ADD mediawiki support for simplesamlphp extension

This involves 3 main changes:
- Add simplesamlphp deployment
- Route paths starting with /_saml2/ to the simplesamlphp container
- Mount simplesamlphp code in both the simplesamlphp container and the
  main wiki container

The simplesamlphp deployment is basically running simplesamlphp in SP
mode. The SP certs are provided in a configmap and mounted into the SP.
The certs had to be mounted individually as they were being mounted on
top of a pvc volume, don't know why mounting as a dir doesn't work in
such cases.

The simplesamlphp SP needs to be hosted on the same domain as wiki to
avoid cookie issues, so ingress was configured to serve all traffics
with paths starting with /_saml2/ to the SP.

On the wiki side, the simplesamlphp extension needs to import classes
from the SP codebase. This is why the code for the simplesamlphp app
lives on a shared volume. When the SP starts up, its entrypoint copies
the code into the shared volume, and apache runs the SP off of the
shared volume code. The wiki mount is set to readonly.

Incremented the minor version in Chart.yaml as this is a larger change
than usual.

mediawiki/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: mediawiki
-version: 0.6.8
-appVersion: 1.39.4
+version: 0.7.0
+appVersion: 1.39.8
 description: Extremely powerful, scalable software and a feature-rich wiki implementation
  that uses PHP to process and display data stored in a database.
 keywords:

mediawiki/templates/_helpers.tpl

@@ -1,4 +1,3 @@
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
@@ -54,6 +53,43 @@ build_id: "{{ .Values.CI_BUILD_ID }}"
 {{- end }}
 {{- end }}
 
+{{/* SimpleSAMLphp container spec */}}
+
+{{- define "simplesamlphp.domain" -}}
+{{- index .Values.ingress.hosts 0 | default .Values.CI_ENVIRONMENT_HOSTNAME | default "localhost" -}}
+{{- end -}}
+{{- define "simplesamlphp.baseurl" -}}
+https://{{ template "simplesamlphp.domain" . }}/_saml2/
+{{- end -}}
+
+{{- define "simplesamlphp.app.spec.env" }}
+- name: SIMPLESAMLPHP_SECRET_SALT
+ value: {{ .Values.simplesamlphp.secretSalt | quote }}
+- name: SIMPLESAMLPHP_ADMIN_PASSWORD
+ value: {{ .Values.simplesamlphp.adminPassword | quote }}
+- name: SIMPLESAMLPHP_CRON_SECRET
+ value: {{ .Values.simplesamlphp.cronSecret | quote }}
+- name: SIMPLESAMLPHP_MEMCACHED_SERVER
+ value: {{ template "mediawiki.fullname" . }}-memcached
+- name: SIMPLESAMLPHP_TRUSTED_DOMAIN
+ value: {{ template "simplesamlphp.domain" . }}
+- name: SIMPLESAMLPHP_BASEURL
+ value: {{ template "simplesamlphp.baseurl" . }}
+- name: SIMPLESAMLPHP_SP_ENTITY_ID
+ value: {{ template "simplesamlphp.baseurl" . }}
+- name: SIMPLESAMLPHP_IDP_ENTITY_ID
+ value: {{ .Values.simplesamlphp.idp.entityId | quote }}
+- name: SIMPLESAMLPHP_IDP_METADATA_URL
+ value: {{ .Values.simplesamlphp.idp.metadataUrl | quote }}
+{{- if .Values.simplesamlphp.enabled }}
+- name: SIMPLESAMLPHP_ENABLED
+ value: "1"
+{{- end }}
+{{- if .Values.simplesamlphp.dev }}
+- name: SIMPLESAMLPHP_DEV
+ value: "1"
+{{- end }}
+{{- end }}
 
 {{/* Mediawiki container spec */}}
 {{- define "mediawiki.app.spec" }}
@@ -281,11 +317,19 @@ env:
 - name: GOOGLE_MAP_API_KEY
  value: {{ .Values.googleMap.apiKey | quote }}
 {{- end }}
+{{- if .Values.simplesamlphp.enabled }}
+{{- include "simplesamlphp.app.spec.env" . }}
+{{- end }}
 volumeMounts:
 - name: mediawiki-data
  mountPath: /data
 - name: custom-config
  mountPath: /conf
+{{- if .Values.simplesamlphp.enabled }}
+- name: simplesamlphp-code
+ mountPath: /var/www/simplesamlphp
+ readOnly: true
+{{- end }}
 {{- end }}
 
 
@@ -301,4 +345,9 @@ volumeMounts:
 - name: custom-config
  configMap:
  name: {{ template "mediawiki.fullname" . }}
+{{- if .Values.simplesamlphp.enabled }}
+- name: simplesamlphp-code
+ persistentVolumeClaim:
+ claimName: {{ template "mediawiki.fullname" . }}-simplesamlphp-pvc
+{{- end }}
 {{- end }}

mediawiki/templates/deployment-simplesamlphp.yaml

@@ -0,0 +1,75 @@
+{{- if .Values.simplesamlphp.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ labels:
+ {{- include "common_labels" . | indent 4 }}
+ tier: app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ template:
+ metadata:
+ labels:
+ app: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ spec:
+ containers:
+ - name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ image: "{{ .Values.simplesamlphp.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ {{- include "simplesamlphp.app.spec.env" . | indent 10 }}
+ resources:
+{{ toYaml .Values.simplesamlphp.resources | indent 10 }}
+ ports:
+ - containerPort: 8080
+ startupProbe:
+ tcpSocket:
+ port: 8080
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /_saml2/module.php/saml/sp/metadata/wiki-sp
+ port: 8080
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 60
+ readinessProbe:
+ httpGet:
+ path: /_saml2/module.php/core/welcome
+ port: 8080
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 60
+ volumeMounts:
+ - name: simplesamlphp-code
+ mountPath: /var/www/simplesamlphp
+ - name: simplesamlphp-crt
+ mountPath: /var/www/simplesamlphp/cert/wiki-sp.crt
+ # subPath cause we're mounting into a pvc, and that didn't work as
+ # a dir but worked as a single file
+ subPath: wiki-sp.crt
+ - name: simplesamlphp-pem
+ mountPath: /var/www/simplesamlphp/cert/wiki-sp.pem
+ subPath: wiki-sp.pem
+ volumes:
+ - name: simplesamlphp-code
+ persistentVolumeClaim:
+ claimName: {{ template "mediawiki.fullname" . }}-simplesamlphp-pvc
+ - name: simplesamlphp-crt
+ configMap:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ items:
+ - key: crt
+ path: wiki-sp.crt
+ - name: simplesamlphp-pem
+ configMap:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ items:
+ - key: pem
+ path: wiki-sp.pem
+{{- end -}}

mediawiki/templates/ingress.yaml

@@ -27,6 +27,13 @@ spec:
  name: {{ $serviceName }}
  port:
  number: {{ $servicePort }}
+ - path: /_saml2
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $serviceName }}-simplesamlphp
+ port:
+ number: {{ $servicePort }}
  {{- end -}}
  {{- if and (hasKey .Values.ingress.annotations "kubernetes.io/tls-acme") (index .Values.ingress.annotations "kubernetes.io/tls-acme" | eq "true") }}
  tls:

mediawiki/templates/service.yaml

@@ -75,3 +75,23 @@ spec:
  selector:
  app: {{ template "mediawiki.fullname" . }}-memcached
 {{- end -}}
+
+{{- if .Values.simplesamlphp.enabled }}
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ labels:
+ {{- include "common_labels" . | indent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 8080
+ protocol: TCP
+ name: {{ .Values.service.name }}-simplesamlphp
+ selector:
+ app: {{ template "mediawiki.fullname" . }}-simplesamlphp
+{{- end -}}

mediawiki/templates/simplesamlphp-configmap.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.simplesamlphp.enabled -}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp
+ labels:
+ {{- include "common_labels" . | indent 4 }}
+data:
+ crt:
+ {{ toYaml .Values.simplesamlphp.sp.certs.crt | indent 2 }}
+ pem:
+ {{ toYaml .Values.simplesamlphp.sp.certs.pem | indent 2 }}
+
+{{- end -}}
+

mediawiki/templates/simplesamlphp-pvc.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.simplesamlphp.enabled -}}
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp-pv
+ labels:
+ {{- include "common_labels" . | indent 4 }}
+ tier: filestore
+spec:
+ accessModes:
+ - {{ .Values.simplesamlphp.persistence.accessMode | quote }}
+ capacity:
+ storage: {{ .Values.simplesamlphp.persistence.size | quote }}
+ storageClassName: {{ .Values.simplesamlphp.persistence.storageClass }}
+{{ toYaml .Values.simplesamlphp.persistence.resources | indent 2 }}
+
+---
+
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ template "mediawiki.fullname" . }}-simplesamlphp-pvc
+ labels:
+ {{- include "common_labels" . | indent 4 }}
+ tier: filestore
+spec:
+ accessModes:
+ - {{ .Values.simplesamlphp.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.simplesamlphp.persistence.size | quote }}
+ storageClassName: {{ .Values.simplesamlphp.persistence.storageClass | quote }}
+ selector:
+ matchLabels:
+ app: {{ template "mediawiki.fullname" . }}
+ stage: {{ .Values.stage }}
+ tier: filestore
+{{- end -}}

mediawiki/values.yaml

@@ -4,6 +4,7 @@
 image:
  repository: ubcctlt/mediawiki
  # tag:
+ pullPolicy: IfNotPresent
 
 stage: dev
 replicas: 1
@@ -286,6 +287,40 @@ service:
  externalPort: 80
  internalPort: 80
 
+simplesamlphp:
+ enabled: false
+ image:
+ repository: ubcctlt/mediawiki-simplesamlphp
+ dev: false
+ secretSalt: 'secretsalt'
+ adminPassword: 'admin'
+ cronSecret: 'cronsecret'
+ idp:
+ entityId: ''
+ metadataUrl: ''
+ resources:
+ requests:
+ memory: 256Mi
+ persistence:
+ storageClass: ""
+ accessMode: ReadWriteMany
+ size: 2Gi
+ resources:
+ nfs:
+ server: some-nfs-server
+ path: "/wikistg-simplesamlphp"
+ sp:
+ certs:
+ crt: |
+ -----BEGIN CERTIFICATE-----
+ <place your own cert here>
+ -----END CERTIFICATE-----
+ pem: |
+ -----BEGIN PRIVATE KEY-----
+ <place your own key here>
+ -----END PRIVATE KEY-----
+
+
 ## Enable persistence using Persistent Volume Claims
 ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
 ##