Merge branch 'nico/test-cara-dev' into 'master'

Fixes to OpenShift templates

See merge request cara/cara!138
Philip James Elson 2021-03-01 15:27:39 +00:00
commit 040ed05008
5 changed files with 103 additions and 128 deletions


@ -78,6 +78,8 @@ but it may be origin if you haven't configured it differently):
## OpenShift templates
### First setup
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console
@ -95,22 +97,34 @@ If you need to create the application in a new project, run:
```console
$ cd app-config/openshift
$ oc process -f application.yaml | oc create -f -
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
$ oc process -f services.yaml | oc create -f -
$ oc process -f configmap.yaml | oc create -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
```
If you need to **replace** existing configuration, then run:
Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret:
```console
$ WEBHOOKSECRET=$(openssl rand -hex 50)
$ oc create secret generic \
--from-literal="WebHookSecretKey=$WEBHOOKSECRET" \
gitlab-cara-webhook-secret
```
Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
## Update configuration
If you need to **update** existing configuration, then modify this repository and after having logged in, run:
```console
$ cd app-config/openshift
$ oc process -f application.yaml | oc replace -f -
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
$ oc process -f services.yaml | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
```
### CERN SSO Proxy
You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)
Be aware that if you change/replace the **route** of the PROD instance, it will loose the annotation to be exposed outside CERN (not committed in this repo).


@ -23,9 +23,9 @@
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-app:latest'
to:
kind: ImageStreamTag
name: 'cara-app:latest'
strategy:
sourceStrategy:
env:
@ -41,6 +41,11 @@
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-app
-
kind: BuildConfig
apiVersion: v1
@ -55,9 +60,9 @@
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-router:latest'
to:
kind: ImageStreamTag
name: 'cara-router:latest'
strategy:
sourceStrategy:
from:
@ -70,6 +75,11 @@
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-router
-
kind: BuildConfig
apiVersion: v1
@ -83,9 +93,9 @@
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-webservice:latest'
to:
kind: ImageStreamTag
name: 'cara-webservice:latest'
strategy:
sourceStrategy:
env:
@ -102,20 +112,10 @@
name: gitlab-cara-webhook-secret
type: Generic
-
kind: ImageStream
apiVersion: v1
kind: Route
metadata:
name: cern-sso-proxy
spec:
host: cara.web.cern.ch
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cern-sso-proxy
name: cara-webservice
-
apiVersion: v1
kind: DeploymentConfig
@ -130,6 +130,7 @@
spec:
containers:
- name: cara-app
image: '${PROJECT_NAME}/cara-app'
ports:
- containerPort: 8080
protocol: TCP
@ -142,7 +143,7 @@
from:
kind: ImageStreamTag
name: 'cara-app:latest'
namespace: cara
namespace: ${PROJECT_NAME}
-
apiVersion: v1
kind: DeploymentConfig
@ -157,6 +158,7 @@
spec:
containers:
- name: cara-router
image: '${PROJECT_NAME}/cara-router'
ports:
- containerPort: 8080
protocol: TCP
@ -171,7 +173,7 @@
from:
kind: ImageStreamTag
name: 'cara-router:latest'
namespace: cara
namespace: ${PROJECT_NAME}
-
apiVersion: v1
kind: DeploymentConfig
@ -186,6 +188,7 @@
spec:
containers:
- name: cara-webservice
image: '${PROJECT_NAME}/cara-webservice'
ports:
- containerPort: 8080
protocol: TCP
@ -198,31 +201,9 @@
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
namespace: cara
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: cern-sso-proxy
spec:
replicas;: 1
template:
metadata:
labels:
app: cern-sso-proxy
spec:
containers:
- name: cern-sso-proxy
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cern-sso-proxy
from:
kind: ImageStreamTag
name: 'cern-sso-proxy:latest'
namespace: cara
namespace: ${PROJECT_NAME}
parameters:
- name: PROJECT_NAME
description: The name of this project, e.g. test-cara
required: true
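Review bot: The ImageChange triggers now read `namespace: ${PROJECT_NAME}`, while each BuildConfig's `output.to` ImageStreamTag carries no namespace and so is written to whatever project `oc create` runs in. If PROJECT_NAME is ever given a value other than the current project, the DeploymentConfigs would track and roll out `:latest` images from a different namespace than the one the builds push to. Dropping `namespace` from the trigger `from:` blocks (it should then default to the DeploymentConfig's own project), or extending the parameter description to `The name of this project; must equal the project the template is created in`, would close that gap. The unquoted `${PROJECT_NAME}` also differs from the quoted `image: '${PROJECT_NAME}/cara-app'` lines, and quoting both keeps the substituted values unambiguous strings. The BuildConfig and DeploymentConfig objects are only partly visible in these hunks.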


@ -1,66 +0,0 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-configuration"
creationTimestamp: null
annotations:
description: "CARA Config Maps OpenShift template."
tags: "cara-configuration"
labels:
template: "cara-application"
objects:
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-proxy
data:
authorize.conf: |-
# Make sure clients cannot fake authentication by injecting headers
RequestHeader unset X-ADFS-LOGIN
RequestHeader unset X-ADFS-EMAIL
RequestHeader unset X-ADFS-FIRSTNAME
RequestHeader unset X-ADFS-LASTNAME
RequestHeader unset X-ADFS-FULLNAME
#Protected resources
<Location "/">
ShibRequestSetting requireSession 1
AuthType shibboleth
<RequireALL>
Require valid-user
Require shib-attr ADFS_GROUP cern-personnel
</RequireALL>
RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
</Location>
proxy.conf: |-
# Enable reverse proxy for websockets
# https://github.com/jupyterhub/jupyterhub/issues/367
# https://github.com/websockets/ws/issues/893
ProxyPreserveHost On
ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyRequests off
<Location "/voila-server/api/kernels">
RequestHeader set X-SCRIPT-NAME /voila-server/
ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} =websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
</Location>
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-shib
data:
shibboleth2.xml: ''


@ -0,0 +1,33 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-route"
creationTimestamp: null
annotations:
description: "CARA route OpenShift template."
tags: "cara-route"
labels:
template: "cara-route"
objects:
-
apiVersion: v1
kind: Route
metadata:
name: cara-router
spec:
host: ${HOST}
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cara-router
parameters:
- name: HOST
description: The hostname of the site, e.g. test-cara.web.cern.ch
required: true
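Review bot: This Route sends external traffic straight to the `cara-router` Service, whereas the Route removed from the application template pointed at `cern-sso-proxy`. The same commit also deletes the `authorize.conf` that required a Shibboleth session and unset client-supplied `X-ADFS-*` headers. If the SSO proxy is now deployed from the separate CERN template, a comment above `to:` such as `# authentication is not enforced by this route; see README "CERN SSO Proxy"` would record that dependency, and it is worth confirming that the backend does not trust `X-ADFS-*` headers on any path that skips the proxy. `targetPort: 8081` also looks carried over from the proxy route, while the cara-router container declares `containerPort: 8080`; check it against the cara-router Service ports, which are not visible on this page.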


@ -10,6 +10,21 @@
labels:
template: "cara-services"
objects:
-
apiVersion: v1
kind: Service
metadata:
labels:
app: cara-app
name: cara-app
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: cara-app
-
apiVersion: v1
kind: Service
@ -44,5 +59,3 @@
targetPort: 8080
selector:
app: cara-webservice