Merge branch 'dev'

.gitignore

@@ -5,4 +5,5 @@ node/
 yarn.lock
 .vscode
 *.csv
-*.rdb
+*.rdb
+**/*.pyc

deployment/prod/configmaps/nginx.yaml

@@ -0,0 +1,81 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: nginx
+  namespace: cmsrunregistry
+  labels:
+    app: nginx
+data:
+  nginx.conf: |
+    # sso-proxy.conf
+
+    # Disable buffering for an authenticating proxy
+    proxy_buffering off;
+    # Allow big headers (oauth2-proxy cookies) - OKD routers allow headers up to 32k
+    proxy_buffer_size          32k;
+    proxy_buffers              8 64k;
+    proxy_busy_buffers_size    64k;
+    # Do not restrict upload size (consider setting a limit here if application does not need large request bodies)
+    client_max_body_size 0;
+
+    location /oauth2/ {
+        proxy_pass       http://cern-auth-proxy:4180;    # TODO: must match the Release name used to deploy the cern-auth-proxy service
+        proxy_set_header Host                    $host;
+        proxy_set_header X-Scheme                $scheme;
+        proxy_set_header X-Auth-Request-Redirect $request_uri;
+    }
+
+    location /api/ {
+        auth_request /oauth2/auth;
+        error_page 401 = /oauth2/start;
+
+        # Capture the authentication headers set by cern-auth-proxy during the authentication subrequest
+        # (headers available iff oauth2-proxy runs with --set-xauthrequest flag)
+        auth_request_set $user               $upstream_http_x_auth_request_user;       # captures X-Auth-Request-User into $user
+        auth_request_set $email              $upstream_http_x_auth_request_email;      # captures X-Auth-Request-Email into $email
+        auth_request_set $groups             $upstream_http_x_auth_request_groups;     # captures X-Auth-Request-Groups into $groups
+        auth_request_set $preferredUsername  $upstream_http_x_auth_request_preferred_username; # captures X-Auth-Request-Preferred-Username
+
+        proxy_set_header X-Forwarded-User  $user; # pass the authenticated user as X-Forwarded-User (like cern-auth-proxy does)
+        proxy_set_header X-Remote-User     $user; # pass the authenticated user as X-Remote-User (like old SSO proxy used to do)
+        # Headers checked by the frontend, passed to the backend
+        proxy_set_header id                $user;
+        proxy_set_header email             $email;
+        proxy_set_header egroups           $groups;
+        proxy_set_header displayname       $preferredUsername;
+
+        proxy_pass http://runregistry-backend:9500/;
+        proxy_read_timeout 500s;  # Backend may take a long time to respond for some queries
+        proxy_connect_timeout 500s;
+        proxy_send_timeout 500s;
+    }
+
+    location = /logout {
+        return 301 https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/logout;
+    }
+
+    location / {
+      auth_request /oauth2/auth;
+      error_page 401 = /oauth2/start;
+
+      # Capture the authentication headers set by cern-auth-proxy during the authentication subrequest
+      # (headers available iff oauth2-proxy runs with --set-xauthrequest flag)
+      auth_request_set $user               $upstream_http_x_auth_request_user;       # captures X-Auth-Request-User into $user
+      auth_request_set $email              $upstream_http_x_auth_request_email;      # captures X-Auth-Request-Email into $email
+      auth_request_set $groups             $upstream_http_x_auth_request_groups;     # captures X-Auth-Request-Groups into $groups
+      auth_request_set $preferredUsername  $upstream_http_x_auth_request_preferred_username; # captures X-Auth-Request-Preferred-Username
+
+      proxy_set_header X-Forwarded-User  $user; # pass the authenticated user as X-Forwarded-User (like cern-auth-proxy does)
+      proxy_set_header X-Remote-User     $user; # pass the authenticated user as X-Remote-User (like old SSO proxy used to do)
+      proxy_set_header id                $user;
+      proxy_set_header email             $email;
+      proxy_set_header egroups           $groups;
+      proxy_set_header displayname       $preferredUsername;
+
+      proxy_read_timeout 500s;
+      proxy_connect_timeout 500s;
+      proxy_send_timeout 500s;
+
+      proxy_pass http://runregistry-frontend:7001/;
+
+    }

deployment/prod/deployments/backend.yaml

@@ -0,0 +1,67 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: runregistry-backend
+  namespace: cmsrunregistry
+  labels:
+    app: runregistry-backend
+    app.kubernetes.io/component: runregistry-backend
+    app.kubernetes.io/instance: runregistry-backend
+    app.kubernetes.io/name: runregistry-backend
+    app.kubernetes.io/part-of: runregistry
+    app.openshift.io/runtime-namespace: cmsrunregistry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: runregistry-backend
+  template:
+    metadata:
+      labels:
+        app: runregistry-backend
+        deployment: runregistry-backend
+    spec:
+      volumes:
+        - name: secret-volume
+          secret:
+            secretName: grid-cert-secret
+      containers:
+        - name: runregistry-backend
+          resources:
+            requests:
+              memory: 512Mi
+            limits:
+              memory: 2Gi
+          command:
+            - npm
+            - run
+            - kubernetes
+          envFrom:
+            - secretRef:
+                name: runregistry-backend-secret
+          env:
+            # Map automatically-generated redis pass to
+            # an env variable
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: redis
+                  key: database-password
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: secret-volume
+              readOnly: true
+              mountPath: "/usr/src/app/certs/"
+          image: >-
+            image-registry.openshift-image-registry.svc:5000/cmsrunregistry/runregistry-backend:latest
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

deployment/prod/deployments/frontend.yaml

@@ -0,0 +1,50 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: runregistry-frontend
+  namespace: cmsrunregistry
+  labels:
+    app: runregistry-frontend
+    app.kubernetes.io/component: runregistry-frontend
+    app.kubernetes.io/instance: runregistry-frontend
+    app.kubernetes.io/name: runregistry-frontend
+    app.kubernetes.io/part-of: runregistry
+    app.openshift.io/runtime-namespace: cmsrunregistry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: runregistry-frontend
+  template:
+    metadata:
+      labels:
+        app: runregistry-frontend
+        deployment: runregistry-frontend
+    spec:
+      containers:
+        - name: runregistry-frontend
+          resources:
+            requests:
+              memory: 256Mi
+            limits:
+              memory: 1024Mi
+          command:
+            - npm
+            - start
+          envFrom:
+            - secretRef:
+                name: runregistry-frontend-secret
+          imagePullPolicy: Always
+          image: >-
+            image-registry.openshift-image-registry.svc:5000/cmsrunregistry/runregistry-frontend:latest
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

deployment/prod/deployments/nginx.yaml

@@ -0,0 +1,64 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: nginx
+  namespace: cmsrunregistry
+  labels:
+    app: nginx
+    app.kubernetes.io/component: nginx
+    app.kubernetes.io/instance: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      deployment: nginx
+  template:
+    metadata:
+      labels:
+        deployment: nginx
+    spec:
+      volumes:
+        - name: nginx-default-d
+          configMap:
+            name: nginx
+            defaultMode: 420
+      containers:
+        - resources:
+            limits:
+              cpu: "1"
+              memory: 150Mi
+            requests:
+              cpu: 20m
+              memory: 30Mi
+          terminationMessagePath: /dev/termination-log
+          name: nginx
+          command:
+            - /usr/libexec/s2i/run
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+            - containerPort: 8443
+              protocol: TCP
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: nginx-default-d
+              mountPath: /opt/app-root/etc/nginx.default.d
+          terminationMessagePolicy: File
+          image: "image-registry.openshift-image-registry.svc:5000/openshift/nginx@sha256:77076b4757a344ccc3d133de9c44d7d2af0935e19d4e9cefbd1b42815d08df84"
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600
+status:
+  observedGeneration: 6
+  replicas: 1
+  updatedReplicas: 1
+  unavailableReplicas: 1

deployment/prod/image_stream.yaml

@@ -0,0 +1,36 @@
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: runregistry-backend
+  namespace: cmsrunregistry
+spec:
+  lookupPolicy:
+    local: false
+  tags:
+    - name: latest
+      annotations:
+        openshift.io/imported-from: registry.cern.ch/cms-dqmdc/runregistry-backend
+      from:
+        kind: DockerImage
+        name: registry.cern.ch/cms-dqmdc/runregistry-backend
+      referencePolicy:
+        type: Local
+
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: runregistry-frontend
+  namespace: cmsrunregistry
+spec:
+  lookupPolicy:
+    local: false
+  tags:
+    - name: latest
+      annotations:
+        openshift.io/imported-from: registry.cern.ch/cms-dqmdc/runregistry-frontend
+      from:
+        kind: DockerImage
+        name: registry.cern.ch/cms-dqmdc/runregistry-frontend
+      referencePolicy:
+        type: Local

deployment/prod/routes.yaml

@@ -0,0 +1,34 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: nginx
+  namespace: cmsrunregistry
+  labels:
+    app: nginx
+    app.kubernetes.io/component: nginx
+    app.kubernetes.io/instance: nginx
+  annotations:
+    external-dns.alpha.kubernetes.io/target: paas-apps-shard-1.cern.ch
+    haproxy.router.openshift.io/ip_whitelist: ""
+    haproxy.router.openshift.io/timeout: 500s
+spec:
+  host: cmsrunregistry.web.cern.ch
+  to:
+    kind: Service
+    name: nginx
+    weight: 100
+  port:
+    targetPort: 8080-tcp
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+  wildcardPolicy: None
+status:
+  ingress:
+    - host: cmsrunregistry.web.cern.ch
+      routerName: apps-shard-1
+      conditions:
+        - type: Admitted
+          status: "True"
+      wildcardPolicy: None
+      routerCanonicalHostname: router-apps-shard-1.paas-apps-shard-1.cern.ch

deployment/prod/secrets/backend.yaml

@@ -0,0 +1,28 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: runregistry-backend-secret
+  namespace: cmsrunregistry
+type: Opaque
+data:
+  CLIENT_SECRET:
+  DB_HOSTNAME:
+  DB_NAME:
+  DB_PASSWORD:
+  DB_PORT:
+  DB_USERNAME:
+  ENV: cHJvZF9rdWJlcm5ldGVz
+  NODE_ENV: cHJvZHVjdGlvbg==
+  REDIS_HOST: cmVkaXM=
+  REDIS_PORT: NjM3OQ==
+
+---
+# Grid certificate contents for accessing
+# the Offline DQMGUI
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grid-cert-secret
+data:
+  usercert.pem:
+  userkey.pem:

deployment/prod/secrets/frontend.yaml

@@ -0,0 +1,9 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: runregistry-frontend-secret
+  namespace: cmsrunregistry
+type: Opaque
+data:
+  NODE_ENV: cHJvZHVjdGlvbg==
+  ENV: a3ViZXJuZXRlcw==