Merge "nodepool-builder: Add webserver"

.zuul.yaml

@@ -841,6 +841,7 @@
           label: ubuntu-bionic
     vars:
       run_playbooks:
+        - playbooks/service-letsencrypt.yaml
         - playbooks/service-nodepool.yaml
         - playbooks/remote_puppet_else.yaml
     files:

inventory/groups.yaml

@@ -65,15 +65,16 @@ groups:
   kubernetes:
     - opendev-k8s*.opendev.org
   letsencrypt:
+    - files[0-9]*.open*.org
+    - gitea[0-9]*.opendev.org
     - graphite01.opendev.org
     - insecure-ci-registry[0-9]*.opendev.org
     - mirror[0-9]*.opendev.org
-    - files[0-9]*.open*.org
+    - nb[0-9]*.opendev.org
     - review-dev[0-9]*.open*.org
     - review[0-9]*.open*.org
     - static.openstack.org
     - static[0-9]*.opendev.org
-    - gitea[0-9]*.opendev.org
     - zuul[0-9]*.open*.org
   logstash:
     - logstash[0-9]*.open*.org

playbooks/roles/letsencrypt-create-certs/handlers/main.yaml

@@ -171,6 +171,9 @@
 - name: letsencrypt updated gitea99-main
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
 
+- name: letsencrypt updated nb01-test-main
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 # We split out handlers for each gitea host as handlers should be run in order
 # This allows us to do a rolling restart of the gitea backends.
 - name: letsencrypt updated gitea01-main

playbooks/roles/nodepool-builder/handlers/main.yaml

@@ -0,0 +1,4 @@
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted

playbooks/roles/nodepool-builder/tasks/main.yaml

@@ -10,6 +10,9 @@
     - '/opt/nodepool_dib'
     - '/var/log/nodepool/builds'
 
+- name: Setup webserver
+  include_tasks: webserver.yaml
+
 - name: Ensure /etc/nodepool-builder-compose directory
   file:
     state: directory

playbooks/roles/nodepool-builder/tasks/webserver.yaml

@@ -0,0 +1,33 @@
+- name: Install Apache
+  package:
+    name:
+      - apache2
+      - apache2-utils
+    state: present
+
+- name: Apache 2 ssl module
+  apache2_module:
+    state: present
+    name: ssl
+
+- name: Rewrite module
+  apache2_module:
+    state: present
+    name: rewrite
+
+- name: Create virtualhost
+  template:
+    src: vhost.conf.j2
+    dest: /etc/apache2/sites-available/001-nb.conf
+
+- name: Disable default site
+  command: a2dissite 000-default.conf
+  args:
+    removes: /etc/apache2/sites-enabled/000-default.conf
+
+- name: Enable mirror virtual host
+  command: a2ensite 001-nb
+  args:
+    creates: /etc/apache2/sites-enabled/001-nb.conf
+  notify:
+    - restart apache2

playbooks/roles/nodepool-builder/templates/vhost.conf.j2

@@ -0,0 +1,61 @@
+<VirtualHost *:80>
+  ServerName {{ inventory_hostname }}
+
+  ErrorLog /var/log/apache2/nodepool_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/nodepool_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ inventory_hostname }}/
+
+</VirtualHost>
+
+
+<VirtualHost *:443>
+  ServerName nb01.openstack.org
+
+  SSLEngine on
+
+  SSLCertificateFile      /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
+
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  DocumentRoot /var/log/nodepool/builds
+  <Directory /var/log/nodepool/builds>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  # Allow access to image files
+  Alias /images /opt/nodepool_dib
+  <Directory /opt/nodepool_dib>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+    # Only allow access to the qcow2 files as they are smallest
+    <FilesMatch ".+\.(vhd|raw)(\.(md5|sha256))?$">
+      Require all denied
+    </FilesMatch>
+  </Directory>
+  # Exclude the dib build dir as well.
+  <Directory /opt/nodepool_dib/*.d/>
+    Require all denied
+  </Directory>
+
+  AddType text/plain .log
+  <IfModule mod_deflate.c>
+      SetOutputFilter DEFLATE
+  </IfModule>
+
+  ErrorLog /var/log/apache2/nodepool_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/nodepool_access.log combined
+  ServerSignature Off
+
+</VirtualHost>

playbooks/zuul/templates/host_vars/nb01-test.opendev.org.yaml.j2

@@ -1 +1,5 @@
+letsencrypt_certs:
+  nb01-test-main:
+    - nb01-test.opendev.org
+
 nodepool_base_install_zookeeper: True

testinfra/test_nodepool.py

@@ -38,3 +38,15 @@ def test_builder_container_running(host):
 
     cmd = host.run("podman ps -a --format '{{ .Names }}'")
     assert 'nodepool-builder-compose_nodepool-builder_1' in cmd.stdout
+
+def test_builder_webserver_running(host):
+    if host.backend.get_hostname() != 'nb01-test.opendev.org':
+        pytest.skip()
+
+    apache = host.service('apache2')
+    assert apache.is_running
+
+    cmd = host.run('curl --insecure '
+                   '--resolve nb01-test.opendev.org:443:127.0.0.1 '
+                   'https://nb01-test.opendev.org/')
+    assert 'Index of /' in cmd.stdout