diff --git a/manifests/swh/deploy/webapp.pp b/manifests/swh/deploy/webapp.pp
index 7bcfaaaf..e014d20d 100644
--- a/manifests/swh/deploy/webapp.pp
+++ b/manifests/swh/deploy/webapp.pp
@@ -1,260 +1,227 @@ # WebApp deployment class profile::swh::deploy::webapp { $conf_directory = lookup('swh::deploy::webapp::conf_directory') $conf_file = lookup('swh::deploy::webapp::conf_file') $user = lookup('swh::deploy::webapp::user') $group = lookup('swh::deploy::webapp::group') $webapp_config = lookup('swh::deploy::webapp::config') $conf_log_dir = lookup('swh::deploy::webapp::conf::log_dir') $backend_listen_host = lookup('swh::deploy::webapp::backend::listen::host') $backend_listen_port = lookup('swh::deploy::webapp::backend::listen::port') $backend_listen_address = "${backend_listen_host}:${backend_listen_port}" $backend_workers = lookup('swh::deploy::webapp::backend::workers') $backend_http_keepalive = lookup('swh::deploy::webapp::backend::http_keepalive') $backend_http_timeout = lookup('swh::deploy::webapp::backend::http_timeout') $backend_reload_mercy = lookup('swh::deploy::webapp::backend::reload_mercy') $swh_packages = ['python3-swh.web'] $static_dir = '/usr/lib/python3/dist-packages/swh/web/static' $varnish_http_port = lookup('varnish::http_port') $vhost_name = lookup('swh::deploy::webapp::vhost::name') $vhost_port = lookup('apache::http_port') $vhost_aliases = lookup('swh::deploy::webapp::vhost::aliases') $vhost_docroot = lookup('swh::deploy::webapp::vhost::docroot') $vhost_basic_auth_file = "${conf_directory}/http_auth" $vhost_basic_auth_content = lookup('swh::deploy::webapp::vhost::basic_auth_content', String, 'first', '') $vhost_ssl_port = lookup('apache::https_port') $vhost_ssl_protocol = lookup('swh::deploy::webapp::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = lookup('swh::deploy::webapp::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = lookup('swh::deploy::webapp::vhost::ssl_cipher') $locked_endpoints = lookup('swh::deploy::webapp::locked_endpoints', Array, 'unique') $endpoint_directories = $locked_endpoints.map |$endpoint| { { path => "^${endpoint}", provider => 'locationmatch', auth_type => 'Basic', auth_name => 'Software Heritage 
development', auth_user_file => $vhost_basic_auth_file, auth_require => 'valid-user', } } include ::gunicorn package {$swh_packages: ensure => latest, require => Apt::Source['softwareheritage'], notify => Service['gunicorn-swh-webapp'], } file {$conf_directory: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_log_dir: ensure => directory, owner => 'root', group => $group, mode => '0770', } file {$vhost_docroot: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_file: ensure => present, owner => 'root', group => $group, mode => '0640', content => inline_template("<%= @webapp_config.to_yaml %>\n"), notify => Service['gunicorn-swh-webapp'], } ::gunicorn::instance {'swh-webapp': ensure => enabled, user => $user, group => $group, executable => 'swh.web.wsgi:application', settings => { bind => $backend_listen_address, workers => $backend_workers, worker_class => 'sync', timeout => $backend_http_timeout, graceful_timeout => $backend_reload_mercy, keepalive => $backend_http_keepalive, } } include ::profile::apache::common include ::apache::mod::proxy include ::apache::mod::headers ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => $vhost_port, docroot => $vhost_docroot, proxy_pass => [ { path => '/static', url => '!', }, { path => '/robots.txt', url => '!', }, { path => '/favicon.ico', url => '!', }, { path => '/', url => "http://${backend_listen_address}/", }, ], directories => [ { path => '/api', provider => 'location', allow => 'from all', satisfy => 'Any', headers => ['add Access-Control-Allow-Origin "*"'], }, { path => $static_dir, options => ['-Indexes'], }, ] + $endpoint_directories, aliases => [ { alias => '/static', path => $static_dir, }, { alias => '/robots.txt', path => "${static_dir}/robots.txt", }, ], require => [ File[$vhost_basic_auth_file], ], } $ssl_cert_names = ['star_softwareheritage_org', 'star_internal_softwareheritage_org'] 
include ::profile::hitch each($ssl_cert_names) |$ssl_cert_name| { realize(::Profile::Hitch::Ssl_cert[$ssl_cert_name]) } include ::profile::varnish ::profile::varnish::vhost {$vhost_name: aliases => $vhost_aliases, hsts_max_age => lookup('strict_transport_security::max_age'), } if $endpoint_directories { file {$vhost_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => $vhost_basic_auth_content, } } else { file {$vhost_basic_auth_file: ensure => absent, } } $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' @@::icinga2::object::service {"swh-webapp http redirect on ${::fqdn}": service_name => 'swh webapp http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_port => $varnish_http_port, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"swh-webapp https on ${::fqdn}": service_name => 'swh webapp', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_port => $vhost_ssl_port, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"swh-webapp https certificate ${::fqdn}": service_name => 'swh webapp https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_port => $vhost_ssl_port, http_ssl => true, http_sni => true, http_certificate => 60, }, target => $icinga_checks_file, tag => 'icinga2::exported', } - @@::icinga2::object::service {"swh-webapp counters ${::fqdn}": - service_name => 'swh webapp counters', - import => ['generic-service'], - host_name => $::fqdn, - check_command => 'http', - vars => { - http_address => 
$vhost_name,
- http_vhost => $vhost_name,
- http_port => $vhost_ssl_port,
- http_uri => '/api/1/stat/counters/',
- http_ssl => true,
- http_string => '\"content\":'
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
-
- @@::icinga2::object::service {"swh-webapp content known ${::fqdn}":
- service_name => 'swh webapp content known',
- import => ['generic-service'],
- host_name => $::fqdn,
- check_command => 'http',
- vars => {
- http_address => $vhost_name,
- http_vhost => $vhost_name,
- http_port => $vhost_ssl_port,
- http_uri => '/api/1/content/known/search/',
- http_ssl => true,
- http_post => 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02',
- http_string => '\"found\":true',
- },
- target => $icinga_checks_file,
- tag => 'icinga2::exported',
- }
+ include ::profile::swh::deploy::webapp::icinga_checks
 }
diff --git a/manifests/swh/deploy/webapp/icinga_checks.pp b/manifests/swh/deploy/webapp/icinga_checks.pp
new file mode 100644
index 00000000..2b6b62c0
--- /dev/null
+++ b/manifests/swh/deploy/webapp/icinga_checks.pp
@@ -0,0 +1,89 @@
+class profile::swh::deploy::webapp::icinga_checks {
+ $vhost_name = $::profile::swh::deploy::webapp::vhost_name
+ $vhost_ssl_port = $::profile::swh::deploy::webapp::vhost_ssl_port
+ $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
+
+ $checks = {
+ 'counters' => {
+ http_uri => '/api/1/stat/counters/',
+ http_string => '\"content\":',
+ },
+ 'content known' => {
+ http_uri => '/api/1/content/known/search/',
+ http_post => 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02',
+ http_string => '\"found\":true',
+ },
+ 'content end to end' => {
+ http_uri => '/browse/content/4dfc4478b1d5f7388b298fdfc06802485bdeae0c/',
+ http_string => 'PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2',
+ },
+ 'directory end to end' => {
+ http_uri => '/browse/directory/977fc4b98c0e85816348cebd3b12026407c368b6/',
+ http_linespan => true,
+ http_expect_body_regex => 'Doc.*Grammar.*Include.*Lib.*Mac.*Misc.*Modules.*Objects.*PC.*PCbuild.*LICENSE.*README.rst',
+ },
+ 'revision end to end' => {
+ http_uri => '/browse/revision/f1b94134a4b879bc55c3dacdb496690c8ebdc03f/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"Allocate the output vlc pictures with dimensions padded,.*',
+ 'as requested by the decoder \\\\(for alignments\\\\)."'
+ ]),
+ },
+ 'release end to end' => {
+ http_uri => '/browse/release/a9b7e3f1eada90250a6b2ab2ef3e0a846cb16831/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"Linux 4.9-rc8.*',
+ '/revision/3e5de27e940d00d8d504dfb96625fb654f641509/"'
+ ]),
+ },
+ 'snapshot end to end' => {
+ http_uri => '/browse/snapshot/baebc2109e4a2ec22a1129a3859647e191d04df4/branches/',
+ http_linespan => true,
+ http_expect_body_regex => join([
+ '-:"',
+ join([
+ 'buster/main/4.13.13-1',
+ 'buster/main/4.14.12-2',
+ 'buster/main/4.14.13-1',
+ 'buster/main/4.14.17-1',
+ 'buster/main/4.15.4-1',
+ 'buster/main/4.9.65-3',
+ 'experimental/main/4.10~rc6-1~exp2',
+ 'jessie-backports/main/3.16.39-1',
+ 'jessie-backports/main/4.7.8-1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.18-1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.65-3\\\\+deb9u1~bpo8\\\\+1',
+ 'jessie-backports/main/4.9.65-3\\\\+deb9u2~bpo8\\\\+1',
+ 'jessie-kfreebsd/main/3.16.7-ckt9-2',
+ 'jessie-proposed-updates/main/3.16.51-3',
+ 'jessie-proposed-updates/main/3.16.51-3\\\\+deb8u1',
+ 'jessie-updates/main/3.16.51-3',
+ 'jessie/main/3.16.43-1',
+ 'jessie/main/3.16.51-2',
+ 'jessie/main/3.16.7-ckt2-1',
+ 'jessie/main/3.16.7-ckt20-1\\\\+deb8u3',
+ ], '.*'),
+ '"',
+ ]),
+ }
+ }
+
+ each($checks) |$name, $args| {
+ @@::icinga2::object::service {"swh-webapp ${name} ${::fqdn}":
+ service_name => "swh webapp ${name}",
+ import => ['generic-service'],
+ host_name => $::fqdn,
+ check_command => 'http',
+ vars => {
+ http_address => $vhost_name,
+ http_vhost => $vhost_name,
+ http_port => $vhost_ssl_port,
+ http_ssl => true,
+ } + $args,
+ target => $icinga_checks_file,
+ tag => 'icinga2::exported',
+ }
+ }
+}
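Review bot: The class reads `$::profile::swh::deploy::webapp::vhost_name` and `$::profile::swh::deploy::webapp::vhost_ssl_port` from the parent class, but nothing records that it only works when declared from `profile::swh::deploy::webapp` after those variables are set; declared on its own they would presumably resolve to undef and the exported checks would carry an empty address, so a header comment such as `# Exported Icinga checks for the webapp; expects to be included from profile::swh::deploy::webapp, whose vhost_name and vhost_ssl_port it reads.` would help the next reader. `$icinga_checks_file` is assigned the same literal path that webapp.pp still defines in the first hunk, so the two copies can drift; reading `$::profile::swh::deploy::webapp::icinga_checks_file` like the other two variables would keep a single source. The shared `vars` block sets `http_ssl => true` but not `http_sni => true`, unlike the https checks left in webapp.pp; if the TLS frontend selects its certificate by SNI this is worth aligning by adding `http_sni => true,` after `http_ssl => true,`. The end-to-end entries pin specific object hashes and page text as expected output, so a one-line comment above `$checks` saying they are fixture values tied to the current archive content and browse page layout would make that intent explicit.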