files: added x509 authentication to EOS offload.

[alejandromumo]

closes https://github.com/zenodo/ops/issues/322

I added docs on how to replace the certificate.

This was tested in zenodo-rdm-qa, inside a pod. I added the configmap to the worker deployment and mounted the certificates. The test was run in an invenio shell, using a requests.Session.get request to retrieve a file from eosmedia and it worked.

Deployment

⚠️ even though the changes are behind a configuration, please align with me before this is deployed

In Openshift, set the following variables (we need to create the deployment config first INVENIO_ZENODO_EOS_* so they are added to the application):

INVENIO_ZENODO_EOS_OFFLOAD_AUTH_X509 = True 
INVENIO_ZENODO_EOS_OFFLOAD_X509_CERT_PATH = "/etc/certificates/cert.pem"
INVENIO_ZENODO_EOS_OFFLOAD_X509_KEY_PATH = "/etc/certificates/key.pem"
INVENIO_ZENODO_EOS_OFFLOAD_HTTPHOST = "https://eosmedia.cern.ch:8444"

To create the config map and the volume in openshift:

# Create configmap
oc create configmap service-certificates --from-literal=key.pem=""  --from-literal=cert.pem=""

# Create volume in "worker" and "web" deployments
oc set volume deployment/worker --add  --name=service-certificates --type=configmap  --mount-path=/etc/certificates  --configmap-name=service-certificates
oc set volume deployment/web --add  --name=service-certificates --type=configmap  --mount-path=/etc/certificates  --configmap-name=service-certificates

Then add the certificate and key as detailed here