Commit 64117900 authored by Pablo Panero's avatar Pablo Panero

Oauth

parent 1f77f0cb
......@@ -16,3 +16,7 @@ secrets/
*.key
*.crt
# Local env source
env.sh
......@@ -30,14 +30,24 @@ RUN chmod g=u /etc/passwd && \
chmod +x /code/scripts/*.sh && \
sh /code/scripts/create-instance.sh && \
sh /code/scripts/gen-cert.sh && \
mv wsgi.crt wsgi.key ${INVENIO_INSTANCE_PATH} && \
mv nginx.crt nginx.key ${INVENIO_INSTANCE_PATH} && \
chgrp -R 0 ${INVENIO_INSTANCE_PATH} && \
chmod -R g=u ${INVENIO_INSTANCE_PATH} &&\
adduser --uid 1000 invenio --gid 0 && \
chown -R invenio:root /code
# uWSGI configuration
ARG UWSGI_WSGI_MODULE=cern_search_rest.wsgi:application
ENV UWSGI_WSGI_MODULE ${UWSGI_WSGI_MODULE:-cern_search_rest.wsgi:application}
ARG UWSGI_PORT=5000
ENV UWSGI_PORT ${UWSGI_PORT:-5000}
ARG UWSGI_PROCESSES=2
ENV UWSGI_PROCESSES ${UWSGI_PROCESSES:-2}
ARG UWSGI_THREADS=2
ENV UWSGI_THREADS ${UWSGI_THREADS:-2}
USER 1000
EXPOSE 5000
CMD ["/bin/sh", "-c", "/code/scripts/manage-user.sh && gunicorn -b :5000 --certfile=${INVENIO_INSTANCE_PATH}/ssl.crt --keyfile=${INVENIO_INSTANCE_PATH}/ssl.key cern_search_rest.wsgi"]
\ No newline at end of file
CMD ["/bin/sh", "-c", "/code/scripts/manage-user.sh && uwsgi --module ${UWSGI_WSGI_MODULE} --socket 0.0.0.0:${UWSGI_PORT} --master --processes ${UWSGI_PROCESSES} --threads ${UWSGI_THREADS} --stats /tmp/stats.socket"]
\ No newline at end of file
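Review bot: `EXPOSE 5000` just above the new CMD stays hard-coded while the listening port now comes from `UWSGI_PORT`, so overriding the build arg leaves the declared port wrong; `EXPOSE ${UWSGI_PORT}` keeps the two in step. The new uwsgi command runs with `--master` but without `--die-on-term`, and in that mode uwsgi treats SIGTERM as a graceful reload rather than a shutdown, so a pod termination waits out the grace period before being killed; adding `--die-on-term` to the argument list fixes that. The socket is now the plain uwsgi protocol on `0.0.0.0:${UWSGI_PORT}` with no TLS where the removed gunicorn line served TLS itself, which is fine only while nginx is the sole peer on the pod network. If the `mv nginx.crt nginx.key ${INVENIO_INSTANCE_PATH}` line is the new side, a self-signed private key is still baked into the image at build time even though the template mounts a serving-cert secret for nginx; confirm it is still needed.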
events {
worker_connections 1024;
}
http {
large_client_header_buffers 8 32k;
sendfile on;
# Configuration containing list of application servers
upstream uwsgicluster {
server cern-search-api:5000 max_conns=20;
}
# Configuration for Nginx
server {
# Running port
listen 8080 ssl;
ssl_certificate /etc/nginx/tls/tls.crt;
ssl_certificate_key /etc/nginx/tls/tls.key;
# Proxying connections to application servers
location / {
include uwsgi_params;
uwsgi_pass uwsgicluster;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
\ No newline at end of file
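Review bot: The `proxy_redirect` and four `proxy_set_header` directives inside `location /` have no effect, because the location hands requests to `uwsgi_pass`, which is fed by `uwsgi_param`, not by the `proxy_*` module; `include uwsgi_params` already supplies REMOTE_ADDR and HTTP_HOST (and on current nginx REQUEST_SCHEME/HTTPS), so the five `proxy_*` lines can be dropped and anything extra expressed as `uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;`. The same block is repeated in the `nginx-config` ConfigMap of the OpenShift template later in this commit and should change there too. The `listen 8080 ssl` server sets no `ssl_protocols`, so it inherits the build's default, which on older nginx builds still includes TLSv1 and TLSv1.1; `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.2 alone if the build lacks 1.3) pins it. Also this file routes through `upstream uwsgicluster` with `max_conns=20` while the ConfigMap copy passes straight to `cern-search-api:5000`; two diverging copies of the proxy config are a maintenance trap.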
flask
gunicorn
invenio-access>=1.0.0,<1.1.0
invenio-admin>=1.0.0,<1.1.0
invenio-accounts>=1.0.0,<1.1.0
......@@ -16,5 +15,6 @@ invenio-oauthclient>=1.0.0,<1.1.0
invenio_oauth2server>=1.0.0,<1.1.0
invenio-search[elasticsearch5]>=1.0.0,<1.1.0
invenio-theme>=1.0.0,<1.1.0
npm>=0.1.1
redis>=2.10.0
npm>=0.1.1
\ No newline at end of file
uWSGI>=2.0.16
\ No newline at end of file
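Review bot: The new `uWSGI>=2.0.16` has no upper bound, unlike the `<1.1.0` caps on every invenio line around it, so a future major uWSGI release would be pulled in silently at image build time; `uWSGI>=2.0.16,<3` (or a pinned lock file) keeps the pinning policy consistent. The same unbounded spec is added to `install_requires` in setup.py in this commit, and `redis>=2.10.0` has the same gap.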
......@@ -8,6 +8,7 @@ npm update && npm install --silent -g node-sass@3.8.0 clean-css@3.4.19 uglify-js
pip install -r requirements.txt
pip install -e .[all,postgresql,elasticsearch5]
# Needed for invenio-admin UI
invenio npm
export BACKPATH=$(pwd)
cd ${INVENIO_INSTANCE_PATH}/static
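Review bot: `invenio npm`, which appears to be the added line, and the `cd ${INVENIO_INSTANCE_PATH}/static` below it run without a failure check; unless the script's prologue, which is outside the hunk, sets `set -e`, a failed `invenio npm` still lets the following `cd` and asset build proceed in a half-initialised instance. `set -euo pipefail` at the top, and `cd "${INVENIO_INSTANCE_PATH}/static" || exit 1` here, make that explicit; the quoting also protects against an unset or space-containing instance path.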
......
#!/usr/bin/env bash
openssl genrsa -des3 -passout pass:x -out wsgi.pass.key 2048
openssl rsa -passin pass:x -in wsgi.pass.key -out wsgi.key
rm wsgi.pass.key
openssl req -new -key wsgi.key -out wsgi.csr \
openssl genrsa -des3 -passout pass:x -out nginx.pass.key 2048
openssl rsa -passin pass:x -in nginx.pass.key -out nginx.key
rm nginx.pass.key
openssl req -new -key nginx.key -out nginx.csr \
-subj "/C=CH/ST=Geneve/L=Geneve/O=CERN/OU=IT Department/CN=Search as a Service"
openssl x509 -req -days 365 -in wsgi.csr -signkey wsgi.key -out wsgi.crt
openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
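Review bot: The key is generated with `-des3 -passout pass:x` and immediately decrypted with `openssl rsa` only to delete the encrypted copy, so the two extra steps gain nothing; `openssl genrsa -out nginx.key 2048` produces the same unencrypted key in one command. Nothing restricts permissions on `nginx.key`, which is written with the default umask and, per the Dockerfile in this commit, then moved into the image; a `umask 077` before the first openssl call and `set -euo pipefail` after the visible shebang keep the private key from being world-readable and stop the script from continuing after a failed step. Whether a self-signed key baked into the image is needed at all once the OpenShift `nginx-tls` serving-cert secret is mounted is worth confirming.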
......@@ -41,7 +41,6 @@ setup_requires = []
install_requires = [
'flask',
'gunicorn',
'invenio-access>=1.0.0,<1.1.0',
'invenio-admin>=1.0.0,<1.1.0',
'invenio-accounts>=1.0.0,<1.1.0',
......@@ -60,6 +59,7 @@ install_requires = [
'invenio-theme>=1.0.0,<1.1.0',
'redis>=2.10.0',
'npm>=0.1.1',
'uWSGI>=2.0.16',
]
packages = find_packages()
......
apiVersion: v1
kind: Template
metadata:
name: cern-search-rest
name: cern-search-rest-api
annotations:
descriptino: "CERN Search RESTful API and necessary services OpenShift Template"
labels:
template: "cern-search-rest"
template: "cern-search-rest-api"
objects:
......@@ -46,7 +46,7 @@ objects:
- command:
- /bin/sh
- '-c'
- /code/scripts/manage-user.sh && gunicorn -b :5000 --certfile=${INVENIO_INSTANCE_PATH}/ssl.crt --keyfile=${INVENIO_INSTANCE_PATH}/ssl.key cern_search_rest.wsgi
- /code/scripts/manage-user.sh && uwsgi --module ${UWSGI_WSGI_MODULE} --socket 0.0.0.0:${UWSGI_PORT} --master --processes ${UWSGI_PROCESSES} --threads ${UWSGI_THREADS} --stats /tmp/stats.socket
envFrom:
- configMapRef:
name: env-configmap
......@@ -90,25 +90,19 @@ objects:
- imageChangeParams:
automatic: true
containerNames:
- init-cern-search
- cern-search-api
from:
kind: ImageStreamTag
name: cern-search-api:latest
namespace: test-cern-search
type: ImageChange
status:
availableReplicas: 0
latestVersion: 0
observedGeneration: 0
replicas: 0
unavailableReplicas: 0
updatedReplicas: 0
### Redis Server
- kind: DeploymentConfig
apiVersion: v1
metadata:
labels:
app: redis
name: redis
spec:
replicas: 1
......@@ -129,7 +123,60 @@ objects:
volumes:
- name: data
emptyDir: {}
triggers:
- type: ConfigChange
### Nginx proxy pass
- kind: DeploymentConfig
apiVersion: v1
metadata:
labels:
app: proxy
name: proxy
spec:
replicas: 1
template:
metadata:
name: proxy
labels:
app: proxy
spec:
containers:
- name: proxy
image: 'nginx:stable-alpine'
ports:
- containerPort: 8080
protocol: TCP
volumeMounts:
- mountPath: /etc/nginx/tls
name: nginx-tls
readOnly: true
- mountPath: /etc/nginx/conf.d
name: nginx-config
- mountPath: /var/cache/nginx
name: nginx-cache
- mountPath: /var/run
name: nginx-run
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: nginx-tls
secret:
defaultMode: 420
secretName: nginx-tls
- configMap:
defaultMode: 420
name: nginx-config
name: nginx-config
- emptyDir: {}
name: nginx-cache
- emptyDir: {}
name: nginx-run
triggers:
- type: ConfigChange
##############################
########## SERVICES ##########
......@@ -151,7 +198,7 @@ objects:
app: cern-search-api
deploymentconfig: cern-search-api
sessionAffinity: None
type: LoadBalancer
type: ClusterIP
# Service for the Redis server
- kind: Service
apiVersion: v1
......@@ -170,6 +217,23 @@ objects:
deploymentconfig: redis
sessionAffinity: None
type: ClusterIP
# Service for the Nginx proxy
- kind: Service
apiVersion: v1
metadata:
name: proxy-https
labels:
app: proxy
annotations:
service.alpha.openshift.io/serving-cert-secret-name: nginx-tls
spec:
ports:
- name: 'https'
port: 8080
targetPort: 8080
selector:
app: proxy
type: LoadBalancer
##############################
########### ROUTES ###########
......@@ -178,15 +242,34 @@ objects:
apiVersion: v1
metadata:
labels:
app: cern-search-api
name: cern-search-api
app: proxy
template: cern-search-rest-api
name: nginx-proxy
spec:
port:
targetPort: 5000-tcp
targetPort: https
tls:
destinationCACertificate: |
-----BEGIN COMMENT-----
This is an empty PEM file created to provide backwards compatibility
for reencrypt routes that have no destinationCACertificate. This
content will only appear for routes accessed via /oapi/v1/routes.
-----END COMMENT-----
insecureEdgeTerminationPolicy: Redirect
termination: reencrypt
to:
kind: Service
name: cern-search-api
name: proxy-https
weight: 100
wildcardPolicy: None
status:
ingress:
- conditions:
- status: 'True'
type: Admitted
routerName: router
wildcardPolicy: None
# TODO: Delete when automated in OpenShift/GitLab CI
##############################
......@@ -208,6 +291,40 @@ objects:
- kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: proxy
name: nginx-config
data:
nginx.conf: |
# Configuration for Nginx
server {
# Running port
listen 8080 ssl;
ssl_certificate /etc/nginx/tls/tls.crt;
ssl_certificate_key /etc/nginx/tls/tls.key;
# Proxying connections to application servers
location / {
include uwsgi_params;
uwsgi_pass cern-search-api:5000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
- kind: ConfigMap
apiVersion: v1
metadata:
labels:
app: cern-search-api
name: env-configmap
data:
# Invenio
......@@ -220,5 +337,5 @@ parameters:
description: "Invenio instance path for CERN Search application."
required: true
- name: APP_ALLOWED_HOSTS
description: "Invenio App allowed hosts"
description: "Invenio App allowed hosts. Without protocol (e.g. http) nor salsh ('/') at the end"
required: true
\ No newline at end of file
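Review bot: The new `proxy-https` Service is `type: LoadBalancer` while the `cern-search-api` Service in the same commit is changed to `ClusterIP` and a reencrypt Route is added in front of the proxy; on clusters that provision external load balancers this exposes nginx directly, bypassing the Route and its `insecureEdgeTerminationPolicy: Redirect`, so `type: ClusterIP` looks like the intended value. The Route carries a `status:` block (`ingress`, `routerName: router`) and a `destinationCACertificate` whose content is the `BEGIN COMMENT` placeholder that an `oc get -o yaml` export emits; both are cluster-populated artifacts, and since the serving-cert annotation on the Service lets the router fall back to the service CA, the `tls.destinationCACertificate` key can be dropped along with `status`. The proxy DeploymentConfig uses the floating `nginx:stable-alpine` tag with no resource limits or readiness probe; pinning the image by digest and adding a `readinessProbe` on port 8080 would be expected for the public entry point. The `nginx.conf` in the `nginx-config` ConfigMap repeats the standalone nginx.conf, including the `proxy_set_header` lines that `uwsgi_pass` ignores. The new `APP_ALLOWED_HOSTS` description also misspells `slash` as `salsh`.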