[arvados] updated: 2.6.0-351-g89da894c2

git repository hosting git at public.arvados.org
Thu Jul 27 21:27:00 UTC 2023


Summary of changes:
 .../multi_host/aws/pillars/nginx_balancer_configuration.sls       | 5 +++++
 .../multi_host/aws/pillars/nginx_controller_configuration.sls     | 5 +++++
 tools/salt-install/installer.sh                                   | 8 ++++----
 tools/salt-install/local.params.example.multiple_hosts            | 1 +
 tools/salt-install/provision.sh                                   | 4 ++++
 5 files changed, 19 insertions(+), 4 deletions(-)

       via  89da894c27064b96186de343d421e6422ff1c7d6 (commit)
       via  f2511051643bbbdbfcfe26c4d9b009903dc8f5de (commit)
       via  dc15f94ae63b217a09ee0a8b8f4e024d134fcbdd (commit)
      from  3664b849b6f4f12a11f7ea9509b28c0a9a74fac1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 89da894c27064b96186de343d421e6422ff1c7d6
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Thu Jul 27 18:17:09 2023 -0300

    20610: Fixes deployment order to avoid failures.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index cfa7b1454..3c583a0e6 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -307,8 +307,8 @@ case "$subcmd" in
 
 	    for NODE in "${!NODES[@]}"
 	    do
-		# then 'api' or 'controller' roles
-		if [[ "${NODES[$NODE]}" =~ (api|controller) ]] ; then
+		# then 'balancer' role
+		if [[ "${NODES[$NODE]}" =~ (balancer) ]] ; then
 		    deploynode $NODE "${NODES[$NODE]}"
 		    unset NODES[$NODE]
 		fi
@@ -316,8 +316,8 @@ case "$subcmd" in
 
 	    for NODE in "${!NODES[@]}"
 	    do
-		# then 'balancer' role
-		if [[ "${NODES[$NODE]}" =~ (balancer) ]] ; then
+		# then 'api' or 'controller' roles
+		if [[ "${NODES[$NODE]}" =~ (api|controller) ]] ; then
 		    deploynode $NODE "${NODES[$NODE]}"
 		    unset NODES[$NODE]
 		fi

commit f2511051643bbbdbfcfe26c4d9b009903dc8f5de
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Thu Jul 27 16:32:36 2023 -0300

    20610: Allows disabling backend controllers for rolling updates.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_balancer_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_balancer_configuration.sls
index 92ad3af2e..73ae9ca30 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_balancer_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_balancer_configuration.sls
@@ -6,6 +6,7 @@
 {%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 {%- set domain = "__DOMAIN__" %}
 {%- set balancer_backends = "__CONTROLLER_NODES__".split(",") %}
+{%- set disabled_controller = "__DISABLED_CONTROLLER__" %}
 
 ### NGINX
 nginx:
@@ -20,7 +21,11 @@ nginx:
           '__CLUSTER_INT_CIDR__': 0
         upstream controller_upstream:
         {%- for backend in balancer_backends %}
+          {%- if disabled_controller == "" or not backend.startswith(disabled_controller) %}
           'server {{ backend }}:80': ''
+          {%- else %}
+          'server {{ backend }}:80 down': ''
+          {% endif %}
         {%- endfor %}
 
   ### SNIPPETS
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 4234a965d..b70ad747a 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -165,6 +165,7 @@ SHELL_INT_IP=10.1.2.17
 
 # Load balancing settings
 ENABLE_BALANCER="no"
+DISABLED_CONTROLLER=""
 
 # Performance tuning parameters
 #CONTROLLER_NGINX_WORKERS=
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 610134cf3..09edaa05f 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -466,6 +466,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g;
        s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
        s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
+       s#__DISABLED_CONTROLLER__#${DISABLED_CONTROLLER}#g;
        s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
        s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
        s#__CONTROLLER_NODES__#${ROLES['controller']}#g;
@@ -559,6 +560,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g;
          s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
          s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
+         s#__DISABLED_CONTROLLER__#${DISABLED_CONTROLLER}#g;
          s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
          s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
          s#__CONTROLLER_NODES__#${ROLES['controller']}#g;

commit dc15f94ae63b217a09ee0a8b8f4e024d134fcbdd
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Thu Jul 27 15:39:56 2023 -0300

    20610: Restricts backends' HTTP access by nginx rules.
    
    I think this is better than implementing those controls through security
    groups via Terraform, because the node's role information is already available
    on the salt code.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index d87f55f4e..5bd67a6ce 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -36,8 +36,13 @@ nginx:
             - location /.well-known:
               - root: /var/www
             {%- if balanced_controller %}
+            {%- set balancer_ip = salt['cmd.run']("getent hosts __BALANCER_NODENAME__ | awk '{print $1 ; exit}'", python_shell=True) %}
+            {%- set prometheus_ip = salt['cmd.run']("getent hosts __PROMETHEUS_NODENAME__ | awk '{print $1 ; exit}'", python_shell=True) %}
             - index: index.html index.htm
             - location /:
+              - allow: {{ balancer_ip }}
+              - allow: {{ prometheus_ip }}
+              - deny: all
               - proxy_pass: 'http://controller_upstream'
               - proxy_read_timeout: 300
               - proxy_connect_timeout: 90
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 78bd976e6..610134cf3 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -467,6 +467,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
        s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
        s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
+       s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
        s#__CONTROLLER_NODES__#${ROLES['controller']}#g;
        s#__NODELIST__#${NODELIST}#g;
        s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;
@@ -559,6 +560,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
          s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
          s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
+         s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
          s#__CONTROLLER_NODES__#${ROLES['controller']}#g;
          s#__NODELIST__#${NODELIST}#g;
          s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list