import (
"context"
"fmt"
+ "io/ioutil"
+ "os/exec"
"path"
)
events {
}
http {
- access_log {{keyOrDefault "service/gateway/access_log" "/var/log/arvados/gateway.log" | toJSON}} combined;
- upstream arv-git-http {
- server localhost:{{GITPORT}};
+ access_log {{keyOrDefault "arvados/service/gateway/access_log" "/var/log/arvados/gateway.log" | toJSON}} combined;
+ upstream git-httpd {
+ {{service "arvados-git-http"}}
+ server {{.Address}}:{{.Port}};
+ {{end}}
}
server {
- {{if keyExists"service/gateway/ports/tlsGit"}}
- listen *:{{key "service/gateway/ports/tlsGit"}} ssl default_server;
+ {{if keyExists "arvados/port/tlsGit"}}
+ listen *:{{key "arvados/port/tlsGit"}} ssl default_server;
{{end}}
- listen *:{{keyOrDefault "service/gateway/ports/tlsGateway" 443}} ssl;
- server_name git.{{key "service/gateway/domain"}};
- ssl_certificate {{SSLCERT}};
- ssl_certificate_key {{SSLKEY}};
+ listen *:{{keyOrDefault "arvados/port/tlsGateway" 443}} ssl;
+ server_name git.{{key "arvados/service/gateway/domain"}};
+ ssl_certificate {{key "arvados/service/gateway/pki/certPath"}};
+ ssl_certificate_key {{key "arvados/service/gateway/pki/keyPath"}};
location / {
- proxy_pass http://arv-git-http;
+ proxy_pass http://git-httpd;
}
}
- upstream keepproxy {
- server localhost:{{KEEPPROXYPORT}};
+ upstream keep-proxy {
+ {{service "arvados-keepproxy"}}
+ server {{.Address}}:{{.Port}};
+ {{end}}
}
server {
- listen *:{{KEEPPROXYSSLPORT}} ssl default_server;
- server_name _;
- ssl_certificate {{SSLCERT}};
- ssl_certificate_key {{SSLKEY}};
+ {{if keyExists "arvados/port/tlsKeepProxy"}}
+ listen *:{{key "arvados/port/tlsKeepProxy"}} ssl default_server;
+ {{end}}
+ listen *:{{keyOrDefault "arvados/port/tlsGateway" 443}} ssl;
+ server_name keep.{{key "arvados/service/gateway/domain"}};
+ ssl_certificate {{key "arvados/service/gateway/pki/certPath"}};
+ ssl_certificate_key {{key "arvados/service/gateway/pki/keyPath"}};
location / {
- proxy_pass http://keepproxy;
+ proxy_pass http://keep-proxy;
}
}
upstream keep-web {
- server localhost:{{KEEPWEBPORT}};
- }
- server {
- listen *:{{KEEPWEBSSLPORT}} ssl default_server;
- server_name ~^(?<request_host>.*)$;
- ssl_certificate {{SSLCERT}};
- ssl_certificate_key {{SSLKEY}};
- location / {
- proxy_pass http://keep-web;
- proxy_set_header Host $request_host:{{KEEPWEBPORT}};
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
+ {{service "arvados-keep-web"}}
+ server {{.Address}}:{{.Port}};
+ {{end}}
}
server {
- listen *:{{KEEPWEBDLSSLPORT}} ssl default_server;
- server_name ~.*;
- ssl_certificate {{SSLCERT}};
- ssl_certificate_key {{SSLKEY}};
+ {{if keyExists "arvados/port/tlsKeepWeb"}}
+ listen *:{{key "arvados/port/tlsKeepWeb"}} ssl default_server;
+ {{end}}
+ listen *:{{keyOrDefault "arvados/port/tlsGateway" 443}} ssl;
+ server_name download.{{key "arvados/service/gateway/domain"}}
+ collections.{{key "arvados/service/gateway/domain"}}
+ *.collections.{{key "arvados/service/gateway/domain"}}
+ ~.*--collections.{{key "arvados/service/gateway/domain"}};
+ *.collections.{{key "arvados/service/gateway/domain"}};
+ ssl_certificate {{key "arvados/service/gateway/pki/certPath"}};
+ ssl_certificate_key {{key "arvados/service/gateway/pki/keyPath"}};
location / {
proxy_pass http://keep-web;
- proxy_set_header Host download:{{KEEPWEBPORT}};
+ proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect //download:{{KEEPWEBPORT}}/ https://$host:{{KEEPWEBDLSSLPORT}}/;
}
}
upstream ws {
- server localhost:{{WSPORT}};
+ {{service "arvados-ws"}}
+ server {{.Address}}:{{.Port}};
+ {{end}}
}
server {
- listen *:{{WSSPORT}} ssl default_server;
- server_name ~^(?<request_host>.*)$;
- ssl_certificate {{SSLCERT}};
- ssl_certificate_key {{SSLKEY}};
+ {{if keyExists "arvados/port/tlsWS"}}
+ listen *:{{key "arvados/port/tlsWS"}} ssl default_server;
+ {{end}}
+ listen *:{{keyOrDefault "arvados/port/tlsGateway" 443}} ssl;
+ server_name ws.{{key "arvados/service/gateway/domain"}};
+ ssl_certificate {{key "arvados/service/gateway/pki/certPath"}};
+ ssl_certificate_key {{key "arvados/service/gateway/pki/keyPath"}};
location / {
proxy_pass http://ws;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
- proxy_set_header Host $request_host:{{WSPORT}};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
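Review bot: The four upstream blocks (git-httpd, keep-proxy, keep-web, ws) open with `{{service "…"}}` but close with `{{end}}`, which the template parser should reject as an unmatched end and which leaves `.Address`/`.Port` unbound; each should open with `{{range service "arvados-git-http"}}` (and likewise for the other three services). In the keep-web `server_name`, the regex entry ends the directive with `;`, so the following `*.collections.…;` line is parsed as a separate, unknown directive; it duplicates the wildcard two lines above and should be dropped. The regex name `~.*--collections.<domain>` is unanchored and the dots of the interpolated domain match any character, while this block now forwards `Host $host` to keep-web. Anchor it with `^`/`$` and escape the dots, or confirm that keep-web validates the host itself before using it to separate collections.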
return err
}
- cfgPath := path.Join(cfg.DataDir, "gateway.consul-template.hcl")
- if err = atomicWriteJSON(cfgPath+".ctmpl", map[string]interface{}{
+ consulCfg := path.Join(cfg.DataDir, "gateway.consul-template.hcl")
+ if err = atomicWriteJSON(consulCfg+".ctmpl", map[string]interface{}{
+ "exec": map[string]interface{}{
+ "reload_signal": "SIGHUP",
+ },
"consul": map[string]interface{}{
"address": fmt.Sprintf("0.0.0.0:%d", cfg.Ports.ConsulHTTP),
},
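Review bot: The new `exec.reload_signal` setting is written to `consulCfg+".ctmpl"`, but the later hunk starts consul-template with `"-config=" + consulCfg`, without the suffix. Unless another step produces the un-suffixed file, consul-template never reads this config, so neither the SIGHUP reload nor the `consul.address` setting takes effect. Either write to `consulCfg` directly or add a comment naming what renders the `.ctmpl` file. The enclosing function starts outside this hunk and the map literal continues past it.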
return err
}
- tmplPath := path.Join(cfg.DataDir, "gateway.nginx.conf")
- if err = atomicWriteFile(tmplPath+".ctmpl", []byte(ngb.tmpl), 0644); err != nil {
+ nginxCfg := path.Join(cfg.DataDir, "gateway.nginx.conf")
+ if err = atomicWriteFile(nginxCfg+".ctmpl", []byte(ngb.tmpl), 0644); err != nil {
+ return err
+ }
+
+ if err := (&osPackage{
+ Debian: "nginx",
+ }).Boot(ctx); err != nil {
+ return err
+ }
+
+ nginxBin, err := exec.LookPath("nginx")
+ if err != nil {
return err
}
- return Series{
- &osPackage{
- Debian: "nginx",
+ return (&supervisedService{
+ name: ngb.name,
+ cmd: path.Join(cfg.UsrDir, "bin", "consul-template"),
+ args: []string{
+ "-config=" + consulCfg,
+ "-template=" + nginxCfg + ".ctmpl:" + nginxCfg,
+ "-exec",
+ "nginx",
+ "-g", "error_log stderr info;",
+ "-g", "pid " + path.Join(cfg.DataDir, "nginx.pid") + ";",
+ "-c", nginxCfg,
},
- &supervisedService{
- name: ngb.name,
- cmd: path.Join(cfg.UsrDir, "bin", "consul-template"),
- args: []string{
- "-config=" + cfgPath,
- "-template=" + tmplPath + ".ctmpl:" + tmplPath,
- "-exec",
- "nginx",
- },
- env: map[string]string{
- "VAULT_TOKEN": rootToken,
- },
+ env: map[string]string{
+ "VAULT_TOKEN": rootToken,
},
- }.Boot(ctx)
+ }).Boot(ctx)
}
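Review bot: `nginxBin` from `exec.LookPath("nginx")` is never used in the lines shown, because the args still pass the literal `"nginx"`; unless it is referenced outside this hunk the build fails with "declared and not used", so pass `nginxBin` as the `-exec` command. The nginx flags `-g` and `-c` follow `-exec` as separate argv entries, so consul-template will likely parse them as its own flags; they probably belong inside the single `-exec` value, which also needs `daemon off;` unless the template sets it, since a supervised child has to stay in the foreground. `"VAULT_TOKEN": rootToken` is inherited by the network-facing nginx child, while the template shown reads only Consul keys and services; drop it or replace it with a narrowly scoped token. The enclosing function starts outside this hunk.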