From 31774cf7488679215b57b081637fd33d4ea455a8 Mon Sep 17 00:00:00 2001
From: Jacob Coffee
Date: Thu, 25 Jul 2024 13:40:40 -0500
Subject: [PATCH] feat(bugs): move service behind load balancers (#393)

* feat(bugs): move service behind load balancers
* Update pillar/base/firewall/bugs.sls
* fix(bugs): update misplaced role
* fix(bugs): add missing settings
* fix(bugs): split services into their own sections
* chore(bugs): template out the trackers instead
* feat(bugs): add template for smtp
* chore(bugs): remove dupes and move consul configs
* feat(bugs): add listens for smtp
* fix: make unique the certs
* feat: add unique ports per service for consul
* feat: add unique ports per service for consul
* fix: update variable
* fix: all services use bugs cert
* feat: utilize tls in bind
* fix: import missing pillar data
* fix: remove resurrected code after rebase
* feat: add unique consul service configs
* feat: open up ports for each service
* fix: do not loop
* chore: saltify method of getting bugs pillar data
* fix: use proper iptables syntax
* chore: rename service, move into existing loop, remove smtps
* chore: move into correct area
* fix: remove missed port definitions
---
 pillar/base/bugs.sls | 3 ++
 pillar/base/firewall/bugs.sls | 9 ++--
 pillar/base/haproxy.sls | 18 +++++++
 pillar/base/tls.sls | 4 ++
 pillar/dev/secrets/tls/certs/loadbalancer.sls | 52 +++++++++++++++++++
 pillar/dev/top.sls | 2 +
 pillar/prod/top.sls | 1 +
 salt/bugs/config/nginx.conf.jinja | 46 ++++++++++++++++
 salt/bugs/init.sls | 30 +++++++++++
 salt/haproxy/config/haproxy.cfg.jinja | 6 +--
 10 files changed, 164 insertions(+), 7 deletions(-)

diff --git a/pillar/base/bugs.sls b/pillar/base/bugs.sls
index 30fe8a52..75b6635e 100644
--- a/pillar/base/bugs.sls
+++ b/pillar/base/bugs.sls
@@ -8,6 +8,7 @@ bugs:
 cpython:
 source: https://github.com/psf/bpo-tracker-cpython.git
 server_name: bugs.python.org
+ port: 9000
 workers: 16
 config:
 tracker: cpython
@@ -37,6 +38,7 @@ bugs:
 jython:
 source: https://github.com/psf/bpo-tracker-jython.git
 server_name: bugs.jython.org
+ port: 9001
 config:
 tracker: jython
 main__database: /srv/roundup/data/jython
@@ -61,6 +63,7 @@ bugs:
 roundup:
 source: https://github.com/psf/bpo-tracker-roundup.git
 server_name: issues.roundup-tracker.org
+ port: 9002
 config:
 tracker: roundup
 main__database: /srv/roundup/data/roundup
diff --git a/pillar/base/firewall/bugs.sls b/pillar/base/firewall/bugs.sls
index 60ef1f41..8336746e 100644
--- a/pillar/base/firewall/bugs.sls
+++ b/pillar/base/firewall/bugs.sls
@@ -1,3 +1,5 @@
+{% include "networking.sls" %}
+
 firewall:
 http:
 port: 80
@@ -5,7 +7,6 @@ firewall:
 port: 443
 smtp:
 port: 25
- smtps:
- port: 587
- submission:
- port: 465
+ frontend-bugs:
+ port: 9000:9002
+ source: *psf_internal_network
\ No newline at end of file
diff --git a/pillar/base/haproxy.sls b/pillar/base/haproxy.sls
index 889a075d..de6a7f55 100644
--- a/pillar/base/haproxy.sls
+++ b/pillar/base/haproxy.sls
@@ -67,6 +67,14 @@ haproxy:
 verify_host: planet.psf.io
 check: "HEAD / HTTP/1.1\\r\\nHost:\\ planet.psf.io"
 
+ {% for tracker, config in salt["pillar.get"]("bugs:trackers", {}).items() %}
+ roundup-{{ tracker }}:
+ domains:
+ - {{ config['server_name'] }}
+ verify_host: bugs.psf.io
+ check: "HEAD / HTTP/1.1\\r\\nHost:\\ {{ config['server_name'] }}"
+ {% endfor %}
+
 moin:
 domains:
 - wiki.python.org
@@ -155,3 +163,13 @@ haproxy:
 extra:
 - timeout client 86400
 - timeout server 86400
+
+ {# We can extend this for smtps/submission later #}
+ {% for (port, service, ssl) in [(25, "smtp", False)] %}
+ roundup-{{ service }}:
+ bind: :{{ port }} {% if ssl %} ssl crt /etc/ssl/private/bugs.python.org.pem {% endif %}
+ service: roundup-{{ service }}
+ extra:
+ - timeout client 30m
+ - timeout server 30m
+ {% endfor %}
diff --git a/pillar/base/tls.sls b/pillar/base/tls.sls
index 7de3c122..bc6b5aee 100644
--- a/pillar/base/tls.sls
+++ b/pillar/base/tls.sls
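Review bot: `port: 9000:9002` in the new frontend-bugs rule is a plain scalar of the digits-and-colon shape that YAML 1.1 loaders (Salt's renderer included) may read as a sexagesimal integer; it survives as a string here only because the second segment has four digits, so quote it, `port: "9000:9002"`, to keep the type stable before it reaches iptables. The range also has to agree with the per-tracker `port` values this commit adds in pillar/base/bugs.sls (9000, 9001, 9002) with nothing tying the two together; a comment such as `# must cover every trackers.*.port in pillar/base/bugs.sls` would make that coupling visible when a fourth tracker is added. Restricting `source` to `*psf_internal_network` is the right scope for backend listeners; it relies on the anchor being defined in the networking.sls that the new include at the top of the file pulls in before YAML parsing, which is worth confirming.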
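Review bot: The new `roundup-smtp` listen binds `:25`, but nothing in this hunk selects a TCP mode for it, and the only rendered listen visible in this commit (`listen tls:` in haproxy.cfg.jinja) runs `mode http`; if the template's listen stanza defaults to HTTP, port 25 traffic would be parsed as HTTP and dropped. If the template accepts a mode key, add `mode: tcp` to this entry, otherwise confirm the rendered config for this service. The `{% if ssl %}` branch is dead for the single `(25, "smtp", False)` tuple, so the `{# We can extend this for smtps/submission later #}` comment is doing the work of explaining it; that is fine, but the rendered `bind: :25` line will carry trailing spaces from the empty branch, which `{%- if ssl %}`/`{%- endif %}` would trim.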
@@ -42,6 +42,10 @@ tls:
 roles:
 - planet
 
+ bugs.psf.io:
+ roles:
+ - bugs
+
 postgresql.psf.io:
 roles:
 - postgresql
diff --git a/pillar/dev/secrets/tls/certs/loadbalancer.sls b/pillar/dev/secrets/tls/certs/loadbalancer.sls
index c8f5fea5..3ea4aa2c 100644
--- a/pillar/dev/secrets/tls/certs/loadbalancer.sls
+++ b/pillar/dev/secrets/tls/certs/loadbalancer.sls
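Review bot: The certificate declared here for role `bugs` is `bugs.psf.io`, and the nginx template in this commit loads `/etc/ssl/private/bugs.psf.io.pem`, whereas the load-balancer side (the haproxy.cfg.jinja bind lines and the `ssl crt` branch in pillar/base/haproxy.sls) names `bugs.python.org.pem`, which in this commit is only provided by the dev loadbalancer secrets file. That split is consistent if `bugs.psf.io` is the backend certificate haproxy checks through `verify_host: bugs.psf.io` and `bugs.python.org` is the public-facing one, but nothing on the page says so. A comment on this entry, `# backend cert presented by the tracker hosts to haproxy (verify_host); public cert is bugs.python.org on the load balancers`, would stop someone from "fixing" one name to match the other.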
@@ -417,3 +417,55 @@ tls: Pe93No9Ze0Jou4GsXmP2E1YY0i3jkCigmuVTQSrl85uxxHfHWNgr9OwN8ASoF9dp ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E= -----END CERTIFICATE----- + + bugs.python.org: | + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCSNloTX8Ut5t4v + M8MDD0gzrRWKFwcqDbvMa/JkK89hfoSfAnZwIHtZl+PTHCOXqU4WEMvYwSIcqVlD + bOfTDLklwFvMxwzj4/TJbXrHtPf6wFRQa2KUrewy+KcpZBERJcEhJ1PwRHe4bY+n + t4L+gDcRVoLmZXUpxasMeBHXD8ZqY9v7BXS2Z4qNnKu7/nABK7yR0DF/epYXxNPf + aGL8qEfXsWhc3278MCsipokYFOOVhVxPyJ0xny065L1lX51GChr6kSMNAdV6/Zju + vDMmFJp4AbZQ8ta/QdppGEe/cFDGg4VNpinlZ8vQJ01hTON9TxlJqG0oFDmplGCU + a+SFiLQLAgMBAAECggEANYChDnTdlPHlvNUOl7iIXayI9Lp/eyKCZYfcr04euVjQ + E9WVXGtuZ7b+fZpO5ejks4ta5Iqrvlwz10nrPN3rhEZy8SinbV7VjL28j4aHtaCa + WcEp1ikchPxbQvikjCdKGCUpgIK1Ym3pAuDSlOl6/SOwi7l1mZ8E+++V66IQo44w + cP+64sm4VIS3kVNhNxB619gXcmldo7N5fC7eF8K8wNnCXSlJA8BqrW/OAAUSl4Lp + rn7BkxSdcISejA/n9QoGkKOd6XZ7vzMV4hseFzisn9xGkRWx6zdZsfcuzeZ10p7E + pxNCA1g7l1xxYTUIDNBmMImtUsbIH0INXiu2MCXJbQKBgQDC9fb0ZJCJN8hpqb3+ + Zw1FxjNAs8eqTwaohc7H3n+DSeBLZi63wKe8gO1sPcvwFx2/8U6oQS9lo2xOaDuu + Fv4S57jIOoTIxt2Ax/eVTlGh/3EHXqACUQn/qXCdHLtO0sTnnr3WpA15Q8JrjTHU + RePRI2xqCTkC4e4GWBKN6fTwtwKBgQC//TbPlf949KI6scnh8foFXEepPelfhUl2 + zGj78stXSOkHJ9oYWNYVBH4lL7GrsYryr+6Ndr8Di7o45FD/iHBSMWfJluRDUH42 + yU3Ro54ECBBChI+9n+QUL9gUZBBfJgBDfiKHdbMrmD+IkD8QKFNHf7UdcgB/RG/+ + nFjzP08bTQKBgAVPX7eOWaVzIIFIP0WDlwf0ewbjHqgT2PGUG2q0M7LmuzYyhUk5 + 9RecR1swX7KdXpEQyHyqsdjJ17RXAHEgbTEkoJLLjTxOtk/AooytgmmwJGr399G4 + VVZiTg/pbWybLwPD/hWviDJqVwxI3zeR47+ZgGVu9N+QOcRwd6jn22UHAoGAdSTX + sMnhW7hI1G9us0KmP2cTAp0YLIRzUt1eoXx/vf5q0UbruDdcSO642Y/EZPKryXC3 + qfFuk4dKVTRah9CEWGJ05XgAR2Jx4JPru6KN4//Xi/6+hgFtdTPMMITtyGCzgHsS + Ln0OmecHvRfmosE4L0QpCpJo4z6q5zwWujVC23ECgYAi1r+27xBjVtSvsd7xkBfY + R2HpqcSHaMedQZ2DY/LU6OH5O1RxQsgeSYyiiHMjN9ij3IUv+JHcxaotcSUQIWEa + YJmAMhl5ZEfYzpMJ9PUQymN59AAGuTr2PYjc9fhZm5/EgpxC2cl/AR2nS3U19dwf + N5zICLLKa7f4hPvAFf33Lg== + -----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- + 
MIIDtTCCAp2gAwIBAgIUHTES3WH58IHxo9rMUzj/DeytPc8wDQYJKoZIhvcNAQEL + BQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMRIwEAYDVQQHDAlCZWF2ZXJ0 + b24xIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRUwEwYDVQQD + DAwqLnB5dGhvbi5vcmcwHhcNMjQwNzE3MTgyNTAxWhcNMzQwNzE1MTgyNTAxWjBq + MQswCQYDVQQGEwJVUzELMAkGA1UECAwCT1IxEjAQBgNVBAcMCUJlYXZlcnRvbjEj + MCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xFTATBgNVBAMMDCou + cHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJI2WhNf + xS3m3i8zwwMPSDOtFYoXByoNu8xr8mQrz2F+hJ8CdnAge1mX49McI5epThYQy9jB + IhypWUNs59MMuSXAW8zHDOPj9Mltese09/rAVFBrYpSt7DL4pylkERElwSEnU/BE + d7htj6e3gv6ANxFWguZldSnFqwx4EdcPxmpj2/sFdLZnio2cq7v+cAErvJHQMX96 + lhfE099oYvyoR9exaFzfbvwwKyKmiRgU45WFXE/InTGfLTrkvWVfnUYKGvqRIw0B + 1Xr9mO68MyYUmngBtlDy1r9B2mkYR79wUMaDhU2mKeVny9AnTWFM431PGUmobSgU + OamUYJRr5IWItAsCAwEAAaNTMFEwHQYDVR0OBBYEFPJrXEC964Djv1KtiYGjRFpD + s8RvMB8GA1UdIwQYMBaAFPJrXEC964Djv1KtiYGjRFpDs8RvMA8GA1UdEwEB/wQF + MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGlJ+N5txBsBekRMkl2pGxUecihJWLXM + pwnXuhKswrsCpLiJlWijTWVBULfVn71rEfnMFNgdVn4i1TddgyK4cViHWZPBYcGd + SYbQK40xmLuIAJKM8uARdm99AmavKCH+ha6jFY8fZoU0+m51hOztXfGTIkLpLr2r + +0ydepkbAWqNH6NYNpUQKFxSlyTYvwaHUh0YzXMxgOj+foJCygyVnB/E7Fja92Ho + Pe93No9Ze0Jou4GsXmP2E1YY0i3jkCigmuVTQSrl85uxxHfHWNgr9OwN8ASoF9dp + ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E= + -----END CERTIFICATE----- \ No newline at end of file diff --git a/pillar/dev/top.sls b/pillar/dev/top.sls index 6f9bc192..9416f8e2 100644 --- a/pillar/dev/top.sls +++ b/pillar/dev/top.sls @@ -16,6 +16,7 @@ base: 'bugs': - match: nodegroup - bugs + - firewall.bugs 'cdn-logs': - match: nodegroup @@ -55,6 +56,7 @@ base: - firewall.loadbalancer - secrets.fastly - secrets.tls.certs.loadbalancer + - bugs 'mail': - match: nodegroup diff --git a/pillar/prod/top.sls b/pillar/prod/top.sls index 0a224e52..48835d3f 100644 --- a/pillar/prod/top.sls +++ b/pillar/prod/top.sls 
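Review bot: Adding `- bugs` to the loadbalancer nodegroup (here and, in the prod/top.sls hunk, the same line) delivers the entire `bugs` pillar to load-balancer minions, while pillar/base/haproxy.sls only consumes `bugs:trackers.*.server_name` and `port`; if that pillar ever carries more than tracker names, ports and source URLs, it becomes readable on every load balancer, so either keep it free of anything sensitive or split the haproxy-facing subset into its own pillar file. The `- firewall.bugs` line is added only to the dev bugs group in this commit; the prod hunk touches only the loadbalancer group, so if prod's bugs group does not already list firewall.bugs, the new frontend-bugs rule and the removal of 587/465 will not reach prod hosts, which is worth confirming before merge.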
@@ -80,6 +80,7 @@ base:
 - ocsp
 - secrets.fastly
 - secrets.tls.certs.loadbalancer
+ - bugs
 
 'mail':
 - match: nodegroup
diff --git a/salt/bugs/config/nginx.conf.jinja b/salt/bugs/config/nginx.conf.jinja
index 1c9fe206..d2122326 100644
--- a/salt/bugs/config/nginx.conf.jinja
+++ b/salt/bugs/config/nginx.conf.jinja
@@ -77,3 +77,49 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 }
+
+server {
+ listen {{ port }} ssl;
+ server_name {{ server_name }};
+ include mime.types;
+
+ ssl_certificate /etc/ssl/private/bugs.psf.io.pem;
+ ssl_certificate_key /etc/ssl/private/bugs.psf.io.pem;
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header X-Frame-Options "sameorigin";
+ add_header X-Xss-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-Permitted-Cross-Domain-Policies "none";
+
+ error_log /var/log/nginx/roundup-{{ tracker }}.error.log;
+ access_log /var/log/nginx/roundup-{{ tracker }}.access.log timed_combined_{{ tracker }};
+
+ root /srv/roundup/trackers/{{ tracker }}/;
+
+ include conf.d/tracker-extras/{{ tracker }}*.conf;
+
+ gzip on;
+ gzip_http_version 1.1;
+ gzip_proxied any;
+ gzip_min_length 500;
+ gzip_comp_level 6; # default comp_level is 1
+ gzip_disable msie6;
+ gzip_types text/plain text/css
+ text/xml application/xml
+ text/javascript application/javascript
+ text/json application/json;
+
+ location /@@file/ {
+ rewrite ^/@@file/(.*) /html/$1 break;
+ expires 1h;
+ }
+
+ location / {
+ limit_req zone=limit-{{ tracker }} burst=5 nodelay;
+ proxy_pass http://tracker-{{ tracker }}/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
diff --git a/salt/bugs/init.sls b/salt/bugs/init.sls
index 0b0ebfb3..3e3bde60 100644
--- a/salt/bugs/init.sls
+++ b/salt/bugs/init.sls
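Review bot: `limit_req zone=limit-{{ tracker }} burst=5 nodelay;` in the new `{{ port }}` server block will see every request arriving from the load balancer's address once the trackers sit behind haproxy; if the zone (defined outside this hunk) is keyed on `$binary_remote_addr`, all clients share one bucket and the 5-request burst throttles the whole tracker. Either key the zone on the forwarded client address — `set_real_ip_from` for the haproxy addresses plus `real_ip_header X-Forwarded-For`, so that `$remote_addr`/`$binary_remote_addr` become the real client (which also fixes the `X-Real-IP $remote_addr` header this block forwards) — or move the per-client limit to haproxy. Separately, the block repeats the header, log, gzip and location directives of the existing `server` block above it; a Jinja macro or a shared `include` for the common body would keep the two listeners from drifting apart.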
@@ -210,6 +210,22 @@ postfix:
 - file: /etc/postfix/virtual
 - file: /etc/postfix/reject_recipients
 
+{# We can extend this for smtps/submission later #}
+{% for (port, service) in [(25, "smtp")] %}
+/etc/consul.d/roundup-{{ service }}.json:
+ file.managed:
+ - source: salt://consul/etc/service.jinja
+ - template: jinja
+ - context:
+ name: roundup-{{ service }}
+ port: {{ port }}
+ - user: root
+ - group: root
+ - mode: "0644"
+ - require:
+ - pkg: consul-pkgs
+{% endfor %}
+
 {% for tracker, config in pillar["bugs"]["trackers"].items() %}
 tracker-{{ tracker }}-database:
 postgres_database.present:
@@ -312,9 +328,23 @@ tracker-{{ tracker }}-nginx-config:
 - context:
 tracker: {{ tracker }}
 server_name: {{ config.get('server_name') }}
+ port: {{ config.get('port') }}
 - require:
 - file: /etc/nginx/sites.d/
 
+/etc/consul.d/roundup-{{ tracker }}.json:
+ file.managed:
+ - source: salt://consul/etc/service.jinja
+ - template: jinja
+ - context:
+ name: roundup-{{ tracker }}
+ port: {{ config.get('port') }}
+ - user: root
+ - group: root
+ - mode: "0644"
+ - require:
+ - pkg: consul-pkgs
+
 roundup-{{ tracker }}-backup:
 file.directory:
 - name: /backup/roundup/{{ tracker }}
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
index ea0ee706..19be725c 100644
--- a/salt/haproxy/config/haproxy.cfg.jinja
+++ b/salt/haproxy/config/haproxy.cfg.jinja
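Review bot: `port: {{ config.get('port') }}` in the second hunk, used both for the nginx-config context and for the new per-tracker consul file, renders the literal `None` when a tracker entry has no `port`; that surfaces later as `listen None ssl;` failing nginx's config test and as an invalid consul service definition, not as a render error naming the tracker. Since a port is now required for a tracker to be reachable at all, use `config['port']` so the state render fails loudly, or give it an explicit default. The enclosing `{% for tracker, config ... %}` loop of the second hunk starts outside it. The single-iteration `{% for (port, service) in [(25, "smtp")] %}` loop in the first hunk is explained by the comment above it and is fine as a placeholder, though the same list also lives in pillar/base/haproxy.sls and the two must be kept in step.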
@@ -86,9 +86,9 @@ listen tls:
 bind :20006 ssl alpn h2,http/1.1 crt speed.pypy.org.pem
 bind :20007 ssl alpn h2,http/1.1 crt www.pycon.org.pem
 bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem
- bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
- bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
- bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
+ bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
+ bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
+ bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
 mode http