splitting keycloak out

Signed-off-by: Ryan Cook <rcook@redhat.com>

Author: cooktheryan

roles/sigstore_scaffolding/defaults/main.yml

@@ -28,6 +28,10 @@ sigstore_trillian_templates:
   - manifests/trillian/trillian-logserver.yaml
   - manifests/trillian/trillian-logsigner.yaml
 
+ctlog_enabled: true
+tuf_enabled: true
+
+trillian_enabled: true
 trillian:
   mysql:
    user: mysql
@@ -74,7 +78,7 @@ remote_ctlog_public_key: "{{ certs_dir }}/{{ ctlog_public_key_filename }}"
 remote_rekor_signer: "{{ certs_dir }}/{{ rekor_signer_filename }}"
 remote_rekor_public_key: "{{ certs_dir }}/{{ rekor_public_key_filename }}"
 
-
+rekor_enabled: true
 rekor_public_key_retries: 5
 rekor_public_key_delay: 10
 fulcio_server_config: "{{ kube_configmap_dir }}/fulcio-config.yaml"
@@ -90,6 +94,7 @@ keycloak_certs_config: "{{ kube_configmap_dir }}/keycloak-certs.yaml"
 setup_host_dns: true
 base_hostname: ""
 
+fulcio_enabled: true
 fulcio_ca_passphrase: sigstore
 ctlog_ca_passphrase: sigstore
 rekor_ca_passphrase: sigstore
@@ -134,4 +139,4 @@ trillian_db_image: gcr.io/trillian-opensource-ci/db_server@sha256:22b7fddcb4bafc
 tuf_image: quay.io/rcook/tuf/server:latest
 netcat_image: quay.io/rcook/netcat:v1.0.0
 nginx_image: registry.access.redhat.com/ubi8/nginx-120@sha256:0d4543b4cf26eb46b1632006cc5b24a1925336973eb3ec17cdfb9fec372da5b8
-curl_image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+curl_image: registry.access.redhat.com/ubi9/ubi-minimal:latest

roles/sigstore_scaffolding/tasks/podman.yml

@@ -24,18 +24,24 @@
 
 - name: Configure/Deploy Trillian
   ansible.builtin.include_tasks: podman/trillian.yml
+  when: trillian_enabled | bool
 
 - name: Setup Trillian Tree ID
   ansible.builtin.include_tasks: podman/createtree.yml
+  when: trillian_enabled | bool
 
 - name: Configure/Deploy Rekor
   ansible.builtin.include_tasks: podman/rekor.yml
+  when: rekor_enabled | bool
 
 - name: Configure/Deploy Fulcio
   ansible.builtin.include_tasks: podman/fulcio.yml
+  when: fulcio_enabled | bool
 
 - name: Configure/Deploy ctlog
   ansible.builtin.include_tasks: podman/ctlog.yml
+  when: ctlog_enabled | bool
 
 - name: Configure/Deploy tuf
-  ansible.builtin.include_tasks: podman/tuf.yml
+  ansible.builtin.include_tasks: podman/tuf.yml
+  when: tuf_enabled | bool

roles/sigstore_scaffolding/templates/configs/nginx.conf.j2

@@ -10,8 +10,10 @@ events {
     worker_connections  1024;
 }
 
-
 http {
+    map_hash_bucket_size 128;
+    map_hash_max_size 128;
+    server_names_hash_bucket_size  128;
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
@@ -41,28 +43,47 @@ http {
 
 stream {  
 
+  map_hash_bucket_size 128;
   map $ssl_server_name $targetBackend {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }}  rekor-server-pod:3000;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }}  tuf-pod:8080;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }}  fulcio-server-pod:5555;
+{% endif %}
 {% if keycloak_enabled %}
     {{ keycloak_url }}  keycloak:8080;
 {% endif %}
   }
 
   map $ssl_server_name $targetCert {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }} /certs/ingress-rekor.pem;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }} /certs/ingress-tuf.pem;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }} /certs/ingress-fulcio.pem;
+{% endif %}
 {% if keycloak_enabled %}
     {{ keycloak_url }}  /certs/ingress-keycloak.pem;
 {% endif %}
   }
 
   map $ssl_server_name $targetCertKey {
+{% if rekor_enabled %}
     rekor.{{ base_hostname }}  /certs/ingress-rekor.key;
+{% endif %}
+{% if tuf_enabled %}
     tuf.{{ base_hostname }}  /certs/ingress-tuf.key;
+{% endif %}
+{% if fulcio_enabled %}
     fulcio.{{ base_hostname }}  /certs/ingress-fulcio.key;
+{% endif %}
 {% if keycloak_enabled %}
     {{ keycloak_url }}  /certs/ingress-keycloak.key;
 {% endif %}