
DIV-1225 - Refactor Settings Files #2

- Removed PROXY_NETWORK
- Moved Keycloak secrets into OpenShift secrets
pull/172/head
Michael Olund 5 years ago
parent
commit
73e527c2fb
7 changed files with 51 additions and 37 deletions
  1. +1
    -1
      .env.example
  2. +1
    -3
      edivorce/settings/base.py
  3. +21
    -7
      openshift/EFILING-README.md
  4. +0
    -13
      openshift/README.md
  5. +1
    -7
      openshift/edivorce-django-deploy.overrides.sh
  6. +26
    -5
      openshift/templates/edivorce-django/edivorce-django-deploy.yaml
  7. +1
    -1
      openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml

+ 1
- 1
.env.example View File

@ -22,7 +22,7 @@ REDIS_PASSWORD=
EFILING_HUB_TOKEN_BASE_URL=''
EFILING_HUB_REALM=''
EFILING_HUB_CLIENT_ID=''
EFILING_HUB_CLIENT_SECRET=''
EFILING_KEYCLOAK_SECRET=''
EFILING_HUB_API_BASE_URL=''
# BCE ID test accounts for localdev


+ 1
- 3
edivorce/settings/base.py View File

@ -159,8 +159,6 @@ STATICFILES_FINDERS = (
'compressor.finders.CompressorFinder',
)
BCGOV_NETWORK = os.environ.get('PROXY_NETWORK', '0.0.0.0/0')
FORCE_SCRIPT_NAME = '/'
FIXTURE_DIRS = (
@ -201,7 +199,7 @@ OIDC_RP_SIGN_ALGO = 'RS256'
OIDC_RP_SCOPES = 'openid email profile'
# this is needed to bypass the Keycloak login screen
OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'}
OIDC_RP_CLIENT_SECRET = env('KEYCLOAK_CLIENT_SECRET', '')
OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET', '')
OIDC_OP_LOGOUT_URL_METHOD = 'edivorce.apps.core.middleware.keycloak.keycloak_logout'
VIRTUAL_SWEARING_ENABLED = False
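Review bot: `OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET', '')` falls back to an empty client secret when the variable is unset, so a deployment that forgets to wire the keycloak-secrets Secret into the pod would still start and attempt OIDC with a blank secret instead of failing at boot. If the `env` helper raises on a missing key when no default is given, `OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET')` in the non-local settings would surface the misconfiguration immediately; otherwise a startup assertion that the value is non-empty outside DEBUG achieves the same. The first hunk also drops `BCGOV_NETWORK`; the README text removed in this commit described PROXY_NETWORK as the check that requests come from the Justice proxy only, so any middleware still reading `settings.BCGOV_NETWORK` will now raise AttributeError, and it is worth confirming that the nginx-proxy SiteMinder whitelist is the intended compensating control.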

+ 21
- 7
openshift/EFILING-README.md View File

@ -15,17 +15,31 @@ https://raw.githubusercontent.com/bcgov/eDivorce/master/openshift/templates/clam
## Adding new Environment variabales:
Go to "Resources" => Secrets
Click "Create Secret"
- Secret Type = Generic Secret
- Secret Name = keycloak-secrets
Add the following two values:
- edivorce-client-secret : [GUID WILL BE PROVIDED]
- efiling-client-secret : [GUID WILL BE PROVIDED]
Go to "Applications" => Deployments => edivorce-django
Select the "Environment" tab.
Add 2 new environment variables:
REDIS_HOST=redis
CLAMAV_HOST=clamav
Click "Add Value from Config Map or Secret"
- name = REDIS_PASSWORD
- select a resource = "redis"
- select key = "database-password"
Click "Add Value from Config Map or Secret"
- name = EDIVORCE_KEYCLOAK_SECRET
- select a resource = "keycloak-secrets"
- select key = "edivorce-client-secrets"
name = REDIS_PASSWORD
select a resource = "redis"
select key = "database-password"
Click "Add Value from Config Map or Secret"
- name = EFILING_KEYCLOAK_SECRET
- select a resource = "keycloak-secrets"
- select key = "efiling-client-secrets"

+ 0
- 13
openshift/README.md View File

@ -125,19 +125,6 @@ Use `-h` to get advanced usage information. Use the `-l` option to apply any lo
#### Mandatory Settings:
**PROXY_NETWORK**
While running `genDepls.sh` you will be prompted for the network address of the upstream proxy. This is used to ensure that requests come from the Justice Proxy only. You will need to enter the address in IPV4 CIDR notation e.g. 10.10.15.10/16. The actual value you need to enter cannot be stored on Github because this would violate BC Government Github policies. The PROXY_NETWORK setting is currently the same for all 3 environments (dev, test, and prod)
An example of the [edivorce-django-deploy.overrides.sh](./edivorce-django-deploy.overrides.sh) script prompting for the value to use for PROXY_NETWORK;
```
Processing deployment configuration; templates/edivorce-django/edivorce-django-deploy.yaml ...
Loading parameter overrides for templates/edivorce-django/edivorce-django-deploy.yaml ...
Enter the network of the upstream proxy (in CIDR notation; for example 0.0.0.0/0); defaults to 0.0.0.0/0:
```
SITEMINDER_WHITE_LIST
While running `genDepls.sh` you will be prompted for a list of IP addresses that make up the white-list of hosts allowed to access the service.


+ 1
- 7
openshift/edivorce-django-deploy.overrides.sh View File

@ -22,11 +22,5 @@ generatePassword() {
_userName=$(generateUsername)
_password=$(generatePassword)
read -r -p $'\n\033[1;33mEnter the network of the upstream proxy (in CIDR notation; for example 0.0.0.0/0); defaults to 0.0.0.0/0:\033[0m\n' PROXY_NETWORK
if [ -z "${PROXY_NETWORK}" ]; then
PROXY_NETWORK="0.0.0.0/0"
fi
SPECIALDEPLOYPARMS="-p PROXY_NETWORK=${PROXY_NETWORK} -p BASICAUTH_USERNAME=${_userName} -p BASICAUTH_PASSWORD=${_password}"
SPECIALDEPLOYPARMS="-p BASICAUTH_USERNAME=${_userName} -p BASICAUTH_PASSWORD=${_password}"
echo ${SPECIALDEPLOYPARMS}

+ 26
- 5
openshift/templates/edivorce-django/edivorce-django-deploy.yaml View File

@ -96,8 +96,6 @@ objects:
value: "${PROXY_URL_PREFIX}"
- name: PROXY_BASE_URL
value: "${PROXY_BASE_URL}"
- name: PROXY_NETWORK
value: "${PROXY_NETWORK}"
- name: BASICAUTH_ENABLED
value: "${BASICAUTH_ENABLED}"
- name: BASICAUTH_USERNAME
@ -110,6 +108,16 @@ objects:
secretKeyRef:
key: basic-auth-password
name: ${NAME}
- name: EDIVORCE_KEYCLOAK_SECRET
valueFrom:
secretKeyRef:
key: edivorce-client-secret
name: "keycloak-secrets"
- name: EFILING_KEYCLOAK_SECRET
valueFrom:
secretKeyRef:
key: efiling-client-secret
name: "keycloak-secrets"
resources:
limits:
cpu: ${CPU_LIMIT}
@ -127,6 +135,16 @@ objects:
basic-auth-password: "${BASICAUTH_PASSWORD}"
basic-auth-username: "${BASICAUTH_USERNAME}"
type: Opaque
- kind: Secret
apiVersion: v1
metadata:
name: "keycloak-secrets"
labels:
app: "${NAME}"
data:
edivorce-client-secret: "${EDIVORCE_KEYCLOAK_SECRET}"
efiling-client-secret: "${EFILING_KEYCLOAK_SECRET}"
type: Opaque
- kind: HorizontalPodAutoscaler
apiVersion: autoscaling/v1
metadata:
@ -184,13 +202,16 @@ parameters:
displayName: Proxy Base URL
description: The proxy base URL (aka Host URL) for the application. For example `https://justice.gov.bc.ca`
required: false
- name: PROXY_NETWORK
displayName: Network of upstream proxy (CIDR notation 0.0.0.0/0)
required: true
- name: BASICAUTH_ENABLED
displayName: Enable basic auth (recommended for Dev and Test environments)
required: true
value: "False"
- name: EDIVORCE_KEYCLOAK_SECRET
displayName: Keycloak client secret for the e-divorce-app client
required: true
- name: EFILING_KEYCLOAK_SECRET
displayName: Keycloak client secret for the efiling hub
required: true
- name: BASICAUTH_USERNAME
displayName: Basic Auth Username
description: Basic Auth Username. Needs to be basee64 encoded.
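Review bot: The new `keycloak-secrets` Secret puts the raw parameter values under `data:` (`edivorce-client-secret: "${EDIVORCE_KEYCLOAK_SECRET}"` and the efiling line below it), but `data` values must be base64 encoded, so a plain client secret there will either be rejected by the API server or be decoded into garbage at runtime. Either change `data:` to `stringData:` so Kubernetes encodes the values itself, or give both new parameters a description like the one BASICAUTH_USERNAME already carries, `description: Keycloak client secret. Needs to be base64 encoded.`. Note also that openshift/EFILING-README.md in this same commit tells operators to create the Secret by hand with keys `edivorce-client-secrets` / `efiling-client-secrets` (plural), while the template's Secret and both secretKeyRef entries use the singular `edivorce-client-secret` / `efiling-client-secret`; one of the two must change or the environment variables will never resolve. Since the template now owns the Secret and marks both parameters `required: true`, the manual creation steps in that README appear redundant and `genDepls.sh` will fail unless the values are supplied at processing time, so it is worth reconciling which path is canonical.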


+ 1
- 1
openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml View File

@ -134,5 +134,5 @@ parameters:
value: "edivorce-dev.pathfinder.bcgov"
- name: SITEMINDER_WHITE_LIST
displayName: SiteMinder Whitelist
description: The whitelist containing all of the trusted siteminder IPs.
description: The whitelist containing all of the trusted siteminder IPs (separated by spaces).
required: false
