From 79117889449c34f16cd422262bb4c498f0a9cd47 Mon Sep 17 00:00:00 2001
From: Wade Barnes
Date: Wed, 27 Jun 2018 13:29:43 -0700
Subject: [PATCH] EDIVORCE-45 - Update configurations and documentation

- All of the RP and SiteMinder changes have been implemented. Update the configurations and documentation to reflect the changes.
- Remove the public route from the nginx configuration template, it is no longer used.
---
 openshift/README.md | 74 +++++++++++++++++--
 openshift/edivorce-django-deploy.prod.param | 4 +-
 openshift/edivorce-django-deploy.test.param | 4 +-
 openshift/nginx-proxy-deploy.dev.param | 1 -
 openshift/nginx-proxy-deploy.param | 1 -
 openshift/nginx-proxy-deploy.prod.param | 1 -
 openshift/nginx-proxy-deploy.test.param | 1 -
 .../nginx-proxy/nginx-proxy-deploy.yaml | 25 -------
 8 files changed, 73 insertions(+), 38 deletions(-)

diff --git a/openshift/README.md b/openshift/README.md
index 770c4a7b..1a97a86f 100644
--- a/openshift/README.md
+++ b/openshift/README.md
@@ -141,10 +141,19 @@ Use `-h` to get advanced usage information. Use the `-l` option to apply any lo
 #### Mandatory Settings:
-PROXY_NETWORK
+**PROXY_NETWORK**
 While running `genDepls.sh` you will be prompted for the network address of the upstream proxy. This is used to ensure that requests come from the Justice Proxy only. You will need to enter the address in IPV4 CIDR notation e.g. 10.10.15.10/16. The actual value you need to enter cannot be stored on Github because this would violate BC Government Github policies. The PROXY_NETWORK setting is currently the same for all 3 environments (dev, test, and prod)
+An example of the [edivorce-django-deploy.overrides.sh](./edivorce-django-deploy.overrides.sh) script prompting for the value to use for PROXY_NETWORK;
+```
+Processing deployment configuration; templates/edivorce-django/edivorce-django-deploy.yaml ...
+Loading parameter overrides for templates/edivorce-django/edivorce-django-deploy.yaml ...
+
+Enter the network of the upstream proxy (in CIDR notation; for example 0.0.0.0/0); defaults to 0.0.0.0/0:
+
+```
+
 SITEMINDER_WHITE_LIST
 While running `genDepls.sh` you will be prompted for a list of IP addresses that make up the white-list of hosts allowed to access the service.
@@ -153,6 +162,62 @@ The list must be provided as a space delimited list of IP addresses.
 The actual values cannot be stored on Github because this would violate BC Government Github policies. The addresses are different for each environment (dev, test, and prod).
+An example of the [nginx-proxy-deploy.overrides.sh](./nginx-proxy-deploy.overrides.sh) script prompting for the value to use for SITEMINDER_WHITE_LIST;
+```
+Processing deployment configuration; templates/nginx-proxy/nginx-proxy-deploy.yaml ...
+Loading parameter overrides for templates/nginx-proxy/nginx-proxy-deploy.yaml ...
+
+Enter the white list of trusted IP addresses that should be allowed to access the SiteMinder route (as a space delimited list of IP addresses):
+
+```
+
+This has the affect of adding the white-list to the `haproxy.router.openshift.io/ip_whitelist` element of the associated route configuration in the template [nginx-proxy-deploy.yaml](./templates/nginx-proxy/nginx-proxy-deploy.yaml)
+
+The result looks something like this;
+
+```
+{
+ "apiVersion": "v1",
+ "kind": "Route",
+ "metadata": {
+ "annotations": {
+ "haproxy.router.openshift.io/ip_whitelist": "1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4"
+ },
+ "labels": {
+ "app": "nginx-proxy-siteminder-route",
+ "template": "nginx-proxy-deployment-template"
+ },
+ "name": "nginx-proxy-siteminder-route"
+ },
+ "spec": {
+ "host": "edivorce-dev.pathfinder.bcgov",
+ "port": {
+ "targetPort": "8080-tcp"
+ },
+ "to": {
+ "kind": "Service",
+ "name": "nginx-proxy",
+ "weight": 100
+ }
+ }
+},
+```
+
+Once deployed to OpenShift, the white-list can be viewed on the associated route's configuration page by clicking `Show Annotations`.
+```
+haproxy.router.openshift.io/ip_whitelist 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
+```
+
+The white-list can be updated manually by editing the associated route's yaml configuration directly.
+```
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ annotations:
+ haproxy.router.openshift.io/ip_whitelist: 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
+...
+```
+
 #### Other Settings:
 BASICAUTH_ENABLED
@@ -202,10 +267,10 @@ There are three deployment environments set up for different purposes within Ope
 | Environment | URL | Justice URL |
 | ----------- | ----- | ----------- |
 | DEV | http://edivorce-dev.pathfinder.bcgov | https://dev.justice.gov.bc.ca/divorce |
-| TEST | https://edivorce-test.pathfinder.gov.bc.ca | https://justice.gov.bc.ca/divorce-test |
-| PROD | https://edivorce-prod.pathfinder.gov.bc.ca | https://justice.gov.bc.ca/divorce |
+| TEST | https://edivorce-test.pathfinder.bcgov | https://test.justice.gov.bc.ca/divorce |
+| PROD | https://edivorce-prod.pathfinder.bcgov | https://justice.gov.bc.ca/divorce |
-*Environments are typically only accessable through the associated Justice URL due to white-list applied to the pathfinder routes.*
+*Environments are typically only accessible through the associated Justice URL due to white-list applied to the pathfinder routes.*
 These instructions assume you have 4 EMPTY projects created in OpenShift:
@@ -242,7 +307,6 @@ oc get pods | grep Running
 oc rsh postgresql-2-qp0oh
 ```
-
 ### Sample postgresql terminal session
 ```
 psql -d default
diff --git a/openshift/edivorce-django-deploy.prod.param b/openshift/edivorce-django-deploy.prod.param
index cc9a9b0a..b9e3403d 100644
--- a/openshift/edivorce-django-deploy.prod.param
+++ b/openshift/edivorce-django-deploy.prod.param
@@ -11,8 +11,8 @@
 # #DJANGO_SECRET_KEY=[\w]{50}
 # IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=prod
-# PROXY_URL_PREFIX=/divorce
-# PROXY_BASE_URL=https://justice.gov.bc.ca
+PROXY_URL_PREFIX=/divorce
+PROXY_BASE_URL=https://justice.gov.bc.ca
 BASICAUTH_ENABLED=False
 # BASICAUTH_USERNAME=divorce
 # BASICAUTH_PASSWORD=[a-zA-Z0-9]{16}
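Review bot: PROXY_URL_PREFIX and PROXY_BASE_URL become live settings here and in the matching hunk of edivorce-django-deploy.test.param, but no dev counterpart appears in the diffstat, so the dev environment presumably still carries the commented-out form; worth confirming that dev is meant to keep whatever default the template supplies. The values do line up with the Justice URLs this commit writes into the environments table in openshift/README.md (https://justice.gov.bc.ca/divorce for PROD, https://test.justice.gov.bc.ca/divorce for TEST), which is the only place that relationship is recorded. A short comment above the pair, e.g. `# Public base URL and path published by the upstream Justice proxy; keep in step with the environments table in README.md`, would stop the two from drifting apart on later edits.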
diff --git a/openshift/edivorce-django-deploy.test.param b/openshift/edivorce-django-deploy.test.param
index cd1a2154..b1aa9108 100644
--- a/openshift/edivorce-django-deploy.test.param
+++ b/openshift/edivorce-django-deploy.test.param
@@ -11,8 +11,8 @@
 # #DJANGO_SECRET_KEY=[\w]{50}
 # IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=test
-# PROXY_URL_PREFIX=/divorce
-# PROXY_BASE_URL=https://test.justice.gov.bc.ca
+PROXY_URL_PREFIX=/divorce
+PROXY_BASE_URL=https://test.justice.gov.bc.ca
 BASICAUTH_ENABLED=True
 # BASICAUTH_USERNAME=divorce
 # BASICAUTH_PASSWORD=[a-zA-Z0-9]{16}
diff --git a/openshift/nginx-proxy-deploy.dev.param b/openshift/nginx-proxy-deploy.dev.param
index 1a63f14d..5d5ad1e8 100644
--- a/openshift/nginx-proxy-deploy.dev.param
+++ b/openshift/nginx-proxy-deploy.dev.param
@@ -6,6 +6,5 @@
 # NAME=nginx-proxy
 # IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=dev
-APPLICATION_DOMAIN=edivorce-dev.pathfinder.gov.bc.ca
 SITEMINDER_APPLICATION_DOMAIN=edivorce-dev.pathfinder.bcgov
 # SITEMINDER_WHITE_LIST=
diff --git a/openshift/nginx-proxy-deploy.param b/openshift/nginx-proxy-deploy.param
index 28f958a3..061908a9 100644
--- a/openshift/nginx-proxy-deploy.param
+++ b/openshift/nginx-proxy-deploy.param
@@ -6,6 +6,5 @@
 NAME=nginx-proxy
 IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=dev
-APPLICATION_DOMAIN=edivorce-dev.pathfinder.gov.bc.ca
 SITEMINDER_APPLICATION_DOMAIN=edivorce-dev.pathfinder.bcgov
 SITEMINDER_WHITE_LIST=
diff --git a/openshift/nginx-proxy-deploy.prod.param b/openshift/nginx-proxy-deploy.prod.param
index e14c0050..ba6c1092 100644
--- a/openshift/nginx-proxy-deploy.prod.param
+++ b/openshift/nginx-proxy-deploy.prod.param
@@ -6,6 +6,5 @@
 # NAME=nginx-proxy
 # IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=prod
-APPLICATION_DOMAIN=edivorce-prod.pathfinder.gov.bc.ca
 SITEMINDER_APPLICATION_DOMAIN=edivorce-prod.pathfinder.bcgov
 # SITEMINDER_WHITE_LIST=
diff --git a/openshift/nginx-proxy-deploy.test.param b/openshift/nginx-proxy-deploy.test.param
index 6f4548bd..2c7c84a2 100644
--- a/openshift/nginx-proxy-deploy.test.param
+++ b/openshift/nginx-proxy-deploy.test.param
@@ -6,6 +6,5 @@
 # NAME=nginx-proxy
 # IMAGE_NAMESPACE=jag-csb-edivorce-tools
 TAG_NAME=test
-APPLICATION_DOMAIN=edivorce-test.pathfinder.gov.bc.ca
 SITEMINDER_APPLICATION_DOMAIN=edivorce-test.pathfinder.bcgov
 # SITEMINDER_WHITE_LIST=
diff --git a/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml b/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
index b1e10dbe..90dd3abc 100644
--- a/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
+++ b/openshift/templates/nginx-proxy/nginx-proxy-deploy.yaml
@@ -83,26 +83,6 @@ objects:
 deploymentconfig: "${NAME}"
 type: ClusterIP
 sessionAffinity: None
-- kind: Route
- apiVersion: v1
- metadata:
- name: "${NAME}"
- creationTimestamp:
- labels:
- app: "${NAME}"
- annotations:
- openshift.io/host.generated: 'true'
- spec:
- host: "${APPLICATION_DOMAIN}"
- to:
- kind: Service
- name: "${NAME}"
- weight: 100
- port:
- targetPort: 8080-tcp
- tls:
- termination: edge
- insecureEdgeTerminationPolicy: Redirect
 - kind: Route
 apiVersion: v1
 metadata:
@@ -147,11 +127,6 @@ parameters:
 description: The TAG name for this environment, e.g., dev, test, prod.
 required: true
 value: "dev"
-- name: APPLICATION_DOMAIN
- displayName: Application Hostname
- description: The exposed hostname that will route to the Django service, if left blank a value will be defaulted.
- required: true
- value: "edivorce-dev.pathfinder.gov.bc.ca"
 - name: SITEMINDER_APPLICATION_DOMAIN
 displayName: SiteMinder Application Domain
 description: The endpoint used for SiteMinder routed access to the application.