diff --git a/.infra/cegedim/deploy.yaml b/.infra/cegedim/deploy.yaml
index 05a0d91b..0b8bc458 100644
--- a/.infra/cegedim/deploy.yaml
+++ b/.infra/cegedim/deploy.yaml
@@ -4,7 +4,7 @@
 become: true
 gather_facts: false
 vars_files:
- - "vault-{{ env }}.yml"
+ - "vault-{{ env }}.yml"
 tasks:
 - name: login sur le registry
 docker_login:
diff --git a/.infra/cegedim/generate-client-certificate.yaml b/.infra/cegedim/generate-client-certificate.yaml
new file mode 100644
index 00000000..01bfd067
--- /dev/null
+++ b/.infra/cegedim/generate-client-certificate.yaml
@@ -0,0 +1,63 @@
+---
+ - hosts: "{{ env }}-app"
+ name: certificats agecap
+ become: true
+ vars_files:
+ - "vault-{{ env }}.yml"
+ tasks:
+ - name: Check if certificate exists
+ stat: path=/opt/pdigi/data/server/agecap/ca-key.pem
+ register: certificate_output
+
+ - name: Création du répertoire certificates
+ file:
+ path: /opt/pdigi/data/server/agecap
+ state: directory
+
+ - name: Generate client certificate for AGECAP
+ block:
+ - name: Create CA key (Certification Authority)
+ openssl_privatekey:
+ path: /opt/pdigi/data/server/agecap/ca-key.pem
+ passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+ cipher: auto
+
+ - name: Create CSR (Certificate Signing Request)
+ openssl_csr:
+ path: /opt/pdigi/data/server/agecap/ca-csr.pem
+ privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+ privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+ common_name: "{{ hostname }}"
+ basic_constraints:
+ - 'CA:TRUE'
+
+ - name: Generate CA certificate
+ community.crypto.x509_certificate:
+ path: /opt/pdigi/data/server/agecap/ca-crt.pem
+ csr_path: /opt/pdigi/data/server/agecap/ca-csr.pem
+ privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+ privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+ provider: selfsigned
+
+ - name: Generate client key
+ openssl_privatekey:
+ path: /opt/pdigi/data/server/agecap/client-key.pem
+ passphrase: "{{ vault.TLS_CLIENT_PASSPHRASE }}"
+ cipher: auto
+
+ - name: Create the client CSR
+ openssl_csr:
+ path: /opt/pdigi/data/server/agecap/client-csr.pem
+ privatekey_path: /opt/pdigi/data/server/agecap/client-key.pem
+ privatekey_passphrase: "{{ vault.TLS_CLIENT_PASSPHRASE }}"
+ common_name: "{{ hostname }}"
+
+ - name: Generate the client certificate
+ community.crypto.x509_certificate:
+ path: /opt/pdigi/data/server/agecap/client-crt.pem
+ csr_path: /opt/pdigi/data/server/agecap/client-csr.pem
+ provider: ownca
+ ownca_path: /opt/pdigi/data/server/agecap/ca-crt.pem
+ ownca_privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+
ownca_privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}" + when: certificate_output.stat.exists == False diff --git a/.infra/cegedim/scripts/push-images.sh b/.infra/cegedim/scripts/push-images.sh index a59c14c6..527ff764 100644 --- a/.infra/cegedim/scripts/push-images.sh +++ b/.infra/cegedim/scripts/push-images.sh @@ -65,10 +65,14 @@ docker build ./reverse_proxy -t registry.kleegroup.com/dgefp-pdigi/cerfa_reverse # On supprime le fichier location_metabase.conf.template rm ./reverse_proxy/app/nginx/templates/includes/location_metabase.conf.template +# L'enchainement de commande plante régulièrement => Le sleep 3 résoud en partie le problème +sleep 3 echo "Push des images locales sur le registry" echo "Pushing cerfa_ui:$v ..." docker push registry.kleegroup.com/dgefp-pdigi/cerfa_ui:"$v" +sleep 3 echo "Pushing cerfa_server:$v ..." docker push registry.kleegroup.com/dgefp-pdigi/cerfa_server:"$v" +sleep 3 echo "Pushing cerfa_reverse_proxy:$v ..." docker push registry.kleegroup.com/dgefp-pdigi/cerfa_reverse_proxy:"$v" diff --git a/.infra/cegedim/setup.yaml b/.infra/cegedim/setup.yaml index fc06d94f..991553f0 100644 --- a/.infra/cegedim/setup.yaml +++ b/.infra/cegedim/setup.yaml @@ -77,7 +77,8 @@ - name: "Install requisites" apt: - name: + name: + - vim - docker-ce - python3-pip - python3-docker diff --git a/server/src/common/apis/ApiAgecap.js b/server/src/common/apis/ApiAgecap.js index aeb2fc6f..a8353e55 100644 --- a/server/src/common/apis/ApiAgecap.js +++ b/server/src/common/apis/ApiAgecap.js @@ -9,6 +9,7 @@ const { oleoduc, writeData } = require("oleoduc"); const { PassThrough } = require("stream"); const Boom = require("boom"); const { getS3ObjectAsStream } = require("../utils/S3Utils"); +const https = require("https"); // Cf Documentation : Api Agecap const executeWithRateLimiting = apiRateLimiter("apiAgecap", { 
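Review bot: The block guard `when: certificate_output.stat.exists == False` compares against a literal and keys the whole six-task chain on ca-key.pem alone, so a run that fails after the CA key is written leaves a partial chain (no CA cert, no client cert) that every later run skips; write it as `when: not certificate_output.stat.exists`, and consider dropping the block-level guard altogether since the community.crypto modules already leave an existing matching file alone (verify against the collection version this project pins). The CA CSR sets `basic_constraints: ['CA:TRUE']` without marking it critical or constraining what the key may sign; `basic_constraints_critical: true`, `key_usage: [keyCertSign, cRLSign]` and `key_usage_critical: true` are the usual additions for a CA certificate. Neither the directory task nor the two `openssl_privatekey` tasks set an explicit `mode`/`owner`, so the CA and client private keys rely on module defaults for their permissions — confirm those defaults restrict the files to the account that reads them, or set `mode: "0600"` explicitly. Style: `stat: path=...` uses the key=value string form while every other task uses block YAML, and `openssl_privatekey`/`openssl_csr` are short names next to the FQCN `community.crypto.x509_certificate`; pick one convention for the file.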
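Review bot: The three added `sleep 3` lines paper over a transient failure that the comment itself says is only partly resolved, and nothing in the hunk checks that `docker push` succeeded, so a failed push still lets the script continue to the next image and exit successfully unless `set -e` is in effect somewhere above the hunk (the top of the script is outside it). A small retry wrapper makes the failure mode explicit: each push is attempted a bounded number of times, with the sleep only between failed attempts, and the script fails if the last attempt fails. The echo lines and the rest of the script are unchanged.
```shell
# docker push fails transiently when chained right after a build; retry a few
# times with a pause between attempts instead of sleeping unconditionally.
push_with_retry() {
  local image="$1" attempt
  for attempt in 1 2 3; do
    docker push "$image" && return 0
    echo "push of $image failed (attempt $attempt/3), retrying..." >&2
    sleep 3
  done
  echo "push of $image failed after 3 attempts" >&2
  return 1
}

# … unchanged: rm of location_metabase.conf.template, "Push des images" echo lines …
push_with_retry registry.kleegroup.com/dgefp-pdigi/cerfa_ui:"$v"
push_with_retry registry.kleegroup.com/dgefp-pdigi/cerfa_server:"$v"
push_with_retry registry.kleegroup.com/dgefp-pdigi/cerfa_reverse_proxy:"$v"
```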
@@ -19,6 +20,9 @@ const executeWithRateLimiting = apiRateLimiter("apiAgecap", { baseURL: config.agecap.url, timeout: 5000, headers: { Authorization: `Basic ${config.agecap.key}` }, + httpsAgent: new https.Agent({ + rejectUnauthorized: config.env !== "recette", + }), }), }); @@ -33,6 +37,7 @@ class ApiAgecap { if (this.auth) return true; try { logger.debug(`[Agecap API] Authenticate`); + console.log(`Basic ${config.agecap.key}`); let response = await client.post(`authenticate`); if (!response?.data?.token) { throw new ApiError("Api Agecap", ` Authenticate: Something went wrong`);
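Review bot: `rejectUnauthorized: config.env !== "recette"` disables server-certificate validation for the whole recette environment, so that client accepts any certificate on the Agecap connection, including one presented by anything sitting between the two hosts, and the switch is tied to an environment name rather than to the actual trust problem. If recette presents a certificate from a private CA, trust that CA explicitly and keep validation on everywhere: `httpsAgent: new https.Agent({ ca: fs.readFileSync(config.agecap.caPath) })` (with `fs` required next to `https`; `config.agecap.caPath` is a placeholder for whatever config key ends up holding the CA bundle path). If the intent is instead client-certificate authentication with the certificates produced by generate-client-certificate.yaml in this same commit, the agent needs `cert`, `key` and `passphrase`, and `rejectUnauthorized: false` still has no place in it. The `apiRateLimiter(...)` call that this object literal belongs to starts outside the hunk.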
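Review bot: The added `console.log(\`Basic ${config.agecap.key}\`)` writes the Agecap API credential in clear to stdout on every authentication attempt, so it lands in container logs and any log aggregation behind them, and it also bypasses the `logger` used on the line just above; remove it before merge. If a trace of the auth flow is needed, log the fact without the value, e.g. `logger.debug(\`[Agecap API] Authenticate (key ${config.agecap.key ? "configured" : "missing"})\`)`. If this line has already run anywhere, treat that key as exposed and rotate it. The `authenticate` method continues past the end of the hunk.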