Skip to content
Snippets Groups Projects
Select Git revision
  • 24.0.88-patches protected
  • 23.0 protected
  • 24.0 protected
  • main default protected
  • ravinab-main-patch-1974
  • cherry-pick-cc95510f
  • ravinab-main-patch-33a5
  • cherry-pick-69e7eea2
  • 21.2 protected
  • cherry-pick-c985ec22
  • cherry-pick-3d96ba0c-2
  • cherry-pick-3d96ba0c
  • rwang-main-patch-99192
  • moreCIUpdate
  • mb_EMECSD_firstMR
  • testpcal
  • sawyer-24.0-patch-50428
  • ravinab-main-patch-7633
  • dguest-main-patch-03027
  • jajimene-24.0-patch-79944
  • nightly/23.0/2025-07-08T2211
  • nightly/24.0/2025-07-08T2100
  • nightly/main/2025-07-08T2100
  • nightly/main/2025-07-07T2100
  • nightly/24.0/2025-07-07T2100
  • nightly/24.0/2025-07-05T2100
  • nightly/24.0/2025-07-06T2100
  • nightly/main/2025-07-04T2100
  • nightly/main/2025-07-05T2100
  • nightly/main/2025-07-06T2100
  • nightly/24.0/2025-07-04T2100
  • release/24.0.102 protected
  • nightly/21.2/2025-07-05T0010
  • nightly/21.2/2025-07-05T0328
  • nightly/21.2/2025-07-05T0434
  • nightly/24.0/2025-07-03T2100
  • nightly/main/2025-07-03T2100
  • release/25.0.36 protected
  • 23.6.51
  • nightly/24.0/2025-07-02T2100
40 results
Compare
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
Name Last commit Last update
..
templates
.gitlab-ci.yml
Dockerfile
README.md
httpd.conf
httpd.sh
shib.sh
shib_httpd.conf
shibboleth2.xml
README.md

Overview

This project builds and hosts a Docker Image that provides an Apache reverse proxy that does Single Sign-On authentication. The image built is accessible from the rest of the OpenShift projects so any can use the proxy.

Deployment of the ImageStream

This image is intended to be deployed as an externally managed resource. Check the internal documentation in OneNote for instructions on how to do it.

Deploy templates:

The templates will be automatically deployed with gitlab-CI when they are changed. To deploy on prod, change the template on branch master

Usage:

Using the template will result on the creation of a Pod spawning two containers, running httpd and shibd respectively, that will proxy connection through a route to other sevice running the project. By default, the proxy will require authentication for every path on the route.

There are two ConfigMaps where you can define custom files that will be injected into the containers.

  • cern-sso-proxy : This ConfigMap contains files that will be copied to /etc/httpd/conf/configurable/ and included in the httpd configuration on runtime. By default, two files are present, proxy.conf and authorize.conf that define a single proxy of every route in the path

  • cern-sso-shib: This ConfigMap contains files that will be copied to /etc/shibboleth/. It includes the configuration for shibd daemon and algo the shib_httpd.conf apache configuration that also lives in this folder. It is very unlikely that you will need to change something here.

IMPORTANT:

This template will define a single entrypoint for you application, which may conflict with existing routes on the project. Therefore, it is recommended to remove all the routes that may already exist in the project before using the template. To do so, you can run:

oc delete routes --all -n <name-of-your-project>

Custom DNS names

By default the proxy configuration assumes the webservices-assigned DNS name (<sitename>.web.cern.ch). In specific cases where a different DNS name is used, it needs to be passed to the proxy. An environment variable can be set to achieve this:

oc env dc/cern-sso-proxy --containers='*' HOSTNAME_FQDN=foo.cern.ch --overwrite

The route then needs to be reconfigured with appropriate hostname and certificate.

Continuous integration tests

As part of the Continuous Integration jobs, both the newly built image and the template are tested in two OpenShift projects, created specifically for this task in the dev cluster.

  • test-cern-sso-proxy: Create a new SSO proxy using the new built image and template and wait until it redirects to login.cern.ch
  • test-cern-sso-proxy-2: Create a new SSO proxy using the new template as-is (will use the stable images) and wait until it redirects to login.cern.ch

These 2 projects are created as normal webservices applications, then we need to grant admin access to the serviceaccount associated with the cern-sso-proxy resource/template:

oc adm policy add-role-to-user admin system:serviceaccount:openshift:cern-sso-proxy -n test-cern-sso-proxy
oc adm policy add-role-to-user admin system:serviceaccount:openshift:cern-sso-proxy -n test-cern-sso-proxy-2