[eduVPN-deploy] Let's Connect! & eduVPN 2.0

[François Kooman]

Hi all,

Recently I branched "v1" of the various Let's Connect! (LC) and eduVPN
components in the Git repository. This means that v1 is now in
"maintenance mode" where it will receive only small fixes, i.e. security
updates or compatibility fixes. The release of vpn-user-portal 1.8.6 the
other day was such a release. The "v1" branch will be supported for the
foreseeable future, until the majority of known deployments are updated,
and supporting v1 is no longer needed.

All development takes place in the "master" branch. Many things are
updated there, so it will never be an "automatic" update for currently
installed deployments. Instead, after the 2.0 release an upgrade script
will be provided that takes care of updating any (fully up to date 1.0
installation) to 2.0 as much as possible.

The release of 2.0 will take place at the end of Q1-2019, somewhere in
March 2019.

The list of changes is substantial, and may also impact existing
deployments, especially regarding SAML configuration and custom
template/theme overrides which need to be manually fixed during an upgrade.

A high level overview of the changes so far part of the new release:

- Switch to integrated SAML support, remove mod_auth_mellon support,
greater flexibility and ease of configuration;

- Merge admin portal and user portal;

- New template engine for the portal with much easier support for
internationalization;

- Simplify "translations" to one file per language;

- Removed 2FA support for the VPN layer, everything takes place in the
browser;

- Removed VOOT ACL support;

- Removed YubiKey support;

- Removed "multi instance" support, never publicly documented anyway,
and now removed;

- ACL (user groups / permissions) only handled through the browser now,
e.g. through SAML entitlements/affiliation, no "backchannel" support any
longer;

- Ability to configure "session expiry" forcing users to authenticate
(with 2FA) periodically;

A number of items are still on the TODO for the 2.0 release:

- Security audit of the embedded SAML SP library;

- Merge "vpn-server-api" in the "vpn-user-portal" as well and call the
result "vpn-portal";

- Switch the EdDSA JWT tokens with "key ID" support for OAuth;

- Write upgrade script from v1 to v2;

- Update documentation repository, a lot has already been updated in the
"dev" branch;

If you want to test the future 2.0 release, you can simply do that by
looking in the "dev" branch of the documentation repository [1]. Using
the "deploy_centos.sh" script from the dev branch installs the
development version. There are no guarantees that updates in the "dev"
branch do not break your installation, so only use it on a test machine
that you can and are willing to regularly reset/reconfigure.

Let me know if you have any questions, remarks or something you are
missing from this list that I promised before. The could be things
implemented I forgot to mention above ;-)

Cheers,
François

[1] https://github.com/eduvpn/documentation/tree/dev