DIRACGrid · chaen · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/README.md b/README.md
@@ -243,7 +243,7 @@ Note that this configuration is trivial and does not follow production recommand
 | developer.autoReload | bool | `true` | Enable automatic reloading inside uvicorn when the sources change Used by the integration tests for running closer to prod setup |
 | developer.editableMountedPythonModules | bool | `true` | Use pip install -e for mountedPythonModulesToInstall This is used by the integration tests because editable install might behave differently |
 | developer.enableCoverage | bool | `false` | Enable collection of coverage reports (intended for CI usage only) |
-| developer.enabled | bool | `true` |  |
+| developer.enabled | bool | `false` |  |
 | developer.ipAlias | string | `nil` | The IP that the demo is running at |
 | developer.localCSPath | string | `"/local_cs_store"` | If set, mount the CS stored localy instead of initializing a default one |
 | developer.mountedNodeModuleToInstall | string | `nil` | Node module to install |
@@ -271,7 +271,7 @@ Note that this configuration is trivial and does not follow production recommand
 | dex.config.storage.type | string | `"sqlite3"` |  |
 | dex.config.web.http | int | `8000` |  |
 | dex.enabled | bool | `true` |  |
-| dex.image.tag | string | `"v2.37.0"` |  |
+| dex.image.tag | string | `"v2.41.1"` |  |
 | dex.ingress.enabled | bool | `false` |  |
 | dex.service.ports.http.nodePort | int | `32002` |  |
 | dex.service.ports.http.port | int | `8000` |  |

diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml
@@ -6,6 +6,7 @@ global:
   batchJobTTL: 3600
 
 developer:
+  enabled: true
   urls:
     diracx: https://{{ hostname }}:8000
     minio: http://{{ hostname }}:32000
@@ -52,7 +53,7 @@ dex:
     issuer: http://{{ hostname }}:32002
 
     staticClients:
-      - id: d396912e-2f04-439b-8ae7-d8c585a34790
+      - id: {{ dex_client_uuid }}
         public: true
         name: "CLI app"
         redirectURIs:
@@ -61,8 +62,11 @@ dex:
 
     staticPasswords:
       - email: "admin@example.com"
+        # bcrypt hash of the string "password"
+        # htpasswd -bnBC 10 "" "password" | tr -d ':\n'
         hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
         username: "admin"
+        userID: {{ dex_admin_uuid }}
 
 indigoiam:
   config:

diff --git a/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl b/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl
@@ -129,18 +129,6 @@ generate_secret_if_needed diracx-sql-root-connection-urls \
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
 {{- if .Values.initOs.enabled }}
 # If we deploy opensearch ourselves
 {{- if .Values.opensearch.enabled }}

diff --git a/diracx/values.yaml b/diracx/values.yaml
@@ -83,7 +83,7 @@ initOs:
   enabled: true
 
 developer:
-  enabled: true
+  enabled: false
   # -- Make it possible to launch the demo without having an internet connection
   offline: false
   # -- URLs which can be used to access various components of the demo (diracx, minio, dex, etc).
@@ -283,7 +283,7 @@ dex:
   enabled: true
   https.enabled: false
   image:
-    tag: v2.37.0
+    tag: v2.41.1
 
   service:
     type: NodePort
@@ -297,12 +297,10 @@ dex:
 
   config:
     issuer: http://anything:32002
-
     storage:
       type: sqlite3
       config:
         file: /tmp/dex.db
-
     web:
       http: 8000
 

diff --git a/docs/RUN_PROD.md b/docs/RUN_PROD.md
@@ -0,0 +1,103 @@
+# Details of deploying `diracx` in production
+
+The aim of this documentation is to give pointers on how to install the `diracx-charts` longside an existing `DIRAC` installation.
+
+Effectively, this means that you will be using your existing databases (`MySQL`, `OpenSearch`), and just install the new dependencies of `diracx`.
+
+We go here with the assumption that you have a `kubernetes` cluster at hand. If you do no have one, see the [k3s example](../k3s/README.md).
+
+
+If your central infrastructure already provide the following services, by all mean, use them.
+
+
+## Cert manager
+
+TODO with letsencrypt
+
+```yaml
+cert-manager:
+  enabled: false
+cert-manager-issuer:
+  enabled: false
+```
+
+## Admin VO
+
+
+A new concept in `diracx` is the `AdminVO`, which has super karma on `diracx` itself but not on the resources the VO use.
+
+We recommand using [dex](https://github.com/dexidp/dex) as the IdP for that. The [helper script](dex_config_helper.sh) can assist you in that.
+
+
+
+
+```yaml
+dex:
+  enabled: false
+```
+
+
+
+## CS
+
+
+```yaml
+init-cs:
+  enabled: true
+```
+
+## Ingress
+
+```yaml
+ingress:
+  annotations:
+    haproxy.router.openshift.io/ip_whitelist: ""
+    route.openshift.io/termination: edge
+  className: null
+  enabled: true
+  tlsSecretName: null
+```
+## Sandbox
+
+```yaml
+minio:
+  enabled: false
+```
+
+
+## DiracX configuration
+
+
+```yaml
+diracx:
+  hostname: diracx-cert.app.cern.ch
+```
+
+```yaml
+global:
+  images:
+    client: ghcr.io/diracgrid/diracx/client
+    services: ghcr.io/diracgrid/diracx/services
+    tag: dev
+    web:
+      repository: ghcr.io/diracgrid/diracx-web/static
+      tag: dev
+```
+
+
+
+```yaml
+init-secrets:
+  enabled: true
+init-sql:
+  enabled: false
+initOs:
+  enabled: true
+
+mysql:
+  enabled: false
+opensearch:
+  enabled: false
+rabbitmq:
+  enabled: false
+```
diff --git a/docs/dex_config_helper.sh b/docs/dex_config_helper.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+
+validate_email() {
+    local email="$1"
+    local email_regex="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}$"
+
+    if [[ $email =~ $email_regex ]]; then
+        echo "Valid email address"
+        return 0
+    else
+        echo "Invalid email address"
+        exit 1
+    fi
+}
+
+# Example usage:
+read -r -p "Enter admin username: " dex_admin_username
+read -r -p "Enter admin email: " dex_admin_email
+validate_email "${dex_admin_email}"
+read -r -s -p "Enter admin password: " dex_admin_password
+echo
+echo
+# Generate the static client GUID for Dex
+dex_client_uuid=$(uuidgen)
+
+# Generate the admin account for dex
+dex_admin_uuid=$(uuidgen)
+
+
+# This is how dex generates the sub from a UserID
+# https://github.com/dexidp/dex/issues/1719
+dex_admin_sub=$(printf '\n$%s\x12\x05local' "${dex_admin_uuid}" | base64 -w 0)
+
+dex_admin_hashed_password=$(htpasswd -bnBC 10 "" "${dex_admin_password}" | tr -d ':\n')
+
+
+hostname="FIXME"
+
+echo "Dex configuration for values.yaml"
+echo
+
+cat << EOF
+dex:
+  config:
+    issuer: http://${hostname}:32002
+
+    staticClients:
+      - id: "${dex_client_uuid}"
+        public: true
+        name: "Diracx app"
+        redirectURIs:
+          - "https://${hostname}:8000/api/auth/device/complete"
+          - "https://${hostname}:8000/api/auth/authorize/complete"
+
+    staticPasswords:
+      - email: "${dex_admin_email}"
+        hash: "${dex_admin_hashed_password}"
+        username: "${dex_admin_username}"
+        userID: "${dex_admin_uuid}"
+EOF
+
+
+echo "Configuration to add in the DIRAC CS"
+echo
+
+cat << EOF
+DiracX
+{
+ CsSync
+  {
+    VOs
+    {
+      dteam
+      {
+        DefaultGroup = admin
+        IdP
+        {
+          ClientID = ${dex_client_uuid}
+          URL = "http://${hostname}:32002"
+        }
+        UserSubjects
+        {
+
+          ${dex_admin_username} = ${dex_admin_sub}
+        }
+        Support
+        {
+        }
+      }
+    }
+  }
+}
+EOF
diff --git a/k3s/examples/my.values.yaml b/k3s/examples/my.values.yaml
@@ -28,9 +28,6 @@ ingress:
   tlsSecretName: myingress-cert
   annotations: {}
 
-developer:
-  enabled: false
-
 
 
 dex:

diff --git a/run_demo.sh b/run_demo.sh
@@ -516,6 +516,20 @@ fi
 json="${json%,}]"
 printf "%b Node workspaces json: %s\n" ${UNICORN_EMOJI} "${json}"
 sed "s#{{ node_module_workspaces }}#${json}#g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml"
+mv "${demo_dir}/values.yaml" "${demo_dir}/values.yaml.bak"
+
+
+# Generate the static client GUID for Dex
+dex_client_uuid=$(uuidgen)
+sed "s/{{ dex_client_uuid }}/${dex_client_uuid}/g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml"
+mv "${demo_dir}/values.yaml" "${demo_dir}/values.yaml.bak"
+
+# Generate the admin account for dex
+dex_admin_uuid=$(uuidgen)
+sed "s/{{ dex_admin_uuid }}/${dex_admin_uuid}/g" "${demo_dir}/values.yaml.bak" > "${demo_dir}/values.yaml"
+# This is how dex generates the sub from a UserID
+# https://github.com/dexidp/dex/issues/1719
+dex_admin_sub=$(printf '\n$%s\x12\x05local' "${dex_admin_uuid}" | base64 -w 0)
 
 
 # Final check
@@ -585,12 +599,12 @@ else
     "${demo_dir}/kubectl" exec deployments/diracx-demo-cli -- bash /entrypoint.sh dirac internal add-vo /cs_store/initialRepo \
      --vo="diracAdmin" \
      --idp-url="http://${machine_hostname}:32002" \
-     --idp-client-id="d396912e-2f04-439b-8ae7-d8c585a34790" \
+     --idp-client-id="${dex_client_uuid}" \
      --default-group="admin" >> /tmp/init_cs.log
 
     "${demo_dir}/kubectl" exec deployments/diracx-demo-cli -- bash /entrypoint.sh  dirac internal add-user /cs_store/initialRepo \
      --vo="diracAdmin" \
-     --sub="EgVsb2NhbA" \
+     --sub="${dex_admin_sub}" \
      --preferred-username="admin" \
      --group="admin" >> /tmp/init_cs.log
Original file line number	Diff line number	Diff line change
Expand Up		@@ -129,18 +129,6 @@ generate_secret_if_needed diracx-sql-root-connection-urls \















		{{- if .Values.initOs.enabled }}
		# If we deploy opensearch ourselves
		{{- if .Values.opensearch.enabled }}
Expand Down