From a25f94251bcb95e7595950f3ffe448396e63b404 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:29:28 +0100
Subject: [PATCH 1/8] Add one env file and radixconfig file for each env

---
 .env.c2 | 3 +
 .env.dev | 4 ++
 .env.platform | 3 +
 .env.playground | 3 +
 Makefile | 8 +++
 docker-compose.yml | 4 +-
 proxy/nginx.conf | 41 -----------
 radixconfig.c2.yaml | 138 ++++++++++++++++++++++++++++++++++++
 radixconfig.dev.yaml | 138 ++++++++++++++++++++++++++++++++++++
 radixconfig.platform.yaml | 138 ++++++++++++++++++++++++++++++++++++
 radixconfig.playground.yaml | 138 ++++++++++++++++++++++++++++++++++++
 radixconfig.tpl.yaml | 108 ++++++++++++++++++++++++++++
 12 files changed, 684 insertions(+), 42 deletions(-)
 create mode 100644 .env.c2
 create mode 100644 .env.dev
 create mode 100644 .env.platform
 create mode 100644 .env.playground
 delete mode 100644 proxy/nginx.conf
 create mode 100644 radixconfig.c2.yaml
 create mode 100644 radixconfig.dev.yaml
 create mode 100644 radixconfig.platform.yaml
 create mode 100644 radixconfig.playground.yaml
 create mode 100644 radixconfig.tpl.yaml

diff --git a/.env.c2 b/.env.c2
new file mode 100644
index 000000000..cf0cbd74f
--- /dev/null
+++ b/.env.c2
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=8186a108-135d-478e-af97-e200cb238757
+export OAUTH2_REDIS_QA_HOSTNAME=radix-c2-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-c2-prod.redis.cache.windows.net
diff --git a/.env.dev b/.env.dev
new file mode 100644
index 000000000..52d8fe191
--- /dev/null
+++ b/.env.dev
@@ -0,0 +1,4 @@
+export AZURE_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84
+export OAUTH2_CLIENT_ID=8186a108-135d-478e-af97-e200cb238757
+export OAUTH2_REDIS_QA_HOSTNAME=radix-dev-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-dev-prod.redis.cache.windows.net
diff --git a/.env.platform b/.env.platform
new file mode 100644
index 000000000..449f27353
--- /dev/null
+++ b/.env.platform
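Review bot: The new `.env.c2` holds only an Entra client ID and two Redis hostnames, none of which is secret, but the `.env.*` naming is exactly the convention that `.gitignore` templates and secret scanners treat as a credential file, so nothing tells the next contributor that `OAUTH2_PROXY_CLIENT_SECRET` or a Redis password must not be added here. A first line such as `# Non-secret deployment identifiers only (client IDs, hostnames). Secrets are Radix component secrets and are never committed.` in each of the four files would record that boundary. Because the Makefile loads these with `source`, their contents run as shell, so any future value containing spaces or metacharacters needs quoting.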
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=a593a59c-8f76-490e-937b-a90779039a90
+export OAUTH2_REDIS_QA_HOSTNAME=radix-platform-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-platform-prod.redis.cache.windows.net
diff --git a/.env.playground b/.env.playground
new file mode 100644
index 000000000..517f3f811
--- /dev/null
+++ b/.env.playground
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=a593a59c-8f76-490e-937b-a90779039a90
+export OAUTH2_REDIS_QA_HOSTNAME=radix-playground-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-playground-prod.redis.cache.windows.net
diff --git a/Makefile b/Makefile
index a7ff2cb55..6f8236020 100644
--- a/Makefile
+++ b/Makefile
@@ -71,3 +71,11 @@ run-mac-rebuild:
 down:
 docker compose down
+.PHONY: radixconfigs
+radixconfigs: SHELL:=/bin/bash
+radixconfigs:
+ source .env.dev; envsubst < radixconfig.tpl.yaml > radixconfig.dev.yaml
+ source .env.c2; envsubst < radixconfig.tpl.yaml > radixconfig.c2.yaml
+ source .env.platform; envsubst < radixconfig.tpl.yaml > radixconfig.platform.yaml
+ source .env.playground; envsubst < radixconfig.tpl.yaml > radixconfig.playground.yaml
+
diff --git a/docker-compose.yml b/docker-compose.yml
index a4417ac0c..1d596e260 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -48,6 +48,8 @@ services:
 - radix
 ports:
 - "8080:8080"
+ depends_on:
+ - auth
 auth:
 image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
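Review bot: `.env.playground` sets `AZURE_CLIENT_ID=a593a59c-8f76-490e-937b-a90779039a90`, the same value `.env.platform` uses, while c2 and dev each get their own app registration. If sharing one registration between the platform and playground cluster types is intentional it should be stated in the file, because one registration means one client secret, one redirect-URI list and one consent surface — a redirect URI added for a playground experiment, or a secret leaked there, is equally valid against the platform console. A one-line `# Intentionally shares the app registration with .env.platform` next to the ID records the decision; if it is not intentional, a dedicated registration per cluster type is the safer default.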
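Review bot: Each recipe line calls `envsubst` with no variable list, so every `$NAME` in `radixconfig.tpl.yaml` is expanded and an unset name becomes an empty string with no error — which is what produced `OAUTH2_CLIENT_ID: ""` in the c2, platform and playground outputs of this same commit, since only `.env.dev` exports `OAUTH2_CLIENT_ID`. Restrict the substitution to the intended names and fail on a missing one, e.g. `source .env.c2; : "$${AZURE_CLIENT_ID:?}" "$${OAUTH2_REDIS_QA_HOSTNAME:?}" "$${OAUTH2_REDIS_PROD_HOSTNAME:?}"; envsubst '$$AZURE_CLIENT_ID $$OAUTH2_REDIS_QA_HOSTNAME $$OAUTH2_REDIS_PROD_HOSTNAME' < radixconfig.tpl.yaml > radixconfig.c2.yaml` (Make needs `$$` for a literal `$`), and the same for the other three lines. Because the rendered files are committed, a CI step that runs `make radixconfigs` and then `git diff --exit-code radixconfig.*.yaml` would catch template and outputs drifting apart; they already differ in this commit, as the rendered files contain an `auth` component that `radixconfig.tpl.yaml` does not define.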
@@ -70,7 +72,7 @@ services:
 - OAUTH2_PROXY_PROVIDER=oidc
 - OAUTH2_PROXY_REDIRECT_URL=http://localhost:8000/oauth2/callback
 - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://auth-state:6379
- - OAUTH2_PROXY_SCOPE=openid profile offline_access ${API_RESOURCE_ID}/user.read email # offline_access scope needed to get refresh token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1
+ - OAUTH2_PROXY_SCOPE=openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email # offline_access scope needed to get refresh token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1
 - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
 - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
 - OAUTH2_PROXY_UPSTREAMS=http://proxy:8080
diff --git a/proxy/nginx.conf b/proxy/nginx.conf
deleted file mode 100644
index 3245a81c8..000000000
--- a/proxy/nginx.conf
+++ /dev/null
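Review bot: Replacing `${API_RESOURCE_ID}` with the literal `6dae42f8-4368-4678-94ff-3960e28e3630` in `OAUTH2_PROXY_SCOPE` removes the only knob that let a local compose stack request an access token for a different API audience, and the GUID now has to be kept in sync by hand with the identical literal in the `scope:` of every radixconfig file added in this commit. Compose interpolation supports defaults, so `${API_RESOURCE_ID:-6dae42f8-4368-4678-94ff-3960e28e3630}` keeps the new zero-config behaviour while still allowing an override, and a short comment naming which app registration this GUID identifies would save the next reader a directory lookup. The `auth` service definition begins and ends outside this hunk.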
@@ -1,41 +0,0 @@ -events { - worker_connections 1024; -} -http { - include /etc/nginx/mime.types; - - server { - large_client_header_buffers 4 32k; # Required for OAuth2 Proxy - - listen 80; - root /app; - gzip on; - gzip_types text/css application/javascript image/svg+xml text/plain; - error_page 500 502 503 504 /50x.html; - - location /api/ { - proxy_pass https://server-radix-api-${RADIX_ENVIRONMENT}.${RADIX_CLUSTERNAME}.${RADIX_DNS_ZONE}; - proxy_set_header Authorization "Bearer $http_x_forwarded_access_token"; - proxy_set_header x-forwarded-access-token ""; - } - - location /uptime/ { - proxy_pass https://uptime.ext-mon.radix.equinor.com/; - } - - location /cost-api/ { - proxy_pass https://server-radix-cost-allocation-api-${RADIX_ENVIRONMENT}.${RADIX_CLUSTERNAME}.${RADIX_DNS_ZONE}/api/v1/; - proxy_set_header Authorization "Bearer $http_x_forwarded_access_token"; - proxy_set_header x-forwarded-access-token ""; - } - - location / { - try_files $uri /index.html; - } - - location = /50x.html { - sub_filter_once on; - sub_filter HTTP_STATUS_CODE $status; - } - } -} diff --git a/radixconfig.c2.yaml b/radixconfig.c2.yaml new file mode 100644 index 000000000..352377250 --- /dev/null +++ b/radixconfig.c2.yaml 
@@ -0,0 +1,138 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "" + authentication: + oauth2: + clientId: "8186a108-135d-478e-af97-e200cb238757" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-c2-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - 
environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - name: auth + readOnlyFileSystem: true + image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + ports: + - name: http + port: 8000 + publicPort: http + runtime: + architecture: arm64 + secrets: + - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster + - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'` + - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret + - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component) + variables: + OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. 
Default for azure ad is currently 60m + OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted + OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on + OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID + OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true" + OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component) + OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default + OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default + OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly + OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big) + OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect + OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx) + environmentConfig: + - environment: qa + resources: + requests: + cpu: "30m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml new file mode 100644 index 000000000..ef2fb815f --- /dev/null +++ b/radixconfig.dev.yaml 
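Review bot: `redisStore.connectionUrl` is set once at component level to `rediss://radix-c2-qa.redis.cache.windows.net:6380` and neither environment overrides it, so the prod environment's oauth2 sessions — which with `offline_access` in the scope include refresh tokens — would be stored in the QA Redis; `.env.c2` defines `OAUTH2_REDIS_PROD_HOSTNAME` but nothing in this file consumes it, and the dev, platform and playground files in this commit have the same shape. Radix lets `authentication.oauth2` be overridden per environment (confirm against the current radixconfig schema), so the prod entry should carry its own cache as below. Separately, this rendered file still defines a full `auth` oauth2-proxy component with `publicPort: http` in front of a `web` component that already has Radix-managed oauth2, while `radixconfig.tpl.yaml` in this same commit has no `auth` component, so this file was not produced by the new `make radixconfigs` target and the two will keep diverging until one of them is made the source of truth.

```yaml
      environmentConfig:
        # … unchanged: qa (uses the component-level radix-c2-qa redisStore) …
        - environment: prod
          replicas: 2
          authentication:
            oauth2:
              redisStore:
                connectionUrl: rediss://radix-c2-prod.redis.cache.windows.net:6380
          # … unchanged: prod resources …
```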
@@ -0,0 +1,138 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "8186a108-135d-478e-af97-e200cb238757" + authentication: + oauth2: + clientId: "5687b237-eda3-4ec3-a2a1-023e85a2bd84" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-dev-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - 
Friday + desiredReplicas: 1 + - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - name: auth + readOnlyFileSystem: true + image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + ports: + - name: http + port: 8000 + publicPort: http + runtime: + architecture: arm64 + secrets: + - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster + - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'` + - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret + - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component) + variables: + OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. 
Default for azure ad is currently 60m + OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted + OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on + OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID + OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true" + OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component) + OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default + OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default + OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly + OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big) + OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect + OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx) + environmentConfig: + - environment: qa + resources: + requests: + cpu: "30m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.platform.yaml b/radixconfig.platform.yaml new file mode 100644 index 000000000..55947804f --- /dev/null +++ b/radixconfig.platform.yaml 
@@ -0,0 +1,138 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "" + authentication: + oauth2: + clientId: "a593a59c-8f76-490e-937b-a90779039a90" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-platform-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + 
- environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - name: auth + readOnlyFileSystem: true + image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + ports: + - name: http + port: 8000 + publicPort: http + runtime: + architecture: arm64 + secrets: + - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster + - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'` + - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret + - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component) + variables: + OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. 
Default for azure ad is currently 60m + OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted + OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on + OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID + OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true" + OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component) + OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default + OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default + OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly + OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big) + OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect + OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx) + environmentConfig: + - environment: qa + resources: + requests: + cpu: "30m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.playground.yaml b/radixconfig.playground.yaml new file mode 100644 index 000000000..9e29107f2 --- /dev/null +++ b/radixconfig.playground.yaml 
@@ -0,0 +1,138 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "" + authentication: + oauth2: + clientId: "a593a59c-8f76-490e-937b-a90779039a90" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-playground-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 
+ - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - name: auth + readOnlyFileSystem: true + image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + ports: + - name: http + port: 8000 + publicPort: http + runtime: + architecture: arm64 + secrets: + - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster + - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'` + - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info + - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret + - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component) + variables: + OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. 
Default for azure ad is currently 60m + OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted + OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on + OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID + OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true" + OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component) + OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default + OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default + OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly + OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big) + OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect + OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx) + environmentConfig: + - environment: qa + resources: + requests: + cpu: "30m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.tpl.yaml b/radixconfig.tpl.yaml new file mode 100644 index 000000000..99923b177 --- /dev/null +++ b/radixconfig.tpl.yaml 
@@ -0,0 +1,108 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "${OAUTH2_CLIENT_ID}" + authentication: + oauth2: + clientId: "${AZURE_CLIENT_ID}" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://${OAUTH2_REDIS_QA_HOSTNAME}:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - 
environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + environmentConfig: + - environment: qa + resources: + requests: + cpu: "30m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" From 2fd1d53c493947b742057e37946d005a87eb2141 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Fri, 6 Dec 2024 15:32:39 +0100 Subject: [PATCH 2/8] same oauth client id in frontend and oauth2 --- .env.dev | 1 - radixconfig.c2.yaml | 32 +------------------------------- radixconfig.dev.yaml | 32 +------------------------------- radixconfig.platform.yaml | 32 +------------------------------- radixconfig.playground.yaml | 32 +------------------------------- radixconfig.tpl.yaml | 2 +- 6 files changed, 5 insertions(+), 126 deletions(-) diff --git a/.env.dev b/.env.dev index 52d8fe191..3f2ac4373 100644 --- a/.env.dev +++ b/.env.dev @@ -1,4 +1,3 @@ export AZURE_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84 -export OAUTH2_CLIENT_ID=8186a108-135d-478e-af97-e200cb238757 export OAUTH2_REDIS_QA_HOSTNAME=radix-dev-qa.redis.cache.windows.net export OAUTH2_REDIS_PROD_HOSTNAME=radix-dev-prod.redis.cache.windows.net diff --git a/radixconfig.c2.yaml b/radixconfig.c2.yaml index 352377250..81a94a3c8 100644 --- a/radixconfig.c2.yaml +++ b/radixconfig.c2.yaml 
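Review bot: Right after the `web` component's `environmentConfig` (qa 20m/50m, prod with `replicas: 2`) the template continues with a second `environmentConfig:` block (qa 30m/100m, prod 50m/100Mi) that is the remnant of the `auth` component the template otherwise never declares; indentation is not preserved in this rendering, but there is no `- name:` between the two, so it is either a duplicate `environmentConfig` key inside `web` — most YAML loaders silently keep the last one, so `web` would get the oauth2-proxy resource values and lose `replicas: 2` — or a stray key the Radix schema rejects. Delete the second block. Only `${OAUTH2_REDIS_QA_HOSTNAME}` is referenced, so the `OAUTH2_REDIS_PROD_HOSTNAME` every `.env.*` file exports is never rendered and prod would share the QA session store; add a per-environment `authentication.oauth2.redisStore.connectionUrl: rediss://${OAUTH2_REDIS_PROD_HOSTNAME}:6380` override under `- environment: prod`. Both `${OAUTH2_CLIENT_ID}` and `${AZURE_CLIENT_ID}` render as `""` when the sourced `.env` file lacks them, so a header comment listing the variables this template requires (`# Requires: AZURE_CLIENT_ID, OAUTH2_CLIENT_ID, OAUTH2_REDIS_QA_HOSTNAME, OAUTH2_REDIS_PROD_HOSTNAME`) would make the contract explicit.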
@@ -41,7 +41,7 @@ spec: SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma CLUSTER_OIDC_ISSUER_URL: "" CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" - OAUTH2_CLIENT_ID: "" + OAUTH2_CLIENT_ID: "8186a108-135d-478e-af97-e200cb238757" authentication: oauth2: clientId: "8186a108-135d-478e-af97-e200cb238757" 
@@ -79,36 +79,6 @@ spec: limits: cpu: "100m" memory: "50Mi" - - name: auth - readOnlyFileSystem: true - image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md - ports: - - name: http - port: 8000 - publicPort: http - runtime: - architecture: arm64 - secrets: - - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info - - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster - - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'` - - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info - - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info - - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret - - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component) - variables: - OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. 
Default for azure ad is currently 60m - OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted - OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on - OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID - OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true" - OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component) - OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default - OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default - OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly - OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big) - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect - OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx) environmentConfig: - environment: qa resources: diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml index ef2fb815f..54206f22b 100644 --- a/radixconfig.dev.yaml +++ b/radixconfig.dev.yaml @@ -41,7 +41,7 @@ spec: SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma CLUSTER_OIDC_ISSUER_URL: "" CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" - OAUTH2_CLIENT_ID: "8186a108-135d-478e-af97-e200cb238757" + OAUTH2_CLIENT_ID: "5687b237-eda3-4ec3-a2a1-023e85a2bd84" authentication: oauth2: clientId: "5687b237-eda3-4ec3-a2a1-023e85a2bd84" 
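Review bot: The deletion of the `auth` component stops at `OAUTH2_PROXY_UPSTREAMS`, so the component's `environmentConfig:` (qa 30m/100m, prod 50m/100Mi) survives as the context lines directly after the `web` component's own `environmentConfig`; with no `- name:` between them this is a duplicate `environmentConfig` key inside `web` — a loader that accepts duplicates keeps the last one, so `web` would silently take the oauth2-proxy resource values and lose `replicas: 2` for prod — or a schema error if the indentation differs. The removal should extend through the end of the old `auth` block (its trailing `memory: "100Mi"`), and the same leftover is present in the dev, platform and playground hunks of this commit. Nothing in the visible hunks gives `web` the `publicPort: http` that the deleted `auth` component carried, so unless a later patch in the series adds `publicPort: http` to `web`, the console would no longer be exposed through the Radix oauth2 sidecar at all.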
@@ -79,36 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- - name: auth
- readOnlyFileSystem: true
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
- ports:
- - name: http
- port: 8000
- publicPort: http
- runtime:
- architecture: arm64
- secrets:
- - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster
- - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'`
- - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret
- - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component)
- variables:
- OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed.
Default for azure ad is currently 60m
- OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted
- OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on
- OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID
- OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true"
- OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component)
- OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default
- OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default
- OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly
- OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big)
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect
- OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx)
 environmentConfig:
 - environment: qa
 resources:
diff --git a/radixconfig.platform.yaml b/radixconfig.platform.yaml
index 55947804f..9b1376168 100644
--- a/radixconfig.platform.yaml
+++ b/radixconfig.platform.yaml
@@ -41,7 +41,7 @@ spec:
 SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma
 CLUSTER_OIDC_ISSUER_URL: ""
 CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
- OAUTH2_CLIENT_ID: ""
+ OAUTH2_CLIENT_ID: "a593a59c-8f76-490e-937b-a90779039a90"
 authentication:
 oauth2:
 clientId: "a593a59c-8f76-490e-937b-a90779039a90"
@@ -79,36 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- - name: auth
- readOnlyFileSystem: true
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
- ports:
- - name: http
- port: 8000
- publicPort: http
- runtime:
- architecture: arm64
- secrets:
- - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster
- - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'`
- - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret
- - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component)
- variables:
- OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed.
Default for azure ad is currently 60m
- OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted
- OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on
- OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID
- OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true"
- OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component)
- OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default
- OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default
- OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly
- OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big)
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect
- OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx)
 environmentConfig:
 - environment: qa
 resources:
diff --git a/radixconfig.playground.yaml b/radixconfig.playground.yaml
index 9e29107f2..3916228f0 100644
--- a/radixconfig.playground.yaml
+++ b/radixconfig.playground.yaml
@@ -41,7 +41,7 @@ spec:
 SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma
 CLUSTER_OIDC_ISSUER_URL: ""
 CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
- OAUTH2_CLIENT_ID: ""
+ OAUTH2_CLIENT_ID: "a593a59c-8f76-490e-937b-a90779039a90"
 authentication:
 oauth2:
 clientId: "a593a59c-8f76-490e-937b-a90779039a90"
@@ -79,36 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- - name: auth
- readOnlyFileSystem: true
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
- ports:
- - name: http
- port: 8000
- publicPort: http
- runtime:
- architecture: arm64
- secrets:
- - OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster
- - OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'`
- - OAUTH2_PROXY_REDIRECT_URL # Should be "https:///oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access /user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info
- - OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret
- - OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component)
- variables:
- OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed.
Default for azure ad is currently 60m
- OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted
- OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on
- OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID
- OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true"
- OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component)
- OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default
- OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default
- OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly
- OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big)
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect
- OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx)
 environmentConfig:
 - environment: qa
 resources:
diff --git a/radixconfig.tpl.yaml b/radixconfig.tpl.yaml
index 99923b177..5827d29c5 100644
--- a/radixconfig.tpl.yaml
+++ b/radixconfig.tpl.yaml
@@ -41,7 +41,7 @@ spec:
 SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma
 CLUSTER_OIDC_ISSUER_URL: ""
 CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
- OAUTH2_CLIENT_ID: "${OAUTH2_CLIENT_ID}"
+ OAUTH2_CLIENT_ID: "${AZURE_CLIENT_ID}"
 authentication:
 oauth2:
 clientId: "${AZURE_CLIENT_ID}"
From 4330f8193969d0e6990a76ebb147e714f2f0af00 Mon Sep 17 00:00:00 2001
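Review bot: The template now renders `OAUTH2_CLIENT_ID` from `${AZURE_CLIENT_ID}`, and the removed lines in the platform and playground hunks of this same commit show the previous `${OAUTH2_CLIENT_ID}` had been rendered as `""` there — presumably because `envsubst` silently substitutes an empty string for any variable the sourced `.env.*` file does not export, so a missing client ID ships as a valid-looking but empty value. The `radixconfigs` recipe that does the rendering lives in the Makefile outside this hunk; I would make it fail on a missing value, e.g. `: "${AZURE_CLIENT_ID:?not set}"` before each `envsubst` line, or restrict substitution to a named list with `envsubst '${AZURE_CLIENT_ID} …'` so unset names and stray `$` in the template are never expanded. If any `.env.*` file still exports a separate `OAUTH2_CLIENT_ID`, it is now dead and should be dropped so the variable and `clientId` cannot silently diverge again.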
From: Richard87
Date: Fri, 6 Dec 2024 15:38:52 +0100
Subject: [PATCH 3/8] remove old envconfig
---
 radixconfig.c2.yaml | 19 -------------------
 radixconfig.dev.yaml | 19 -------------------
 radixconfig.platform.yaml | 19 -------------------
 radixconfig.playground.yaml | 19 -------------------
 radixconfig.tpl.yaml | 19 -------------------
 5 files changed, 95 deletions(-)
diff --git a/radixconfig.c2.yaml b/radixconfig.c2.yaml
index 81a94a3c8..82b1e4d0d 100644
--- a/radixconfig.c2.yaml
+++ b/radixconfig.c2.yaml
@@ -79,25 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- environmentConfig:
- - environment: qa
- resources:
- requests:
- cpu: "30m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- horizontalScaling:
- maxReplicas: 1
- minReplicas: 0
- triggers:
- - name: cron
- cron:
- timezone: Europe/Oslo
- start: 0 7 * * 1-5 # 07:00 Monday - Friday
- end: 0 17 * * 1-5 # 17:00 Monday - Friday
- desiredReplicas: 1
 - environment: prod
 resources:
 requests:
diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml
index 54206f22b..68951b583 100644
--- a/radixconfig.dev.yaml
+++ b/radixconfig.dev.yaml
@@ -79,25 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- environmentConfig:
- - environment: qa
- resources:
- requests:
- cpu: "30m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- horizontalScaling:
- maxReplicas: 1
- minReplicas: 0
- triggers:
- - name: cron
- cron:
- timezone: Europe/Oslo
- start: 0 7 * * 1-5 # 07:00 Monday - Friday
- end: 0 17 * * 1-5 # 17:00 Monday - Friday
- desiredReplicas: 1
 - environment: prod
 resources:
 requests:
diff --git a/radixconfig.platform.yaml b/radixconfig.platform.yaml
index 9b1376168..266cf13a8 100644
--- a/radixconfig.platform.yaml
+++ b/radixconfig.platform.yaml
@@ -79,25 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- environmentConfig:
- - environment: qa
- resources:
- requests:
- cpu: "30m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- horizontalScaling:
- maxReplicas: 1
- minReplicas: 0
- triggers:
- - name: cron
- cron:
- timezone: Europe/Oslo
- start: 0 7 * * 1-5 # 07:00 Monday - Friday
- end: 0 17 * * 1-5 # 17:00 Monday - Friday
- desiredReplicas: 1
 - environment: prod
 resources:
 requests:
diff --git a/radixconfig.playground.yaml b/radixconfig.playground.yaml
index 3916228f0..607f8628c 100644
--- a/radixconfig.playground.yaml
+++ b/radixconfig.playground.yaml
@@ -79,25 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- environmentConfig:
- - environment: qa
- resources:
- requests:
- cpu: "30m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- horizontalScaling:
- maxReplicas: 1
- minReplicas: 0
- triggers:
- - name: cron
- cron:
- timezone: Europe/Oslo
- start: 0 7 * * 1-5 # 07:00 Monday - Friday
- end: 0 17 * * 1-5 # 17:00 Monday - Friday
- desiredReplicas: 1
 - environment: prod
 resources:
 requests:
diff --git a/radixconfig.tpl.yaml b/radixconfig.tpl.yaml
index 5827d29c5..0304a96ae 100644
--- a/radixconfig.tpl.yaml
+++ b/radixconfig.tpl.yaml
@@ -79,25 +79,6 @@ spec:
 limits:
 cpu: "100m"
 memory: "50Mi"
- environmentConfig:
- - environment: qa
- resources:
- requests:
- cpu: "30m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- horizontalScaling:
- maxReplicas: 1
- minReplicas: 0
- triggers:
- - name: cron
- cron:
- timezone: Europe/Oslo
- start: 0 7 * * 1-5 # 07:00 Monday - Friday
- end: 0 17 * * 1-5 # 17:00 Monday - Friday
- desiredReplicas: 1
 - environment: prod
 resources:
 requests:
From e6f1bd467226edcf914748c1f21b0a390a8f8a0b Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:40:58 +0100
Subject: [PATCH 4/8] fix public port
---
 radixconfig.c2.yaml | 1 +
 radixconfig.dev.yaml | 1 +
 radixconfig.platform.yaml | 1 +
 radixconfig.playground.yaml | 1 +
 radixconfig.tpl.yaml | 1 +
 5 files changed, 5 insertions(+)
diff --git a/radixconfig.c2.yaml b/radixconfig.c2.yaml
index 82b1e4d0d..e0778952b 100644
--- a/radixconfig.c2.yaml
+++ b/radixconfig.c2.yaml
@@ -32,6 +32,7 @@ spec:
 ports:
 - name: http
 port: 8080
+ publicPort: http
 runtime:
 architecture: arm64
 variables:
diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml
index 68951b583..1a5bfbbda 100644
--- a/radixconfig.dev.yaml
+++ b/radixconfig.dev.yaml
@@ -32,6 +32,7 @@ spec:
 ports:
 - name: http
 port: 8080
+ publicPort: http
 runtime:
 architecture: arm64
 variables:
diff --git a/radixconfig.platform.yaml b/radixconfig.platform.yaml
index 266cf13a8..2e24d93db 100644
--- a/radixconfig.platform.yaml
+++ b/radixconfig.platform.yaml
@@ -32,6 +32,7 @@ spec:
 ports:
 - name: http
 port: 8080
+ publicPort: http
 runtime:
 architecture: arm64
 variables:
diff --git a/radixconfig.playground.yaml b/radixconfig.playground.yaml
index 607f8628c..fd10f2ed4 100644
--- a/radixconfig.playground.yaml
+++ b/radixconfig.playground.yaml
@@ -32,6 +32,7 @@ spec:
 ports:
 - name: http
 port: 8080
+ publicPort: http
 runtime:
 architecture: arm64
 variables:
diff --git a/radixconfig.tpl.yaml b/radixconfig.tpl.yaml
index 0304a96ae..d21b92915 100644
--- a/radixconfig.tpl.yaml
+++ b/radixconfig.tpl.yaml
@@ -32,6 +32,7 @@ spec:
 ports:
 - name: http
 port: 8080
+ publicPort: http
 runtime:
 architecture: arm64
 variables:
From 0d8d884b7fc008a930ba6e5962d126ef48b996e3 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:42:20 +0100
Subject: [PATCH 5/8] fix generate
---
 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Makefile b/Makefile
index 6f8236020..8ce03d290 100644
--- a/Makefile
+++ b/Makefile
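Review bot: `publicPort: http` makes the `web` component the internet-facing endpoint of this app, and the earlier commit in this series removed the oauth2-proxy `auth` component that previously owned the public port and forwarded only authenticated traffic to `http://web:8080`; the only thing now in front of nginx is the `authentication.oauth2` block that appears as context in the `-41,7` hunks, which I cannot see in full here. Please confirm that block applies to this same `web` component in every environment and is not overridden or disabled per environment, otherwise the console is served without a login. The removed proxy also fixed an email-domain policy, passed the access token upstream and kept sessions in Redis; if the web tier relied on any of those, the built-in configuration needs an equivalent, and a short comment next to the new line, `publicPort: http  # exposed directly; login is enforced by the authentication.oauth2 block on this component`, would record why the proxy is gone. The same applies to the dev, platform, playground and tpl hunks on this line; the tpl file is the one to fix, the others are generated.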
@@ -79,3 +79,9 @@ radixconfigs:
 source .env.platform; envsubst < radixconfig.tpl.yaml > radixconfig.platform.yaml
 source .env.playground; envsubst < radixconfig.tpl.yaml > radixconfig.playground.yaml
+.PHONY: generate
+generate: radixconfigs
+
+.PHONY: verify-generate
+verify-generate: generate
+ git diff --exit-code
From 28fc8d6beeb048d2854b1a213ae695422112d7a5 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:45:46 +0100
Subject: [PATCH 6/8] add pr test
---
 .github/workflows/radix-web-console-pr.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/radix-web-console-pr.yml b/.github/workflows/radix-web-console-pr.yml
index 39f231044..1bb157c95 100644
--- a/.github/workflows/radix-web-console-pr.yml
+++ b/.github/workflows/radix-web-console-pr.yml
@@ -53,6 +53,13 @@ jobs:
 validate-radixconfig:
 name: Test RadixConfig
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ env:
+ - dev
+ - c2
+ - playground
+ - platform
 steps:
 - name: 'Fake TOKEN FOR RADIX CLI'
 run: echo "APP_SERVICE_ACCOUNT_TOKEN=dummy" >> $GITHUB_ENV
@@ -60,4 +67,13 @@ jobs:
 - name: 'Validate'
 uses: equinor/radix-github-actions@v1
 with:
- args: validate radix-config --config-file radixconfig.yaml
+ args: validate radix-config --config-file radixconfig.${{matrix.env}}.yaml
+
+ verify-code-generation:
+ name: Verify Code Generation
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Verify Code Generation
+ run: |
+ make verify-generate
From 4afd001cfe050b9f2551b998845eaa0298987fd0 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:48:09 +0100
Subject: [PATCH 7/8] fix space
---
 .github/workflows/radix-web-console-pr.yml | 2 +-
 radixconfig.dev.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/radix-web-console-pr.yml b/.github/workflows/radix-web-console-pr.yml
index 1bb157c95..bad762390 100644
--- a/.github/workflows/radix-web-console-pr.yml
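Review bot: `git diff --exit-code` in the new `verify-generate` target fails on any modified tracked file in the tree, not only on the regenerated outputs, and it never notices an untracked file that generation might create; scope it to the generated files, `git diff --exit-code -- radixconfig.*.yaml`, and add a `git status --porcelain -- radixconfig.*.yaml` check if new output files are ever expected. The `radixconfigs` recipe shown as context renders an unset variable as an empty string, so this target catches drift between template and outputs but not a value missing from an `.env.*` file. `generate` has no recipe of its own; a comment above it, `# generate: render radixconfig.*.yaml from radixconfig.tpl.yaml and the matching .env.* file`, would make the target discoverable from `make` help-style listings.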
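Review bot: The new `verify-code-generation` job references `actions/checkout@v4` by mutable tag, as the existing `validate-radixconfig` job does with `equinor/radix-github-actions@v1`; for a job whose purpose is to regenerate configuration and compare it to the checked-in files, pinning to a full commit SHA (`actions/checkout@<sha>  # v4`, placeholder) removes the tag-retarget path in the supply chain and is the pattern the rest of the file should move to. The job also declares no `permissions:`; `make verify-generate` only needs a read-only checkout, so `permissions: contents: read` at job level keeps the default token from carrying write scopes. `make verify-generate` depends on `envsubst` being present on the runner, which appears to hold on current `ubuntu-latest` images but is worth a comment above the step, `# needs envsubst (gettext) on the runner`. The `${{matrix.env}}` value in the `args:` line comes from the fixed list in the matrix, so there is no expression-injection concern there.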
+++ b/.github/workflows/radix-web-console-pr.yml
@@ -11,7 +11,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Build docker image
 env:
- REF: ${{ github. sha }}
+ REF: ${{ github.sha }}
 run: docker build -t radix-web-console:${REF##*/} .
 test:
diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml
index 1a5bfbbda..da50880cf 100644
--- a/radixconfig.dev.yaml
+++ b/radixconfig.dev.yaml
@@ -43,6 +43,7 @@ spec:
 CLUSTER_OIDC_ISSUER_URL: ""
 CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
 OAUTH2_CLIENT_ID: "5687b237-eda3-4ec3-a2a1-023e85a2bd84"
+ Hell oworld
 authentication:
 oauth2:
 clientId: "5687b237-eda3-4ec3-a2a1-023e85a2bd84"
From a685c21e46e10d4069b036d09a7107d37995c3b2 Mon Sep 17 00:00:00 2001
From: Richard87
Date: Fri, 6 Dec 2024 15:48:53 +0100
Subject: [PATCH 8/8] fix space
---
 radixconfig.dev.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml
index da50880cf..1a5bfbbda 100644
--- a/radixconfig.dev.yaml
+++ b/radixconfig.dev.yaml
@@ -43,7 +43,6 @@ spec:
 CLUSTER_OIDC_ISSUER_URL: ""
 CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
 OAUTH2_CLIENT_ID: "5687b237-eda3-4ec3-a2a1-023e85a2bd84"
- Hell oworld
 authentication:
 oauth2:
 clientId: "5687b237-eda3-4ec3-a2a1-023e85a2bd84"
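Review bot: The `+ Hell oworld` line in the radixconfig.dev.yaml hunk of PATCH 7/8 is a stray hand edit to a generated file: it is not a `key: value` entry under `variables:`, so the file would not parse, and because the dev file is rendered from radixconfig.tpl.yaml by `make radixconfigs`, the `verify-generate` check added earlier in this series would reject it. PATCH 8/8 removes the line again, so the two commits should be squashed before merge rather than leaving an unparsable revision of a deployment config in history. The `github. sha` → `github.sha` correction in the workflow hunk is a real fix and deserves its own subject line instead of the "fix space" shared with the stray edit.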