14 changes: 2 additions & 12 deletions Dockerfile
@@ -1,21 +1,15 @@
FROM docker.ocf.berkeley.edu/theocf/debian:buster
FROM debian:buster
Member
Any reason for not using OCF Debian? AIUI the main benefit is that it's configured to use our mirrors. If you want to keep things lightweight, you could look into using Alpine instead.

Contributor Author
It also includes a bunch of OCF-specific stuff, specifically a bunch of ldap configuration and kerberos configuration. If a service doesn't depend on it, I would prefer to not use the OCF docker image for determinism's sake. I'm indifferent to the actual OS used, but seeing as it's already configured on debian, I don't see a reason to move to alpine or something.

Regarding mirrors usage, this thing will be rebuilt once every blue moon, so I don't think there's a pressing need to use OCF mirrors. If you think that's a good idea however, I can spend ~10 minutes putting something in sources.list.

Member

We get some things like the correct timezone used, backports enabled, etc. that I think would be useful to have too. It also makes getting security updates and getting changes into all services much easier for us.

Does having the ldap config and all that extra matter much?

ARG PUPPETBOARD_VERSION


RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
git \
libpam-krb5 \
nginx \
python3 \
runit \
virtualenv \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

COPY services/nginx/nginx.conf /etc/nginx
COPY puppetboard_pam /etc/pam.d/puppetboard

RUN mkdir -p /opt/puppetboard
RUN chown nobody:nogroup /opt/puppetboard
WORKDIR /opt/puppetboard
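Review bot: `FROM debian:buster` replaces the OCF base image with an unpinned floating tag, so every rebuild silently picks up whatever upstream publishes, and the comment thread above notes that the OCF image is where timezone, backports and security-update handling come from; if the switch stays, pin the base by digest (`FROM debian:buster@sha256:<digest>`) and state in the PR how security updates will reach this image. Minor: `RUN mkdir -p /opt/puppetboard` and `RUN chown nobody:nogroup /opt/puppetboard` can be a single layer.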
@@ -24,10 +18,6 @@ USER nobody
RUN git clone https://github.com/voxpupuli/puppetboard.git . \
&& git checkout $PUPPETBOARD_VERSION

# Only allow users in the ocfstaff group to access puppetboard
RUN echo "ocfstaff" > /opt/puppetboard/allowed-groups

COPY --chown=nobody:nogroup services /opt/puppetboard/services
COPY --chown=nobody:nogroup settings.py /opt/puppetboard

RUN virtualenv -ppython3 /opt/puppetboard/venv \
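Review bot: deleting the `allowed-groups` file drops the in-app restriction to `ocfstaff`, so authorization now rests entirely on the gatekeeper sidecar's role check; that is a reduction in defense in depth worth stating explicitly in the PR description, together with the requirement that the puppetboard process is never reachable except through the sidecar. Also, `git checkout $PUPPETBOARD_VERSION` accepts a branch name as well as a tag or commit, so the build is only reproducible when the value passed is a tag or full commit hash; consider documenting that next to `ARG PUPPETBOARD_VERSION`.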
@@ -36,4 +26,4 @@ RUN virtualenv -ppython3 /opt/puppetboard/venv \

ENV PUPPETBOARD_SETTINGS /opt/puppetboard/settings.py

CMD ["runsvdir", "/opt/puppetboard/services"]
CMD ["/opt/puppetboard/venv/bin/gunicorn", "-b", "127.0.0.1:8000", "puppetboard.app:app"]
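Review bot: binding gunicorn to `127.0.0.1:8000` is the right choice for a sidecar-only backend, since it keeps the app unreachable from outside the pod's network namespace, but it is also the only thing enforcing that boundary now that nginx and PAM are gone; add a comment saying so, so that nobody later switches it to `0.0.0.0` to "fix" connectivity. With no `--workers` or `--timeout` given, gunicorn runs its single default sync worker, which is acceptable for a staff-only dashboard but worth a comment as well.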
4 changes: 1 addition & 3 deletions Jenkinsfile
@@ -1,5 +1,3 @@
servicePipeline(
upstreamProjects: ['dockers/master'],
Member

This is here so we get security updates, so I think it'd be better if it was left in place

)
servicePipeline()

// vim: ft=groovy
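Review bot: dropping `upstreamProjects: ['dockers/master']` means this image is no longer rebuilt when the base image pipeline runs, as the reviewer comment above says; combined with the unpinned `debian:buster` tag in the Dockerfile, that leaves security updates entirely to manual rebuilds, so the trigger should stay (or be replaced by a scheduled rebuild).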
53 changes: 44 additions & 9 deletions kubernetes/puppetboard.yml.erb
@@ -26,17 +26,32 @@ spec:
app: puppetboard
spec:
containers:
- name: puppetboard
image: "docker.ocf.berkeley.edu/puppetboard:<%= version %>"
resources:
limits:
memory: 2048Mi
cpu: 750m
- name: auth
image: "keycloak/keycloak-gatekeeper:6.0.1"
args:
- --client-id=puppetboard
- --client-secret=$(KEYCLOAK_SECRET)
- --encryption-key=$(ENCRYPTION_KEY)
- --redirection-url=https://puppet.ocf.berkeley.edu/
- --discovery-url=https://auth.ocf.berkeley.edu/auth/realms/ocf
- --enable-default-deny=true
- --enable-session-cookies
- --listen=:8080
- --upstream-url=http://127.0.0.1:8000
- --resources=uri=/*|roles=ocfstaff
env:
- name: KEYCLOAK_SECRET
valueFrom:
secretKeyRef:
name: keycloak-client
key: secret
- name: ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: keycloak-client
key: encryption_key
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /opt/puppetboard/keys
name: secrets
livenessProbe:
tcpSocket:
port: 8080
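Review bot: `--client-secret=$(KEYCLOAK_SECRET)` and `--encryption-key=$(ENCRYPTION_KEY)` pass the secrets as command-line arguments, so after kubelet expands them they are readable in the container's process list (`/proc/<pid>/cmdline`) by anything running in that container, even though they are sourced from a Secret; if gatekeeper can read these from environment variables or a config file, prefer that. The `auth` container also has no `resources.limits` while `puppetboard` does, and `--enable-default-deny=true` plus `--resources=uri=/*|roles=ocfstaff` deserve a comment noting that they replace the old `allowed-groups` check.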
@@ -47,6 +62,17 @@ spec:
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
- name: puppetboard
image: "docker.ocf.berkeley.edu/puppetboard:<%= version %>"
resources:
limits:
memory: 2048Mi
cpu: 750m
ports:
- containerPort: 8000
volumeMounts:
- mountPath: /opt/puppetboard/keys
name: secrets
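Review bot: the pod's only liveness and readiness probes target port 8080 on the `auth` sidecar, so a crashed or hung gunicorn in the `puppetboard` container goes undetected and the pod stays Ready; add an `exec` probe on this container (a `tcpSocket` probe from the kubelet cannot reach a loopback-only bind). `containerPort: 8000` is informational only, but a comment that 8000 must never be exposed via a Service would prevent someone bypassing the sidecar later.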
volumes:
- name: secrets
hostPath:
@@ -69,3 +95,12 @@ spec:
- backend:
serviceName: service
servicePort: 80
---
apiVersion: v1
kind: Secret
metadata:
name: keycloak-client
type: Opaque
stringData:
secret: <%= keycloak_secret %>
encryption_key: <%= keycloak_encryption_key %>
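Review bot: `stringData` in the templated Secret means the rendered manifest carries the client secret and encryption key in plaintext, so make sure the deploy tooling hands the rendered YAML straight to the API server without writing it to a checked-in file or build log. The Ingress above still points at `serviceName: service` / `servicePort: 80`; verify that the Service's target port is the gatekeeper's 8080 and not 8000, since that routing is what makes the auth sidecar mandatory.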
14 changes: 0 additions & 14 deletions puppetboard_pam

This file was deleted.

3 changes: 0 additions & 3 deletions services/app/log/run

This file was deleted.

7 changes: 0 additions & 7 deletions services/app/run

This file was deleted.

3 changes: 0 additions & 3 deletions services/nginx/log/run

This file was deleted.

45 changes: 0 additions & 45 deletions services/nginx/nginx.conf

This file was deleted.

5 changes: 0 additions & 5 deletions services/nginx/run

This file was deleted.