From 3bf33234a8da923b9b770c50b1ec274fc9c498a9 Mon Sep 17 00:00:00 2001
From: Rick Elrod
Date: Fri, 8 Nov 2019 16:22:31 +0000
Subject: [PATCH] openshift-apps/sanitarium: First go at openshift role for playing with an SSH CA in stg
Signed-off-by: Rick Elrod
---
 playbooks/openshift-apps/sanitarium.yml | 59 ++++++++++
 .../sanitarium/files/buildconfig.yml | 23 ++++
 .../sanitarium/files/deploymentconfig.yml | 106 ++++++++++++++++++
 .../sanitarium/files/service.yml | 13 +++
 .../sanitarium/templates/secret.yml | 13 +++
 5 files changed, 214 insertions(+)
 create mode 100644 playbooks/openshift-apps/sanitarium.yml
 create mode 100644 roles/openshift-apps/sanitarium/files/buildconfig.yml
 create mode 100644 roles/openshift-apps/sanitarium/files/deploymentconfig.yml
 create mode 100644 roles/openshift-apps/sanitarium/files/service.yml
 create mode 100644 roles/openshift-apps/sanitarium/templates/secret.yml
diff --git a/playbooks/openshift-apps/sanitarium.yml b/playbooks/openshift-apps/sanitarium.yml
new file mode 100644
index 0000000000..ff166eacb7
--- /dev/null
+++ b/playbooks/openshift-apps/sanitarium.yml
@@ -0,0 +1,59 @@
+- name: make the app be real
+ #hosts: os_masters[0]:os_masters_stg[0]
+ hosts: os_masters_stg[0]
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: openshift/project
+ app: sanitarium
+ description: sanitarium
+ appowners:
+ - codeblock
+ - puiterwijk
+ - role: openshift/secret-file
+ app: sanitarium
+ key: intermediate
+ secret_name: intermediate
+ privatefile: "sanitarium/intermediate.{{env}}.key"
+ - role: openshift/secret-file
+ app: sanitarium
+ key: signer
+ secret_name: signer
+ privatefile: "sanitarium/signer.{{env}}"
+ - role: openshift/object
+ app: sanitarium
+ objectname: secret.yml
+ template: secret.yml
+ - role: openshift/imagestream
+ app: sanitarium
+ imagename: sanitarium
+ - role: openshift/object
+ app: sanitarium
+ file: buildconfig.yml
+ objectname: buildconfig.yml
+ - role: openshift/start-build
+ app: sanitarium
+ buildname: sanitarium
+ - role: openshift/object
+ app: sanitarium
+ file: service.yml
+ objectname: service.yml
+ - role: openshift/route
+ app: sanitarium
+ routename: sanitarium
+ host: sanitarium-sanitarium.app.os{{env_suffix}}.fedoraproject.org
+ serviceport: web
+ servicename: sanitarium
+ - role: openshift/object
+ app: sanitarium
+ file: deploymentconfig.yml
+ objectname: deploymentconfig.yml
+ - role: openshift/rollout
+ app: sanitarium
+ dcname: sanitarium
diff --git a/roles/openshift-apps/sanitarium/files/buildconfig.yml b/roles/openshift-apps/sanitarium/files/buildconfig.yml
new file mode 100644
index 0000000000..4f5ce1a362
--- /dev/null
+++ b/roles/openshift-apps/sanitarium/files/buildconfig.yml
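Review bot: deploymentconfig.yml is loaded with `file: deploymentconfig.yml` while secret.yml goes through `template:`, so the deployment config cannot carry any per-environment value even though this play targets `os_masters_stg[0]` and the route host is derived from `{{env_suffix}}`; the deploymentconfig elsewhere in this patch hard-codes the production `SERVICE_ROOT`, which for an OIDC client means the staging pod would advertise a production redirect base. Switching the role entry to `template: deploymentconfig.yml` and writing the root as `https://sanitarium-sanitarium.app.os{{env_suffix}}.fedoraproject.org` would keep the two in step. Also note the two private-file names differ in shape, `sanitarium/intermediate.{{env}}.key` versus `sanitarium/signer.{{env}}` with no `.key` suffix; if that is not deliberate, one of them will fail to be found at deploy time, so it is worth confirming against what is actually stored under /srv/private.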
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: BuildConfig
+metadata:
+ name: sanitarium
+ labels:
+ app: sanitarium
+spec:
+ completionDeadlineSeconds: 1800
+ runPolicy: Serial
+ strategy:
+ dockerStrategy:
+ dockerfilePath: Dockerfile.server
+ source:
+ type: Git
+ git:
+ uri: https://github.com/puiterwijk/Sanitarium.git
+ triggers:
+ - type: ConfigChange
+ output:
+ to:
+ kind: ImageStreamTag
+ name: sanitarium:latest
diff --git a/roles/openshift-apps/sanitarium/files/deploymentconfig.yml b/roles/openshift-apps/sanitarium/files/deploymentconfig.yml
new file mode 100644
index 0000000000..d3b14da0c2
--- /dev/null
+++ b/roles/openshift-apps/sanitarium/files/deploymentconfig.yml
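Review bot: The Git source has only `uri: https://github.com/puiterwijk/Sanitarium.git` with no `ref`, so every build takes whatever the default branch of a personal GitHub repository points at and publishes it as `sanitarium:latest`, which the deployment then runs with the SSH CA signing keys mounted into it. For a service that mints SSH certificates, the build input should be pinned: add `ref: <tag-or-commit>` under `git:` and bump it deliberately, so a force-push or compromised upstream branch cannot silently become the next CA image. Even in staging this keeps the image reproducible and makes it obvious in review when the code being signed by the CA keys actually changed.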
@@ -0,0 +1,106 @@
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+ name: sanitarium
+ labels:
+ app: sanitarium
+spec:
+ replicas: 1
+ selector:
+ app: sanitarium
+ strategy:
+ activeDeadlineSeconds: 21600
+ recreateParams:
+ timeoutSeconds: 600
+ template:
+ metadata:
+ name: sanitarium
+ labels:
+ app: sanitarium
+ spec:
+ containers:
+ - env:
+ - name: SERVICE_ROOT
+ value: 'https://sanitarium-sanitarium.app.os.fedoraproject.org'
+ - name: OIDC_PROVIDER_ROOT
+ value: 'https://id.fedoraproject.org/openidc/'
+ - name: OIDC_CLIENT_ID
+ value: sshcerttest
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sanitarium
+ key: oidc-client-secret
+ - name: OIDC_SUPPORTS_OOB
+ value: 'no'
+ - name: OIDC_REQUIRED_SCOPES
+ value: 'openid,profile'
+ - name: REQUIRE_TPM
+ value: 'no'
+ - name: REQUIRE_MEASUREMENT
+ value: 'no'
+ - name: OIDC_TOKEN_INFO_URL
+ value: 'https://id.fedoraproject.org/openidc/TokenInfo'
+ - name: OIDC_USERNAME_CLAIM
+ value: sub
+ - name: INTERMEDIATE_CERT_VALIDITY
+ value: 8h
+ - name: SSH_CERT_VALIDITY
+ value: 5m
+ - name: SSH_CERT_SIGNING_KEY_PATH
+ value: /sshkey/signer.key
+ - name: SSH_CERT_ADD_GITHUB
+ value: 'yes'
+ - name: INTERMEDIATE_SIGNING_KEY_PATH
+ value: /sshkey/intermediate.key
+ image: >-
+ docker-registry.default.svc:5000/sanitarium:latest
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /info
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: sanitarium
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /info
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 80Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - name: signer
+ mountPath: /sshkey/signer.key
+ readyOnly: true
+ - name: intermediate
+ mountPath: /sshkey/intermediate.key
+ readyOnly: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: signer
+ secret:
+ secretName: signer
+ - name: intermediate
+ secret:
+ secretName: intermediate
+ triggers:
+ - type: ConfigChange
diff --git a/roles/openshift-apps/sanitarium/files/service.yml b/roles/openshift-apps/sanitarium/files/service.yml
new file mode 100644
index 0000000000..c1307e3ca3
--- /dev/null
+++ b/roles/openshift-apps/sanitarium/files/service.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sanitarium
+ labels:
+ app: sanitarium
+spec:
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
+ selector:
+ deploymentconfig: sanitarium
diff --git a/roles/openshift-apps/sanitarium/templates/secret.yml b/roles/openshift-apps/sanitarium/templates/secret.yml
new file mode 100644
index 0000000000..902cc92f2e
--- /dev/null
+++ b/roles/openshift-apps/sanitarium/templates/secret.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sanitarium
+ labels:
+ app: sanitarium
+stringData:
+{% if env == 'staging' %}
+ oidc-client-secret: "{{sanitarium_stg_oidc_secret}}"
+{% endif %}
+{% if env == 'production' %}
+ oidc-client-secret: "{{sanitarium_prod_oidc_secret}}"
+{% endif %}
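Review bot: The `signer` and `intermediate` secret volumes are mounted at file paths (`mountPath: /sshkey/signer.key`, `mountPath: /sshkey/intermediate.key`) without `subPath`, so with a standard Secret volume each mountPath becomes a directory containing one file per data key, and `SSH_CERT_SIGNING_KEY_PATH=/sshkey/signer.key` would name a directory rather than the key; this assumes the openshift/secret-file role creates an ordinary Secret, which is not visible here. If the data keys are `signer` and `intermediate` as the playbook's `key:` values suggest, add `subPath: signer` and `subPath: intermediate` to the respective mounts, or mount each volume on `/sshkey` with an `items:` list that maps the key to `signer.key` / `intermediate.key`. Both mounts also spell the field `readyOnly: true`; the real field is `readOnly: true`, and the misspelled key is likely ignored by the API server, so the explicit read-only intent for the CA private keys is currently not expressed. Separately, `SERVICE_ROOT` is pinned to the production hostname `https://sanitarium-sanitarium.app.os.fedoraproject.org` although this patch only deploys to staging, which is worth fixing before the OIDC redirect is relied on.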
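Review bot: In secret.yml the two Jinja branches cover only `env == 'staging'` and `env == 'production'`, so for any other value of `env` the rendered object is `stringData:` with nothing under it, the `oidc-client-secret` key is absent, and the container's `secretKeyRef` on that key will keep the pod from starting with a less obvious error than a template failure. A third branch such as `{% else %}{{ undefined_sanitarium_env }}{% endif %}`, or collapsing both branches into a single `oidc-client-secret: "{{ lookup('vars', 'sanitarium_' ~ env ~ '_oidc_secret') }}"` that fails on an unknown env, would surface the misconfiguration at render time instead. The quoted `"{{ ... }}"` values are already correct for YAML and should stay quoted.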