From 5c5160e51b3b4d2c0f377dbf7285028b16c3f7d6 Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Dec 04 2024 08:22:18 +0000 Subject: [release-monitoring] Authlib update Add Authlib related configuration and build variables. Remove libraries.io consumer, it's no longer available. Remove ConfigChange deployment trigger so we don't deploy twice when pushing changes through ansible repository. Signed-off-by: Michal Konecny --- diff --git a/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml b/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml index 94b66d4..e245ff9 100644 --- a/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml +++ b/roles/openshift-apps/release-monitoring/files/deploymentconfig.yml @@ -99,7 +99,6 @@ items: name: release-monitoring-web:latest namespace: release-monitoring type: ImageChange - - type: ConfigChange - apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: 
@@ -191,98 +190,5 @@ items: name: release-monitoring-web:latest namespace: release-monitoring type: ImageChange - - type: ConfigChange -- apiVersion: apps.openshift.io/v1 - kind: DeploymentConfig - metadata: - labels: - app: release-monitoring-librariesio-consumer - service: web - name: release-monitoring-librariesio-consumer - spec: - replicas: 1 - selector: - deploymentconfig: release-monitoring-librariesio-consumer - strategy: - activeDeadlineSeconds: 900 - recreateParams: - timeoutSeconds: 30 - mid: - failurePolicy: Retry - execNewPod: - containerName: release-monitoring-web - command: - - /bin/bash - - -c - - | - python3 -m alembic -c /etc/anitya/alembic.ini current | grep '(head)' - env: - - name: ANITYA_WEB_CONFIG - value: /etc/anitya/anitya.toml - volumes: - - config-volume - resources: {} - type: Recreate - template: - metadata: - creationTimestamp: null - labels: - app: release-monitoring-librariesio-consumer - deploymentconfig: release-monitoring-librariesio-consumer - spec: - containers: - - name: release-monitoring-web - image: release-monitoring/release-monitoring-web:latest - command: - - python3 - args: - - /usr/local/bin/librariesio_consumer - env: - - name: ANITYA_WEB_CONFIG - value: /etc/anitya/anitya.toml - resources: {} - volumeMounts: - - name: config-volume - mountPath: /etc/anitya - readOnly: true - - name: fedora-messaging-config-volume - mountPath: /etc/fedora-messaging - readOnly: true - - name: fedora-messaging-ca-volume - mountPath: /etc/pki/rabbitmq/ca - readOnly: true - - name: fedora-messaging-key-volume - mountPath: /etc/pki/rabbitmq/key - readOnly: true - - name: fedora-messaging-cert-volume - mountPath: /etc/pki/rabbitmq/cert - readOnly: true - volumes: - - name: config-volume - configMap: - name: release-monitoring-configmap - - name: fedora-messaging-config-volume - configMap: - name: fedora-messaging-configmap - - name: fedora-messaging-ca-volume - secret: - secretName: release-monitoring-fedora-messaging-ca - - name: 
fedora-messaging-key-volume - secret: - secretName: release-monitoring-fedora-messaging-key - - name: fedora-messaging-cert-volume - secret: - secretName: release-monitoring-fedora-messaging-cert - triggers: - - imageChangeParams: - automatic: true - containerNames: - - release-monitoring-web - from: - kind: ImageStreamTag - name: release-monitoring-web:latest - namespace: release-monitoring - type: ImageChange - - type: ConfigChange kind: List metadata: {} diff --git a/roles/openshift-apps/release-monitoring/templates/anitya.toml b/roles/openshift-apps/release-monitoring/templates/anitya.toml index 54cf4cf..065a66c 100644 --- a/roles/openshift-apps/release-monitoring/templates/anitya.toml +++ b/roles/openshift-apps/release-monitoring/templates/anitya.toml 
@@ -40,15 +40,59 @@ email_errors = false # List of users that are not allowed to sign in blacklisted_users = [] -librariesio_platform_whitelist = [ - 'pypi', - 'rubygems', -] - +{% if env == 'staging' %} +# Enabled authentication backends +authlib_enabled_backends = ["Fedora", "GitHub", "Google"] + +# Github OAuth backend variables +# Github OAuth app client id +# See https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app +github_client_id = "{{ anitya_stg_github_client_id }}" +# Github OAuth app client secret +# See https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app +github_client_secret = "{{ anitya_stg_github_client_secret }}" +# Github access token URL +github_access_token_url = "https://github.com/login/oauth/access_token" +# Github URL used for authorization +github_authorize_url = "https://github.com/login/oauth/authorize" +# Github URL for API +github_api_base_url = "https://api.github.com/" +# Additional arguments for Github authentication +[github_client_kwargs] +scope = "openid profile email" + +# Fedora OAuth backend variables +# Fedora OAuth client id +# Have to be requested in a ticket on https://pagure.io/fedora-infrastructure +fedora_client_id = "{{ anitya_stg_fedora_client_id }}" +# Fedora OAuth secret +# Have to be requested in a ticket on https://pagure.io/fedora-infrastructure +fedora_client_secret = "{{ anitya_stg_fedora_client_secret }}" +# Fedora OAuth authentication endpoint +fedora_server_metadata_url = "https://id.stg.fedoraproject.org/.well-known/openid-configuration" +# Additional arguments for Fedora authentication +[fedora_client_kwargs] +scope = "openid profile email" +token_endpoint_auth_method = "client_secret_post" + +# Google OAuth backend variables +# Google OAuth client id +# See https://support.google.com/cloud/answer/6158849 +google_client_id = "{{ anitya_stg_google_client_id }}" +# Google OAuth client secret +# See https://support.google.com/cloud/answer/6158849 
+google_client_secret = "{{ anitya_stg_google_client_secret }}" +# Google OAuth authentication endpoint +google_server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration" +# Additional arguments for Google authentication +[google_client_kwargs] +scope = "openid profile email" +{% else %} social_auth_authentication_backends = [ 'social_core.backends.fedora.FedoraOpenId', 'social_core.backends.open_id.OpenIdAuth', ] +{% endif %} # Default regular expression used for backend default_regex = """\ diff --git a/roles/openshift-apps/release-monitoring/templates/buildconfig.yml b/roles/openshift-apps/release-monitoring/templates/buildconfig.yml index 3621a25..260b59d 100644 --- a/roles/openshift-apps/release-monitoring/templates/buildconfig.yml +++ b/roles/openshift-apps/release-monitoring/templates/buildconfig.yml @@ -24,6 +24,7 @@ items: npm \ poetry \ python3-alembic \ + python3-authlib \ python3-beautifulsoup4 \ python3-arrow \ python3-dateutil \ @@ -73,14 +74,11 @@ items: pip-3 install dist/*.whl && \ popd && \ rm -rf anitya -{% if env == 'staging' %} - # Let's use staging auth server in staging - RUN sed -i 's/id.fedoraproject.org/id.stg.fedoraproject.org/g' /usr/local/lib/python3.12/site-packages/social_core/backends/fedora.py -{% endif %} - +{% if env == 'production' %} # Hotfix for social_auth-sqlalchemy # Could be removed when we switch to something else RUN sed -i 's/base64.encodestring/base64.encodebytes/g' /usr/local/lib/python3.12/site-packages/social_sqlalchemy/storage.py +{% endif %} RUN mkdir /httpdir RUN chmod 777 /httpdir EXPOSE 8080
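Review bot: In the staging branch the three `[..._client_kwargs]` table headers swallow every key written after them: under TOML rules `fedora_client_id`, `fedora_client_secret` and `fedora_server_metadata_url` become members of `github_client_kwargs`, the `google_*` keys land inside `fedora_client_kwargs`, and `default_regex` plus everything after `{% endif %}` ends up inside `google_client_kwargs`. That leaves the Fedora and Google client ids and secrets off the top level where the application presumably reads them, and puts one provider's client secret inside another provider's client kwargs. Inline tables keep all keys top-level: `github_client_kwargs = { scope = "openid profile email" }`, `fedora_client_kwargs = { scope = "openid profile email", token_endpoint_auth_method = "client_secret_post" }`, `google_client_kwargs = { scope = "openid profile email" }`. Separately, the librariesio DeploymentConfig removed in the first file mounted `/etc/anitya` from the `release-monitoring-configmap` ConfigMap, so if this template is what fills that ConfigMap the rendered client secrets are readable by anyone who can read ConfigMaps in the namespace; they belong in a Secret, as the fedora-messaging key and cert already are. GitHub OAuth apps use scopes such as `read:user` / `user:email` rather than the OIDC `openid profile email` set, so confirm the GitHub scope actually yields what the login flow needs.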
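Review bot: The new `{% if env == 'production' %}` guard around the social_sqlalchemy sed hotfix is narrower than the matching switch in anitya.toml, which selects the social_auth backends for every `env` other than `staging` via `{% else %}`; any third value of `env` would get the social_auth configuration without the `base64.encodestring` patch. Using the same test in both files keeps them in step, e.g. `{% if env != 'staging' %}`. The enclosing build script continues outside the hunk, so whether the social_core packages are still installed for staging is not visible here.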