Testing on cf #17

Merged
merged 2 commits into from
Feb 9, 2021
Merged
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -6,3 +6,5 @@ venv
flask_session

.env

cf/secrets.yml
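--- a/Procfile
+++ b/Procfile
@@ -0,0 +1 @@
+web: gunicorn --access-logfile - --error-logfile - --log-level info --timeout 300 "kibana_cf_auth_proxy.app:create_app()"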
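Review bot: The `web` command sets `--timeout 300` but leaves the worker count and class at gunicorn's defaults, so, assuming `WEB_CONCURRENCY` is not set elsewhere, a single sync worker serves the public route and one stalled request to Kibana can hold it for up to five minutes. Setting `--workers` explicitly, and lowering the timeout unless a known slow Kibana call needs it, would make the proxy harder to stall. Because `--access-logfile -` writes full request lines to stdout, also confirm that nothing sensitive beyond the short-lived OAuth callback parameters ends up in query strings.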
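--- a/cf/manifest.yml
+++ b/cf/manifest.yml
@@ -0,0 +1,53 @@
+---
+###########################################################
+# NOTE: this cluster is totally insecure and non-durable. #
+# It should only be used for testing the proxy and should #
+# NEVER have any sensitive or important data. #
+###########################################################
+
+version: 1
+applications:
+- name: elasticsearch
+memory: 3G
+instances: 1
+disk_quota: 2G
+routes:
+- route: odfe-test.apps.internal
+docker:
+image: cloudgovoperations/test-elasticsearch-odfe:latest
+env:
+"discovery.type": single-node
+"node.name": odfe-node1
+"ES_JAVA_OPTS": "-Xms2048m -Xmx2048m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
+"opendistro_security.audit.type": debug
+- name: kibana
+memory: 1G
+instances: 1
+docker:
+image: cloudgovoperations/test-kibana-odfe:latest
+env:
+"ELASTICSEARCH_URL": https://odfe-test.apps.internal:9200
+"ELASTICSEARCH_HOSTS": https://0.odfe-test.apps.internal:9200
+"elasticsearch.requestHeadersWhitelist": "securitytenant,Authorization,x-forwarded-for,x-proxy-user,x-proxy-roles"
+"opendistro.security.auth_type": "proxy"
+"opendistro.security.proxycache.user_header": "x-proxy-user"
+"opendistro.security.proxycache.roles_header": "x-proxy-roles"
+routes:
+- route: kbn-test.apps.internal
+- name: auth-proxy
+health_check_type: port
+buildpacks:
+- python_buildpack
+routes:
+- route: ((public_route))
+env:
+FLASK_ENV: local
+KIBANA_URL: http://kbn-test.apps.internal:5601
+
+CF_URL: ((cf_url))
+UAA_AUTH_URL: ((uaa_auth_url))
+UAA_TOKEN_URL: ((uaa_token_url))
+UAA_CLIENT_ID: ((uaa_client_id))
+UAA_CLIENT_SECRET: ((uaa_client_secret))
+SECRET_KEY: ((secret_key))
+SESSION_LIFETIME: ((session_lifetime))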
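Review bot: The `kibana` entry sets `"opendistro.security.auth_type": "proxy"` and whitelists `x-proxy-user` and `x-proxy-roles`, so the identity Elasticsearch sees is whatever those headers carry on requests reaching port 5601, and the manifest does not say what enforces that boundary. The only controls visible on this page are the `apps.internal` route and the network policies added by `./dev cf-network`, and `KIBANA_URL` is plain `http://`, so the identity headers cross the container network unencrypted. I would add a comment above the `auth-proxy` entry such as `# auth-proxy must drop client-supplied x-proxy-user / x-proxy-roles before forwarding; Kibana passes them on as the caller's identity`, and confirm that the proxy code (not shown here) does so. `FLASK_ENV: local` on an app bound to `((public_route))` also deserves a comment saying what that mode relaxes.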
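--- a/cf/secrets-sample.yml
+++ b/cf/secrets-sample.yml
@@ -0,0 +1,9 @@
+---
+cf_url: https://api.example.com
+uaa_auth_url: https://login.example.com/oauth/authorize
+uaa_token_url: https://login.example.com/oauth/token
+uaa_client_id: me
+uaa_client_secret: FEEDABEE
+secret_key: feedabee
+session_lifetime: 3600
+public_route: foo.example.com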
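Review bot: Nothing in the sample marks `secret_key: feedabee` and `uaa_client_secret: FEEDABEE` as placeholders, and `./dev cf-push` reads its values from `cf/secrets.yml`, which is presumably made by copying this file. A header comment such as `# Placeholder values only: copy to cf/secrets.yml, replace every value, and generate secret_key from a CSPRNG` would reduce the chance of a deployment running with a guessable key. Real secrets should be written as quoted strings so that an all-digit or boolean-looking value is not retyped by the YAML parser.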
42 changes: 42 additions & 0 deletions ci/pipeline.yml
Expand Up @@ -56,6 +56,38 @@ jobs:
tag_as_latest: true
cache: true

- name: cf
plan:
- get: src
params: {depth: 1}
trigger: true
passed: build-test-images

- put: cf-dev
params:
path: src
manifest: src/cf/manifest.tml
show_app_log: true
vars:
cf_url: ((dev-cf-url))
uaa_auth_url: ((dev-uaa-auth-url))
uaa_token_url: ((dev-uaa-token-url))
uaa_client_id: ((dev-uaa-client-id))
uaa_client_secret: ((dev-uaa-client-secret))
secret_key: ((dev-secret-key))
session_lifetime: 3600
public_route: ((dev-public-url))

- task: update-networking
file: src/ci/upgrade-schema.yml
params:
CF_API_URL: ((dev-cf-api-url))
CF_USERNAME: ((dev-cf-username))
CF_PASSWORD: ((dev-cf-password))
CF_ORGANIZATION: ((dev-cf-organization))
CF_SPACE: ((dev-cf-space)


############################
# RESOURCES

Expand Down Expand Up @@ -95,6 +127,16 @@ resources:
password: ((docker-password))
repository: ((docker-image-kibana-dev))

- name: cf-dev
type: cf
icon: cloud-upload
source:
api: ((dev-cf-api-url))
username: ((dev-cf-username))
password: ((dev-cf-password))
organization: ((dev-cf-organization))
space: ((dev-cf-space))

############################
# RESOURCE TYPES

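Review bot: Three references in the new `cf` job (first hunk) do not match anything else in this change: `manifest: src/cf/manifest.tml` (the file added is `cf/manifest.yml`), `file: src/ci/upgrade-schema.yml` (the task added is `ci/update-networking.yml`, unless an `upgrade-schema.yml` exists elsewhere in the repository), and `CF_SPACE: ((dev-cf-space)`, which lacks its closing parenthesis and so would reach the task as a literal string rather than the interpolated value. The fixes are `manifest: src/cf/manifest.yml`, `file: src/ci/update-networking.yml` and `CF_SPACE: ((dev-cf-space))`. `passed: build-test-images` is also a scalar where Concourse expects a list, `passed: [build-test-images]`. In the second hunk, the account behind `((dev-cf-username))` on the `cf-dev` resource should be a deployer scoped to the one dev space rather than an org-wide or admin user.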
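--- a/ci/update-networking.sh
+++ b/ci/update-networking.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s inherit_errexit
+
+cf api ${CF_API_URL}
+cf auth
+cf t -o ${CF_ORGANIZATION} -s ${CF_SPACE}
+./dev cf-network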
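Review bot: `./dev cf-network` is resolved against the task's working directory, but ci/update-networking.yml starts this script as `src/ci/update-networking.sh` with no `dir:`, so the checkout sits under `src/` and `./dev` will most likely not be found; `src/dev cf-network` would match the task layout. The expansions on the `cf api` and `cf t` lines are unquoted, so an organization or space name containing spaces or glob characters is split by the shell; prefer `cf api "${CF_API_URL}"` and `cf t -o "${CF_ORGANIZATION}" -s "${CF_SPACE}"`. Calling `cf auth` with no arguments makes it read `CF_USERNAME` and `CF_PASSWORD` from the environment, which keeps the password off the command line; a one-line comment saying so would stop someone from "fixing" it later. `set -u` does not cover those two variables because the script never expands them, so a missing credential only shows up as a `cf auth` failure.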
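--- a/ci/update-networking.yml
+++ b/ci/update-networking.yml
@@ -0,0 +1,12 @@
+platform: linux
+
+image_resource:
+type: docker-image
+source:
+repository: 18fgsa/concourse-task
+
+inputs:
+- name: src
+
+run:
+path: src/ci/update-networking.sh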
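Review bot: The task image `18fgsa/concourse-task` has no `tag` or digest, so every run pulls whatever the repository currently serves under its default tag, and this task is handed `CF_USERNAME` and `CF_PASSWORD` by the pipeline. Pinning it, for example `tag: <pinned-tag>` under `source:` (placeholder; use the version you have tested), keeps a changed or replaced image from running with deploy credentials. The `:latest` images in cf/manifest.yml are unpinned in the same way, though that cluster is declared test-only. The task also declares no `params:` for the `CF_*` variables the script needs; listing them here would document the contract.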
17 changes: 17 additions & 0 deletions dev
Expand Up @@ -86,6 +86,16 @@ watch_tests() {

}

cf_push() {
cf push -f cf/manifest.yml --vars-file cf/secrets.yml
}

cf_network() {
cf add-network-policy kibana elasticsearch --protocol tcp --port 9200
cf add-network-policy auth-proxy kibana --protocol tcp --port 5601

}

main() {
pushd ${dir}
trap popd exit
Expand Down Expand Up @@ -127,6 +137,13 @@ main() {
docker-compose down
popd
;;
cf-push)
cf_push
cf_network
;;
cf-network)
cf_network
;;
watch-test|watch-tests)
watch_tests
;;
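Review bot: `cf_network` in the first hunk has no comment, and as far as this page shows the two policies it adds are what restrict access to Kibana's port 5601 and Elasticsearch's port 9200 in this deployment. A comment above it, e.g. `# Only auth-proxy may reach kibana:5601 and only kibana may reach elasticsearch:9200; Kibana accepts proxy identity headers, so do not widen these`, would record why the sources are that narrow. `cf_push` depends on the untracked `cf/secrets.yml`; failing early when it is missing, `[[ -f cf/secrets.yml ]] || { echo "cf/secrets.yml missing" >&2; exit 1; }`, gives a clearer message than the cf CLI error.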
3 changes: 3 additions & 0 deletions dev-requirements.txt
Expand Up @@ -35,6 +35,8 @@ flask==1.1.2
# via
# -r pip-tools/../requirements.txt
# flask-session
gunicorn==20.0.4
# via -r pip-tools/../requirements.txt
idna==2.10
# via
# -r pip-tools/../requirements.txt
Expand Down Expand Up @@ -112,3 +114,4 @@ zipp==3.4.0

# The following packages are considered to be unsafe in a requirements file:
# pip
# setuptools
2 changes: 1 addition & 1 deletion docker/docker-compose.yml
Expand Up @@ -57,7 +57,7 @@ services:
ELASTICSEARCH_URL: https://odfe-node1:9200
ELASTICSEARCH_HOSTS: https://odfe-node1:9200
elasticsearch.requestHeadersWhitelist: "securitytenant,Authorization,x-forwarded-for,x-proxy-user,x-proxy-roles"
openditsro.security.auth_type: "proxy"
opendistro.security.auth_type: "proxy"
opendistro.security.proxycache.user_header: "x-proxy-user"
opendistro.security.proxycache.roles_header: "x-proxy-roles"

1 change: 1 addition & 0 deletions pip-tools/requirements.in
@@ -1,6 +1,7 @@
environs
flask
flask-session
gunicorn
pyjwt
redis
requests
5 changes: 5 additions & 0 deletions requirements.txt
Expand Up @@ -20,6 +20,8 @@ flask==1.1.2
# via
# -r pip-tools/requirements.in
# flask-session
gunicorn==20.0.4
# via -r pip-tools/requirements.in
idna==2.10
# via requests
itsdangerous==1.1.0
Expand All @@ -42,3 +44,6 @@ urllib3==1.26.2
# via requests
werkzeug==1.0.1
# via flask

# The following packages are considered to be unsafe in a requirements file:
# setuptools