Merge pull request #197 from bdunne/http

Drop all internal SSL

images/miq-app-frontend/Dockerfile

@@ -17,28 +17,21 @@ LABEL name="manageiq" \
       description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
       io.k8s.display-name="ManageIQ" \
       io.k8s.description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
-      io.openshift.expose-services="443:https" \
+      io.openshift.expose-services="80:http" \
       io.openshift.tags="ManageIQ,miq,manageiq"
 
 ## Install EPEL repo, yum necessary packages for the build without docs, clean all caches
 RUN yum -y install centos-release-scl-rh && \
-    yum -y install --setopt=tsflags=nodocs \
-                   httpd                   \
-                   mod_auth_kerb           \
-                   mod_authnz_pam          \
-                   mod_intercept_form_submit \
-                   mod_lookup_identity     \
-                   mod_ssl                 \
-                   &&                      \
+    yum -y install httpd --setopt=tsflags=nodocs && \
     yum clean all
 
 ## GIT clone service UI repo (SUI)
 RUN mkdir -p ${SUI_ROOT} && \
     curl -L https://github.com/ManageIQ/manageiq-ui-service/tarball/${REF} | tar vxz -C ${SUI_ROOT} --strip 1
 
 ## Setup environment
-RUN mv /etc/httpd/conf.d/ssl.conf{,.orig} && \
-    echo "# This file intentionally left blank. ManageIQ maintains its own SSL configuration" > /etc/httpd/conf.d/ssl.conf
+RUN rm -f /etc/httpd/conf.d/ssl.conf && \
+    rm -f /etc/httpd/conf.d/manageiq-http*.conf
 
 ## Change workdir to application root, build/install gems
 WORKDIR ${APP_ROOT}
@@ -61,9 +54,10 @@ RUN source /etc/default/evm && \
     yarn cache clean
 
 ## Expose required container ports
-EXPOSE 80 443
+EXPOSE 80
 
 COPY docker-assets/check-dependent-services.sh /bin
+COPY docker-assets/manageiq-http.conf /etc/httpd/conf.d
 
 ENTRYPOINT ["/usr/local/bin/dumb-init", "--single-child", "--"]
 CMD ["entrypoint"]

images/miq-app-frontend/docker-assets/manageiq-http.conf

@@ -0,0 +1,28 @@
+## ManageIQ HTTP Virtual Host Context
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 120
+
+# HTTP Start-up error log
+ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log
+
+RewriteEngine On
+Options SymLinksIfOwnerMatch
+
+<VirtualHost *:80>
+  DocumentRoot /var/www/miq/vmdb/public
+  Include conf.d/manageiq-redirects-ui
+  Include conf.d/manageiq-redirects-ws
+  Include conf.d/manageiq-redirects-websocket
+  ProxyPreserveHost on
+  <Location /assets/>
+    Header unset ETag
+    FileETag None
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+  </Location>
+  <Location /proxy_pages/>
+    ErrorDocument 403 /error/noindex.html
+    ErrorDocument 404 /error/noindex.html
+  </Location>
+</VirtualHost>

images/miq-app/docker-assets/appliance-initialize.sh

@@ -15,9 +15,6 @@ write_v2_key
 
 restore_pv_data
 
-# Generate httpd certificate
-/usr/bin/generate_miq_server_cert.sh
-
 cd ${APP_ROOT}
 bin/rake evm:deployment_status
 case $? in

templates/miq-template-ext-db.yaml

@@ -51,10 +51,6 @@ objects:
       port: 80
       protocol: TCP
       targetPort: 80
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 443
     selector:
       name: "${NAME}"
 - apiVersion: v1
@@ -64,9 +60,10 @@ objects:
   spec:
     host: "${APPLICATION_DOMAIN}"
     port:
-      targetPort: https
+      targetPort: http
     tls:
-      termination: passthrough
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
     to:
       kind: Service
       name: "${HTTPD_SERVICE_NAME}"
@@ -114,21 +111,19 @@ objects:
           image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
           livenessProbe:
             tcpSocket:
-              port: 443
+              port: 80
             initialDelaySeconds: 480
             timeoutSeconds: 3
           readinessProbe:
             httpGet:
               path: "/"
-              port: 443
-              scheme: HTTPS
+              port: 80
+              scheme: HTTP
             initialDelaySeconds: 200
             timeoutSeconds: 3
           ports:
           - containerPort: 80
             protocol: TCP
-          - containerPort: 443
-            protocol: TCP
           volumeMounts:
           - name: "${NAME}-server"
             mountPath: "/persistent"
@@ -484,9 +479,6 @@ objects:
     - name: http
       port: 80
       targetPort: 80
-    - name: https
-      port: 443
-      targetPort: 443
     selector:
       name: httpd
 - apiVersion: v1
@@ -525,23 +517,19 @@ objects:
           image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
           ports:
           - containerPort: 80
-          - containerPort: 443
           livenessProbe:
             tcpSocket:
-              port: 443
+              port: 80
             initialDelaySeconds: 15
             timeoutSeconds: 3
           readinessProbe:
             httpGet:
               path: "/"
-              port: 443
-              scheme: HTTPS
+              port: 80
+              scheme: HTTP
             initialDelaySeconds: 10
             timeoutSeconds: 3
           volumeMounts: []
-          env:
-          - name: MANAGEIQ_SERVICE_NAME
-            value: "${NAME}"
           resources:
             requests:
               memory: "${HTTPD_MEM_REQ}"

templates/miq-template.yaml

@@ -124,10 +124,6 @@ objects:
       port: 80
       protocol: TCP
       targetPort: 80
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 443
     selector:
       name: "${NAME}"
 - apiVersion: v1
@@ -137,9 +133,10 @@ objects:
   spec:
     host: "${APPLICATION_DOMAIN}"
     port:
-      targetPort: https
+      targetPort: http
     tls:
-      termination: passthrough
+      termination: edge
+      insecureEdgeTerminationPolicy: Redirect
     to:
       kind: Service
       name: "${HTTPD_SERVICE_NAME}"
@@ -205,21 +202,19 @@ objects:
           image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
           livenessProbe:
             tcpSocket:
-              port: 443
+              port: 80
             initialDelaySeconds: 480
             timeoutSeconds: 3
           readinessProbe:
             httpGet:
               path: "/"
-              port: 443
-              scheme: HTTPS
+              port: 80
+              scheme: HTTP
             initialDelaySeconds: 200
             timeoutSeconds: 3
           ports:
           - containerPort: 80
             protocol: TCP
-          - containerPort: 443
-            protocol: TCP
           volumeMounts:
           - name: "${NAME}-server"
             mountPath: "/persistent"
@@ -647,9 +642,6 @@ objects:
     - name: http
       port: 80
       targetPort: 80
-    - name: https
-      port: 443
-      targetPort: 443
     selector:
       name: httpd
 - apiVersion: v1
@@ -688,23 +680,19 @@ objects:
           image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
           ports:
           - containerPort: 80
-          - containerPort: 443
           livenessProbe:
             tcpSocket:
-              port: 443
+              port: 80
             initialDelaySeconds: 15
             timeoutSeconds: 3
           readinessProbe:
             httpGet:
               path: "/"
-              port: 443
-              scheme: HTTPS
+              port: 80
+              scheme: HTTP
             initialDelaySeconds: 10
             timeoutSeconds: 3
           volumeMounts: []
-          env:
-          - name: MANAGEIQ_SERVICE_NAME
-            value: "${NAME}"
           resources:
             requests:
               memory: "${HTTPD_MEM_REQ}"