From 59ab291ac66cac6e403ac4c45ecce26a497afbf1 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Mon, 30 Oct 2023 14:31:13 +1100 Subject: [PATCH 01/20] nginx-cors Signed-off-by: Deepak Devadathan --- ansible/provision_nginx_cors.yml | 7 +++ ansible/roles/nginx-cors/handlers/main.yaml | 5 ++ ansible/roles/nginx-cors/tasks/main.yaml | 24 ++++++++ .../roles/nginx-cors/templates/nginx.conf.j2 | 60 +++++++++++++++++++ .../roles/nginx-cors/templates/ssl_cert.j2 | 1 + .../nginx-cors/templates/ssl_cert_key.j2 | 1 + pipelines/provision/nginx-cors/Jenkinsfile | 51 ++++++++++++++++ 7 files changed, 149 insertions(+) create mode 100644 ansible/provision_nginx_cors.yml create mode 100644 ansible/roles/nginx-cors/handlers/main.yaml create mode 100644 ansible/roles/nginx-cors/tasks/main.yaml create mode 100644 ansible/roles/nginx-cors/templates/nginx.conf.j2 create mode 100644 ansible/roles/nginx-cors/templates/ssl_cert.j2 create mode 100644 ansible/roles/nginx-cors/templates/ssl_cert_key.j2 create mode 100644 pipelines/provision/nginx-cors/Jenkinsfile diff --git a/ansible/provision_nginx_cors.yml b/ansible/provision_nginx_cors.yml new file mode 100644 index 0000000000..3341a137d5 --- /dev/null +++ b/ansible/provision_nginx_cors.yml @@ -0,0 +1,7 @@ +--- +- hosts: kp + become: true + vars_files: + - ['{{inventory_dir}}/secrets.yml', 'secrets/{{env}}.yml'] + roles: + - nginx-cors diff --git a/ansible/roles/nginx-cors/handlers/main.yaml b/ansible/roles/nginx-cors/handlers/main.yaml new file mode 100644 index 0000000000..72d2e28067 --- /dev/null +++ b/ansible/roles/nginx-cors/handlers/main.yaml @@ -0,0 +1,5 @@ +--- +- name: Restart Nginx + service: + name: nginx + state: restarted diff --git a/ansible/roles/nginx-cors/tasks/main.yaml b/ansible/roles/nginx-cors/tasks/main.yaml new file mode 100644 index 0000000000..636b6a4abe --- /dev/null +++ b/ansible/roles/nginx-cors/tasks/main.yaml 
@@ -0,0 +1,24 @@ +--- +- name: Install Nginx + apt: + name: nginx + state: present + notify: Restart Nginx + +- name: Copy ssl cert file + template: + src: ssl_cert.j2 + dest: /etc/nginx/ssl_cert.pem + notify: Restart Nginx + +- name: Copy ssl cert key file + template: + src: ssl_cert_key.j2 + dest: /etc/nginx/ssl_cert_key.pem + notify: Restart Nginx + +- name: Copy Nginx configuration file + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + notify: Restart Nginx diff --git a/ansible/roles/nginx-cors/templates/nginx.conf.j2 b/ansible/roles/nginx-cors/templates/nginx.conf.j2 new file mode 100644 index 0000000000..b25b6f834d --- /dev/null +++ b/ansible/roles/nginx-cors/templates/nginx.conf.j2 
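Review bot: The 'Copy ssl cert key file' task writes the TLS private key with `template` and no `mode`, so `/etc/nginx/ssl_cert_key.pem` is created with the umask default (normally 0644) and is readable by every local account on the host. Add `mode: '0600'` and `owner: root` to that task, and `no_log: true` so the rendered key is not echoed in diff or verbose output; the certificate task can keep the default. The role is deleted again in 15/20, but the same pattern should not be carried into whatever replaces it.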
@@ -0,0 +1,60 @@ + +server { + + resolver 127.0.0.53; + root /var/www/html; + + server_name files.{{domain_name}}; # managed by Certbot + client_max_body_size 0; + + location / { + # handle cors and allow all + if ($request_method = OPTIONS ) { + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD"; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type"; + add_header Access-Control-Allow-Credentials "true"; + add_header Content-Length 0; + add_header Content-Type text/plain; + return 204; + } + + proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}"; + # remove any CORS header from backend OSS S3 + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Methods; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Credentials; + + # inject our own CORS header to allow what we wanted + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; + # + add_header Referer ""; 
+ # if get request, trim the query string + if ($request_method = GET ) { + proxy_pass {{cloud_storage_url}}$uri; + } + # pass everything to backend OSS S3 + proxy_pass {{cloud_storage_url}}; + } + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /etc/nginx/ssl_cert.pem; + ssl_certificate_key /etc/nginx/ssl_cert_key.pem; + +} + +server { + if ($host = files.{{domain_name}}) { + return 301 https://$host$request_uri; + } # managed by Certbot + listen 80 ; + listen [::]:80 ; + server_name files.{{domain_name}}; + return 404; # managed by Certbot +} \ No newline at end of file diff --git a/ansible/roles/nginx-cors/templates/ssl_cert.j2 b/ansible/roles/nginx-cors/templates/ssl_cert.j2 new file mode 100644 index 0000000000..8bf149cd2c --- /dev/null +++ b/ansible/roles/nginx-cors/templates/ssl_cert.j2 @@ -0,0 +1 @@ +"{{ core_vault_proxy_site_crt }}" \ No newline at end of file diff --git a/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 b/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 new file mode 100644 index 0000000000..0304b123e1 --- /dev/null +++ b/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 @@ -0,0 +1 @@ +"{{ core_vault_proxy_site_key }}" \ No newline at end of file diff --git a/pipelines/provision/nginx-cors/Jenkinsfile b/pipelines/provision/nginx-cors/Jenkinsfile new file mode 100644 index 0000000000..ea2b9203e1 --- /dev/null +++ b/pipelines/provision/nginx-cors/Jenkinsfile 
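Review bot: `Access-Control-Allow-Origin *` is combined with `Access-Control-Allow-Credentials "true"` both in the `$request_method = OPTIONS` branch and in the `always` header set of `location /`; the Fetch CORS check rejects a credentialed response whose allow-origin is the literal `*`, so the credentials flag is dead today and turns into a cross-site credential exposure the moment someone swaps the wildcard for a reflected `$http_origin`. Either drop the two `Access-Control-Allow-Credentials` lines, or validate the origin against an allow-list with a `map` and reflect only that value. `add_header Referer "";` sets a response header and has no effect on what the backend receives; if the intent is to strip the client's Referer from the upstream request it should be `proxy_set_header Referer "";`. The same block is copied verbatim into the `proxyconfig` value of values.j2 in 05/20 and needs the same changes.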
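Review bot: `"{{ core_vault_proxy_site_crt }}"` renders the surrounding double quotes into the output literally, so `/etc/nginx/ssl_cert.pem` begins with `"-----BEGIN` and OpenSSL's PEM reader, which expects `-----BEGIN` at the start of a line, will not load it; ssl_cert_key.j2 has the identical problem. Use `{{ core_vault_proxy_site_crt }}` with no quotes, and end the template with a newline so the PEM file does not carry the 'No newline at end of file' shown in the hunk.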
@@ -0,0 +1,51 @@ +@Library('deploy-conf') _ +node() { + try { + String ANSI_GREEN = "\u001B[32m" + String ANSI_NORMAL = "\u001B[0m" + String ANSI_BOLD = "\u001B[1m" + String ANSI_RED = "\u001B[31m" + String ANSI_YELLOW = "\u001B[33m" + + stage('checkout public repo') { + folder = new File("$WORKSPACE/.git") + if (folder.exists()) + { + println "Found .git folder. Clearing it.." + sh'git clean -fxd' + } + checkout scm + } + + ansiColor('xterm') { + stage('deploy'){ + values = [:] + currentWs = sh(returnStdout: true, script: 'pwd').trim() + envDir = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-3].trim() + module = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-2].trim() + jobName = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-1].trim() + ansiblePlaybook = "${currentWs}/ansible/provision_nginx_cors.yml" + ansibleExtraArgs = "--vault-password-file /var/lib/jenkins/secrets/vault-pass" + values.put('currentWs', currentWs) + values.put('env', envDir) + values.put('module', module) + values.put('jobName', jobName) + values.put('ansiblePlaybook', ansiblePlaybook) + values.put('ansibleExtraArgs', ansibleExtraArgs) + println values + ansible_playbook_run(values) + currentBuild.result = 'SUCCESS' + currentBuild.description = "Private: ${params.private_branch}, Public: ${params.branch_or_tag}" + } + } + summary() + } + catch (err) { + currentBuild.result = 'FAILURE' + throw err + } + finally { + slack_notify(currentBuild.result) + email_notify() + } +} From 2bdd27d5ff914d6915f47b4a46a2b9c7510d2d5a Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Mon, 30 Oct 2023 14:38:43 +1100 Subject: [PATCH 02/20] hostname changed Signed-off-by: Deepak Devadathan --- ansible/provision_nginx_cors.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/provision_nginx_cors.yml b/ansible/provision_nginx_cors.yml index 3341a137d5..de45dc904a 100644 --- a/ansible/provision_nginx_cors.yml 
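Review bot: `folder = new File("$WORKSPACE/.git")` in stage 'checkout public repo' checks the wrong machine: `java.io.File` executes on the controller JVM rather than on the agent that holds the workspace, so `folder.exists()` is false there and the `git clean -fxd` branch is effectively dead; use the pipeline step `if (fileExists('.git')) {` instead. The three `sh(returnStdout: true, script: "echo $JOB_NAME")` calls interpolate a Groovy value into a shell command only to read it back; `def parts = env.JOB_NAME.split('/')` yields `envDir`, `module` and `jobName` without spawning a shell. `folder`, `values`, `currentWs` and the other stage locals are assigned without `def`, so they land in the script binding as globals — declare them locally. The five `ANSI_*` strings are unused and can go.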
+++ b/ansible/provision_nginx_cors.yml @@ -1,5 +1,5 @@ --- -- hosts: kp +- hosts: lp-redis become: true vars_files: - ['{{inventory_dir}}/secrets.yml', 'secrets/{{env}}.yml'] From a744fee090be680c9b59c3076853bf306a5bde90 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Mon, 30 Oct 2023 14:52:48 +1100 Subject: [PATCH 03/20] test Signed-off-by: Deepak Devadathan --- ansible/roles/nginx-cors/templates/nginx.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/roles/nginx-cors/templates/nginx.conf.j2 b/ansible/roles/nginx-cors/templates/nginx.conf.j2 index b25b6f834d..fffb70b803 100644 --- a/ansible/roles/nginx-cors/templates/nginx.conf.j2 +++ b/ansible/roles/nginx-cors/templates/nginx.conf.j2 @@ -1,4 +1,3 @@ - server { resolver 127.0.0.53; From 78ecf40fa01190b85c8fd62d95bc3cf746f6edbf Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Mon, 30 Oct 2023 15:10:53 +1100 Subject: [PATCH 04/20] test Signed-off-by: Deepak Devadathan --- ansible/roles/nginx-cors/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nginx-cors/tasks/main.yaml b/ansible/roles/nginx-cors/tasks/main.yaml index 636b6a4abe..2c78dd25ec 100644 --- a/ansible/roles/nginx-cors/tasks/main.yaml +++ b/ansible/roles/nginx-cors/tasks/main.yaml @@ -20,5 +20,5 @@ - name: Copy Nginx configuration file template: src: nginx.conf.j2 - dest: /etc/nginx/nginx.conf + dest: /etc/nginx/conf.d/nginx-cors.conf notify: Restart Nginx From 609d980948a1d22ad9487e369690b21301aed85a Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 09:57:49 +1100 Subject: [PATCH 05/20] added nginx-cors-public chart 
Signed-off-by: Deepak Devadathan --- .../core/nginx-cors-public/.helmignore | 22 ++ .../core/nginx-cors-public/Chart.yaml | 21 ++ .../nginx-cors-public/templates/_helpers.tpl | 63 ++++++ .../templates/configMap.yaml | 20 ++ .../templates/deployment.yaml | 85 ++++++++ .../core/nginx-cors-public/values.j2 | 205 ++++++++++++++++++ 6 files changed, 416 insertions(+) create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/.helmignore create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml create mode 100644 kubernetes/helm_charts/core/nginx-cors-public/values.j2 diff --git a/kubernetes/helm_charts/core/nginx-cors-public/.helmignore b/kubernetes/helm_charts/core/nginx-cors-public/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml b/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml new file mode 100644 index 0000000000..429f940d82 --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v2 +name: nginx-cors-public +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. +appVersion: 1.16.0 diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl b/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl new file mode 100644 index 0000000000..0af5bc238a --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-public-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-public-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-public-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "nginx-public-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-public-ingress.chart" . }} +{{ include "nginx-public-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "nginx-public-ingress.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nginx-public-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "nginx-public-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "nginx-public-ingress.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml new file mode 100644 index 0000000000..ba70de2a1c --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: proxy-cors-default + namespace: {{ .Values.namespace }} +data: + proxy-default.conf: | +{{ .Values.proxyconfig | indent 4 }} + compression.conf: | +{{ .Values.compressionConfig | indent 4 }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-cors-conf + namespace: {{ .Values.namespace }} +data: + nginx.conf: | +{{ .Values.nginxconfig | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml new file mode 100644 index 0000000000..b06ab60cff --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml 
@@ -0,0 +1,85 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-cors-public + namespace: {{ .Values.namespace }} + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: nginx-cors-public + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + template: + metadata: + annotations: + nginxRolloutID: {{ randAlphaNum 5 | quote }} # Restart nginx after every deployment + fluentbit.io/parser: nginx2 + labels: + app: nginx-cors-public + spec: + # Running nginx with custom config +{{- if .Values.imagepullsecrets }} + imagePullSecrets: + - name: {{ .Values.imagepullsecrets }} +{{- end }} + volumes: + - name: tls + secret: + secretName: ingress-cert + - name: proxy-config + configMap: + name: proxy-cors-default + - name: nginx-config + configMap: + name: nginx-cors-conf +{{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 8 }} +{{- end }} + containers: + - name: nginx-public + image: "{{ .Values.dockerhub }}/{{ .Values.repository }}:{{ .Values.image_tag }}" + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + - name: tls + mountPath: /etc/secrets + readOnly: true + - name: proxy-config + mountPath: /etc/nginx/defaults.d + - name: nginx-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +{{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 10 }} +{{- end }} + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-cors-public + namespace: {{ .Values.namespace }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + externalTrafficPolicy: Local + selector: + app: nginx-cors-public + type: {{ .Values.service.type }} +{{- if and .Values.service.nginx_public_ingress_ip (ne .Values.service.type "NodePort") }} + loadBalancerIP: {{ 
.Values.service.nginx_public_ingress_ip }} +{{- end }} + ports: +{{ toYaml .Values.service.ports | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 new file mode 100644 index 0000000000..65afc1b05a --- /dev/null +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 
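Review bot: The `nginx-public` container defines no readinessProbe or livenessProbe; because the `nginxRolloutID` annotation forces a rollout on every `helm upgrade` and the Service uses `externalTrafficPolicy: Local`, each deploy routes LoadBalancer traffic to a new pod before nginx is accepting connections, and a pod whose nginx process dies stays in the endpoints until the container itself exits. A TCP probe on the named `http` port works for both the `http` and `https` variants of proxyconfig, since both listen on 80. The pod also sets no `securityContext`; what the image needs in order to bind 80/443 is not visible here, so at least state the intended user in a comment.
```yaml
      containers:
      - name: nginx-public
        # … unchanged: image, resources, volumeMounts, ports …
        readinessProbe:
          tcpSocket:
            port: http
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: http
          initialDelaySeconds: 15
          periodSeconds: 20
```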
@@ -0,0 +1,205 @@ +#jinja2:lstrip_blocks: True + +namespace: {{ namespace }} +merge_domain_status: {{ merge_domain_status | lower }} +service: + annotations: {{nginx_public_ingress_service_annotations | d('') | to_json}} + type: {{ nginx_public_ingress_type | default('LoadBalancer') }} + {% if nginx_public_ingress_ip is defined %} + nginx_public_ingress_ip: {{ nginx_public_ingress_ip }} + {% endif %} + ports: + - port: 80 + name: http + targetPort: 80 + nodePort: 31385 + - port: 443 + name: https + targetPort: 443 + nodePort: 31395 + +{% if nginx_volumes is defined and nginx_volumes %} +volumes: {{ nginx_volumes.volumes | to_json }} +volumeMounts: {{ nginx_volumes.volumeMounts | to_json }} +{% endif %} + +imagepullsecrets: {{ imagepullsecrets }} +dockerhub: {{ dockerhub }} + +resources: + requests: + cpu: {{proxy_cpu_req|default('100m')}} + memory: {{proxy_mem_req|default('100Mi')}} + limits: + cpu: {{proxy_cpu_limit|default('1')}} + memory: {{proxy_mem_limit|default('1024Mi')}} + +repository: {{proxy_repository|default('proxy')}} +image_tag: {{ image_tag }} +replicaCount: {{nginx_cors_public_replicacount|default(1)}} + +proxyconfig: |- + {% if proto=='https' %} + server { + if ($host = files.{{domain_name}}) { + return 301 https://$host$request_uri; + } + listen 80 ; + listen [::]:80 ; + server_name files.{{domain_name}}; + return 404; + } + {% endif %} + server { + {% if proto=='http' %} + listen 80; + listen [::]:80; + {% else %} + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /etc/secrets/site.crt; + ssl_certificate_key /etc/secrets/site.key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + {% endif %} + server_name files.{{domain_name}}; + client_max_body_size 0; + resolver 127.0.0.53; + root /var/www/html; + resolver {{ kube_dns_ip }} 
valid=30s; + + location / { + # handle cors and allow all + if ($request_method = OPTIONS ) { + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD"; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type"; + add_header Access-Control-Allow-Credentials "true"; + add_header Content-Length 0; + add_header Content-Type text/plain; + return 204; + } + + proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}"; + # remove any CORS header from backend OSS S3 + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Methods; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Credentials; + + # inject our own CORS header to allow what we wanted + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; + # + add_header Referer ""; + # if get request, trim the query string + if ($request_method = GET ) { + proxy_pass {{cloud_storage_url}}$uri; + } + # pass everything to backend 
OSS S3 + proxy_pass {{cloud_storage_url}}; + } + +nginxconfig: | + user nginx; + worker_processes {{nginx_worker_processes | d("auto")}}; + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + events { + worker_connections 10000; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + resolver {{ kube_dns_ip }} valid=30s; + lua_load_resty_core off; + log_format main '{{ nginx_client_public_ip_header | d('$remote_addr') }} - $remote_user [$time_local] ' + '"$request" $status $request_length $body_bytes_sent' + ' $request_time $upstream_response_time $pipe' + ' "$http_referer" "$http_user_agent" "$sb_request_id"' + ' "$http_x_device_id" "$http_x_channel_id" "$http_x_app_id"' + ' "$http_x_app_ver" "$http_x_session_id" {{nginx_additional_log_fields | default("")}}'; + access_log /var/log/nginx/access.log main; + # Shared dictionary to store metrics + lua_shared_dict prometheus_metrics 100M; + lua_package_path "/etc/nginx/lua_modules/?.lua"; + # Defining request_id + # If the client send request_id it should be preffered over the default one + map $http_x_request_id $sb_request_id { + default $http_x_request_id; + '' $request_id; + } + # Defining upstream cache status for nginx metrics + map $upstream_cache_status $cache_status { + default $upstream_cache_status; + '' "NONE"; + } + map $http_accept $dial_upstream_host { + default player; + application/ld+json kong; + } + # Defining metrics + init_worker_by_lua_block { + prometheus = require("prometheus").init("prometheus_metrics") + metric_requests = prometheus:counter( + "nginx_http_requests_total", "Number of HTTP requests", {"host", "status", "request_method", "cache_status"}) + metric_latency = prometheus:histogram( + "nginx_http_request_duration_seconds", "HTTP request latency", {"host"}) + metric_connections = prometheus:gauge( + "nginx_http_connections", "Number of HTTP connections", {"state"}) + } + log_by_lua_block { + metric_requests:inc(1, {ngx.var.server_name, 
ngx.var.status, ngx.var.request_method, ngx.var.cache_status }) + metric_latency:observe(tonumber(ngx.var.request_time), {ngx.var.server_name}) + } + header_filter_by_lua_block { + ngx.header["server"] = nil + } + sendfile on; + #tcp_nopush on; + client_max_body_size 60M; + keepalive_timeout 65s; + keepalive_requests 200; + # Nginx connection limit per ip + limit_conn_zone $binary_remote_addr zone=limitbyaddr:10m; + limit_conn_status 429; + include /etc/nginx/defaults.d/*.conf; + include /etc/nginx/conf.d/*.conf; + + } + + +compressionConfig: |- + # Compression + gzip on; + gzip_comp_level 5; + gzip_min_length 256; # 256Bytes + gzip_proxied any; + gzip_vary on; + # Content types for compression + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + ; + + From f6bae51a515090112a3a839f88b8157839e01a8f Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 10:00:34 +1100 Subject: [PATCH 06/20] test Signed-off-by: Deepak Devadathan --- .../core/nginx-cors-public/templates/deployment.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml index b06ab60cff..56630dfdad 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml @@ -11,10 +11,6 @@ spec: selector: matchLabels: app: nginx-cors-public - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 25% template: metadata: annotations: 
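Review bot: `client_max_body_size 0;` in the proxyconfig `server` block lifts the `client_max_body_size 60M;` set at `http` level in nginxconfig, so this public endpoint forwards unbounded PUT/POST/PATCH bodies to `{{cloud_storage_url}}`; if unlimited uploads are intended, say so in a comment next to it, otherwise set an explicit ceiling. The GET branch `proxy_pass {{cloud_storage_url}}$uri;` forwards `$uri`, which is the normalized and percent-decoded path, and a proxy_pass that contains variables sends it without re-encoding, so object keys with encoded characters reach the backend altered (the same line is in the 01/20 nginx.conf.j2 template). Clearing the query string with `set $args "";` followed by a plain `proxy_pass {{cloud_storage_url}};` presumably keeps the original escaping — verify against the storage backend before switching. `limit_conn_zone $binary_remote_addr zone=limitbyaddr:10m;` is declared in nginxconfig but nothing in this file applies it with `limit_conn limitbyaddr N;`, so the configured 429 is never produced unless a conf.d include uses the zone.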
From f1e31ec6ae85df0b9055fb84b8dab675f026c168 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 12:57:28 +1100 Subject: [PATCH 07/20] corrected proxy conf Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 65afc1b05a..48fa4c6149 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -102,7 +102,7 @@ proxyconfig: |- # pass everything to backend OSS S3 proxy_pass {{cloud_storage_url}}; } - + } nginxconfig: | user nginx; worker_processes {{nginx_worker_processes | d("auto")}}; From e6aef2663bb5e9aba0cdf40d36ac3b3e63d61364 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:04:58 +1100 Subject: [PATCH 08/20] corrected syntax Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 48fa4c6149..0a54042700 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 
@@ -95,14 +95,17 @@ proxyconfig: |- add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; # add_header Referer ""; + proxy_pass {{cloud_storage_url}}; + # if get request, trim the query string if ($request_method = GET ) { proxy_pass {{cloud_storage_url}}$uri; } - # pass everything to backend OSS S3 - proxy_pass {{cloud_storage_url}}; - } + + + } } + nginxconfig: | user nginx; worker_processes {{nginx_worker_processes | d("auto")}}; From 750347572ff75c16492e2ac31bf22a503dd51fd5 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:10:09 +1100 Subject: [PATCH 09/20] changed nodeport Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 0a54042700..df6815ccf2 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -12,11 +12,11 @@ service: - port: 80 name: http targetPort: 80 - nodePort: 31385 + nodePort: 31384 - port: 443 name: https targetPort: 443 - nodePort: 31395 + nodePort: 31394 {% if nginx_volumes is defined and nginx_volumes %} volumes: {{ nginx_volumes.volumes | to_json }} From 0fba1183ab26979a924e353c2145487c01375f0e Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:12:28 +1100 Subject: [PATCH 10/20] removed duplicate Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 1 - 1 file changed, 1 deletion(-) 
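Review bot: `nodePort: 31384` and `nodePort: 31394` are hard-coded, and this series changes them again in 11/20, 12/20 and 14/20, which reads like probing for a free port on one cluster; a value that differs per environment belongs in a variable with a default, e.g. `nodePort: {{ nginx_cors_public_http_nodeport | default(31385) }}`, so the chart source stays stable. With `service.type` defaulting to `LoadBalancer` the nodePort is still allocated, so a collision with another Service fails the install either way.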
diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index df6815ccf2..f192c1d02b 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -64,7 +64,6 @@ proxyconfig: |- {% endif %} server_name files.{{domain_name}}; client_max_body_size 0; - resolver 127.0.0.53; root /var/www/html; resolver {{ kube_dns_ip }} valid=30s; From fede97b3b7125787110aa135c31498a003ebc3c4 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:13:23 +1100 Subject: [PATCH 11/20] nodeport change Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index f192c1d02b..46f0f77fd6 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -12,11 +12,11 @@ service: - port: 80 name: http targetPort: 80 - nodePort: 31384 + nodePort: 31385 - port: 443 name: https targetPort: 443 - nodePort: 31394 + nodePort: 31395 {% if nginx_volumes is defined and nginx_volumes %} volumes: {{ nginx_volumes.volumes | to_json }} From 54565b7811227a8ebcc27034f7035668f50835b8 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:13:58 +1100 Subject: [PATCH 12/20] nodeport change Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 46f0f77fd6..141fa88519 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 
@@ -12,11 +12,11 @@ service: - port: 80 name: http targetPort: 80 - nodePort: 31385 + nodePort: 31383 - port: 443 name: https targetPort: 443 - nodePort: 31395 + nodePort: 31393 {% if nginx_volumes is defined and nginx_volumes %} volumes: {{ nginx_volumes.volumes | to_json }} From e3c39879d72cb8e06f2ae615881953e20b8469c8 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:19:11 +1100 Subject: [PATCH 13/20] changed public ip Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 141fa88519..94dfae8947 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -5,8 +5,8 @@ merge_domain_status: {{ merge_domain_status | lower }} service: annotations: {{nginx_public_ingress_service_annotations | d('') | to_json}} type: {{ nginx_public_ingress_type | default('LoadBalancer') }} - {% if nginx_public_ingress_ip is defined %} - nginx_public_ingress_ip: {{ nginx_public_ingress_ip }} + {% if nginx_cors_public_ip is defined %} + nginx_public_ingress_ip: {{ nginx_cors_public_ip }} {% endif %} ports: - port: 80 From ab4fec85a0e212cd078f70088b9e736fca253a27 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 13:20:09 +1100 Subject: [PATCH 14/20] test Signed-off-by: Deepak Devadathan --- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 94dfae8947..5cdf87c339 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 
@@ -12,11 +12,11 @@ service: - port: 80 name: http targetPort: 80 - nodePort: 31383 + nodePort: 31382 - port: 443 name: https targetPort: 443 - nodePort: 31393 + nodePort: 31392 {% if nginx_volumes is defined and nginx_volumes %} volumes: {{ nginx_volumes.volumes | to_json }} From e5942748d0b797fedd609f946425d83f6242458a Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 14:03:57 +1100 Subject: [PATCH 15/20] removed nginx-cors ansible roles Signed-off-by: Deepak Devadathan --- ansible/provision_nginx_cors.yml | 7 --- ansible/roles/nginx-cors/handlers/main.yaml | 5 -- ansible/roles/nginx-cors/tasks/main.yaml | 24 -------- .../roles/nginx-cors/templates/nginx.conf.j2 | 59 ------------------- .../roles/nginx-cors/templates/ssl_cert.j2 | 1 - .../nginx-cors/templates/ssl_cert_key.j2 | 1 - pipelines/provision/nginx-cors/Jenkinsfile | 51 ---------------- 7 files changed, 148 deletions(-) delete mode 100644 ansible/provision_nginx_cors.yml delete mode 100644 ansible/roles/nginx-cors/handlers/main.yaml delete mode 100644 ansible/roles/nginx-cors/tasks/main.yaml delete mode 100644 ansible/roles/nginx-cors/templates/nginx.conf.j2 delete mode 100644 ansible/roles/nginx-cors/templates/ssl_cert.j2 delete mode 100644 ansible/roles/nginx-cors/templates/ssl_cert_key.j2 delete mode 100644 pipelines/provision/nginx-cors/Jenkinsfile diff --git a/ansible/provision_nginx_cors.yml b/ansible/provision_nginx_cors.yml deleted file mode 100644 index de45dc904a..0000000000 --- a/ansible/provision_nginx_cors.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: lp-redis - become: true - vars_files: - - ['{{inventory_dir}}/secrets.yml', 'secrets/{{env}}.yml'] - roles: - - nginx-cors diff --git a/ansible/roles/nginx-cors/handlers/main.yaml b/ansible/roles/nginx-cors/handlers/main.yaml deleted file mode 100644 index 72d2e28067..0000000000 --- a/ansible/roles/nginx-cors/handlers/main.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -- name: Restart Nginx - service: - name: nginx - state: restarted diff --git a/ansible/roles/nginx-cors/tasks/main.yaml b/ansible/roles/nginx-cors/tasks/main.yaml deleted file mode 100644 index 2c78dd25ec..0000000000 --- a/ansible/roles/nginx-cors/tasks/main.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: Install Nginx - apt: - name: nginx - state: present - notify: Restart Nginx - -- name: Copy ssl cert file - template: - src: ssl_cert.j2 - dest: /etc/nginx/ssl_cert.pem - notify: Restart Nginx - -- name: Copy ssl cert key file - template: - src: ssl_cert_key.j2 - dest: /etc/nginx/ssl_cert_key.pem - notify: Restart Nginx - -- name: Copy Nginx configuration file - template: - src: nginx.conf.j2 - dest: /etc/nginx/conf.d/nginx-cors.conf - notify: Restart Nginx diff --git a/ansible/roles/nginx-cors/templates/nginx.conf.j2 b/ansible/roles/nginx-cors/templates/nginx.conf.j2 deleted file mode 100644 index fffb70b803..0000000000 --- a/ansible/roles/nginx-cors/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,59 +0,0 @@ -server { - - resolver 127.0.0.53; - root /var/www/html; - - server_name files.{{domain_name}}; # managed by Certbot - client_max_body_size 0; - - location / { - # handle cors and allow all - if ($request_method = OPTIONS ) { - add_header Access-Control-Allow-Origin *; - add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD"; - add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type"; - add_header Access-Control-Allow-Credentials "true"; - add_header Content-Length 0; - add_header Content-Type text/plain; - return 204; - } - - proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}"; - # remove any CORS header from backend OSS S3 - proxy_hide_header Access-Control-Allow-Origin; - proxy_hide_header Access-Control-Allow-Methods; - proxy_hide_header Access-Control-Allow-Headers; - proxy_hide_header Access-Control-Allow-Credentials; - - # inject our own CORS header to allow what we wanted - add_header Access-Control-Allow-Credentials "true" always; - add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always; - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always; - add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; - # - add_header Referer ""; - 
# if get request, trim the query string - if ($request_method = GET ) { - proxy_pass {{cloud_storage_url}}$uri; - } - # pass everything to backend OSS S3 - proxy_pass {{cloud_storage_url}}; - } - - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - ssl_certificate /etc/nginx/ssl_cert.pem; - ssl_certificate_key /etc/nginx/ssl_cert_key.pem; - -} - -server { - if ($host = files.{{domain_name}}) { - return 301 https://$host$request_uri; - } # managed by Certbot - listen 80 ; - listen [::]:80 ; - server_name files.{{domain_name}}; - return 404; # managed by Certbot -} \ No newline at end of file diff --git a/ansible/roles/nginx-cors/templates/ssl_cert.j2 b/ansible/roles/nginx-cors/templates/ssl_cert.j2 deleted file mode 100644 index 8bf149cd2c..0000000000 --- a/ansible/roles/nginx-cors/templates/ssl_cert.j2 +++ /dev/null @@ -1 +0,0 @@ -"{{ core_vault_proxy_site_crt }}" \ No newline at end of file diff --git a/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 b/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 deleted file mode 100644 index 0304b123e1..0000000000 --- a/ansible/roles/nginx-cors/templates/ssl_cert_key.j2 +++ /dev/null @@ -1 +0,0 @@ -"{{ core_vault_proxy_site_key }}" \ No newline at end of file diff --git a/pipelines/provision/nginx-cors/Jenkinsfile b/pipelines/provision/nginx-cors/Jenkinsfile deleted file mode 100644 index ea2b9203e1..0000000000 --- a/pipelines/provision/nginx-cors/Jenkinsfile +++ /dev/null 
@@ -1,51 +0,0 @@ -@Library('deploy-conf') _ -node() { - try { - String ANSI_GREEN = "\u001B[32m" - String ANSI_NORMAL = "\u001B[0m" - String ANSI_BOLD = "\u001B[1m" - String ANSI_RED = "\u001B[31m" - String ANSI_YELLOW = "\u001B[33m" - - stage('checkout public repo') { - folder = new File("$WORKSPACE/.git") - if (folder.exists()) - { - println "Found .git folder. Clearing it.." - sh'git clean -fxd' - } - checkout scm - } - - ansiColor('xterm') { - stage('deploy'){ - values = [:] - currentWs = sh(returnStdout: true, script: 'pwd').trim() - envDir = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-3].trim() - module = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-2].trim() - jobName = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-1].trim() - ansiblePlaybook = "${currentWs}/ansible/provision_nginx_cors.yml" - ansibleExtraArgs = "--vault-password-file /var/lib/jenkins/secrets/vault-pass" - values.put('currentWs', currentWs) - values.put('env', envDir) - values.put('module', module) - values.put('jobName', jobName) - values.put('ansiblePlaybook', ansiblePlaybook) - values.put('ansibleExtraArgs', ansibleExtraArgs) - println values - ansible_playbook_run(values) - currentBuild.result = 'SUCCESS' - currentBuild.description = "Private: ${params.private_branch}, Public: ${params.branch_or_tag}" - } - } - summary() - } - catch (err) { - currentBuild.result = 'FAILURE' - throw err - } - finally { - slack_notify(currentBuild.result) - email_notify() - } -} From ecdbe27805f32fa847d28cad4b50599cf93243eb Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 14:06:59 +1100 Subject: [PATCH 16/20] added jenkins job for nginx-cors-public deployment Signed-off-by: Deepak Devadathan --- .../jobs/nginx-cors-public/config.xml | 149 ++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml 
diff --git a/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml b/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml new file mode 100644 index 0000000000..fa3e603cd7 --- /dev/null +++ b/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml @@ -0,0 +1,149 @@ + + + + + hudson.model.ParametersDefinitionProperty + com.sonyericsson.rebuild.RebuildSettings + + + + + false + + + + -1 + 10 + -1 + 2 + + + + + false + false + + + + + absolute_job_path + <font color=dimgray size=2><b>Do not change this value! The metadata.json will be copied from this job.</b></font> + ArtifactUpload/dev/Core/Proxy + false + + + image_tag + <font color=red size=2><b>CAUTION: If the value is blank, image tag will be taken from the latest metadata.json.</b></font> + + false + + + private_branch + + choice-parameter-2544395024638227 + 1 + + true + + + + true + + + nginx-cors-public + Deploy/dev/Kubernetes/nginx-cors-public + + + ET_FORMATTED_HTML + true + + + branch_or_tag + + choice-parameter-2620434998790477 + 1 + + true + + + + true + + + nginx-cors-public + Deploy/dev/Kubernetes/nginx-cors-public + + + ET_FORMATTED_HTML + true + + + role_name + + + + helm-deploy + sunbird-deploy + + + + + + + 0 + 0 + + false + project + false + + + + + + + + + + 2 + + + https://github.com/project-sunbird/sunbird-devops.git + + + + + ${branch_or_tag} + + + false + + + + true + false + + 0 + false + + + + kubernetes/pipelines/deploy_core/Jenkinsfile + false + + + false + \ No newline at end of file From da5b01bfe04ff75765bd19163b27238e76bf9bef Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Tue, 31 Oct 2023 15:01:58 +1100 Subject: [PATCH 17/20] updated variable in values.j2 Signed-off-by: Deepak Devadathan --- .../core/nginx-cors-public/templates/deployment.yaml | 4 ++-- kubernetes/helm_charts/core/nginx-cors-public/values.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml index 56630dfdad..28a558bb17 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml +++ b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml @@ -74,8 +74,8 @@ spec: selector: app: nginx-cors-public type: {{ .Values.service.type }} -{{- if and .Values.service.nginx_public_ingress_ip (ne .Values.service.type "NodePort") }} - loadBalancerIP: {{ .Values.service.nginx_public_ingress_ip }} +{{- if and .Values.service.nginx_cors_public_ip (ne .Values.service.type "NodePort") }} + loadBalancerIP: {{ .Values.service.nginx_cors_public_ip }} {{- end }} ports: {{ toYaml .Values.service.ports | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 index 5cdf87c339..3168f506b4 100644 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 @@ -6,7 +6,7 @@ service: annotations: {{nginx_public_ingress_service_annotations | d('') | to_json}} type: {{ nginx_public_ingress_type | default('LoadBalancer') }} {% if nginx_cors_public_ip is defined %} - nginx_public_ingress_ip: {{ nginx_cors_public_ip }} + nginx_cors_public_ip: {{ nginx_cors_public_ip }} {% endif %} ports: - port: 80 From dd7bcb63001a2126b8c9475dad323e63e39dbcb4 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Wed, 1 Nov 2023 10:43:59 +1100 Subject: [PATCH 18/20] testing public ingress along with s3 cors Signed-off-by: Deepak Devadathan --- .../templates/configMap.yaml | 2 + .../core/nginx-public-ingress/values.j2 | 68 +++++++++++++++++++ 2 files changed, 70 insertions(+) 
diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml b/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml index 0f7f0dcc16..3992332ca6 100644 --- a/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml +++ b/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml @@ -6,6 +6,8 @@ metadata: data: proxy-default.conf: | {{ .Values.proxyconfig | indent 4 }} + cors-proxy-default.conf: | +{{ .Values.corsproxyconfig | indent 4 }} compression.conf: | {{ .Values.compressionConfig | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 index e325f5d339..992654f0e8 100644 --- a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 +++ b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 
@@ -64,6 +64,74 @@ resources: repository: {{proxy_repository|default('proxy')}} image_tag: {{ image_tag }} +corsproxyconfig: |- + {% if proto=='https' %} + server { + if ($host = files.{{domain_name}}) { + return 301 https://$host$request_uri; + } + listen 80 ; + listen [::]:80 ; + server_name files.{{domain_name}}; + return 404; + } + {% endif %} + server { + {% if proto=='http' %} + listen 80; + listen [::]:80; + {% else %} + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /etc/secrets/site.crt; + ssl_certificate_key /etc/secrets/site.key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + {% endif %} + server_name files.{{domain_name}}; + client_max_body_size 0; + root /var/www/html; + resolver {{ kube_dns_ip }} valid=30s; + + location / { + # handle cors and allow all + if ($request_method = OPTIONS ) { + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD"; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type"; + add_header Access-Control-Allow-Credentials "true"; + add_header Content-Length 0; + add_header Content-Type text/plain; + return 204; + } + + proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}"; + # remove any CORS header from backend OSS S3 + proxy_hide_header Access-Control-Allow-Origin; + proxy_hide_header Access-Control-Allow-Methods; + proxy_hide_header Access-Control-Allow-Headers; + proxy_hide_header Access-Control-Allow-Credentials; 
+ + # inject our own CORS header to allow what we wanted + add_header Access-Control-Allow-Credentials "true" always; + add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always; + add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; + # + add_header Referer ""; + proxy_pass {{cloud_storage_url}}; + + # if get request, trim the query string + if ($request_method = GET ) { + proxy_pass {{cloud_storage_url}}$uri; + } + + + } + } + + proxyconfig: |- {% if proto=='https' %} server { From be9708545ab9925555b2a270ab337009e17335b6 Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Wed, 1 Nov 2023 11:14:17 +1100 Subject: [PATCH 19/20] testing with condition for csp Signed-off-by: Deepak Devadathan --- .../core/nginx-public-ingress/templates/configMap.yaml | 2 ++ kubernetes/helm_charts/core/nginx-public-ingress/values.j2 | 1 + 2 files changed, 3 insertions(+) diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml b/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml index 3992332ca6..3a04ccb80c 100644 --- a/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml +++ b/kubernetes/helm_charts/core/nginx-public-ingress/templates/configMap.yaml 
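Review bot: `add_header Access-Control-Allow-Origin * always` is paired with `add_header Access-Control-Allow-Credentials "true" always` (and the same pair sits in the OPTIONS branch), a combination browsers refuse for credentialed requests because the CORS spec makes a wildcard origin and the credentials flag mutually exclusive — so the credentials header does nothing today and turns into a cross-site credential exposure the moment someone replaces `*` with `$http_origin`. For a public files host the safer shape is to delete both `Access-Control-Allow-Credentials` lines and keep the wildcard; if credentialed cross-origin access is genuinely required, reflect only an allow-listed origin (for example via a `map $http_origin $cors_origin` block) instead of `*`. Separately, `add_header Referer "";` emits a response header named Referer, which no client consumes; if the intent is to keep the client's Referer from reaching the storage backend, it should be `proxy_set_header Referer "";`. The `ssl_ciphers` string also lists `EECDH+aRSA+RC4` and then excludes it with `!RC4`, so the first entry can simply be dropped. Note too that GET requests are proxied to `{{cloud_storage_url}}$uri`, where `$uri` is the decoded, normalised path, so percent-encoded object keys reach the backend decoded — worth confirming against the storage provider's key handling before relying on it.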
@@ -6,8 +6,10 @@ metadata: data: proxy-default.conf: | {{ .Values.proxyconfig | indent 4 }} +{{- if eq .Values.csp "oci" }} cors-proxy-default.conf: | {{ .Values.corsproxyconfig | indent 4 }} +{{- end }} compression.conf: | {{ .Values.compressionConfig | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 index 992654f0e8..11e33d70c4 100644 --- a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 +++ b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 @@ -1,6 +1,7 @@ #jinja2:lstrip_blocks: True namespace: {{ namespace }} +csp: {{cloud_service_provider}} merge_domain_status: {{ merge_domain_status | lower }} service: annotations: {{nginx_public_ingress_service_annotations | d('') | to_json}} From c6cc43cb4a2bca2917323620b1e5767c33165b9c Mon Sep 17 00:00:00 2001 From: Deepak Devadathan Date: Wed, 1 Nov 2023 17:11:25 +1100 Subject: [PATCH 20/20] removed nginx-cors-public 
Signed-off-by: Deepak Devadathan --- .../jobs/nginx-cors-public/config.xml | 149 ------------- .../core/nginx-cors-public/.helmignore | 22 -- .../core/nginx-cors-public/Chart.yaml | 21 -- .../nginx-cors-public/templates/_helpers.tpl | 63 ------ .../templates/configMap.yaml | 20 -- .../templates/deployment.yaml | 81 ------- .../core/nginx-cors-public/values.j2 | 207 ------------------ 7 files changed, 563 deletions(-) delete mode 100644 deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/.helmignore delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml delete mode 100644 kubernetes/helm_charts/core/nginx-cors-public/values.j2 diff --git a/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml b/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml deleted file mode 100644 index fa3e603cd7..0000000000 --- a/deploy/jenkins/jobs/Deploy/jobs/dev/jobs/Kubernetes/jobs/nginx-cors-public/config.xml +++ /dev/null 
@@ -1,149 +0,0 @@ - - - - - hudson.model.ParametersDefinitionProperty - com.sonyericsson.rebuild.RebuildSettings - - - - - false - - - - -1 - 10 - -1 - 2 - - - - - false - false - - - - - absolute_job_path - <font color=dimgray size=2><b>Do not change this value! The metadata.json will be copied from this job.</b></font> - ArtifactUpload/dev/Core/Proxy - false - - - image_tag - <font color=red size=2><b>CAUTION: If the value is blank, image tag will be taken from the latest metadata.json.</b></font> - - false - - - private_branch - - choice-parameter-2544395024638227 - 1 - - true - - - - true - - - nginx-cors-public - Deploy/dev/Kubernetes/nginx-cors-public - - - ET_FORMATTED_HTML - true - - - branch_or_tag - - choice-parameter-2620434998790477 - 1 - - true - - - - true - - - nginx-cors-public - Deploy/dev/Kubernetes/nginx-cors-public - - - ET_FORMATTED_HTML - true - - - role_name - - - - helm-deploy - sunbird-deploy - - - - - - - 0 - 0 - - false - project - false - - - - - - - - - - 2 - - - https://github.com/project-sunbird/sunbird-devops.git - - - - - ${branch_or_tag} - - - false - - - - true - false - - 0 - false - - - - kubernetes/pipelines/deploy_core/Jenkinsfile - false - - - false - \ No newline at end of file diff --git a/kubernetes/helm_charts/core/nginx-cors-public/.helmignore b/kubernetes/helm_charts/core/nginx-cors-public/.helmignore deleted file mode 100644 index 50af031725..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ 
diff --git a/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml b/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml deleted file mode 100644 index 429f940d82..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/Chart.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v2 -name: nginx-cors-public -description: A Helm chart for Kubernetes - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -version: 0.1.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. -appVersion: 1.16.0 diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl b/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl deleted file mode 100644 index 0af5bc238a..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/templates/_helpers.tpl +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "nginx-public-ingress.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "nginx-public-ingress.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "nginx-public-ingress.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "nginx-public-ingress.labels" -}} -helm.sh/chart: {{ include "nginx-public-ingress.chart" . }} -{{ include "nginx-public-ingress.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "nginx-public-ingress.selectorLabels" -}} -app.kubernetes.io/name: {{ include "nginx-public-ingress.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "nginx-public-ingress.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "nginx-public-ingress.fullname" .) 
.Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml deleted file mode 100644 index ba70de2a1c..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/templates/configMap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: proxy-cors-default - namespace: {{ .Values.namespace }} -data: - proxy-default.conf: | -{{ .Values.proxyconfig | indent 4 }} - compression.conf: | -{{ .Values.compressionConfig | indent 4 }} - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-cors-conf - namespace: {{ .Values.namespace }} -data: - nginx.conf: | -{{ .Values.nginxconfig | indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml b/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml deleted file mode 100644 index 28a558bb17..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/templates/deployment.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-cors-public - namespace: {{ .Values.namespace }} - annotations: - reloader.stakater.com/auto: "true" -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: nginx-cors-public - template: - metadata: - annotations: - nginxRolloutID: {{ randAlphaNum 5 | quote }} # Restart nginx after every deployment - fluentbit.io/parser: nginx2 - labels: - app: nginx-cors-public - spec: - # Running nginx with custom config -{{- if .Values.imagepullsecrets }} - imagePullSecrets: - - name: {{ .Values.imagepullsecrets }} -{{- end }} - volumes: - - name: tls - secret: - secretName: ingress-cert - - name: proxy-config - configMap: - name: proxy-cors-default - - name: nginx-config - configMap: - name: nginx-cors-conf -{{- if .Values.volumes }} -{{ toYaml .Values.volumes | indent 8 }} -{{- end }} - containers: - - name: nginx-public - image: "{{ .Values.dockerhub }}/{{ .Values.repository }}:{{ .Values.image_tag }}" - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: - - name: tls - mountPath: /etc/secrets - readOnly: true - - name: proxy-config - mountPath: /etc/nginx/defaults.d - - name: nginx-config - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf -{{- if .Values.volumeMounts }} -{{ toYaml .Values.volumeMounts | indent 10 }} -{{- end }} - ports: - - containerPort: 80 - name: http - - containerPort: 443 - name: https ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx-cors-public - namespace: {{ .Values.namespace }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - externalTrafficPolicy: Local - selector: - app: nginx-cors-public - type: {{ .Values.service.type }} -{{- if and .Values.service.nginx_cors_public_ip (ne .Values.service.type "NodePort") }} - loadBalancerIP: {{ .Values.service.nginx_cors_public_ip }} -{{- end }} - ports: -{{ toYaml .Values.service.ports | 
indent 4 }} diff --git a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 b/kubernetes/helm_charts/core/nginx-cors-public/values.j2 deleted file mode 100644 index 3168f506b4..0000000000 --- a/kubernetes/helm_charts/core/nginx-cors-public/values.j2 +++ /dev/null 
@@ -1,207 +0,0 @@ -#jinja2:lstrip_blocks: True - -namespace: {{ namespace }} -merge_domain_status: {{ merge_domain_status | lower }} -service: - annotations: {{nginx_public_ingress_service_annotations | d('') | to_json}} - type: {{ nginx_public_ingress_type | default('LoadBalancer') }} - {% if nginx_cors_public_ip is defined %} - nginx_cors_public_ip: {{ nginx_cors_public_ip }} - {% endif %} - ports: - - port: 80 - name: http - targetPort: 80 - nodePort: 31382 - - port: 443 - name: https - targetPort: 443 - nodePort: 31392 - -{% if nginx_volumes is defined and nginx_volumes %} -volumes: {{ nginx_volumes.volumes | to_json }} -volumeMounts: {{ nginx_volumes.volumeMounts | to_json }} -{% endif %} - -imagepullsecrets: {{ imagepullsecrets }} -dockerhub: {{ dockerhub }} - -resources: - requests: - cpu: {{proxy_cpu_req|default('100m')}} - memory: {{proxy_mem_req|default('100Mi')}} - limits: - cpu: {{proxy_cpu_limit|default('1')}} - memory: {{proxy_mem_limit|default('1024Mi')}} - -repository: {{proxy_repository|default('proxy')}} -image_tag: {{ image_tag }} -replicaCount: {{nginx_cors_public_replicacount|default(1)}} - -proxyconfig: |- - {% if proto=='https' %} - server { - if ($host = files.{{domain_name}}) { - return 301 https://$host$request_uri; - } - listen 80 ; - listen [::]:80 ; - server_name files.{{domain_name}}; - return 404; - } - {% endif %} - server { - {% if proto=='http' %} - listen 80; - listen [::]:80; - {% else %} - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - ssl_certificate /etc/secrets/site.crt; - ssl_certificate_key /etc/secrets/site.key; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; - {% endif %} - server_name files.{{domain_name}}; - client_max_body_size 0; - root /var/www/html; - resolver {{ kube_dns_ip }} valid=30s; - - location / { - # 
handle cors and allow all - if ($request_method = OPTIONS ) { - add_header Access-Control-Allow-Origin *; - add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD"; - add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type"; - add_header Access-Control-Allow-Credentials "true"; - add_header Content-Length 0; - add_header Content-Type text/plain; - return 204; - } - - proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}"; - # remove any CORS header from backend OSS S3 - proxy_hide_header Access-Control-Allow-Origin; - proxy_hide_header Access-Control-Allow-Methods; - proxy_hide_header Access-Control-Allow-Headers; - proxy_hide_header Access-Control-Allow-Credentials; - - # inject our own CORS header to allow what we wanted - add_header Access-Control-Allow-Credentials "true" always; - add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always; - add_header Access-Control-Allow-Origin * always; - add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always; - add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always; - # - add_header Referer ""; - proxy_pass {{cloud_storage_url}}; - - # if get request, trim the query string - if ($request_method = GET ) { - proxy_pass {{cloud_storage_url}}$uri; - } - - - } - } - 
-nginxconfig: | - user nginx; - worker_processes {{nginx_worker_processes | d("auto")}}; - error_log /var/log/nginx/error.log warn; - pid /var/run/nginx.pid; - events { - worker_connections 10000; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - resolver {{ kube_dns_ip }} valid=30s; - lua_load_resty_core off; - log_format main '{{ nginx_client_public_ip_header | d('$remote_addr') }} - $remote_user [$time_local] ' - '"$request" $status $request_length $body_bytes_sent' - ' $request_time $upstream_response_time $pipe' - ' "$http_referer" "$http_user_agent" "$sb_request_id"' - ' "$http_x_device_id" "$http_x_channel_id" "$http_x_app_id"' - ' "$http_x_app_ver" "$http_x_session_id" {{nginx_additional_log_fields | default("")}}'; - access_log /var/log/nginx/access.log main; - # Shared dictionary to store metrics - lua_shared_dict prometheus_metrics 100M; - lua_package_path "/etc/nginx/lua_modules/?.lua"; - # Defining request_id - # If the client send request_id it should be preffered over the default one - map $http_x_request_id $sb_request_id { - default $http_x_request_id; - '' $request_id; - } - # Defining upstream cache status for nginx metrics - map $upstream_cache_status $cache_status { - default $upstream_cache_status; - '' "NONE"; - } - map $http_accept $dial_upstream_host { - default player; - application/ld+json kong; - } - # Defining metrics - init_worker_by_lua_block { - prometheus = require("prometheus").init("prometheus_metrics") - metric_requests = prometheus:counter( - "nginx_http_requests_total", "Number of HTTP requests", {"host", "status", "request_method", "cache_status"}) - metric_latency = prometheus:histogram( - "nginx_http_request_duration_seconds", "HTTP request latency", {"host"}) - metric_connections = prometheus:gauge( - "nginx_http_connections", "Number of HTTP connections", {"state"}) - } - log_by_lua_block { - metric_requests:inc(1, {ngx.var.server_name, ngx.var.status, ngx.var.request_method, 
ngx.var.cache_status }) - metric_latency:observe(tonumber(ngx.var.request_time), {ngx.var.server_name}) - } - header_filter_by_lua_block { - ngx.header["server"] = nil - } - sendfile on; - #tcp_nopush on; - client_max_body_size 60M; - keepalive_timeout 65s; - keepalive_requests 200; - # Nginx connection limit per ip - limit_conn_zone $binary_remote_addr zone=limitbyaddr:10m; - limit_conn_status 429; - include /etc/nginx/defaults.d/*.conf; - include /etc/nginx/conf.d/*.conf; - - } - - -compressionConfig: |- - # Compression - gzip on; - gzip_comp_level 5; - gzip_min_length 256; # 256Bytes - gzip_proxied any; - gzip_vary on; - # Content types for compression - gzip_types - application/atom+xml - application/javascript - application/json - application/ld+json - application/manifest+json - application/rss+xml - application/vnd.geo+json - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/bmp - image/svg+xml - image/x-icon - text/cache-manifest - text/css - text/plain - ; - -