From 4f78e1f6fc72f302ef3dc77202de921f70b6c957 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Tue, 3 Jul 2018 15:40:38 -0500 Subject: [PATCH] Drive apache proxy configuration via values templates This proposes defining the apache proxy hosts entirely via values templates. While complicated on its face, this gives flexibility by allowing the desired authentication mechanism to be defined via values templates. These options can range from using http basic auth for development purposes to defining more complex ldap configurations without a need to modify the chart directly. Change-Id: Ief1b6890444ff90cc9c0ca872087af74836c0771 Signed-off-by: Pete Birley --- elasticsearch/templates/bin/_apache.sh.tpl | 4 +- elasticsearch/templates/configmap-etc.yaml | 6 +- .../templates/deployment-client.yaml | 20 -- .../etc/_elasticsearch-host.conf.tpl | 34 ---- elasticsearch/templates/etc/_httpd.conf.tpl | 189 ------------------ elasticsearch/values.yaml | 98 ++++++++- kibana/templates/bin/_apache.sh.tpl | 6 + kibana/templates/configmap-etc.yaml | 6 +- kibana/templates/deployment.yaml | 24 +-- kibana/templates/etc/_httpd.conf.tpl | 189 ------------------ kibana/templates/etc/_kibana-host.conf.tpl | 31 --- kibana/values.yaml | 98 ++++++++- nagios/templates/bin/_apache.sh.tpl | 4 +- nagios/templates/configmap-etc.yaml | 6 +- nagios/templates/deployment.yaml | 20 -- nagios/templates/etc/_httpd.conf.tpl | 189 ------------------ nagios/templates/etc/_nagios-host.conf.tpl | 29 --- nagios/values.yaml | 98 ++++++++- 18 files changed, 303 insertions(+), 748 deletions(-) delete mode 100644 elasticsearch/templates/etc/_elasticsearch-host.conf.tpl delete mode 100644 elasticsearch/templates/etc/_httpd.conf.tpl delete mode 100644 kibana/templates/etc/_httpd.conf.tpl delete mode 100644 kibana/templates/etc/_kibana-host.conf.tpl delete mode 100644 nagios/templates/etc/_httpd.conf.tpl delete mode 100644 nagios/templates/etc/_nagios-host.conf.tpl
diff --git a/elasticsearch/templates/bin/_apache.sh.tpl b/elasticsearch/templates/bin/_apache.sh.tpl
index cbba386da..6f8aaa8e2 100644
--- a/elasticsearch/templates/bin/_apache.sh.tpl
+++ b/elasticsearch/templates/bin/_apache.sh.tpl
@@ -30,9 +30,9 @@ function start () {
 rm -f /etc/httpd/logs/httpd.pid
 
 if [ -f /usr/local/apache2/conf/.htpasswd ]; then
- htpasswd -b /usr/local/apache2/conf/.htpasswd $ELASTICSEARCH_USERNAME $ELASTICSEARCH_PASSWORD
+ htpasswd -b /usr/local/apache2/conf/.htpasswd "$ELASTICSEARCH_USERNAME" "$ELASTICSEARCH_PASSWORD"
 else
- htpasswd -cb /usr/local/apache2/conf/.htpasswd $ELASTICSEARCH_USERNAME $ELASTICSEARCH_PASSWORD
+ htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ELASTICSEARCH_USERNAME" "$ELASTICSEARCH_PASSWORD"
 fi
 
 #Launch Apache on Foreground
diff --git a/elasticsearch/templates/configmap-etc.yaml b/elasticsearch/templates/configmap-etc.yaml
index cd1ea37d2..17e1065c5 100644
--- a/elasticsearch/templates/configmap-etc.yaml
+++ b/elasticsearch/templates/configmap-etc.yaml
@@ -27,10 +27,6 @@ kind: ConfigMap
 metadata:
 name: elasticsearch-etc
 data:
- httpd.conf: |
-{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- elasticsearch-host.conf: |
-{{- tuple .Values.conf.apache.host "etc/_elasticsearch-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 elasticsearch.yml: |
 {{ toYaml .Values.conf.elasticsearch.config | indent 4 }}
 log4j2.properties: |
@@ -39,4 +35,6 @@ data:
 {{ toYaml .Values.conf.curator.action_file | indent 4 }}
 config.yml: |
 {{ toYaml .Values.conf.curator.config | indent 4 }}
+#NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
 {{- end }}
diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index 51733ddaf..60088e7d1 100644
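Review bot: `htpasswd -b` still receives the password as a command-line argument, so `$ELASTICSEARCH_PASSWORD` is visible in the process listing (`/proc/<pid>/cmdline`) to anything sharing the container's PID namespace while the command runs; the quoting added on these two lines does not change that. httpd 2.4.4 and later accept `-i` to read the password from stdin, e.g. `printf '%s' "$ELASTICSEARCH_PASSWORD" | htpasswd -i /usr/local/apache2/conf/.htpasswd "$ELASTICSEARCH_USERNAME"` (and `-ci` on the create branch). The same applies to the kibana and nagios `_apache.sh.tpl` hunks. The `start` function continues outside the hunk.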
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
@@ -128,8 +128,6 @@ spec:
 initialDelaySeconds: 20
 periodSeconds: 10
 env:
- - name: ELASTICSEARCH_PORT
- value: {{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 - name: ELASTICSEARCH_USERNAME
 valueFrom:
 secretKeyRef:
@@ -140,18 +138,6 @@ spec:
 secretKeyRef:
 name: {{ $esUserSecret }}
 key: ELASTICSEARCH_PASSWORD
- - name: LDAP_URL
- value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
- - name: BIND_DN
- valueFrom:
- secretKeyRef:
- name: {{ $esUserSecret }}
- key: BIND_DN
- - name: BIND_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ $esUserSecret }}
- key: BIND_PASSWORD
 volumeMounts:
 - name: elasticsearch-bin
 mountPath: /tmp/apache.sh
@@ -161,12 +147,6 @@ spec:
 mountPath: /usr/local/apache2/conf/httpd.conf
 subPath: httpd.conf
 readOnly: true
- - name: pod-etc-apache
- mountPath: /usr/local/apache2/conf/sites-enabled
- - name: elasticsearch-etc
- mountPath: /usr/local/apache2/conf/sites-enabled/elasticsearch-host.conf
- subPath: elasticsearch-host.conf
- readOnly: true
 - name: elasticsearch-client
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.client | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
diff --git a/elasticsearch/templates/etc/_elasticsearch-host.conf.tpl b/elasticsearch/templates/etc/_elasticsearch-host.conf.tpl
deleted file mode 100644
index 0b5e0f092..000000000
--- a/elasticsearch/templates/etc/_elasticsearch-host.conf.tpl
+++ /dev/null
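Review bot: The `pod-etc-apache` and `elasticsearch-etc` `sites-enabled` mounts are removed from the container, but none of these hunks touch the pod's `volumes:` list, so the `pod-etc-apache` emptyDir is presumably still declared further down the file; confirm and drop it, otherwise it stays as a dangling volume. Likewise the `BIND_DN`/`BIND_PASSWORD` `secretKeyRef`s go away here while no Secret template is in the diffstat, so those keys are presumably still rendered into `$esUserSecret` with no consumer; either remove them from the Secret or note why they are kept. The same applies to the kibana and nagios `deployment.yaml` hunks. The container spec continues outside the hunk.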
@@ -1,34 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - - - ProxyRequests On - ProxyPreserveHost On - - ProxyPass http://localhost:${ELASTICSEARCH_PORT}/ - ProxyPassReverse http://localhost:${ELASTICSEARCH_PORT}/ - - - AuthName "Elasticsearch" - AuthType Basic - AuthBasicProvider file ldap - AuthUserFile /usr/local/apache2/conf/.htpasswd - AuthLDAPBindDN ${BIND_DN} - AuthLDAPBindPassword ${BIND_PASSWORD} - AuthLDAPURL ${LDAP_URL} - Require valid-user - - diff --git a/elasticsearch/templates/etc/_httpd.conf.tpl b/elasticsearch/templates/etc/_httpd.conf.tpl deleted file mode 100644 index 19af85523..000000000 --- a/elasticsearch/templates/etc/_httpd.conf.tpl +++ /dev/null 
@@ -1,189 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "logs/access_log" -# with ServerRoot set to "/usr/local/apache2" will be interpreted by the -# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" -# will be interpreted as '/logs/access_log'. - -ServerRoot "/usr/local/apache2" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. 
-# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -LoadModule mpm_event_module modules/mod_mpm_event.so -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authn_core_module modules/mod_authn_core.so -LoadModule authz_host_module modules/mod_authz_host.so -LoadModule authz_groupfile_module modules/mod_authz_groupfile.so -LoadModule authz_user_module modules/mod_authz_user.so -LoadModule authz_core_module modules/mod_authz_core.so -LoadModule access_compat_module modules/mod_access_compat.so -LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule ldap_module modules/mod_ldap.so -LoadModule authnz_ldap_module modules/mod_authnz_ldap.so -LoadModule reqtimeout_module modules/mod_reqtimeout.so -LoadModule filter_module modules/mod_filter.so -LoadModule proxy_html_module modules/mod_proxy_html.so -LoadModule log_config_module modules/mod_log_config.so -LoadModule env_module modules/mod_env.so -LoadModule headers_module modules/mod_headers.so -LoadModule setenvif_module modules/mod_setenvif.so -LoadModule version_module modules/mod_version.so -LoadModule proxy_module modules/mod_proxy.so -LoadModule proxy_connect_module modules/mod_proxy_connect.so -LoadModule proxy_http_module modules/mod_proxy_http.so -LoadModule proxy_balancer_module modules/mod_proxy_balancer.so -LoadModule slotmem_shm_module modules/mod_slotmem_shm.so -LoadModule slotmem_plain_module modules/mod_slotmem_plain.so -LoadModule unixd_module modules/mod_unixd.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so - - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. 
-# -User daemon -Group daemon - - - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog /dev/stderr - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. 
Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - CustomLog /dev/stdout common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog /dev/stdout combined - - -# -# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied - # backend servers which have lingering "httpoxy" defects. - # 'Proxy' request header is undefined by the IETF, not listed by IANA - # - RequestHeader unset Proxy early - - -# Virtual hosts -Include conf/sites-enabled/*.conf - -# Configure mod_proxy_html to understand HTML4/XHTML1 - -Include conf/extra/proxy-html.conf - diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index 94b63613f..ebd6adad8 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml 
@@ -176,9 +176,101 @@ secrets: user: elasticsearch-admin-creds conf: - apache: - httpd: null - elasticsearch_host: null + httpd: | + ServerRoot "/usr/local/apache2" + + Listen 80 + + LoadModule mpm_event_module modules/mod_mpm_event.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authn_core_module modules/mod_authn_core.so + LoadModule authz_host_module modules/mod_authz_host.so + LoadModule authz_groupfile_module modules/mod_authz_groupfile.so + LoadModule authz_user_module modules/mod_authz_user.so + LoadModule authz_core_module modules/mod_authz_core.so + LoadModule access_compat_module modules/mod_access_compat.so + LoadModule auth_basic_module modules/mod_auth_basic.so + LoadModule ldap_module modules/mod_ldap.so + LoadModule authnz_ldap_module modules/mod_authnz_ldap.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule proxy_html_module modules/mod_proxy_html.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_connect_module modules/mod_proxy_connect.so + LoadModule proxy_http_module modules/mod_proxy_http.so + LoadModule proxy_balancer_module modules/mod_proxy_balancer.so + LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + LoadModule slotmem_plain_module modules/mod_slotmem_plain.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + + + User daemon + Group daemon + + + + AllowOverride none + Require all denied + + + + Require all denied + + + ErrorLog /dev/stderr + + LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u 
%t \"%r\" %>s %b" common + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + CustomLog /dev/stdout common + + CustomLog /dev/stdout combined + + + + AllowOverride None + Options None + Require all granted + + + + RequestHeader unset Proxy early + + + + Include conf/extra/proxy-html.conf + + + + + ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + + + AuthName "Elasticsearch" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} + Require valid-user + + init: max_map_count: 262144 curator: diff --git a/kibana/templates/bin/_apache.sh.tpl b/kibana/templates/bin/_apache.sh.tpl index e80ead098..6f8aaa8e2 100644 --- a/kibana/templates/bin/_apache.sh.tpl +++ b/kibana/templates/bin/_apache.sh.tpl @@ -29,6 +29,12 @@ function start () { # Apache gets grumpy about PID files pre-existing rm -f /etc/httpd/logs/httpd.pid + if [ -f /usr/local/apache2/conf/.htpasswd ]; then + htpasswd -b /usr/local/apache2/conf/.htpasswd "$ELASTICSEARCH_USERNAME" "$ELASTICSEARCH_PASSWORD" + else + htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ELASTICSEARCH_USERNAME" "$ELASTICSEARCH_PASSWORD" + fi + #Launch Apache on Foreground exec httpd -DFOREGROUND } diff --git a/kibana/templates/configmap-etc.yaml b/kibana/templates/configmap-etc.yaml index 09cf679ce..93742d7c2 100644 --- a/kibana/templates/configmap-etc.yaml +++ b/kibana/templates/configmap-etc.yaml 
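Review bot: `AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}` renders the LDAP bind credential into `conf.httpd`, which `configmap-etc.yaml` now ships as a ConfigMap; before this change the same value reached Apache only via the `BIND_PASSWORD` `secretKeyRef` on the pod and `${BIND_PASSWORD}` in the host conf. A ConfigMap has no secret handling, so any principal with ConfigMap read in the namespace, and anything that dumps rendered manifests or `helm get values`, now sees the bind password in clear text — a downgrade in credential handling rather than a neutral refactor. If the values-template route is kept, emit the rendered `httpd.conf` from a Secret instead of the ConfigMap, or keep the directive reading a Secret-backed environment variable as the old `${BIND_PASSWORD}` did. Separately, `AuthLDAPBindDN` and `AuthLDAPBindPassword` are interpolated unquoted while `AuthLDAPURL` gets `| quote`; a DN or password containing whitespace or `#` breaks directive parsing, so use `AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind | quote }}` and `AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password | quote }}`. The same applies to the kibana and nagios `values.yaml` and `configmap-etc.yaml` hunks.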
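Review bot: These new `htpasswd` lines seed Kibana's `.htpasswd` with `$ELASTICSEARCH_USERNAME`/`$ELASTICSEARCH_PASSWORD`, and the kibana `values.yaml` hunk switches the vhost from `AuthBasicProvider ldap` (the deleted `_kibana-host.conf.tpl`) to `AuthBasicProvider file ldap`, so the Elasticsearch admin credential now also logs in to the Kibana UI, which previously accepted LDAP users only. That is an access widening the commit message does not mention; if it is intended, document it in kibana `values.yaml` next to `conf.httpd`, e.g. `# file provider: the elasticsearch admin credentials double as a local Kibana login`, otherwise drop `file` from the provider list and these lines. The `start` function continues outside the hunk.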
@@ -22,10 +22,8 @@ kind: ConfigMap
 metadata:
 name: kibana-etc
 data:
- httpd.conf: |
-{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- kibana-host.conf: |
-{{- tuple .Values.conf.apache.host "etc/_kibana-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 kibana.yml: |
 {{ toYaml .Values.conf.kibana | indent 4 }}
+#NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
 {{- end }}
diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml
index 903d7bd43..adb4521c5 100644
--- a/kibana/templates/deployment.yaml
+++ b/kibana/templates/deployment.yaml
@@ -65,30 +65,16 @@ spec:
 initialDelaySeconds: 20
 periodSeconds: 10
 env:
- - name: KIBANA_PORT
- value: {{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- - name: KIBANA_USERNAME
+ - name: ELASTICSEARCH_USERNAME
 valueFrom:
 secretKeyRef:
 name: {{ $esUserSecret }}
 key: ELASTICSEARCH_USERNAME
- - name: KIBANA_PASSWORD
+ - name: ELASTICSEARCH_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ $esUserSecret }}
 key: ELASTICSEARCH_PASSWORD
- - name: LDAP_URL
- value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
- - name: BIND_DN
- valueFrom:
- secretKeyRef:
- name: {{ $esUserSecret }}
- key: BIND_DN
- - name: BIND_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ $esUserSecret }}
- key: BIND_PASSWORD
 volumeMounts:
 - name: kibana-bin
 mountPath: /tmp/apache.sh
@@ -98,12 +84,6 @@ spec:
 mountPath: /usr/local/apache2/conf/httpd.conf
 subPath: httpd.conf
 readOnly: true
- - name: pod-etc-apache
- mountPath: /usr/local/apache2/conf/sites-enabled
- - name: kibana-etc
- mountPath: /usr/local/apache2/conf/sites-enabled/kibana-host.conf
- subPath: kibana-host.conf
- readOnly: true
 - name: kibana
 {{ tuple $envAll "kibana" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.kibana | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
diff --git a/kibana/templates/etc/_httpd.conf.tpl b/kibana/templates/etc/_httpd.conf.tpl
deleted file mode 100644
index 19af85523..000000000
--- a/kibana/templates/etc/_httpd.conf.tpl
+++ /dev/null
@@ -1,189 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "logs/access_log" -# with ServerRoot set to "/usr/local/apache2" will be interpreted by the -# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" -# will be interpreted as '/logs/access_log'. - -ServerRoot "/usr/local/apache2" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. 
-# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -LoadModule mpm_event_module modules/mod_mpm_event.so -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authn_core_module modules/mod_authn_core.so -LoadModule authz_host_module modules/mod_authz_host.so -LoadModule authz_groupfile_module modules/mod_authz_groupfile.so -LoadModule authz_user_module modules/mod_authz_user.so -LoadModule authz_core_module modules/mod_authz_core.so -LoadModule access_compat_module modules/mod_access_compat.so -LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule ldap_module modules/mod_ldap.so -LoadModule authnz_ldap_module modules/mod_authnz_ldap.so -LoadModule reqtimeout_module modules/mod_reqtimeout.so -LoadModule filter_module modules/mod_filter.so -LoadModule proxy_html_module modules/mod_proxy_html.so -LoadModule log_config_module modules/mod_log_config.so -LoadModule env_module modules/mod_env.so -LoadModule headers_module modules/mod_headers.so -LoadModule setenvif_module modules/mod_setenvif.so -LoadModule version_module modules/mod_version.so -LoadModule proxy_module modules/mod_proxy.so -LoadModule proxy_connect_module modules/mod_proxy_connect.so -LoadModule proxy_http_module modules/mod_proxy_http.so -LoadModule proxy_balancer_module modules/mod_proxy_balancer.so -LoadModule slotmem_shm_module modules/mod_slotmem_shm.so -LoadModule slotmem_plain_module modules/mod_slotmem_plain.so -LoadModule unixd_module modules/mod_unixd.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so - - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. 
-# -User daemon -Group daemon - - - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog /dev/stderr - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. 
Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - CustomLog /dev/stdout common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog /dev/stdout combined - - -# -# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied - # backend servers which have lingering "httpoxy" defects. - # 'Proxy' request header is undefined by the IETF, not listed by IANA - # - RequestHeader unset Proxy early - - -# Virtual hosts -Include conf/sites-enabled/*.conf - -# Configure mod_proxy_html to understand HTML4/XHTML1 - -Include conf/extra/proxy-html.conf - diff --git a/kibana/templates/etc/_kibana-host.conf.tpl b/kibana/templates/etc/_kibana-host.conf.tpl deleted file mode 100644 index a58e00bd7..000000000 --- a/kibana/templates/etc/_kibana-host.conf.tpl +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - - - - ProxyPass http://localhost:${KIBANA_PORT}/ - ProxyPassReverse http://localhost:${KIBANA_PORT}/ - - - AuthName "Kibana" - AuthType Basic - AuthBasicProvider ldap - AuthLDAPBindDN ${BIND_DN} - AuthLDAPBindPassword ${BIND_PASSWORD} - AuthLDAPURL ${LDAP_URL} - Require valid-user - - diff --git a/kibana/values.yaml b/kibana/values.yaml index 6feb36067..761ee2243 100644 --- a/kibana/values.yaml +++ b/kibana/values.yaml 
@@ -103,9 +103,101 @@ dependencies: service: elasticsearch conf: - apache: - httpd: null - kibana_host: null + httpd: | + ServerRoot "/usr/local/apache2" + + Listen 80 + + LoadModule mpm_event_module modules/mod_mpm_event.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authn_core_module modules/mod_authn_core.so + LoadModule authz_host_module modules/mod_authz_host.so + LoadModule authz_groupfile_module modules/mod_authz_groupfile.so + LoadModule authz_user_module modules/mod_authz_user.so + LoadModule authz_core_module modules/mod_authz_core.so + LoadModule access_compat_module modules/mod_access_compat.so + LoadModule auth_basic_module modules/mod_auth_basic.so + LoadModule ldap_module modules/mod_ldap.so + LoadModule authnz_ldap_module modules/mod_authnz_ldap.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule proxy_html_module modules/mod_proxy_html.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_connect_module modules/mod_proxy_connect.so + LoadModule proxy_http_module modules/mod_proxy_http.so + LoadModule proxy_balancer_module modules/mod_proxy_balancer.so + LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + LoadModule slotmem_plain_module modules/mod_slotmem_plain.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + + + User daemon + Group daemon + + + + AllowOverride none + Require all denied + + + + Require all denied + + + ErrorLog /dev/stderr + + LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" 
%>s %b" common + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + CustomLog /dev/stdout common + + CustomLog /dev/stdout combined + + + + AllowOverride None + Options None + Require all granted + + + + RequestHeader unset Proxy early + + + + Include conf/extra/proxy-html.conf + + + + + ProxyPass http://localhost:{{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "kibana" "internal" "kibana" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + + + AuthName "Kibana" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} + Require valid-user + + kibana: elasticsearch: pingTimeout: 1500 diff --git a/nagios/templates/bin/_apache.sh.tpl b/nagios/templates/bin/_apache.sh.tpl index b55925f5d..bcb0344fd 100644 --- a/nagios/templates/bin/_apache.sh.tpl +++ b/nagios/templates/bin/_apache.sh.tpl @@ -30,9 +30,9 @@ function start () { rm -f /etc/httpd/logs/httpd.pid if [ -f /usr/local/apache2/conf/.htpasswd ]; then - htpasswd -b /usr/local/apache2/conf/.htpasswd $NAGIOSADMIN_USER $NAGIOSADMIN_PASS + htpasswd -b /usr/local/apache2/conf/.htpasswd "$NAGIOSADMIN_USER" "$NAGIOSADMIN_PASS" else - htpasswd -cb /usr/local/apache2/conf/.htpasswd $NAGIOSADMIN_USER $NAGIOSADMIN_PASS + htpasswd -cb /usr/local/apache2/conf/.htpasswd "$NAGIOSADMIN_USER" "$NAGIOSADMIN_PASS" fi #Launch Apache on Foreground diff --git a/nagios/templates/configmap-etc.yaml b/nagios/templates/configmap-etc.yaml index 1864ad01c..6503b84a3 100644 --- a/nagios/templates/configmap-etc.yaml +++ b/nagios/templates/configmap-etc.yaml 
@@ -22,10 +22,6 @@ kind: ConfigMap
 metadata:
 name: nagios-etc
 data:
- httpd.conf: |
-{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- nagios-host.conf: |
-{{- tuple .Values.conf.apache.host "etc/_nagios-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 cgi.cfg: |+
 {{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.cgi | indent 4 }}
 nagios.cfg: |+
@@ -37,4 +33,6 @@ data:
 {{- tuple "hostgroup" .Values.conf.nagios.host_groups | include "nagios.utils.object_definition" | indent 4 }}
 {{- tuple "command" .Values.conf.nagios.commands | include "nagios.utils.object_definition" | indent 4 }}
 {{- tuple "service" .Values.conf.nagios.services | include "nagios.utils.object_definition" | indent 4 }}
+#NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
 {{- end }}
diff --git a/nagios/templates/deployment.yaml b/nagios/templates/deployment.yaml
index 0e057b507..9abda5160 100644
--- a/nagios/templates/deployment.yaml
+++ b/nagios/templates/deployment.yaml
@@ -98,10 +98,6 @@ spec:
 initialDelaySeconds: 20
 periodSeconds: 10
 env:
- - name: NAGIOS_PORT
- value: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- - name: LDAP_URL
- value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
 - name: NAGIOSADMIN_USER
 valueFrom:
 secretKeyRef:
@@ -112,16 +108,6 @@ spec:
 secretKeyRef:
 name: {{ $nagiosUserSecret }}
 key: NAGIOSADMIN_PASS
- - name: BIND_DN
- valueFrom:
- secretKeyRef:
- name: {{ $nagiosUserSecret }}
- key: BIND_DN
- - name: BIND_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ $nagiosUserSecret }}
- key: BIND_PASSWORD
 volumeMounts:
 - name: nagios-bin
 mountPath: /tmp/apache.sh
@@ -131,12 +117,6 @@ spec: mountPath: /usr/local/apache2/conf/httpd.conf subPath: httpd.conf readOnly: true - - name: pod-etc-apache - mountPath: /usr/local/apache2/conf/sites-enabled - - name: nagios-etc - mountPath: /usr/local/apache2/conf/sites-enabled/nagios-host.conf - subPath: nagios-host.conf - readOnly: true - name: nagios {{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} diff --git a/nagios/templates/etc/_httpd.conf.tpl b/nagios/templates/etc/_httpd.conf.tpl deleted file mode 100644 index 19af85523..000000000 --- a/nagios/templates/etc/_httpd.conf.tpl +++ /dev/null 
@@ -1,189 +0,0 @@ -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "logs/access_log" -# with ServerRoot set to "/usr/local/apache2" will be interpreted by the -# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" -# will be interpreted as '/logs/access_log'. - -ServerRoot "/usr/local/apache2" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. 
-# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -LoadModule mpm_event_module modules/mod_mpm_event.so -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authn_core_module modules/mod_authn_core.so -LoadModule authz_host_module modules/mod_authz_host.so -LoadModule authz_groupfile_module modules/mod_authz_groupfile.so -LoadModule authz_user_module modules/mod_authz_user.so -LoadModule authz_core_module modules/mod_authz_core.so -LoadModule access_compat_module modules/mod_access_compat.so -LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule ldap_module modules/mod_ldap.so -LoadModule authnz_ldap_module modules/mod_authnz_ldap.so -LoadModule reqtimeout_module modules/mod_reqtimeout.so -LoadModule filter_module modules/mod_filter.so -LoadModule proxy_html_module modules/mod_proxy_html.so -LoadModule log_config_module modules/mod_log_config.so -LoadModule env_module modules/mod_env.so -LoadModule headers_module modules/mod_headers.so -LoadModule setenvif_module modules/mod_setenvif.so -LoadModule version_module modules/mod_version.so -LoadModule proxy_module modules/mod_proxy.so -LoadModule proxy_connect_module modules/mod_proxy_connect.so -LoadModule proxy_http_module modules/mod_proxy_http.so -LoadModule proxy_balancer_module modules/mod_proxy_balancer.so -LoadModule slotmem_shm_module modules/mod_slotmem_shm.so -LoadModule slotmem_plain_module modules/mod_slotmem_plain.so -LoadModule unixd_module modules/mod_unixd.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so - - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. 
-# -User daemon -Group daemon - - - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog /dev/stderr - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. 
Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - CustomLog /dev/stdout common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog /dev/stdout combined - - -# -# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied - # backend servers which have lingering "httpoxy" defects. - # 'Proxy' request header is undefined by the IETF, not listed by IANA - # - RequestHeader unset Proxy early - - -# Virtual hosts -Include conf/sites-enabled/*.conf - -# Configure mod_proxy_html to understand HTML4/XHTML1 - -Include conf/extra/proxy-html.conf - diff --git a/nagios/templates/etc/_nagios-host.conf.tpl b/nagios/templates/etc/_nagios-host.conf.tpl deleted file mode 100644 index 4e51aff17..000000000 --- a/nagios/templates/etc/_nagios-host.conf.tpl +++ /dev/null 
@@ -1,29 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - - - - ProxyPass http://localhost:${NAGIOS_PORT}/ - ProxyPassReverse http://localhost:${NAGIOS_PORT}/ - - - AuthName "Nagios" - AuthType Basic - AuthBasicProvider file ldap - AuthUserFile /usr/local/apache2/conf/.htpasswd - AuthLDAPBindDN ${BIND_DN} - AuthLDAPBindPassword ${BIND_PASSWORD} - AuthLDAPURL ${LDAP_URL} - Require valid-user - - diff --git a/nagios/values.yaml b/nagios/values.yaml index 05e463007..870b07ada 100644 --- a/nagios/values.yaml +++ b/nagios/values.yaml 
@@ -198,9 +198,101 @@ manifests: service_ingress: true conf: - apache: - httpd: null - elasticsearch_host: null + httpd: | + ServerRoot "/usr/local/apache2" + + Listen 80 + + LoadModule mpm_event_module modules/mod_mpm_event.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authn_core_module modules/mod_authn_core.so + LoadModule authz_host_module modules/mod_authz_host.so + LoadModule authz_groupfile_module modules/mod_authz_groupfile.so + LoadModule authz_user_module modules/mod_authz_user.so + LoadModule authz_core_module modules/mod_authz_core.so + LoadModule access_compat_module modules/mod_access_compat.so + LoadModule auth_basic_module modules/mod_auth_basic.so + LoadModule ldap_module modules/mod_ldap.so + LoadModule authnz_ldap_module modules/mod_authnz_ldap.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule proxy_html_module modules/mod_proxy_html.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_connect_module modules/mod_proxy_connect.so + LoadModule proxy_http_module modules/mod_proxy_http.so + LoadModule proxy_balancer_module modules/mod_proxy_balancer.so + LoadModule slotmem_shm_module modules/mod_slotmem_shm.so + LoadModule slotmem_plain_module modules/mod_slotmem_plain.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + + + User daemon + Group daemon + + + + AllowOverride none + Require all denied + + + + Require all denied + + + ErrorLog /dev/stderr + + LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" 
%>s %b" common + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + CustomLog /dev/stdout common + + CustomLog /dev/stdout combined + + + + AllowOverride None + Options None + Require all granted + + + + RequestHeader unset Proxy early + + + + Include conf/extra/proxy-html.conf + + + + + ProxyPass http://localhost:{{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + ProxyPassReverse http://localhost:{{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/ + + + AuthName "Nagios" + AuthType Basic + AuthBasicProvider file ldap + AuthUserFile /usr/local/apache2/conf/.htpasswd + AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }} + AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }} + AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} + Require valid-user + + nagios: contacts: - notifying_contact:
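Review bot: `AuthLDAPBindDN` and `AuthLDAPBindPassword` are emitted unquoted while `AuthLDAPURL` gets `| quote`; a DN containing a space (for example `ou=Some Unit`) or a password containing whitespace or `#` is split or truncated by httpd's config parser, so the bind silently uses a different value than the one configured. Apply the same treatment to both: `AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind | quote }}` and `AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password | quote }}`. Independently of quoting, this default bakes the bind password into the rendered `httpd.conf` ConfigMap; referencing an env var populated from the existing secret (`AuthLDAPBindPassword "${BIND_PASSWORD}"`), as the removed `_nagios-host.conf.tpl` did, keeps it out of the ConfigMap. The module list also loads `proxy_connect_module`, `status_module` and `autoindex_module`, none of which a reverse proxy for Nagios needs; trimming them reduces exposed surface, though confirm nothing in the image's `conf/extra` relies on them.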