WIP

deployments/aws/deployment.cfg

@@ -17,6 +17,7 @@ VTS_PORT=${VTS_PORT:-50051}
 PROVISIONING_PORT=${PROVISIONING_PORT:-8888}
 VERIFICATION_PORT=${VERIFICATION_PORT:-8080}
 MANAGEMENT_PORT=${MANAGEMENT_PORT:-8088}
+KEYCLOAK_PORT=${MANAGEMENT_PORT:-11111}
 
 # The location of the Python venv that will be used to run the deployment
 # script. This venv must have appropriate dependencies installed (see
@@ -39,3 +40,10 @@ VERAISON_AWS_SUBNET_ID=${VERAISON_AWS_SUBNET_ID:-}
 # Instances' security groups will be configures to allow connections from this
 # CIDR.
 VERAISON_AWS_ADMIN_CIDR=${VERAISON_AWS_ADMIN_CIDR:-217.140.96.0/20}
+
+# X.509 cert that will be used to sign serivice certificates. If not specified,
+# a self-signed CA cert will be generated alongside service ones.
+VERAISON_CA_CERT=${VERAISON_CA_CERT:-}
+
+# Private key associated with VERAISON_CA_CERT.
+VERAISON_CA_CERT_KEY=${VERAISON_CA_CERT_KEY:-}

deployments/aws/deployment.sh

@@ -51,12 +51,14 @@ function bootstrap() {
 				     cut -f2 -d= | tr -d \")
 
 			case $distrib_id in
-			Arch) sudo pacman -Syy packer ssh;;
+			Arch) sudo pacman -Syy packer ssh openssl;;
 			Ubuntu)
-				sudo apt --yes install curl
+				sudo apt update
+				sudo apt --yes install curl openssl
+
 				curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
 				sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
-				sudo apt update && sudo apt --yes install packer
+				sudo apt --yes install packer
 				;;
 			*)
 				echo -e "$_error: Boostrapping is currently only supported for Arch and Ubuntu."
@@ -96,69 +98,34 @@ function bootstrap() {
 	echo "$message"
 }
 
-function create_image() {
+function bringup() {
+	_check_installed openssl
 	_check_installed packer
 
-	veraison create-image --vpc-id "${VERAISON_AWS_VPC_ID}" \
-		--subnet-id "${VERAISON_AWS_SUBNET_ID}"
-}
-
-function delete_image() {
-	veraison delete-image
-}
-
-function create_key_pair() {
-	veraison create-key-pair
-}
-
-function delete_key_pair() {
-	veraison delete-key-pair
-}
-
-function create_deb() {
-	veraison create-deb
-}
-
-function cache() {
-	veraison cache
-}
-
-function create_stack() {
-	veraison create-stack --vpc-id "${VERAISON_AWS_VPC_ID}" \
+	veraison configure --init \
+		--vpc-id "${VERAISON_AWS_VPC_ID}" \
 		--subnet-id "${VERAISON_AWS_SUBNET_ID}" \
-		--admin-cidr "${VERAISON_AWS_ADMIN_CIDR}"
-}
-
-function delete_stack() {
-	veraison delete-stack
-}
-
-function update_security_groups() {
-	veraison update-security-groups
-}
-
-function update_certs() {
-	veraison update-certs
-}
-
-function bringup() {
-	_check_installed packer
+		--admin-cidr "${VERAISON_AWS_ADMIN_CIDR}" \
+		--region "${VERAISON_AWS_REGION}"
 
 	veraison create-deb
 	veraison create-key-pair
-	veraison create-image --vpc-id "${VERAISON_AWS_VPC_ID}" \
-		--subnet-id "${VERAISON_AWS_SUBNET_ID}"
-	veraison create-stack --vpc-id "${VERAISON_AWS_VPC_ID}" \
-		--subnet-id "${VERAISON_AWS_SUBNET_ID}" \
-		--admin-cidr "${VERAISON_AWS_ADMIN_CIDR}"
+	veraison create-combined-image
+	veraison create-keycloak-image
+	veraison create-combined-stack
+
 	veraison update-security-groups
+	veraison create-certs --ca-cert "${VERAISON_CA_CERT}" \
+		--ca-cert-key "${VERAISON_CA_CERT_KEY}"
 	veraison update-certs
 }
 
 function teardown() {
-	veraison delete-stack
-	veraison delete-image
+	veraison delete-stack combined
+	veraison delete-image keycloak
+	veraison delete-image combined
 	veraison delete-key-pair
+	veraison delete-certs
 	veraison delete-deb
 }
 
@@ -207,16 +174,6 @@ case $_command in
         bootstrap) bootstrap;;
 	bringup) bringup;;
 	teardown) teardown;;
-        create-image) create_image;;
-        delete-image) delete_image;;
-        create-key-pair | create-key) create_key_pair;;
-        delete-key-pair | delete-key) delete_key_pair;;
-        create-stack) create_stack;;
-        delete-stack) delete_stack;;
-        create-deb) create_deb;;
-	update-security-groups) update_security_groups;;
-	update-certs) update_certs;;
-	cache) cache;;
 	*) echo -e "$_error: unexpected command: \"$_command\"";;
 esac
 # vim: set noet sts=8 sw=8:

deployments/aws/misc/requirements.txt

@@ -1,6 +1,7 @@
-ar==1.0.0
 boto3==1.35.8
 botocore==1.35.8
+cryptography==43.0.1
+envsubst==0.1.5
 fabric==3.2.2
 pyxdg==0.28
 PyYAML==6.0.2

deployments/aws/templates/image-keycloak.pkr.hcl

@@ -0,0 +1,103 @@
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 1.2.8"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+variable "deployment_name" {
+  type = string
+}
+
+variable "ami_name" {
+  type = string
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "region" {
+  type = string
+  default = "eu-west-1"
+}
+
+variable "instance_type" {
+  type = string
+  default = "t2.micro"
+}
+
+variable "subnet_id" {
+  type = string
+}
+
+variable "keycloak_version" {
+  type = string
+  default = "25.0.5"
+}
+
+variable "conf" {
+  type = string
+}
+
+locals {
+    conf_dest = "/opt/keycloak/conf/keycloak.conf"
+}
+
+source "amazon-ebs" "ubuntu" {
+  ami_name      = "${var.ami_name}"
+  instance_type = "${var.instance_type}"
+  region        = "${var.region}"
+  vpc_id        = "${var.vpc_id}"
+  subnet_id     = "${var.subnet_id}"
+  associate_public_ip_address = true
+  tags  = {
+    veraison-deployment = "${var.deployment_name}"
+  }
+  source_ami_filter {
+    filters = {
+      name                = "ubuntu/images/*ubuntu-jammy-22.04-amd64-server-*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+      architecture        = "x86_64"
+    }
+    owners      = ["099720109477"]  # amazon
+    most_recent = true
+  }
+  ssh_username = "ubuntu"
+}
+
+build {
+  name = "veraison-keycloak"
+  sources = [
+    "source.amazon-ebs.ubuntu"
+  ]
+
+  provisioner "file" {
+    source = "${var.conf}"
+    destination = "keycloak.conf"
+  }
+
+  provisioner "shell" {
+    inline = [
+      "sleep 1",
+      "sudo apt-get update",
+      "sudo apt-get update", # doing it twice as once doesn't seem to be enough ....
+      "sudo apt-get install -f --yes openjdk-21-jdk  2>&1",
+
+      "sudo groupadd --system keycloak",
+      "sudo useradd --system --gid keycloak --no-create-home --shell /bin/false keycloak",
+
+      "wget https://github.com/keycloak/keycloak/releases/download/${var.keycloak_version}/keycloak-${var.keycloak_version}.tar.gz",
+      "tar xf keycloak-${var.keycloak_version}.tar.gz",
+      "rm keycloak-${var.keycloak_version}.tar.gz",
+      "sudo mv keycloak-${var.keycloak_version} /opt/keycloak",
+      "sudo mv keycloak.conf /opt/keycloak/conf/keycloak.conf",
+      "sudo chown -R keycloak:keycloak /opt/keycloak"
+    ]
+  }
+}
+
+# vim: set et sts=2 sw=2:

deployments/aws/templates/keycloak.conf.template

@@ -0,0 +1,5 @@
+# See https://www.keycloak.org/server/all-config for all alvailable configuration.
+http-enabled=false
+https-port=${KEYCLOAK_PORT}
+hostname-strict=false
+

deployments/aws/templates/stack-combined.yaml

@@ -16,7 +16,10 @@ Parameters:
     Description: |
       The name of an EC2 key pair that will be used to provide access to the
       instance.
-  InstanceImage:
+  CombinedImage:
+    Type: String
+    Description: ID of the AMI image to be used for the instance.
+  KeycloakImage:
     Type: String
     Description: ID of the AMI image to be used for the instance.
   AdminCidr:
@@ -39,16 +42,19 @@ Parameters:
     Type: Number
     Description: TCP port on which the management service is listening
     Default: 8088
+  KeycloakPort:
+    Type: Number
+    Description: TCP port on which the management service is listening
+    Default: 11111
   ServiceInstanceType:
     Description: An EC2 instance type that will be used to run EC2 Instances
     Type: String
     Default: t2.micro
-    # TODO(setrofm): technicall, there is a set of AllowedValues that should be
-    # specified here (i.e. a valid type name), but since there is a ton of
-    # them, and right now I'm not sure which subset of those would even make
-    # sense for service instance, I'm leaving this unconstrained for now.
+  KeycloakInstanceType:
+    Description: An EC2 instance type that will be used to run EC2 Instances
+    Type: String
+    Default: t2.micro
 
-
 Resources:
 
   VeraisonSecurityGroup:
@@ -74,6 +80,10 @@ Resources:
           FromPort: !Ref ManagementPort
           ToPort: !Ref ManagementPort
           CidrIp: !Ref AdminCidr
+        - IpProtocol: tcp
+          FromPort: !Ref KeycloakPort
+          ToPort: !Ref KeycloakPort
+          CidrIp: !Ref AdminCidr
       Tags:
         - Key: veraison-deployment
           Value: !Ref DeploymentName
@@ -83,13 +93,30 @@ Resources:
     Properties:
       KeyName: !Ref KeyName
       InstanceType: !Ref ServiceInstanceType
-      ImageId: !Ref InstanceImage
+      ImageId: !Ref CombinedImage
       SubnetId: !Ref SubnetId
       SecurityGroupIds:
         - !GetAtt VeraisonSecurityGroup.GroupId
       Tags:
         - Key: veraison-deployment
           Value: !Ref DeploymentName
+        - Key: deployment-instance-name
+          Value: combined
+
+  KeycloakInstance:
+    Type: AWS::EC2::Instance
+    Properties:
+      KeyName: !Ref KeyName
+      InstanceType: !Ref ServiceInstanceType
+      ImageId: !Ref CombinedImage
+      SubnetId: !Ref SubnetId
+      SecurityGroupIds:
+        - !GetAtt VeraisonSecurityGroup.GroupId
+      Tags:
+        - Key: veraison-deployment
+          Value: !Ref DeploymentName
+        - Key: deployment-instance-name
+          Value: keycloak
 
   VeraisonIpAddress:
     Type: AWS::EC2::EIP
@@ -100,3 +127,13 @@ Resources:
       Tags:
         - Key: veraison-deployment
           Value: !Ref DeploymentName
+
+  KeycloakIpAddress:
+    Type: AWS::EC2::EIP
+    DependsOn: VeraisonInstance
+    Properties:
+      Domain: vpc
+      InstanceId: !Ref KeycloakInstance
+      Tags:
+        - Key: veraison-deployment
+          Value: !Ref DeploymentName