♻️ [#200] Configure Autorisaties API connection via setup-configuration

bin/setup_configuration.sh

@@ -6,4 +6,4 @@
 #set -e
 
 src/manage.py migrate
-src/manage.py setup_configuration --no-selftest
+src/manage.py setup_configuration --yaml-file setup_configuration/data.yaml

docker-compose.yml

@@ -3,11 +3,11 @@ version: '3.4'
 
 services:
   db:
-    image: postgres:12-alpine
+    image: postgis/postgis:12-2.5
     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust
     volumes:
-      - ./docker-init-db.sql:/docker-entrypoint-initdb.d/init_db.sql
+      - ./docker/postgres.entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro
       - db:/var/lib/postgresql/data
     command: postgres -c max_connections=300 -c log_min_messages=LOG
 
@@ -36,14 +36,6 @@ services:
       - OPENNOTIFICATIES_SUPERUSER_USERNAME=admin
       - OPENNOTIFICATIES_SUPERUSER_EMAIL=admin@localhost
       - DJANGO_SUPERUSER_PASSWORD=admin
-      # setup_configuration env vars
-      - OPENNOTIFICATIES_DOMAIN=web:8000
-      - OPENNOTIFICATIES_ORGANIZATION=ON
-      - AUTORISATIES_API_ROOT=https://open-zaak.example.nl/autorisaties/api/v1/
-      - NOTIF_OPENZAAK_CLIENT_ID=notif-client-id
-      - NOTIF_OPENZAAK_SECRET=notif-secret
-      - OPENZAAK_NOTIF_CLIENT_ID=oz-client-id
-      - OPENZAAK_NOTIF_SECRET=oz-secret
     healthcheck:
       test: ["CMD", "python", "-c", "import requests; exit(requests.head('http://localhost:8000/admin/').status_code not in [200, 302])"]
       interval: 30s
@@ -57,6 +49,7 @@ services:
       - 8000:8000
     volumes: &app-volumes
       - media:/app/media  # Shared media volume to get access to saved OAS files
+      - ./docker/setup_configuration:/app/setup_configuration
     depends_on:
       web-init:
         condition: service_completed_successfully
@@ -115,6 +108,44 @@ services:
     depends_on:
       - web
 
+  openzaak:
+    image: openzaak/open-zaak:latest
+    environment: &app-env
+      - DJANGO_SETTINGS_MODULE=openzaak.conf.docker
+      - SECRET_KEY=${SECRET_KEY:-7(h1r2hk)8z9+05edulo_3qzymwbo&c24=)qz7+_@3&2sp=u%i}
+      - DB_NAME=openzaak
+      - DB_USER=openzaak
+      - IS_HTTPS=no
+      - ALLOWED_HOSTS=localhost,127.0.0.1,web,web.local,openzaak
+      - CORS_ALLOW_ALL_ORIGINS=True
+      - CSRF_TRUSTED_ORIGINS=http://localhost:9000
+      - CACHE_DEFAULT=redis:6379/0
+      - CACHE_AXES=redis:6379/0
+      - SUBPATH=${SUBPATH:-/}
+      - IMPORT_DOCUMENTEN_BASE_DIR=${IMPORT_DOCUMENTEN_BASE_DIR:-/app/import-data}
+      - IMPORT_DOCUMENTEN_BATCH_SIZE=${IMPORT_DOCUMENTEN_BATCH_SIZE:-500}
+      - OPENZAAK_SUPERUSER_USERNAME=admin
+      - DJANGO_SUPERUSER_PASSWORD=admin
+      - OPENZAAK_SUPERUSER_EMAIL=admin@localhost
+      - CELERY_BROKER_URL=redis://redis:6379/1
+      - CELERY_RESULT_BACKEND=redis://redis:6379/1
+      - CELERY_LOGLEVEL=DEBUG
+      - CELERY_WORKER_CONCURRENCY=${CELERY_WORKER_CONCURRENCY:-4}
+      - ENVIRONMENT=dev
+    healthcheck:
+      test: ["CMD", "python", "-c", "import requests; exit(requests.head('http://localhost:8000/admin/').status_code not in [200, 302])"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      # This should allow for enough time for migrations to run before the max
+      # retries have passed. This healthcheck in turn allows other containers
+      # to wait for the database migrations.
+      start_period: 30s
+    depends_on:
+      - db
+    ports:
+      - 8001:8000
+
 volumes:
   media:
   db:

docker/postgres.entrypoint-initdb.d/0002-openzaak.sql

@@ -0,0 +1,3 @@
+CREATE USER openzaak;
+CREATE DATABASE openzaak;
+GRANT ALL PRIVILEGES ON DATABASE openzaak TO openzaak;

docker/postgres.entrypoint-initdb.d/0003-openzaak-extensions.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "openzaak" <<-EOSQL
+    CREATE EXTENSION postgis;
+    CREATE EXTENSION pg_trgm;
+EOSQL

docker/setup_configuration/data.yaml

@@ -0,0 +1,36 @@
+zgw_consumers_config_enable: True
+zgw_consumers:
+  services:
+  - identifier: autorisaties-api
+    label: Autorisaties API
+    api_root: http://openzaak:8000/autorisaties/api/v1/
+    api_type: ac
+    auth_type: zgw
+    client_id: open-notificaties
+    secret: oPMsHCEuoP9Qh8vP06D7
+    user_id: open-notificaties
+    user_representation: Open Notificaties
+  - identifier: notificaties-api
+    label: Notificaties API
+    api_root: http://web:8000/api/v1/
+    api_type: nrc
+    auth_type: zgw
+    client_id: open-notificaties
+    secret: oPMsHCEuoP9Qh8vP06D7
+    user_id: open-notificaties
+    user_representation: Open Notificaties Demodam
+
+autorisaties_api_config_enable: True
+autorisaties_api:
+  # Configure Open Notificaties to make use of Open Zaak's Autorisaties API
+  authorizations_api_service_identifier: autorisaties-api
+
+vng_api_common_credentials_config_enable: True
+vng_api_common_credentials:
+  items:
+  # Credentials for Open Zaak to be able to make requests to Open Notificaties
+  - identifier: open-zaak2
+    secret: G2LIVfXal1J93puQkV3O
+  # Credentials for Open Notificaties, required for autorisaties subscription
+  - identifier: open-notificaties
+    secret: oPMsHCEuoP9Qh8vP06D7

docs/installation/configuration/opennotifs_config_cli.rst

@@ -5,11 +5,12 @@ Open Notificaties configuration (CLI)
 =====================================
 
 After deploying Open Notificaties, it needs to be configured to be fully functional. The
-command line tool ``setup_configuration`` assists with this configuration:
+command line tool ``setup_configuration`` assist with this configuration by loading a
+YAML file in which the configuration information is specified.
 
-* It uses environment variables for all configuration choices, therefore you can integrate this with your
-  infrastructure tooling such as init containers and/or Kubernetes Jobs.
-* The command can self-test the configuration to detect problems early on
+.. code-block:: bash
+
+    src/manage.py setup_configuration --yaml-file /path/to/your/yaml
 
 You can get the full command documentation with:
 
@@ -21,96 +22,95 @@ You can get the full command documentation with:
    running the command and you then run the exact same command again, the manual
    changes will be reverted.
 
-
 Preparation
 ===========
 
 The command executes the list of pluggable configuration steps, and each step
-requires specific environment variables, that should be prepared.
-Here is the description of all available configuration steps and the environment variables,
-use by each step.
-
-Sites configuration
--------------------
-
-Configure the domain where Open Notificaties is hosted
-
-* ``SITES_CONFIG_ENABLE``: enable Site configuration. Defaults to ``False``.
-* ``OPENNOTIFICATIES_DOMAIN``:  a ``[host]:[port]`` or ``[host]`` value. Required.
-* ``OPENNOTIFICATIES_ORGANIZATION``: name of Open Notificaties organization. Required.
-
-Authorization configuration
----------------------------
-
-Open Notificaties uses Open Zaak Authorisaties API to check authorizations
-of its consumers, therefore Open Notificaties should be able to request Open Zaak.
-Make sure that the correct permissions are configured in Open Zaak Autorisaties API.
-
-* ``AUTHORIZATION_CONFIG_ENABLE``: enable Authorization configuration. Defaults
-  to ``False``.
-* ``AUTORISATIES_API_ROOT``: full URL to the Authorisaties API root, for example
-  ``https://open-zaak.gemeente.local/autorisaties/api/v1/``. Required.
-* ``NOTIF_OPENZAAK_CLIENT_ID``: a client id, which Open Notificaties uses to request
-  Open Zaak, for example, ``open-notificaties``. Required.
-* ``NOTIF_OPENZAAK_SECRET``: some random string. Required.
-
-Open Zaak authentication configuration
---------------------------------------
-
-Open Zaak published notifications to the Open Notificaties, therefore it should have access.
-Make sure that the correct permissions are configured in Open Zaak Autorisaties API.
-
-* ``OPENZAAK_NOTIF_CONFIG_ENABLE``: enable Open Zaak configuration. Defaults to ``False``.
-* ``OPENZAAK_NOTIF_CLIENT_ID``: a client id, which Open Zaak uses to request Open Notificaties,
-  for example, ``open-zaak``. Required.
-* ``OPENZAAK_NOTIF_SECRET``: some random string. Required.
+requires specific configuration information, that should be prepared.
+Here is the description of all available configuration steps and the shape of the data,
+used by each step.
+
+
+Services configuration
+----------------------
+
+In order for Open Notificaties to make requests to external services (such as the Autorisaties API),
+``Services`` must be configured. To enable this step, set ``zgw_consumers_config_enable`` to ``true`` in your
+configuration file and specify a list of ``Services``, for example:
+
+.. code-block:: yaml
+
+    zgw_consumers_config_enable: true
+    zgw_consumers:
+    services:
+      # all possible configurable fields
+      - identifier: objecten-test
+        label: Objecten API test
+        api_root: http://objecten.local/api/v1/
+        api_connection_check_path: objects
+        api_type: orc
+        auth_type: api_key
+        header_key: Authorization
+        header_value: Token foo
+        client_id: client
+        secret: super-secret
+        nlx: http://some-outway-adress.local:8080/
+        user_id: open-formulieren
+        user_representation: Open Formulieren
+        timeout: 5
+      # minimum required fields
+      - identifier: objecttypen-test
+        label: Objecttypen API test
+        api_root: http://objecttypen.local/api/v1/
+        api_type: orc
+        auth_type: api_key
+
+Client credentials
+------------------
+
+TODO: add generated documentation for ``JWTSecretsConfigurationStep``
+
+
+Autorisaties API configuration
+------------------------------
+
+Open Notificaties uses Autorisaties API to check permissions of the clients that
+make requests to Open Notificaties.
+
+This step configures Open Notificaties to use the specified Autorisaties API (see also :ref:`installation_configuration`). It is
+dependent on the `Services configuration`_ step to load a ``Service`` for this Autorisaties API,
+which is referred to in this step by ``authorizations_api_service_identifier``.
+To enable this step, set ``autorisaties_api_config_enable`` to ``true`` in your
+configuration file and specify which ``Service`` to use as the Autorisaties API, for example:
+
+.. code-block:: yaml
+
+    autorisaties_api_config_enable: True
+    autorisaties_api:
+      authorizations_api_service_identifier: autorisaties-api
 
 .. _installation_configuration_cli_retry:
 
-Notification retry configuration
---------------------------------
+Notificaties configuration
+--------------------------
+
+TODO: add generated documentation
 
-Open Notifications has a retry mechanism to guarantee notification delivery, this mechanism
-is described in :ref:`delivery_guarantees`. The parameters for this behavior can be configured via the
-following environment variables.
 
-* ``NOTIFICATION_RETRY_CONFIG_ENABLE``: enable Notification retry configuration. Defaults to ``False``.
-* ``NOTIFICATION_DELIVERY_MAX_RETRIES``: the maximum number of retries Celery will do if sending a notification failed.
-* ``NOTIFICATION_DELIVERY_RETRY_BACKOFF``: a boolean or a number. If this option is set to
-  ``True``, autoretries will be delayed following the rules of exponential backoff. If
-  this option is set to a number, it is used as a delay factor.
-* ``NOTIFICATION_DELIVERY_RETRY_BACKOFF_MAX``: an integer, specifying number of seconds.
-  If ``retry_backoff`` is enabled, this option will set a maximum delay in seconds
-  between task autoretries. By default, this option is set to 48 seconds.
+Sites configuration
+-------------------
 
-These settings can also later be changed via the admin interface, under ``Configuration > Notification component configuration``.
+TODO: add generated documentation
 
 Execution
 =========
 
-With the full command invocation, everything is configured at once and immediately
-tested. For all the self-tests to succeed, it's important that the configuration in the
-Open Zaak is done before calling this command.
-
-.. code-block:: bash
-
-    src/manage.py setup_configuration
-
-
-Alternatively, you can skip the self-tests by using the ``--no-selftest`` flag.
-
-.. code-block:: bash
-
-    src/manage.py setup_configuration --no-self-test
-
-
-``setup_configuration`` command checks if the configuration already exists before changing it.
-If you want to change some of the values of the existing configuration you can use ``--overwrite`` flag.
-
-.. code-block:: bash
-
-    src/manage.py setup_configuration --overwrite
+Open Notificaties configuration
+-------------------------------
 
+With the full command invocation, all defined configuration steps are applied. Each step is idempotent,
+so it's safe to run the command multiple times. The steps will overwrite any manual changes made in
+the admin if you run the command after making these changes.
 
 .. note:: Due to a cache-bug in the underlying framework, you need to restart all
    replicas for part of this change to take effect everywhere.

requirements/base.in

@@ -4,3 +4,5 @@ open-api-framework
 markdown
 self-certifi
 furl
+zgw-consumers[setup-configuration]
+commonground-api-common[setup-configuration]