Merge branch 'feature/openshift-templates' into 'master'

Add OpenShift templates

See merge request cara/cara!135
Philip James Elson 2021-02-10 10:39:15 +00:00
commit 182294348f
4 changed files with 379 additions and 0 deletions


@ -76,4 +76,41 @@ but it may be origin if you haven't configured it differently):
git push --force upstream name-of-local-branch:live/test-cara
## OpenShift templates
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console
$ oc login https://openshift-dev.cern.ch
```
Then, switch to the project that you want to update:
```console
$ oc project test-cara
```
If you need to create the application in a new project, run:
```console
$ cd app-config/openshift
$ oc process -f application.yaml | oc create -f -
$ oc process -f services.yaml | oc create -f -
$ oc process -f configmap.yaml | oc create -f -
```
If you need to **replace** existing configuration, then run:
```console
$ cd app-config/openshift
$ oc process -f application.yaml | oc replace -f -
$ oc process -f services.yaml | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f -
```
### CERN SSO Proxy
You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)


@ -0,0 +1,228 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-application"
creationTimestamp: null
annotations:
description: "CARA application OpenShift template."
tags: "cara-application"
labels:
template: "cara-application"
objects:
-
kind: BuildConfig
apiVersion: v1
metadata:
name: cara-app
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-app:latest'
strategy:
sourceStrategy:
env:
- name: APP_NAME
value: cara-voila
from:
kind: ImageStreamTag
name: 'python:3.6'
namespace: openshift
type: Source
triggers:
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: BuildConfig
apiVersion: v1
metadata:
name: cara-router
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
contextDir: app-config/nginx
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-router:latest'
strategy:
sourceStrategy:
from:
kind: ImageStreamTag
name: 'nginx:1.12'
namespace: openshift
type: Source
triggers:
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: BuildConfig
apiVersion: v1
metadata:
name: cara-webservice
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-webservice:latest'
strategy:
sourceStrategy:
env:
- name: APP_NAME
value: cara-webservice
from:
kind: ImageStreamTag
name: 'python:3.6'
namespace: openshift
type: Source
triggers:
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
apiVersion: v1
kind: Route
metadata:
name: cern-sso-proxy
spec:
host: cara.web.cern.ch
port:
targetPort: 8081
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: cern-sso-proxy
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: cara-app
spec:
replicas;: 1
template:
metadata:
labels:
app: cara-app
spec:
containers:
- name: cara-app
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cara-app
from:
kind: ImageStreamTag
name: 'cara-app:latest'
namespace: cara
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: cara-router
spec:
replicas;: 1
template:
metadata:
labels:
app: cara-router
spec:
containers:
- name: cara-router
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 8443
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cara-router
from:
kind: ImageStreamTag
name: 'cara-router:latest'
namespace: cara
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: cara-webservice
spec:
replicas;: 1
template:
metadata:
labels:
app: cara-webservice
spec:
containers:
- name: cara-webservice
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cara-webservice
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
namespace: cara
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: cern-sso-proxy
spec:
replicas;: 1
template:
metadata:
labels:
app: cern-sso-proxy
spec:
containers:
- name: cern-sso-proxy
ports:
- containerPort: 8080
protocol: TCP
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- cern-sso-proxy
from:
kind: ImageStreamTag
name: 'cern-sso-proxy:latest'
namespace: cara
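Review bot: All four DeploymentConfig specs (cara-app, cara-router, cara-webservice, cern-sso-proxy) spell the replica count key as `replicas;: 1`, which is not the field the API knows, so depending on validation the objects are either rejected or created without the intended count. Each should read `replicas: 1`. Separately, every ImageChange trigger pins `namespace: cara`, while the BuildConfigs write `cara-app:latest` and the other tags into whichever project the template is processed in. A deployment into `test-cara`, the project used in the README steps, would therefore appear to roll out images built in `cara` rather than its own. A template parameter for the namespace, or leaving the field out so the current project is used, would keep test and production image streams separate.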


@ -0,0 +1,66 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-configuration"
creationTimestamp: null
annotations:
description: "CARA Config Maps OpenShift template."
tags: "cara-configuration"
labels:
template: "cara-application"
objects:
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-proxy
data:
authorize.conf: |-
# Make sure clients cannot fake authentication by injecting headers
RequestHeader unset X-ADFS-LOGIN
RequestHeader unset X-ADFS-EMAIL
RequestHeader unset X-ADFS-FIRSTNAME
RequestHeader unset X-ADFS-LASTNAME
RequestHeader unset X-ADFS-FULLNAME
#Protected resources
<Location "/">
ShibRequestSetting requireSession 1
AuthType shibboleth
<RequireALL>
Require valid-user
Require shib-attr ADFS_GROUP cern-personnel
</RequireALL>
RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
</Location>
proxy.conf: |-
# Enable reverse proxy for websockets
# https://github.com/jupyterhub/jupyterhub/issues/367
# https://github.com/websockets/ws/issues/893
ProxyPreserveHost On
ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
ProxyRequests off
<Location "/voila-server/api/kernels">
RequestHeader set X-SCRIPT-NAME /voila-server/
ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} =websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
</Location>
-
apiVersion: v1
kind: ConfigMap
metadata:
name: cern-sso-shib
data:
shibboleth2.xml: ''
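Review bot: The `cern-sso-shib` ConfigMap ships `shibboleth2.xml: ''`, and the README steps in this same commit run `oc process -f configmap.yaml | oc replace -f -`, which would overwrite a populated Shibboleth configuration with an empty one. If the real file is supplied out of band, I would drop this object from the template or mark it with a comment such as `# placeholder: shibboleth2.xml is managed outside this template; do not replace in a live project`. The template label is also `template: "cara-application"` although the template is named `cara-configuration`; the services template labels itself after its own name, so this looks like a copy-paste leftover.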


@ -0,0 +1,48 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-services"
creationTimestamp: null
annotations:
description: "CARA services OpenShift template."
tags: "cara-services"
labels:
template: "cara-services"
objects:
-
apiVersion: v1
kind: Service
metadata:
labels:
app: cara-router
name: cara-router
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
- name: 8443-tcp
port: 8443
protocol: TCP
targetPort: 8443
selector:
app: cara-router
-
apiVersion: v1
kind: Service
metadata:
labels:
app: cara-webservice
name: cara-webservice
spec:
ports:
- name: 8080-tcp
port: 8080
protocol: TCP
targetPort: 8080
selector:
app: cara-webservice
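Review bot: No Service is defined for `cara-app`, although application.yaml in this commit adds a DeploymentConfig of that name exposing port 8080; if the router is meant to reach it by service name, it needs an entry alongside `cara-router` and `cara-webservice`. These objects would also benefit from a comment stating that they are only meant to be reached through `cern-sso-proxy`. The `X-ADFS-*` headers are stripped and re-set in the proxy's `authorize.conf`, so any other path to these ports (another Route, or other pods that can reach the Service) would presumably not get that protection. Something like `# internal only: do not expose via a Route; identity headers are sanitised by cern-sso-proxy` would capture it.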