Merge branch 'move-prod-to-okd4' into 'master'

Changes to move PROD to OKD4

See merge request cara/cara!317

.gitignore

@@ -15,3 +15,4 @@ support
 
 # openshift config check folder
 app-config/openshift/test-cara
+app-config/openshift/cara-prod

.gitlab-ci.yml

@@ -72,16 +72,16 @@ check_openshift_config_test:
     CARA_INSTANCE: 'test-cara'
     BRANCH: 'live/test-cara'
     OC_SERVER: https://api.paas.okd.cern.ch
-    OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_TEST_CARA}"
+    OC_TOKEN: "${OPENSHIFT_TEST_CONFIG_CHECKER_TOKEN}"
 
 
 check_openshift_config_prod:
   extends: .test_openshift_config
   variables:
-    CARA_INSTANCE: 'cara'
+    CARA_INSTANCE: 'cara-prod'
     BRANCH: 'master'
-    OC_SERVER: https://openshift.cern.ch
-    OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_PROD}"
+    OC_SERVER: https://api.paas.okd.cern.ch
+    OC_TOKEN: "${OPENSHIFT_PROD_CONFIG_CHECKER_TOKEN}"
 
 
 # ###################################################################################################
@@ -93,23 +93,18 @@ check_openshift_config_prod:
   rules:
     - if: '$CI_COMMIT_BRANCH == "live/test-cara"'
       variables:
-        DOCKER_REGISTRY: $CI_REGISTRY_IMAGE
         IMAGE_TAG: test-cara-latest
-        KANIKO_AUTH: "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}"
     - if: '$CI_COMMIT_BRANCH == "master"'
       variables:
-        DOCKER_REGISTRY: "${OPENSHIFT_DOCKER_REGISTRY_PROD}"
-        # change to `cara-latest` after moving prod to OKD4
-        IMAGE_TAG: latest
-        KANIKO_AUTH: "{\"auths\":{\"$OPENSHIFT_DOCKER_REGISTRY_PROD\":{\"auth\":\"$OPENSHIFT_DOCKER_TOKEN_PROD\"}}}"
+        IMAGE_TAG: cara-prod-latest
   image:
     # Based on guidance at https://gitlab.cern.ch/gitlabci-examples/build_docker_image.
     name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
     entrypoint: [""]
   script:
-    - echo ${KANIKO_AUTH} > /kaniko/.docker/config.json
+    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
     - echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest Docker image..."
-    - /kaniko/executor --context ${CI_PROJECT_DIR}/${DOCKER_CONTEXT_DIRECTORY} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE_DIRECTORY}/Dockerfile --destination ${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}
+    - /kaniko/executor --context ${CI_PROJECT_DIR}/${DOCKER_CONTEXT_DIRECTORY} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE_DIRECTORY}/Dockerfile --destination ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
 
 
 auth-service-image_builder:
@@ -148,19 +143,16 @@ oci_calculator:
   rules:
     - if: '$CI_COMMIT_BRANCH == "live/test-cara"'
       variables:
-        OC_SERVER: "https://api.paas.okd.cern.ch"
         OC_PROJECT: "test-cara"
-        OC_TOKEN: ${OPENSHIFT_CARA_TEST_DEPLOY_TOKEN}
+        OC_TOKEN: ${OPENSHIFT_TEST_DEPLOY_TOKEN}
         IMAGE_TAG: test-cara-latest
-    # UNCOMMENT when prod migrated to OKD4
-    # - if: '$CI_COMMIT_BRANCH == "master"'
-    #   variables:
-    #     OC_SERVER: "https://openshift.cern.ch"
-    #     OC_PROJECT: "cara"
-    #     OC_TOKEN: ${OPENSHIFT_CARA_DEPLOY_TOKEN}
-    #     IMAGE_TAG: cara-latest
+    - if: '$CI_COMMIT_BRANCH == "master"'
+      variables:
+        OC_PROJECT: "cara-prod"
+        OC_TOKEN: ${OPENSHIFT_PROD_DEPLOY_TOKEN}
+        IMAGE_TAG: cara-prod-latest
   script:
-     - oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=${OC_SERVER} -n ${OC_PROJECT}
+     - oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=https://api.paas.okd.cern.ch -n ${OC_PROJECT}
 
 link_auth-service_with_gitlab_registry:
   extends:
@@ -189,13 +181,11 @@ trigger_cara-router_build_on_openshift:
   rules:
     - if: '$CI_COMMIT_BRANCH == "live/test-cara"'
       variables:
-        OC_SERVER: "https://api.paas.okd.cern.ch"
         OC_PROJECT: "test-cara"
         BUILD_WEBHOOK_SECRET: ${OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET}
     - if: '$CI_COMMIT_BRANCH == "master"'
       variables:
-        OC_SERVER: "https://openshift.cern.ch"
-        OC_PROJECT: "cara"
-        BUILD_WEBHOOK_SECRET: ${OPENSHIFT_BUILD_WEBHOOK_SECRET}
+        OC_PROJECT: "cara-prod"
+        BUILD_WEBHOOK_SECRET: ${OPENSHIFT_PROD_BUILD_WEBHOOK_SECRET}
   script:
-     - curl -X POST -k ${OC_SERVER}/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic
+     - curl -X POST -k https://api.paas.okd.cern.ch/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic

README.md

@@ -181,27 +181,12 @@ $ oc login https://api.paas.okd.cern.ch
 Then, switch to the project that you want to update:
 
 ```console
-$ oc project test-cara
-```
-
-If you need to create the application in a new project, run:
-
-```console
-$ cd app-config/openshift
-
-$ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
-$ oc process -f configmap.yaml | oc create -f -
-$ oc process -f services.yaml | oc create -f -
-$ oc process -f imagestreams.yaml | oc create -f -
-$ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc create -f -
-$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='test-cara'  | oc create -f -
+$ oc project cara-test
 ```
 
 Create a new service account in OpenShift to use GitLab container registry:
 
 ```console
-$ oc project test-cara
-
 $ oc create serviceaccount gitlabci-deployer
 serviceaccount "gitlabci-deployer" created
 
@@ -212,11 +197,11 @@ $ oc serviceaccounts get-token gitlabci-deployer
 <...test-token...>
 ```
 
-Add the token to GitLab to allow GitLab to access OpenShift and define/change image stream tags. Go to `Settings` -> `CI / CD` -> `Variables` -> click on `Expand` button and create the variable `OPENSHIFT_CARA_TEST_DEPLOY_TOKEN`: insert the token `<...test-token...>`.
+Add the token to GitLab to allow GitLab to access OpenShift and define/change image stream tags. Go to `Settings` -> `CI / CD` -> `Variables` -> click on `Expand` button and create the variable `OPENSHIFT_TEST_DEPLOY_TOKEN`: insert the token `<...test-token...>`.
 
 Then, create the webhook secret to be able to trigger automatic builds from GitLab.
 
-Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`.
+Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_TEST_WEBHOOK_SECRET`.
 
 ```console
 $ WEBHOOKSECRET=$(openssl rand -hex 50)
@@ -231,10 +216,26 @@ For CI usage, we also suggest creating a service account:
 oc create sa gitlab-config-checker
 ```
 
-Under ``Resources`` -> ``Membership`` enable the ``View`` role for this new service account.
+Under ``User Management`` -> ``RoleBindings`` create a new `RoleBinding` to grant `View` access to the `gitlab-config-checker` service account:
 
-To get this new user's authentication token go to ``Resources`` -> ``Secrets`` and locate the token in the newly
-created secret associated with the user (in this case ``gitlab-config-checker-token-XXXX``).
+* name: `gitlab-config-checker-view-role`
+* role name: `view`
+* service account: `gitlab-config-checker`
+
+To get this new user's authentication token go to ``User Management`` -> ``Service Accounts`` -> `gitlab-config-checker` and locate the token in the newly created secret associated with the user (in this case ``gitlab-config-checker-token-XXXX``). Copy the `token` value from `Data`.
+
+Create the various configurations:
+
+```console
+$ cd app-config/openshift
+
+$ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
+$ oc process -f configmap.yaml | oc create -f -
+$ oc process -f services.yaml | oc create -f -
+$ oc process -f imagestreams.yaml | oc create -f -
+$ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc create -f -
+$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='cara-test'  | oc create -f -
+```
 
 ### CERN SSO integration
 
@@ -289,7 +290,7 @@ $ oc process -f services.yaml | oc replace -f -
 $ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
 $ oc process -f imagestreams.yaml | oc replace -f -
 $ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc replace -f -
-$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
+$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='cara-test' | oc replace -f -
 ```
 
 Be aware that if you change/replace the **route** of the PROD instance,

app-config/openshift/config-fetch.py

@@ -9,7 +9,7 @@ def configure_parser(parser: argparse.ArgumentParser) -> None:
     parser.description = "Fetch the openshift config for CARA"
     parser.set_defaults(handler=handler)
     parser.add_argument(
-        "instance", choices=['cara', 'test-cara'],
+        "instance", choices=['cara-prod', 'test-cara'],
         help="Pick the instance for which you want to fetch the config",
     )
     parser.add_argument(
@@ -32,7 +32,7 @@ def get_oc_server() -> typing.Optional[str]:
     ], check=True, stdout=subprocess.PIPE).stdout.decode().strip()
 
 
-def fetch_config(output_directory: pathlib.Path, okd_version: int):
+def fetch_config(output_directory: pathlib.Path):
     output_directory.mkdir(exist_ok=True, parents=True)
 
     for component, name in [
@@ -44,9 +44,7 @@ def fetch_config(output_directory: pathlib.Path, okd_version: int):
             ('deploymentconfig', None)]:
 
         with (output_directory / f'{component}.yaml').open('wt') as fh:
-            cmdOKD4 = ['oc', 'get', '-o', 'yaml', component]
-            cmdOKD3 = ['oc', 'get', '--export', '-o', 'yaml', component]
-            cmd = cmdOKD4 if okd_version == 4 else cmdOKD3
+            cmd = ['oc', 'get', '-o', 'yaml', component]
             if name:
                 cmd += [name]
             print(f'Running: {" ".join(cmd)}')
@@ -55,14 +53,11 @@ def fetch_config(output_directory: pathlib.Path, okd_version: int):
 
 
 def handler(args: argparse.ArgumentParser) -> None:
-    if args.instance == 'cara':
-        login_server = 'https://openshift.cern.ch:443'
-        project_name = 'cara'
-        okd_version = 3
+    login_server = 'https://api.paas.okd.cern.ch:443'
+    if args.instance == 'cara-prod':
+        project_name = 'cara-prod'
     elif args.instance == 'test-cara':
-        login_server = 'https://api.paas.okd.cern.ch:443'
         project_name = 'test-cara'
-        okd_version = 4
 
     actual_login_server = get_oc_server()
     if actual_login_server != login_server:
@@ -71,7 +66,7 @@ def handler(args: argparse.ArgumentParser) -> None:
 
     subprocess.run(['oc', 'project', project_name], stdout=subprocess.DEVNULL, check=True)
 
-    fetch_config(pathlib.Path(args.output_directory), okd_version)
+    fetch_config(pathlib.Path(args.output_directory))
 
 
 def main():

app-config/openshift/config-generate.py

@@ -8,7 +8,7 @@ def configure_parser(parser: argparse.ArgumentParser) -> None:
     parser.description = "Generate the config files which can be later submitted to openshift"
     parser.set_defaults(handler=handler)
     parser.add_argument(
-        "instance", choices=['cara', 'test-cara'],
+        "instance", choices=['cara-prod', 'test-cara'],
         help="Pick the instance for which you want to generate the config",
     )
     parser.add_argument(
@@ -39,8 +39,8 @@ def generate_config(output_directory: pathlib.Path, project_name: str, hostname:
 
 
 def handler(args: argparse.ArgumentParser) -> None:
-    if args.instance == 'cara':
-        project_name = 'cara'
+    if args.instance == 'cara-prod':
+        project_name = 'cara-prod'
         branch = 'master'
         hostname = 'cara.web.cern.ch'
     elif args.instance == 'test-cara':