From 4c2dc64958a64ad46c1cc3ddb4ca1774a73cf388 Mon Sep 17 00:00:00 2001
From: Michal Konecny
Date: Mon, 14 Aug 2023 12:30:45 +0200
Subject: [PATCH] [Pagure] Disable OIDC on production for now
Limiting the number of processes to 1 caused unexpected error on production instance. For more info see https://pagure.io/fedora-infrastructure/issue/10372#comment-868823
Signed-off-by: Michal Konecny
---
 roles/pagure/templates/0_pagure.conf | 4 ++++
 roles/pagure/templates/pagure.cfg | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/roles/pagure/templates/0_pagure.conf b/roles/pagure/templates/0_pagure.conf
index 488ddecca5..908af4ed6d 100644
--- a/roles/pagure/templates/0_pagure.conf
+++ b/roles/pagure/templates/0_pagure.conf
@@ -3,8 +3,12 @@ WSGISocketPrefix run/wsgi
 WSGIRestrictSignal Off
 WSGIPythonOptimize 1
 WSGIPassAuthorization On
+{% if env == 'pagure-staging' %}
 # Only use a single process because flask-oidc stores its credentials in a dictionary.
 WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=1 threads=20 inactivity-timeout=300
+{% else %}
+WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=10 threads=6 inactivity-timeout=300
+{% endif %}
 WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300
 Protocols h2 h2c http/1.1
diff --git a/roles/pagure/templates/pagure.cfg b/roles/pagure/templates/pagure.cfg
index 1aac49deff..409ba264af 100644
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@@ -195,6 +195,7 @@ DISABLED_PLUGINS = ['IRC']
 ### Switch the authentication method
 # Specify which authentication method to use: `openid`, `oidc`, `local`
 # Default: ``fas``.
+{% if env == 'pagure-staging' %}
 PAGURE_AUTH = 'oidc'
 OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
 OIDC_ID_TOKEN_COOKIE_SECURE = True
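Review bot: In roles/pagure/templates/0_pagure.conf the `{% else %}` branch sets `processes=10 threads=6` with no comment tying it to the authentication backend, so nothing in the file warns that a later switch of production to `oidc` in pagure.cfg would run flask-oidc across several processes, which is the setup the existing comment says it cannot handle. The same `env == 'pagure-staging'` test is repeated in both pagure.cfg hunks, and the two templates have to stay in step for logins to work. I would add above the production line `# Multi-process is only valid while PAGURE_AUTH is not 'oidc' in pagure.cfg; flask-oidc keeps its credentials in a per-process dictionary.`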
@@ -209,6 +210,9 @@ OIDC_PAGURE_USERNAME = 'preferred_username'
 OIDC_PAGURE_SSH_KEY = 'ssh_key'
 OIDC_PAGURE_GROUPS = 'groups'
 OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
+{% else %}
+PAGURE_AUTH = 'openid'
+{% endif %}
 # When this is set to True, the session cookie will only be returned to the
 # server via ssl (https). If you connect to the server via plain http, the
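Review bot: The `{% else %}` branch in pagure.cfg puts production back on `PAGURE_AUTH = 'openid'` with no in-file marker that this is a temporary rollback, so the reason and the tracking issue live only in the commit message. A comment above that line such as `# Temporary: production stays on openid until the OIDC problem in fedora-infrastructure issue 10372 is resolved` would keep the interim setting from becoming permanent unnoticed. The matching `{% if %}` is opened in the previous hunk and the OIDC settings between the two hunks are not visible here, so this assumes none of them is needed when `PAGURE_AUTH` is `openid`.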