From aa8315fc2fd223800a074780e1ed3953e46eec6c Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Date: Tue, 9 Apr 2024 10:32:57 +0000
Subject: [PATCH 1/3] Use Apache instead of nginx to serve our static repo
 files

This includes support for injecting custom Apache configuration blocks
by editing the values file, which should make it possible to add
authentication later on.

This simplifies the switchover of deployments that are currently
using Apache + mod_auth_oidc to guard their published repositories.

https://phabricator.apertis.org/T10135

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
---
 chart/templates/configmap-publish.yaml | 77 ++++++++++++++++++++------
 chart/templates/statefulset.yaml       |  9 +--
 chart/values.yaml                      |  4 ++
 3 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/chart/templates/configmap-publish.yaml b/chart/templates/configmap-publish.yaml
index 4b006eaa..d3c5498a 100644
--- a/chart/templates/configmap-publish.yaml
+++ b/chart/templates/configmap-publish.yaml
@@ -5,19 +5,64 @@ metadata:
   labels:
     {{- include "aptly.labels" . | nindent 4 }}
 data:
-  default.conf: |
-    server {
-      listen       80 default_server;
-      listen  [::]:80 default_server;
-
-      #access_log  /var/log/nginx/host.access.log  main;
-      location ~ /apertis/dists/(?<dist>[^/]+)/snapshots/latest\.txt$ {
-        resolver kube-dns.kube-system.svc.cluster.local;
-        proxy_pass http://{{ include "aptly.fullname" . }}-latest-snapshots.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.latestSnapshots.service.port }}/latest/$dist;
-      }
-      location / {
-        root   /data;
-        autoindex on;
-        try_files $uri $uri/ =404;
-      }
-    }
+  httpd.conf: |
+    ServerRoot "/usr/local/apache2"
+    Listen 80
+
+    {{ .Values.publish.config.before_modules | indent 4 }}
+    LoadModule mpm_event_module modules/mod_mpm_event.so
+    LoadModule authz_core_module modules/mod_authz_core.so
+    LoadModule allowmethods_module modules/mod_allowmethods.so
+    LoadModule reqtimeout_module modules/mod_reqtimeout.so
+    LoadModule mime_module modules/mod_mime.so
+    LoadModule log_config_module modules/mod_log_config.so
+    LoadModule headers_module modules/mod_headers.so
+    LoadModule proxy_module modules/mod_proxy.so
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+    LoadModule unixd_module modules/mod_unixd.so
+    LoadModule autoindex_module modules/mod_autoindex.so
+    {{ .Values.publish.config.after_modules | indent 4 }}
+
+    <IfModule unixd_module>
+      User www-data
+      Group www-data
+    </IfModule>
+
+    ErrorLog /proc/self/fd/2
+    LogLevel warn
+
+    <IfModule log_config_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+      CustomLog /proc/self/fd/1 common
+    </IfModule>
+
+    <IfModule headers_module>
+      RequestHeader unset Proxy early
+    </IfModule>
+
+    <Directory />
+      AllowOverride none
+      Require all denied
+    </Directory>
+
+    DocumentRoot /data
+    <Directory /data>
+      AllowMethods GET
+      AllowOverride none
+      Require all granted
+      Options +Indexes
+      AddDefaultCharset utf-8
+    </Directory>
+
+    define SNAPSHOTS_SERVICE "{{ include "aptly.fullname" . }}-latest-snapshots.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.latestSnapshots.service.port }}"
+    <LocationMatch "^/apertis/dists/(?<dist>[^/]+)/snapshots/latest\.txt$">
+      AllowMethods GET
+      ProxyPassMatch "http://${SNAPSHOTS_SERVICE}/latest/$1"
+      ProxyPassReverse ${SNAPSHOTS_SERVICE}
+    </LocationMatch>
+
+    <IfModule mime_module>
+      TypesConfig conf/mime.types
+    </IfModule>
+
+    {{ .Values.publish.config.after_body | indent 4 }}
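Review bot: `ProxyPassReverse ${SNAPSHOTS_SERVICE}` on the line after `ProxyPassMatch` passes a bare host:port where the directive takes a URL, so it likely needs the scheme and the same path prefix as the forward rule, e.g. `ProxyPassReverse "http://${SNAPSHOTS_SERVICE}/latest/"`. The `<LocationMatch>` regex captures the distribution as a named group `(?<dist>…)` while the proxy target uses `$1`; both forms exist in httpd 2.4, but confirm on the image in use that the numbered backreference is substituted inside a LocationMatch, and a comment `# $1 is the <dist> capture from the LocationMatch above` would make the pairing explicit. The three values snippets are spliced in with `indent 4` on lines that are already indented, so the first line of each snippet lands eight columns in; Apache ignores that, but `{{- … | nindent 4 }}` is the usual Helm form and keeps the rendered file uniform. Since this server now exposes directory listings publicly, a `ServerTokens Prod` line next to `ServerRoot` would keep the httpd version out of the Server header.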
diff --git a/chart/templates/statefulset.yaml b/chart/templates/statefulset.yaml
index a30aa2c3..0272e01a 100644
--- a/chart/templates/statefulset.yaml
+++ b/chart/templates/statefulset.yaml
@@ -76,7 +76,7 @@ spec:
         - name: {{ .Chart.Name }}-publish
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: docker.io/library/nginx:1.25
+          image: docker.io/library/httpd:2.4
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
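Review bot: `image: docker.io/library/httpd:2.4` hard-codes a floating minor tag in the template even though the chart already exposes `.Values.image.pullPolicy` on the very next line, so the publish container cannot be pinned to a digest or pulled from a mirror per deployment. Consider adding a `publish.image.repository` / `publish.image.tag` pair to values.yaml and rendering `image: "{{ .Values.publish.image.repository }}:{{ .Values.publish.image.tag }}"` here, defaulting to the current value. The container spec this line belongs to continues outside the hunk.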
@@ -96,8 +96,9 @@ spec:
             - name: data
               mountPath: "/data"
               subPath: "public"
-            - name: "nginx-config"
-              mountPath: "/etc/nginx/conf.d"
+            - name: "apache-config"
+              mountPath: "/usr/local/apache2/conf/httpd.conf"
+              subPath: "httpd.conf"
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
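Review bot: Mounting the ConfigMap with `subPath: "httpd.conf"` copies the file once at pod start and never updates it when the ConfigMap changes, so edits to `publish.config.*` (the mechanism the commit message relies on for adding authentication later) will not reach a running pod until it is recreated. Add a checksum annotation on the pod template, `checksum/publish-config: {{ include (print $.Template.BasePath "/configmap-publish.yaml") . | sha256sum }}`, so that a config change rolls the StatefulSet, or mount the ConfigMap as a directory somewhere other than `conf/` (so `conf/mime.types` stays visible) and point httpd at it with `-f`. The pod template's metadata block where such an annotation would live is outside this hunk.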
@@ -110,7 +111,7 @@ spec:
           secret:
             secretName: {{ include "aptly.gpgSecretName" . }}
         {{- end }}
-        - name: nginx-config
+        - name: apache-config
           configMap:
             name: {{ include "aptly.fullname" . }}-publish
         - name: data
diff --git a/chart/values.yaml b/chart/values.yaml
index f32c0f5f..83081975 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -22,6 +22,10 @@ api:
   extraEnvVars: []
 
 publish:
+  config:
+    before_modules: ''
+    after_modules: ''
+    after_body: ''
   resources: {}
 
 latestSnapshots:
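Review bot: The three new keys under `publish.config` carry no comment, and nothing in values.yaml says they are raw Apache directives spliced verbatim into httpd.conf at three points. A comment above `config:` such as `# Raw httpd.conf fragments inserted verbatim: before the LoadModule block, after it, and at the end of the file. Content is not validated; a syntax error here keeps httpd from starting.` would tell operators what belongs here and what the failure mode is.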
-- 
GitLab


From 64ac45de69e8850f1e90e610a1e9e21d851f1111 Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <ryan.gonzalez@collabora.com>
Date: Tue, 9 Apr 2024 12:05:16 -0500
Subject: [PATCH 2/3] aptly: Make sure directory URLs always have a trailing
 slash

mod_dir is needed to redirect directory URLs to include the trailing
slash; without that, following links in the index will *overwrite* the
trailing path component instead of appending to it, leading to 404s.

https://phabricator.apertis.org/T10135

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
---
 chart/templates/configmap-publish.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chart/templates/configmap-publish.yaml b/chart/templates/configmap-publish.yaml
index d3c5498a..b8b8a41b 100644
--- a/chart/templates/configmap-publish.yaml
+++ b/chart/templates/configmap-publish.yaml
@@ -20,6 +20,7 @@ data:
     LoadModule proxy_module modules/mod_proxy.so
     LoadModule proxy_http_module modules/mod_proxy_http.so
     LoadModule unixd_module modules/mod_unixd.so
+    LoadModule dir_module modules/mod_dir.so
     LoadModule autoindex_module modules/mod_autoindex.so
     {{ .Values.publish.config.after_modules | indent 4 }}
 
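Review bot: Loading `mod_dir` also turns on its default `DirectoryIndex index.html`, so a file of that name landing anywhere in the published tree would be served in place of the autoindex listing; if that is not wanted, an explicit `DirectoryIndex disabled` in the `<Directory /data>` block would pin the behaviour. The trailing-slash redirect the module issues is an absolute URL built from the incoming request, so behind a TLS-terminating ingress the `Location` header may come back as `http://` unless the proxy rewrites it; worth confirming against a real deployment. A comment above the new line, `# mod_dir: redirect /foo to /foo/ so relative links in index pages resolve`, would record why the module is loaded. The module list continues on both sides of the hunk.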
-- 
GitLab


From 05f71869efc26d40a1e392a88ef0437f817eb86f Mon Sep 17 00:00:00 2001
From: Pablo Vigo <pvigo@collabora.com>
Date: Tue, 16 Apr 2024 14:00:49 +0200
Subject: [PATCH 3/3] Add extravolumes to Helm Chart

It is necessary to add a new block to allow new volumes from the
values file without modifying the original Helm chart.

Signed-off-by: Pablo Vigo <pvigo@collabora.com>
---
 chart/templates/statefulset.yaml | 3 +++
 chart/values.yaml                | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/chart/templates/statefulset.yaml b/chart/templates/statefulset.yaml
index 0272e01a..230ba93b 100644
--- a/chart/templates/statefulset.yaml
+++ b/chart/templates/statefulset.yaml
@@ -121,6 +121,9 @@ spec:
         {{- else }}
             claimName: {{ include "aptly.fullname" . }}-data
         {{- end }}
+        {{- if .Values.extraVolumes }}
+          {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
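Review bot: The new block uses `if` plus a repeated `.Values.extraVolumes` path where its neighbour at the same level, `{{- with .Values.nodeSelector }}` just below, uses `with`; writing it as `{{- with .Values.extraVolumes }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` reads like the rest of the file and avoids restating the path. The inner `toYaml` line is also indented two columns deeper than the `if`/`end` that enclose it; the `{{-` trim hides this in the rendered output but not in the template source. The volumes list this appends to starts before the hunk.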
diff --git a/chart/values.yaml b/chart/values.yaml
index 83081975..1980a0a3 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -68,6 +68,8 @@ gpg:
   # Expects a list of armored GPG private key strings.
   keys: []
 
+extraVolumes: []
+
 extraVolumeMounts: []
 
 serviceAccount:
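Review bot: `extraVolumes: []` is added without a comment, unlike the `gpg.keys` entry just above it, so nothing in values.yaml states what shape the entries take or where they end up. A line such as `# Additional Kubernetes volume objects appended to the StatefulSet's pod spec; pair each with an entry in extraVolumeMounts.` above it would document the contract.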
-- 
GitLab