diff --git a/openshift_playbooks/files/attribute-map.xml b/openshift_playbooks/files/attribute-map.xml
new file mode 100755
index 0000000..9b3633d
--- /dev/null
+++ b/openshift_playbooks/files/attribute-map.xml
@@ -0,0 +1,254 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/openshift_playbooks/files/shibd.logger b/openshift_playbooks/files/shibd.logger
new file mode 100755
index 0000000..b66048d
--- /dev/null
+++ b/openshift_playbooks/files/shibd.logger
@@ -0,0 +1,69 @@
+# set overall behavior
+log4j.rootCategory=DEBUG, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
+log4j.appender.shibd_log.maxFileSize=1000000
+log4j.appender.shibd_log.maxBackupIndex=10
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+log4j.appender.warn_log.maxFileSize=1000000
+log4j.appender.warn_log.maxBackupIndex=10
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
+log4j.appender.tran_log.maxFileSize=1000000
+log4j.appender.tran_log.maxBackupIndex=20
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=%m
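Review bot: `log4j.rootCategory=DEBUG, shibd_log, warn_log` on the first directive enables debug output for every category the file does not override, in a file this commit ships inside the `-sso-shib` Secret for a long-running pod. Shibboleth SP debug logging is verbose and can include per-request session and attribute detail, and with `maxFileSize=1000000` / `maxBackupIndex=10` the retained window becomes short once real traffic arrives. The stock `shibd.logger` shipped with the SP uses `INFO` here; unless debug output is wanted for the initial bring-up, `log4j.rootCategory=INFO, shibd_log, warn_log` is the safer value to ship, with the commented `#log4j.category...=DEBUG` lines below it available for targeted tracing.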
diff --git a/openshift_playbooks/provision_openshift.yml b/openshift_playbooks/provision_openshift.yml
index f0d7baa..bee83ca 100644
--- a/openshift_playbooks/provision_openshift.yml
+++ b/openshift_playbooks/provision_openshift.yml
@@ -6,6 +6,9 @@
- name: "project_name"
prompt: "Enter new project name for installation"
private: no
+ - name: "pouta_project_code"
+ prompt: "Enter cPouta project code for project creation on rahti"
+ private: no
tasks:
- include: environment_context_openshift.yml
- name: Create openshift project
@@ -13,7 +16,7 @@
api_version: v1
kind: Project
name: "{{ project_name }}"
- description: Pebbles Project
+ description: "csc_project: {{ pouta_project_code }}"
display_name: "{{ project_name }}"
state: present
- name: Switch to created openshift project
@@ -26,10 +29,12 @@
recurse: yes
state: directory
mode: 0700
- - name: Template out the secrets file
+
+ - name: Template out the secrets file for m2m
template:
src: pebbles-m2m.j2
dest: "{{ local_secrets_path }}/pebbles-m2m"
+
- name: Create secret object from the secrets file
openshift_raw:
state: present
@@ -37,14 +42,94 @@
apiVersion: v1
kind: Secret
metadata:
- name: pebbles-m2m
+ name: "{{ template_name }}-m2m"
namespace: "{{project_name}}"
data:
pebbles-m2m: "{{ lookup('file', '{{ local_secrets_path }}/pebbles-m2m') | b64encode }}"
+ - name: Template out Shibboleth.xml
+ template:
+ src: shibboleth2.xml.j2
+ dest: "{{ local_secrets_path }}/shibboleth2.xml"
+ when: use_sso
+
+ - name: copy private SSO key to in-memory file
+ local_action:
+ module: copy
+ dest: "{{ local_secrets_path }}/sp_key.pem"
+ content: "{{ vaulted_private_sso_key }}"
+ mode: 0700
+ when: use_sso
+
+ - name: copy SSO service provider certificate
+ local_action:
+ module: copy
+ dest: "{{ local_secrets_path }}/sp_cert.pem"
+ content: "{{ sp_cert }}"
+ mode: 0700
+ when: use_sso
+
+ - name: copy SSO identity provider certificate
+ local_action:
+ module: copy
+ dest: "{{ local_secrets_path }}/idp_cert.pem"
+ content: "{{ idp_cert }}"
+ mode: 0700
+ when: use_sso
+
+
+ - name: Create secret object from the shibboleth configs
+ openshift_raw:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ template_name }}-sso-shib"
+ namespace: "{{project_name}}"
+ data:
+ shibboleth2.xml: "{{ lookup('file', '{{ local_secrets_path }}/shibboleth2.xml') | b64encode }}"
+ attribute-map.xml: "{{ lookup('file', 'attribute-map.xml') | b64encode }}"
+ sp_key.pem: "{{ lookup('file', '{{ local_secrets_path }}/sp_key.pem') | b64encode }}"
+ sp_cert.pem: "{{ lookup('file', '{{ local_secrets_path }}/sp_cert.pem') | b64encode }}"
+ idp_cert.pem: "{{ lookup('file', '{{ local_secrets_path }}/idp_cert.pem') | b64encode }}"
+ shibd.logger: "{{ lookup('file', 'shibd.logger') | b64encode }}"
+ when: use_sso
+
+ - name: Template out pebbles-login.conf
+ template:
+ src: pebbles-login.conf.j2
+ dest: "{{ local_secrets_path }}/pebbles-login.conf"
+ when: use_sso
+
+ - name: Create secret object from the apache config
+ openshift_raw:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ template_name }}-sso-apache"
+ namespace: "{{project_name}}"
+ data:
+ pebbles-login.conf: "{{ lookup('file', '{{ local_secrets_path }}/pebbles-login.conf') | b64encode }}"
+ when: use_sso
+
+ - name: Clean secrets
+ local_action:
+ module: file
+ state: absent
+ path: "{{ local_secrets_path }}/{{ project_name }}"
+
- name: Template out the oc template variables file
template:
src: oc_template_vars.j2
dest: /tmp/oc_template_vars.env
- - name: Process the pebbles openshift template and create deployments
- shell: oc process --param-file=/tmp/oc_template_vars.env -f templates/pebbles-template.yml | oc apply -f -
+
+ - name: Process the pebbles openshift template and create deployments (without SSO)
+ shell: oc process --param-file=/tmp/oc_template_vars.env -p NAME="{{ template_name }}" -f templates/pebbles-template.yml | oc apply -f -
+ when: not use_sso
+
+ - name: Process the pebbles openshift template and create deployments (with SSO)
+ shell: oc process --param-file=/tmp/oc_template_vars.env -p NAME="{{ template_name }}" -f templates/pebbles-template-sso.yml | oc apply -f -
+ when: use_sso
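Review bot: The `Clean secrets` task removes `{{ local_secrets_path }}/{{ project_name }}`, but every file the new tasks write (`sp_key.pem`, `sp_cert.pem`, `idp_cert.pem`, `shibboleth2.xml`, `pebbles-login.conf`) lands directly in `{{ local_secrets_path }}`, so the vaulted private SSO key is left in plaintext on the controller after the run unless that subdirectory is something created outside this hunk. Either point the cleanup at the files actually written or, if `local_secrets_path` is a scratch directory dedicated to this run, remove it as a whole with `path: "{{ local_secrets_path }}"`. The key copy also uses `mode: 0700`, an unquoted octal that Ansible warns about and one that adds an execute bit a PEM file never needs; `mode: "0600"` is the usual form for the key, and the two certificates do not need to be restricted at all. The cleanup should arguably also run when an earlier task fails, which a `block` with an `always` section would give.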
diff --git a/openshift_playbooks/templates/pebbles-login.conf.j2 b/openshift_playbooks/templates/pebbles-login.conf.j2
new file mode 100644
index 0000000..2f31150
--- /dev/null
+++ b/openshift_playbooks/templates/pebbles-login.conf.j2
@@ -0,0 +1,28 @@
+# reverse proxy module
+LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+
+LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
+
+# apache documentation recommends a http proxy, but we go with ajp, because only it
+# supports request environment variables, strongly endorsed by the shibboleth documentation
+LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
+
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+
+LoadModule slotmem_shm_module /usr/lib/apache2/modules/mod_slotmem_shm.so
+
+# listen to a high port because we don't have root privileges
+Listen 8000
+
+
+
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ ShibUseHeaders On
+ require shib-session
+
+ ProxyPass http://{{ template_name }}-api:8080/login
+ ProxyPassReverse http://{{ template_name }}-api:8080/login
+
+
+ServerName https://{{ sso_hostname }}:443
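Review bot: `ProxyPass http://{{ template_name }}-api:8080/login` together with `ShibUseHeaders On` contradicts the comment above the `proxy_ajp_module` line, which says AJP was chosen so that attributes reach the backend as request environment variables; with a plain HTTP proxy the SP hands the session attributes to the backend as HTTP request headers instead, so either the comment or the directives should be corrected to state which mechanism is actually in use. If headers are the intended path, the API must only trust those headers on requests that arrived through this proxy, since the same API service appears to be routed to directly elsewhere in this commit's template and the SP can only scrub incoming copies on requests that pass through it. The block delimiters around the `AuthType shibboleth` … `ProxyPassReverse` section appear to have been dropped in this listing, so the scope these directives apply to cannot be confirmed here.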
diff --git a/openshift_playbooks/templates/pebbles-template-sso.yml b/openshift_playbooks/templates/pebbles-template-sso.yml
new file mode 100644
index 0000000..9648239
--- /dev/null
+++ b/openshift_playbooks/templates/pebbles-template-sso.yml
@@ -0,0 +1,786 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+ app: pebbles
+ template: pebbles
+message: |-
+ The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.
+
+metadata:
+ annotations:
+ description: Pebbles
+ iconClass: icon-python
+ openshift.io/display-name: Pebbles
+ openshift.io/documentation-url: https://github.com/CSCfi/pebbles
+ openshift.io/long-description: Pebbles
+ openshift.io/provider-display-name: CSC
+ tags: pebbles,python
+ template.openshift.io/bindable: "false"
+ name: pebbles
+
+objects:
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: ${NAME}
+ stringData:
+ database-password: ${DATABASE_PASSWORD}
+ database-user: ${DATABASE_USER}
+ pb-secret-key: ${PB_SECRET_KEY}
+
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes and load balances the application pods
+ service.alpha.openshift.io/dependencies: '[{"name": "${DATABASE_SERVICE_NAME}",
+ "kind": "Service"}]'
+ name: ${NAME}-api
+ spec:
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
+ selector:
+ name: ${NAME}-api
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-api
+ spec:
+ host: ${APPLICATION_DOMAIN}
+ to:
+ kind: Service
+ name: ${NAME}-api
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-api-sp
+ spec:
+ host: ${SSO_DOMAIN}
+ to:
+ kind: Service
+ name: ${NAME}-api
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-sso-login
+ spec:
+ host: ${APPLICATION_DOMAIN}
+ path: "/login"
+ to:
+ kind: Service
+ name: ${NAME}-sso
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-sso-login-sp
+ spec:
+ host: ${SSO_DOMAIN}
+ path: "/login"
+ to:
+ kind: Service
+ name: ${NAME}-sso
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-sso-shibboleth
+ spec:
+ host: ${APPLICATION_DOMAIN}
+ path: "/Shibboleth.sso"
+ to:
+ kind: Service
+ name: ${NAME}-sso
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: ${NAME}-sso-shibboleth-sp
+ spec:
+ host: ${SSO_DOMAIN}
+ path: "/Shibboleth.sso"
+ to:
+ kind: Service
+ name: ${NAME}-sso
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+
+- apiVersion: v1
+ kind: ImageStream
+ metadata:
+ annotations:
+ description: Keeps track of changes in the application image
+ name: ${NAME}
+
+- apiVersion: v1
+ kind: BuildConfig
+ metadata:
+ name: ${NAME}
+ spec:
+ output:
+ to:
+ kind: ImageStreamTag
+ name: ${NAME}:latest
+ postCommit: {}
+ resources: {}
+ runPolicy: Serial
+ source:
+ type: Git
+ contextDir: ${CONTEXT_DIR}
+ git:
+ ref: ${SOURCE_REPOSITORY_REF}
+ uri: ${SOURCE_REPOSITORY_URL}
+ strategy:
+ type: Source
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: python:2.7
+ namespace: ${BUILD_IMAGE_NAMESPACE}
+ env:
+ - name: UPGRADE_PIP_TO_LATEST
+ value: "1"
+ triggers:
+ - type: ConfigChange
+ - type: ImageChange
+ imageChange: {}
+ - type: GitHub
+ github:
+ secret: ${GITHUB_WEBHOOK_SECRET}
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: Pebbles API
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${NAME}-api
+ spec:
+ replicas: 1
+ selector:
+ name: ${NAME}-api
+ strategy:
+ type: Rolling
+ template:
+ metadata:
+ labels:
+ name: ${NAME}-api
+ name: ${NAME}-api
+ spec:
+ containers:
+ - name: pebbles-api
+ env:
+ - name: APP_MODULE
+ value: pebbles.server:app
+ - name: PB_SQLALCHEMY_DATABASE_URI
+ value: postgresql://pebbles:pebbles@postgresql/pebbles
+ - name: PB_DB_AUTOMIGRATION
+ value: "1"
+ - name: PB_DEBUG
+ value: "1"
+ - name: DB_AUTOMIGRATION
+ value: "1"
+ - name: DEBUG
+ value: "1"
+ - name: GUNICORN_CMD_ARGS
+ value: "--workers=2 --max-requests=100"
+ - name: PB_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ${NAME}
+ key: pb-secret-key
+ - name: PB_ENABLE_SHIBBOLETH_LOGIN
+ value: "true"
+ image: ' '
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 3
+ timeoutSeconds: 3
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 30
+ timeoutSeconds: 3
+ ports:
+ - containerPort: 8080
+ resources:
+ requests:
+ memory: ${MEMORY_API}
+ limits:
+ memory: ${MEMORY_API}
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - pebbles-api
+ from:
+ kind: ImageStreamTag
+ name: ${NAME}:latest
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: Pebbles worker
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${NAME}-worker
+ spec:
+ replicas: 1
+ selector:
+ name: ${NAME}-worker
+ strategy:
+ type: Rolling
+ template:
+ metadata:
+ labels:
+ name: ${NAME}-worker
+ name: ${NAME}-worker
+ spec:
+ containers:
+ - name: worker
+ volumeMounts:
+ - name: ${NAME}-m2m-vol
+ mountPath: ${M2M_STORE}
+ readOnly: true
+ env:
+ - name: APP_SCRIPT
+ value: /opt/app-root/src/deployment/run_celery.bash
+ - name: CELERY_PROCESS_NAME
+ value: worker
+ - name: CELERY_QUEUE
+ value: provisioning_tasks-1
+ - name: CELERY_LOGLEVEL
+ value: DEBUG
+ - name: PB_PLUGIN_WHITELIST
+ value: ${PLUGIN_WHITELIST}
+ - name: PB_INTERNAL_API_BASE_URL
+ value: http://${NAME}-api:8080/api/v1
+ - name: PB_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ${NAME}
+ key: pb-secret-key
+ - name: PB_M2M_CREDENTIAL_STORE
+ value: ${M2M_STORE}/pebbles-m2m
+ image: ' '
+ resources:
+ requests:
+ memory: ${MEMORY_WORKER}
+ limits:
+ memory: ${MEMORY_WORKER}
+ volumes:
+ - name: ${NAME}-m2m-vol
+ secret:
+ secretName: ${NAME}-m2m
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - worker
+ from:
+ kind: ImageStreamTag
+ name: ${NAME}:latest
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: Pebbles system worker
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${NAME}-system-worker
+ spec:
+ replicas: 1
+ selector:
+ name: ${NAME}-system-worker
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: ${NAME}-system-worker
+ name: ${NAME}-system-worker
+ spec:
+ containers:
+ - name: worker
+ env:
+ - name: APP_SCRIPT
+ value: /opt/app-root/src/deployment/run_celery.bash
+ - name: CELERY_PROCESS_NAME
+ value: system_worker
+ - name: CELERY_QUEUE
+ value: system_tasks
+ - name: CELERY_LOGLEVEL
+ value: DEBUG
+ - name: PB_PLUGIN_WHITELIST
+ value: ${PLUGIN_WHITELIST}
+ - name: PB_INTERNAL_API_BASE_URL
+ value: http://${NAME}-api:8080/api/v1
+ - name: PB_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ${NAME}
+ key: pb-secret-key
+ image: ' '
+ resources:
+ requests:
+ memory: ${MEMORY_WORKER}
+ limits:
+ memory: ${MEMORY_WORKER}
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - worker
+ from:
+ kind: ImageStreamTag
+ name: ${NAME}:latest
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: Pebbles periodical worker
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${NAME}-periodical-worker
+ spec:
+ replicas: 1
+ selector:
+ name: ${NAME}-periodical-worker
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: ${NAME}-periodical-worker
+ name: ${NAME}-periodical-worker
+ spec:
+ containers:
+ - name: worker
+ env:
+ - name: APP_SCRIPT
+ value: /opt/app-root/src/deployment/run_celery.bash
+ - name: CELERY_CMD
+ value: beat
+ - name: CELERY_PROCESS_NAME
+ value: system_worker
+ - name: CELERY_QUEUE
+ value: system
+ - name: CELERY_LOGLEVEL
+ value: DEBUG
+ - name: PB_INTERNAL_API_BASE_URL
+ value: http://${NAME}-api:8080/api/v1
+ - name: PB_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ${NAME}
+ key: pb-secret-key
+ image: ' '
+ resources:
+ requests:
+ memory: ${MEMORY_WORKER}
+ limits:
+ memory: ${MEMORY_WORKER}
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - worker
+ from:
+ kind: ImageStreamTag
+ name: ${NAME}:latest
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: ${DATABASE_SERVICE_NAME}
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: ${VOLUME_CAPACITY}
+
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes the database server
+ name: ${DATABASE_SERVICE_NAME}
+ spec:
+ ports:
+ - name: postgresql
+ port: 5432
+ targetPort: 5432
+ selector:
+ name: ${DATABASE_SERVICE_NAME}
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: Defines how to deploy the database
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${DATABASE_SERVICE_NAME}
+ spec:
+ replicas: 1
+ selector:
+ name: ${DATABASE_SERVICE_NAME}
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: ${DATABASE_SERVICE_NAME}
+ name: ${DATABASE_SERVICE_NAME}
+ spec:
+ containers:
+ - name: postgresql
+ env:
+ - name: POSTGRESQL_USER
+ valueFrom:
+ secretKeyRef:
+ key: database-user
+ name: ${NAME}
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: database-password
+ name: ${NAME}
+ - name: POSTGRESQL_DATABASE
+ value: ${DATABASE_NAME}
+ image: ' '
+ livenessProbe:
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 5432
+ timeoutSeconds: 1
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -i
+ - -c
+ - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE}
+ -c 'SELECT 1'
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ resources:
+ requests:
+ memory: ${MEMORY_POSTGRESQL}
+ limits:
+ memory: ${MEMORY_POSTGRESQL}
+ volumeMounts:
+ - mountPath: /var/lib/pgsql/data
+ name: ${DATABASE_SERVICE_NAME}-data
+ volumes:
+ - name: ${DATABASE_SERVICE_NAME}-data
+ persistentVolumeClaim:
+ claimName: ${DATABASE_SERVICE_NAME}
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - postgresql
+ from:
+ kind: ImageStreamTag
+ name: postgresql:9.5
+ namespace: ${BUILD_IMAGE_NAMESPACE}
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ template.openshift.io/expose-uri: redis://{.spec.clusterIP}:{.spec.ports[?(.name=="redis")].port}
+ name: redis
+ spec:
+ ports:
+ - name: redis
+ nodePort: 0
+ port: 6379
+ protocol: TCP
+ targetPort: 6379
+ selector:
+ name: redis
+ sessionAffinity: None
+ type: ClusterIP
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: redis
+ spec:
+ replicas: 1
+ selector:
+ name: redis
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: redis
+ spec:
+ containers:
+ - capabilities: {}
+ env: {}
+ image: ' '
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 6379
+ timeoutSeconds: 1
+ name: redis
+ ports:
+ - containerPort: 6379
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -i
+ - -c
+ - test "$(redis-cli -h 127.0.0.1 ping)" == "PONG"
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ resources:
+ requests:
+ memory: 100Mi
+ limits:
+ memory: 100Mi
+ terminationMessagePath: /dev/termination-log
+ volumeMounts:
+ - mountPath: /var/lib/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ volumes:
+ - emptyDir: {}
+ name: redis-data
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - redis
+ from:
+ kind: ImageStreamTag
+ name: redis:3.2
+ namespace: openshift
+ lastTriggeredImage: ""
+ type: ImageChange
+ - type: ConfigChange
+
+- apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ description: Exposes the apache server
+ name: ${NAME}-sso
+ spec:
+ ports:
+ - name: apache2
+ port: 80
+ targetPort: 8000
+ selector:
+ name: ${NAME}-sso
+
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ annotations:
+ description: How to deploy the apache + sso
+ template.alpha.openshift.io/wait-for-ready: "true"
+ name: ${NAME}-sso
+ spec:
+ replicas: 1
+ selector:
+ name: ${NAME}-sso
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: ${NAME}-sso
+ name: ${NAME}-sso
+ spec:
+ containers:
+ - name: apache2
+ env: {}
+ image: ' '
+ resources:
+ requests:
+ memory: 200Mi
+ limits:
+ memory: 200Mi
+ volumeMounts:
+ - mountPath: /etc/shibboleth/secret
+ name: ${NAME}-sso-shib-data
+ - mountPath: /etc/apache2/sites-enabled/pebbles-login.conf
+ name: ${NAME}-sso-apache-data
+ subPath: pebbles-login.conf
+ volumes:
+ - name: ${NAME}-sso-shib-data
+ secret:
+ secretName: ${NAME}-sso-shib
+ - name: ${NAME}-sso-apache-data
+ secret:
+ secretName: ${NAME}-sso-apache
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - apache2
+ from:
+ kind: ImageStreamTag
+ name: apache-shib:latest
+ namespace: apache-shibboleth
+ type: ImageChange
+ - type: ConfigChange
+
+
+parameters:
+- description: The name assigned to all of the frontend objects defined in this template.
+ displayName: Name
+ name: NAME
+ required: true
+ value: pebbles
+
+- description: The OpenShift Namespace where the build image ImageStream resides.
+ displayName: Build Image Namespace
+ name: BUILD_IMAGE_NAMESPACE
+ required: true
+ value: openshift
+
+- description: Memory for API container
+ displayName: Memory (API)
+ name: MEMORY_API
+ required: true
+ value: 200Mi
+
+- description: Memory for worker containers
+ displayName: Memory (workers)
+ name: MEMORY_WORKER
+ required: true
+ value: 200Mi
+
+- description: The URL of the repository with your application source code.
+ displayName: Git Repository URL
+ name: SOURCE_REPOSITORY_URL
+ required: true
+ value: https://github.com/CSCfi/pebbles
+
+- description: Set this to a branch name, tag or other ref of your repository if you
+ are not using the default branch.
+ displayName: Git Reference
+ name: SOURCE_REPOSITORY_REF
+
+- description: Set this to the relative path to your project if it is not in the root
+ of your repository.
+ displayName: Context Directory
+ name: CONTEXT_DIR
+
+- description: The exposed hostname that will route to the Flask service, if left
+ blank a value will be defaulted.
+ displayName: Application Hostname
+ name: APPLICATION_DOMAIN
+
+- description: The SSO domain name which has been configured in the service provider
+ displayName: SSO Hostname
+ name: SSO_DOMAIN
+
+- description: Github trigger secret. A difficult to guess string encoded as part
+ of the webhook URL. Not encrypted.
+ displayName: GitHub Webhook Secret
+ from: '[a-zA-Z0-9]{40}'
+ generate: expression
+ name: GITHUB_WEBHOOK_SECRET
+
+- displayName: Database Service Name
+ name: DATABASE_SERVICE_NAME
+ required: true
+ value: postgresql
+
+- displayName: Database Name
+ name: DATABASE_NAME
+ required: true
+ value: pebbles
+
+- displayName: Database Username
+ name: DATABASE_USER
+ required: true
+ value: pebbles
+
+- displayName: Database User Password
+ from: '[a-zA-Z0-9]{16}'
+ value: pebbles
+ name: DATABASE_PASSWORD
+
+- description: Memory for PostgreSQL container
+ displayName: Memory (PostgreSQL)
+ name: MEMORY_POSTGRESQL
+ required: true
+ value: 200Mi
+
+- description: Volume space available for data, e.g. 512Mi, 2Gi
+ displayName: Volume Capacity
+ name: VOLUME_CAPACITY
+ required: true
+ value: 2Gi
+
+- description: Relative path to Gunicorn configuration file (optional).
+ displayName: Application Configuration File Path
+ name: APP_CONFIG
+
+- description: The custom PyPi index URL
+ displayName: Custom PyPi Index URL
+ name: PIP_INDEX_URL
+
+- displayName: Plugins whitelist
+ name: PLUGIN_WHITELIST
+ value: OpenShiftDriver
+
+- description: Secret master key
+ displayName: Secret master key
+ name: PB_SECRET_KEY
+ value: change_me
+
+- displayName: M2M Credentials Store
+ name: M2M_STORE
+ value: /run/shm
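Review bot: The `DATABASE_PASSWORD` parameter near the end of the template carries a `from: '[a-zA-Z0-9]{16}'` pattern but no `generate: expression`, so the pattern is inert and the literal `value: pebbles` is what lands in the `${NAME}` Secret unless the param file passed to `oc process` overrides it; `PB_SECRET_KEY` likewise defaults to `change_me`. The API container does not even read that Secret for the database: `PB_SQLALCHEMY_DATABASE_URI` is the hard-coded `postgresql://pebbles:pebbles@postgresql/pebbles`, so a rotated password in the Secret would be honoured by the PostgreSQL pod but silently ignored by the API. Adding `generate: expression` (and dropping the static value) to both parameters and assembling the URI from secret-backed env vars with Kubernetes `$(VAR)` expansion, as below, keeps the credential in one place; note that a generated password only helps on first creation, because re-processing the template against an existing PostgreSQL volume would yield a Secret that no longer matches the data on disk. `PB_DEBUG`/`DEBUG` set to `"1"` in the same container are also worth parameterizing rather than shipping enabled.

```yaml
        env:
          # … unchanged: APP_MODULE …
          - name: DB_USER
            valueFrom:
              secretKeyRef:
                name: ${NAME}
                key: database-user
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: ${NAME}
                key: database-password
          - name: PB_SQLALCHEMY_DATABASE_URI
            value: postgresql://$(DB_USER):$(DB_PASSWORD)@${DATABASE_SERVICE_NAME}/${DATABASE_NAME}
          # … unchanged: remaining env entries …

# … unchanged: other parameters …
- displayName: Database User Password
  from: '[a-zA-Z0-9]{16}'
  generate: expression
  name: DATABASE_PASSWORD

- description: Secret master key
  displayName: Secret master key
  from: '[a-zA-Z0-9]{40}'
  generate: expression
  name: PB_SECRET_KEY
```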
diff --git a/openshift_playbooks/templates/pebbles-template.yml b/openshift_playbooks/templates/pebbles-template.yml
index 4799197..2ece651 100644
--- a/openshift_playbooks/templates/pebbles-template.yml
+++ b/openshift_playbooks/templates/pebbles-template.yml
@@ -216,7 +216,7 @@ objects:
name: ${NAME}
key: pb-secret-key
- name: PB_M2M_CREDENTIAL_STORE
- value: ${M2M_STORE}/${NAME}-m2m
+ value: ${M2M_STORE}/pebbles-m2m
image: ' '
resources:
requests:
diff --git a/openshift_playbooks/templates/shibboleth2.xml.j2 b/openshift_playbooks/templates/shibboleth2.xml.j2
new file mode 100644
index 0000000..cdb078c
--- /dev/null
+++ b/openshift_playbooks/templates/shibboleth2.xml.j2
@@ -0,0 +1,122 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SAML2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+