transport_email_enabled: "true"  # enables emails to be sent via graylog
+graylog_transport_email_hostname: "{{ mail_server_host }}"  # email server host name
+graylog_transport_email_auth_username: "apikey"   # sendgrid  / email service api key 
+graylog_transport_email_from_email: "{{ sunbird_mail_server_from_email }}"  # from email address
+graylog_transport_email_use_ssl: "false"  # cannot use both tls and ssl, so disabling ssl as tls is enabled by default
+
+# Opa and Adminutils
+# Prefixes will match the starting part of the files under keys dirctory in inventory
+adminutil__device_keyprefix: "mobile_devicev2_key"  # private key prefix for mobile apps
+adminutil__device_keystart: 1   # starting number of the key file
+adminutil__device_keycount: 10  # ending number of the key file
+adminutil__access_keyprefix: "accessv1_key"  # private key prefix for user access tokens
+adminutil__access_keystart: 1  # starting number of the key file
+adminutil__access_keycount: 10  # ending number of the key file
+adminutil__desktop_keyprefix: "desktop_devicev2_key"  # private key prefix for desktop apps
+adminutil__desktop_keystart: 1  # starting number of the key file
+adminutil__desktop_keycount: 10  # ending number of the key file
+adminutil__portal_anonymous_keyprefix: "portal_anonymous_key"  # private key prefix for portal anonymous sessions
+adminutil__portal_anonymous_keystart: 1  # starting number of the key file
+adminutil__portal_anonymous_keycount: 10  # ending number of the key file
+adminutil__portal_loggedin_keyprefix: "portal_loggedin_key"  # private key prefix for portal loggedin sessions
+adminutil__portal_loggedin_keystart: 1  # starting number of the key file
+adminutil__portal_loggedin_keycount: 10  # ending number of the key file
+adminutil_embed_role: 'true'  # embeds user roles in access tokens
+
+# Kong and Adminutils
+# Consumer names will match the starting part of the files under keys dirctory in inventory 
+kong_mobile_v2_consumer: "mobile_devicev2"  # kong consumer name for mobile apps
+kong_desktop_v2_consumer: "desktop_devicev2"  # kong consumer name for desktop apps
+kong_portal_anonymous_consumer: "portal_anonymous"  # kong consumer name for portal anonymous sessions
+kong_portal_loggedin_consumer: "portal_loggedin"  # kong consumer name for portal loggedin sessions
+kong_desktop_device_consumer_names_for_opa: '["desktop_devicev2", "desktop_device"]'  # ops checks will be skipped for desktop consumers
+
+# Portal sessions
+sunbird_kong_device_register: 'true'  # enables refersh token api call after login
+sunbird_kong_device_register_anonymous: 'true'  # enables anonymous sessions
+sunbird_session_store_type: redis  # uses redis for session data instead of cassandra
+portal_redis_connection_string: "redis://:@{{ sunbird_redis_host }}:6379/3"  # Uses KP redis and DB number 3 to store session data
\ No newline at end of file

private_repo/ansible/inventory/dev/Core/secrets.yml

@@ -117,7 +117,7 @@ mongodb_keyfile_content: |
 # 4. Again vist Admin Panel post restart -> Click on Plugins => Write API
 # 5. Under MASTER TOKENS section, click on create token button, It will generate a token.
 discussionsmw_nodebb_authorization_token:    # Read the comment above to generate this key
-core_vault_mail_server_password: ""                      # Email server password
+core_vault_mail_server_password: ""                      # Email server password / api token
 
 # Oauth keys
 core_vault_sunbird_google_oauth_clientId_portal:         # Google oauth client id
@@ -126,6 +126,17 @@ core_vault_sunbird_google_captcha_site_key_portal:       # Google recaptch site
 google_captcha_private_key:                              # Google recaptch private key
 learning_content_drive_apiKey:                           # Google drive api key
 
+### Graylog ###
+graylog_password_secret: ""       # Random secret. Generate using the command: pwgen -s 96 1
+graylog_root_password_sha2: ""    # Random secret. Generate using the command: echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
+
+## Portal anonymous, loggedin sessions default tokens and register token ##
+# Get the below tokens after running the OnboardConsumers job
+sunbird_anonymous_register_token:    # Use the portal_anonymous_register consumer token
+sunbird_loggedin_register_token:     # Use portal_loggedin_register consumer token
+sunbird_anonymous_default_token:     # Use portal_anonymous_fallback_token consumer token
+sunbird_logged_default_token:        # Use portal_loggedin_fallback_token consumer token
+
 # ------------------------------------------------------------------------------------------------------------ #
 # Optional variables - Can be left blank if you dont plan to use the intended features
 core_vault_monitor_alerts_slack_url: ""                  # Slack webhook for alerts from alertmanager
@@ -183,4 +194,7 @@ ml_analytics_api_authorization_key: ApiAuthorizationKey
 
 # update if seperate object storage is used
 cloud_private_storage_secret: "{{ cloud_public_storage_secret }}"
-cloud_artifact_storage_secret: "{{ cloud_public_storage_secret }}"
\ No newline at end of file
+cloud_artifact_storage_secret: "{{ cloud_public_storage_secret }}"
+
+# Graylog
+graylog_transport_email_auth_password: "{{ core_vault_mail_server_password }}"  # email server password / api token
\ No newline at end of file

private_repo/ansible/inventory/dev/DataPipeline/common.yml

@@ -288,3 +288,5 @@ processing_kafka_overriden_topics:
     retention_time: 86400000
     replication_factor: 1
 
+# graylog
+send_logs_to_graylog: true  # filebeat agents will send logs to graylog instead of ES
\ No newline at end of file

private_repo/ansible/inventory/dev/KnowledgePlatform/common.yml

@@ -207,4 +207,5 @@ postgres:
   db_admin_user: postgres
   db_admin_password: "{{dp_vault_pgdb_admin_password}}"
 
-### Lern BB
+# graylog
+send_logs_to_graylog: true  # filebeat agents will send logs to graylog instead of ES
\ No newline at end of file

private_repo/ansible/inventory/dev/Kubernetes/keys

+../Core/keys/
\ No newline at end of file

private_repo/ansible/inventory/dev/Sunbird-RC/common.yml

+../Core/common.yml
\ No newline at end of file

private_repo/ansible/inventory/dev/Sunbird-RC/hosts

+../Core/hosts
\ No newline at end of file

private_repo/ansible/inventory/dev/Sunbird-RC/keys

+../Core/keys/
\ No newline at end of file

private_repo/ansible/inventory/dev/Sunbird-RC/secrets.yml

+../Core/secrets.yml
\ No newline at end of file

private_repo/ansible/inventory/dev/UCI/keys

+../Core/keys/
\ No newline at end of file

private_repo/ansible/inventory/dev/key-generate.sh

+#!/bin/bash
+set -euo pipefail
+read -s -p 'Enter the ansible vault password (redacted): ' vault_pass
+echo
+read -s -p 'Re-enter the ansible vault password (redacted): ' confirm_vault_pass
+echo
+if [[ $vault_pass == $confirm_vault_pass ]]
+then
+  echo "$vault_pass" > temp_vault_pass
+  cd Core/keys
+  for i in {1..10}; do openssl genrsa -out mobile_devicev2_c$i 2048 && openssl pkcs8 -topk8 -inform PEM -in mobile_devicev2_c$i -out mobile_devicev2_key$i -nocrypt && rm -rf mobile_devicev2_c$i ; done
+  for i in {1..10}; do openssl genrsa -out accessv1_c$i 2048 && openssl pkcs8 -topk8 -inform PEM -in accessv1_c$i -out accessv1_key$i -nocrypt && rm -rf accessv1_c$i ; done
+  for i in {1..10}; do openssl genrsa -out desktop_devicev2_c$i 2048 && openssl pkcs8 -topk8 -inform PEM -in desktop_devicev2_c$i -out desktop_devicev2_key$i -nocrypt && rm -rf desktop_devicev2_c$i ; done
+  for i in {1..10}; do openssl genrsa -out portal_anonymous_c$i 2048 && openssl pkcs8 -topk8 -inform PEM -in portal_anonymous_c$i -out portal_anonymous_key$i -nocrypt && rm -rf portal_anonymous_c$i ; done
+  for i in {1..10}; do openssl genrsa -out portal_loggedin_c$i 2048 && openssl pkcs8 -topk8 -inform PEM -in portal_loggedin_c$i -out portal_loggedin_key$i -nocrypt && rm -rf portal_loggedin_c$i ; done
+  while read -r line; do ansible-vault encrypt $line --vault-password-file ../../temp_vault_pass; done <<< $(ls)
+  cd ../.. && rm temp_vault_pass
+  echo "OK"
+else
+  echo "Vault passwords dont match"
+fi
\ No newline at end of file

private_repo/ansible/inventory/dev/managed-learn/keys

+../Core/keys/
\ No newline at end of file