Add OpenShift templates for new auth service

Nicola Tarocco 2021-03-03 19:37:18 +01:00
parent 18af16f749
commit babde8b0bc
4 changed files with 181 additions and 12 deletions


@ -98,14 +98,15 @@ If you need to create the application in a new project, run:
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc create -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc create -f -
$ oc process -f configmap.yaml | oc create -f -
$ oc process -f services.yaml | oc create -f - $ oc process -f services.yaml | oc create -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -
``` ```
Then, create the webhook secret to be able to trigger automatic builds from GitLab. Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret: Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`.
```console ```console
$ WEBHOOKSECRET=$(openssl rand -hex 50) $ WEBHOOKSECRET=$(openssl rand -hex 50)
@ -114,7 +115,45 @@ $ oc create secret generic \
gitlab-cara-webhook-secret gitlab-cara-webhook-secret
``` ```
Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET` ### CERN SSO integration
The SSO integration uses OpenID credentials configured in [CERN Applications portal](https://application-portal.web.cern.ch/).
How to configure the application:
* Application Identifier: `cara-test`
* Homepage: `https://test-cara.web.cern.ch`
* Administrators: `cara-dev`
* SSO Registration:
* Protocol: `OpenID (OIDC)`
* Redirect URI: `https://test-cara.web.cern.ch/auth/authorize`
* Leave unchecked all the other checkboxes
* Define new roles:
* Name: `CERN Users`
* Role Identifier: `external-users`
* Leave unchecked checkboxes
* Minimum Level Of Assurance: `CERN (highest)`
* Assign role to groups: `cern-accounts-primary` e-group
* Name: `External accounts`
* Role Identifier: `admin`
* Leave unchecked checkboxes
* Minimum Level Of Assurance: `Any (no restrictions)`
* Assign role to groups: `cara-app-external-access` e-group
* Name: `Allowed users`
* Role Identifier: `allowed-users`
* Check `This role is required to access my application`
* Minimum Level Of Assurance:`Any (no restrictions)`
* Assign role to groups: `cern-accounts-primary` and `cara-app-external-access` e-groups
Copy the client id and client secret and use it below.
```console
$ COOKIE_SECRET=$(openssl rand -hex 50)
$ oc create secret generic \
--from-literal="CLIENT_ID=$CLIENT_ID" \
--from-literal="CLIENT_SECRET=$CLIENT_SECRET" \
--from-literal="COOKIE_SECRET=$COOKIE_SECRET" \
auth-service-secrets
```
## Update configuration ## Update configuration
@ -123,7 +162,8 @@ If you need to **update** existing configuration, then modify this repository an
```console ```console
$ cd app-config/openshift $ cd app-config/openshift
$ oc process -f application.yaml --param PROJECT_NAME='test-cara' | oc replace -f - $ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f -
$ oc process -f services.yaml | oc replace -f - $ oc process -f services.yaml | oc replace -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f - $ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -
``` ```


@ -10,6 +10,71 @@
labels: labels:
template: "cara-application" template: "cara-application"
objects: objects:
-
kind: BuildConfig
apiVersion: v1
metadata:
name: auth-service
spec:
source:
git:
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
contextDir: app-config/auth-service
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'auth-service:latest'
strategy:
sourceStrategy:
from:
kind: ImageStreamTag
name: 'python:3.6'
namespace: openshift
type: Source
triggers:
- imageChange:
type: ImageChange
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
-
kind: ImageStream
apiVersion: v1
metadata:
name: auth-service
-
kind: BuildConfig
apiVersion: v1
metadata:
name: cara-router
spec:
source:
git:
ref: ${GIT_BRANCH}
uri: ${GIT_REPO}
contextDir: app-config/nginx
sourceSecret:
name: sshdeploykey
output:
to:
kind: ImageStreamTag
name: 'cara-router:latest'
strategy:
sourceStrategy:
from:
kind: ImageStreamTag
name: 'nginx:1.12'
namespace: openshift
type: Source
triggers:
- generic:
secretReference:
name: gitlab-cara-webhook-secret
type: Generic
- -
kind: BuildConfig kind: BuildConfig
apiVersion: v1 apiVersion: v1
@ -18,8 +83,8 @@
spec: spec:
source: source:
git: git:
ref: master ref: ${GIT_BRANCH}
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git' uri: ${GIT_REPO}
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
output: output:
@ -54,8 +119,8 @@
spec: spec:
source: source:
git: git:
ref: master ref: ${GIT_BRANCH}
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git' uri: ${GIT_REPO}
contextDir: app-config/nginx contextDir: app-config/nginx
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
@ -88,8 +153,8 @@
spec: spec:
source: source:
git: git:
ref: master ref: ${GIT_BRANCH}
uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git' uri: ${GIT_REPO}
sourceSecret: sourceSecret:
name: sshdeploykey name: sshdeploykey
output: output:
@ -116,6 +181,40 @@
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: cara-webservice name: cara-webservice
-
apiVersion: v1
kind: DeploymentConfig
metadata:
name: auth-service
spec:
replicas;: 1
template:
metadata:
labels:
app: auth-service
spec:
containers:
- name: auth-service
image: '${PROJECT_NAME}/auth-service'
ports:
- containerPort: 8080
protocol: TCP
- envFrom:
- configMapRef:
name: auth-service
- secretRef:
name: auth-service-secrets
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- auth-service
from:
kind: ImageStreamTag
name: 'auth-service:latest'
namespace: ${PROJECT_NAME}
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -135,6 +234,7 @@
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
triggers: triggers:
- type: ConfigChange
- type: ImageChange - type: ImageChange
imageChangeParams: imageChangeParams:
automatic: true automatic: true
@ -165,6 +265,7 @@
- containerPort: 8443 - containerPort: 8443
protocol: TCP protocol: TCP
triggers: triggers:
- type: ConfigChange
- type: ImageChange - type: ImageChange
imageChangeParams: imageChangeParams:
automatic: true automatic: true
@ -174,6 +275,7 @@
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-router:latest' name: 'cara-router:latest'
namespace: ${PROJECT_NAME} namespace: ${PROJECT_NAME}
- type: ConfigChange
- -
apiVersion: v1 apiVersion: v1
kind: DeploymentConfig kind: DeploymentConfig
@ -193,6 +295,7 @@
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
triggers: triggers:
- type: ConfigChange
- type: ImageChange - type: ImageChange
imageChangeParams: imageChangeParams:
automatic: true automatic: true
@ -202,8 +305,15 @@
kind: ImageStreamTag kind: ImageStreamTag
name: 'cara-webservice:latest' name: 'cara-webservice:latest'
namespace: ${PROJECT_NAME} namespace: ${PROJECT_NAME}
- type: ConfigChange
parameters: parameters:
- name: PROJECT_NAME - name: PROJECT_NAME
description: The name of this project, e.g. test-cara description: The name of this project, e.g. test-cara
required: true required: true
- name: GIT_REPO
description: The GIT repo URL
value: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
- name: GIT_BRANCH
description: The name of the GIT branch to use when building the app, e.g. `live/test-cara` in TEST, `master` in prod
required: true
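Review bot: In the new `auth-service` DeploymentConfig (hunk `@ -116,6 +181,40 @@`), `- envFrom:` is written as a new list item instead of a field of the `auth-service` container, so the `auth-service` ConfigMap and the `auth-service-secrets` Secret (CLIENT_ID, CLIENT_SECRET, COOKIE_SECRET) would not be injected into the container, and the extra entry has none of the name/image a container requires; indentation is lost in this rendered view, but the fix is to drop the dash and put `envFrom:` at the same level as `ports:` inside the container. The same object has `replicas;: 1` with a stray semicolon, which is an unknown field rather than `replicas`; change it to `replicas: 1`. The hunks at `+265`/`+275` (cara-router) and `+295`/`+305` (cara-webservice) each add `- type: ConfigChange` twice to the same `triggers` list, once before the ImageChange entry and once after its `namespace:` line, so one of each pair should go. The added `cara-router` BuildConfig builds `app-config/nginx`, as does the pre-existing BuildConfig shown in `@ -54,8 +119,8 @@`; if that existing object is also named `cara-router`, processing the template would produce two objects with the same name and `oc create` would reject the second.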


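--- /dev/null
+++ b/app-config/openshift/configmap.yaml
@@ -0,0 +1,19 @@
+---
+kind: "Template"
+apiVersion: "v1"
+metadata:
+name: "cara-configuration"
+annotations:
+description: "CARA configuration OpenShift template."
+tags: "cara-configuration"
+labels:
+template: "cara-configuration"
+objects:
+-
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: auth-service
+data:
+OIDC_REALM: CERN
+OIDC_SERVER: 'https://auth.cern.ch/auth'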


@ -14,11 +14,11 @@
apiVersion: v1 apiVersion: v1
kind: Route kind: Route
metadata: metadata:
name: cara-router name: cara-route
spec: spec:
host: ${HOST} host: ${HOST}
port: port:
targetPort: 8081 targetPort: 8080-tcp
tls: tls:
insecureEdgeTerminationPolicy: Redirect insecureEdgeTerminationPolicy: Redirect
termination: edge termination: edge
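Review bot: Renaming the Route from `cara-router` to `cara-route` (`metadata.name` in this hunk) breaks the `oc process -f route.yaml ... | oc replace -f -` update flow the README gives for existing projects, since there is no `cara-route` object to replace, and the old `cara-router` Route presumably keeps claiming `${HOST}` until it is deleted. A line in the README's update section saying that the old Route must be deleted before re-creating it would avoid a deploy that fails or serves the host from the stale object. `targetPort: 8080-tcp` is a named Service port, so it has to match a port name in services.yaml, which this commit does not touch; worth confirming that name exists there and fronts the intended pod, since the Route previously targeted 8081 by number. The Route's `to:` target lies outside the hunk.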