
deposit: Expose static data and add authentication on private api endpoints

Antoine R. Dumont requested to merge deposit-complete-chart into staging
  • Prepare and expose static data through nginx
  • Add /1/private api part behind http authentication (through nginx too)

This matches what's currently done in static infra. Apache is in charge of both the static data and http authentication of the private api (after the rp).

With this change, the (sidecar) nginx pod takes over both responsibilities.

make swh-helm-diff
[swh] Comparing changes between branches production and deposit-complete-chart (per environment)...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Switched to branch 'deposit-complete-chart'
[swh] Generate config in deposit-complete-chart branch for environment staging...
[swh] Generate config in deposit-complete-chart branch for environment staging...
[swh] Generate config in deposit-complete-chart branch for environment staging...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Switched to branch 'deposit-complete-chart'
[swh] Generate config in deposit-complete-chart branch for environment production...
[swh] Generate config in deposit-complete-chart branch for environment production...
[swh] Generate config in deposit-complete-chart branch for environment production...


------------- diff for environment staging namespace swh -------------

No differences


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.Mg2c3YbA/staging-swh-cassandra.before    2023-11-14 16:41:50.789380478 +0100
+++ /tmp/swh-chart.swh.Mg2c3YbA/staging-swh-cassandra.after     2023-11-14 16:41:51.485380143 +0100
@@ -14952,20 +14952,31 @@
                 secretKeyRef:
                   name: common-secrets
                   key: deposit-sentry-dsn
                   optional: false

           volumeMounts:
             - name: configuration
               mountPath: /etc/swh
             - name: configuration-template
               mountPath: /etc/swh/configuration-template
+        - name: prepare-static-folder
+          static: container-registry.softwareheritage.org/swh/infra/swh-apps/deposit:20231109.1
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+          args:
+            - -c
+            - cp -r $PWD/.local/share/swh/deposit/static/ /usr/share/swh/deposit/static/
+          volumeMounts:
+          - name: static
+            mountPath: /usr/share/swh/deposit/static
       containers:
         - name: deposit
           resources:
             requests:
               memory: 500Mi
               cpu: 500m
           image: container-registry.softwareheritage.org/swh/infra/swh-apps/deposit:20231109.1
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5006
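Review bot: The new init container `prepare-static-folder` at the top of this hunk has no `image` field — the line `static: container-registry.softwareheritage.org/swh/infra/swh-apps/deposit:20231109.1` looks like a typo for `image: container-registry.softwareheritage.org/swh/infra/swh-apps/deposit:20231109.1`, and as rendered the Pod spec would be rejected (`image` is required and `static` is not a container field). The copy command also depends on `$PWD` resolving to a directory in the image that contains `.local/share/swh/deposit/static/`; if that is the image's working directory it deserves a one-line comment in the template, otherwise an absolute source path is safer. Finally, the `volumeMounts` items under the init container are flush with their key while the sibling container above indents them; using one sequence style across the template keeps yamllint quiet. The initContainers list this hunk extends begins before the hunk.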
@@ -15029,21 +15040,49 @@
                   key: deposit-django-secret-key
                   # 'name' secret must exist & include that ^ key
                   optional: false

           volumeMounts:
           - name: configuration
             mountPath: /etc/swh
             readOnly: true
           - name: localstorage
             mountPath: /tmp
+        - name: nginx
+          resources:
+            requests:
+              memory: 500Mi
+              cpu: 500m
+          image: nginx:bullseye
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: webstatic
+          readinessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: static/robots.txt
+              port: webstatic
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          volumeMounts:
+            - name: static
+              mountPath: /usr/share/nginx/html
       volumes:
+      - name: static
+        emptyDir: {}
       - name: localstorage
         emptyDir: {}
       - name: configuration
         emptyDir: {}
       - name: configuration-template
         configMap:
          name: deposit-configuration-template
          items:
          - key: "deposit_settings.yaml.template"
            path: "deposit_settings.yaml.template"
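Review bot: `image: nginx:bullseye` on the new sidecar is a floating tag, and combined with `imagePullPolicy: IfNotPresent` each node keeps whichever build it pulled first, so replicas can silently run different nginx builds and a base-image security fix is not picked up by a rollout; pin a specific version tag or a digest, the way the deposit image above is pinned by date. The readiness and liveness probe paths are written without a leading slash (`path: static/robots.txt`); this probably still resolves, but `path: /static/robots.txt` is the canonical form and matches how the ingress route is spelled. The containers list this hunk extends begins before the hunk.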
@@ -22820,20 +22859,60 @@
       name: cpu
       target:
         type: Utilization
         averageUtilization: 50
 ---
 # Source: swh/templates/deposit/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
+  name: deposit-ingress-authenticated
+  annotations:
+
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+
+    # type of authentication
+    nginx.ingress.kubernetes.io/auth-type: basic
+    # an htpasswd file in the key auth within the secret
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+    # name of the secret that contains the user/password definitions
+    nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/deposit-auth-secrets
+    # message to display with an appropriate context why the authentication is required
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+
+spec:
+  rules:
+  - host: deposit.staging.swh.network
+    http:
+      paths:
+      - path: /1/private/
+        pathType: Prefix
+        backend:
+          service:
+            name: deposit
+            port:
+              number: 5006
+
+  tls:
+  - hosts:
+    - deposit.staging.swh.network
+    secretName: swh-deposit-crt
+---
+# Source: swh/templates/deposit/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh-cassandra
   name: deposit-ingress-default
   annotations:

     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/ssl-redirect: "false"


 spec:
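Review bot: The new `deposit-ingress-authenticated` Ingress protects `/1/private/` with HTTP basic auth but copies `nginx.ingress.kubernetes.io/ssl-redirect: "false"` from the default ingress, so a client reaching the private API over plain http sends the htpasswd credentials in cleartext; for this ingress set `nginx.ingress.kubernetes.io/ssl-redirect: "true"` (or `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`) so the authenticated endpoint is only reachable through the TLS listener the `tls:` stanza already configures. The referenced Secret `swh-cassandra/deposit-auth-secrets` does not appear in this diff; if it is provisioned outside the chart, a comment on the `auth-secret` annotation saying where it comes from would save the next reader a search. Note also that `/` on `deposit-ingress-default` is a Prefix match that covers `/1/private/` too; ingress-nginx resolves same-host rules by longest prefix so the authenticated rule should win, but an unauthenticated request after deploy is the cheap way to confirm. The spec of `deposit-ingress-default` continues in the next hunk.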
@@ -22842,20 +22921,28 @@
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: deposit
             port:
               number: 5006

+      - path: /static
+        pathType: Prefix
+        backend:
+          service:
+            name: deposit
+            port:
+              number: 80
+
   tls:
   - hosts:
     - deposit.staging.swh.network
     secretName: swh-deposit-crt
 ---
 # Source: swh/templates/graphql/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra


------------- diff for environment staging namespace swh-cassandra-next-version -------------

No differences


------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences

Refs. swh/infra/sysadm-environment#5129 (closed)

Edited by Antoine R. Dumont
