From 928c15e956263ebb565919367c13fe4a30026df3 Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Mon, 21 May 2018 21:39:48 -0400 Subject: [PATCH] helm: Convert the SSO server to be served over SSL. No issue # Arvados-DCO-1.1-Signed-off-by: Ward Vandewege --- arvados/config/api-server/application.yml | 2 +- arvados/config/sso/nginx.conf | 40 +++++++++++++++++++++-- arvados/templates/sso-deployment.yaml | 10 ++++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/arvados/config/api-server/application.yml b/arvados/config/api-server/application.yml index 08a87c5..385c64c 100644 --- a/arvados/config/api-server/application.yml +++ b/arvados/config/api-server/application.yml @@ -42,7 +42,7 @@ common: # sso-provider). sso_app_secret: app_secret sso_app_id: arvados-server - sso_provider_url: http://{{ .Values.externalIP }}:3002 + sso_provider_url: https://{{ .Values.externalIP }}:3002 # If this is not false, HTML requests at the API server's root URL # are redirected to this location, and it is provided in the text of diff --git a/arvados/config/sso/nginx.conf b/arvados/config/sso/nginx.conf index 9b5340e..76d6530 100644 --- a/arvados/config/sso/nginx.conf +++ b/arvados/config/sso/nginx.conf @@ -3,8 +3,8 @@ # SPDX-License-Identifier: Apache-2.0 server { - listen 0.0.0.0:3002; - server_name insecure-sso; + listen 127.0.0.1:9000; + server_name localhost-sso; root /var/www/arvados-sso/current/public; index index.html index.htm index.php; 
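Review bot: Switching `sso_provider_url` to `https://{{ .Values.externalIP }}:3002` makes the API server a TLS client of the SSO pod, and nothing in this commit shows that client trusting the certificate mounted from `ssl-configmap` or that certificate naming the external IP. If the certificate is self-signed (a ConfigMap rather than a cluster CA suggests it may be), the SSO round-trip from the API server will presumably fail certificate verification unless the issuing CA is added to the API server's trust store and the certificate carries `externalIP` as an IP SAN. I would record that requirement next to the line: `# The certificate served on :3002 must be trusted by the API server and must name externalIP in its SANs; otherwise SSO login fails with a TLS verification error.` The `common:` mapping this key lives in starts before the hunk.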
@@ -12,4 +12,40 @@ server { passenger_enabled on; # If you're using RVM, uncomment the line below. passenger_ruby /usr/local/rvm/wrappers/default/ruby; + + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; +} + +upstream sso { + server 127.0.0.1:9000 fail_timeout=10s; +} + +proxy_http_version 1.1; + +server { + listen 0.0.0.0:3002 ssl; + server_name public-sso; + + ssl on; + ssl_certificate /etc/ssl/certs/sso.pem; + ssl_certificate_key /etc/ssl/private/sso.key; + + index index.html index.htm index.php; + # `client_max_body_size` should match the corresponding setting in + # the API server's Nginx configuration. + client_max_body_size 128m; + + location / { + proxy_pass http://sso; + proxy_redirect off; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } } diff --git a/arvados/templates/sso-deployment.yaml b/arvados/templates/sso-deployment.yaml index 507c482..c591204 100644 --- a/arvados/templates/sso-deployment.yaml +++ b/arvados/templates/sso-deployment.yaml @@ -53,7 +53,17 @@ spec: - name: sso-configmap mountPath: /init-scripts/92-init-client.sh subPath: 92-init-client.sh + - name: ssl-configmap + mountPath: /etc/ssl/certs/sso.pem + subPath: cert + - name: ssl-configmap + mountPath: /etc/ssl/private/sso.key + subPath: key + volumes: - name: sso-configmap configMap: name: arvados-sso-configmap + - name: ssl-configmap + configMap: + name: ssl-configmap -- 2.30.2
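Review bot: The new `server_name public-sso` block sets a certificate and key but no `ssl_protocols` or `ssl_ciphers`, so the image's nginx build decides which protocol versions a client may negotiate, and older nginx defaults still admit TLSv1.0/1.1; pinning the protocols is the minimum for an endpoint that terminates TLS for login traffic. `ssl on;` is also redundant with `listen 0.0.0.0:3002 ssl;` and is deprecated in current nginx releases, so it can go. `TLSv1.3` in `ssl_protocols` requires an nginx built against OpenSSL 1.1.1 or later and is rejected as an invalid value by older builds, so confirm the image's version before adding it (drop it if unsure). Enabling a session cache is optional but cheap once the protocols are pinned.
```nginx
server {
  listen 0.0.0.0:3002 ssl;
  server_name public-sso;

  # `ssl on;` dropped: the `ssl` parameter on `listen` already enables TLS.
  ssl_certificate /etc/ssl/certs/sso.pem;
  ssl_certificate_key /etc/ssl/private/sso.key;
  # Pin negotiable protocol versions instead of relying on the image's
  # nginx defaults. Keep TLSv1.3 only if the image's nginx supports it.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:sso_ssl:10m;
  ssl_session_timeout 10m;

  # … unchanged: index, client_max_body_size, location / proxy block …
```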
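Review bot: The TLS private key is mounted from a ConfigMap (`ssl-configmap`, key `key`) rather than a Secret, so it is stored and exposed with the same access rules as ordinary configuration and, on clusters without encryption at rest, in plaintext in etcd; a `kubernetes.io/tls` Secret with a restrictive `defaultMode` is the expected home for it. The `subPath` mounts also mean a rotated certificate is not propagated into the running container, so a key rollover needs a pod restart; worth a comment on the mount. No template for `ssl-configmap` appears in this diffstat, so presumably it is expected to be created out of band — if so the chart should say so, as the pod otherwise stays in ContainerCreating. The `volumeMounts` list these entries belong to starts before the hunk.
```yaml
        # Rotated TLS material is not picked up through subPath mounts; restart the pod after rotation.
        - name: sso-tls
          mountPath: /etc/ssl/certs/sso.pem
          subPath: tls.crt
        - name: sso-tls
          mountPath: /etc/ssl/private/sso.key
          subPath: tls.key

      volumes:
        # … unchanged: sso-configmap volume …
        - name: sso-tls
          secret:
            secretName: sso-tls   # kubernetes.io/tls Secret, created outside this chart
            defaultMode: 0400
```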