From 004bdfccdd6d3ba741bc5fe5d8e323f3ac07183c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Wed, 29 May 2024 15:30:41 +0200 Subject: [PATCH] Badges: test the Flask version in staging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- .../badges/templates/buildconfig.yml | 3 +- .../badges/templates/client_secrets.json | 14 +++++ .../badges/templates/configmap.yml | 8 ++- .../badges/templates/deploymentconfig.yml | 34 ++++++----- .../badges/templates/gunicorn.conf.py | 4 ++ .../badges/templates/tahrir.cfg.py | 57 +++++++++++++++++++ roles/openshift-apps/badges/templates/wsgi.py | 9 ++- 7 files changed, 112 insertions(+), 17 deletions(-) create mode 100644 roles/openshift-apps/badges/templates/client_secrets.json create mode 100644 roles/openshift-apps/badges/templates/gunicorn.conf.py create mode 100644 roles/openshift-apps/badges/templates/tahrir.cfg.py diff --git a/roles/openshift-apps/badges/templates/buildconfig.yml b/roles/openshift-apps/badges/templates/buildconfig.yml index 98162aee4e..2d2ad79416 100644 --- a/roles/openshift-apps/badges/templates/buildconfig.yml +++ b/roles/openshift-apps/badges/templates/buildconfig.yml @@ -74,7 +74,8 @@ spec: type: Git git: uri: https://github.com/fedora-infra/tahrir.git - ref: {{ (env == 'production')|ternary('stable', 'staging') }} + # ref: {{ (env == 'production')|ternary('stable', 'staging') }} + ref: {{ (env == 'production')|ternary('stable', 'flask') }} contextDir: / strategy: type: Source diff --git a/roles/openshift-apps/badges/templates/client_secrets.json b/roles/openshift-apps/badges/templates/client_secrets.json new file mode 100644 index 0000000000..7319c6a9ba --- /dev/null +++ b/roles/openshift-apps/badges/templates/client_secrets.json 
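Review bot: The commented-out `ref:` line kept above the new one still contains a Jinja expression, which the template engine evaluates even though YAML treats the line as a comment, and nothing records whether building non-production from the `flask` branch is meant to be temporary. If it is, replace the dead line with a plain-text comment such as `# TODO: switch non-production back to 'staging' once the Flask port is merged`. The build follows a branch name rather than a pinned commit, so whatever lands on that branch is what staging runs; the enclosing `spec:` block starts and ends outside the hunk.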
@@ -0,0 +1,14 @@ +{ + "web": { + "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization", + "client_id": "tahrir", + "client_secret": "{{ (env == 'production')|ternary(tahrir_oidc_client_secret, tahrir_oidc_client_secret_staging) }}", + "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/", + "redirect_uris": [ + "https://badges{{env_suffix}}.fedoraproject.org/oidc/authorize", + "https://badges.apps.ocp{{env_suffix}.fedoraproject.org/oidc/authorize" + ], + "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token", + "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo" + } +} diff --git a/roles/openshift-apps/badges/templates/configmap.yml b/roles/openshift-apps/badges/templates/configmap.yml index 56558de345..f8e510fc66 100644 --- a/roles/openshift-apps/badges/templates/configmap.yml +++ b/roles/openshift-apps/badges/templates/configmap.yml @@ -21,6 +21,12 @@ items: {{ load_file('tahrir.ini') | indent(6) }} secrets.ini: |- {{ load_file('secrets.ini') | indent(6) }} + tahrir.cfg: |- + {{ load_file('tahrir.cfg.py') | indent(6) }} + gunicorn.conf.py: |- + {{ load_file('gunicorn.conf.py') | indent(6) }} + client_secrets.json: |- + {{ load_file('client_secrets.json') | indent(6) }} - apiVersion: v1 kind: ConfigMap metadata: @@ -30,4 +36,4 @@ items: data: wsgi.py: |- {{ load_file('wsgi.py') | indent(6) }} - __init__.py: "" \ No newline at end of file + __init__.py: "" diff --git a/roles/openshift-apps/badges/templates/deploymentconfig.yml b/roles/openshift-apps/badges/templates/deploymentconfig.yml index 45e889497c..a8052412d4 100644 --- a/roles/openshift-apps/badges/templates/deploymentconfig.yml +++ b/roles/openshift-apps/badges/templates/deploymentconfig.yml 
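Review bot: The second entry in `redirect_uris` has an unbalanced Jinja expression, `{{env_suffix}` with a single closing brace, so the template is likely to fail to render, or to emit a wrong redirect URI, when the role is applied. It should read `"https://badges.apps.ocp{{env_suffix}}.fedoraproject.org/oidc/authorize"`. The `client_secret` value is also interpolated into a JSON string without escaping, so a secret containing `"` or `\` would produce invalid JSON; passing it through a JSON-encoding filter instead of hand-written quotes avoids that.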
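Review bot: The three keys added in the first configmap.yml hunk put `tahrir.cfg` (session `SECRET_KEY` and the database password) and `client_secrets.json` (the OIDC client secret) next to the existing `secrets.ini`, in what the file name suggests is a ConfigMap; the object's own `kind` line is outside the hunk, so confirm. ConfigMap data is not treated as confidential by the cluster and is readable with ordinary view access on the namespace, whereas a `Secret` can be access-controlled and encrypted at rest separately. Consider moving these two files into a `Secret` mounted at the same path. The second hunk only adds the missing final newline and needs nothing.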
@@ -60,10 +60,12 @@ spec: readOnly: true env: - - name: GUNICORN_CMD_ARGS - value: "--bind=0.0.0.0:8080" + - name: FLASK_CONFIG + value: "/etc/badges/tahrir.cfg" - name: APP_MODULE value: "deploy.wsgi" + - name: APP_CONFIG + value: "/etc/badges/gunicorn.conf.py" - name: KRB5_CONFIG value: /etc/ipa/krb5.conf - name: KRB5_CLIENT_KTNAME @@ -71,18 +73,22 @@ spec: - name: FEDORA_MESSAGING_CONF value: /etc/badges/fm-tahrir.toml - # readinessProbe: - # timeoutSeconds: 1 - # initialDelaySeconds: 5 - # httpGet: - # path: /api/v1/healthz/ready - # port: 8080 - # livenessProbe: - # timeoutSeconds: 1 - # initialDelaySeconds: 20 - # httpGet: - # path: /api/v1/healthz/live - # port: 8080 +{% if env == 'staging' %} + readinessProbe: + timeoutSeconds: 10 + initialDelaySeconds: 5 + periodSeconds: 60 + httpGet: + path: "/healthz/ready" + port: 8080 + livenessProbe: + timeoutSeconds: 10 + initialDelaySeconds: 10 + periodSeconds: 60 + httpGet: + path: "/healthz/live" + port: 8080 +{% endif %} volumes: - name: etc-badges diff --git a/roles/openshift-apps/badges/templates/gunicorn.conf.py b/roles/openshift-apps/badges/templates/gunicorn.conf.py new file mode 100644 index 0000000000..eb0fd58f2b --- /dev/null +++ b/roles/openshift-apps/badges/templates/gunicorn.conf.py @@ -0,0 +1,4 @@ +bind = ["0.0.0.0:8080"] +accesslog = "-" +errorlog = "-" +timeout = 60 diff --git a/roles/openshift-apps/badges/templates/tahrir.cfg.py b/roles/openshift-apps/badges/templates/tahrir.cfg.py new file mode 100644 index 0000000000..f4510a16a2 --- /dev/null +++ b/roles/openshift-apps/badges/templates/tahrir.cfg.py 
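Review bot: The `env:` change in the first deploymentconfig.yml hunk is not wrapped in `{% if env == 'staging' %}` the way the probes in the second hunk and the new code in wsgi.py are, so production also loses `GUNICORN_CMD_ARGS` (`--bind=0.0.0.0:8080`) and now depends on `APP_CONFIG` pointing at the new gunicorn.conf.py for its bind address. If the production image does not read `APP_CONFIG`, gunicorn would fall back to its default bind address and port 8080 would stop answering; confirm this, or gate the swap on `env`. The commit title says the Flask version is only being tested in staging, so a short comment above `FLASK_CONFIG` noting that the Pyramid deployment ignores it would help the next reader. The container spec begins and ends outside both hunks.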
@@ -0,0 +1,57 @@
+#
+# This is the config file for Tahrir as intended to be used in OpenShift
+#
+
+
+{% if env == 'staging' %}
+SECRET_KEY = "{{tahrirstgSessionSecret}}"
+{% else %}
+SECRET_KEY = "{{tahrirSessionSecret}}"
+{% endif %}
+
+TEMPLATES_AUTO_RELOAD = False
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+
+{% if env == 'staging' %}
+SQLALCHEMY_DATABASE_URI = "postgresql://{{tahrirDBUser}}:{{tahrirstgDBPassword}}@db01.stg.iad2.fedoraproject.org/tahrir"
+TAHRIR_TITLE = "Fedora Badges (staging!)"
+{% else %}
+SQLALCHEMY_DATABASE_URI = "postgresql://{{tahrirDBUser}}:{{tahrirDBPassword}}@db-tahrir/tahrir"
+TAHRIR_TITLE = "Fedora Badges"
+{% endif %}
+OIDC_CLIENT_SECRETS = "/etc/badges/client_secrets.json"
+
+TAHRIR_ADMIN_GROUPS = ["sysadmin-main", "sysadmin-badges"]
+TAHRIR_DEFAULT_ISSUER = "fedora-project"
+TAHRIR_DEFAULT_AVATAR = "retro"
+TAHRIR_DISPLAY_TAGS = ["content", "development", "community", "quality", "event", "miscellaneous"]
+TAHRIR_PNGS_PATH = "/var/lib/badges/pngs"
+TAHRIR_SITEDOCS_SUBDIR = "fedora-sitedocs"
+TAHRIR_USE_FEDMSG = True
+TAHRIR_EMAIL_DOMAIN = "{{env_prefix}}fedoraproject.org"
+TAHRIR_FAS_URL = "https://accounts{{env_suffix}}.fedoraproject.org"
+
+TAHRIR_SOCIAL_TWITTER = True
+TAHRIR_SOCIAL_TWITTER_USER_TEXT = "Check out all these #fedorabadges :trophy:"
+TAHRIR_SOCIAL_TWITTER_USER_HASH = "#fedora"
+
+# If this is true, we'll store the email from the user's FAS account, if
+# not, then we'll use their FAS_USERNAME@fedoraproject.org. For Fedora
+# Infrastructure we want this to be false due to some inconsistencies between
+# the fedbadges backend awarder and the tahrir frontend. Other deployments
+# may set this to true with no problem.
+TAHRIR_USE_OPENID_EMAIL = False + +# Cache +CACHE = { +# disabled, trying to see if this fix this bug +# https://pagure.io/fedora-infrastructure/issue/8689 + "backend": "dogpile.cache.null", + "expiration_time": 100, + "arguments": { + "url": "memcached01{{env_suffix}}:11211", + "distributed_lock": true, + "lock_timeout": 5, + }, +} diff --git a/roles/openshift-apps/badges/templates/wsgi.py b/roles/openshift-apps/badges/templates/wsgi.py index 6a7e949a61..9023c22ef4 100644 --- a/roles/openshift-apps/badges/templates/wsgi.py +++ b/roles/openshift-apps/badges/templates/wsgi.py @@ -1,5 +1,12 @@ +{% if env == "staging" %} +from werkzeug.middleware.proxy_fix import ProxyFix +from tahrir.app import create_app +application = create_app() +application.wsgi_app = ProxyFix(application.wsgi_app, x_proto=1, x_host=1) +{% else %} from pyramid.paster import get_app, setup_logging ini_path = '/etc/badges/tahrir.ini' setup_logging(ini_path) -application = get_app(ini_path, 'main') \ No newline at end of file +application = get_app(ini_path, 'main') +{% endif %}
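Review bot: In the `CACHE` dict of tahrir.cfg.py, `"distributed_lock": true,` uses the JSON/YAML spelling; if this file is loaded as Python, as the `.py` template name and the `True`/`False` values earlier in the file suggest, it raises `NameError` at startup and should be `"distributed_lock": True,`. The two `SQLALCHEMY_DATABASE_URI` lines interpolate the password raw, so a password containing `@` or `"` would produce a broken URI or a broken string literal; `{{ tahrirstgDBPassword | urlencode }}` (and the same for `tahrirDBPassword`) avoids that. `SESSION_COOKIE_SAMESITE` is not set alongside the `HTTPONLY` and `SECURE` flags; `SESSION_COOKIE_SAMESITE = "Lax"` is worth adding if the OIDC login flow allows it.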
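Review bot: `ProxyFix(application.wsgi_app, x_proto=1, x_host=1)` in wsgi.py makes the app believe `X-Forwarded-Proto` and `X-Forwarded-Host` from exactly one hop, and nothing records which proxy that hop is. Those values feed URL generation, including the OIDC redirect, so the setting is only sound if every request reaches the pod through a proxy that overwrites both headers; gunicorn binds `0.0.0.0:8080`, so this depends on network policy limiting who can connect to the pod directly. Add a comment above the line such as `# Trust one proxy hop (the OpenShift router) for scheme and host; update the counts if the proxy chain changes.`, adjusting the name if the fronting proxy is something else. `x_for` keeps its default of 1, so `remote_addr` is taken from `X-Forwarded-For` under the same assumption.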