Oauth

.gitignore

@@ -16,3 +16,7 @@ secrets/
 
 *.key
 *.crt
+
+# Local env source
+
+env.sh

Dockerfile

@@ -30,14 +30,24 @@ RUN chmod g=u /etc/passwd && \
     chmod +x /code/scripts/*.sh && \
     sh /code/scripts/create-instance.sh && \
     sh /code/scripts/gen-cert.sh && \
-    mv wsgi.crt wsgi.key ${INVENIO_INSTANCE_PATH} && \
+    mv nginx.crt nginx.key ${INVENIO_INSTANCE_PATH} && \
     chgrp -R 0 ${INVENIO_INSTANCE_PATH} && \
     chmod -R g=u ${INVENIO_INSTANCE_PATH} &&\
     adduser --uid 1000 invenio --gid 0 && \
     chown -R invenio:root /code
 
+# uWSGI configuration
+ARG UWSGI_WSGI_MODULE=cern_search_rest.wsgi:application
+ENV UWSGI_WSGI_MODULE ${UWSGI_WSGI_MODULE:-cern_search_rest.wsgi:application}
+ARG UWSGI_PORT=5000
+ENV UWSGI_PORT ${UWSGI_PORT:-5000}
+ARG UWSGI_PROCESSES=2
+ENV UWSGI_PROCESSES ${UWSGI_PROCESSES:-2}
+ARG UWSGI_THREADS=2
+ENV UWSGI_THREADS ${UWSGI_THREADS:-2}
+
 USER 1000
 
 EXPOSE 5000
 
-CMD ["/bin/sh", "-c", "/code/scripts/manage-user.sh && gunicorn -b :5000 --certfile=${INVENIO_INSTANCE_PATH}/ssl.crt --keyfile=${INVENIO_INSTANCE_PATH}/ssl.key cern_search_rest.wsgi"]
\ No newline at end of file
+CMD ["/bin/sh", "-c", "/code/scripts/manage-user.sh && uwsgi --module ${UWSGI_WSGI_MODULE} --socket 0.0.0.0:${UWSGI_PORT} --master --processes ${UWSGI_PROCESSES} --threads ${UWSGI_THREADS} --stats /tmp/stats.socket"]
\ No newline at end of file

nginx/nginx.conf

+
+events {
+  worker_connections 1024;
+}
+
+http {
+
+  large_client_header_buffers 8 32k;
+  sendfile on;
+
+  # Configuration containing list of application servers
+  upstream uwsgicluster {
+    server cern-search-api:5000 max_conns=20;
+  }
+
+  # Configuration for Nginx
+
+  server {
+    # Running port
+    listen 8080 ssl;
+    ssl_certificate /etc/nginx/tls/tls.crt;
+    ssl_certificate_key /etc/nginx/tls/tls.key;
+
+    # Proxying connections to application servers
+    location / {
+      include            uwsgi_params;
+      uwsgi_pass         uwsgicluster;
+
+      proxy_redirect     off;
+      proxy_set_header   Host $host;
+      proxy_set_header   X-Real-IP $remote_addr;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header   X-Forwarded-Host $server_name;
+
+    }
+  }
+}
\ No newline at end of file

requirements.txt

 flask
-gunicorn
 invenio-access>=1.0.0,<1.1.0
 invenio-admin>=1.0.0,<1.1.0
 invenio-accounts>=1.0.0,<1.1.0
@@ -16,5 +15,6 @@ invenio-oauthclient>=1.0.0,<1.1.0
 invenio_oauth2server>=1.0.0,<1.1.0
 invenio-search[elasticsearch5]>=1.0.0,<1.1.0
 invenio-theme>=1.0.0,<1.1.0
+npm>=0.1.1
 redis>=2.10.0
-npm>=0.1.1
\ No newline at end of file
+uWSGI>=2.0.16
\ No newline at end of file

scripts/create-instance.sh

@@ -8,6 +8,7 @@ npm update && npm install --silent -g node-sass@3.8.0 clean-css@3.4.19 uglify-js
 pip install -r requirements.txt
 pip install -e .[all,postgresql,elasticsearch5]
 
+# Needed for invenio-admin UI
 invenio npm
 export BACKPATH=$(pwd)
 cd ${INVENIO_INSTANCE_PATH}/static

scripts/gen-cert.sh

 #!/usr/bin/env bash
 
-openssl genrsa -des3 -passout pass:x -out wsgi.pass.key 2048
-openssl rsa -passin pass:x -in wsgi.pass.key -out wsgi.key
-rm wsgi.pass.key
-openssl req -new -key wsgi.key -out wsgi.csr \
+openssl genrsa -des3 -passout pass:x -out nginx.pass.key 2048
+openssl rsa -passin pass:x -in nginx.pass.key -out nginx.key
+rm nginx.pass.key
+openssl req -new -key nginx.key -out nginx.csr \
   -subj "/C=CH/ST=Geneve/L=Geneve/O=CERN/OU=IT Department/CN=Search as a Service"
-openssl x509 -req -days 365 -in wsgi.csr -signkey wsgi.key -out wsgi.crt
+openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt

setup.py

@@ -41,7 +41,6 @@ setup_requires = []
 
 install_requires = [
     'flask',
-    'gunicorn',
     'invenio-access>=1.0.0,<1.1.0',
     'invenio-admin>=1.0.0,<1.1.0',
     'invenio-accounts>=1.0.0,<1.1.0',
@@ -60,6 +59,7 @@ install_requires = [
     'invenio-theme>=1.0.0,<1.1.0',
     'redis>=2.10.0',
     'npm>=0.1.1',
+    'uWSGI>=2.0.16',
 ]
 
 packages = find_packages()

template/cern-search-api.yml

 apiVersion: v1
 kind: Template
 metadata:
-  name: cern-search-rest
+  name: cern-search-rest-api
   annotations:
     descriptino: "CERN Search RESTful API and necessary services OpenShift Template"
 labels:
-  template: "cern-search-rest"
+  template: "cern-search-rest-api"
 
 objects:
 
@@ -46,7 +46,7 @@ objects:
         - command:
             - /bin/sh
             - '-c'
-            - /code/scripts/manage-user.sh && gunicorn -b :5000 --certfile=${INVENIO_INSTANCE_PATH}/ssl.crt --keyfile=${INVENIO_INSTANCE_PATH}/ssl.key cern_search_rest.wsgi
+            - /code/scripts/manage-user.sh && uwsgi --module ${UWSGI_WSGI_MODULE} --socket 0.0.0.0:${UWSGI_PORT} --master --processes ${UWSGI_PROCESSES} --threads ${UWSGI_THREADS} --stats /tmp/stats.socket
           envFrom:
             - configMapRef:
                 name: env-configmap
@@ -90,25 +90,19 @@ objects:
     - imageChangeParams:
         automatic: true
         containerNames:
-        - init-cern-search
         - cern-search-api
         from:
           kind: ImageStreamTag
           name: cern-search-api:latest
           namespace: test-cern-search
       type: ImageChange
-  status:
-    availableReplicas: 0
-    latestVersion: 0
-    observedGeneration: 0
-    replicas: 0
-    unavailableReplicas: 0
-    updatedReplicas: 0
 
 ### Redis Server
 - kind: DeploymentConfig
   apiVersion: v1
   metadata:
+    labels:
+      app: redis
     name: redis
   spec:
     replicas: 1
@@ -129,7 +123,60 @@ objects:
         volumes:
           - name: data
             emptyDir: {}
+    triggers:
+    - type: ConfigChange
 
+### Nginx proxy pass
+- kind: DeploymentConfig
+  apiVersion: v1
+  metadata:
+    labels:
+      app: proxy
+    name: proxy
+  spec:
+    replicas: 1
+    template:
+      metadata:
+        name: proxy
+        labels:
+          app: proxy
+      spec:
+        containers:
+        - name: proxy
+          image: 'nginx:stable-alpine'
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+          volumeMounts:
+            - mountPath: /etc/nginx/tls
+              name: nginx-tls
+              readOnly: true
+            - mountPath: /etc/nginx/conf.d
+              name: nginx-config
+            - mountPath: /var/cache/nginx
+              name: nginx-cache
+            - mountPath: /var/run
+              name: nginx-run
+        dnsPolicy: ClusterFirst
+        restartPolicy: Always
+        schedulerName: default-scheduler
+        securityContext: {}
+        terminationGracePeriodSeconds: 30
+        volumes:
+          - name: nginx-tls
+            secret:
+              defaultMode: 420
+              secretName: nginx-tls
+          - configMap:
+              defaultMode: 420
+              name: nginx-config
+            name: nginx-config
+          - emptyDir: {}
+            name: nginx-cache
+          - emptyDir: {}
+            name: nginx-run
+    triggers:
+      - type: ConfigChange
 
 ##############################
 ########## SERVICES ##########
@@ -151,7 +198,7 @@ objects:
       app: cern-search-api
       deploymentconfig: cern-search-api
     sessionAffinity: None
-    type: LoadBalancer
+    type: ClusterIP
 # Service for the Redis server
 - kind: Service
   apiVersion: v1
@@ -170,6 +217,23 @@ objects:
       deploymentconfig: redis
     sessionAffinity: None
     type: ClusterIP
+# Service for the Nginx proxy
+- kind: Service
+  apiVersion: v1
+  metadata:
+    name: proxy-https
+    labels:
+      app: proxy
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: nginx-tls
+  spec:
+    ports:
+    - name: 'https'
+      port: 8080
+      targetPort: 8080
+    selector:
+      app: proxy
+    type: LoadBalancer
 
 ##############################
 ########### ROUTES ###########
@@ -178,15 +242,34 @@ objects:
   apiVersion: v1
   metadata:
     labels:
-      app: cern-search-api
-    name: cern-search-api
+      app: proxy
+      template: cern-search-rest-api
+    name: nginx-proxy
   spec:
     port:
-      targetPort: 5000-tcp
+      targetPort: https
+    tls:
+      destinationCACertificate: |
+        -----BEGIN COMMENT-----
+        This is an empty PEM file created to provide backwards compatibility
+        for reencrypt routes that have no destinationCACertificate. This
+        content will only appear for routes accessed via /oapi/v1/routes.
+        -----END COMMENT-----
+      insecureEdgeTerminationPolicy: Redirect
+      termination: reencrypt
     to:
       kind: Service
-      name: cern-search-api
+      name: proxy-https
       weight: 100
+    wildcardPolicy: None
+  status:
+    ingress:
+      - conditions:
+          - status: 'True'
+            type: Admitted
+        routerName: router
+        wildcardPolicy: None
+
 
 # TODO: Delete when automated in OpenShift/GitLab CI
 ##############################
@@ -208,6 +291,40 @@ objects:
 - kind: ConfigMap
   apiVersion: v1
   metadata:
+    labels:
+      app: proxy
+    name: nginx-config
+  data:
+    nginx.conf: |
+
+      # Configuration for Nginx
+
+      server {
+          # Running port
+          listen 8080 ssl;
+          ssl_certificate /etc/nginx/tls/tls.crt;
+          ssl_certificate_key /etc/nginx/tls/tls.key;
+
+          # Proxying connections to application servers
+          location / {
+              include            uwsgi_params;
+              uwsgi_pass         cern-search-api:5000;
+
+              proxy_redirect     off;
+              proxy_set_header   Host $host;
+              proxy_set_header   X-Real-IP $remote_addr;
+              proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header   X-Forwarded-Host $server_name;
+
+          }
+      }
+
+
+- kind: ConfigMap
+  apiVersion: v1
+  metadata:
+    labels:
+      app: cern-search-api
     name: env-configmap
   data:
     # Invenio
@@ -220,5 +337,5 @@ parameters:
     description: "Invenio instance path for CERN Search application."
     required: true
   - name: APP_ALLOWED_HOSTS
-    description: "Invenio App allowed hosts"
+    description: "Invenio App allowed hosts. Without protocol (e.g. http) nor salsh ('/') at the end"
     required: true
\ No newline at end of file