diff --git a/README.md b/README.md
index 1d98b0bb..efb61d31 100644
--- a/README.md
+++ b/README.md
@@ -111,14 +111,15 @@ If you need to create the application in a new project, run:
 ```console
 $ cd app-config/openshift
-$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
+$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc create -f -
+$ oc process -f configmap.yaml | oc create -f -
 $ oc process -f services.yaml | oc create -f -
 $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
 ```
 Then, create the webhook secret to be able to trigger automatic builds from GitLab.
-Create and store the secret:
+Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`.
 ```console
 $ WEBHOOKSECRET=$(openssl rand -hex 50)
@@ -127,7 +128,45 @@ $ oc create secret generic \
 gitlab-cara-webhook-secret
 ```
-Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
+### CERN SSO integration
+
+The SSO integration uses OpenID credentials configured in [CERN Applications portal](https://application-portal.web.cern.ch/).
+How to configure the application:
+
+* Application Identifier: `cara-test`
+* Homepage: `https://test-cara.web.cern.ch`
+* Administrators: `cara-dev`
+* SSO Registration:
+ * Protocol: `OpenID (OIDC)`
+ * Redirect URI: `https://test-cara.web.cern.ch/auth/authorize`
+ * Leave unchecked all the other checkboxes
+* Define new roles:
+ * Name: `CERN Users`
+ * Role Identifier: `external-users`
+ * Leave unchecked checkboxes
+ * Minimum Level Of Assurance: `CERN (highest)`
+ * Assign role to groups: `cern-accounts-primary` e-group
+ * Name: `External accounts`
+ * Role Identifier: `admin`
+ * Leave unchecked checkboxes
+ * Minimum Level Of Assurance: `Any (no restrictions)`
+ * Assign role to groups: `cara-app-external-access` e-group
+ * Name: `Allowed users`
+ * Role Identifier: `allowed-users`
+ * Check `This role is required to access my application`
+ * Minimum Level Of Assurance:`Any (no restrictions)`
+ * Assign role to groups: `cern-accounts-primary` and `cara-app-external-access` e-groups
+
+Copy the client id and client secret and use it below.
+
+```console
+$ COOKIE_SECRET=$(openssl rand -hex 50)
+$ oc create secret generic \
+ --from-literal="CLIENT_ID=$CLIENT_ID" \
+ --from-literal="CLIENT_SECRET=$CLIENT_SECRET" \
+ --from-literal="COOKIE_SECRET=$COOKIE_SECRET" \
+ auth-service-secrets
+```
 ## Update configuration
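Review bot: The role list looks internally crossed: the display name `CERN Users` is paired with the identifier `external-users`, while `External accounts` is paired with the identifier `admin`, `Any (no restrictions)` assurance and the `cara-app-external-access` e-group; if the auth service keys on identifiers rather than display names, an `admin` role is being handed to external accounts at the lowest assurance level. Please confirm the intended name/identifier pairs and fix whichever side is wrong before this is followed in a real project. In the secret-creation block, `$CLIENT_ID` and `$CLIENT_SECRET` are expanded but never assigned in the shown steps; prefixing the block with `$ read -rs CLIENT_ID` and `$ read -rs CLIENT_SECRET` closes that gap and keeps the pasted values out of shell history.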
@@ -136,7 +175,8 @@ If you need to **update** existing configuration, then modify this repository an
 ```console
 $ cd app-config/openshift
-$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
+$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc replace -f -
+$ oc process -f configmap.yaml | oc replace -f -
 $ oc process -f services.yaml | oc replace -f -
 $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
 ```
diff --git a/app-config/openshift/application.yaml b/app-config/openshift/application.yaml
index dafb6dfa..307a1c56 100644
--- a/app-config/openshift/application.yaml
+++ b/app-config/openshift/application.yaml
@@ -10,6 +10,71 @@
 labels:
 template: "cara-application"
 objects:
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: auth-service
+ spec:
+ source:
+ git:
+ ref: ${GIT_BRANCH}
+ uri: ${GIT_REPO}
+ contextDir: app-config/auth-service
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'auth-service:latest'
+ strategy:
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: 'python:3.6'
+ namespace: openshift
+ type: Source
+ triggers:
+ - imageChange:
+ type: ImageChange
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ kind: ImageStream
+ apiVersion: v1
+ metadata:
+ name: auth-service
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-router
+ spec:
+ source:
+ git:
+ ref: ${GIT_BRANCH}
+ uri: ${GIT_REPO}
+ contextDir: app-config/nginx
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
+ strategy:
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: 'nginx:1.12'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
 -
 kind: BuildConfig
 apiVersion: v1
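Review bot: The new `cara-router` BuildConfig in hunk `@@ -10,6 +10,71 @@` builds `contextDir: app-config/nginx` into `cara-router:latest`, which is exactly what the pre-existing nginx BuildConfig touched by `@@ -54,8 +119,8 @@` builds; if that existing object is also named `cara-router` (its `metadata.name` is outside the visible hunks), the template now contains two objects with the same name and `oc create` will fail on the second one with AlreadyExists. Please confirm the existing name and drop one of the two definitions. Separately, the `auth-service` BuildConfig carries an `imageChange` trigger while `cara-router` only has the `generic` webhook trigger, so a rebuilt `nginx:1.12` base image would not trigger a new router build; if that is unintended, add `- imageChange:` / `type: ImageChange` to the second `triggers:` list as well.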
@@ -18,8 +83,8 @@
 spec:
 source:
 git:
- ref: master
- uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ ref: ${GIT_BRANCH}
+ uri: ${GIT_REPO}
 sourceSecret:
 name: sshdeploykey
 output:
@@ -54,8 +119,8 @@
 spec:
 source:
 git:
- ref: master
- uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ ref: ${GIT_BRANCH}
+ uri: ${GIT_REPO}
 contextDir: app-config/nginx
 sourceSecret:
 name: sshdeploykey
@@ -88,8 +153,8 @@
 spec:
 source:
 git:
- ref: master
- uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ ref: ${GIT_BRANCH}
+ uri: ${GIT_REPO}
 sourceSecret:
 name: sshdeploykey
 output:
@@ -116,6 +181,40 @@
 apiVersion: v1
 metadata:
 name: cara-webservice
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: auth-service
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: auth-service
+ spec:
+ containers:
+ - name: auth-service
+ image: '${PROJECT_NAME}/auth-service'
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - envFrom:
+ - configMapRef:
+ name: auth-service
+ - secretRef:
+ name: auth-service-secrets
+ triggers:
+ - type: ConfigChange
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - auth-service
+ from:
+ kind: ImageStreamTag
+ name: 'auth-service:latest'
+ namespace: ${PROJECT_NAME}
 -
 apiVersion: v1
 kind: DeploymentConfig
@@ -135,6 +234,7 @@
 - containerPort: 8080
 protocol: TCP
 triggers:
+ - type: ConfigChange
 - type: ImageChange
 imageChangeParams:
 automatic: true
@@ -165,6 +265,7 @@
 - containerPort: 8443
 protocol: TCP
 triggers:
+ - type: ConfigChange
 - type: ImageChange
 imageChangeParams:
 automatic: true
@@ -174,6 +275,7 @@
 kind: ImageStreamTag
 name: 'cara-router:latest'
 namespace: ${PROJECT_NAME}
+ - type: ConfigChange
 -
 apiVersion: v1
 kind: DeploymentConfig
@@ -193,6 +295,7 @@
 - containerPort: 8080
 protocol: TCP
 triggers:
+ - type: ConfigChange
 - type: ImageChange
 imageChangeParams:
 automatic: true
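Review bot: `replicas;: 1` in the new `auth-service` DeploymentConfig (hunk `@@ -116,6 +181,40 @@`) has a stray semicolon, so the key sent to the API is `replicas;`, not `replicas`, and the intended replica count is at best dropped as an unknown field. Two lines further down, `- envFrom:` opens a new item in `containers:`, which turns the ConfigMap and Secret references into a second container with no `name` or `image` (which fails validation) instead of attaching them to `auth-service`; `envFrom:` must sit at the same level as `image:` and `ports:` inside the `- name: auth-service` item. The change is `replicas: 1` plus removing the leading `- ` from `envFrom:` and re-indenting its children accordingly. Until that is fixed the pod would never receive `OIDC_REALM`, `OIDC_SERVER`, `CLIENT_ID`, `CLIENT_SECRET` or `COOKIE_SECRET`.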
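Review bot: The DeploymentConfig that pulls `cara-router:latest` appears to end up with two `- type: ConfigChange` triggers: one inserted before `- type: ImageChange` in hunk `@@ -165,6 +265,7 @@` and another after `namespace: ${PROJECT_NAME}` in hunk `@@ -174,6 +275,7 @@`, which by the old line numbers lands in the same `triggers:` list (only the `containerNames`/`from` lines between them are outside the visible hunks). The same double insertion recurs for the `cara-webservice:latest` DeploymentConfig across `@@ -193,6 +295,7 @@` and `@@ -202,8 +305,15 @@`. One `- type: ConfigChange` per list is sufficient; dropping the trailing one in `@@ -174` and `@@ -202` keeps every DeploymentConfig consistent with the single trigger added in `@@ -135,6 +234,7 @@`.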
@@ -202,8 +305,15 @@
 kind: ImageStreamTag
 name: 'cara-webservice:latest'
 namespace: ${PROJECT_NAME}
+ - type: ConfigChange
 parameters:
 - name: PROJECT_NAME
 description: The name of this project, e.g. test-cara
 required: true
+ - name: GIT_REPO
+ description: The GIT repo URL
+ value: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ - name: GIT_BRANCH
+ description: The name of the GIT branch to use when building the app, e.g. `live/test-cara` in TEST, `master` in prod
+ required: true
diff --git a/app-config/openshift/configmap.yaml b/app-config/openshift/configmap.yaml
new file mode 100644
index 00000000..be119b92
--- /dev/null
+++ b/app-config/openshift/configmap.yaml
@@ -0,0 +1,19 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-configuration"
+ annotations:
+ description: "CARA configuration OpenShift template."
+ tags: "cara-configuration"
+ labels:
+ template: "cara-configuration"
+ objects:
+ -
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: auth-service
+ data:
+ OIDC_REALM: CERN
+ OIDC_SERVER: 'https://auth.cern.ch/auth'
diff --git a/app-config/openshift/route.yaml b/app-config/openshift/route.yaml
index 8f1f3bd7..076ac656 100644
--- a/app-config/openshift/route.yaml
+++ b/app-config/openshift/route.yaml
@@ -14,11 +14,11 @@
 apiVersion: v1
 kind: Route
 metadata:
- name: cara-router
+ name: cara-route
 spec:
 host: ${HOST}
 port:
- targetPort: 8081
+ targetPort: 8080-tcp
 tls:
 insecureEdgeTerminationPolicy: Redirect
 termination: edge
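Review bot: Renaming the Route from `cara-router` to `cara-route` in the last hunk means the README's update path (`oc process -f route.yaml ... | oc replace -f -`) fails with NotFound on any existing project, and the old `cara-router` Route keeps answering for `${HOST}` on `targetPort: 8081` until someone deletes it by hand. Either keep the name, or document `oc delete route cara-router` as a migration step alongside the new `oc create`. `targetPort: 8080-tcp` is a named port, so the Service this Route selects must declare a port with exactly that name; services.yaml is not part of this diff, so please confirm it does before the route is switched over.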