From 80dedeeebb6f9b52c14c5de18fb37875ff63332d Mon Sep 17 00:00:00 2001 From: Nicola Tarocco Date: Mon, 1 Feb 2021 18:53:43 +0100 Subject: [PATCH] Add OpenShift templates --- README.md | 37 +++++ app-config/openshift/application.yaml | 228 ++++++++++++++++++++++++++ app-config/openshift/configmap.yaml | 66 ++++++++ app-config/openshift/services.yaml | 48 ++++++ 4 files changed, 379 insertions(+) create mode 100644 app-config/openshift/application.yaml create mode 100644 app-config/openshift/configmap.yaml create mode 100644 app-config/openshift/services.yaml diff --git a/README.md b/README.md index cbf9956d..7bee47fe 100644 --- a/README.md +++ b/README.md @@ -69,4 +69,41 @@ but it may be origin if you haven't configured it differently): git push --force upstream name-of-local-branch:live/test-cara +## OpenShift templates +First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login: + +```console +$ oc login https://openshift-dev.cern.ch +``` + +Then, switch to the project that you want to update: + +```console +$ oc project test-cara +``` + +If you need to create the application in a new project, run: + +```console +$ cd app-config/openshift + +$ oc process -f application.yaml | oc create -f - +$ oc process -f services.yaml | oc create -f - +$ oc process -f configmap.yaml | oc create -f - +``` + +If you need to **replace** existing configuration, then run: + +```console +$ cd app-config/openshift + +$ oc process -f application.yaml | oc replace -f - +$ oc process -f services.yaml | oc replace -f - +$ oc process -f configmap.yaml | oc replace -f - +``` + +### CERN SSO Proxy + +You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5). +The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/) 
diff --git a/app-config/openshift/application.yaml b/app-config/openshift/application.yaml
new file mode 100644
index 00000000..258501d1
--- /dev/null
+++ b/app-config/openshift/application.yaml
@@ -0,0 +1,228 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-application"
+ creationTimestamp: null
+ annotations:
+ description: "CARA application OpenShift template."
+ tags: "cara-application"
+ labels:
+ template: "cara-application"
+ objects:
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-app
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-app:latest'
+ strategy:
+ sourceStrategy:
+ env:
+ - name: APP_NAME
+ value: cara-voila
+ from:
+ kind: ImageStreamTag
+ name: 'python:3.6'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-router
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ contextDir: app-config/nginx
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
+ strategy:
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: 'nginx:1.12'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-webservice
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-webservice:latest'
+ strategy:
+ sourceStrategy:
+ env:
+ - name: APP_NAME
+ value: cara-webservice
+ from:
+ kind: ImageStreamTag
+ name: 'python:3.6'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ apiVersion: v1
+ kind: Route
+ metadata:
+ name: cern-sso-proxy
+ spec:
+ host: cara.web.cern.ch
+ port:
+ targetPort: 8081
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: cern-sso-proxy
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-app
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-app
+ spec:
+ containers:
+ - name: cara-app
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-app
+ from:
+ kind: ImageStreamTag
+ name: 'cara-app:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-router
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-router
+ spec:
+ containers:
+ - name: cara-router
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-router
+ from:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-webservice
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-webservice
+ spec:
+ containers:
+ - name: cara-webservice
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-webservice
+ from:
+ kind: ImageStreamTag
+ name: 'cara-webservice:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cern-sso-proxy
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cern-sso-proxy
+ spec:
+ containers:
+ - name: cern-sso-proxy
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cern-sso-proxy
+ from:
+ kind: ImageStreamTag
+ name: 'cern-sso-proxy:latest'
+ namespace: cara
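Review bot: All four DeploymentConfigs spell the replica key as `replicas;: 1`; with the stray semicolon the key is not `replicas`, so the intended count is either rejected or ignored depending on how strictly the object is validated, and each should read `replicas: 1`. The ImageChange triggers also hard-code `namespace: cara`, while the README section added in this commit switches to the `test-cara` project, so a test deployment would follow the image streams of the `cara` namespace rather than its own. Declaring a template parameter and writing `namespace: ${PROJECT_NAME}` (placeholder name) would keep test and production images separate. The `cern-sso-proxy` DeploymentConfig shown here mounts neither ConfigMap from configmap.yaml, so unless something outside this template adds the volumes, the `authorize.conf` rules are not what the proxy enforces.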
diff --git a/app-config/openshift/configmap.yaml b/app-config/openshift/configmap.yaml
new file mode 100644
index 00000000..52f0ef83
--- /dev/null
+++ b/app-config/openshift/configmap.yaml
@@ -0,0 +1,66 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-configuration"
+ creationTimestamp: null
+ annotations:
+ description: "CARA Config Maps OpenShift template."
+ tags: "cara-configuration"
+ labels:
+ template: "cara-application"
+ objects:
+ -
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: cern-sso-proxy
+ data:
+ authorize.conf: |-
+ # Make sure clients cannot fake authentication by injecting headers
+ RequestHeader unset X-ADFS-LOGIN
+ RequestHeader unset X-ADFS-EMAIL
+ RequestHeader unset X-ADFS-FIRSTNAME
+ RequestHeader unset X-ADFS-LASTNAME
+ RequestHeader unset X-ADFS-FULLNAME
+
+ #Protected resources
+
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+
+ Require valid-user
+ Require shib-attr ADFS_GROUP cern-personnel
+
+ RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
+ RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
+ RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
+ RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
+ RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
+
+ proxy.conf: |-
+ # Enable reverse proxy for websockets
+ # https://github.com/jupyterhub/jupyterhub/issues/367
+ # https://github.com/websockets/ws/issues/893
+
+ ProxyPreserveHost On
+ ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
+ ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
+ ProxyRequests off
+
+
+ RequestHeader set X-SCRIPT-NAME /voila-server/
+ ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
+ RewriteEngine on
+ RewriteCond %{HTTP:UPGRADE} =websocket [NC]
+ RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
+ RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
+ RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
+
+ -
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: cern-sso-shib
+ data:
+ shibboleth2.xml: ''
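Review bot: In `authorize.conf` the lines `Require valid-user` and `Require shib-attr ADFS_GROUP cern-personnel` are shown without an enclosing `<RequireAll>`; if the committed file reads that way, Apache 2.4 evaluates sibling `Require` directives as an implicit `<RequireAny>`, so `Require valid-user` alone admits every authenticated account and the `cern-personnel` test restricts nothing. The empty added lines around the pair, and the absence of any `<Location>` wrapper, suggest angle-bracket lines may have been dropped from this view, so this needs checking against the file itself. If the container is indeed missing, wrap the two directives in `<RequireAll>` … `</RequireAll>`. Separately, `shibboleth2.xml: ''` ships an empty Shibboleth configuration with no comment saying where the real content comes from; a line such as `# populated per project, see the CERN SSO Proxy documentation` above the key would make that explicit.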
diff --git a/app-config/openshift/services.yaml b/app-config/openshift/services.yaml
new file mode 100644
index 00000000..081dd967
--- /dev/null
+++ b/app-config/openshift/services.yaml
@@ -0,0 +1,48 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-services"
+ creationTimestamp: null
+ annotations:
+ description: "CARA services OpenShift template."
+ tags: "cara-services"
+ labels:
+ template: "cara-services"
+ objects:
+ -
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: cara-router
+ name: cara-router
+ spec:
+ ports:
+ - name: 8080-tcp
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ - name: 8443-tcp
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: cara-router
+ -
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: cara-webservice
+ name: cara-webservice
+ spec:
+ ports:
+ - name: 8080-tcp
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: cara-webservice
+
+
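Review bot: Nothing in this file records that `cara-router` and `cara-webservice` are meant to be reached only through the `cern-sso-proxy` Route defined in application.yaml. A Route added later straight to either Service would skip the Shibboleth check, and the `X-ADFS-*` headers the backends receive would then be whatever the client sent. A comment above each Service such as `# Internal only: expose through cern-sso-proxy, never through its own Route` would document that constraint. No Service is defined here for `cara-app` or `cern-sso-proxy`, although the Route targets a Service named `cern-sso-proxy`; presumably the proxy Service comes from the separate SSO proxy template the README mentions, which is worth stating in the template `description`.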