chore(oauth): using passport authentication

Author: lijianguo

charts/controller/templates/_helpers.tpl

@@ -142,8 +142,10 @@ env:
 {{- end }}
 {{- if eq .Values.global.passport_location "on-cluster"}}
 - name: "DRYCC_PASSPORT_DOMAIN"
-  value: drycc-passport.{{ .Values.global.platform_domain }}
+  value: http://drycc-passport.{{ .Values.global.platform_domain }}
 - name: "SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/authorize/"
+- name: "SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL"
   value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/token/"
 - name: "SOCIAL_AUTH_DRYCC_ACCESS_API_URL"
   value: "$(DRYCC_PASSPORT_DOMAIN)/users/"
@@ -153,6 +155,8 @@ env:
   value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/.well-known/jwks.json"
 - name: "SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT"
   value: "$(DRYCC_PASSPORT_DOMAIN)/oauth"
+- name: "LOGIN_REDIRECT_URL"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/login/done/"
 - name: SOCIAL_AUTH_DRYCC_CONTROLLER_KEY
   valueFrom:
     secretKeyRef:

charts/controller/templates/controller-cronjob-hourly.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: drycc-controller-cronjob-daily
+  name: drycc-controller-cronjob-hourly
   labels:
     heritage: drycc
   annotations:
@@ -27,5 +27,3 @@ spec:
             args:
               - python -u /app/manage.py measure_app
             {{- include "controller.envs" . | indent 12 }}
-            {{- include "controller.volumeMounts" . | indent 12 }}
-          {{- include "controller.volumes" . | indent 10 }}

charts/controller/templates/controller-ingress.yaml

@@ -17,14 +17,17 @@ spec:
   - host: drycc.{{ .Values.global.platform_domain }}
     http:
       paths:
-      {{- if eq .Values.global.ingress_class "gce" "alb" }}
-      - path: /*
-      {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
-      - path: /
-      {{- end }}
+      - pathType: Prefix
+        {{- if eq .Values.global.ingress_class "gce" "alb" }}
+        path: /*
+        {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+        path: /
+        {{- end }}
         backend:
-          serviceName: drycc-controller
-          servicePort: 80
+          service:
+            name: drycc-controller
+            port:
+              number: 80
   {{- if .Values.global.cert_manager_enabled }}
   tls:
     - secretName: drycc-controller-certificate-auto

rootfs/api/settings/production.py

@@ -81,7 +81,7 @@
     'corsheaders.middleware.CorsMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
+    # 'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -430,11 +430,11 @@
 SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL = os.environ.get('SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL')
 SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL = os.environ.get('SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL')
 SOCIAL_AUTH_DRYCC_ACCESS_API_URL = os.environ.get('SOCIAL_AUTH_DRYCC_ACCESS_API_URL')
-SOCIAL_AUTH_DRYCC_USERINFO_URL = os.environ.get('SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL')
-SOCIAL_AUTH_DRYCC_JWKS_URI = os.environ.get('SOCIAL_AUTH_DRYCC_ACCESS_API_URL')
+SOCIAL_AUTH_DRYCC_USERINFO_URL = os.environ.get('SOCIAL_AUTH_DRYCC_USERINFO_URL')
+SOCIAL_AUTH_DRYCC_JWKS_URI = os.environ.get('SOCIAL_AUTH_DRYCC_JWKS_URI')
 SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT = os.environ.get('SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT')
-SOCIAL_AUTH_DRYCC_KEY = os.environ.get('SOCIAL_AUTH_DRYCC_KEY')
-SOCIAL_AUTH_DRYCC_SECRET = os.environ.get('SOCIAL_AUTH_DRYCC_SECRET')
+SOCIAL_AUTH_DRYCC_KEY = os.environ.get('SOCIAL_AUTH_DRYCC_CONTROLLER_KEY')
+SOCIAL_AUTH_DRYCC_SECRET = os.environ.get('SOCIAL_AUTH_DRYCC_CONTROLLER_SECRET')
 SOCIAL_AUTH_POSTGRES_JSONFIELD = True
 SOCIAL_AUTH_PIPELINE = (
     'social_core.pipeline.social_auth.social_details',

rootfs/scheduler/mock.py

@@ -124,7 +124,7 @@ def get_type(key):
 def replace_api_version(old, new='api_v1'):
     return old.replace('apis_autoscaling_v1', new)\
         .replace('apis_apps_v1', new)\
-        .replace('apis_networking.k8s.io_v1beta1', new)\
+        .replace('apis_networking.k8s.io_v1', new)\
         .replace('apis_servicecatalog.k8s.io_v1beta1', new)
 
 

rootfs/scheduler/resources/ingress.py

@@ -28,9 +28,14 @@ def manifest(self, api_version, ingress, ingress_class, namespace, **kwargs):
                     "paths": [
                         {
                             "path": path,
+                            "pathType": "Prefix",
                             "backend": {
-                                "serviceName": ingress,
-                                "servicePort": 80
+                                "service": {
+                                    "name": ingress,
+                                    "port": {
+                                        "number": 80
+                                    }
+                                }
                             }
                         }
                     ]