diff --git a/playbooks/openshift-apps/test-auth.yml b/playbooks/openshift-apps/test-auth.yml
new file mode 100644
index 0000000000..b58c0acb5a
--- /dev/null
+++ b/playbooks/openshift-apps/test-auth.yml
@@ -0,0 +1,67 @@
+- name: make the app be real
+ hosts: os_masters[0]:os_masters_stg[0]
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ vars:
+
+ roles:
+ - role: openshift/project
+ app: test-auth
+ description: "Authentication testing"
+ appowners:
+ - abompard
+ tags:
+ - apply-appowners
+
+ - role: openshift/imagestream
+ app: test-auth
+ imagename: test-auth
+
+ - role: openshift/object
+ app: test-auth
+ template: buildconfig.yml
+ objectname: buildconfig.yml
+
+ - role: openshift/object
+ app: test-auth
+ template: configmap.yml
+ objectname: configmap.yml
+
+ - role: openshift/object
+ app: test-auth
+ file: service.yml
+ objectname: service.yml
+
+ # - role: openshift/route
+ # app: test-auth
+ # routename: test-auth
+ # host: "admin{{ env_suffix }}.fedoraproject.org"
+ # path: "/test-auth"
+ # serviceport: web
+ # servicename: test-auth
+ # annotations:
+ # haproxy.router.openshift.io/timeout: 5m
+ - role: openshift/route
+ app: test-auth
+ routename: test-auth
+ host: "test-auth.app.os{{ env_suffix }}.fedoraproject.org"
+ serviceport: web
+ servicename: test-auth
+ annotations:
+ haproxy.router.openshift.io/timeout: 5m
+
+ - role: openshift/object
+ app: test-auth
+ template: secret-webhook.yml
+ objectname: secret-webhook.yml
+
+ - role: openshift/object
+ app: test-auth
+ template: deploymentconfig.yml
+ objectname: deploymentconfig.yml
diff --git a/roles/openshift-apps/test-auth/files/service.yml b/roles/openshift-apps/test-auth/files/service.yml
new file mode 100644
index 0000000000..9efef1c095
--- /dev/null
+++ b/roles/openshift-apps/test-auth/files/service.yml
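Review bot: `gather_facts: False` and the bare `vars:` stanza are style nits in the new play: Ansible accepts both, but the capitalized boolean and the null-valued key trip yamllint (`truthy`, `empty-values`); write `gather_facts: false` and either drop `vars:` or give it `{}`. The commented-out `openshift/route` block for the `admin` host is nine lines of dead configuration in a brand-new file; if the subpath deployment is still planned, a one-line comment such as `# alternative: serve under /test-auth on the admin host (see SCRIPT_NAME in deploymentconfig.yml)` carries the same information. The third `vars_files` entry uses `ansible_distribution` while facts are not gathered; presumably this relies on cached facts as the other plays in the repo do, which is worth confirming for a first run against a fresh master.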
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-auth
+ labels:
+ app: test-auth
+spec:
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: test-auth
+ deploymentconfig: test-auth
diff --git a/roles/openshift-apps/test-auth/templates/buildconfig.yml b/roles/openshift-apps/test-auth/templates/buildconfig.yml
new file mode 100644
index 0000000000..39333efa9f
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/buildconfig.yml
@@ -0,0 +1,41 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ name: test-auth
+ labels:
+ app: test-auth
+ build: test-auth
+spec:
+ runPolicy: Serial
+ source:
+ type: Git
+ git:
+ uri: https://github.com/abompard/test-auth.git
+{% if env == "staging" %}
+ ref: main
+{% else %}
+ ref: stable
+{% endif %}
+ contextDir: /
+ strategy:
+ type: Source
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: python:3.6
+ namespace: openshift
+ output:
+ to:
+ kind: ImageStreamTag
+ name: test-auth:latest
+ triggers:
+ - type: ConfigChange
+ - type: ImageChange
+ - type: GitHub
+{% if test_auth_stg_github_secret is defined and env == 'staging' %}
+ github:
+ secret: "{{ test_auth_stg_github_secret }}"
+{% elif test_auth_github_secret is defined and env == 'production' %}
+ github:
+ secret: "{{ test_auth_github_secret }}"
+{% endif %}
diff --git a/roles/openshift-apps/test-auth/templates/client_secrets.json b/roles/openshift-apps/test-auth/templates/client_secrets.json
new file mode 100644
index 0000000000..7c0115c7c3
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/client_secrets.json
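Review bot: The GitHub trigger embeds the webhook secret inline (`secret: "{{ test_auth_github_secret }}"`), which stores the plaintext value in the BuildConfig spec where anyone with `get` on buildconfigs can read it, while the Secret created in secret-webhook.yml (`test-auth-github-webhook-secret`, key `WebHookSecretKey`) is never referenced. Replace both `github:` blocks with the single reference `github: {secretReference: {name: test-auth-github-webhook-secret}}` so the value lives only in the Secret and the production/staging choice is made in one place. With that, the `{% if ... is defined %}` guards can go as well; as written, when neither variable is defined the `- type: GitHub` trigger is emitted with no `github:` block at all, which OpenShift's validation is likely to reject rather than silently ignore.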
@@ -0,0 +1,17 @@
+{
+ "web": {
+ "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+ "client_id": "{{ test_auth_oidc_client_id }}",
+{% if env == 'staging' %}
+ "client_secret": "{{ test_auth_stg_oidc_client_secret }}",
+{% else %}
+ "client_secret": "{{ test_auth_oidc_client_secret }}",
+{% endif %}
+ "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+ "redirect_uris": [
+ "https://test-auth.app.os{{env_suffix}}.fedoraproject.org/oidc/oidc_callback"
+ ],
+ "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+ }
+}
diff --git a/roles/openshift-apps/test-auth/templates/config.py b/roles/openshift-apps/test-auth/templates/config.py
new file mode 100644
index 0000000000..f87689c211
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/config.py
@@ -0,0 +1,18 @@
+#
+# This is the config file for Test Auth as intended to be used in OpenShift
+#
+
+
+# Deployed to a subpath
+# APPLICATION_ROOT = '/test-auth/'
+
+# Cookies
+SECRET_KEY = "{{ test_auth_session_secret }}"
+SESSION_COOKIE_NAME = 'test-auth'
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+
+# Auth
+OIDC_CLIENT_SECRETS = "/etc/test-auth/oidc.json"
+OIDC_SCOPES = ['openid', 'email', 'profile', 'https://id.fedoraproject.org/scope/groups', 'https://id.fedoraproject.org/scope/agreements']
+OPENID_ENDPOINT = "https://id{{ env_suffix }}.fedoraproject.org/openid/"
diff --git a/roles/openshift-apps/test-auth/templates/configmap.yml b/roles/openshift-apps/test-auth/templates/configmap.yml
new file mode 100644
index 0000000000..66bf47ec62
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/configmap.yml
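Review bot: The Jinja substitutions are dropped into JSON string literals unescaped (`"client_secret": "{{ test_auth_stg_oidc_client_secret }}",`), so a secret or client id that ever contains `"` or `\` yields invalid JSON that only surfaces when the app fails to start. Render each value with the `to_json` filter instead, e.g. `"client_secret": {{ test_auth_stg_oidc_client_secret | to_json }},`, and the same for the `client_id` line. `client_id` uses the single `test_auth_oidc_client_id` in both environments while the secret is env-specific; presumably the same client is registered with both identity providers, which is worth confirming because a mismatch would only show up as an OIDC error at login.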
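Review bot: The cookie settings enable `SESSION_COOKIE_HTTPONLY` and `SESSION_COOKIE_SECURE` but leave the SameSite attribute at the framework default; if these are Flask settings, as the key names suggest, add `SESSION_COOKIE_SAMESITE = 'Lax'` after `SESSION_COOKIE_SECURE = True` so the session cookie is not sent on cross-site requests (`Lax` still allows the top-level redirect back from the identity provider). A short comment above `SECRET_KEY` noting that this file is rendered into the `test-auth-config` object mounted at `/etc/test-auth` would make clear that the object type chosen in configmap.yml decides how this key is protected at rest.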
@@ -0,0 +1,17 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: test-auth-config
+ labels:
+ app: test-auth
+ data:
+ test-auth.cfg: |-
+ {{ load_file('config.py') | indent(6) }}
+ oidc.json: |-
+ {{ load_file('client_secrets.json') | indent(6) }}
diff --git a/roles/openshift-apps/test-auth/templates/deploymentconfig.yml b/roles/openshift-apps/test-auth/templates/deploymentconfig.yml
new file mode 100644
index 0000000000..f0ed2b4851
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/deploymentconfig.yml
@@ -0,0 +1,59 @@
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+ name: test-auth
+ labels:
+ app: test-auth
+spec:
+ replicas: 1
+ selector:
+ app: test-auth
+ deploymentconfig: test-auth
+ strategy:
+ type: Rolling
+ activeDeadlineSeconds: 21600
+ rollingParams:
+ intervalSeconds: 1
+ maxSurge: 25%
+ maxUnavailable: 25%
+ timeoutSeconds: 600
+ updatePeriodSeconds: 1
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: test-auth
+ deploymentconfig: test-auth
+ spec:
+ containers:
+ - name: test-auth
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ #protocol: TCP
+ #resources: {}
+ #terminationMessagePath: /dev/termination-log
+ #terminationMessagePolicy: File
+ volumeMounts:
+ - name: test-auth-config-volume
+ mountPath: "/etc/test-auth"
+ readOnly: true
+ env:
+ - name: TESTAUTH_SETTINGS
+ value: "/etc/test-auth/test-auth.cfg"
+ # - name: SCRIPT_NAME
+ # value: "/test-auth"
+ volumes:
+ - name: test-auth-config-volume
+ configMap:
+ name: test-auth-config
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - test-auth
+ from:
+ kind: ImageStreamTag
+ name: test-auth:latest
+ type: ImageChange
+ - type: ConfigChange
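Review bot: Both files rendered into this ConfigMap carry credentials — `config.py` holds `SECRET_KEY` and `client_secrets.json` holds the OIDC `client_secret` — but a ConfigMap is not handled as sensitive data: it is not encrypted at rest by default and is typically readable by roles that are denied access to Secrets. Since the role already manages a Secret in secret-webhook.yml, change this object to `kind: Secret` with `type: Opaque`, replace `data:` with `stringData:` (which takes the plain rendered text, so the `load_file` output needs no base64 step), and in deploymentconfig.yml mount it with `secret: {secretName: test-auth-config}` instead of `configMap:`. The `load_file` macro with `indent(6)` keeps the two files in their native formats, which is nice; a one-line comment above it noting that the included templates are rendered with the same Jinja variables as this file would help the next reader.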
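Review bot: The container defines no `readinessProbe` or `livenessProbe`, so with `replicas: 1` and the Rolling strategy the Service and route send traffic to a new pod as soon as it starts, before the app listens on 8080, and a wedged process is never restarted. Add HTTP probes against the container port as sketched below; the path is a placeholder to replace with an endpoint the app serves without authentication. `#resources: {}` is also commented out, leaving the pod without CPU/memory requests or limits, so unless the namespace has a LimitRange, set at least requests to keep scheduling predictable. The commented lines use `#key` with no space after the hash, which yamllint flags (`comments`).

```yaml
        - name: test-auth
          # … unchanged: imagePullPolicy, ports, volumeMounts, env …
          readinessProbe:
            httpGet:
              path: /PLACEHOLDER_HEALTH_PATH  # replace with an unauthenticated endpoint of the app
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /PLACEHOLDER_HEALTH_PATH
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 30
```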
diff --git a/roles/openshift-apps/test-auth/templates/secret-webhook.yml b/roles/openshift-apps/test-auth/templates/secret-webhook.yml
new file mode 100644
index 0000000000..e8662f8cfc
--- /dev/null
+++ b/roles/openshift-apps/test-auth/templates/secret-webhook.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-auth-github-webhook-secret
+data:
+ WebHookSecretKey: "{{ (env == 'production')|ternary(test_auth_github_secret, test_auth_stg_github_secret) }}"
+type: Opaque
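Review bot: Values under `data:` in a Secret must be base64-encoded, and `WebHookSecretKey` receives the raw variable value, so the API will reject the object unless the private vars already hold a pre-encoded string (not visible here); either switch the key to `stringData:` and leave the value as is, or keep `data:` and append `| b64encode` inside the expression. The `ternary` selection evaluates both variables, so it fails hard if either is undefined, unlike the `is defined` guards in buildconfig.yml — acceptable if both always exist in the private vars file, but the two templates should agree on one behaviour. Nothing references this Secret yet: buildconfig.yml embeds the webhook secret inline rather than through `secretReference`, so as committed this object is unused.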