staging: Deploy webapp in elastic infra

Antoine R. Dumont requested to merge migrate-staging-webapp into production

This deploys a webapp with a storage (with postgresql backend).

In effect, this aligns the current static staging webapp (with the endpoints behind basic http authentication).

This also:

  • adds a missing cronjob (syncmail-maps) and deploys it for the new webapp running in the 'swh' namespace.
  • aligns the webapp-cassandra (with the same http endpoints behind authentication)
make swh-helm-diff
[swh] Comparing changes between branches production and migrate-staging-webapp (per environment)...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Switched to branch 'migrate-staging-webapp'
[swh] Generate config in migrate-staging-webapp branch for environment staging...
[swh] Generate config in migrate-staging-webapp branch for environment staging...
[swh] Generate config in migrate-staging-webapp branch for environment staging...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Switched to branch 'migrate-staging-webapp'
[swh] Generate config in migrate-staging-webapp branch for environment production...
[swh] Generate config in migrate-staging-webapp branch for environment production...
[swh] Generate config in migrate-staging-webapp branch for environment production...


------------- diff for environment staging namespace swh -------------

--- /tmp/swh-chart.swh.qOLA98PU/staging-swh.before      2023-10-17 17:23:03.165668555 +0200
+++ /tmp/swh-chart.swh.qOLA98PU/staging-swh.after       2023-10-17 17:23:03.897668146 +0200
@@ -4088,20 +4088,116 @@
     if [ -e "${DB_VERSION}" ]; then
       echo "Unable to find the code version"
       exit 1
     fi

     if [ "$DB_VERSION" -ne "$CODE_VERSION" ]; then
       echo "code and DB versions are different. Blocking the deployment"
       exit 1
     fi
 ---
+# Source: swh/templates/web/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: swh
+  name: web-configuration-template
+data:
+  config.yml.template: |
+    storage:
+      cls: remote
+      url: http://storage:5002
+    search:
+      cls: remote
+      url: http://search0.internal.staging.swh.network:5010
+    scheduler:
+      cls: remote
+      url: http://scheduler.internal.staging.swh.network
+    vault:
+      cls: remote
+      url: http://vault-rpc-ingress
+    indexer_storage:
+      cls: remote
+      url: http://storage1.internal.staging.swh.network:5007/
+    counters_backend: swh-counters
+    counters:
+      cls: remote
+      url: http://counters0.internal.staging.swh.network:5011/
+
+    secret_key: ${DJANGO_SECRET_KEY}
+    production_db:
+
+      host: db1.internal.staging.swh.network
+      port: 5432
+      name: swh-web
+      user: swh-web
+      password: ${POSTGRESQL_PASSWORD}
+    client_config:
+      sentry_dsn: ${SWH_SENTRY_DSN}
+    throttling:
+      cache_uri: memcached:11211
+      scopes:
+        swh_api:
+          exempted_networks:
+          - 10.42.0.0/16
+          - 10.43.0.0/16
+          - 192.168.130.0/24
+          limiter_rate:
+            default: 120/h
+        swh_vault_cooking:
+          exempted_networks:
+          - 10.42.0.0/16
+          - 10.43.0.0/16
+          - 192.168.130.0/24
+          limiter_rate:
+            GET: 60/m
+            default: 120/h
+        swh_api_origin_search:
+          limiter_rate:
+            default: 10/m
+        swh_api_origin_visit_latest:
+          limiter_rate:
+            default: 700/m
+        swh_save_origin:
+          limiter_rate:
+            POST: 10/h
+            default: 120/h
+    add_forge_now:
+      email_address: add-forge-now@webapp.staging.swh.network
+    allowed_hosts:
+    - webapp-postgresql.internal.staging.swh.network
+    content_display_max_size: 5242880
+    give:
+      public_key: ${GIVE_PUBLIC_KEY}
+      token: ${GIVE_PRIVATE_TOKEN}
+    history_counters_url: http://counters0.internal.staging.swh.network:5011/counters_history/history.json
+    instance_name: webapp-postgresql.internal.staging.swh.network
+    keycloak:
+      realm_name: SoftwareHeritageStaging
+      server_url: https://auth.softwareheritage.org/auth/
+    matomo: {}
+    search_config:
+      metadata_backend: swh-search
+    swh_extra_django_apps:
+    - swh.web.add_forge_now
+    - swh.web.archive_coverage
+    - swh.web.badges
+    - swh.web.banners
+    - swh.web.deposit
+    - swh.web.inbound_email
+    - swh.web.jslicenses
+    - swh.web.mailmap
+    - swh.web.metrics
+    - swh.web.save_code_now
+    - swh.web.save_origin_webhooks
+    - swh.web.vault
+---
 # Source: swh/charts/keda/templates/crds/crd-clustertriggerauthentications.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
   labels:
     app.kubernetes.io/name: keda-operator
     helm.sh/chart: keda-2.11.0
     app.kubernetes.io/component: operator
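Review bot: the throttling `exempted_networks` lists in the `web-configuration-template` ConfigMap (10.42.0.0/16, 10.43.0.0/16, 192.168.130.0/24) do not match the `whitelist-source-range` used on the ingresses added later in this change, which also admits 192.168.101.0/24; if that is deliberate a comment in the template would help, otherwise clients from 192.168.101.0/24 are let through the ingress but rate-limited while every other admitted network is exempt. Minor: the rendered `production_db:` block carries a stray blank line before `host:` (harmless YAML, but the template could drop it).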
@@ -13723,20 +13819,39 @@
     app: prometheus-statsd-exporter
   ports:
     - name: statsd
       port: 9125
       targetPort: 9125
       protocol: UDP
     - name: http
       port: 9102
       targetPort: 9102
 ---
+# Source: swh/templates/web/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  namespace: swh
+spec:
+  type: ClusterIP
+  selector:
+    app: web
+  ports:
+    - port: 5004
+      targetPort: 5004
+      name: rpc
+
+    - port: 80
+      targetPort: 80
+      name: webstatic
+---
 # Source: swh/charts/keda/templates/manager/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: keda-operator
   namespace: default
   annotations:
     {}
   labels:
     app: keda-operator
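Review bot: style only; the `ports` list of the new `web` Service has an empty line between the `rpc` and `webstatic` entries that comes from the template and can be trimmed, and `targetPort: 5004` / `targetPort: 80` could reference the container port names declared on the deployment (`webapp`, `webstatic`) rather than repeating the numbers, so a renumbering in one place cannot silently break the other.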
@@ -21379,20 +21494,272 @@
           defaultMode: 0777
           items:
           - key: "config.yml.template"
             path: "config.yml.template"

       - name: toolbox-script-utils
         configMap:
           name: toolbox-script-utils
           defaultMode: 0555
 ---
+# Source: swh/templates/web/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: swh
+  name: web
+  labels:
+    app: web
+spec:
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: web
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+  template:
+    metadata:
+      labels:
+        app: web
+      annotations:
+        checksum/config: 809af0fb83e39a1b7f9356e53203fc239fa9483229ce1c40c0741d9a673cfe3d
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: swh/web
+                operator: In
+                values:
+                - "true"
+      priorityClassName: swh-frontend-rpc
+
+      initContainers:
+        - name: prepare-configuration
+          image: debian:bullseye
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+          env:
+
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: swh-postgresql-web-secrets
+                  key: postgres-swh-web-password
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+            - name: DJANGO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: swh-webapp-django-secret
+                  key: webapp-django-secret-key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+
+            - name: GIVE_PRIVATE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: web-give-secrets
+                  key: private-token
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+            - name: GIVE_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: web-give-secrets
+                  key: public-key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+            - name: SWH_SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: common-secrets
+                  key: web-sentry-dsn
+                  # 'name' secret should exist & include key
+                  # if the setting doesn't exist, sentry pushes will be disabled
+                  optional: false
+
+          volumeMounts:
+            - name: configuration
+              mountPath: /etc/swh
+            - name: configuration-template
+              mountPath: /etc/swh/configuration-template
+        - name: do-migration
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231010.1
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SWH_CONFIG_FILENAME
+              value: /etc/swh/config.yml
+          command:
+            - django-admin
+          args:
+            - migrate
+            - --settings=swh.web.settings.production
+          volumeMounts:
+            - name: configuration
+              mountPath: /etc/swh
+
+        - name: prepare-static
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231010.1
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - cp -r $PWD/.local/share/swh/web/static/ /usr/share/swh/web/static/
+          volumeMounts:
+          - name: static
+            mountPath: /usr/share/swh/web/static
+      containers:
+        - name: web
+          resources:
+            requests:
+              memory: 500Mi
+              cpu: 500m
+          image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231010.1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 5004
+              name: webapp
+          readinessProbe:
+            httpGet:
+              path: /
+              port: webapp
+              httpHeaders:
+                - name: Host
+                  value: webapp-postgresql.internal.staging.swh.network
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+            timeoutSeconds: 30
+          livenessProbe:
+            httpGet:
+              path: /
+              port: webapp
+              httpHeaders:
+                - name: Host
+                  value: webapp-postgresql.internal.staging.swh.network
+            initialDelaySeconds: 3
+            periodSeconds: 10
+            timeoutSeconds: 30
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - /opt/swh/entrypoint.sh
+          env:
+            - name: STATSD_HOST
+              value: prometheus-statsd-exporter
+            - name: STATSD_PORT
+              value: "9125"
+            - name: LOG_LEVEL
+              value: "INFO"
+            - name: SWH_CONFIG_FILENAME
+              value: /etc/swh/config.yml
+            - name: SWH_SENTRY_ENVIRONMENT
+              value: staging
+            - name: SWH_MAIN_PACKAGE
+              value: swh.web
+            - name: SWH_SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: common-secrets
+                  key: web-sentry-dsn
+                  # 'name' secret should exist & include key
+                  # if the setting doesn't exist, sentry pushes will be disabled
+                  optional: true
+            - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+              value: "true"
+
+            - name: DJANGO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: swh-webapp-django-secret
+                  key: webapp-django-secret-key
+                  # 'name' secret must exist & include that ^ key
+                  optional: false
+
+          volumeMounts:
+          - name: configuration
+            mountPath: /etc/swh
+            readOnly: true
+        - name: nginx
+          resources:
+            requests:
+              memory: 500Mi
+              cpu: 500m
+          image: nginx:bullseye
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: webstatic
+          readinessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          volumeMounts:
+            - name: static
+              mountPath: /usr/share/nginx/html
+      volumes:
+      - name: configuration
+        emptyDir: {}
+      - name: configuration-template
+        configMap:
+         name: web-configuration-template
+         items:
+         - key: "config.yml.template"
+           path: "config.yml.template"
+      - name: static
+        emptyDir: {}
+---
+# Source: swh/templates/web/autoscaling.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  namespace: swh
+  name: web
+  labels:
+    app: web
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: web
+  minReplicas: 2
+  maxReplicas: 3
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 50
+---
 # Source: swh/templates/scheduler/update-metrics-cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: scheduler-update-metrics-cronjob
 spec:
   # By default, every 4h at midnight
   schedule: "0/10 * * * *"
   jobTemplate:
     spec:
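Review bot: the `do-migration` init container runs `django-admin migrate` on every pod start, and the HorizontalPodAutoscaler in the same hunk sets `minReplicas: 2` with a `RollingUpdate` strategy (`maxSurge: 1`), so two or three pods can execute the migration concurrently against the same `swh-web` database on each rollout; Django migrations are not designed to run in parallel, so this belongs in a one-shot Job (or a Helm hook) with the init container reduced to a version check, in the spirit of the `DB_VERSION`/`CODE_VERSION` guard visible at the top of the first hunk. Three smaller points in the same hunk: the `prepare-configuration` init container renders the config with `eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\""`, which makes any `"`, `$` or backtick inside `DJANGO_SECRET_KEY` or `POSTGRESQL_PASSWORD` shell syntax, so those secrets must be generated without such characters or the template switched to `envsubst`; the `SWH_SENTRY_DSN` reference in that init container is `optional: false` while the comment beside it says a missing value only disables Sentry pushes and the same reference on the `web` container is `optional: true`, so one of the two should be aligned; and the nginx probes use `static/robots.txt` without a leading slash, unlike every other `httpGet` path in the chart.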
@@ -21474,20 +21841,264 @@
           - name: configuration
             emptyDir: {}
           - name: configuration-template
             configMap:
               name: scheduler-update-metrics-configuration-template
               items:
               - key: "config.yml.template"
                 path: "config.yml.template"
           restartPolicy: OnFailure
 ---
+# Source: swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: refresh-savecodenow-statuses-cronjob
+spec:
+  # By default, hourly at minute 15
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          priorityClassName: swh-frontend-rpc-workload
+
+          initContainers:
+            - name: prepare-configuration
+              image: debian:bullseye
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/bash
+              args:
+              - -c
+              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+              env:
+
+                - name: POSTGRESQL_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-postgresql-web-secrets
+                      key: postgres-swh-web-password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: DJANGO_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-webapp-django-secret
+                      key: webapp-django-secret-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: GIVE_PRIVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: private-token
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: GIVE_PUBLIC_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: public-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # 'name' secret should exist & include key
+                      # if the setting doesn't exist, sentry pushes will be disabled
+                      optional: true
+
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+              - name: configuration-template
+                mountPath: /etc/swh/configuration-template
+          containers:
+            - name: sync-mailmaps
+              resources:
+                requests:
+                  memory: 512Mi
+                  cpu: 500m
+              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231010.1
+              command:
+              - /opt/swh/entrypoint.sh
+              args:
+              # - shell
+              # - sleep
+              # - infinity
+              - refresh
+              env:
+                - name: STATSD_HOST
+                  value: prometheus-statsd-exporter
+                - name: STATSD_PORT
+                  value: "9125"
+                - name: SWH_CONFIG_FILENAME
+                  value: /etc/swh/config.yml
+                - name: LOG_LEVEL
+                  value: INFO
+                - name: SWH_SENTRY_ENVIRONMENT
+                  value: staging
+                - name: SWH_MAIN_PACKAGE
+                  value: swh.web
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # if the setting doesn't exist, sentry issue pushes will be disabled
+                      optional: false
+                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+                  value: "true"
+              imagePullPolicy: IfNotPresent
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+          volumes:
+          - name: configuration
+            emptyDir: {}
+          - name: configuration-template
+            configMap:
+              name: web-configuration-template
+              items:
+              - key: "config.yml.template"
+                path: "config.yml.template"
+          restartPolicy: OnFailure
+---
+# Source: swh/templates/web/sync-mailmaps-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-mailmaps-cronjob
+spec:
+  # By default, hourly at minute 15
+  schedule: "15 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          priorityClassName: swh-frontend-rpc-workload
+
+          initContainers:
+            - name: prepare-configuration
+              image: debian:bullseye
+              imagePullPolicy: IfNotPresent
+              command:
+              - /bin/bash
+              args:
+              - -c
+              - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
+              env:
+
+                - name: POSTGRESQL_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-postgresql-web-secrets
+                      key: postgres-swh-web-password
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: DJANGO_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: swh-webapp-django-secret
+                      key: webapp-django-secret-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+
+                - name: GIVE_PRIVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: private-token
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+                - name: GIVE_PUBLIC_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: web-give-secrets
+                      key: public-key
+                      # 'name' secret must exist & include that ^ key
+                      optional: false
+
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # 'name' secret should exist & include key
+                      # if the setting doesn't exist, sentry pushes will be disabled
+                      optional: true
+
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+              - name: configuration-template
+                mountPath: /etc/swh/configuration-template
+          containers:
+            - name: sync-mailmaps
+              resources:
+                requests:
+                  memory: 512Mi
+                  cpu: 500m
+              image: container-registry.softwareheritage.org/swh/infra/swh-apps/web:20231010.1
+              command:
+              - /opt/swh/entrypoint.sh
+              args:
+              # - shell
+              # - sleep
+              # - infinity
+              - refresh
+              env:
+                - name: STATSD_HOST
+                  value: prometheus-statsd-exporter
+                - name: STATSD_PORT
+                  value: "9125"
+                - name: SWH_CONFIG_FILENAME
+                  value: /etc/swh/config.yml
+                - name: LOG_LEVEL
+                  value: INFO
+                - name: SWH_SENTRY_ENVIRONMENT
+                  value: staging
+                - name: SWH_MAIN_PACKAGE
+                  value: swh.web
+                - name: SWH_SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: common-secrets
+                      key: web-sentry-dsn
+                      # if the setting doesn't exist, sentry issue pushes will be disabled
+                      optional: false
+                - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
+                  value: "true"
+              imagePullPolicy: IfNotPresent
+              volumeMounts:
+              - name: configuration
+                mountPath: /etc/swh
+          volumes:
+          - name: configuration
+            emptyDir: {}
+          - name: configuration-template
+            configMap:
+              name: web-configuration-template
+              items:
+              - key: "config.yml.template"
+                path: "config.yml.template"
+          restartPolicy: OnFailure
+---
 # Source: swh/templates/graphql/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: graphql-ingress-default
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24

     nginx.ingress.kubernetes.io/rewrite-target: /
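Review bot: `refresh-savecodenow-statuses-cronjob` is scheduled `"* * * * *"` (every minute) while the comment right above it says "hourly at minute 15", and the two CronJobs in this hunk are otherwise identical apart from name and schedule: both run a container named `sync-mailmaps` with the single argument `refresh`, so either the savecodenow job is doing the mailmap refresh or the mailmap job is, and the template's command/args appear not to be parameterised per cronjob. Please confirm the intended entrypoint argument for each and fix the schedule; if it really has to run every minute, set `concurrencyPolicy: Forbid` so that a slow run (init container plus a full `web` image start) cannot pile up with the next one. The leftover debug lines `# - shell`, `# - sleep`, `# - infinity` can be dropped from the rendered args, and, as in the deployment, `SWH_SENTRY_DSN` on the job container is `optional: false` next to a comment saying a missing value only disables Sentry pushes.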
@@ -21557,20 +22168,118 @@
     http:
       paths:
       - path: /scheduler_metrics/get
         pathType: Prefix
         backend:
           service:
             name: scheduler-rpc
             port:
               number: 5008
 ---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh
+  name: web-ingress-authenticated
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24
+
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+    # type of authentication
+    nginx.ingress.kubernetes.io/auth-type: basic
+    # an htpasswd file in the key auth within the secret
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+    # name of the secret that contains the user/password definitions
+    nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
+    # message to display with an appropriate context why the authentication is required
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+
+spec:
+  rules:
+  - host: webapp-postgresql.internal.staging.swh.network
+    http:
+      paths:
+      - path: /api/1/provenance/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/entity/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/content/[^/]+/symbol/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+  tls:
+  - hosts:
+    - webapp-postgresql.internal.staging.swh.network
+    secretName: swh-web-crt
+---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh
+  name: web-ingress-default
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24
+
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+
+spec:
+  rules:
+  - host: webapp-postgresql.internal.staging.swh.network
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /static
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 80
+
+  tls:
+  - hosts:
+    - webapp-postgresql.internal.staging.swh.network
+    secretName: swh-web-crt
+---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
   labels:
     app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
     helm.sh/chart: keda-2.11.0
     app.kubernetes.io/component: operator
     app.kubernetes.io/managed-by: Helm
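Review bot: `web-ingress-authenticated` lives in namespace `swh` but points `nginx.ingress.kubernetes.io/auth-secret` at `swh-cassandra/web-auth-secrets`, so the basic-auth credentials of the postgresql webapp are read from the cassandra namespace's secret; if the `swh` namespace has (or should have) its own `web-auth-secrets`, this looks like a copy-paste from the cassandra variant and should read `swh/web-auth-secrets`, otherwise it is a cross-namespace secret reference that ingress-nginx must be allowed to resolve and that silently breaks authentication if that secret is ever moved. Second point: `/api/1/content/[^/]+/symbol/` is a regex but is declared with `pathType: Prefix` and no `nginx.ingress.kubernetes.io/use-regex: "true"` annotation; because `web-ingress-default` serves `/` on the same host without authentication, a protected path that is not accepted or not matched by the authenticated ingress does not fail closed, it falls through to the open `/` location. After deploying, check that unauthenticated requests to `/api/1/entity/` and to `/api/1/content/<some-sha>/symbol/` on `webapp-postgresql.internal.staging.swh.network` return 401 rather than 200.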


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.qOLA98PU/staging-swh-cassandra.before    2023-10-17 17:23:03.409668418 +0200
+++ /tmp/swh-chart.swh.qOLA98PU/staging-swh-cassandra.after     2023-10-17 17:23:04.141668009 +0200
@@ -20912,20 +20912,77 @@
           service:
             name: vault-rpc
             port:
               number: 5005
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
+  name: web-ingress-authenticated
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24
+
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+    # type of authentication
+    nginx.ingress.kubernetes.io/auth-type: basic
+    # an htpasswd file in the key auth within the secret
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+    # name of the secret that contains the user/password definitions
+    nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
+    # message to display with an appropriate context why the authentication is required
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+
+spec:
+  rules:
+  - host: webapp-cassandra.internal.staging.swh.network
+    http:
+      paths:
+      - path: /api/1/provenance/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/entity/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/content/[^/]+/symbol/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+  tls:
+  - hosts:
+    - webapp-cassandra.internal.staging.swh.network
+    secretName: swh-web-crt
+---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh-cassandra
   name: web-ingress-default
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
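Review bot: same regex-in-`Prefix` concern as in the `swh` namespace, `/api/1/content/[^/]+/symbol/` under `pathType: Prefix` with no `use-regex` annotation, and the pre-existing `web-ingress-default` shown in the context below keeps serving `/` on `webapp-cassandra.internal.staging.swh.network` without authentication, so an unmatched protected path lands on the open location. Here the `auth-secret` reference `swh-cassandra/web-auth-secrets` is at least namespace-local. A quick post-deploy check is an unauthenticated GET on `/api/1/provenance/` expecting 401.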




------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.qOLA98PU/staging-swh-cassandra-next-version.before       2023-10-17 17:23:03.645668287 +0200
+++ /tmp/swh-chart.swh.qOLA98PU/staging-swh-cassandra-next-version.after        2023-10-17 17:23:04.369667881 +0200
@@ -20912,20 +20912,77 @@
           service:
             name: vault-rpc
             port:
               number: 5005
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
+  name: web-ingress-authenticated
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24
+
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+    # type of authentication
+    nginx.ingress.kubernetes.io/auth-type: basic
+    # an htpasswd file in the key auth within the secret
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+    # name of the secret that contains the user/password definitions
+    nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
+    # message to display with an appropriate context why the authentication is required
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+
+spec:
+  rules:
+  - host: webapp-cassandra-next-version.internal.staging.swh.network
+    http:
+      paths:
+      - path: /api/1/provenance/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/entity/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+      - path: /api/1/content/[^/]+/symbol/
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+
+  tls:
+  - hosts:
+    - webapp-cassandra-next-version.internal.staging.swh.network
+    secretName: swh-web-crt
+---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh-cassandra-next-version
   name: web-ingress-default
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
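Review bot: this ingress is in namespace `swh-cassandra-next-version` yet its `auth-secret` is `swh-cassandra/web-auth-secrets`, so the next-version webapp shares the basic-auth user/password file of the swh-cassandra deployment across namespaces; if sharing is intended, say so in the template comment, otherwise create `web-auth-secrets` in this namespace and reference it locally so that rotating one environment's credentials does not affect the other. The `pathType: Prefix` regex path point raised for the other namespaces applies here unchanged.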




------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences

Refs. swh/infra/sysadm-environment#4780 (closed)

Refs. swh/infra/sysadm-environment#5095 (closed)

Edited by Antoine R. Dumont
