Merge lp:~ce-infrastructure/capomastro/capomastro-apache-1385220 into lp:~ubuntuone-hackers/capomastro/charm

Proposed by Caio Begotti
Status: Merged
Approved by: Daniel Manrique
Approved revision: 55
Merged at revision: 52
Proposed branch: lp:~ce-infrastructure/capomastro/capomastro-apache-1385220
Merge into: lp:~ubuntuone-hackers/capomastro/charm
Diff against target: 125 lines (+67/-10)
4 files modified
README (+22/-7)
hooks/website-relation-changed (+6/-0)
hooks/website-relation-joined (+0/-3)
templates/http_virtualhost.tmpl (+39/-0)
To merge this branch: bzr merge lp:~ce-infrastructure/capomastro/capomastro-apache-1385220
Reviewer: Daniel Manrique (community)
Review status: Approve
Review via email: mp+241059@code.launchpad.net

Description of the change

This change makes it possible to have Capomastro sitting behind another Apache server, from the charms store, acting like an exposed proxy. This is the first step to get SSO in Capomastro without needing to change its authentication code right now.

Also, this is another requirement for production by IS: not to expose your own web server, and use a supported one via charming.

SSL support is still pending because we need a review of it all by IS and their advice on that.

55. By Caio Begotti

this does not belong here, forgotten leftover, even in the wrong place as openid_provider is a setting from config.yaml

Caio Begotti (caio1982) wrote :

I couldn't get SSO support in time for this merge request, but since it's not a requirement for #1385220 I'll keep investigating how SSO could be attached to this in parallel; this merge request stands on its own anyway.

Daniel Manrique (roadmr) wrote :

Looks OK, can't think of anything wrong with it... actually I can't really think much right now, but this is very close to what I got working, so I agree with these changes.

Main point is the all-services thingy, which is good in this MR.

review: Approve

Preview Diff

1=== modified file 'README'
2--- README 2014-11-05 11:27:44 +0000
3+++ README 2014-11-07 10:33:56 +0000
4@@ -72,13 +72,19 @@
5 operational. This will affect Django's default security of the app because of a
6 more (securely) flexible ALLOWED_HOSTS being used instead.
7
8-Setup and deploy:
9+Initial setup:
10
11 $ export JUJU_REPOSITORY=${PWD}/charms
12 $ juju bootstrap
13
14+Deploy the infrastructure charms:
15+
16+$ juju deploy cs:apache2
17 $ juju deploy cs:postgresql
18 $ juju deploy cs:rabbitmq-server
19+
20+Now you can deploy charms used by Capomastro:
21+
22 $ juju deploy local:trusty/jenkins --constraints="mem=10G cpu-cores=10 root-disk=100G"
23 $ juju deploy local:trusty/capomastro
24
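Review bot: The added `juju deploy cs:apache2` line names neither a series nor a charm revision, so the proxy that ends up being the only exposed web server is whatever the store resolves at deploy time. Since this README is the production deployment procedure, consider pinning the series and revision for apache2 (and for the neighbouring cs:postgresql and cs:rabbitmq-server lines) so a rebuild gets the same reviewed charm.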
25@@ -94,21 +100,30 @@
26
27 Stop and start again this Jenkins unit to get the changes active.
28
29-Expose and connect the services:
30-
31-$ juju expose postgresql
32-$ juju expose rabbitmq-server
33-$ juju expose jenkins
34-$ juju expose capomastro
35+Now connect the service charms:
36
37 $ juju add-relation postgresql:db capomastro
38 $ juju add-relation rabbitmq-server capomastro
39 $ juju add-relation jenkins capomastro
40
41+Finally connect Capomastro to its Apache proxy:
42+
43+$ juju set apache2 enable_modules="proxy proxy_http proxy_connect rewrite headers ssl"
44+$ juju set apache2 vhost_http_template="$(base64 < templates/http_virtualhost.tmpl)"
45+$ juju add-relation apache2:reverseproxy capomastro:website
46+
47 If monitoring charms were deployed before:
48
49 $ juju add-relation nrpe-external-master capomastro
50
51+Expose the Apache proxy with OpenID, then open its IP/hostname in your browser:
52+
53+$ juju expose apache2
54+
55+If you need to make the Jenkins artifacts available (most probably), also run:
56+
57+$ juju expose jenkins
58+
59 Post-deployment configuration
60 -----------------------------
61
62
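Review bot: The `enable_modules="proxy proxy_http proxy_connect rewrite headers ssl"` step turns on more modules than the vhost template in this same change uses: the template has no rewrite rules, its SSL and RequestHeader lines are commented out, and with `ProxyRequests off` nothing needs proxy_connect. Suggest enabling only `proxy proxy_http` now and adding `headers ssl` together with the SSL follow-up. Two smaller README points: the heading "Expose the Apache proxy with OpenID" mentions OpenID although no step here configures it, and `juju expose jenkins` still puts Jenkins directly on the network next to the proxy, which deserves a sentence explaining why artifacts are not served through apache2.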
63=== added file 'hooks/website-relation-changed'
64--- hooks/website-relation-changed 1970-01-01 00:00:00 +0000
65+++ hooks/website-relation-changed 2014-11-07 10:33:56 +0000
66@@ -0,0 +1,6 @@
67+#!/bin/sh -xev
68+
69+. inc/common
70+
71+relation-set port=${port} hostname=${private_address}
72+relation-set all_services=" - {service_name: capomastro, service_port: ${port}}"
73
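Review bot: Both relation-set lines rely on `${port}` and `${private_address}` being defined by `. inc/common`, which this diff does not show, and the shebang's `-xev` does not include `-u`. If either variable is empty the hook still succeeds and publishes `service_port: ` in all_services, leaving the proxy with a broken backend instead of a failed hook. Suggest adding `-u` (or using `${port:?}` and `${private_address:?}`) and quoting the expansions, e.g. `hostname="${private_address}"`.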
74=== modified file 'hooks/website-relation-joined'
75--- hooks/website-relation-joined 2014-09-30 20:03:23 +0000
76+++ hooks/website-relation-joined 1970-01-01 00:00:00 +0000
77@@ -1,3 +0,0 @@
78-#!/bin/sh
79-
80-relation-set port=$(config-get port) hostname=$(unit-get private-address)
81
82=== target is u'website-relation-changed'
83=== added file 'templates/http_virtualhost.tmpl'
84--- templates/http_virtualhost.tmpl 1970-01-01 00:00:00 +0000
85+++ templates/http_virtualhost.tmpl 2014-11-07 10:33:56 +0000
86@@ -0,0 +1,39 @@
87+# This file is Juju managed
88+#
89+# Some bits taken from https://github.com/battlemidget/juju-apache-gunicorn-django
90+#
91+# {{ servername }} comes from the apache charm config.yaml
92+# {{ capomastro }} from the all_services variable set
93+
94+# <VirtualHost *:80>
95+# ServerName {{ servername }}
96+# Redirect permanent / https://{{ servername }}/
97+# </VirtualHost>
98+
99+<VirtualHost *:80>
100+ ServerName {{ servername }}
101+
102+ CustomLog /var/log/apache2/capomastro.access-log combined
103+ ErrorLog /var/log/apache2/capomastro.error-log
104+
105+ # SSLEngine on
106+ # SSLCertificateFile /etc/ssl/certs/ssl-cert-cts.pem
107+ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-cts.key
108+ #
109+ # This ensures Django is seeing the HTTPS protocol
110+ # and prefixing all URLs with HTTPS
111+ #
112+ # RequestHeader set X-FORWARDED-SSL "on"
113+ # RequestHeader set X-FORWARDED_PROTO "https"
114+
115+ ProxyRequests off
116+ ProxyPreserveHost on
117+
118+ <Proxy *>
119+ Order Allow,Deny
120+ Allow from All
121+ </Proxy>
122+
123+ ProxyPass / http://{{ capomastro }}/
124+ ProxyPassReverse / http://{{ capomastro }}/
125+</VirtualHost>
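
Review bot: In the commented SSL block, `RequestHeader set X-FORWARDED_PROTO "https"` uses an underscore where the line above it uses hyphens; the conventional header name is X-Forwarded-Proto, and it is worth fixing now so the line is correct when someone uncomments it for the SSL follow-up. Separately, the `<Proxy *>` block uses the Apache 2.2 access directives `Order Allow,Deny` and `Allow from All`; on Apache 2.4 these only work through mod_access_compat, and the native form is `Require all granted`. A short comment noting that the port 80 vhost is temporary until the commented redirect and SSL lines are enabled would also help the next reader.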
