From aa8315fc2fd223800a074780e1ed3953e46eec6c Mon Sep 17 00:00:00 2001 From: Ryan Gonzalez <ryan.gonzalez@collabora.com> Date: Tue, 9 Apr 2024 10:32:57 +0000 Subject: [PATCH 1/3] Use Apache instead of nginx to serve our static repo files This includes support for injecting custom Apache configuration blocks by editing the values file, which should make it possible to add authentication later on. This simplifies the switchover of deployments that are currently using Apache + mod_auth_oidc to guard their published repositories. https://phabricator.apertis.org/T10135 Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
---
 chart/templates/configmap-publish.yaml | 77 ++++++++++++++++++++------
 chart/templates/statefulset.yaml | 9 +--
 chart/values.yaml | 4 ++
 3 files changed, 70 insertions(+), 20 deletions(-)
diff --git a/chart/templates/configmap-publish.yaml b/chart/templates/configmap-publish.yaml
index 4b006eaa..d3c5498a 100644
--- a/chart/templates/configmap-publish.yaml
+++ b/chart/templates/configmap-publish.yaml
@@ -5,19 +5,64 @@ metadata: labels: {{- include "aptly.labels" . | nindent 4 }} data:
- default.conf: |
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- #access_log /var/log/nginx/host.access.log main;
- location ~ /apertis/dists/(?<dist>[^/]+)/snapshots/latest\.txt$ {
- resolver kube-dns.kube-system.svc.cluster.local;
- proxy_pass http://{{ include "aptly.fullname" . }}-latest-snapshots.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.latestSnapshots.service.port }}/latest/$dist;
- }
- location / {
- root /data;
- autoindex on;
- try_files $uri $uri/ =404;
- }
- }
+ httpd.conf: |
+ ServerRoot "/usr/local/apache2"
+ Listen 80
+
+ {{ .Values.publish.config.before_modules | indent 4 }}
+ LoadModule mpm_event_module modules/mod_mpm_event.so
+ LoadModule authz_core_module modules/mod_authz_core.so
+ LoadModule allowmethods_module modules/mod_allowmethods.so
+ LoadModule reqtimeout_module modules/mod_reqtimeout.so
+ LoadModule mime_module modules/mod_mime.so
+ LoadModule log_config_module modules/mod_log_config.so
+ LoadModule headers_module modules/mod_headers.so
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+ LoadModule unixd_module modules/mod_unixd.so
+ LoadModule autoindex_module modules/mod_autoindex.so
+ {{ .Values.publish.config.after_modules | indent 4 }}
+
+ <IfModule unixd_module>
+ User www-data
+ Group www-data
+ </IfModule>
+
+ ErrorLog /proc/self/fd/2
+ LogLevel warn
+
+ <IfModule log_config_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+ CustomLog /proc/self/fd/1 common
+ </IfModule>
+
+ <IfModule headers_module>
+ RequestHeader unset Proxy early
+ </IfModule>
+
+ <Directory />
+ AllowOverride none
+ Require all denied
+ </Directory>
+
+ DocumentRoot /data
+ <Directory /data>
+ AllowMethods GET
+ AllowOverride none
+ Require all granted
+ Options +Indexes
+ AddDefaultCharset utf-8
+ </Directory>
+
+ define
SNAPSHOTS_SERVICE "{{ include "aptly.fullname" . }}-latest-snapshots.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.latestSnapshots.service.port }}" + <LocationMatch "^/apertis/dists/(?<dist>[^/]+)/snapshots/latest\.txt$"> + AllowMethods GET + ProxyPassMatch "http://${SNAPSHOTS_SERVICE}/latest/$1" + ProxyPassReverse ${SNAPSHOTS_SERVICE} + </LocationMatch> + + <IfModule mime_module> + TypesConfig conf/mime.types + </IfModule> + + {{ .Values.publish.config.after_body | indent 4 }} diff --git a/chart/templates/statefulset.yaml b/chart/templates/statefulset.yaml index a30aa2c3..0272e01a 100644 --- a/chart/templates/statefulset.yaml +++ b/chart/templates/statefulset.yaml @@ -76,7 +76,7 @@ spec: - name: {{ .Chart.Name }}-publish securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: docker.io/library/nginx:1.25 + image: docker.io/library/httpd:2.4 imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http @@ -96,8 +96,9 @@ spec: - name: data mountPath: "/data" subPath: "public" - - name: "nginx-config" - mountPath: "/etc/nginx/conf.d" + - name: "apache-config" + mountPath: "/usr/local/apache2/conf/httpd.conf" + subPath: "httpd.conf" {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} @@ -110,7 +111,7 @@ spec: secret: secretName: {{ include "aptly.gpgSecretName" . }} {{- end }} - - name: nginx-config + - name: apache-config configMap: name: {{ include "aptly.fullname" . }}-publish - name: data diff --git a/chart/values.yaml b/chart/values.yaml index f32c0f5f..83081975 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -22,6 +22,10 @@ api: extraEnvVars: [] publish: + config: + before_modules: '' + after_modules: '' + after_body: '' resources: {} latestSnapshots: -- GitLab From 64ac45de69e8850f1e90e610a1e9e21d851f1111 Mon Sep 17 00:00:00 2001 
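Review bot: `ProxyPassReverse ${SNAPSHOTS_SERVICE}` inside the new `<LocationMatch>` block hands mod_proxy a bare host:port instead of the URL prefix that the `ProxyPassMatch` line proxies to, so as far as I can tell from mod_proxy's documented form any Location or Content-Location header returned by the snapshots service will never match and will not be rewritten; `ProxyPassReverse "http://${SNAPSHOTS_SERVICE}/latest/"` is the form I would expect, or the line can be dropped if the service never issues redirects. Two hardening directives the replaced nginx block did not need are also missing from the new httpd.conf: `ServerTokens Prod` and `TraceEnable Off`, because httpd's defaults advertise the exact version in the Server response header and answer TRACE requests. The `{{ ... | indent 4 }}` calls sit on already-indented template lines, so the first line of each injected block gets eight spaces inside the block scalar; harmless for httpd, but `nindent` placed at column 0 would render cleanly. The ConfigMap's `metadata` head is above this hunk and outside the diff.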
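Review bot: In the `@@ -96,8 +96,9 @@` hunk the config is now mounted with `subPath: "httpd.conf"`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, whereas the old directory mount of `/etc/nginx/conf.d` did receive them; unless the pod template already carries a checksum annotation over the publish ConfigMap (not visible here), editing the new `publish.config.*` values will not take effect until the pod is recreated. The usual fix is an annotation such as `checksum/publish-config: {{ include (print $.Template.BasePath "/configmap-publish.yaml") . | sha256sum }}` on the pod template, which keeps the subPath mount (needed so the image's `conf/mime.types` referenced by `TypesConfig` stays visible). Separately, in the `@@ -76,7 +76,7 @@` hunk `docker.io/library/httpd:2.4` floats across every 2.4.x release, so consider pinning a patch tag or an image digest so that rollouts are reproducible and image changes are reviewed. The container spec and the volumes list both continue outside these hunks.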
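Review bot: The three new `publish.config.*` keys in values.yaml are spliced verbatim into httpd.conf by the configmap template but carry no comment, while neighbouring keys in the file are documented (for example the `keys:` comment further down). I would add above `config:`: `# Raw Apache directives spliced verbatim into httpd.conf: before_modules and after_modules surround the LoadModule block, after_body is appended at the end. Trusted chart input only; the template adds the indentation.` Stating that these are trusted configuration, not a place for user-supplied text, matters because anything placed here becomes live server configuration.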
From: Ryan Gonzalez <ryan.gonzalez@collabora.com> Date: Tue, 9 Apr 2024 12:05:16 -0500 Subject: [PATCH 2/3] aptly: Make sure directory URLs always have a trailing slash mod_dir is needed to redirect directory URLs to include the trailing slash; without that, following links in the index will *overwrite* the trailing path component instead of appending to it, leading to 404s. https://phabricator.apertis.org/T10135 Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com> --- chart/templates/configmap-publish.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/chart/templates/configmap-publish.yaml b/chart/templates/configmap-publish.yaml index d3c5498a..b8b8a41b 100644 --- a/chart/templates/configmap-publish.yaml +++ b/chart/templates/configmap-publish.yaml @@ -20,6 +20,7 @@ data: LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so + LoadModule dir_module modules/mod_dir.so LoadModule autoindex_module modules/mod_autoindex.so {{ .Values.publish.config.after_modules | indent 4 }} -- GitLab From 05f71869efc26d40a1e392a88ef0437f817eb86f Mon Sep 17 00:00:00 2001 From: Pablo Vigo <pvigo@collabora.com> Date: Tue, 16 Apr 2024 14:00:49 +0200 Subject: [PATCH 3/3] Add extravolumes to Helm Chart It is necessary to add a new block to allow new volumes from the values file without modifying the original Helm chart. Signed-off-by: Pablo Vigo <pvigo@collabora.com> --- chart/templates/statefulset.yaml | 3 +++ chart/values.yaml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/chart/templates/statefulset.yaml b/chart/templates/statefulset.yaml index 0272e01a..230ba93b 100644 --- a/chart/templates/statefulset.yaml +++ b/chart/templates/statefulset.yaml 
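Review bot: With mod_dir loaded, the trailing-slash redirect it issues is built from the request's own scheme and Host header; if TLS terminates at an ingress in front of this pod, the 301 to the slash-terminated URL will point at `http://...` unless httpd is told the external scheme (for example `ServerName https://<external-host>`, or a mod_rewrite rule keyed on `X-Forwarded-Proto`), and a browser would then be bounced through an insecure URL. I cannot see the ingress setup from here, so please verify the redirect target in a deployed environment. Loading mod_dir also activates its default `DirectoryIndex index.html`, so a stray `index.html` inside /data would replace the autoindex listing for that directory; probably fine for a repository tree, but worth knowing. The hunk shows only the LoadModule line; the rest of httpd.conf is outside it.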
@@ -121,6 +121,9 @@ spec: {{- else }} claimName: {{ include "aptly.fullname" . }}-data {{- end }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/chart/values.yaml b/chart/values.yaml index 83081975..1980a0a3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -68,6 +68,8 @@ gpg: # Expects a list of armored GPG private key strings. keys: [] +extraVolumes: [] + extraVolumeMounts: [] serviceAccount: -- GitLab
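Review bot: `{{- toYaml .Values.extraVolumes | nindent 8 }}` must land at the same column as the existing `- name: data` entry under `volumes:`; the collapsed rendering here hides column positions, so please confirm with `helm template` that the chart writes its volume items at indent 8 rather than flush at 6, otherwise the appended items will be mis-nested. The existing `extraVolumeMounts` block earlier in the file uses `nindent 12` under the container, which is consistent with an indented-sequence style, so 8 is probably right. The volumes list and the pod spec continue outside this hunk.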
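Review bot: `extraVolumes: []` lands in values.yaml without a comment, unlike the documented `keys:` list just above it in the same hunk. I would add above it: `# Extra volume definitions appended verbatim to the pod's volumes list; pair each with an entry in extraVolumeMounts.`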