From b8c333f545288341a0da4f7c4d7e1c5787f5a0d0 Mon Sep 17 00:00:00 2001
From: Mike Bonnet
Date: Apr 15 2019 20:07:52 +0000
Subject: [PATCH 1/2] configure the MBS frontend to run under httpd, and handle SSL requests

---
diff --git a/resources/openshift/templates/mbs.yaml b/resources/openshift/templates/mbs.yaml
index ef3d4ec..3e41fe7 100644
--- a/resources/openshift/templates/mbs.yaml
+++ b/resources/openshift/templates/mbs.yaml
@@ -27,6 +27,20 @@ parameters:
 displayName: SSL key for messaging
 description: base64 encoded SSL key for message bus authentication
 required: true
+- name: FRONTEND_CERT
+ displayName: SSL certificate for the MBS frontend
+ description: base64 encoded SSL certificate used by the MBS frontend
+ required: true
+- name: FRONTEND_KEY
+ displayName: SSL key for the MBS frontend
+ description: base64 encoded SSL key used by the MBS frontend
+ required: true
+- name: FRONTEND_CA
+ displayName: MBS frontend CA
+ description: >-
+ base64 encoded certificate of the CA
+ that issued the HTTP frontend certificate for MBS
+ required: true
 - name: KOJI_CERT
 displayName: Koji client certificate
 description: base 64 encoded client certificate used to authenticate with Koji
@@ -320,11 +334,28 @@ objects:
 environment: test-${TEST_ID}
 data:
 mbs.conf: |
+ WSGIDaemonProcess mbs user=fedmsg group=fedmsg home=/usr/share/mbs maximum-requests=1000 display-name=mbs processes=2 threads=2
+ WSGISocketPrefix run/wsgi
+ WSGIRestrictStdout Off
+ WSGIRestrictSignal Off
+ WSGIPythonOptimize 1
+ WSGIApplicationGroup %{GLOBAL}
+
+ # For our Authorization bearer token header
+ WSGIPassAuthorization On
+ WSGIScriptAlias / /usr/share/mbs/mbs.wsgi
+
+ WSGIProcessGroup mbs
 Require all granted
-
+ RedirectMatch ^/$ /module-build-service/1/module-builds/
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} !=/server-status
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 - apiVersion: v1
 kind: ConfigMap
 metadata:
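Review bot: The HTTP-to-HTTPS redirect added at the end of the mbs.conf block builds its target from `%{HTTP_HOST}`, i.e. from the client-supplied Host header, so any request carrying an arbitrary Host value is answered with a redirect to that host rather than to this service; anchoring the target to the configured name (`UseCanonicalName On` with a `ServerName`, then `RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI}`) removes that dependency. The rendering of this page appears to have dropped the surrounding container directives (the `<VirtualHost>`/`<Directory>` lines and the one removed line before `RedirectMatch`), so the scope of `Require all granted` and the TLS listener settings cannot be checked here. Note that the second patch of this series removes the Rewrite block again, so this concern only applies to the intermediate state.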
@@ -379,6 +410,12 @@ objects:
 ${MESSAGING_CERT}
 messaging.key: |-
 ${MESSAGING_KEY}
+ frontend.crt: |-
+ ${FRONTEND_CERT}
+ frontend.key: |-
+ ${FRONTEND_KEY}
+ frontendca.crt: |-
+ ${FRONTEND_CA}
 - apiVersion: v1
 kind: Service
 metadata:
@@ -402,7 +439,7 @@ objects:
 - apiVersion: v1
 kind: Route
 metadata:
- name: mbs-${TEST_ID}-api
+ name: mbs-${TEST_ID}-frontend
 labels:
 app: mbs
 service: frontend
@@ -412,9 +449,9 @@ objects:
 kind: Service
 name: mbs-${TEST_ID}-frontend
 port:
- targetPort: http
+ targetPort: https
 tls:
- termination: edge
+ termination: passthrough
 insecureEdgeTerminationPolicy: Redirect
 - apiVersion: v1
 kind: DeploymentConfig
@@ -426,8 +463,6 @@ objects:
 environment: test-${TEST_ID}
 spec:
 replicas: 1
- strategy:
- type: Recreate
 selector:
 app: mbs
 service: frontend
@@ -445,9 +480,6 @@ objects:
 - name: frontend
 image: "${MBS_FRONTEND_IMAGE}"
 imagePullPolicy: Always
- env:
- - name: FLASK_DEBUG
- value: "1"
 ports:
 - containerPort: 8080
 protocol: TCP
@@ -466,7 +498,8 @@ objects:
 mountPath: /etc/module-build-service
 readOnly: true
 - name: httpd-config
- mountPath: /etc/httpd/conf.d
+ mountPath: /etc/httpd/conf.d/mbs.conf
+ subPath: mbs.conf
 readOnly: true
 - name: wsgi-config
 mountPath: /usr/share/mbs
@@ -776,8 +809,6 @@ objects:
 environment: test-${TEST_ID}
 spec:
 replicas: 1
- strategy:
- type: Recreate
 selector:
 app: mbs
 service: backend
@@ -919,7 +950,7 @@ objects:
 resources:
 limits:
 memory: 512Mi
- cpu: 0.4
+ cpu: 400m
 readinessProbe:
 timeoutSeconds: 1
 initialDelaySeconds: 5
diff --git a/vars/mbs.groovy b/vars/mbs.groovy
index c3ff855..270199d 100644
--- a/vars/mbs.groovy
+++ b/vars/mbs.groovy
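Review bot: With `termination: passthrough` the router no longer terminates TLS, so the certificate httpd presents on the pod's `https` port must itself be valid for the Route's host; the FRONTEND_CERT parameter added earlier in this patch is the only candidate visible here, and whether its subject/SAN covers the route hostname cannot be checked from the template. `targetPort: https` also relies on the frontend Service naming its 8443 port `https`, and that Service definition lies outside this hunk. A short comment above `termination: passthrough`, e.g. `# TLS is terminated by httpd in the pod; FRONTEND_CERT must be valid for the route host`, would record both dependencies for the next person who rotates the certificate.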
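Review bot: Mounting the ConfigMap through `subPath: mbs.conf` means later changes to the `httpd-config` ConfigMap are not propagated into the running container — Kubernetes refreshes files in a whole-volume ConfigMap mount, but not files mounted via subPath — so an updated httpd configuration only takes effect once the pod is recreated. Presumably the subPath was chosen so the mount does not hide the other files the image ships in conf.d; if so, a comment next to the mount such as `# subPath mount: ConfigMap edits need a pod restart to apply` would save the next reader a debugging round. The enclosing container spec starts outside this hunk.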
@@ -1,7 +1,7 @@
 // Functions to deploy a containerized MBS
 // Mike Bonnet (mikeb@redhat.com), 2019-01-07
-def deploy(test_id, kojicert, kojica, msgcert, cacerts, kojiurl, stompuri,
+def deploy(test_id, kojicert, kojica, msgcert, frontendcert, frontendca, cacerts, kojiurl, stompuri,
 backend_image="quay.io/factory2/mbs-backend:latest", frontend_image="quay.io/factory2/mbs-frontend:latest") {
 stage("Deploy MBS") {
@@ -14,6 +14,9 @@ def deploy(test_id, kojicert, kojica, msgcert, cacerts, kojiurl, stompuri,
 '-p', "KOJI_SERVERCA=" + kojica.cert.bytes.encodeBase64().toString(),
 '-p', "MESSAGING_CERT=" + msgcert.cert.bytes.encodeBase64().toString(),
 '-p', "MESSAGING_KEY=" + msgcert.key.bytes.encodeBase64().toString(),
+ '-p', "FRONTEND_CERT=" + frontendcert.cert.bytes.encodeBase64().toString(),
+ '-p', "FRONTEND_KEY=" + frontendcert.key.bytes.encodeBase64().toString(),
+ '-p', "FRONTEND_CA=" + frontendca.cert.bytes.encodeBase64().toString(),
 '-p', "CA_CERTS=" + cacerts.bytes.encodeBase64().toString(),
 '-p', "KOJI_URL=${kojiurl}",
 '-p', "STOMP_URI=${stompuri}",

From e64e36e779bfd1a49582468dd21b3c05a5631040 Mon Sep 17 00:00:00 2001
From: Mike Bonnet
Date: Apr 16 2019 16:25:47 +0000
Subject: [PATCH 2/2] add liveness and readiness probes

---
diff --git a/resources/openshift/templates/mbs.yaml b/resources/openshift/templates/mbs.yaml
index 3e41fe7..e32e94b 100644
--- a/resources/openshift/templates/mbs.yaml
+++ b/resources/openshift/templates/mbs.yaml
@@ -351,11 +351,6 @@ objects:
 RedirectMatch ^/$ /module-build-service/1/module-builds/
-
- RewriteEngine on
- RewriteCond %{REQUEST_URI} !=/server-status
- RewriteCond %{HTTPS} off
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 - apiVersion: v1
 kind: ConfigMap
 metadata:
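Review bot: The two new parameters `frontendcert, frontendca` are inserted in the middle of `deploy`'s positional parameter list, ahead of `cacerts, kojiurl, stompuri`, so existing call sites break in two different ways: a caller passing the previous seven arguments now fails with a missing-method error, while a caller that also overrode `backend_image`/`frontend_image` still resolves but binds its `cacerts` to `frontendcert` and shifts everything after it, with no error at all. Appending the new parameters after `stompuri` (before the two defaulted image parameters) — or taking the certificate bundle as a named map, which Groovy supports — keeps the existing signature working. The function body continues beyond this hunk, so its callers are not visible here.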
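Review bot: The new `'-p', "FRONTEND_KEY=" + frontendcert.key...` entry hands the frontend's private key to the template processor as a plain command-line parameter, in the same way the existing `MESSAGING_KEY` line does; parameters passed like this, presumably to `oc process`, are readable in the process list for the duration of the call and, depending on how the pipeline invokes and logs the command, may end up verbatim in the Jenkins build output. Passing the secret-bearing parameters through a `--param-file` written with restrictive permissions and deleted afterwards keeps the key material off the command line. How this list is consumed is outside the hunk, so whether it is actually logged cannot be confirmed here.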
@@ -487,6 +482,26 @@ objects:
 - containerPort: 8443
 protocol: TCP
 name: https
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /module-build-service/1/monitor/metrics
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /module-build-service/1/module-builds/?per_page=1&short=true
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
 volumeMounts:
 - name: fedmsg-config
 mountPath: /etc/fedmsg.d
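Review bot: The liveness probe's `timeoutSeconds: 1` is tight for an app served by two WSGI processes of two threads each (the `WSGIDaemonProcess ... processes=2 threads=2` line from the first patch in this series): when all four workers are busy with slow API requests a metrics call can easily wait longer than a second, and after three such misses (`failureThreshold: 3`) the container is restarted, which only adds load. The readiness probe, which runs a database-backed module-builds query, is already allowed 5 seconds; giving the liveness probe the same, `timeoutSeconds: 5`, avoids spurious restarts, and it is worth confirming that `/module-build-service/1/monitor/metrics` does not itself depend on the database or message bus, since a liveness check should only reflect the health of the process. Both probes use `scheme: HTTP` on port 8080 while the Route is passthrough TLS on 8443; a comment such as `# probes use the plain-HTTP listener; TLS is only for external traffic` above `livenessProbe:` would make that intentional. The enclosing container spec starts outside this hunk.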