Merge pull request #262 from OSC/develop

Update to 4.0. This has a few things in it in addition to updating to 4.0.

* It removes support for EL7 as that's been dropped since OOD version 3.1
* Adds functionality for flexible ondemand.d configurations (support for generic support for ondemand.d files #257)

Author: johrstrom

.github/workflows/tests.yml

@@ -48,26 +48,8 @@ jobs:
         run: |
           python3 -m pip install -r molecule/requirements.txt
           ansible-galaxy collection install community.general
-          sudo apt update && sudo apt install -y podman
+          sudo apt update && sudo apt upgrade -y && sudo apt install -y podman
 
-      # we have to patch crun here because Ubuntu fails with the errors similar to the 
-      # github issue below.
-      # https://github.com/containers/crun/issues/1308
-      - name: patch crun
-        run: |
-          export CRUN_VER='1.14.3'
-          mkdir -p "${HOME}/.local/bin"
-          curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "${HOME}/.local/bin/crun"
-          chmod +x "${HOME}/.local/bin/crun"
-
-          mkdir -p "${HOME}/.config/containers"
-          cat << EOF > "${HOME}/.config/containers/containers.conf"
-          [engine.runtimes]
-          crun = [
-            "${HOME}/.local/bin/crun",
-            "/usr/bin/crun"
-          ]
-          EOF
       - name: run tests
         run: molecule test --scenario-name=${{ matrix.scenario }}
         env:

README.md

@@ -15,6 +15,7 @@ This ansible role installs and configures [Open OnDemand](https://openondemand.o
     - [ood_apps](#ood_apps)
   - [Open ID Connect](#open-id-connect)
     - [Install Dex](#install-dex)
+  - [OnDemand.d Configurations](#ondemandd-configurations)
 - [Contributing](#contributing)
 
 ## Version compatibility
@@ -294,6 +295,51 @@ See [auth\_openidc](https://github.com/zmartzone/mod_auth_openidc) for more info
 
 To install dex for OIDC use set the flag `install_ondemand_dex` to true and it will install the package.
 
+### OnDemand.d Configurations
+
+In the 4.0 release of this role, configurations for `ondemand.d` files was changed.
+While this role will continue to support the old way of specifing each
+variable and writing them all out to a single `ondemand.d/ondemand.yml` file,
+users should begin to migrate to the new way to write these files.
+
+4.0 introduced `ood_ondemand_d_configs` which will in turn write out as many files
+as you've provided.
+
+Each configuration at a minimum needs `content` which will be the content of
+the file that's begin written. It can additionally accept ``group`` and ``mode``
+to set the file's group ownership and file access mode. These files are always
+owned by the ``root`` user.
+
+In this example, we're writing out two files, ``motd.yml`` and ``globus.yml``.
+These filenames are given by the top level keys under ``ood_ondemand_d_configs``.
+
+``content`` specifies the content of the file that's going to be written out.
+This should be in YAML and will be written out in YAML.
+
+In this configuration ``motd.yml`` will be written out with ``644 root:root``
+permissions.  ``globus.yml`` on the other hand will be written out with
+``640 root:specialusers`` permissions so it'll only be available for certain
+users.
+
+```yaml
+ood_ondemand_d_configs:
+  motd:
+    content:
+      motd_render_html: true
+  globus:
+    content:
+      globus_endpoints:
+        - path: "<%= CurrentUser.home %>"
+          endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          endpoint_path: "/"
+
+        - path: "/project"
+          endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          endpoint_path: "/"
+    group: specialusers
+    mode: 640
+```
+
 ## Contributing
 
 If you run into an issue or have a feature request or fixed some issue, let us know! PRs welcome! Even if you

defaults/main/install.yml

@@ -17,8 +17,8 @@ apache_etc_dir: "/etc/{{ apache_service_name }}"
 apache_conf_dir: "{{ apache_etc_dir }}/conf.d"
 apache_log_dir: "/var/log/{{ apache_service_name }}"
 
-rpm_repo_url: "https://yum.osc.edu/ondemand/3.1/ondemand-release-web-3.1-1.{{ el_distro }}.noarch.rpm"
-apt_repo_url: "https://apt.osc.edu/ondemand/3.1/ondemand-release-web_3.1.1-{{ deb_distro }}_all.deb"
+rpm_repo_url: "https://yum.osc.edu/ondemand/4.0/ondemand-release-web-4.0-1.{{ el_distro }}.noarch.rpm"
+apt_repo_url: "https://apt.osc.edu/ondemand/4.0/ondemand-release-web_4.0.0-{{ deb_distro }}_all.deb"
 
 rpm_repo_key: "https://yum.osc.edu/ondemand/RPM-GPG-KEY-ondemand"
 deb_repo_key: "https://apt.osc.edu/ondemand/DEB-GPG-KEY-ondemand"
@@ -42,7 +42,7 @@ ondemand_dex_package: ondemand-dex # behaviour as for ondemand_package
 
 # needed for testing. no reason to change these in production.
 disable_htcacheclean: false
-nodejs_version: 18
-ruby_version: 3.1
+nodejs_version: 20
+ruby_version: 3.3
 
 ood_base_apache_dir: "/var/www/ood"

defaults/main/ondemand.yml

@@ -93,3 +93,5 @@ hide_app_version: false
 # google_analytics_tag_id: null
 
 motd_render_html: false
+
+# ood_ondemand_d_configs: {}

defaults/main/ood_portal.yml

@@ -15,6 +15,7 @@
 # - 443
 
 httpd_use_rewrites: true
+ood_http_redirect_host: '%{HTTP_HOST}'
 maintenance_ip_allowlist: []
 use_maintenance: true
 # security_csp_frame_ancestors:
@@ -118,6 +119,7 @@ oidc_settings_samefile: false
 # oidc_state_max_number_of_cookies: "10 true"
 # oidc_cookie_same_site: "On"
 # oidc_settings: {}
+# ood_oidc_crypto_passphrase: changeme
 # dex_uri: null
 # dex_settings: |
 #   dex:

molecule/default/fixtures/config/ood_portal.yml.custom.apache2

@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

molecule/default/fixtures/config/ood_portal.yml.custom.httpd

@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800