diff --git a/README.md b/README.md
index bea592b6..8e187a42 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,8 @@ but it may be origin if you haven't configured it differently):
## OpenShift templates
+### First setup
+
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console
@@ -95,22 +97,34 @@ If you need to create the application in a new project, run:
```console
$ cd app-config/openshift
-$ oc process -f application.yaml | oc create -f -
+$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
$ oc process -f services.yaml | oc create -f -
-$ oc process -f configmap.yaml | oc create -f -
+$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
```
-If you need to **replace** existing configuration, then run:
+Then, create the webhook secret to be able to trigger automatic builds from GitLab.
+
+Create and store the secret:
+
+```console
+$ WEBHOOKSECRET=$(openssl rand -hex 50)
+$ oc create secret generic \
+ --from-literal="WebHookSecretKey=$WEBHOOKSECRET" \
+ gitlab-cara-webhook-secret
+```
+
+Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
+
+## Update configuration
+
+If you need to **update** existing configuration, then modify this repository and after having logged in, run:
```console
$ cd app-config/openshift
-$ oc process -f application.yaml | oc replace -f -
+$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
$ oc process -f services.yaml | oc replace -f -
-$ oc process -f configmap.yaml | oc replace -f -
+$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
```
-### CERN SSO Proxy
-
-You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
-The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)
+Be aware that if you change/replace the **route** of the PROD instance, it will loose the annotation to be exposed outside CERN (not committed in this repo).
diff --git a/app-config/openshift/application.yaml b/app-config/openshift/application.yaml
index 258501d1..dafb6dfa 100644
--- a/app-config/openshift/application.yaml
+++ b/app-config/openshift/application.yaml
@@ -23,9 +23,9 @@
sourceSecret:
name: sshdeploykey
output:
- to:
- kind: ImageStreamTag
- name: 'cara-app:latest'
+ to:
+ kind: ImageStreamTag
+ name: 'cara-app:latest'
strategy:
sourceStrategy:
env:
@@ -41,6 +41,11 @@
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
+ -
+ kind: ImageStream
+ apiVersion: v1
+ metadata:
+ name: cara-app
-
kind: BuildConfig
apiVersion: v1
@@ -55,9 +60,9 @@
sourceSecret:
name: sshdeploykey
output:
- to:
- kind: ImageStreamTag
- name: 'cara-router:latest'
+ to:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
strategy:
sourceStrategy:
from:
@@ -70,6 +75,11 @@
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
+ -
+ kind: ImageStream
+ apiVersion: v1
+ metadata:
+ name: cara-router
-
kind: BuildConfig
apiVersion: v1
@@ -83,9 +93,9 @@
sourceSecret:
name: sshdeploykey
output:
- to:
- kind: ImageStreamTag
- name: 'cara-webservice:latest'
+ to:
+ kind: ImageStreamTag
+ name: 'cara-webservice:latest'
strategy:
sourceStrategy:
env:
@@ -102,20 +112,10 @@
name: gitlab-cara-webhook-secret
type: Generic
-
+ kind: ImageStream
apiVersion: v1
- kind: Route
metadata:
- name: cern-sso-proxy
- spec:
- host: cara.web.cern.ch
- port:
- targetPort: 8081
- tls:
- insecureEdgeTerminationPolicy: Redirect
- termination: edge
- to:
- kind: Service
- name: cern-sso-proxy
+ name: cara-webservice
-
apiVersion: v1
kind: DeploymentConfig
@@ -130,6 +130,7 @@
spec:
containers:
- name: cara-app
+ image: '${PROJECT_NAME}/cara-app'
ports:
- containerPort: 8080
protocol: TCP
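Review bot: `image: '${PROJECT_NAME}/cara-app'` has neither a registry host nor a tag, so it only points at the project's image stream once the ImageChange trigger rewrites it. The same holds for the `cara-router` and `cara-webservice` containers in the two later hunks. If the trigger has not fired or the image stream is missing, the node may try to resolve that unqualified name through its default registry search path, which is presumably not the intended source. Add a comment on each line, e.g. `# placeholder; replaced by the ImageChange trigger below with the resolved image-stream image`, and confirm the cluster does not fall back to an external registry for unqualified names. The DeploymentConfig starts and ends outside this hunk.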
@@ -142,7 +143,7 @@
from:
kind: ImageStreamTag
name: 'cara-app:latest'
- namespace: cara
+ namespace: ${PROJECT_NAME}
-
apiVersion: v1
kind: DeploymentConfig
@@ -157,6 +158,7 @@
spec:
containers:
- name: cara-router
+ image: '${PROJECT_NAME}/cara-router'
ports:
- containerPort: 8080
protocol: TCP
@@ -171,7 +173,7 @@
from:
kind: ImageStreamTag
name: 'cara-router:latest'
- namespace: cara
+ namespace: ${PROJECT_NAME}
-
apiVersion: v1
kind: DeploymentConfig
@@ -186,6 +188,7 @@
spec:
containers:
- name: cara-webservice
+ image: '${PROJECT_NAME}/cara-webservice'
ports:
- containerPort: 8080
protocol: TCP
@@ -198,31 +201,9 @@
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
- namespace: cara
- -
- apiVersion: v1
- kind: DeploymentConfig
- metadata:
- name: cern-sso-proxy
- spec:
- replicas;: 1
- template:
- metadata:
- labels:
- app: cern-sso-proxy
- spec:
- containers:
- - name: cern-sso-proxy
- ports:
- - containerPort: 8080
- protocol: TCP
- triggers:
- - type: ImageChange
- imageChangeParams:
- automatic: true
- containerNames:
- - cern-sso-proxy
- from:
- kind: ImageStreamTag
- name: 'cern-sso-proxy:latest'
- namespace: cara
+ namespace: ${PROJECT_NAME}
+
+ parameters:
+ - name: PROJECT_NAME
+ description: The name of this project, e.g. test-cara
+ required: true
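Review bot: `PROJECT_NAME` feeds every `namespace:` and `image:` value, but nothing ties it to the project that `oc create` or `oc replace` actually targets. A mistyped or stale value would make the ImageChange triggers follow image streams in a different namespace from the one being deployed. The ImageStreams added in this commit carry no namespace and so land in the current project; since a blank `from.namespace` defaults to the DeploymentConfig's own namespace, the `namespace:` lines could be dropped and the parameter kept only for `image:`. If the parameter stays, say so in the description, e.g. `description: Must equal the project you are logged into (oc project -q), e.g. test-cara`, and quote the value as `namespace: '${PROJECT_NAME}'` to match the quoted `image:` lines.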
diff --git a/app-config/openshift/configmap.yaml b/app-config/openshift/configmap.yaml
deleted file mode 100644
index 52f0ef83..00000000
--- a/app-config/openshift/configmap.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
- kind: "Template"
- apiVersion: "v1"
- metadata:
- name: "cara-configuration"
- creationTimestamp: null
- annotations:
- description: "CARA Config Maps OpenShift template."
- tags: "cara-configuration"
- labels:
- template: "cara-application"
- objects:
- -
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: cern-sso-proxy
- data:
- authorize.conf: |-
- # Make sure clients cannot fake authentication by injecting headers
- RequestHeader unset X-ADFS-LOGIN
- RequestHeader unset X-ADFS-EMAIL
- RequestHeader unset X-ADFS-FIRSTNAME
- RequestHeader unset X-ADFS-LASTNAME
- RequestHeader unset X-ADFS-FULLNAME
-
- #Protected resources
-
- ShibRequestSetting requireSession 1
- AuthType shibboleth
-
- Require valid-user
- Require shib-attr ADFS_GROUP cern-personnel
-
- RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
- RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
- RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
- RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
- RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
-
- proxy.conf: |-
- # Enable reverse proxy for websockets
- # https://github.com/jupyterhub/jupyterhub/issues/367
- # https://github.com/websockets/ws/issues/893
-
- ProxyPreserveHost On
- ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
- ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
- ProxyRequests off
-
-
- RequestHeader set X-SCRIPT-NAME /voila-server/
- ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
- RewriteEngine on
- RewriteCond %{HTTP:UPGRADE} =websocket [NC]
- RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
- RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
- RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
-
- -
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: cern-sso-shib
- data:
- shibboleth2.xml: ''
diff --git a/app-config/openshift/route.yaml b/app-config/openshift/route.yaml
new file mode 100644
index 00000000..8f1f3bd7
--- /dev/null
+++ b/app-config/openshift/route.yaml
@@ -0,0 +1,33 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-route"
+ creationTimestamp: null
+ annotations:
+ description: "CARA route OpenShift template."
+ tags: "cara-route"
+ labels:
+ template: "cara-route"
+ objects:
+ -
+ apiVersion: v1
+ kind: Route
+ metadata:
+ name: cara-router
+ spec:
+ host: ${HOST}
+ port:
+ targetPort: 8081
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: cara-router
+
+ parameters:
+ - name: HOST
+ description: The hostname of the site, e.g. test-cara.web.cern.ch
+ required: true
+
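Review bot: Authentication is no longer visibly enforced in front of this Route. It targets the `cara-router` Service directly, while the Route removed from application.yaml targeted `cern-sso-proxy`, and this commit also deletes the proxy's DeploymentConfig and the ConfigMap holding `Require valid-user`, the `cern-personnel` group check and the `RequestHeader unset X-ADFS-*` lines. Nothing in this diff shows where login is now checked or where client-supplied `X-ADFS-*` headers are stripped, so if cara-router or the services behind it still read those headers, a client could set them itself. A comment above the Route such as `# authentication is enforced by <component>; X-ADFS-* request headers are not trusted behind this route` would record the decision. Separately, `targetPort: 8081` does not match the `containerPort: 8080` declared for cara-router in application.yaml; the cara-router Service is outside this diff, so confirm it exposes 8081.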
diff --git a/app-config/openshift/services.yaml b/app-config/openshift/services.yaml
index 081dd967..6e39cb6c 100644
--- a/app-config/openshift/services.yaml
+++ b/app-config/openshift/services.yaml
@@ -10,6 +10,21 @@
labels:
template: "cara-services"
objects:
+ -
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: cara-app
+ name: cara-app
+ spec:
+ ports:
+ - name: 8080-tcp
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: cara-app
-
apiVersion: v1
kind: Service
@@ -44,5 +59,3 @@
targetPort: 8080
selector:
app: cara-webservice
-
-