diff --git a/roles/openshift-apps/flask-oidc-dev/files/service.yml b/roles/openshift-apps/flask-oidc-dev/files/service.yml
new file mode 100644
index 0000000000..f276490282
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/files/service.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: flask-oidc-dev
+ labels:
+ app: flask-oidc-dev
+spec:
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: flask-oidc-dev
+ deploymentconfig: flask-oidc-dev
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/buildconfig.yml b/roles/openshift-apps/flask-oidc-dev/templates/buildconfig.yml
new file mode 100644
index 0000000000..fa0dece3af
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/buildconfig.yml
@@ -0,0 +1,41 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ name: flask-oidc-dev
+ labels:
+ app: flask-oidc-dev
+ build: flask-oidc-dev
+spec:
+ runPolicy: Serial
+ source:
+ type: Git
+ git:
+ uri: https://github.com/abompard/test-auth.git
+{% if env == "staging" %}
+ ref: main
+{% else %}
+ ref: stable
+{% endif %}
+ contextDir: /
+ strategy:
+ type: Source
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: python:3.6
+ namespace: openshift
+ output:
+ to:
+ kind: ImageStreamTag
+ name: flask-oidc-dev:latest
+ triggers:
+ - type: ConfigChange
+ - type: ImageChange
+ - type: GitHub
+{% if test_auth_stg_github_secret is defined and env == 'staging' %}
+ github:
+ secret: "{{ test_auth_stg_github_secret }}"
+{% elif test_auth_github_secret is defined and env == 'production' %}
+ github:
+ secret: "{{ test_auth_github_secret }}"
+{% endif %}
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/client_secrets.json b/roles/openshift-apps/flask-oidc-dev/templates/client_secrets.json
new file mode 100644
index 0000000000..134d427eb0
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/client_secrets.json
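Review bot: The GitHub webhook secret is inlined into the BuildConfig through `github.secret:` under the `- type: GitHub` trigger, while secret-webhook.yml in this same commit writes the identical value into a Secret named `test-auth-github-webhook-secret` under the `WebHookSecretKey` key that nothing in the diff references; pointing the trigger at that Secret keeps the credential out of the BuildConfig object and avoids two copies drifting, e.g. `github:` / `secretReference:` / `name: test-auth-github-webhook-secret`. When neither `test_auth_stg_github_secret` nor `test_auth_github_secret` is defined the `- type: GitHub` entry is still emitted with no `github` block at all, which the API server is likely to reject as incomplete, so the `{% if %}` should wrap the whole trigger entry rather than only its `github` block. The build also consumes `python:3.6` from the `openshift` ImageStream; Python 3.6 has reached upstream end of life, so a still-maintained tag is worth confirming before this image serves authentication traffic in production.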
@@ -0,0 +1,17 @@
+{
+ "web": {
+ "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+ "client_id": "flask-oidc-dev",
+{% if env == 'staging' %}
+ "client_secret": "{{ flask_oidc_dev_stg_oidc_client_secret }}",
+{% else %}
+ "client_secret": "{{ flask_oidc_dev_oidc_client_secret }}",
+{% endif %}
+ "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+ "redirect_uris": [
+ "https://app-flask-oidc-dev.apps.ocp{{env_suffix}}.fedoraproject.org/oidc/oidc_callback"
+ ],
+ "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+ }
+}
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/config.py b/roles/openshift-apps/flask-oidc-dev/templates/config.py
new file mode 100644
index 0000000000..cfd9c79774
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/config.py
@@ -0,0 +1,18 @@
+#
+# This is the config file for Test Auth as intended to be used in OpenShift
+#
+
+
+# Deployed to a subpath
+# APPLICATION_ROOT = '/test-auth/'
+
+# Cookies
+SECRET_KEY = "{{ flask_oidc_dev_session_secret }}"
+SESSION_COOKIE_NAME = 'flask-oidc-dev'
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+
+# Auth
+OIDC_CLIENT_SECRETS = "/etc/flask-oidc-dev/oidc.json"
+OPENID_ENDPOINT = "https://id{{ env_suffix }}.fedoraproject.org/openid/"
+FAS_OPENID_ENDPOINT = "https://id{{ env_suffix }}.fedoraproject.org/openid/"
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/configmap.yml b/roles/openshift-apps/flask-oidc-dev/templates/configmap.yml
new file mode 100644
index 0000000000..0b342bc4b1
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/configmap.yml
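Review bot: The `# Cookies` section in config.py sets `SESSION_COOKIE_HTTPONLY` and `SESSION_COOKIE_SECURE` but not `SESSION_COOKIE_SAMESITE`, so the session cookie is still attached to cross-site requests and the two flags that are set do not cover that case; add `SESSION_COOKIE_SAMESITE = 'Lax'` beside them (`'Lax'` rather than `'Strict'`, so the cookie is still sent on the top-level redirect back from the identity provider to `/oidc/oidc_callback`). The header comment still calls the application "Test Auth" while every object in the role is named flask-oidc-dev and the container reads `TESTAUTH_SETTINGS`; a one-line comment such as `# The app itself is still named Test Auth; flask-oidc-dev is the deployment name` would spare the next reader the cross-reference. `OPENID_ENDPOINT` and `FAS_OPENID_ENDPOINT` point at the legacy `/openid/` endpoint although the rest of the config drives OIDC through `OIDC_CLIENT_SECRETS`; if the app no longer reads them, dropping them narrows the configuration surface, and if it does, a comment saying which code path uses them would help.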
@@ -0,0 +1,17 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: flask-oidc-dev-config
+ labels:
+ app: flask-oidc-dev
+ data:
+ flask-oidc-dev.cfg: |-
+ {{ load_file('config.py') | indent(6) }}
+ oidc.json: |-
+ {{ load_file('client_secrets.json') | indent(6) }}
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/deploymentconfig.yml b/roles/openshift-apps/flask-oidc-dev/templates/deploymentconfig.yml
new file mode 100644
index 0000000000..7867651641
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/deploymentconfig.yml
@@ -0,0 +1,59 @@
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+ name: flask-oidc-dev
+ labels:
+ app: flask-oidc-dev
+spec:
+ replicas: 1
+ selector:
+ app: flask-oidc-dev
+ deploymentconfig: flask-oidc-dev
+ strategy:
+ type: Rolling
+ activeDeadlineSeconds: 21600
+ rollingParams:
+ intervalSeconds: 1
+ maxSurge: 25%
+ maxUnavailable: 25%
+ timeoutSeconds: 600
+ updatePeriodSeconds: 1
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: flask-oidc-dev
+ deploymentconfig: flask-oidc-dev
+ spec:
+ containers:
+ - name: flask-oidc-dev
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ #protocol: TCP
+ #resources: {}
+ #terminationMessagePath: /dev/termination-log
+ #terminationMessagePolicy: File
+ volumeMounts:
+ - name: flask-oidc-dev-config-volume
+ mountPath: "/etc/flask-oidc-dev"
+ readOnly: true
+ env:
+ - name: TESTAUTH_SETTINGS
+ value: "/etc/flask-oidc-dev/flask-oidc-dev.cfg"
+ # - name: SCRIPT_NAME
+ # value: "/flask-oidc-dev"
+ volumes:
+ - name: flask-oidc-dev-config-volume
+ configMap:
+ name: flask-oidc-dev-config
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - flask-oidc-dev
+ from:
+ kind: ImageStreamTag
+ name: flask-oidc-dev:latest
+ type: ImageChange
+ - type: ConfigChange
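Review bot: The ConfigMap `flask-oidc-dev-config` embeds `config.py`, which renders `SECRET_KEY`, and `client_secrets.json`, which renders the OIDC `client_secret`, so the session signing key and the OIDC client credential are stored as a ConfigMap rather than a Secret. ConfigMaps are not handled as sensitive data by the platform or by the usual tooling, and read access to them is granted far more freely than access to Secrets, so anyone who can list ConfigMaps in the namespace can forge sessions and impersonate the client at the identity provider. Rendering both files into a `kind: Secret` (with `stringData:` in place of `data:` so the templated text is accepted as-is) and switching the `configMap:` volume in deploymentconfig.yml to a `secret:` volume keeps the same `/etc/flask-oidc-dev` layout the container expects. Because the `load_file` macro pulls the templates in verbatim, any key added to either file later inherits the same exposure; a comment at the top of this file stating that it carries credentials would make that visible.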
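Review bot: The `flask-oidc-dev` container in deploymentconfig.yml declares no `readinessProbe` or `livenessProbe`, so the Rolling strategy (`maxUnavailable: 25%`, `timeoutSeconds: 600`) treats a new pod as ready the moment the container starts and the Service routes requests to it before the app is listening on 8080; a `readinessProbe` with an `httpGet` on port 8080 against a lightweight path closes that window, and a `livenessProbe` lets a wedged process be restarted instead of serving errors indefinitely. `resources` survives only as the commented `#resources: {}`, leaving the pod with no CPU or memory requests or limits; at least a memory limit is worth setting for a service that handles authentication, and the `#protocol`/`#terminationMessage*` comment lines can then go with it. The commented `# - name: SCRIPT_NAME` pair mirrors the commented `# APPLICATION_ROOT` in config.py; if subpath deployment is not planned, both can be removed, otherwise a comment noting they must be enabled together would help.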
diff --git a/roles/openshift-apps/flask-oidc-dev/templates/secret-webhook.yml b/roles/openshift-apps/flask-oidc-dev/templates/secret-webhook.yml
new file mode 100644
index 0000000000..e8662f8cfc
--- /dev/null
+++ b/roles/openshift-apps/flask-oidc-dev/templates/secret-webhook.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-auth-github-webhook-secret
+data:
+ WebHookSecretKey: "{{ (env == 'production')|ternary(test_auth_github_secret, test_auth_stg_github_secret) }}"
+type: Opaque
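Review bot: `WebHookSecretKey` is placed under `data:` with the raw rendered value, but `data` in a `kind: Secret` must hold base64-encoded content, so the API server will reject this object unless the Ansible variables already happen to be base64 strings; use `stringData:` instead of `data:` so the templated text is accepted verbatim and encoded server-side. The selection here keys on `env == 'production'` alone and falls back to `test_auth_stg_github_secret` for every other environment, while buildconfig.yml gates each value on `is defined` and on an exact `'staging'` or `'production'` match, so the two files can disagree about which secret is in force; reusing the same condition in both keeps the BuildConfig and the Secret consistent. Nothing in this diff references the Secret (buildconfig.yml inlines the value through `github.secret`), and the name `test-auth-github-webhook-secret` breaks from the `flask-oidc-dev-*` naming used for every other object in the role, which is worth aligning before something does reference it.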