FreeIPA wiki migration to OpenShift v3
by Martin Kosek
Hello all,
I would like to start a discussion regarding the migration of current
FreeIPA services that are running on OpenShift v2 that was obsoleted [1]
and will soon go EOL (the ultimate cut-off date is Dec 31, 2017).
After a short discussion I had with several FreeIPA developers, the
preference remained with keeping this application on OpenShift (v3
generation), as it will let us easily maintain it on a PaaS, without
having to care about maintaining our own infra. It will be also easy to
delegate maintenance powers to more people.
Given the above, I have now set up a Pro account with OpenShift v3 and
migrated the base FreeIPA wiki as an application there, with today's
snapshot of data and images. When the POC deployment is ready and
approved on this list, I can switch the current wiki to readonly and
request change of "www.freeipa.org" DNS records to get it to production.
The POC wiki is running in [2], with OpenShift application sources being
stored in a public git repo [3]. Eventually, the OpenShift could be
configured to rebuild the wiki after a git push to [3], to enable easy
changes to wiki to its maintainers. Let me know if there are any
concerns about having the wiki sources public. The secrets and keys are
of course not in the repo, but configured via OpenShift environment
variable.
The POC now runs pretty well, the only issue I found so far is linking
the wiki user authentication with Fedora auth. The problem is that the
current OpenID plugin [4] is deprecated and does not run with modern PHP
version and I could not get the new OpenID Connect one [5] to work
reliably with our wiki and Fedora OIDC service. I either received
authentication errors or later problems with linking the authenticated
user to current account. So for now I gave up and enabled simple
password auth by password again.
Feedback welcome!
Thanks,
Martin
[1] https://blog.openshift.com/migrate-to-v3-v2-eol/
[2] https://freeipa-org-wiki-freeipa.b9ad.pro-us-east-1.openshiftapps.com
[3] https://github.com/freeipa/freeipa-wiki
[4] https://www.mediawiki.org/wiki/Extension:OpenID
[5] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
--
Martin Kosek <mkosek(a)redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.