X-Git-Url: https://git.arvados.org/arvados-formula.git/blobdiff_plain/e7c928cfe2440560febe442928694171c8dcafa0..aea99ea5eafb8d2256a6441a72021eaf9db7cbb2:/test/salt/pillar/examples/nginx_webshell_configuration.sls diff --git a/test/salt/pillar/examples/nginx_webshell_configuration.sls b/test/salt/pillar/examples/nginx_webshell_configuration.sls index 4a59cc5..d228715 100644 --- a/test/salt/pillar/examples/nginx_webshell_configuration.sls +++ b/test/salt/pillar/examples/nginx_webshell_configuration.sls @@ -1,19 +1,48 @@ --- +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# This parameter will be used here to generate a list of upstreams and vhosts. +# This dict is here for convenience and should be managed some other way, but the +# different ways of orchestration that can be used for this are outside the scope +# of this formula and their examples. +# These upstreams should match those defined in `arvados:cluster:resources:virtual_machines` +{% set webshell_virtual_machines = { + 'shell1': { + 'name': 'webshell1', + 'backend': '1.2.3.4', + 'port': 4200, + }, + 'shell.internal': {}, + 'webshell3': { + 'backend': '4.3.2.1', + 'port': 4500, + } +} +%} + ### NGINX nginx: ### SERVER server: config: - ### STREAMS http: - upstream webshell_upstream: - - server: '127.0.0.2:4200 fail_timeout=10s' + {%- for vm, params in webshell_virtual_machines.items() %} + {%- set vm_name = params.name | default(vm) %} + {%- set vm_backend = params.backend | default(vm_name) %} + {%- set vm_port = params.port | default(4200) %} + + upstream {{ vm_name }}_upstream: + - server: '{{ vm_backend }}:{{ vm_port }} fail_timeout=10s' + + {%- endfor %} ### SITES servers: managed: - arvados_webshell_default: + arvados_webshell_default.conf: enabled: true overwrite: true config: 
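Review bot: `vm_name`, `vm_backend` and `vm_port` are written into `upstream {{ vm_name }}_upstream:` and the `server:` value without validation, and the dict key is the fallback for both the name and the backend, so an entry such as `'shell.internal': {}` becomes an upstream name and a hostname that nginx resolves once at config load. A key containing whitespace, `;` or braces would render a different nginx config than intended, and an unresolvable name stops nginx from starting or reloading. I would document the constraint next to the dict, e.g. `# Keys and 'name' values are written verbatim into nginx upstream and location names: restrict them to [A-Za-z0-9._-]`, and note that `backend` is better given as an address when the resolver is not under the operator's control. The same `vm_name` is interpolated into `location /{{ vm_name }}:` in the second hunk.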
@@ -26,17 +55,21 @@ nginx: - location /: - return: '301 https://$host$request_uri' - arvados_webshell_ssl: + arvados_webshell_ssl.conf: enabled: true overwrite: true + requires: + file: nginx_snippet_arvados-snakeoil.conf config: - server: - server_name: webshell.fixme.example.net - listen: - 443 http2 ssl - index: index.html index.htm - - location /shell.fixme.example.net: - - proxy_pass: 'http://webshell_upstream' + {%- for vm, params in webshell_virtual_machines.items() %} + {%- set vm_name = params.name | default(vm) %} + - location /{{ vm_name }}: + - proxy_pass: 'http://{{ vm_name }}_upstream' - proxy_read_timeout: 90 - proxy_connect_timeout: 90 - proxy_set_header: 'Host $http_host' @@ -63,9 +96,9 @@ nginx: - add_header: "'Access-Control-Allow-Origin' '*'" - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'" - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'" - - # - include: 'snippets/letsencrypt.conf' - - include: 'snippets/snakeoil.conf' + {%- endfor %} + - include: 'snippets/ssl_hardening_default.conf' + - include: 'snippets/arvados-snakeoil.conf' - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined - error_log: /var/log/nginx/webshell.fixme.example.net.error.log
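Review bot: `proxy_pass: 'http://{{ vm_name }}_upstream'` now sends each shell session to its backend in cleartext, where the removed upstream was loopback (`127.0.0.2:4200`) and the new example backends in the first hunk are non-loopback addresses (`1.2.3.4`, `4.3.2.1`). Everything typed into the terminal, including the login, crosses that hop after TLS is terminated here. Whether that network is trusted is not visible from the diff, so at minimum a comment such as `# backend hop is plain HTTP: keep shell nodes on a private network or switch to https://` belongs above the loop. Separately, `location /{{ vm_name }}:` is a prefix match, so `/webshell1` also catches `/webshell10` when no longer location exists; confirm that is intended. The location body continues past the end of this hunk.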
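Review bot: With `{%- endfor %}` placed after the `add_header` lines, the `'Access-Control-Allow-Origin' '*'` header appears to be emitted for every generated shell location, so any origin may read responses from each web shell endpoint. If only Workbench needs cross-origin access, a comment asking operators to replace `'*'` with that origin would help, e.g. `# restrict to the Workbench origin outside test setups`. The loop opens in the previous hunk and the lines between the two hunks are not shown, so whether these headers sit inside a conditional block cannot be confirmed here. The `snippets/arvados-snakeoil.conf` include looks like a self-signed certificate, and with the commented `letsencrypt.conf` line removed nothing in the example points to a production alternative.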