On 09/15/2017 12:54 PM, Martin Kosek wrote: > Hello all, > > I would like to start a discussion regarding the migration of current > FreeIPA services that are running on OpenShift v2 that was obsoleted [1] > and will go soon EOL (the ultimate cut-off date is Dec 31, 2017). > > After a short discussion I had with several FreeIPA developers, the > preference remained with keeping this application on OpenShift (v3 > generation), as it will let us easily maintain it on a PaaS, without > having to care about maintaining our own infra. It will be also easy to > delegate maintenance powers to more people. > > Given above, I have now set up a Pro account with OpenShift v3 and > migrated the base FreeIPA wiki as an application there, with today > snapshot of data and images. When the POC deployment is ready and > approved on this list, I can switch the current wiki to readonly and > request change of "www.freeipa.org" DNS records to get it to production. > > The POC wiki is running in [2], with OpenShift application sources being > stored in a public git repo [3]. Eventually, the OpenShift could be > configured to rebuild the wiki after a git push to [3], to enable easy > changes to wiki to it's maintainers. Let me know if there are any > concerns about having the wiki sources public. The secrets and keys are > of course not in the repo, but configured via OpenShift environment > variable. > > The POC now runs pretty well, the only issue I found so far is linking > the wiki user authentication with Fedora auth. The problem is that the > current OpenID plugin [4] is deprecated and does not run with modern PHP > version and I could not get the new OpenID Connect one [5] to work > reliably with our wiki and Fedora OIDC service. I either received > authentication errors or later problems with linking the authenticated > user to current account. So for now I gave up and enabled simple > password auth by password again. > > Feedback welcome! > > Thanks, > Martin > > [1] https://blog.openshift.com/migrate-to-v3-v2-eol/ > [2] https://freeipa-org-wiki-freeipa.b9ad.pro-us-east-1.openshiftapps.com > [3] https://github.com/freeipa/freeipa-wiki > [4] https://www.mediawiki.org/wiki/Extension:OpenID > [5] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
Hello all, I did not see any discussion on this topic, so I assume that people either missed my message are are fine with the progress so far. I worked on the new FreeIPA.org wiki over the weekend and did couple fixes: - configured the site to expose the old guides that we still keep referenced in https://www.freeipa.org/page/Upstream_User_Guide. That should be all the missing external content needed on the site I am aware off. - added new secured routes for the application, to respond on "www.freeipa.org" and "freeipa.org" Thanks to the second step, you can now test the deployment by simply adding an alias to /etc/hosts: sudo echo "52.203.52.40 www.freeipa.org" >> /etc/hosts and then going to www.freeipa.org (delete it after the testing) You can tell that the alias is working when https://www.freeipa.org/page/Special:Version shows you the 1.29.1 Mediawiki version. So what is missing to let us migrate? 1) As mentioned above, OpenID authentication is no longer working, so unless someone can help and make it working, we will start authenticating with plain passwords again. 2) I need to also make the mails working (useful for password resets or other notifications). For that, I would need an SMTP server. Unless someone has an SMTP server I could easily use from Mediawiki: https://www.mediawiki.org/wiki/Manual:$wgSMTP I would need to register us with something like https://www.mailgun.com/ that would let me send emails from "freeipa.org" domain. Martin _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
