Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ED-3079: deploy nginx to support cors for s3 compatible object storage #3915

Merged
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
nginx-cors
Signed-off-by: Deepak Devadathan <deepak.devadathan@oracle.com>
  • Loading branch information
ddevadat committed Oct 30, 2023
commit 59ab291ac66cac6e403ac4c45ecce26a497afbf1
7 changes: 7 additions & 0 deletions ansible/provision_nginx_cors.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
- hosts: kp
become: true
vars_files:
- ['{{inventory_dir}}/secrets.yml', 'secrets/{{env}}.yml']
roles:
- nginx-cors
5 changes: 5 additions & 0 deletions ansible/roles/nginx-cors/handlers/main.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
- name: Restart Nginx
service:
name: nginx
state: restarted
24 changes: 24 additions & 0 deletions ansible/roles/nginx-cors/tasks/main.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
---
- name: Install Nginx
apt:
name: nginx
state: present
notify: Restart Nginx

- name: Copy ssl cert file
template:
src: ssl_cert.j2
dest: /etc/nginx/ssl_cert.pem
notify: Restart Nginx

- name: Copy ssl cert key file
template:
src: ssl_cert_key.j2
dest: /etc/nginx/ssl_cert_key.pem
notify: Restart Nginx

- name: Copy Nginx configuration file
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
notify: Restart Nginx
60 changes: 60 additions & 0 deletions ansible/roles/nginx-cors/templates/nginx.conf.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@

server {

resolver 127.0.0.53;
root /var/www/html;

server_name files.{{domain_name}}; # managed by Certbot
client_max_body_size 0;

location / {
# handle cors and allow all
if ($request_method = OPTIONS ) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, OPTIONS, PATCH, POST, PUT, HEAD";
add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept, Accept-Encoding, Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method, Cache-Control, DNT, User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type";
add_header Access-Control-Allow-Credentials "true";
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}

proxy_set_header Host "{{ cloud_storage_url | replace('https://', '') }}";
# remove any CORS header from backend OSS S3
proxy_hide_header Access-Control-Allow-Origin;
proxy_hide_header Access-Control-Allow-Methods;
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Credentials;

# inject our own CORS header to allow what we wanted
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Expose-Headers 'Content-Length,Content-Range,Connection,opc-client-info,opc-request-id' always;
add_header Access-Control-Allow-Origin * always;
add_header Access-Control-Allow-Methods "GET,OPTIONS,PATCH,POST,PUT,HEAD" always;
add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Authorization, Content-Type, user-id, Accept,Accept-Encoding,Accept-Language, Access-Control-Request-Headers, Access-Control-Request-Method,Cache-Control,DNT,Host,Origin,Pragma,Referer,User-Agent, X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, Amz-Expires, X-Amz-SignedHeaders, X-Amz-Signature, x-ms-blob-type" always;
#
add_header Referer "";
# if get request, trim the query string
if ($request_method = GET ) {
proxy_pass {{cloud_storage_url}}$uri;
}
# pass everything to backend OSS S3
proxy_pass {{cloud_storage_url}};
}

listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl_cert.pem;
ssl_certificate_key /etc/nginx/ssl_cert_key.pem;

}

server {
if ($host = files.{{domain_name}}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name files.{{domain_name}};
return 404; # managed by Certbot
}
1 change: 1 addition & 0 deletions ansible/roles/nginx-cors/templates/ssl_cert.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
"{{ core_vault_proxy_site_crt }}"
1 change: 1 addition & 0 deletions ansible/roles/nginx-cors/templates/ssl_cert_key.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
"{{ core_vault_proxy_site_key }}"
51 changes: 51 additions & 0 deletions pipelines/provision/nginx-cors/Jenkinsfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
@Library('deploy-conf') _
node() {
try {
String ANSI_GREEN = "\u001B[32m"
String ANSI_NORMAL = "\u001B[0m"
String ANSI_BOLD = "\u001B[1m"
String ANSI_RED = "\u001B[31m"
String ANSI_YELLOW = "\u001B[33m"

stage('checkout public repo') {
folder = new File("$WORKSPACE/.git")
if (folder.exists())
{
println "Found .git folder. Clearing it.."
sh'git clean -fxd'
}
checkout scm
}

ansiColor('xterm') {
stage('deploy'){
values = [:]
currentWs = sh(returnStdout: true, script: 'pwd').trim()
envDir = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-3].trim()
module = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-2].trim()
jobName = sh(returnStdout: true, script: "echo $JOB_NAME").split('/')[-1].trim()
ansiblePlaybook = "${currentWs}/ansible/provision_nginx_cors.yml"
ansibleExtraArgs = "--vault-password-file /var/lib/jenkins/secrets/vault-pass"
values.put('currentWs', currentWs)
values.put('env', envDir)
values.put('module', module)
values.put('jobName', jobName)
values.put('ansiblePlaybook', ansiblePlaybook)
values.put('ansibleExtraArgs', ansibleExtraArgs)
println values
ansible_playbook_run(values)
currentBuild.result = 'SUCCESS'
currentBuild.description = "Private: ${params.private_branch}, Public: ${params.branch_or_tag}"
}
}
summary()
}
catch (err) {
currentBuild.result = 'FAILURE'
throw err
}
finally {
slack_notify(currentBuild.result)
email_notify()
}
}