Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correct container plugin apache header rewrite #356

Merged
merged 1 commit into from
Sep 4, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion manifests/plugin/container.pp
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@
String $location_prefix = '/pulpcore_registry',
String $registry_version_path = '/v2/',
) {
# This is like pulpcore::apache's value, but slightly different
$api_default_request_headers = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need this?

https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader says

set
The request header is set, replacing any previous header with this name

So while the content of the file is changed, the behavior should not?

(Unless the cn map is empty)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CN map contains "if" expressions. My understanding is the first line 100% certain clears it. Then IF the cert's CN equals something, it sets the header.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, so the flow is:

  • use unset to remove any header by that name, wherever it comes from
  • use set to set it to the CN (if there is a CN!)
  • use set to set it to admin (if the expression matches, resetting a possibly previously set CN-based name)

I honestly see no reason (ever) to set the CN-based remote user, as such user just doesn't exist in Pulp (in our deployment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was added in #186 #105, but I don't really see a reason for it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My vote: don't add this complexity (same variable name, different values) back in, it's confusing as hell.
Do the releases we need to do.

Drop CN-stuff in an 11.x

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we then include 11.x in the upcoming releases? I'd actually feel more comfortable if we only had the explicit unset and explicit mapping.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure…

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fwiw, I tested the current (two-set) config with theforeman/forklift#1853 and it pushes containers fine, so 🤷‍♀️

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm leaning to merging this now as is because it keeps it minimal and then resolve it properly in the next release cycle.

"unset ${pulpcore::apache::remote_user_environ_header}",
]

$context = {
'directories' => [
{
Expand All @@ -19,7 +24,7 @@
'url' => "${pulpcore::apache::api_base_url}${registry_version_path}",
},
],
'request_headers' => $pulpcore::apache::api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
'request_headers' => $api_default_request_headers + $pulpcore::apache::api_additional_request_headers,
},
],
'proxy_pass' => [
Expand Down
13 changes: 13 additions & 0 deletions spec/classes/plugin_container_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,19 @@
is_expected.to contain_pulpcore__apache__fragment('plugin-container')
is_expected.not_to contain_apache__vhost__fragment('pulpcore-http-plugin-container')
is_expected.to contain_apache__vhost__fragment('pulpcore-https-plugin-container')
.with_vhost('pulpcore-https')
.with_priority('10')
.with_content(<<APACHE_CONFIG)

<Location "/pulpcore_registry/v2/">
RequestHeader unset REMOTE_USER
ProxyPass unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
ProxyPassReverse unix:///run/pulpcore-api.sock|http://pulpcore-api/v2/
</Location>

ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/container/
APACHE_CONFIG
end
end
end
Expand Down
Loading