
production/web-archive: Activate TLS on webhooks ingress only

Guillaume Samson requested to merge endpoint_ingress into production

Related to swh/infra/sysadm-environment#5275 (closed)

Currently here is the endpoint of the svix application origin.visit:

swh@webhooks-origin-visit-status-7b58454949-64nwq:~$ swh webhooks -C $SWH_CONFIG_FILENAME endpoint list origin.visit
INFO:httpx:HTTP Request: GET https://svix.internal.softwareheritage.org/api/v1/event-type/origin.visit/ "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: GET https://svix.internal.softwareheritage.org/api/v1/app/21dacaea-7e38-5e52-80af-4d926f0c43d1/endpoint/?order=descending "HTTP/1.1 200 OK"
https://archive.softwareheritage.org/save/origin/visit/webhook/

This is the only TLS termination available.
It would be much more efficient not to go through moma.

swh@swh-toolbox-855c5dcf89-kpqw6:~$ for i in archive-dynamic.internal archive.internal archive;do echo ---;dig +noall +answer "${i}.softwareheritage.org";done
---
archive-dynamic.internal.softwareheritage.org. 30 IN CNAME k8s-archive-production-rke2.internal.softwareheritage.org.
k8s-archive-production-rke2.internal.softwareheritage.org. 30 IN A 192.168.100.139
---
archive.internal.softwareheritage.org. 30 IN CNAME moma.internal.softwareheritage.org.
moma.internal.softwareheritage.org. 30 IN A     192.168.100.31
---
archive.softwareheritage.org. 30 IN     A       128.93.166.15

I don't know if we can enable TLS on all web-archive ingresses, so these modifications activate TLS only on the webhooks ingress.

helm diff
./swh/helm-diff.sh
[swh] Comparing changes between branches production and endpoint_ingress (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/endpoint_ingress'.
[swh] Generate config in endpoint_ingress branch for environment staging...
[swh] Generate config in endpoint_ingress branch for environment staging...
[swh] Generate config in endpoint_ingress branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/endpoint_ingress'.
[swh] Generate config in endpoint_ingress branch for environment production...
[swh] Generate config in endpoint_ingress branch for environment production...
[swh] Generate config in endpoint_ingress branch for environment production...


------------- diff for environment staging namespace swh -------------

No differences


------------- diff for environment staging namespace swh-cassandra -------------

No differences


------------- diff for environment staging namespace swh-cassandra-next-version -------------

No differences


------------- diff for environment production namespace swh -------------

--- /tmp/swh-chart.swh.mt43WdEb/production-swh.before	2024-04-15 16:39:31.945059869 +0200
+++ /tmp/swh-chart.swh.mt43WdEb/production-swh.after	2024-04-15 16:39:32.477067063 +0200
@@ -26861,20 +26861,23 @@
 metadata:
   namespace: swh
   name: web-archive-ingress-webhooks
   labels:
     app: web-archive
     endpoint-definition: webhooks
   annotations:
     nginx.ingress.kubernetes.io/service-upstream: "true"
     nginx.ingress.kubernetes.io/whitelist-source-range: 128.93.166.2/32,192.168.100.0/24
     kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
 
 spec:
   rules:
   - host: archive.softwareheritage.org
     http:
       paths:
       - path: /save/origin/visit/webhook
         pathType: Prefix
         backend:
           service:
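Review bot: the added `kubernetes.io/tls-acme: "true"` overlaps with `cert-manager.io/cluster-issuer: letsencrypt-production-gandi`: cert-manager's ingress-shim already acts on the cluster-issuer annotation, and tls-acme only matters when a default issuer is configured on the controller, so dropping one of the two removes any ambiguity about which issuer handles this ingress. Separately, `nginx.ingress.kubernetes.io/ssl-redirect: "true"` answers plain-HTTP requests with a redirect; webhook senders generally treat redirects as delivery failures rather than following them, so the svix endpoint URL should be registered with an https:// scheme rather than relying on the redirect to upgrade it.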
@@ -26907,20 +26910,28 @@
   - host: archive-dynamic.internal.softwareheritage.org
     http:
       paths:
       - path: /save/origin/visit/webhook
         pathType: Prefix
         backend:
           service:
             name: web-archive
             port:
               number: 5004
+      
+  tls:
+  - hosts:
+    - archive.softwareheritage.org
+    - base.softwareheritage.org
+    - archive.internal.softwareheritage.org
+    - archive-dynamic.internal.softwareheritage.org
+    secretName: swh-web-crt
 ---
 # Source: swh/templates/cookers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/listers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/loaders/deployment.yaml
 # if defined at the "typed" loader level
 # otherwise use the global image is defined First this needs to replace - in
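Review bot: the tls hosts list is wider than the rules in this ingress: base.softwareheritage.org appears in no rule here, and archive.internal.softwareheritage.org resolves to moma according to the dig output in the description, so the certificate requested into swh-web-crt will cover names this ingress does not serve. Because swh-web-crt is not a webhooks-specific secret name, confirm that no other web-archive ingress references the same secretName with a different host list, otherwise cert-manager will keep re-issuing the certificate as each ingress reconciles. The internal hostnames resolve to 192.168.100.0/24 addresses that Let's Encrypt cannot reach for HTTP-01, so this only works if the letsencrypt-production-gandi issuer solves DNS-01, which its name suggests but the hunk does not show. Finally, the `+      ` line after `number: 5004` is trailing whitespace and should be removed.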


------------- diff for environment production namespace swh-cassandra -------------

No differences
./helm-diff.sh cluster-configuration
[cluster-configuration] Comparing changes between branches production and endpoint_ingress...
Your branch is up to date with 'origin/production'.
[cluster-configuration] Generate config in production branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/endpoint_ingress'.
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in endpoint_ingress branch for cluster-configuration/values/test-staging-rke2.yaml...


------------- diff for cluster-configuration/values/admin-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/archive-production-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/archive-staging-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/gitlab-production.yaml -------------

No differences


------------- diff for cluster-configuration/values/gitlab-staging.yaml -------------

No differences


------------- diff for cluster-configuration/values/rancher.yaml -------------

No differences


------------- diff for cluster-configuration/values/test-staging-rke2.yaml -------------

No differences
./helm-diff.sh cluster-components
[cluster-components] Comparing changes between branches production and endpoint_ingress...
Your branch is up to date with 'origin/production'.
[cluster-components] Generate config in production branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/endpoint_ingress'.
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in endpoint_ingress branch for cluster-components/values/test-staging-rke2.yaml...


------------- diff for cluster-components/values/admin-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/archive-production-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/archive-staging-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/gitlab-production.yaml -------------

No differences


------------- diff for cluster-components/values/gitlab-staging.yaml -------------

No differences


------------- diff for cluster-components/values/minikube.yaml -------------

No differences


------------- diff for cluster-components/values/rancher.yaml -------------

No differences


------------- diff for cluster-components/values/test-staging-rke2.yaml -------------

No differences
./helm-diff.sh software-stories
[software-stories] Comparing changes between branches production and endpoint_ingress...
Your branch is up to date with 'origin/production'.
[software-stories] Generate config in production branch for software-stories/values/minikube.yaml...
[software-stories] Generate config in production branch for software-stories/values/production.yaml...
[software-stories] Generate config in production branch for software-stories/values/staging.yaml...
Your branch is up to date with 'origin/endpoint_ingress'.
[software-stories] Generate config in endpoint_ingress branch for software-stories/values/minikube.yaml...
[software-stories] Generate config in endpoint_ingress branch for software-stories/values/production.yaml...
[software-stories] Generate config in endpoint_ingress branch for software-stories/values/staging.yaml...


------------- diff for software-stories/values/minikube.yaml -------------

No differences


------------- diff for software-stories/values/production.yaml -------------

No differences


------------- diff for software-stories/values/staging.yaml -------------

No differences
cat helm-diff.sh >helm-diff 
chmod a+x helm-diff

Then we could use archive-dynamic.internal.softwareheritage.org as a svix endpoint.

Edited by Guillaume Samson
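As an added check (not part of this merge request), the following script verifies that the certificate cert-manager issues into the swh-web-crt secret covers every host listed in the ingress tls block; it runs offline against a constructed self-signed certificate, and the kubectl command in the comment for fetching the real secret is an assumption about the cluster.

```shell
#!/bin/sh
# Added example, not code from the merge request: confirm that a certificate's
# subjectAltName covers every host in the web-archive-ingress-webhooks tls block.
# Offline here, a constructed self-signed certificate stands in for the real one.
# On the cluster, the real PEM would be fetched with (assumed command):
#   kubectl -n swh get secret swh-web-crt -o jsonpath='{.data.tls\.crt}' | base64 -d
set -e

# Hosts taken from the tls: section of the merge request diff.
INGRESS_TLS_HOSTS="archive.softwareheritage.org base.softwareheritage.org archive.internal.softwareheritage.org archive-dynamic.internal.softwareheritage.org"

# Write a constructed self-signed certificate to $1 with the DNS SAN list in $2
# (format: "DNS:host1,DNS:host2"). The private key is discarded.
make_constructed_cert() {
  keytmp=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-example" \
    -addext "subjectAltName=$2" -keyout "$keytmp" -out "$1" >/dev/null 2>&1
  rm -f "$keytmp"
}

# Print the DNS names from a certificate's subjectAltName extension, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# Return 0 when every host given after the certificate path is covered by a SAN;
# otherwise print the uncovered hosts and return 1.
check_tls_hosts_covered() {
  cert="$1"; shift
  sans=$(cert_dns_sans "$cert")
  missing=""
  for host in "$@"; do
    echo "$sans" | grep -qx "$host" || missing="$missing $host"
  done
  if [ -n "$missing" ]; then
    echo "hosts not covered by $cert:$missing"
    return 1
  fi
  echo "all ingress tls hosts covered by $cert"
  return 0
}
```

A certificate that covers only the two hosts the webhooks ingress actually routes would fail this check for base.softwareheritage.org and archive.internal.softwareheritage.org, which is exactly the mismatch to look for after the first issuance.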
