Drop all internal SSL #197

Merged
merged 1 commit into from
Aug 16, 2017
18 changes: 6 additions & 12 deletions images/miq-app-frontend/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,28 +17,21 @@ LABEL name="manageiq" \
description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
io.k8s.display-name="ManageIQ" \
io.k8s.description="ManageIQ is a management and automation platform for virtual, private, and hybrid cloud infrastructures." \
io.openshift.expose-services="443:https" \
io.openshift.expose-services="80:http" \
io.openshift.tags="ManageIQ,miq,manageiq"

## Install EPEL repo, yum necessary packages for the build without docs, clean all caches
RUN yum -y install centos-release-scl-rh && \
yum -y install --setopt=tsflags=nodocs \
httpd \
mod_auth_kerb \
mod_authnz_pam \
mod_intercept_form_submit \
mod_lookup_identity \
mod_ssl \
&& \
yum -y install httpd --setopt=tsflags=nodocs && \
yum clean all

## GIT clone service UI repo (SUI)
RUN mkdir -p ${SUI_ROOT} && \
curl -L https://github.com/ManageIQ/manageiq-ui-service/tarball/${REF} | tar vxz -C ${SUI_ROOT} --strip 1

## Setup environment
RUN mv /etc/httpd/conf.d/ssl.conf{,.orig} && \
echo "# This file intentionally left blank. ManageIQ maintains its own SSL configuration" > /etc/httpd/conf.d/ssl.conf
RUN rm -f /etc/httpd/conf.d/ssl.conf && \
rm -f /etc/httpd/conf.d/manageiq-http*.conf

## Change workdir to application root, build/install gems
WORKDIR ${APP_ROOT}
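Review bot: the collapse of the package list to `yum -y install httpd` drops mod_auth_kerb, mod_authnz_pam, mod_intercept_form_submit and mod_lookup_identity together with mod_ssl, which is wider than "Drop all internal SSL" suggests: those four modules back external authentication, not TLS. Either keep them and remove only `mod_ssl`, or state in the PR description that the frontend image loses external-auth support until the follow-up referenced in the comments (#97). The `rm -f /etc/httpd/conf.d/ssl.conf` line is presumably a no-op once mod_ssl, which ships that file, is no longer installed, so it can go as well.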
Expand All @@ -61,9 +54,10 @@ RUN source /etc/default/evm && \
yarn cache clean

## Expose required container ports
EXPOSE 80 443
EXPOSE 80

COPY docker-assets/check-dependent-services.sh /bin
COPY docker-assets/manageiq-http.conf /etc/httpd/conf.d

ENTRYPOINT ["/usr/local/bin/dumb-init", "--single-child", "--"]
CMD ["entrypoint"]
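Review bot: `COPY docker-assets/manageiq-http.conf /etc/httpd/conf.d` comes several layers after the `rm -f /etc/httpd/conf.d/manageiq-http*.conf` in the setup step, so the new vhost survives, but that glob also matches the file copied here; a one-line comment on the rm saying it discards the packaged config so the image's own copy wins would stop a future reordering from silently deleting the vhost. With only `EXPOSE 80` left, it is also worth confirming that the unchanged `check-dependent-services.sh` does not still wait on port 443.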
28 changes: 28 additions & 0 deletions images/miq-app-frontend/docker-assets/manageiq-http.conf
@@ -0,0 +1,28 @@
## ManageIQ HTTP Virtual Host Context

# Timeout: The number of seconds before receives and sends time out.
Timeout 120

# HTTP Start-up error log
ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log

RewriteEngine On
Options SymLinksIfOwnerMatch

<VirtualHost *:80>
DocumentRoot /var/www/miq/vmdb/public
Include conf.d/manageiq-redirects-ui
Include conf.d/manageiq-redirects-ws
Include conf.d/manageiq-redirects-websocket
I think we will probably still need cockpit here right?

I'm not sure if they are all tested in containers, but I think that's what #97 is meant to address, so maybe we can investigate in a followup?

ProxyPreserveHost on
<Location /assets/>
Header unset ETag
FileETag None
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Location>
<Location /proxy_pages/>
ErrorDocument 403 /error/noindex.html
ErrorDocument 404 /error/noindex.html
</Location>
</VirtualHost>
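Review bot: because TLS now ends at the OpenShift route, this `*:80` vhost only ever sees plain HTTP, so the proxied application has to learn the original scheme from the router's `X-Forwarded-Proto` header or it will emit `http://` URLs in redirects and may set session cookies without the Secure flag; please confirm the included `manageiq-redirects-*` files or the app itself honour that header. Two smaller points: `ErrorLog /var/www/miq/vmdb/log/apache/miq_apache.log` needs that directory to exist before httpd starts, and `Options SymLinksIfOwnerMatch` at server scope with no `<Directory>` block applies to every path, which is probably wider than intended.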
3 changes: 0 additions & 3 deletions images/miq-app/docker-assets/appliance-initialize.sh
Expand Up @@ -15,9 +15,6 @@ write_v2_key

restore_pv_data

# Generate httpd certificate
/usr/bin/generate_miq_server_cert.sh

cd ${APP_ROOT}
bin/rake evm:deployment_status
case $? in
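Review bot: only the call to `/usr/bin/generate_miq_server_cert.sh` is removed; if the script and the certificate paths it wrote are still shipped in the miq-app image, drop them in the same change or say why they stay, since removing the `# Generate httpd certificate` comment leaves no record of why the backend no longer has a cert. This is also the miq-app (backend) initializer while the rest of the PR touches the frontend image, so confirm nothing in the backend's httpd configuration still references the generated certificate.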
30 changes: 9 additions & 21 deletions templates/miq-template-ext-db.yaml
Expand Up @@ -51,10 +51,6 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
selector:
name: "${NAME}"
- apiVersion: v1
Expand All @@ -64,9 +60,10 @@ objects:
spec:
host: "${APPLICATION_DOMAIN}"
port:
targetPort: https
targetPort: http
tls:
termination: passthrough
termination: edge
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
name: "${HTTPD_SERVICE_NAME}"
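Review bot: switching `termination` from `passthrough` to `edge` without `certificate`, `key` or `caCertificate` fields means the route is served with the router's default certificate; acceptable for a demo template, but the template should either expose parameters for an operator-supplied certificate or document that the default wildcard certificate is used. `insecureEdgeTerminationPolicy: Redirect` is the right companion setting, so port 80 on the route never serves the application in the clear.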
Expand Down Expand Up @@ -114,21 +111,19 @@ objects:
image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
volumeMounts:
- name: "${NAME}-server"
mountPath: "/persistent"
Expand Down Expand Up @@ -484,9 +479,6 @@ objects:
- name: http
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
selector:
name: httpd
- apiVersion: v1
Expand Down Expand Up @@ -525,23 +517,19 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
- containerPort: 443
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 15
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 3
volumeMounts: []
env:
- name: MANAGEIQ_SERVICE_NAME
value: "${NAME}"
resources:
requests:
memory: "${HTTPD_MEM_REQ}"
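Review bot: this deployment runs `${HTTPD_IMG_NAME}`, which is not modified anywhere in this PR, yet its probes and container ports move from 443/HTTPS to 80/HTTP; confirm that image already listens on 80 without TLS, otherwise the readiness probe never passes and the route has no endpoints. The `httpGet` probe on `/` treats any 2xx or 3xx status as success, so a redirect from the vhost is sufficient for readiness.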
30 changes: 9 additions & 21 deletions templates/miq-template.yaml
Expand Up @@ -124,10 +124,6 @@ objects:
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
selector:
name: "${NAME}"
- apiVersion: v1
Expand All @@ -137,9 +133,10 @@ objects:
spec:
host: "${APPLICATION_DOMAIN}"
port:
targetPort: https
targetPort: http
tls:
termination: passthrough
termination: edge
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
name: "${HTTPD_SERVICE_NAME}"
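Review bot: the same `passthrough` to `edge` change as in miq-template-ext-db.yaml, with a consequence the title does not spell out: traffic between the router and the httpd pod now crosses the cluster network unencrypted. If that is outside the accepted threat model, `reencrypt` termination keeps the route-side simplicity while retaining TLS to the pod; otherwise a sentence in the PR description recording that the in-cluster hop is deliberately plaintext would help future readers.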
Expand Down Expand Up @@ -205,21 +202,19 @@ objects:
image: "${APPLICATION_IMG_NAME}:${FRONTEND_APPLICATION_IMG_TAG}"
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 480
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 200
timeoutSeconds: 3
ports:
- containerPort: 80
protocol: TCP
- containerPort: 443
protocol: TCP
volumeMounts:
- name: "${NAME}-server"
mountPath: "/persistent"
Expand Down Expand Up @@ -647,9 +642,6 @@ objects:
- name: http
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
selector:
name: httpd
- apiVersion: v1
Expand Down Expand Up @@ -688,23 +680,19 @@ objects:
image: "${HTTPD_IMG_NAME}:${HTTPD_IMG_TAG}"
ports:
- containerPort: 80
- containerPort: 443
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 15
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/"
port: 443
scheme: HTTPS
port: 80
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 3
volumeMounts: []
env:
- name: MANAGEIQ_SERVICE_NAME
value: "${NAME}"
resources:
requests:
memory: "${HTTPD_MEM_REQ}"