document proper prod install

docs/RUN_PROD.md

@@ -0,0 +1,123 @@
+# Details of deploying `diracx` in production
+
+The aim of this documentation is to give pointers on how to install the `diracx-charts` longside an existing `DIRAC` installation.
+
+Effectively, this means that you will be using your existing databases (`MySQL`, `OpenSearch`), and just install the new dependencies of `diracx`.
+
+We go here with the assumption that you have a `kubernetes` cluster at hand. If you do no have one, see the [k3s example](../k3s/README.md).
+
+
+If your central infrastructure already provide the following services, by all mean, use them.
+
+## IDP
+
+To authenticate a VO, you need an IDP that can work with the Oauth2 Authorization with PKCE.
+
+How you exactly configure it is idp dependant, but here are the basics:
+
+* Redirection URLs should be the following
+```
+https://<youdiracx.invalid>/api/auth/device/complete
+https://<youdiracx.invalid>/api/auth/authorize/complete
+```
+* The client should be public (no authentication)
+* The necessary scopes are `email`, `openid`, `profile`
+* The needed grant type is authorization flow
+
+### IAM client
+
+No authentication (public client)
+
+
+
+## Cert manager
+
+TODO with letsencrypt
+
+```yaml
+cert-manager:
+  enabled: false
+cert-manager-issuer:
+  enabled: false
+```
+
+## Admin VO
+
+
+A new concept in `diracx` is the `AdminVO`, which has super karma on `diracx` itself but not on the resources the VO use.
+
+We recommand using [dex](https://github.com/dexidp/dex) as the IdP for that. The [helper script](dex_config_helper.sh) can assist you in that.
+
+
+
+
+```yaml
+dex:
+  enabled: false
+```
+
+
+
+## CS
+
+
+```yaml
+init-cs:
+  enabled: true
+```
+
+## Ingress
+
+```yaml
+ingress:
+  annotations:
+    haproxy.router.openshift.io/ip_whitelist: ""
+    route.openshift.io/termination: edge
+  className: null
+  enabled: true
+  tlsSecretName: null
+```
+## Sandbox
+
+```yaml
+minio:
+  enabled: false
+```
+
+
+## DiracX configuration
+
+
+```yaml
+diracx:
+  hostname: diracx-cert.app.cern.ch
+```
+
+```yaml
+global:
+  images:
+    client: ghcr.io/diracgrid/diracx/client
+    services: ghcr.io/diracgrid/diracx/services
+    tag: dev
+    web:
+      repository: ghcr.io/diracgrid/diracx-web/static
+      tag: dev
+```
+
+
+
+```yaml
+init-secrets:
+  enabled: true
+init-sql:
+  enabled: false
+initOs:
+  enabled: true
+
+mysql:
+  enabled: false
+opensearch:
+  enabled: false
+rabbitmq:
+  enabled: false
+```

docs/dex_config_helper.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+
+validate_email() {
+    local email="$1"
+    local email_regex="^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}$"
+
+    if [[ $email =~ $email_regex ]]; then
+        echo "Valid email address"
+        return 0
+    else
+        echo "Invalid email address"
+        exit 1
+    fi
+}
+
+# Example usage:
+read -r -p "Enter admin username: " dex_admin_username
+read -r -p "Enter admin email: " dex_admin_email
+validate_email "${dex_admin_email}"
+read -r -s -p "Enter admin password: " dex_admin_password
+echo
+echo
+# Generate the static client GUID for Dex
+dex_client_uuid=$(uuidgen)
+
+# Generate the admin account for dex
+dex_admin_uuid=$(uuidgen)
+
+
+# This is how dex generates the sub from a UserID
+# https://github.com/dexidp/dex/issues/1719
+dex_admin_sub=$(printf '\n$%s\x12\x05local' "${dex_admin_uuid}" | base64 -w 0)
+
+dex_admin_hashed_password=$(htpasswd -bnBC 10 "" "${dex_admin_password}" | tr -d ':\n')
+
+
+hostname="FIXME"
+
+echo "Dex configuration for values.yaml"
+echo
+
+cat << EOF
+dex:
+  config:
+    issuer: http://${hostname}:32002
+
+    staticClients:
+      - id: "${dex_client_uuid}"
+        public: true
+        name: "Diracx app"
+        redirectURIs:
+          - "https://${hostname}:8000/api/auth/device/complete"
+          - "https://${hostname}:8000/api/auth/authorize/complete"
+
+    staticPasswords:
+      - email: "${dex_admin_email}"
+        hash: "${dex_admin_hashed_password}"
+        username: "${dex_admin_username}"
+        userID: "${dex_admin_uuid}"
+EOF
+
+
+echo "Configuration to add in the DIRAC CS"
+echo
+
+cat << EOF
+DiracX
+{
+ CsSync
+  {
+    VOs
+    {
+      dteam
+      {
+        DefaultGroup = admin
+        IdP
+        {
+          ClientID = ${dex_client_uuid}
+          URL = "http://${hostname}:32002"
+        }
+        UserSubjects
+        {
+
+          ${dex_admin_username} = ${dex_admin_sub}
+        }
+        Support
+        {
+        }
+      }
+    }
+  }
+}
+EOF