pingu_98/cara
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed to OpenShift templates

Browse source
This commit is contained in:
Nicola Tarocco 2021-02-15 19:45:42 +01:00
parent 182294348f
commit 175fc49338
5 changed files with 103 additions and 128 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
README.md
View file

@ -78,6 +78,8 @@ but it may be origin if you haven't configured it differently):
## OpenShift templates ## OpenShift templates
### First setup
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login: First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console ```console
@ -95,22 +97,34 @@ If you need to create the application in a new project, run:
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml | oc create -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
$ oc process -f services.yaml | oc create -f - $ oc process -f services.yaml | oc create -f -
$ oc process -f configmap.yaml | oc create -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
``` ```
If you need to **replace** existing configuration, then run: Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret:
```console
$ WEBHOOKSECRET=$(openssl rand -hex 50)
$ oc create secret generic \
--from-literal="WebHookSecretKey=$WEBHOOKSECRET" \
gitlab-cara-webhook-secret
```
Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
## Update configuration
If you need to **update** existing configuration, then modify this repository and after having logged in, run:
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml | oc replace -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
$ oc process -f services.yaml | oc replace -f - $ oc process -f services.yaml | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
``` ```
### CERN SSO Proxy Be aware that if you change/replace the **route** of the PROD instance, it will loose the annotation to be exposed outside CERN (not committed in this repo).
You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)

83
app-config/openshift/application.yaml
View file

@ -23,9 +23,9 @@
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
output: output:
to: to:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-app:latest' name: 'cara-app:latest'
strategy: strategy:
sourceStrategy: sourceStrategy:
env: env:
@ -41,6 +41,11 @@
secretReference: secretReference:
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-app
- -
kind: BuildConfig kind: BuildConfig
apiVersion: v1 apiVersion: v1
@ -55,9 +60,9 @@
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
output: output:
to: to:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-router:latest' name: 'cara-router:latest'
strategy: strategy:
sourceStrategy: sourceStrategy:
from: from:
@ -70,6 +75,11 @@
secretReference: secretReference:
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: cara-router
- -
kind: BuildConfig kind: BuildConfig
apiVersion: v1 apiVersion: v1
@ -83,9 +93,9 @@
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
output: output:
to: to:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-webservice:latest' name: 'cara-webservice:latest'
strategy: strategy:
sourceStrategy: sourceStrategy:
env: env:
@ -102,20 +112,10 @@
name: gitlab-cara-webhook-secret name: gitlab-cara-webhook-secret
type: Generic type: Generic
- -
kind: ImageStream
apiVersion: v1 apiVersion: v1
kind: Route
metadata: metadata:
name: cern-sso-proxy name: cara-webservice
spec:
host: cara.web.cern.ch
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cern-sso-proxy
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -130,6 +130,7 @@
spec: spec:
containers: containers:
- name: cara-app - name: cara-app
image: '${PROJECT_NAME}/cara-app'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -142,7 +143,7 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-app:latest' name: 'cara-app:latest'
namespace: cara namespace: ${PROJECT_NAME}
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -157,6 +158,7 @@
spec: spec:
containers: containers:
- name: cara-router - name: cara-router
image: '${PROJECT_NAME}/cara-router'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -171,7 +173,7 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-router:latest' name: 'cara-router:latest'
namespace: cara namespace: ${PROJECT_NAME}
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -186,6 +188,7 @@
spec: spec:
containers: containers:
- name: cara-webservice - name: cara-webservice
image: '${PROJECT_NAME}/cara-webservice'
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -198,31 +201,9 @@
from: from:
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-webservice:latest' name: 'cara-webservice:latest'
namespace: cara namespace: ${PROJECT_NAME}
-
apiVersion: v1 parameters:
kind: DeploymentConfig - name: PROJECT_NAME
metadata: description: The name of this project, e.g. test-cara
name: cern-sso-proxy required: true
spec:
replicas;: 1
template:
metadata:
labels:
app: cern-sso-proxy
spec:
containers:
- name: cern-sso-proxy
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cern-sso-proxy
from:
kind: ImageStreamTag
name: 'cern-sso-proxy:latest'
namespace: cara

66
app-config/openshift/configmap.yaml
View file

@ -1,66 +0,0 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-configuration"
creationTimestamp: null
annotations:
description: "CARA Config Maps OpenShift template."
tags: "cara-configuration"
labels:
template: "cara-application"
objects:
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-proxy
data:
authorize.conf: |-
# Make sure clients cannot fake authentication by injecting headers
RequestHeader unset X-ADFS-LOGIN
RequestHeader unset X-ADFS-EMAIL
RequestHeader unset X-ADFS-FIRSTNAME
RequestHeader unset X-ADFS-LASTNAME
RequestHeader unset X-ADFS-FULLNAME
#Protected resources
<Location "/">
ShibRequestSetting requireSession 1
AuthType shibboleth
<RequireALL>
Require valid-user
Require shib-attr ADFS_GROUP cern-personnel
</RequireALL>
RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
</Location>
proxy.conf: |-
# Enable reverse proxy for websockets
# https://github.com/jupyterhub/jupyterhub/issues/367
# https://github.com/websockets/ws/issues/893
ProxyPreserveHost On
ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyRequests off
<Location "/voila-server/api/kernels">
RequestHeader set X-SCRIPT-NAME /voila-server/
ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} =websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
</Location>
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-shib
data:
shibboleth2.xml: ''

33
app-config/openshift/route.yaml Normal file
View file

@ -0,0 +1,33 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-route"
creationTimestamp: null
annotations:
description: "CARA route OpenShift template."
tags: "cara-route"
labels:
template: "cara-route"
objects:
-
apiVersion: v1
kind: Route
metadata:
name: cara-router
spec:
host: ${HOST}
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cara-router
parameters:
- name: HOST
description: The hostname of the site, e.g. test-cara.web.cern.ch
required: true

17
app-config/openshift/services.yaml
View file

@ -10,6 +10,21 @@
labels: labels:
template: "cara-services" template: "cara-services"
objects: objects:
-
apiVersion: v1
kind: Service
metadata:
labels:
app: cara-app
name: cara-app
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: cara-app
- -
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -44,5 +59,3 @@
targetPort: 8080 targetPort: 8080
selector: selector:
app: cara-webservice app: cara-webservice