[arvados] updated: 2.6.0-383-gb48f7d783
git repository hosting
git at public.arvados.org
Thu Aug 3 14:31:30 UTC 2023
Summary of changes:
.../pillars/nginx_workbench2_configuration.sls | 39 +++----
.../pillars/nginx_workbench_configuration.sls | 120 +++++++++++++--------
2 files changed, 90 insertions(+), 69 deletions(-)
via b48f7d783d1d865a259282f3177cbd7e17731254 (commit)
from cf74bf7dcd2c0c34ec025cf28640c6bc62a1250b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit b48f7d783d1d865a259282f3177cbd7e17731254
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Thu Aug 3 10:31:05 2023 -0400
20688: Update single host/multiple hostname template
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls
index 50c960cbc..081be151e 100644
--- a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls
@@ -1,18 +1,14 @@
---
# Copyright (C) The Arvados Authors. All rights reserved.
#
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: AGPL-3.0
-{%- if grains.os_family in ('RedHat',) %}
- {%- set group = 'nginx' %}
-{%- else %}
- {%- set group = 'www-data' %}
-{%- endif %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
### ARVADOS
arvados:
config:
- group: {{ group }}
+ group: www-data
### NGINX
nginx:
@@ -25,11 +21,9 @@ nginx:
overwrite: true
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- 80
- - location /.well-known:
- - root: /var/www
- location /:
- return: '301 https://$host$request_uri'
@@ -37,22 +31,21 @@ nginx:
enabled: true
overwrite: true
requires:
- file: extra_custom_certs_file_copy_arvados-workbench2.pem
+ __CERT_REQUIRES__
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- - index: index.html index.htm
+
- location /:
- - root: /var/www/arvados-workbench2/workbench2
- - try_files: '$uri $uri/ /index.html'
- - 'if (-f $document_root/maintenance.html)':
- - return: 503
- - location /config.json:
- - return: {{ "200 '" ~ '{"API_HOST":"__CLUSTER__.__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
+ - return: '301 https://workbench.__DOMAIN__$request_uri'
+
- include: snippets/ssl_hardening_default.conf
- - ssl_certificate: /etc/nginx/ssl/arvados-workbench2.pem
- - ssl_certificate_key: /etc/nginx/ssl/arvados-workbench2.key
- - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
+ - ssl_certificate: __CERT_PEM__
+ - ssl_certificate_key: __CERT_KEY__
+ {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
+ {%- endif %}
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
index 90248fcb2..87ed7c450 100644
--- a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
@@ -3,28 +3,15 @@
#
# SPDX-License-Identifier: AGPL-3.0
-{%- if grains.os_family in ('RedHat',) %}
- {%- set group = 'nginx' %}
-{%- else %}
- {%- set group = 'www-data' %}
-{%- endif %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
### ARVADOS
arvados:
config:
- group: {{ group }}
+ group: www-data
### NGINX
nginx:
- ### SERVER
- server:
- config:
-
- ### STREAMS
- http:
- upstream workbench_upstream:
- - server: 'workbench.internal:9000 fail_timeout=10s'
-
### SITES
servers:
managed:
@@ -34,11 +21,9 @@ nginx:
overwrite: true
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- 80
- - location /.well-known:
- - root: /var/www
- location /:
- return: '301 https://$host$request_uri'
@@ -46,38 +31,81 @@ nginx:
enabled: true
overwrite: true
requires:
- file: extra_custom_certs_file_copy_arvados-workbench.pem
+ __CERT_REQUIRES__
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
+
+ # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
+
+ # Paths that are not redirected because wb1 and wb2 have similar enough paths
+ # that a redirect is pointless and would create a redirect loop.
+ # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
+ # rewrite ^/repositories.* /repositories redirect;
+ # rewrite ^/links.* /links redirect;
+ # rewrite ^/projects.* /projects redirect;
+ # rewrite ^/trash /trash redirect;
+
+ # Redirects that include a uuid
+ - rewrite: '^/work_units/(.*) /processes/$1 redirect'
+ - rewrite: '^/container_requests/(.*) /processes/$1 redirect'
+ - rewrite: '^/users/(.*) /user/$1 redirect'
+ - rewrite: '^/groups/(.*) /group/$1 redirect'
+
+ # Special file download redirects
+ - 'if ($arg_disposition = attachment)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect'
+
+ - 'if ($arg_disposition = inline)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect'
+
+ # Redirects that go to a roughly equivalent page
+ - rewrite: '^/virtual_machines.* /virtual-machines-admin redirect'
+ - rewrite: '^/users/.*/virtual_machines /virtual-machines-user redirect'
+ - rewrite: '^/authorized_keys.* /ssh-keys-admin redirect'
+ - rewrite: '^/users/.*/ssh_keys /ssh-keys-user redirect'
+ - rewrite: '^/containers.* /all_processes redirect'
+ - rewrite: '^/container_requests /all_processes redirect'
+ - rewrite: '^/job.* /all_processes redirect'
+ - rewrite: '^/users/link_account /link_account redirect'
+ - rewrite: '^/search.* /search-results redirect'
+ - rewrite: '^/keep_services.* /keep-services redirect'
+ - rewrite: '^/trash_items.* /trash redirect'
+
+ # Redirects that don't have a good mapping and
+ # just go to root.
+ - rewrite: '^/themes.* / redirect'
+ - rewrite: '^/keep_disks.* / redirect'
+ - rewrite: '^/user_agreements.* / redirect'
+ - rewrite: '^/nodes.* / redirect'
+ - rewrite: '^/humans.* / redirect'
+ - rewrite: '^/traits.* / redirect'
+ - rewrite: '^/sessions.* / redirect'
+ - rewrite: '^/logout.* / redirect'
+ - rewrite: '^/logged_out.* / redirect'
+ - rewrite: '^/current_token / redirect'
+ - rewrite: '^/logs.* / redirect'
+ - rewrite: '^/factory_jobs.* / redirect'
+ - rewrite: '^/uploaded_datasets.* / redirect'
+ - rewrite: '^/specimens.* / redirect'
+ - rewrite: '^/pipeline_templates.* / redirect'
+ - rewrite: '^/pipeline_instances.* / redirect'
+
- location /:
- - proxy_pass: 'http://workbench_upstream'
- - proxy_read_timeout: 300
- - proxy_connect_timeout: 90
- - proxy_redirect: 'off'
- - proxy_set_header: X-Forwarded-Proto https
- - proxy_set_header: 'Host $http_host'
- - proxy_set_header: 'X-Real-IP $remote_addr'
- - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
+ - root: /var/www/arvados-workbench2/workbench2
+ - try_files: '$uri $uri/ /index.html'
+ - 'if (-f $document_root/maintenance.html)':
+ - return: 503
+ - location /config.json:
+ - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
- include: snippets/ssl_hardening_default.conf
- - ssl_certificate: /etc/nginx/ssl/arvados-workbench.pem
- - ssl_certificate_key: /etc/nginx/ssl/arvados-workbench.key
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
-
- arvados_workbench_upstream.conf:
- enabled: true
- overwrite: true
- config:
- - server:
- - listen: 'workbench.internal:9000'
- - server_name: workbench
- - root: /var/www/arvados-workbench/current/public
- - index: index.html index.htm
- - passenger_enabled: 'on'
- # yamllint disable-line rule:line-length
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.error.log
+ - ssl_certificate: __CERT_PEM__
+ - ssl_certificate_key: __CERT_KEY__
+ {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
+ {%- endif %}
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list