pingu_98/cara
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
COVID Airborne Risk Assessment tool
607 commits 24 branches 13 tags 17 MiB
Python 61.6%
JavaScript 26.4%
Jinja 9.9%
CSS 1.1%
Dockerfile 0.4%
Other 0.5%
Find a file
Phil Elson 42e64c3064 Fix the disclaimer text which I broke in https://gitlab.cern.ch/cara/cara/-/merge_requests/141/
2021-03-03 19:53:43 +01:00
app Ensure that the application static files are available in Voila. 2020-11-20 13:22:13 +01:00
app-config Add OpenShift templates for new auth service 2021-03-03 19:37:18 +01:00
cara Fix the disclaimer text which I broke in https://gitlab.cern.ch/cara/cara/-/merge_requests/141/ 2021-03-03 19:53:43 +01:00
.gitignore Removed .pyc files 2020-11-05 11:55:17 +01:00
.gitlab-ci.yml Address remaining review actions. 2021-03-02 18:43:01 +01:00
app.sh Enable the cara-webservice in the Openshift deployment. 2020-11-05 23:01:26 +01:00
README.md Merge branch 'feature/openshift-templates-auth-service' into 'master' 2021-03-03 18:45:36 +00:00
requirements.txt Automatic report regeneration 2021-03-01 15:19:15 +00:00
setup.cfg Automatic report regeneration 2021-03-01 15:19:15 +00:00
setup.py Automatic report regeneration 2021-03-01 15:19:15 +00:00

README.md

CARA - COVID Airborne Risk Assessment

Applications

COVID Calculator

A risk assessment tool which simulates the long range airborne spread of the SARS-CoV-2 virus for space managers.

You can find the CARA COVID Calculator at https://cara.web.cern.ch/calculator/. Please see the COVID Calculator README for detailed usage instructions.

CARA Expert App

A tool to interact with various parameters of the CARA model. This is currently in beta, and can be found at https://cara.web.cern.ch/expert-app.

Disclaimer

The code and data of this repository are provided to promote reproducible research. They are not intended for clinical care or commercial use.

The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and non infringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Development guide

Running the COVID calculator app locally

pip install -e .   # At the root of the repository
python -m cara.apps.calculator

Running the CARA Expert-App app locally

pip install -e .   # At the root of the repository
voila ./app/cara.ipynb

Then visit http://localhost:8080/calculator.

Running the tests

pip install -e .[test]
pytest ./cara

Building the whole environment for local execution

Simulate the docker build that takes place on openshift with:

s2i build file://$(pwd) --copy --keep-symlinks --context-dir ./app-config/nginx/ centos/nginx-112-centos7 cara-nginx-app
s2i build file://$(pwd) --copy --keep-symlinks --env APP_NAME=cara-voila --context-dir ./ centos/python-36-centos7 cara-voila-app
s2i build file://$(pwd) --copy --keep-symlinks --env APP_NAME=cara-webservice --context-dir ./  centos/python-36-centos7 cara-webservice
s2i build file://$(pwd) --copy --keep-symlinks --context-dir ./app-config/auth-service centos/python-36-centos7 auth-service
cd app-config
docker-compose up

Then visit http://localhost:8080/.

Setting up the application on openshift

The https://cern.ch/cara application is running on CERN's OpenShift platform. In order to set it up for the first time, we followed the documentation at https://cern.service-now.com/service-portal?id=kb_article&n=KB0004498. In particular we:

  • Added the OpenShift application deploy key to the GitLab repository
  • Created a Python 3.6 (the highest possible at the time of writing) application in OpenShift
  • Configured a generic webhook on OpenShift, and call that from the CI of the GitLab repository

Updating the test-cara.web.cern.ch instance

We have a replica of https://cara.web.cern.ch running on http://test-cara.web.cern.ch. Its purpose is to simulate what will happen when a feature is merged. To push your changes to test-cara, simply push your branch to live/test-cara and the CI pipeline will trigger the deployment. To push to this branch, there is a good chance that you will need to force push - you should always force push with care and understanding why you are doing it. Syntactically, it will look something like (assuming that you have "upstream" as your remote name, but it may be origin if you haven't configured it differently):

git push --force upstream name-of-local-branch:live/test-cara

OpenShift templates

First setup

First, get the oc client and then login:

$ oc login https://openshift-dev.cern.ch

Then, switch to the project that you want to update:

$ oc project test-cara

If you need to create the application in a new project, run:

$ cd app-config/openshift

$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc create -f -
$ oc process -f configmap.yaml | oc create -f -
$ oc process -f services.yaml | oc create -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc create -f -

Then, create the webhook secret to be able to trigger automatic builds from GitLab.

Create and store the secret. Copy the secret above and add it to the GitLab project under CI /CD -> Variables with the name OPENSHIFT_CARA_TEST_WEBHOOK_SECRET.

$ WEBHOOKSECRET=$(openssl rand -hex 50)
$ oc create secret generic \
  --from-literal="WebHookSecretKey=$WEBHOOKSECRET" \
  gitlab-cara-webhook-secret

CERN SSO integration

The SSO integration uses OpenID credentials configured in CERN Applications portal. How to configure the application:

  • Application Identifier: cara-test
  • Homepage: https://test-cara.web.cern.ch
  • Administrators: cara-dev
  • SSO Registration:
    • Protocol: OpenID (OIDC)
    • Redirect URI: https://test-cara.web.cern.ch/auth/authorize
    • Leave unchecked all the other checkboxes
  • Define new roles:
    • Name: CERN Users
      • Role Identifier: external-users
      • Leave unchecked checkboxes
      • Minimum Level Of Assurance: CERN (highest)
      • Assign role to groups: cern-accounts-primary e-group
    • Name: External accounts
      • Role Identifier: admin
      • Leave unchecked checkboxes
      • Minimum Level Of Assurance: Any (no restrictions)
      • Assign role to groups: cara-app-external-access e-group
    • Name: Allowed users
      • Role Identifier: allowed-users
      • Check This role is required to access my application
      • Minimum Level Of Assurance:Any (no restrictions)
      • Assign role to groups: cern-accounts-primary and cara-app-external-access e-groups

Copy the client id and client secret and use it below.

$ COOKIE_SECRET=$(openssl rand -hex 50)
$ oc create secret generic \
  --from-literal="CLIENT_ID=$CLIENT_ID" \
  --from-literal="CLIENT_SECRET=$CLIENT_SECRET" \
  --from-literal="COOKIE_SECRET=$COOKIE_SECRET" \
  auth-service-secrets

Update configuration

If you need to update existing configuration, then modify this repository and after having logged in, run:

$ cd app-config/openshift

$ oc process -f application.yaml --param PROJECT_NAME='test-cara' --param GIT_BRANCH='live/test-cara' | oc replace -f -
$ oc process -f configmap.yaml | oc replace -f -
$ oc process -f services.yaml | oc replace -f -
$ oc process -f route.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f -

Be aware that if you change/replace the route of the PROD instance, it will loose the annotation to be exposed outside CERN (not committed in this repo).