First try for the test-auth app

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/test-auth.yml

@@ -0,0 +1,67 @@
+- name: make the app be real
+  hosts: os_masters[0]:os_masters_stg[0]
+  user: root
+  gather_facts: False
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  vars:
+
+  roles:
+    - role: openshift/project
+      app: test-auth
+      description: "Authentication testing"
+      appowners:
+        - abompard
+      tags:
+        - apply-appowners
+
+    - role: openshift/imagestream
+      app: test-auth
+      imagename: test-auth
+
+    - role: openshift/object
+      app: test-auth
+      template: buildconfig.yml
+      objectname: buildconfig.yml
+
+    - role: openshift/object
+      app: test-auth
+      template: configmap.yml
+      objectname: configmap.yml
+
+    - role: openshift/object
+      app: test-auth
+      file: service.yml
+      objectname: service.yml
+
+    # - role: openshift/route
+    #   app: test-auth
+    #   routename: test-auth
+    #   host: "admin{{ env_suffix }}.fedoraproject.org"
+    #   path: "/test-auth"
+    #   serviceport: web
+    #   servicename: test-auth
+    #   annotations:
+    #     haproxy.router.openshift.io/timeout: 5m
+    - role: openshift/route
+      app: test-auth
+      routename: test-auth
+      host: "test-auth.app.os{{ env_suffix }}.fedoraproject.org"
+      serviceport: web
+      servicename: test-auth
+      annotations:
+        haproxy.router.openshift.io/timeout: 5m
+
+    - role: openshift/object
+      app: test-auth
+      template: secret-webhook.yml
+      objectname: secret-webhook.yml
+
+    - role: openshift/object
+      app: test-auth
+      template: deploymentconfig.yml
+      objectname: deploymentconfig.yml

roles/openshift-apps/test-auth/files/service.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-auth
+  labels:
+    app: test-auth
+spec:
+  ports:
+    - name: web
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: test-auth
+    deploymentconfig: test-auth

roles/openshift-apps/test-auth/templates/buildconfig.yml

@@ -0,0 +1,41 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: test-auth
+  labels:
+    app: test-auth
+    build: test-auth
+spec:
+  runPolicy: Serial
+  source:
+    type: Git
+    git:
+      uri: https://github.com/abompard/test-auth.git
+{% if env == "staging" %}
+      ref: main
+{% else %}
+      ref: stable
+{% endif %}
+    contextDir: /
+  strategy:
+    type: Source
+    sourceStrategy:
+      from:
+        kind: ImageStreamTag
+        name: python:3.6
+        namespace: openshift
+  output:
+    to:
+      kind: ImageStreamTag
+      name: test-auth:latest
+  triggers:
+  - type: ConfigChange
+  - type: ImageChange
+  - type: GitHub
+{% if test_auth_stg_github_secret is defined and env == 'staging' %}
+    github:
+      secret: "{{ test_auth_stg_github_secret }}"
+{% elif test_auth_github_secret is defined and env == 'production' %}
+    github:
+      secret: "{{ test_auth_github_secret }}"
+{% endif %}

roles/openshift-apps/test-auth/templates/client_secrets.json

@@ -0,0 +1,17 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ test_auth_oidc_client_id }}",
+{% if env == 'staging' %}
+        "client_secret": "{{ test_auth_stg_oidc_client_secret }}",
+{% else %}
+        "client_secret": "{{ test_auth_oidc_client_secret }}",
+{% endif %}
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://test-auth.app.os{{env_suffix}}.fedoraproject.org/oidc/oidc_callback"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}

roles/openshift-apps/test-auth/templates/config.py

@@ -0,0 +1,18 @@
+#
+# This is the config file for Test Auth as intended to be used in OpenShift
+#
+
+
+# Deployed to a subpath
+# APPLICATION_ROOT = '/test-auth/'
+
+# Cookies
+SECRET_KEY = "{{ test_auth_session_secret }}"
+SESSION_COOKIE_NAME = 'test-auth'
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+
+# Auth
+OIDC_CLIENT_SECRETS = "/etc/test-auth/oidc.json"
+OIDC_SCOPES = ['openid', 'email', 'profile', 'https://id.fedoraproject.org/scope/groups', 'https://id.fedoraproject.org/scope/agreements']
+OPENID_ENDPOINT = "https://id{{ env_suffix }}.fedoraproject.org/openid/"

roles/openshift-apps/test-auth/templates/configmap.yml

@@ -0,0 +1,17 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: test-auth-config
+    labels:
+      app: test-auth
+  data:
+    test-auth.cfg: |-
+      {{ load_file('config.py') | indent(6) }}
+    oidc.json: |-
+      {{ load_file('client_secrets.json') | indent(6) }}

roles/openshift-apps/test-auth/templates/deploymentconfig.yml

@@ -0,0 +1,59 @@
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+  name: test-auth
+  labels:
+    app: test-auth
+spec:
+  replicas: 1
+  selector:
+    app: test-auth
+    deploymentconfig: test-auth
+  strategy:
+    type: Rolling
+    activeDeadlineSeconds: 21600
+    rollingParams:
+      intervalSeconds: 1
+      maxSurge: 25%
+      maxUnavailable: 25%
+      timeoutSeconds: 600
+      updatePeriodSeconds: 1
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-auth
+        deploymentconfig: test-auth
+    spec:
+      containers:
+        - name: test-auth
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080
+              #protocol: TCP
+          #resources: {}
+          #terminationMessagePath: /dev/termination-log
+          #terminationMessagePolicy: File
+          volumeMounts:
+            - name: test-auth-config-volume
+              mountPath: "/etc/test-auth"
+              readOnly: true
+          env:
+            - name: TESTAUTH_SETTINGS
+              value: "/etc/test-auth/test-auth.cfg"
+            # - name: SCRIPT_NAME
+            #   value: "/test-auth"
+      volumes:
+        - name: test-auth-config-volume
+          configMap:
+            name: test-auth-config
+  triggers:
+    - imageChangeParams:
+        automatic: true
+        containerNames:
+          - test-auth
+        from:
+          kind: ImageStreamTag
+          name: test-auth:latest
+      type: ImageChange
+    - type: ConfigChange

roles/openshift-apps/test-auth/templates/secret-webhook.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-auth-github-webhook-secret
+data:
+  WebHookSecretKey: "{{ (env == 'production')|ternary(test_auth_github_secret, test_auth_stg_github_secret) }}"
+type: Opaque