From 73e527c2fb6cf144fa481d7ea8d6ce5ae77bc365 Mon Sep 17 00:00:00 2001
From: Michael Olund
Date: Fri, 30 Oct 2020 10:57:19 -0700
Subject: [PATCH] DIV-1225 - Refactor Settings Files #2 - Removed PROXY_NETWORK - Moved Keycloak secrets into OpenShift secrets
---
 .env.example | 2 +-
 edivorce/settings/base.py | 4 +--
 openshift/EFILING-README.md | 28 ++++++++++++-----
 openshift/README.md | 13 --------
 openshift/edivorce-django-deploy.overrides.sh | 8 +----
 .../edivorce-django-deploy.yaml | 31 ++++++++++++++++---
 .../nginx-proxy/nginx-proxy-deploy.yaml | 2 +-
 7 files changed, 51 insertions(+), 37 deletions(-)
diff --git a/.env.example b/.env.example
index 3bc33971..2dd7ba85 100644
--- a/.env.example
+++ b/.env.example
@@ -22,7 +22,7 @@ REDIS_PASSWORD=
 EFILING_HUB_TOKEN_BASE_URL=''
 EFILING_HUB_REALM=''
 EFILING_HUB_CLIENT_ID=''
-EFILING_HUB_CLIENT_SECRET=''
+EFILING_KEYCLOAK_SECRET=''
 EFILING_HUB_API_BASE_URL=''
 
 # BCE ID test accounts for localdev
diff --git a/edivorce/settings/base.py b/edivorce/settings/base.py
index 6405b18e..929b8682 100644
--- a/edivorce/settings/base.py
+++ b/edivorce/settings/base.py
@@ -159,8 +159,6 @@ STATICFILES_FINDERS = (
     'compressor.finders.CompressorFinder',
 )
 
-BCGOV_NETWORK = os.environ.get('PROXY_NETWORK', '0.0.0.0/0')
-
 FORCE_SCRIPT_NAME = '/'
 
 FIXTURE_DIRS = (
@@ -201,7 +199,7 @@ OIDC_RP_SIGN_ALGO = 'RS256'
 OIDC_RP_SCOPES = 'openid email profile'
 # this is needed to bypass the Keycloak login screen
 OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'}
-OIDC_RP_CLIENT_SECRET = env('KEYCLOAK_CLIENT_SECRET', '')
+OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET', '')
 OIDC_OP_LOGOUT_URL_METHOD = 'edivorce.apps.core.middleware.keycloak.keycloak_logout'
 
 VIRTUAL_SWEARING_ENABLED = False
diff --git a/openshift/EFILING-README.md b/openshift/EFILING-README.md
index a34c3c40..b0d4d26a 100644
--- a/openshift/EFILING-README.md
+++ b/openshift/EFILING-README.md
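Review bot: Deleting `BCGOV_NETWORK` from base.py is only safe if nothing still reads `settings.BCGOV_NETWORK`; the openshift/README.md text removed in this same commit describes PROXY_NETWORK as the check that requests come only from the Justice proxy, and no consumer change is visible in this diff. If the middleware that enforced it was dropped in an earlier change, a one-line comment at the removal site (or in the commit message) would make that clear; if it was not, the first request will raise AttributeError. Either way the source-network restriction now rests on the nginx-side SITEMINDER_WHITE_LIST alone, which is worth saying explicitly in the README this commit edits.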
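Review bot: `OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET', '')` keeps an empty-string fallback, so an environment that still exports the old `KEYCLOAK_CLIENT_SECRET` name, or whose secretKeyRef is missing, starts with an empty OIDC client secret and only fails later at the token exchange. Since the rename makes that silent fallback more likely, consider dropping the default in the shared settings, e.g. `OIDC_RP_CLIENT_SECRET = env('EDIVORCE_KEYCLOAK_SECRET')` if the `env` helper raises on a missing name, and keeping the `''` default only in the local/dev settings module. The .env.example hunk above renames just the efiling variable; whether it also lists `EDIVORCE_KEYCLOAK_SECRET` is not visible here and should be confirmed.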
@@ -15,17 +15,31 @@ https://raw.githubusercontent.com/bcgov/eDivorce/master/openshift/templates/clam ## Adding new Environment variabales: +Go to "Resources" => Secrets + +Click "Create Secret" +- Secret Type = Generic Secret +- Secret Name = keycloak-secrets + +Add the following two values: +- edivorce-client-secret : [GUID WILL BE PROVIDED] +- efiling-client-secret : [GUID WILL BE PROVIDED] + Go to "Applications" => Deployments => edivorce-django Select the "Environment" tab. -Add 2 new environment variables: - -REDIS_HOST=redis -CLAMAV_HOST=clamav +Click "Add Value from Config Map or Secret" +- name = REDIS_PASSWORD +- select a resource = "redis" +- select key = "database-password" Click "Add Value from Config Map or Secret" +- name = EDIVORCE_KEYCLOAK_SECRET +- select a resource = "keycloak-secrets" +- select key = "edivorce-client-secrets" -name = REDIS_PASSWORD -select a resource = "redis" -select key = "database-password" \ No newline at end of file +Click "Add Value from Config Map or Secret" +- name = EFILING_KEYCLOAK_SECRET +- select a resource = "keycloak-secrets" +- select key = "efiling-client-secrets" diff --git a/openshift/README.md b/openshift/README.md index 16417001..49bebf27 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -125,19 +125,6 @@ Use `-h` to get advanced usage information. Use the `-l` option to apply any lo #### Mandatory Settings: -**PROXY_NETWORK** - -While running `genDepls.sh` you will be prompted for the network address of the upstream proxy. This is used to ensure that requests come from the Justice Proxy only. You will need to enter the address in IPV4 CIDR notation e.g. 10.10.15.10/16. The actual value you need to enter cannot be stored on Github because this would violate BC Government Github policies. The PROXY_NETWORK setting is currently the same for all 3 environments (dev, test, and prod) - -An example of the [edivorce-django-deploy.overrides.sh](./edivorce-django-deploy.overrides.sh) script prompting for the value to use for PROXY_NETWORK; -``` -Processing deployment configuration; templates/edivorce-django/edivorce-django-deploy.yaml ... -Loading parameter overrides for templates/edivorce-django/edivorce-django-deploy.yaml ... - -Enter the network of the upstream proxy (in CIDR notation; for example 0.0.0.0/0); defaults to 0.0.0.0/0: - -``` - SITEMINDER_WHITE_LIST While running `genDepls.sh` you will be prompted for a list of IP addresses that make up the white-list of hosts allowed to access the service. diff --git a/openshift/edivorce-django-deploy.overrides.sh b/openshift/edivorce-django-deploy.overrides.sh index 1f0eb8d1..9dae776d 100644 --- a/openshift/edivorce-django-deploy.overrides.sh +++ b/openshift/edivorce-django-deploy.overrides.sh 
@@ -22,11 +22,5 @@ generatePassword() {
 _userName=$(generateUsername)
 _password=$(generatePassword)
 
-read -r -p $'\n\033[1;33mEnter the network of the upstream proxy (in CIDR notation; for example 0.0.0.0/0); defaults to 0.0.0.0/0:\033[0m\n' PROXY_NETWORK
-if [ -z "${PROXY_NETWORK}" ]; then
-  PROXY_NETWORK="0.0.0.0/0"
-fi
-
-SPECIALDEPLOYPARMS="-p PROXY_NETWORK=${PROXY_NETWORK} -p BASICAUTH_USERNAME=${_userName} -p BASICAUTH_PASSWORD=${_password}"
+SPECIALDEPLOYPARMS="-p BASICAUTH_USERNAME=${_userName} -p BASICAUTH_PASSWORD=${_password}"
 echo ${SPECIALDEPLOYPARMS}
-
diff --git a/openshift/templates/edivorce-django/edivorce-django-deploy.yaml b/openshift/templates/edivorce-django/edivorce-django-deploy.yaml
index c23b52c4..fb65790c 100644
--- a/openshift/templates/edivorce-django/edivorce-django-deploy.yaml
+++ b/openshift/templates/edivorce-django/edivorce-django-deploy.yaml
@@ -96,8 +96,6 @@ objects:
             value: "${PROXY_URL_PREFIX}"
           - name: PROXY_BASE_URL
             value: "${PROXY_BASE_URL}"
-          - name: PROXY_NETWORK
-            value: "${PROXY_NETWORK}"
           - name: BASICAUTH_ENABLED
             value: "${BASICAUTH_ENABLED}"
           - name: BASICAUTH_USERNAME
@@ -110,6 +108,16 @@ objects:
               secretKeyRef:
                 key: basic-auth-password
                 name: ${NAME}
+          - name: EDIVORCE_KEYCLOAK_SECRET
+            valueFrom:
+              secretKeyRef:
+                key: edivorce-client-secret
+                name: "keycloak-secrets"
+          - name: EFILING_KEYCLOAK_SECRET
+            valueFrom:
+              secretKeyRef:
+                key: efiling-client-secret
+                name: "keycloak-secrets"
           resources:
             limits:
               cpu: ${CPU_LIMIT}
@@ -127,6 +135,16 @@ objects:
     basic-auth-password: "${BASICAUTH_PASSWORD}"
     basic-auth-username: "${BASICAUTH_USERNAME}"
   type: Opaque
+- kind: Secret
+  apiVersion: v1
+  metadata:
+    name: "keycloak-secrets"
+    labels:
+      app: "${NAME}"
+  data:
+    edivorce-client-secret: "${EDIVORCE_KEYCLOAK_SECRET}"
+    efiling-client-secret: "${EFILING_KEYCLOAK_SECRET}"
+  type: Opaque
 - kind: HorizontalPodAutoscaler
   apiVersion: autoscaling/v1
   metadata:
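Review bot: The `secretKeyRef` keys `edivorce-client-secret` and `efiling-client-secret` added to the env list do not match the keys `edivorce-client-secrets` / `efiling-client-secrets` that openshift/EFILING-README.md in this same commit tells operators to select when wiring the deployment by hand. A secretKeyRef to a key that does not exist in the Secret keeps the container from being created (CreateContainerConfigError) rather than degrading gracefully, so the two must agree. The template is what genDepls.sh applies, so the README should be corrected to the singular key names used here.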
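Review bot: The new `keycloak-secrets` Secret places `"${EDIVORCE_KEYCLOAK_SECRET}"` and `"${EFILING_KEYCLOAK_SECRET}"` under `data:`, where Kubernetes requires base64-encoded values, yet unlike the BASICAUTH parameters in this template nothing tells the operator to pre-encode them; a raw Keycloak GUID contains hyphens and will be rejected as invalid base64 on apply. The simplest fix is to write the raw values under `stringData:` instead of `data:` — the API server encodes them on write — or, if `data:` is kept, document the encoding on the two new parameters. Note also that openshift/EFILING-README.md in this commit has operators create a `keycloak-secrets` Secret by hand while this template now defines one with the same name, so whichever is applied last wins; keep a single source of truth for these credentials.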
@@ -184,13 +202,16 @@ parameters:
   displayName: Proxy Base URL
   description: The proxy base URL (aka Host URL) for the application. For example `https://justice.gov.bc.ca`
   required: false
-- name: PROXY_NETWORK
-  displayName: Network of upstream proxy (CIDR notation 0.0.0.0/0)
-  required: true
 - name: BASICAUTH_ENABLED
   displayName: Enable basic auth (recommended for Dev and Test environments)
   required: true
   value: "False"
+- name: EDIVORCE_KEYCLOAK_SECRET
+  displayName: Keycloak client secret for the e-divorce-app client
+  required: true
+- name: EFILING_KEYCLOAK_SECRET
+  displayName: Keycloak client secret for the efiling hub
+  required: true
 - name: BASICAUTH_USERNAME
   displayName: Basic Auth Username
   description: Basic Auth Username. Needs to be basee64 encoded.
diff --git a/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml b/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
index 90dd3abc..a68c1bcb 100644
--- a/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
+++ b/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
@@ -134,5 +134,5 @@ parameters:
   value: "edivorce-dev.pathfinder.bcgov"
 - name: SITEMINDER_WHITE_LIST
   displayName: SiteMinder Whitelist
-  description: The whitelist containing all of the trusted siteminder IPs.
+  description: The whitelist containing all of the trusted siteminder IPs (separated by spaces).
   required: false
\ No newline at end of file
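Review bot: The two new `required: true` parameters carry no `description:`, while the BASICAUTH_USERNAME parameter directly below them documents its encoding requirement; since the template feeds them into a Secret's `data:` field, add `description: Keycloak client secret for the e-divorce-app client. Needs to be base64 encoded.` (and the equivalent for EFILING_KEYCLOAK_SECRET), or state that the raw value is expected if the Secret is switched to `stringData`. Because they are required, processing the template fails unless a value is supplied, and edivorce-django-deploy.overrides.sh in this commit now passes only the basic-auth pair, so it is not visible here where these values come from (presumably a .param file kept out of git); a sentence in openshift/README.md, which this commit also edits, would close that gap.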