Add OpenShift templates for new auth service

This commit is contained in:
Nicola Tarocco 2021-03-03 19:37:18 +01:00
parent 18af16f749
commit babde8b0bc
4 changed files with 181 additions and 12 deletions


@ -98,14 +98,15 @@ If you need to create the application in a new project, run:
```console
$ cd app-config/openshift
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f -
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc create -f -
$ oc process -f configmap.yaml | oc create -f -
$ oc process -f services.yaml | oc create -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
```
Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret:
Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`.
```console
$ WEBHOOKSECRET=$(openssl rand -hex 50)
@ -114,7 +115,45 @@ $ oc create secret generic \
gitlab-cara-webhook-secret
```
Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`
### CERN SSO integration
The SSO integration uses OpenID credentials configured in [CERN Applications portal](https://application-portal.web.cern.ch/).
How to configure the application:
* Application Identifier: `cara-test`
* Homepage: `https://test-cara.web.cern.ch`
* Administrators: `cara-dev`
* SSO Registration:
* Protocol: `OpenID (OIDC)`
* Redirect URI: `https://test-cara.web.cern.ch/auth/authorize`
* Leave unchecked all the other checkboxes
* Define new roles:
* Name: `CERN Users`
* Role Identifier: `external-users`
* Leave unchecked checkboxes
* Minimum Level Of Assurance: `CERN (highest)`
* Assign role to groups: `cern-accounts-primary` e-group
* Name: `External accounts`
* Role Identifier: `admin`
* Leave unchecked checkboxes
* Minimum Level Of Assurance: `Any (no restrictions)`
* Assign role to groups: `cara-app-external-access` e-group
* Name: `Allowed users`
* Role Identifier: `allowed-users`
* Check `This role is required to access my application`
* Minimum Level Of Assurance:`Any (no restrictions)`
* Assign role to groups: `cern-accounts-primary` and `cara-app-external-access` e-groups
Copy the client id and client secret and use it below.
```console
$ COOKIE_SECRET=$(openssl rand -hex 50)
$ oc create secret generic \
--from-literal="CLIENT_ID=$CLIENT_ID" \
--from-literal="CLIENT_SECRET=$CLIENT_SECRET" \
--from-literal="COOKIE_SECRET=$COOKIE_SECRET" \
auth-service-secrets
```
## Update configuration
@ -123,7 +162,8 @@ If you need to **update** existing configuration, then modify this repository an
```console
$ cd app-config/openshift
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f -
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f -
$ oc process -f services.yaml | oc replace -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
```


@ -10,6 +10,71 @@
labels:
template: "cara-application"
objects:
-
kind: BuildConfig
apiVersion: v1
metadata:
name: auth-service
spec:
source:
git:
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
contextDir: app-config/auth-service
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'auth-service:latest'
strategy:
sourceStrategy:
from:
kind: ImageStreamTag
name: 'python:3.6'
namespace: openshift
type: Source
triggers:
- imageChange:
type: ImageChange
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: auth-service
-
kind: BuildConfig
apiVersion: v1
metadata:
name: cara-router
spec:
source:
git:
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
contextDir: app-config/nginx
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-router:latest'
strategy:
sourceStrategy:
from:
kind: ImageStreamTag
name: 'nginx:1.12'
namespace: openshift
type: Source
triggers:
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: BuildConfig
apiVersion: v1
@ -18,8 +83,8 @@
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
sourceSecret:
name: sshdeploykey
output:
@ -54,8 +119,8 @@
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
contextDir: app-config/nginx
sourceSecret:
name: sshdeploykey
@ -88,8 +153,8 @@
spec:
source:
git:
ref: master
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
sourceSecret:
name: sshdeploykey
output:
@ -116,6 +181,40 @@
apiVersion: v1
metadata:
name: cara-webservice
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: auth-service
spec:
replicas;: 1
template:
metadata:
labels:
app: auth-service
spec:
containers:
- name: auth-service
image: '${PROJECT_NAME}/auth-service'
ports:
- containerPort: 8080
protocol: TCP
- envFrom:
- configMapRef:
name: auth-service
- secretRef:
name: auth-service-secrets
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- auth-service
from:
kind: ImageStreamTag
name: 'auth-service:latest'
namespace: ${PROJECT_NAME}
-
apiVersion: v1
kind: DeploymentConfig
@ -135,6 +234,7 @@
- containerPort: 8080
protocol: TCP
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
@ -165,6 +265,7 @@
- containerPort: 8443
protocol: TCP
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
@ -174,6 +275,7 @@
kind: ImageStreamTag
name: 'cara-router:latest'
namespace: ${PROJECT_NAME}
- type: ConfigChange
-
apiVersion: v1
kind: DeploymentConfig
@ -193,6 +295,7 @@
- containerPort: 8080
protocol: TCP
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
@ -202,8 +305,15 @@
kind: ImageStreamTag
name: 'cara-webservice:latest'
namespace: ${PROJECT_NAME}
- type: ConfigChange
parameters:
- name: PROJECT_NAME
description: The name of this project, e.g. test-cara
required: true
- name: GIT_REPO
description: The GIT repo URL
value: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
- name: GIT_BRANCH
description: The name of the GIT branch to use when building the app, e.g. `live/test-cara` in TEST, `master` in prod
required: true
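Review bot: The new `auth-service` DeploymentConfig in the `@ -116,6 +181,40 @@` hunk does not validate as written: `- envFrom:` makes `envFrom` a list element (a second, nameless entry beside the container, or beside its port, depending on the lost indentation) rather than a field of the `auth-service` container, so the `auth-service` ConfigMap and `auth-service-secrets` Secret would never be injected; it should read `envFrom:` at the same level as `image:` and `ports:`. The same hunk has `replicas;: 1`, a stray semicolon inside the key, which should be `replicas: 1`. Both are one-line fixes. Separately, the new auth-service BuildConfig builds on the `python:3.6` ImageStreamTag; that release was near end of life when this was written, so it is worth confirming the builder image the project intends to support, since an auth service is the last place to carry an unpatched runtime.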


@ -0,0 +1,19 @@
---
kind: "Template"
apiVersion: "v1"
metadata:
name: "cara-configuration"
annotations:
description: "CARA configuration OpenShift template."
tags: "cara-configuration"
labels:
template: "cara-configuration"
objects:
-
apiVersion: v1
kind: ConfigMap
metadata:
name: auth-service
data:
OIDC_REALM: CERN
OIDC_SERVER: 'https://auth.cern.ch/auth'
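Review bot: The scalar styles in this new template are inconsistent: `kind: "Template"` and the annotations use double quotes, `OIDC_SERVER` uses single quotes, and `OIDC_REALM: CERN` is left plain, all within nineteen lines. ConfigMap `data` values must be strings, so quoting the plain one, `OIDC_REALM: 'CERN'`, makes that explicit and guards against a future value that a YAML 1.1 loader would retype (a bare `NO`, a number, a date). The template also declares no `parameters:`, so unlike application.yaml the realm and server URL cannot be overridden at `oc process` time; if the TEST and production deployments the README describes really share one SSO endpoint that is fine, but a one-line comment above `data:` saying so would spare the next reader the question.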


@ -14,11 +14,11 @@
apiVersion: v1
kind: Route
metadata:
name: cara-router
name: cara-route
spec:
host: ${HOST}
port:
targetPort: 8081
targetPort: 8080-tcp
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
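Review bot: Renaming the Route from `cara-router` to `cara-route` (if I read the old/new pair at `metadata.name` correctly) means the `oc replace -f -` flow this commit's README documents will, on an existing project, find no `cara-route` object to replace, while the old `cara-router` Route keeps claiming `${HOST}`; the update instructions should say to delete the old Route first, or the rename should be dropped. `targetPort` now refers to a named port, `8080-tcp`, but none of the commit's four files touches a Service, so that port name must already exist on the target Service, otherwise the router has no endpoint to forward to; worth confirming before merge. The `to:` reference of the Route spec lies outside the hunk.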