Fixed to OpenShift templates

Nicola Tarocco 2021-02-15 19:45:42 +01:00
parent 182294348f
commit 175fc49338
5 changed files with 103 additions and 128 deletions


@ -78,6 +78,8 @@ but it may be origin if you haven't configured it differently):
## OpenShift templates ## OpenShift templates
### First setup
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login: First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console ```console
@ -95,22 +97,34 @@ If you need to create the application in a new project, run:
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml | oc create -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
$ oc process -f services.yaml | oc create -f - $ oc process -f services.yaml | oc create -f -
$ oc process -f configmap.yaml | oc create -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
``` ```
If you need to **replace** existing configuration, then run: Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret:
```console
$ WEBHOOKSECRET=$(openssl rand -hex 50)
$ oc create secret generic \
--from-literal="WebHookSecretKey=$WEBHOOKSECRET" \
gitlab-cara-webhook-secret
```
Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
## Update configuration
If you need to **update** existing configuration, then modify this repository and after having logged in, run:
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml | oc replace -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
$ oc process -f services.yaml | oc replace -f - $ oc process -f services.yaml | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
``` ```
### CERN SSO Proxy Be aware that if you change/replace the **route** of the PROD instance, it will loose the annotation to be exposed outside CERN (not committed in this repo).
You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)


@ -41,6 +41,11 @@
secretReference: secretReference:
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-app
- -
kind: BuildConfig kind: BuildConfig
apiVersion: v1 apiVersion: v1
@ -70,6 +75,11 @@
secretReference: secretReference:
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-router
- -
kind: BuildConfig kind: BuildConfig
apiVersion: v1 apiVersion: v1
@ -102,20 +112,10 @@
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
- -
kind: ImageStream
apiVersion: v1 apiVersion: v1
kind: Route
metadata: metadata:
name: cern-sso-proxy name: cara-webservice
spec:
host: cara.web.cern.ch
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cern-sso-proxy
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -130,6 +130,7 @@
spec: spec:
containers: containers:
- name: cara-app - name: cara-app
image: '${PROJECT_NAME}/cara-app'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -142,7 +143,7 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-app:latest' name: 'cara-app:latest'
namespace: cara namespace: ${PROJECT_NAME}
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -157,6 +158,7 @@
spec: spec:
containers: containers:
- name: cara-router - name: cara-router
image: '${PROJECT_NAME}/cara-router'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -171,7 +173,7 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-router:latest' name: 'cara-router:latest'
namespace: cara namespace: ${PROJECT_NAME}
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -186,6 +188,7 @@
spec: spec:
containers: containers:
- name: cara-webservice - name: cara-webservice
image: '${PROJECT_NAME}/cara-webservice'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -198,31 +201,9 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-webservice:latest' name: 'cara-webservice:latest'
namespace: cara namespace: ${PROJECT_NAME}
-
apiVersion: v1 parameters:
kind: DeploymentConfig - name: PROJECT_NAME
metadata: description: The name of this project, e.g. test-cara
name: cern-sso-proxy required: true
spec:
replicas;: 1
template:
metadata:
labels:
app: cern-sso-proxy
spec:
containers:
- name: cern-sso-proxy
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cern-sso-proxy
from:
kind: ImageStreamTag
name: 'cern-sso-proxy:latest'
namespace: cara
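Review bot: `PROJECT_NAME` is a free-form parameter, yet the three ImageChange triggers now use it as `namespace: ${PROJECT_NAME}`, while the ImageStreams added in this file carry no namespace and so land in whatever project `oc` is currently logged into. A value that differs from the current project would make the DeploymentConfigs follow `:latest` tags from another project's image streams, or from none at all. Dropping the `namespace:` key from the `cara-app`, `cara-router` and `cara-webservice` triggers lets it default to the DeploymentConfig's own project. Otherwise state the constraint in the parameter, e.g. `description: Name of the project these objects are created in (must match the current oc project), e.g. test-cara`.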


@ -1,66 +0,0 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-configuration"
creationTimestamp: null
annotations:
description: "CARA Config Maps OpenShift template."
tags: "cara-configuration"
labels:
template: "cara-application"
objects:
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-proxy
data:
authorize.conf: |-
# Make sure clients cannot fake authentication by injecting headers
RequestHeader unset X-ADFS-LOGIN
RequestHeader unset X-ADFS-EMAIL
RequestHeader unset X-ADFS-FIRSTNAME
RequestHeader unset X-ADFS-LASTNAME
RequestHeader unset X-ADFS-FULLNAME
#Protected resources
<Location "/">
ShibRequestSetting requireSession 1
AuthType shibboleth
<RequireALL>
Require valid-user
Require shib-attr ADFS_GROUP cern-personnel
</RequireALL>
RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
</Location>
proxy.conf: |-
# Enable reverse proxy for websockets
# https://github.com/jupyterhub/jupyterhub/issues/367
# https://github.com/websockets/ws/issues/893
ProxyPreserveHost On
ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyRequests off
<Location "/voila-server/api/kernels">
RequestHeader set X-SCRIPT-NAME /voila-server/
ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} =websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
</Location>
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-shib
data:
shibboleth2.xml: ''


@ -0,0 +1,33 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-route"
creationTimestamp: null
annotations:
description: "CARA route OpenShift template."
tags: "cara-route"
labels:
template: "cara-route"
objects:
-
apiVersion: v1
kind: Route
metadata:
name: cara-router
spec:
host: ${HOST}
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cara-router
parameters:
- name: HOST
description: The hostname of the site, e.g. test-cara.web.cern.ch
required: true
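Review bot: Nothing visible in this commit enforces login in front of `cara-router` now that this Route targets it directly. The Route removed from the application template sent traffic to `cern-sso-proxy`, whose deleted `authorize.conf` required a Shibboleth session and unset client-supplied `X-ADFS-*` headers before setting them itself. If the backends still read those headers, they need to be stripped or ignored at the new entry point, and the template should say where authentication now happens, e.g. `# authentication is provided by <component>; do not expose this route without it`. Separately, `targetPort: 8081` looks carried over from the proxy Route, while the `cara-router` container declares `containerPort: 8080`, so confirm the `cara-router` Service really exposes 8081.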


@ -10,6 +10,21 @@
labels: labels:
template: "cara-services" template: "cara-services"
objects: objects:
-
apiVersion: v1
kind: Service
metadata:
labels:
app: cara-app
name: cara-app
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: cara-app
- -
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -44,5 +59,3 @@
targetPort: 8080 targetPort: 8080
selector: selector:
app: cara-webservice app: cara-webservice