Merge ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: f494c63833b36892ff35aa24301fbd6f77e6c4f1
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation
Merge into: launchpad:master
Diff against target: 185 lines (+92/-49)
6 files modified
charm/launchpad-librarian/metadata.yaml (+2/-0)
charm/launchpad-librarian/reactive/launchpad-librarian.py (+41/-0)
charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2 (+0/-12)
charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2 (+0/-37)
charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2 (+12/-0)
charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2 (+37/-0)
Reviewer: Simone Pelosi (status: Approve)
Review via email: mp+448400@code.launchpad.net

Commit message

charm: Separate restricted librarian vhost configuration

Description of the change

I'd hoped to avoid this and to be able to combine the public and restricted librarians onto a single set of IP addresses, but the restricted librarian relies on wildcard DNS (*.restricted.launchpadlibrarian.net etc.), and Let's Encrypt only supports wildcard SANs if you're using the DNS-01 challenge type, which I don't think we can easily arrange in our environment. As such, we'll need separate frontends for each of the public and restricted librarians, which means having a separate implementation of the `vhost-config` interface for each of them.

Revision history for this message
Simone Pelosi (pelpsi) wrote :

LGTM!

review: Approve

Preview Diff

1diff --git a/charm/launchpad-librarian/metadata.yaml b/charm/launchpad-librarian/metadata.yaml
2index f114ffa..520008b 100644
3--- a/charm/launchpad-librarian/metadata.yaml
4+++ b/charm/launchpad-librarian/metadata.yaml
5@@ -21,3 +21,5 @@ provides:
6 interface: http
7 vhost-config:
8 interface: apache-vhost-config
9+ restricted-vhost-config:
10+ interface: apache-vhost-config
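Review bot: `restricted-vhost-config` is a second relation on the same `apache-vhost-config` interface as `vhost-config`, and nothing in the metadata says which frontend should be related to which. A comment in metadata.yaml or a line in the charm README stating that `vhost-config` carries the public librarian vhosts and `restricted-vhost-config` the `*.restricted.` wildcard vhosts would stop an operator relating the public frontend to the wrong endpoint and serving the restricted vhosts from the public address set.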
11diff --git a/charm/launchpad-librarian/reactive/launchpad-librarian.py b/charm/launchpad-librarian/reactive/launchpad-librarian.py
12index 2cd20c0..7675da2 100644
13--- a/charm/launchpad-librarian/reactive/launchpad-librarian.py
14+++ b/charm/launchpad-librarian/reactive/launchpad-librarian.py
15@@ -337,3 +337,44 @@ def configure_vhost():
16 )
17 def deconfigure_vhost():
18 remove_state("launchpad.vhost.configured")
19+
20+
21+@when(
22+ "config.set.domain_librarian",
23+ "restricted-vhost-config.available",
24+ "service.configured",
25+)
26+@when_not("launchpad.restricted-vhost.configured")
27+def configure_restricted_vhost():
28+ vhost_config = endpoint_from_flag("restricted-vhost-config.available")
29+ config = dict(hookenv.config())
30+ config["domain_librarian_aliases"] = yaml.safe_load(
31+ config["domain_librarian_aliases"]
32+ )
33+ vhost_config.publish_vhosts(
34+ [
35+ vhost_config.make_vhost(
36+ 80,
37+ templating.render(
38+ "vhosts/restricted-librarian-http.conf.j2", None, config
39+ ),
40+ ),
41+ vhost_config.make_vhost(
42+ 443,
43+ templating.render(
44+ "vhosts/restricted-librarian-https.conf.j2", None, config
45+ ),
46+ ),
47+ ]
48+ )
49+ set_state("launchpad.restricted-vhost.configured")
50+
51+
52+@when("launchpad.restricted-vhost.configured")
53+@when_not_all(
54+ "config.set.domain_librarian",
55+ "restricted-vhost-config.available",
56+ "service.configured",
57+)
58+def deconfigure_restricted_vhost():
59+ remove_state("launchpad.restricted-vhost.configured")
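Review bot: `configure_restricted_vhost` parses `config["domain_librarian_aliases"]` with `yaml.safe_load`, but neither template it renders (`restricted-librarian-http.conf.j2` and `restricted-librarian-https.conf.j2`, both added in full later in this diff) references that key, so the parse is dead code here. Either drop it, or move the config preparation plus the `publish_vhosts` call into one helper that both `configure_vhost` and this function call with the template names and state flag as parameters, so the two handlers cannot drift apart. The `@when_not_all` deconfigure handler mirrors the existing `deconfigure_vhost` pattern and looks right.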
60diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
61index e36fc5f..eadba68 100644
62--- a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
63+++ b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
64@@ -23,15 +23,3 @@
65 ProxyPassReverse / balancer://cached-launchpad-librarian-download/
66 </VirtualHost>
67
68-<VirtualHost *:80>
69- ServerName wildcard.restricted.{{ domain_librarian }}
70- ServerAlias *.restricted.{{ domain_librarian }}
71-
72- CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
73- ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
74-
75- # The restricted librarian is only available over HTTPS.
76- RewriteEngine on
77- RewriteRule ^/(.*)$ - [R=403,L]
78-</VirtualHost>
79-
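Review bot: once the `*.restricted.{{ domain_librarian }}` vhost on port 80 is removed from this template, a request for a restricted hostname that still reaches the public frontend no longer gets the explicit 403 but falls through to whichever vhost Apache treats as the default for `*:80`. That is only safe if the wildcard DNS is moved to the new restricted frontend in the same rollout, so the deploy notes should state that ordering.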
80diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
81index 2fd8431..5cdfe66 100644
82--- a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
83+++ b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
84@@ -35,40 +35,3 @@
85 ProxyPassReverse / balancer://cached-launchpad-librarian-download/
86 </VirtualHost>
87
88-<VirtualHost *:443>
89- ServerName wildcard.restricted.{{ domain_librarian }}
90- ServerAlias *.restricted.{{ domain_librarian }}
91-
92- SSLEngine on
93- SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
94- SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
95-{%- if ssl_chain_required %}
96- SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
97-{%- endif %}
98-
99- CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
100- ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
101-
102- # Make build log files auto-decompress and be viewable from the browser.
103- <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
104- AddEncoding x-gzip gz
105- </Location>
106-
107- SetEnv force-proxy-request-1.0 1
108-
109- ProxyRequests off
110- <Proxy *>
111- Require all granted
112- </Proxy>
113-
114- ProxyPreserveHost on
115- # nocanon per https://portal.admin.canonical.com/C42560 to avoid
116- # problems with Launchpad's handling of e.g. %2B.
117- ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
118- ProxyPassReverse / balancer://cached-launchpad-librarian-download/
119-
120- <Location />
121- Header set Cache-Control "max-age=604800"
122- </Location>
123-</VirtualHost>
124-
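Review bot: the removed `*:443` block was the only consumer on the public frontend of a certificate covering `*.restricted.{{ domain_librarian }}`. After this lands, the public frontend's `/etc/ssl/certs/{{ domain_librarian }}.crt` no longer needs the wildcard SAN, which is what allows it to come from Let's Encrypt as the description explains; worth saying explicitly so the wildcard is not kept in the public certificate out of habit.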
125diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
126new file mode 100644
127index 0000000..3613a8b
128--- /dev/null
129+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
130@@ -0,0 +1,12 @@
131+<VirtualHost *:80>
132+ ServerName wildcard.restricted.{{ domain_librarian }}
133+ ServerAlias *.restricted.{{ domain_librarian }}
134+
135+ CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
136+ ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
137+
138+ # The restricted librarian is only available over HTTPS.
139+ RewriteEngine on
140+ RewriteRule ^/(.*)$ - [R=403,L]
141+</VirtualHost>
142+
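Review bot: the access and error logs here are named `wildcard.restricted.{{ domain_librarian }}-access.log` / `-error.log`, while the https vhost added in the next hunk logs to plain `{{ domain_librarian }}-access.log` / `-error.log`. Use the `wildcard.restricted.` prefix in both templates so restricted-librarian traffic is identifiable when reviewing logs and the file names cannot collide with the public librarian's logs if both vhosts ever share a host. Answering every plain-HTTP request with `RewriteRule ^/(.*)$ - [R=403,L]` rather than redirecting to https is the right choice for a service that must never be reached in clear text.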
143diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
144new file mode 100644
145index 0000000..f1d7dd8
146--- /dev/null
147+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
148@@ -0,0 +1,37 @@
149+<VirtualHost *:443>
150+ ServerName wildcard.restricted.{{ domain_librarian }}
151+ ServerAlias *.restricted.{{ domain_librarian }}
152+
153+ SSLEngine on
154+ SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
155+ SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
156+{%- if ssl_chain_required %}
157+ SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
158+{%- endif %}
159+
160+ CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
161+ ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
162+
163+ # Make build log files auto-decompress and be viewable from the browser.
164+ <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
165+ AddEncoding x-gzip gz
166+ </Location>
167+
168+ SetEnv force-proxy-request-1.0 1
169+
170+ ProxyRequests off
171+ <Proxy *>
172+ Require all granted
173+ </Proxy>
174+
175+ ProxyPreserveHost on
176+ # nocanon per https://portal.admin.canonical.com/C42560 to avoid
177+ # problems with Launchpad's handling of e.g. %2B.
178+ ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
179+ ProxyPassReverse / balancer://cached-launchpad-librarian-download/
180+
181+ <Location />
182+ Header set Cache-Control "max-age=604800"
183+ </Location>
184+</VirtualHost>
185+
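Review bot: `SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt` is the same path the removed block used in the public template, but on this frontend the certificate must carry the `*.restricted.{{ domain_librarian }}` SAN to match the `ServerAlias`, and per the description Let's Encrypt will not issue that without the DNS-01 challenge. How that certificate is provisioned on the restricted frontend is not covered by this MP, so a follow-up or a note in the charm documentation would help whoever deploys it. The `Header set Cache-Control "max-age=604800"` on `<Location />` is carried over unchanged, so there is no behaviour change for restricted downloads.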
