From: Tom Clegg Date: Thu, 30 Jul 2020 15:30:08 +0000 (-0400) Subject: 16306: Fixup nginx in arvados-boot production mode. X-Git-Tag: 2.2.0~141^2~52 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/75d050ab135619fcefecbfa32aaad4dab33e7588 16306: Fixup nginx in arvados-boot production mode. Arvados-DCO-1.1-Signed-off-by: Tom Clegg --- diff --git a/cmd/arvados-dev/docker-boot.sh b/cmd/arvados-dev/docker-boot.sh index 0b9874295c..7eca33e799 100755 --- a/cmd/arvados-dev/docker-boot.sh +++ b/cmd/arvados-dev/docker-boot.sh @@ -40,11 +40,18 @@ tmpdir=$(mktemp -d) version=$(git describe --tag --dirty) declare -a volargs=() -for srcdir in "$@"; do - echo >&2 "building $srcdir..." - (cd $srcdir && GOBIN=$tmpdir go install -ldflags "-X git.arvados.org/arvados.git/lib/cmd.version=${version} -X main.version=${version}") - cmd="$(basename "$srcdir")" - volargs+=(-v "$tmpdir/$cmd:/var/lib/arvados/bin/$cmd:ro") +for inject in "$@"; do + case "$inject" in + nginx.conf) + volargs+=(-v "$(pwd)/sdk/python/tests/$inject:/var/lib/arvados/share/$inject:ro") + ;; + *) + echo >&2 "building $inject..." + (cd $inject && GOBIN=$tmpdir go install -ldflags "-X git.arvados.org/arvados.git/lib/cmd.version=${version} -X main.version=${version}") + cmd="$(basename "$inject")" + volargs+=(-v "$tmpdir/$cmd:/var/lib/arvados/bin/$cmd:ro") + ;; + esac done osbase=debian:10 diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go index c1da7d18d1..a7c09a7227 100644 --- a/lib/boot/nginx.go +++ b/lib/boot/nginx.go 
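Review bot: `cd $inject` in the `*)` branch is unquoted, so a source directory argument containing whitespace or glob characters is word-split before the subshell enters it, while every other use of the variable in the same hunk is quoted; `(cd "$inject" && GOBIN=$tmpdir go install ...)` would make the branch consistent. The `nginx.conf)` case resolves the template as `$(pwd)/sdk/python/tests/$inject`, which appears to assume the script is invoked from the source tree root; if nothing earlier in the script changes directory there (not visible in the hunk), the bind mount silently points at a nonexistent file and the container starts without the template. The case also matches only the bare word `nginx.conf`, so `./nginx.conf` or an absolute path falls through to the build branch and fails in `go install`. The enclosing script continues outside the hunk.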
@@ -69,7 +69,13 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 }
 vars[cmpt.varname+"SSLPORT"] = port
 }
- tmpl, err := ioutil.ReadFile(filepath.Join(super.SourcePath, "sdk", "python", "tests", "nginx.conf"))
+ var conftemplate string
+ if super.ClusterType == "production" {
+ conftemplate = "/var/lib/arvados/share/nginx.conf"
+ } else {
+ conftemplate = filepath.Join(super.SourcePath, "sdk", "python", "tests", "nginx.conf")
+ }
+ tmpl, err := ioutil.ReadFile(conftemplate)
 if err != nil {
 return err
 }
diff --git a/lib/boot/supervisor.go b/lib/boot/supervisor.go
index 5f92a65692..51f5c8bfd2 100644
--- a/lib/boot/supervisor.go
+++ b/lib/boot/supervisor.go
@@ -252,7 +252,7 @@ func (super *Supervisor) run(cfg *arvados.Config) error {
 }
 if super.ClusterType != "test" {
 tasks = append(tasks,
- runServiceCommand{name: "dispatch-cloud", svc: super.cluster.Services.Controller},
+ runServiceCommand{name: "dispatch-cloud", svc: super.cluster.Services.DispatchCloud},
 runGoProgram{src: "services/keep-balance", svc: super.cluster.Services.Keepbalance},
 )
 }
diff --git a/lib/install/deps.go b/lib/install/deps.go
index 3f19aa1a82..c5596d1046 100644
--- a/lib/install/deps.go
+++ b/lib/install/deps.go
@@ -486,6 +486,15 @@ rm ${zip}
 return 1
 }
 }
+
+ // Copy assets from source tree to /var/lib/arvados/share
+ cmd := exec.Command("install", "-v", "-t", "/var/lib/arvados/share", filepath.Join(inst.SourcePath, "sdk/python/tests/nginx.conf"))
+ cmd.Stdout = stdout
+ cmd.Stderr = stderr
+ err = cmd.Run()
+ if err != nil {
+ return 1
+ }
 }
 
 return 0
diff --git a/lib/install/init.go b/lib/install/init.go
index 6d4f197576..ca8d4da924 100644
--- a/lib/install/init.go
+++ b/lib/install/init.go
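Review bot: The `return err` after `ioutil.ReadFile(conftemplate)` hands the error up without saying which of the two candidate locations was tried, which matters now that the template path is selected by `super.ClusterType`; wrapping it as `return fmt.Errorf("reading nginx config template %s: %w", conftemplate, err)` would make the production-versus-source-tree choice visible in the supervisor's log (this needs `fmt` in the file's imports, which are outside the hunk). The literal `/var/lib/arvados/share/nginx.conf` is also spelled out independently in lib/install/deps.go in this same commit, so the install side and the boot side can drift apart; a single exported constant for the share directory, referenced from both, would keep them in step. Note that only `"production"` takes the installed copy, so any other non-test cluster type still reads from `super.SourcePath` — worth a one-line comment if that is intended. The hunk is cut from the middle of `(runNginx).Run`.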
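Review bot: When `cmd.Run()` fails, the Go-side error is discarded before `return 1`: if `install` cannot be started at all (not on PATH, not executable) nothing reaches `stderr`, because only the child's own output is wired to it, so the installer exits 1 with no explanation; something like `fmt.Fprintf(stderr, "%v: %s\n", cmd.Args, err)` before the return — or whatever reporting the surrounding function uses, its start is outside the hunk — would make the failure diagnosable. GNU `install -t DIR` does not create DIR, so this step also depends on `/var/lib/arvados/share` already existing, which the hunk does not show; `install -v -D -t /var/lib/arvados/share ...` creates it, and `-m 0644` would avoid installing a config template with the default executable mode. Minor: the slash-joined `"sdk/python/tests/nginx.conf"` argument differs in style from the segmented `filepath.Join(..., "sdk", "python", "tests", "nginx.conf")` used for the same file in lib/boot/nginx.go.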
@@ -170,6 +170,8 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 user: arvados
 password: {{printf "%q" .PostgreSQLPassword}}
 SystemRootToken: {{printf "%q" ( .RandomHex 50 )}}
+ TLS:
+ Insecure: true
 Volumes:
 {{.ClusterID}}-nyw5e-000000000000000:
 Driver: Directory
diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf
index 85b4f5b37b..cdca68dd67 100644
--- a/sdk/python/tests/nginx.conf
+++ b/sdk/python/tests/nginx.conf
@@ -16,12 +16,28 @@ http {
 fastcgi_temp_path "{{TMPDIR}}";
 uwsgi_temp_path "{{TMPDIR}}";
 scgi_temp_path "{{TMPDIR}}";
+ upstream controller {
+ server {{LISTENHOST}}:{{CONTROLLERPORT}};
+ }
+ server {
+ listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
+ server_name controller ~.*;
+ ssl_certificate "{{SSLCERT}}";
+ ssl_certificate_key "{{SSLKEY}}";
+ location / {
+ proxy_pass http://controller;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
 upstream arv-git-http {
 server {{LISTENHOST}}:{{GITPORT}};
 }
 server {
- listen {{LISTENHOST}}:{{GITSSLPORT}} ssl default_server;
- server_name arv-git-http;
+ listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
+ server_name arv-git-http git.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -36,8 +52,8 @@ http {
 server {{LISTENHOST}}:{{KEEPPROXYPORT}};
 }
 server {
- listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl default_server;
- server_name keepproxy;
+ listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
+ server_name keepproxy keep.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
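Review bot: `TLS: Insecure: true` is written into every cluster config that `init` generates, with no comment in the template saying why, and if the key has its usual meaning in this config schema (clients accept server certificates that fail verification) the command now emits a setting a production operator must know to revert before relying on the cluster's TLS. A comment directly above the key in the template would carry that knowledge into the generated file, for example `# Insecure: true makes internal clients accept unverifiable server certificates; set to false once the services use certificates from a trusted CA.`, or the value could be driven by an `init` flag instead of being hard-coded. The enclosing `RunCommand` starts and ends outside the hunk.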
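Review bot: In the new controller block `server_name controller ~.*;` the regex `~.*` accepts every Host value, which makes the literal `controller` redundant, and the same pattern recurs as `keep-web-dl download.* ~.*` in a later hunk of this file. Since every `listen` port now carries exactly one `server` block, nginx hands each request on a port to that block whatever the Host header says, so the `server_name` lists added throughout this file (`git.*`, `keep.*`, `collections.* ~\.collections\.`, `health.*`, `ws.*`, `workbench.*`) document the intended public hostnames but do not select between services or act as a boundary; dropping `default_server` is consistent with that one-block-per-port layout. A one-line comment at the top of the `http` block stating this, e.g. `# One server block per port: server_name values document the expected hostname and are not used for routing.`, would stop a later reader from treating them as access control. The `http` block starts and ends outside these hunks.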
@@ -55,8 +71,8 @@ http {
 server {{LISTENHOST}}:{{KEEPWEBPORT}};
 }
 server {
- listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl default_server;
- server_name keep-web;
+ listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
+ server_name keep-web collections.* ~\.collections\.;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -75,8 +91,8 @@ http {
 server {{LISTENHOST}}:{{HEALTHPORT}};
 }
 server {
- listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl default_server;
- server_name health;
+ listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
+ server_name health health.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -91,8 +107,8 @@ http {
 }
 }
 server {
- listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl default_server;
- server_name keep-web-dl ~.*;
+ listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl;
+ server_name keep-web-dl download.* ~.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -111,8 +127,8 @@ http {
 server {{LISTENHOST}}:{{WSPORT}};
 }
 server {
- listen {{LISTENHOST}}:{{WSSSLPORT}} ssl default_server;
- server_name websocket;
+ listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
+ server_name websocket ws.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -129,8 +145,8 @@ http {
 server {{LISTENHOST}}:{{WORKBENCH1PORT}};
 }
 server {
- listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl default_server;
- server_name workbench1;
+ listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
+ server_name workbench1 workbench.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
 location / {
@@ -141,20 +157,4 @@ http {
 proxy_redirect off;
 }
 }
- upstream controller {
- server {{LISTENHOST}}:{{CONTROLLERPORT}};
- }
- server {
- listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl default_server;
- server_name controller;
- ssl_certificate "{{SSLCERT}}";
- ssl_certificate_key "{{SSLKEY}}";
- location / {
- proxy_pass http://controller;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_redirect off;
- }
- }
 }