From d84a24b5c0a3ed2699b7ce93cc94cb70a1aed90e Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Fri, 13 Dec 2024 15:50:49 +0100 Subject: [PATCH 1/4] Make dex configuration more dynamic --- demo/values.tpl.yaml | 5 ++++- .../diracx/init-secrets/_init-secrets.sh.tpl | 12 ------------ run_demo.sh | 18 ++++++++++++++++-- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml index fe0d0dd..dd8ddf1 100644 --- a/demo/values.tpl.yaml +++ b/demo/values.tpl.yaml @@ -52,7 +52,7 @@ dex: issuer: http://{{ hostname }}:32002 staticClients: - - id: d396912e-2f04-439b-8ae7-d8c585a34790 + - id: {{ dex_client_uuid }} public: true name: "CLI app" redirectURIs: @@ -61,8 +61,11 @@ dex: staticPasswords: - email: "admin@example.com" + # bcrypt hash of the string "password" + # htpasswd -bnBC 10 "" "password" | tr -d ':\n' hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" username: "admin" + userID: {{ dex_admin_uuid }} indigoiam: config: diff --git a/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl b/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl index f11f4b4..ce4fb1f 100644 --- a/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl +++ b/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl @@ -129,18 +129,6 @@ generate_secret_if_needed diracx-sql-root-connection-urls \ - - - - - - - - - - - - {{- if .Values.initOs.enabled }} # If we deploy opensearch ourselves {{- if .Values.opensearch.enabled }} diff --git a/run_demo.sh b/run_demo.sh index 989bb1f..a05866a 100755 --- a/run_demo.sh +++ b/run_demo.sh 
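Review bot: The substituted values on the `id:` and `userID:` lines in the two demo/values.tpl.yaml hunks are left unquoted, while docs/dex_config_helper.sh in the last patch of this series emits the same Dex fields quoted (`id: "${dex_client_uuid}"`, `userID: "${dex_admin_uuid}"`). A uuidgen value parses as a plain YAML string either way, so this is a consistency point between the two templates rather than a correctness one; I would write `- id: "{{ dex_client_uuid }}"` and `userID: "{{ dex_admin_uuid }}"` here so both sources produce the same shape. The added `htpasswd` comment above the hash is a good addition, as it makes clear the hash is for the demo password only.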
@@ -516,6 +516,20 @@ fi json="${json%,}]" printf "%b Node workspaces json: %s\n" ${UNICORN_EMOJI} "${json}" sed "s#{{ node_module_workspaces }}#${json}#g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml" +mv "${demo_dir}/values.yaml" "${demo_dir}/values.yaml.bak" + + +# Generate the static client GUID for Dex +dex_client_uuid=$(uuidgen) +sed "s/{{ dex_client_uuid }}/${dex_client_uuid}/g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml" +mv "${demo_dir}/values.yaml" "${demo_dir}/values.yaml.bak" + +# Generate the admin account for dex +dex_admin_uuid=$(uuidgen) +sed "s/{{ dex_admin_uuid }}/${dex_admin_uuid}/g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml" +# This is how dex generates the sub from a UserID +# https://github.com/dexidp/dex/issues/1719 +dex_admin_sub=$(printf '\n$%s\x12\x05local' "${dex_admin_uuid}" | base64 -w 0) # Final check @@ -585,12 +599,12 @@ else "${demo_dir}/kubectl" exec deployments/diracx-demo-cli -- bash /entrypoint.sh dirac internal add-vo /cs_store/initialRepo \ --vo="diracAdmin" \ --idp-url="http://${machine_hostname}:32002" \ - --idp-client-id="d396912e-2f04-439b-8ae7-d8c585a34790" \ + --idp-client-id="${dex_client_uuid}" \ --default-group="admin" >> /tmp/init_cs.log "${demo_dir}/kubectl" exec deployments/diracx-demo-cli -- bash /entrypoint.sh dirac internal add-user /cs_store/initialRepo \ --vo="diracAdmin" \ - --sub="EgVsb2NhbA" \ + --sub="${dex_admin_sub}" \ --preferred-username="admin" \ --group="admin" >> /tmp/init_cs.log From 3703d2c36de7240e12a8da99109678b1f47b892a Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Fri, 13 Dec 2024 15:52:06 +0100 Subject: [PATCH 2/4] Make developper option false by default --- README.md | 2 +- demo/values.tpl.yaml | 1 + diracx/values.yaml | 2 +- k3s/examples/my.values.yaml | 3 --- 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 05e83a7..7b9b596 100644 --- a/README.md +++ b/README.md 
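Review bot: The `dex_admin_sub` line hard-codes the protobuf length prefix: `\n$` is field tag 0x0a followed by length 0x24, so it is only correct while `uuidgen` returns exactly 36 characters, and nothing checks that. I would add `[[ ${#dex_admin_uuid} == 36 ]] || { echo "unexpected uuid length"; exit 1; }` before it and extend the comment to `# protobuf IDTokenSubject: 0x0a 0x24 = field 1 (user_id), 36 bytes; 0x12 0x05 "local" = field 2 (conn_id)`. Dex compares against an unpadded URL-safe base64 string (the old literal `EgVsb2NhbA` has no padding); as far as I can tell the 45-byte payload happens to encode without padding or `+`/`/` for a hex UUID, and `base64 -w 0` is GNU-specific, so a comment stating both assumptions is worth having. The same line appears in docs/dex_config_helper.sh in patch 4 and needs the same treatment.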
@@ -243,7 +243,7 @@ Note that this configuration is trivial and does not follow production recommand | developer.autoReload | bool | `true` | Enable automatic reloading inside uvicorn when the sources change Used by the integration tests for running closer to prod setup | | developer.editableMountedPythonModules | bool | `true` | Use pip install -e for mountedPythonModulesToInstall This is used by the integration tests because editable install might behave differently | | developer.enableCoverage | bool | `false` | Enable collection of coverage reports (intended for CI usage only) | -| developer.enabled | bool | `true` | | +| developer.enabled | bool | `false` | | | developer.ipAlias | string | `nil` | The IP that the demo is running at | | developer.localCSPath | string | `"/local_cs_store"` | If set, mount the CS stored localy instead of initializing a default one | | developer.mountedNodeModuleToInstall | string | `nil` | Node module to install | diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml index dd8ddf1..479ac2a 100644 --- a/demo/values.tpl.yaml +++ b/demo/values.tpl.yaml @@ -6,6 +6,7 @@ global: batchJobTTL: 3600 developer: + enabled: true urls: diracx: https://{{ hostname }}:8000 minio: http://{{ hostname }}:32000 diff --git a/diracx/values.yaml b/diracx/values.yaml index ab51646..760a50e 100644 --- a/diracx/values.yaml +++ b/diracx/values.yaml @@ -83,7 +83,7 @@ initOs: enabled: true developer: - enabled: true + enabled: false # -- Make it possible to launch the demo without having an internet connection offline: false # -- URLs which can be used to access various components of the demo (diracx, minio, dex, etc). diff --git a/k3s/examples/my.values.yaml b/k3s/examples/my.values.yaml index 8ded283..4022a45 100644 --- a/k3s/examples/my.values.yaml +++ b/k3s/examples/my.values.yaml @@ -28,9 +28,6 @@ ingress: tlsSecretName: myingress-cert annotations: {} -developer: - enabled: false - dex: 
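Review bot: In the diracx/values.yaml hunk `developer.enabled` now defaults to false but still carries no `# --` description, so the generated README row changed in the same patch stays empty while the neighbouring `offline` key is documented. Suggest adding `# -- Enable the developer.* settings below (demo and integration tests only); keep false for production installs` directly above `enabled: false`. The demo/values.tpl.yaml hunk re-enables it for the demo, which is consistent with that description.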
From 7560efe6019a0facbad1e6bc22ced531750c2a71 Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Fri, 13 Dec 2024 15:52:42 +0100 Subject: [PATCH 3/4] Up dex version to 2.41.1 --- README.md | 2 +- diracx/values.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7b9b596..ab82a75 100644 --- a/README.md +++ b/README.md @@ -271,7 +271,7 @@ Note that this configuration is trivial and does not follow production recommand | dex.config.storage.type | string | `"sqlite3"` | | | dex.config.web.http | int | `8000` | | | dex.enabled | bool | `true` | | -| dex.image.tag | string | `"v2.37.0"` | | +| dex.image.tag | string | `"v2.41.1"` | | | dex.ingress.enabled | bool | `false` | | | dex.service.ports.http.nodePort | int | `32002` | | | dex.service.ports.http.port | int | `8000` | | diff --git a/diracx/values.yaml b/diracx/values.yaml index 760a50e..bc3f36b 100644 --- a/diracx/values.yaml +++ b/diracx/values.yaml @@ -283,7 +283,7 @@ dex: enabled: true https.enabled: false image: - tag: v2.37.0 + tag: v2.41.1 service: type: NodePort @@ -297,12 +297,10 @@ dex: config: issuer: http://anything:32002 - storage: type: sqlite3 config: file: /tmp/dex.db - web: http: 8000 From 003c8790c860816e24001950a4e23d9a76c0e9ce Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Fri, 13 Dec 2024 17:17:02 +0100 Subject: [PATCH 4/4] document proper prod install --- docs/RUN_PROD.md | 103 ++++++++++++++++++++++++++++++++++++++ docs/dex_config_helper.sh | 96 +++++++++++++++++++++++++++++++++++ 2 files changed, 199 insertions(+) create mode 100644 docs/RUN_PROD.md create mode 100755 docs/dex_config_helper.sh diff --git a/docs/RUN_PROD.md b/docs/RUN_PROD.md new file mode 100644 index 0000000..252587d --- /dev/null +++ b/docs/RUN_PROD.md 
@@ -0,0 +1,103 @@ +# Details of deploying `diracx` in production + +The aim of this documentation is to give pointers on how to install the `diracx-charts` longside an existing `DIRAC` installation. + +Effectively, this means that you will be using your existing databases (`MySQL`, `OpenSearch`), and just install the new dependencies of `diracx`. + +We go here with the assumption that you have a `kubernetes` cluster at hand. If you do no have one, see the [k3s example](../k3s/README.md). + + +If your central infrastructure already provide the following services, by all mean, use them. + + +## Cert manager + +TODO with letsencrypt + +```yaml +cert-manager: + enabled: false +cert-manager-issuer: + enabled: false +``` + +## Admin VO + + +A new concept in `diracx` is the `AdminVO`, which has super karma on `diracx` itself but not on the resources the VO use. + +We recommand using [dex](https://github.com/dexidp/dex) as the IdP for that. The [helper script](dex_config_helper.sh) can assist you in that. + + + + +```yaml +dex: + enabled: false +``` + + + +## CS + + +```yaml +init-cs: + enabled: true +``` + +## Ingress + +```yaml +ingress: + annotations: + haproxy.router.openshift.io/ip_whitelist: "" + route.openshift.io/termination: edge + className: null + enabled: true + tlsSecretName: null +``` +## Sandbox + +```yaml +minio: + enabled: false +``` + + +## DiracX configuration + + +```yaml +diracx: + hostname: diracx-cert.app.cern.ch +``` + +```yaml +global: + images: + client: ghcr.io/diracgrid/diracx/client + services: ghcr.io/diracgrid/diracx/services + tag: dev + web: + repository: ghcr.io/diracgrid/diracx-web/static + tag: dev +``` + + + +```yaml +init-secrets: + enabled: true +init-sql: + enabled: false +initOs: + enabled: true + +mysql: + enabled: false +opensearch: + enabled: false +rabbitmq: + enabled: false +``` diff --git a/docs/dex_config_helper.sh b/docs/dex_config_helper.sh new file mode 100755 index 0000000..994608a --- /dev/null 
+++ b/docs/dex_config_helper.sh @@ -0,0 +1,96 @@ +#!/bin/bash +set -euo pipefail +IFS=$'\n\t' + + +validate_email() { + local email="$1" + local email_regex="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}$" + + if [[ $email =~ $email_regex ]]; then + echo "Valid email address" + return 0 + else + echo "Invalid email address" + exit 1 + fi +} + +# Example usage: +read -r -p "Enter admin username: " dex_admin_username +read -r -p "Enter admin email: " dex_admin_email +validate_email "${dex_admin_email}" +read -r -s -p "Enter admin password: " dex_admin_password +echo +echo +# Generate the static client GUID for Dex +dex_client_uuid=$(uuidgen) + +# Generate the admin account for dex +dex_admin_uuid=$(uuidgen) + + +# This is how dex generates the sub from a UserID +# https://github.com/dexidp/dex/issues/1719 +dex_admin_sub=$(printf '\n$%s\x12\x05local' "${dex_admin_uuid}" | base64 -w 0) + +dex_admin_hashed_password=$(htpasswd -bnBC 10 "" "${dex_admin_password}" | tr -d ':\n') + + +hostname="FIXME" + +echo "Dex configuration for values.yaml" +echo + +cat << EOF +dex: + config: + issuer: http://${hostname}:32002 + + staticClients: + - id: "${dex_client_uuid}" + public: true + name: "Diracx app" + redirectURIs: + - "https://${hostname}:8000/api/auth/device/complete" + - "https://${hostname}:8000/api/auth/authorize/complete" + + staticPasswords: + - email: "${dex_admin_email}" + hash: "${dex_admin_hashed_password}" + username: "${dex_admin_username}" + userID: "${dex_admin_uuid}" +EOF + + +echo "Configuration to add in the DIRAC CS" +echo + +cat << EOF +DiracX +{ + CsSync + { + VOs + { + dteam + { + DefaultGroup = admin + IdP + { + ClientID = ${dex_client_uuid} + URL = "http://${hostname}:32002" + } + UserSubjects + { + + ${dex_admin_username} = ${dex_admin_sub} + } + Support + { + } + } + } + } +} +EOF
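Review bot: `htpasswd -bnBC 10 "" "${dex_admin_password}"` puts the admin password on the command line, where it is visible in the process list to any other local user for the duration of the bcrypt computation, which defeats the care taken with `read -s` a few lines earlier. Feed it through stdin instead: `dex_admin_hashed_password=$(printf '%s' "${dex_admin_password}" | htpasswd -niBC 10 "" | tr -d ':\n')`. Two other values are baked in where a prompt would fit the script's existing pattern: `hostname="FIXME"` and the VO name `dteam` in the CS snippet (the demo in run_demo.sh uses `diracAdmin` for the admin VO), so I would add `read -r -p` prompts for both. Also, `validate_email` calls `exit 1` from inside a function; `return 1` has the same effect under `set -e` and keeps the helper reusable.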