Drop all internal SSL
- Move SSL to the route
- Drop extra httpd modules
- Don't generate certificates
bdunne committed Aug 15, 2017
1 parent 26384c9 commit b6a4e36
Showing 4 changed files with 44 additions and 23 deletions.
18 changes: 6 additions & 12 deletions images/miq-app-frontend/Dockerfile
Expand Up @@ -17,28 +17,21 @@ LABEL name="manageiq" \
description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
io.k8s.display-name="ManageIQ" \
io.k8s.description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
io.openshift.expose-services="443:https" \
io.openshift.expose-services="80:http" \
io.openshift.tags="ManageIQ,miq,manageiq"

## Install EPEL repo, yum necessary packages for the build without docs, clean all caches
RUN yum -y install centos-release-scl-rh && \
yum -y install --setopt=tsflags=nodocs \
httpd \
mod_auth_kerb \
mod_authnz_pam \
mod_intercept_form_submit \
mod_lookup_identity \
mod_ssl \
&& \
yum -y install httpd --setopt=tsflags=nodocs && \
yum clean all

## GIT clone service UI repo (SUI)
RUN mkdir -p ${SUI_ROOT} && \
curl -L https://github.com/ManageIQ/manageiq-ui-service/tarball/${REF} | tar vxz -C ${SUI_ROOT} --strip 1

## Setup environment
RUN mv /etc/httpd/conf.d/ssl.conf{,.orig} && \
echo "# This file intentionally left blank. ManageIQ maintains its own SSL configuration" > /etc/httpd/conf.d/ssl.conf
RUN rm /etc/httpd/conf.d/ssl.conf && \
rm -f /etc/httpd/conf.d/manageiq-http*.conf

## Change workdir to application root, build/install gems
WORKDIR ${APP_ROOT}
Expand All @@ -61,9 +54,10 @@ RUN source /etc/default/evm && \
yarn cache clean

## Expose required container ports
EXPOSE 80 443
EXPOSE 80

COPY docker-assets/check-dependent-services.sh /bin
COPY docker-assets/manageiq-http.conf /etc/httpd/conf.d

ENTRYPOINT ["/usr/local/bin/dumb-init", "--single-child", "--"]
CMD ["entrypoint"]
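Review bot: The `rm /etc/httpd/conf.d/ssl.conf` in the "Setup environment" step is unguarded while the `rm -f /etc/httpd/conf.d/manageiq-http*.conf` right after it is not; ssl.conf is shipped by mod_ssl, which this hunk's yum step no longer installs, so unless the base image already provides the file the step fails the build on a missing file. Use `rm -f /etc/httpd/conf.d/ssl.conf && \` so the step succeeds whether or not the file exists. A one-line comment above the yum step, `# mod_ssl and the auth modules are no longer needed: TLS terminates at the OpenShift route`, would also record why the module list shrank. The FROM line is outside this hunk, so whether the base image carries mod_ssl cannot be confirmed here.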
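--- /dev/null
+++ b/images/miq-app-frontend/docker-assets/manageiq-http.conf
@@ -0,0 +1,29 @@
+## ManageIQ HTTP Virtual Host Context
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 120
+
+# HTTP Start-up error log
+ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log
+
+# Disable this section if using HTTP only
+RewriteEngine On
+Options SymLinksIfOwnerMatch
+
+<VirtualHost *:80>
+DocumentRoot /var/www/miq/vmdb/public
+Include conf.d/manageiq-redirects-ui
+Include conf.d/manageiq-redirects-ws
+Include conf.d/manageiq-redirects-websocket
+ProxyPreserveHost on
+<Location /assets/>
+Header unset ETag
+FileETag None
+ExpiresActive On
+ExpiresDefault "access plus 1 year"
+</Location>
+<Location /proxy_pages/>
+ErrorDocument 403 /error/noindex.html
+ErrorDocument 404 /error/noindex.html
+</Location>
+</VirtualHost>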
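Review bot: The comment `# Disable this section if using HTTP only` above `RewriteEngine On` is now misleading, since this file is the HTTP-only configuration introduced by the commit and the rewrite directives are presumably still required by the `manageiq-redirects-*` includes below; reword it to `# Rewrite support used by the manageiq-redirects-* includes below`. Because TLS now terminates at the route, httpd only ever sees plain HTTP on port 80, so anything in the application or the included redirect snippets that derives absolute URLs or Secure cookie flags from the request scheme depends on the router's forwarded-proto header being honoured, which this vhost does not mention; that is likely handled elsewhere, but it is worth confirming and noting in the file header. The included conf.d snippets are not part of this commit, so their behaviour cannot be checked here.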
3 changes: 0 additions & 3 deletions images/miq-app/docker-assets/appliance-initialize.sh
Expand Up @@ -15,9 +15,6 @@ write_v2_key

restore_pv_data

# Generate httpd certificate
/usr/bin/generate_miq_server_cert.sh

cd ${APP_ROOT}
bin/rake evm:deployment_status
case $? in
Expand Down
17 changes: 9 additions & 8 deletions templates/miq-template.yaml
Expand Up @@ -137,9 +137,10 @@ objects:
spec:
host: "${APPLICATION_DOMAIN}"
port:
targetPort: https
targetPort: http
tls:
termination: passthrough
termination: edge
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
name: "${HTTPD_SERVICE_NAME}"
Expand Down Expand Up @@ -205,14 +206,14 @@ objects:
image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
Expand Down Expand Up @@ -691,14 +692,14 @@ objects:
- containerPort: 443
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 15
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 3
volumeMounts: []
Expand Down
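Review bot: The second frontend container's ports list still declares `- containerPort: 443` (the first context line of the last hunk) even though its probes, the route target and the image's EXPOSE now all point at 80 and nothing listens on 443 any more; change it to `- containerPort: 80` or drop it so the declared ports match what httpd binds. With `termination: edge` the router-to-pod hop is plaintext HTTP, which this commit accepts by design; a short note on the route object, such as `# TLS is terminated at the router; in-cluster traffic to httpd is plain HTTP`, would make that trade-off visible to operators. The first container's ports list and both container definitions continue outside the hunks shown.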
