
ArctiqTeam/openshift-gocd


openshift-gocd

This small repo provides a Dockerfile and some templates that can run gocd-server on OpenShift.

Note: The elastic-kubernetes-agents require higher privileges than we would normally give to a tenant on the platform, namely the node privileges. All other privileges can and should be scoped to the namespace(s), but node events would not be accessible to users.

Until the privilege is more multi-tenant friendly, users can keep an agent online at all times and configure autoscaling and auto-registering agents.

Note: Sensitive information is stored in the configmap and is only for demonstration purposes. Please do not store production system sensitive configuration data in git.

Templates

The templates directory holds some examples for using this within OpenShift. These could be combined into a single OpenShift template if desired; however, they are currently provided only as individual manifests.

To create everything:

  • Update all templates with the appropriate namespace references
  • Create each of the objects
  • This can be done with the following command (as an example) from the root of this repo:
for f in templates/*; do sed 's/${NAMESPACE}/PUT_YOUR_PROJECT_NAME_HERE/g' "$f" | oc apply -f -; done

OAuth Integration with OpenShift

The following sidecar can be included with GoCD to provide some basic authentication to the instance. This does not integrate with GoCD, but does block users that don't have permission to the namespace from utilizing it.

## OAuth Init Container
      - args:
        - --http-address=:8080
        - --https-address=
        - --openshift-service-account=gocd
        - --upstream=http://localhost:8153
        - --provider=openshift
        - --cookie-secret=SECRET                                         # This can/should be pulled from a file with a secure secret
        - --bypass-auth-except-for=/go                                   # This seemed to help get rid of redirect loops
        - --pass-basic-auth=false
        - '-openshift-sar={"namespace": "${NAMESPACE}", "verb": "list", "resource":
          "services"}'
        image: registry.access.redhat.com/openshift3/oauth-proxy:v3.11
        imagePullPolicy: IfNotPresent
        name: oauth-proxy
        ports:
        - containerPort: 8080
          name: oauth-proxy
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File

Troubleshooting OAuth

  • The ambiguous error:
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.","state":"1ae8d970418f1d54643aa83911c60365:/"}

Digging through the docs, I was originally testing with an HTTP route, which is not supported by default as outlined here. Change the route to https (edge, in our case) and all should be good.
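
A pre-apply check for the sidecar settings and the route problem described above, as an added example that is not part of this repository. The function name `audit_oauth_proxy` and the sample manifest are constructed for illustration; `--cookie-secret-file` is the oauth-proxy flag for reading the secret from a mounted file.

```shell
#!/bin/sh
# Added example: lint a manifest that carries the oauth-proxy sidecar.
# Prints one finding per line; the return status is the number of findings.
audit_oauth_proxy() {
  manifest=$1
  findings=0
  # An inline secret lands in git and in every `oc get -o yaml` of the pod.
  if grep -Eq -e '--?cookie-secret=' "$manifest"; then
    echo "cookie-secret: inline value; mount a Secret and use --cookie-secret-file"
    findings=$((findings + 1))
  fi
  # The SAR is what ties access to permissions in the namespace.
  if ! grep -Eq -e '--?openshift-sar=' "$manifest"; then
    echo "openshift-sar: missing; no namespace permission check is configured"
    findings=$((findings + 1))
  fi
  # A leftover placeholder means the sed substitution step was skipped.
  if grep -Fq -e '${NAMESPACE}' "$manifest"; then
    echo 'namespace: unsubstituted ${NAMESPACE} placeholder'
    findings=$((findings + 1))
  fi
  # A Route without TLS termination is plain HTTP (the invalid_request case).
  if grep -Eq 'kind: *Route' "$manifest" &&
     ! grep -Eq 'termination: *(edge|reencrypt|passthrough)' "$manifest"; then
    echo "route: no TLS termination; use edge, reencrypt or passthrough"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample input (not a file from this repository).
sample=$(mktemp)
cat > "$sample" <<'EOF'
kind: Route
spec:
  to: {kind: Service, name: gocd}
---
kind: Deployment
      - args:
        - --cookie-secret=SECRET
        - '-openshift-sar={"namespace": "${NAMESPACE}", "verb": "list", "resource": "services"}'
EOF
audit_oauth_proxy "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the rendered output of the sed step rather than the raw templates, otherwise the placeholder check fires on every file.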

Resources

  • https://blog.sakuragawa.moe/deploy-granafa-with-prometheus-and-oauth2-on-openshift/
  • https://github.com/openshift/oauth-proxy
  • https://docs.gocd.org/current/

About

Tools for running GoCD on OpenShift
