diff --git a/manifests/swh/deploy/webapp.pp b/manifests/swh/deploy/webapp.pp
index 7bcfaaaf..e014d20d 100644
--- a/manifests/swh/deploy/webapp.pp
+++ b/manifests/swh/deploy/webapp.pp
@@ -1,260 +1,227 @@
# WebApp deployment
class profile::swh::deploy::webapp {
$conf_directory = lookup('swh::deploy::webapp::conf_directory')
$conf_file = lookup('swh::deploy::webapp::conf_file')
$user = lookup('swh::deploy::webapp::user')
$group = lookup('swh::deploy::webapp::group')
$webapp_config = lookup('swh::deploy::webapp::config')
$conf_log_dir = lookup('swh::deploy::webapp::conf::log_dir')
$backend_listen_host = lookup('swh::deploy::webapp::backend::listen::host')
$backend_listen_port = lookup('swh::deploy::webapp::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
$backend_workers = lookup('swh::deploy::webapp::backend::workers')
$backend_http_keepalive = lookup('swh::deploy::webapp::backend::http_keepalive')
$backend_http_timeout = lookup('swh::deploy::webapp::backend::http_timeout')
$backend_reload_mercy = lookup('swh::deploy::webapp::backend::reload_mercy')
$swh_packages = ['python3-swh.web']
$static_dir = '/usr/lib/python3/dist-packages/swh/web/static'
$varnish_http_port = lookup('varnish::http_port')
$vhost_name = lookup('swh::deploy::webapp::vhost::name')
$vhost_port = lookup('apache::http_port')
$vhost_aliases = lookup('swh::deploy::webapp::vhost::aliases')
$vhost_docroot = lookup('swh::deploy::webapp::vhost::docroot')
$vhost_basic_auth_file = "${conf_directory}/http_auth"
$vhost_basic_auth_content = lookup('swh::deploy::webapp::vhost::basic_auth_content', String, 'first', '')
$vhost_ssl_port = lookup('apache::https_port')
$vhost_ssl_protocol = lookup('swh::deploy::webapp::vhost::ssl_protocol')
$vhost_ssl_honorcipherorder = lookup('swh::deploy::webapp::vhost::ssl_honorcipherorder')
$vhost_ssl_cipher = lookup('swh::deploy::webapp::vhost::ssl_cipher')
$locked_endpoints = lookup('swh::deploy::webapp::locked_endpoints', Array, 'unique')
$endpoint_directories = $locked_endpoints.map |$endpoint| {
{ path => "^${endpoint}",
provider => 'locationmatch',
auth_type => 'Basic',
auth_name => 'Software Heritage development',
auth_user_file => $vhost_basic_auth_file,
auth_require => 'valid-user',
}
}
include ::gunicorn
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
notify => Service['gunicorn-swh-webapp'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
file {$conf_log_dir:
ensure => directory,
owner => 'root',
group => $group,
mode => '0770',
}
file {$vhost_docroot:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @webapp_config.to_yaml %>\n"),
notify => Service['gunicorn-swh-webapp'],
}
::gunicorn::instance {'swh-webapp':
ensure => enabled,
user => $user,
group => $group,
executable => 'swh.web.wsgi:application',
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
}
}
include ::profile::apache::common
include ::apache::mod::proxy
include ::apache::mod::headers
::apache::vhost {"${vhost_name}_non-ssl":
servername => $vhost_name,
serveraliases => $vhost_aliases,
port => $vhost_port,
docroot => $vhost_docroot,
proxy_pass => [
{ path => '/static',
url => '!',
},
{ path => '/robots.txt',
url => '!',
},
{ path => '/favicon.ico',
url => '!',
},
{ path => '/',
url => "http://${backend_listen_address}/",
},
],
directories => [
{ path => '/api',
provider => 'location',
allow => 'from all',
satisfy => 'Any',
headers => ['add Access-Control-Allow-Origin "*"'],
},
{ path => $static_dir,
options => ['-Indexes'],
},
] + $endpoint_directories,
aliases => [
{ alias => '/static',
path => $static_dir,
},
{ alias => '/robots.txt',
path => "${static_dir}/robots.txt",
},
],
require => [
File[$vhost_basic_auth_file],
],
}
$ssl_cert_names = ['star_softwareheritage_org', 'star_internal_softwareheritage_org']
include ::profile::hitch
each($ssl_cert_names) |$ssl_cert_name| {
realize(::Profile::Hitch::Ssl_cert[$ssl_cert_name])
}
include ::profile::varnish
::profile::varnish::vhost {$vhost_name:
aliases => $vhost_aliases,
hsts_max_age => lookup('strict_transport_security::max_age'),
}
if $endpoint_directories {
file {$vhost_basic_auth_file:
ensure => present,
owner => 'root',
group => 'www-data',
mode => '0640',
content => $vhost_basic_auth_content,
}
} else {
file {$vhost_basic_auth_file:
ensure => absent,
}
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-webapp http redirect on ${::fqdn}":
service_name => 'swh webapp http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $varnish_http_port,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp https on ${::fqdn}":
service_name => 'swh webapp',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp https certificate ${::fqdn}":
service_name => 'swh webapp https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
- @@::icinga2::object::service {"swh-webapp counters ${::fqdn}":
- service_name => 'swh webapp counters',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $vhost_name,
- http_vhost => $vhost_name,
- http_port => $vhost_ssl_port,
- http_uri => '/api/1/stat/counters/',
- http_ssl => true,
- http_string => '\"content\":'
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
-
- @@::icinga2::object::service {"swh-webapp content known ${::fqdn}":
- service_name => 'swh webapp content known',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $vhost_name,
- http_vhost => $vhost_name,
- http_port => $vhost_ssl_port,
- http_uri => '/api/1/content/known/search/',
- http_ssl => true,
- http_post => 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02',
- http_string => '\"found\":true',
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
+ include ::profile::swh::deploy::webapp::icinga_checks
}
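Review bot: The `include ::profile::swh::deploy::webapp::icinga_checks` line at the end of the class creates an ordering dependency that nothing documents. The new class reads `$vhost_name` and `$vhost_ssl_port` through this class's qualified scope, so it presumably resolves them only when it is evaluated after the assignments at the top of this class. A comment above the include would make that visible, e.g. `# icinga_checks reads $vhost_name and $vhost_ssl_port from this class; keep the include below those assignments`. Passing the two values as class parameters would remove the coupling altogether.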
diff --git a/manifests/swh/deploy/webapp/icinga_checks.pp b/manifests/swh/deploy/webapp/icinga_checks.pp
new file mode 100644
index 00000000..2b6b62c0
--- /dev/null
+++ b/manifests/swh/deploy/webapp/icinga_checks.pp
@@ -0,0 +1,89 @@
+class profile::swh::deploy::webapp::icinga_checks {
+ $vhost_name = $::profile::swh::deploy::webapp::vhost_name
+ $vhost_ssl_port = $::profile::swh::deploy::webapp::vhost_ssl_port
+ $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
+
+ $checks = {
+ 'counters' => {
+ http_uri => '/api/1/stat/counters/',
+ http_string => '\"content\":',
+ },
+ 'content known' => {
+ http_uri => '/api/1/content/known/search/',
+ http_post => 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02',
+ http_string => '\"found\":true',
+ },
+ 'content end to end' => {
+ http_uri => '/browse/content/4dfc4478b1d5f7388b298fdfc06802485bdeae0c/',
+ http_string => 'PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2',
+ },
+ 'directory end to end' => {
+ http_uri => '/browse/directory/977fc4b98c0e85816348cebd3b12026407c368b6/',
+ http_linespan => true,
+ http_expect_body_regex => 'Doc.*Grammar.*Include.*Lib.*Mac.*Misc.*Modules.*Objects.*PC.*PCbuild.*LICENSE.*README.rst',
+ },
+ 'revision end to end' => {
+ http_uri => '/browse/revision/f1b94134a4b879bc55c3dacdb496690c8ebdc03f/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"Allocate the output vlc pictures with dimensions padded,.*',
+ 'as requested by the decoder \\\\(for alignments\\\\)."'
+ ]),
+ },
+ 'release end to end' => {
+ http_uri => '/browse/release/a9b7e3f1eada90250a6b2ab2ef3e0a846cb16831/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"Linux 4.9-rc8.*',
+ '/revision/3e5de27e940d00d8d504dfb96625fb654f641509/"'
+ ]),
+ },
+ 'snapshot end to end' => {
+ http_uri => '/browse/snapshot/baebc2109e4a2ec22a1129a3859647e191d04df4/branches/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"',
+ join([
+ 'buster/main/4.13.13-1',
+ 'buster/main/4.14.12-2',
+ 'buster/main/4.14.13-1',
+ 'buster/main/4.14.17-1',
+ 'buster/main/4.15.4-1',
+ 'buster/main/4.9.65-3',
+ 'experimental/main/4.10~rc6-1~exp2',
+ 'jessie-backports/main/3.16.39-1',
+ 'jessie-backports/main/4.7.8-1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.18-1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.65-3\\\\+deb9u1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.65-3\\\\+deb9u2~bpo8\\\\+1',
+ 'jessie-kfreebsd/main/3.16.7-ckt9-2',
+ 'jessie-proposed-updates/main/3.16.51-3',
+ 'jessie-proposed-updates/main/3.16.51-3\\\\+deb8u1',
+ 'jessie-updates/main/3.16.51-3',
+ 'jessie/main/3.16.43-1',
+ 'jessie/main/3.16.51-2',
+ 'jessie/main/3.16.7-ckt2-1',
+ 'jessie/main/3.16.7-ckt20-1\\\\+deb8u3',
+ ], '.*'),
+ '"',
+ ]),
+ }
+ }
+
+ each($checks) |$name, $args| {
+ @@::icinga2::object::service {"swh-webapp ${name} ${::fqdn}":
+ service_name => "swh webapp ${name}",
+ import => ['generic-service'],
+ host_name => $::fqdn,
+ check_command => 'http',
+ vars => {
+ http_address => $vhost_name,
+ http_vhost => $vhost_name,
+ http_port => $vhost_ssl_port,
+ http_ssl => true,
+ } + $args,
+ target => $icinga_checks_file,
+ tag => 'icinga2::exported',
+ }
+ }
+}
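Review bot: The base `vars` hash in the `each($checks)` loop sets `http_ssl => true` but not `http_sni => true`, unlike the 'swh webapp' and certificate checks kept in webapp.pp, which set both. The webapp profile realizes two hitch certificates, so without SNI these probes may be answered with the default certificate rather than the one for `$vhost_name`; this is worth confirming against the hitch configuration. Adding `http_sni => true,` after `http_ssl => true,` would keep every HTTPS check consistent. Because the hash is merged as `} + $args`, a per-check entry can override any base key, including `http_ssl`, and a one-line comment saying so would help whoever adds the next check.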
Attached To
rSPSITE puppet-swh-site