blsmith/dc-deployments-automation
1
0
Fork 0
mirror of https://bitbucket.org/atlassian/dc-deployments-automation.git synced 2025-12-14 00:43:06 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'DCD-352-confluence-support'

Browse Source
This commit is contained in:
Steve Smith
2019-05-27 14:12:02 +10:00
parent e9d1fd2a47 8bcae6751d
commit 92b71f63f8
12 changed files with 480 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
aws_confluence_dc_node.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- hosts: aws_node_local
become: true
vars:
# See group_vars/aws_node_local.yml, which pull vars from the environment.
atl_product_family: "confluence"
atl_product_user: "confluence"
atl_product_edition: "confluence"
roles:
- role: linux_common
- role: aws_common
- role: aws_efs_config
- role: product_common
- role: product_install
- role: database_init
- role: confluence_config

7
group_vars/aws_node_local.yml
View File

@@ -17,7 +17,11 @@ atl_shared_mountpoint: "/media/atl"
# FIXME: Some of these should be overridden from the environment? # FIXME: Some of these should be overridden from the environment?
atl_home_base: "/var/atlassian/application-data" atl_home_base: "/var/atlassian/application-data"
atl_product_home: "{{ atl_home_base }}/{{ atl_product_family }}" atl_product_home: "{{ atl_home_base }}/{{ atl_product_family }}"
atl_product_home_shared: "{{ atl_shared_mountpoint }}/{{ atl_product_family }}/shared" atl_product_shared_home_map:
confluence: "shared-home"
jira: "shared"
stash: "shared"
atl_product_home_shared: "{{ atl_shared_mountpoint }}/{{ atl_product_family }}/{{ atl_product_shared_home_map[atl_product_family] }}"
atl_product_shared_plugins: "{{ atl_product_home_shared }}/plugins/installed-plugins" atl_product_shared_plugins: "{{ atl_product_home_shared }}/plugins/installed-plugins"
atl_installation_base: "/opt/atlassian" atl_installation_base: "/opt/atlassian"
@@ -33,6 +37,7 @@ atl_installer_temp: "{{ atl_installation_base }}/tmp"
atl_product_version: "{{ lookup('env', 'ATL_PRODUCT_VERSION') | lower }}" atl_product_version: "{{ lookup('env', 'ATL_PRODUCT_VERSION') | lower }}"
atl_efs_id: "{{ lookup('env', 'ATL_EFS_ID') }}" atl_efs_id: "{{ lookup('env', 'ATL_EFS_ID') }}"
atl_aws_stack_name: "{{ lookup('env', 'ATL_AWS_STACK_NAME') }}"
atl_db_host: "{{ lookup('env', 'ATL_DB_HOST') }}" atl_db_host: "{{ lookup('env', 'ATL_DB_HOST') }}"
atl_db_port: "{{ lookup('env', 'ATL_DB_PORT') or '5432' }}" atl_db_port: "{{ lookup('env', 'ATL_DB_PORT') or '5432' }}"

12
roles/confluence_config/.yamllint Normal file
View File

@@ -0,0 +1,12 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable
trailing-spaces: false

47
roles/confluence_config/defaults/main.yml Normal file
View File

@@ -0,0 +1,47 @@
---
atl_jvm_heap: "2048m"
atl_db_timeout: "{{ lookup('env', 'ATL_DB_TIMEOUT') or '30' }}"
atl_db_idletestperiod: "{{ lookup('env', 'ATL_DB_IDLETESTPERIOD') or '100' }}"
atl_db_maxstatements: "{{ lookup('env', 'ATL_DB_MAXSTATEMENTS') or '0' }}"
atl_db_validate: "{{ lookup('env', 'ATL_ATL_DB_VALIDATE') or 'false' }}"
atl_db_acquireincrement: "{{ lookup('env', 'ATL_DB_ACQUIREINCREMENT') or '1' }}"
atl_hazelcast_network_aws_tag_key: "Cluster"
atl_hazelcast_network_aws_host_header: "ec2.amazonaws.com"
atl_hazelcast_network_aws_iam_region: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_IAM_REGION') }}"
atl_hazelcast_network_aws_iam_role: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_IAM_ROLE') }}"
atl_hazelcast_network_aws_tag_value: "{{ lookup('env', 'ATL_HAZELCAST_NETWORK_AWS_TAG_VALUE') }}"
atl_autologin_cookie_age: "{{ lookup('env', 'ATL_AUTOLOGIN_COOKIE_AGE') }}"
atl_synchrony_service_url: "{{ lookup('env', 'ATL_SYNCHRONY_SERVICE_URL') }}"
atl_catalina_opts: ""
atl_catalina_opts_extra: >-
-Datlassian.event.thread_pool_configuration.queue_size=4096
-Datlassian.plugins.enable.wait=300
-Dconfluence.upgrade.recovery.file.enabled=false
-Dfile.encoding=UTF-8
-Djava.net.preferIPv4Stack=true
-Dshare.group.email.mapping=atlassian-all:atlassian-all@atlassian.com,atlassian-staff:atlassian-staff@atlassian.com
-XX:+PrintAdaptiveSizePolicy
-XX:+PrintGCDetails
-XX:+PrintTenuringDistribution
-Dsynchrony.proxy.enabled=false
-Dsynchrony.service.url={{ atl_synchrony_service_url }}
-Dconfluence.cluster.node.name={{ ansible_ec2_local_ipv4 | default(ansible_default_ipv4.address) }}
-Dconfluence.cluster.hazelcast.max.no.heartbeat.seconds=60
atl_tomcat_port: "8080"
atl_tomcat_mgmt_port: "8005"
atl_tomcat_acceptcount: "10"
atl_tomcat_connectiontimeout: "20000"
atl_tomcat_contextpath: ""
atl_tomcat_maxthreads: "200"
atl_tomcat_minsparethreads: "10"
atl_tomcat_protocol: "HTTP/1.1"
atl_tomcat_redirectport: ""
atl_tomcat_scheme: "http"
atl_tomcat_secure: "false"

14
roles/confluence_config/molecule/default/Dockerfile.j2 Normal file
View File

@@ -0,0 +1,14 @@
# Molecule managed
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi

32
roles/confluence_config/molecule/default/molecule.yml Normal file
View File

@@ -0,0 +1,32 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
platforms:
- name: amazon_linux2
image: amazonlinux:2
groups:
- aws_node_local
- name: ubuntu_lts
image: ubuntu:bionic
groups:
- aws_node_local
provisioner:
name: ansible
options:
skip-tags: runtime_pkg
lint:
name: ansible-lint
options:
x: ["701"]
inventory:
links:
group_vars: ../../../../group_vars/
verifier:
name: testinfra
lint:
name: flake8
enabled: false

20
roles/confluence_config/molecule/default/playbook.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Converge
hosts: all
vars:
atl_product_family: "confluence"
atl_product_edition: "confluence"
atl_product_user: "confluence"
atl_product_version: "latest"
atl_jdbc_user: 'confluence'
atl_jvm_heap: 'PLACEHOLDER'
atl_cluster_node_id: 'FAKEID'
atl_autologin_cookie_age: "COOKIEAGE"
ansible_ec2_local_ipv4: "1.1.1.1"
ansible_default_ipv4: "2.2.2.2"
roles:
- role: linux_common
- role: product_common
- role: product_install
- role: confluence_config

61
roles/confluence_config/molecule/default/tests/test_default.py Normal file
View File

@@ -0,0 +1,61 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_seraph_file(host):
f = host.file('/opt/atlassian/confluence/current/confluence/WEB-INF/classes/seraph-config.xml')
assert f.exists
assert f.contains('<param-value>COOKIEAGE</param-value>')
def test_setenv_file(host):
f = host.file('/opt/atlassian/confluence/current/bin/setenv.sh')
assert f.exists
assert f.contains('-XmsPLACEHOLDER')
assert f.contains('-XmxPLACEHOLDER')
assert f.contains('-Dconfluence.cluster.node.name=1.1.1.1')
def test_server_file(host):
f = host.file('/opt/atlassian/confluence/current/conf/server.xml')
assert f.exists
assert f.contains('Connector port="8080"')
assert f.contains('Server port="8005"')
assert f.contains('<Context path=""')
assert f.contains('maxThreads="200"')
assert f.contains('minSpareThreads="10"')
assert f.contains('connectionTimeout="20000"')
assert f.contains('enableLookups="false"')
assert f.contains('protocol="HTTP/1.1"')
assert f.contains('redirectPort=""')
assert f.contains('acceptCount="10"')
assert f.contains('secure="false"')
assert f.contains('scheme="http"')
assert not f.contains('proxyName=')
assert not f.contains('proxyPort=')
def test_install_permissions(host):
assert host.file('/opt/atlassian/confluence/current/conf/server.xml').user == 'root'
assert host.file('/opt/atlassian/confluence/current/confluence/WEB-INF/web.xml').user == 'root'
assert host.file('/opt/atlassian/confluence/current/logs/').user == 'confluence'
assert host.file('/opt/atlassian/confluence/current/work/').user == 'confluence'
assert host.file('/opt/atlassian/confluence/current/temp/').user == 'confluence'
@pytest.mark.parametrize('directory', [
'/var/atlassian/application-data/confluence/',
'/media/atl/confluence/shared-home/'
])
def test_home_directories(host, directory):
d = host.file(directory)
assert d.exists
assert d.user == 'confluence'
def test_confluence_config_file(host):
f = host.file('/var/atlassian/application-data/confluence/confluence.cfg.xml')
assert f.exists
assert f.user == 'confluence'
assert f.contains('<property name="confluence.cluster.home">/media/atl/confluence/shared-home</property>')
assert f.contains('<property name="hibernate.connection.driver_class">org.postgresql.Driver</property>')

76
roles/confluence_config/tasks/main.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: Create application directories
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ atl_product_user }}"
group: "{{ atl_product_user }}"
with_items:
- "{{ atl_product_home }}"
- "{{ atl_product_home_shared }}"
- "{{ atl_product_shared_plugins }}"
changed_when: false # For Molecule idempotence check
- name: Create Tomcat server config
template:
src: server.xml.j2
dest: "{{ atl_product_installation_versioned }}/conf/server.xml"
- name: Override JVM memory settings.
replace:
path: "{{ atl_product_installation_versioned }}/bin/setenv.sh"
regexp: "-{{ item }}\\d+m "
replace: "-{{ item }}{{ atl_jvm_heap }} "
with_items:
- 'Xmx'
- 'Xms'
- name: Set the Tomcat environment
lineinfile:
path: "{{ atl_product_installation_versioned }}/bin/setenv.sh"
insertafter: "EOF"
line: 'export CATALINA_OPTS="${CATALINA_OPTS} {{ atl_catalina_opts }} {{ atl_catalina_opts_extra }}"'
- name: Configure login properties
template:
src: seraph-config.xml.j2
dest: "{{ atl_product_installation_versioned }}/confluence/WEB-INF/classes/seraph-config.xml"
- name: Create Confluence configuration
template:
src: confluence.cfg.xml.j2
dest: "{{ atl_product_home }}/confluence.cfg.xml"
owner: "{{ atl_product_user }}"
group: "{{ atl_product_user }}"
- name: Limit permissions on the installation directory
file:
path: "{{ atl_product_installation_versioned }}"
owner: "root"
group: "root"
mode: "u=rwX,g=rX,o=rX"
recurse: true
with_items:
- "{{ atl_installer_temp }}"
- "{{ atl_product_installation_versioned }}"
- "{{ atl_product_version_cache_dir }}"
changed_when: false # For Molecule idempotence check
- name: Grant access to the product working directories
file:
path: "{{ item }}"
state: directory
mode: "u=rwX,g=rX,o-rwx"
owner: "{{ atl_product_user }}"
group: "{{ atl_product_user }}"
recurse: true
with_items:
- "{{ atl_product_installation_versioned }}/logs"
- "{{ atl_product_installation_versioned }}/temp"
- "{{ atl_product_installation_versioned }}/work"
changed_when: false # For Molecule idempotence check

42
roles/confluence_config/templates/confluence.cfg.xml.j2 Normal file
View File

@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
<setupStep>setupstart</setupStep>
<setupType>custom</setupType>
<buildNumber>0</buildNumber>
<properties>
<property name="confluence.database.choice">postgresql</property>
<property name="confluence.database.connection.type">database-type-standard</property>
<property name="hibernate.dialect">com.atlassian.confluence.impl.hibernate.dialect.PostgreSQLDialect</property>
<property name="webwork.multipart.saveDir">${localHome}/temp</property>
<property name="attachments.dir">${confluenceHome}/attachments</property>
<property name="hibernate.connection.driver_class">{{ atl_db_driver }}</property>
<property name="hibernate.connection.url">{{ atl_jdbc_url }}</property>
<property name="hibernate.connection.username">{{ atl_jdbc_user }}</property>
<property name="hibernate.connection.password">{{ atl_jdbc_password }}</property>
<property name="hibernate.c3p0.min_size">{{ atl_db_poolminsize }}</property>
<property name="hibernate.c3p0.max_size">{{ atl_db_poolmaxsize }}</property>
<property name="hibernate.c3p0.timeout">{{ atl_db_timeout }}</property>
<property name="hibernate.c3p0.idle_test_period">{{ atl_db_idletestperiod }}</property>
<property name="hibernate.c3p0.max_statements">{{ atl_db_maxstatements }}</property>
<property name="hibernate.c3p0.validate">{{ atl_db_validate }}</property>
<property name="hibernate.c3p0.acquire_increment">{{ atl_db_acquireincrement }}</property>
<property name="hibernate.c3p0.preferredTestQuery">select version();</property>
<property name="shared-home">{{ atl_product_home_shared }}</property>
<property name="confluence.cluster">true</property>
<property name="confluence.cluster.home">{{ atl_product_home_shared }}</property>
<property name="confluence.cluster.aws.iam.role">{{ atl_hazelcast_network_aws_iam_role }}</property>
<property name="confluence.cluster.aws.region">{{ atl_hazelcast_network_aws_iam_region }}</property>
<property name="confluence.cluster.aws.host.header">{{ atl_hazelcast_network_aws_host_header }}</property>
<property name="confluence.cluster.aws.tag.key">{{ atl_hazelcast_network_aws_tag_key }}</property>
<property name="confluence.cluster.aws.tag.value">{{ atl_hazelcast_network_aws_tag_value }}</property>
<property name="confluence.cluster.join.type">aws</property>
<property name="confluence.cluster.name">{{ atl_aws_stack_name }}</property>
<property name="confluence.cluster.ttl">1</property>
</properties>
</confluence-configuration>

71
roles/confluence_config/templates/seraph-config.xml.j2 Normal file
View File

@@ -0,0 +1,71 @@
<security-config>
<parameters>
<init-param>
<param-name>login.url</param-name>
<param-value>/login.action?os_destination=${originalurl}&amp;permissionViolation=true</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>/login.action</param-value>
</init-param>
<init-param>
<param-name>cookie.encoding</param-name>
<param-value>cNf</param-value>
</init-param>
<init-param>
<param-name>login.cookie.key</param-name>
<param-value>seraph.confluence</param-value>
</init-param>
{% if atl_autologin_cookie_age is defined and atl_autologin_cookie_age|length %}
<init-param>
<param-name>autologin.cookie.age</param-name>
<param-value>{{ atl_autologin_cookie_age }}</param-value>
</init-param>
{% endif %}
<!--only basic authentication available-->
<init-param>
<param-name>authentication.type</param-name>
<param-value>os_authType</param-value>
</init-param>
<!-- Invalidate session on login to prevent session fixation attack -->
<init-param>
<param-name>invalidate.session.on.login</param-name>
<param-value>true</param-value>
</init-param>
<!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
Currently it is empty (i.e. all attributes will be copied). -->
<init-param>
<param-name>invalidate.session.exclude.list</param-name>
<param-value></param-value>
</init-param>
</parameters>
<rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
<controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
<!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
<!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->
<!-- Authenticator with support for Crowd single-sign on (SSO). -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->
<!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->
<services>
<service class="com.atlassian.seraph.service.PathService">
<init-param>
<param-name>config.file</param-name>
<param-value>seraph-paths.xml</param-value>
</init-param>
</service>
</services>
<elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>
</security-config>

81
roles/confluence_config/templates/server.xml.j2 Normal file
View File

@@ -0,0 +1,81 @@
<?xml version="1.0" encoding="utf-8"?>
<Server port="{{ atl_tomcat_mgmt_port }}"
shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<Service name="Catalina">
<Connector port="{{ atl_tomcat_port }}"
maxThreads="{{ atl_tomcat_maxthreads }}"
minSpareThreads="{{ atl_tomcat_minsparethreads }}"
connectionTimeout="{{ atl_tomcat_connectiontimeout }}"
enableLookups="{{ atl_tomcat_enablelookups }}"
protocol="{{ atl_tomcat_protocol }}"
redirectPort="{{ atl_tomcat_redirectport }}"
acceptCount="{{ atl_tomcat_acceptcount }}"
secure="{{ atl_tomcat_secure }}"
scheme="{{ atl_tomcat_scheme }}"
{% if atl_proxy_name is defined and atl_proxy_name != '' %}
proxyName="{{ atl_proxy_name }}"
{% endif %}
{% if atl_proxy_port is defined and atl_proxy_port != '' %}
proxyPort="{{ atl_proxy_port }}"
{% endif %}
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
bindOnInit="false"
maxHttpHeaderSize="8192"
useBodyEncodingForURI="true"
disableUploadTimeout="true" />
{% if atl_tomcat_redirectport is defined and atl_tomcat_redirectport != '' %}
<Connector port="{{ atl_tomcat_redirectport }}"
protocol="{{ atl_tomcat_protocol }}"
connectionTimeout="{{ atl_tomcat_connectiontimeout }}"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`&quot;&lt;&gt;"
maxHttpHeaderSize="65536"
URIEncoding="UTF-8"
useBodyEncodingForURI="true"
compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
{% endif %}
<Engine name="Catalina"
defaultHost="localhost">
<Host name="localhost"
appBase="webapps"
unpackWARs="true"
autoDeploy="true">
<Context path="{{ atl_tomcat_contextpath }}"
docBase="${catalina.home}/confluence"
reloadable="false"
useHttpOnly="true">
<Resource name="UserTransaction"
auth="Container"
type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory"
jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve"
threshold="120" />
</Context>
</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
</Service>
</Server>