PR#1682: Add Flatpak Cache as a OpenShift app - fedora-infra/ansible

fedora-infra / ansible

#1682 Add Flatpak Cache as a OpenShift app

Merged 4 months ago by kevin. Opened 6 months ago by leo.

fedora-infra/ leo/ansible openshift_flatpak_proxy into main

Switch from Varnish to Squid

Leo Puvilland • 4 months ago

9269704

Add Flatpak Cache as a OpenStack app

Leo Puvilland • 4 months ago

0beee27

playbooks/openshift-apps/flatpak-cache.yml

file added

+81

		`@@ -0,0 +1,81 @@`
		`+ - name: make the app be real`
		`+ # hosts: os_control_stg[0]:os_control[0]`
		`+ hosts: os_control_stg[0]`
		`+ user: root`
		`+ gather_facts: False`
		`+`
		`+ vars_files:`
		`+ - /srv/web/infra/ansible/vars/global.yml`
		`+ - /srv/private/ansible/vars.yml`
		`+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`
		`+`
		`+ vars:`
		`+`
		`+ roles:`
		`+ - role: openshift/project`
		`+ app: flatpak-cache`
		`+ description: "Flatpak Cache"`
		`+ appowners:`
		`+ - leo`
		`+ - kevin`
		`+ - adamwill`
		`+ tags:`
		`+ - apply-appowners`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ file: imagestream.yml`
		`+ objectname: imagestream.yml`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ template: buildconfig.yml`
		`+ objectname: buildconfig.yml`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ file: storage.yml`
		`+ objectname: storage.yml`
		`+`
		`+ - role: openshift/secret-file`
		`+ app: flatpak-cache`
		`+ secret_name: flatpak-cache-ca`
		`+ key: ca.crt`
		`+ privatefile: "flatpak-cache-certs/{{env}}/pki/ca.crt"`
		`+`
		`+ - role: openshift/secret-file`
		`+ app: flatpak-cache`
		`+ secret_name: flatpak-cache-key`
		`+ key: ca.key`
		`+ privatefile: "flatpak-cache-certs/{{env}}/pki/ca.key"`
		`+`
		`+ - role: openshift/secret-file`
		`+ app: flatpak-cache`
		`+ secret_name: flatpak-cache-dhparam`
		`+ key: dh.pem`
		`+ privatefile: "flatpak-cache-certs/{{env}}/pki/dh.pem"`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ template: configmap.yml`
		`+ objectname: configmap.yml`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ file: service.yml`
		`+ objectname: service.yml`
		`+`
		`+ # Routes`
		`+ - role: openshift/route`
		`+ app: flatpak-cache`
		`+ routename: web`
		`+ host: "flatpak-cache.apps.ocp{{ env_suffix }}.fedoraproject.org"`
		`+ servicename: web`
		`+ serviceport: web`
		`+ annotations:`
		`+ haproxy.router.openshift.io/timeout: 5m`
		`+`
		`+ - role: openshift/object`
		`+ app: flatpak-cache`
		`+ template: deployment.yml`
		`+ objectname: deployment.yml`

roles/openshift-apps/flatpak-cache/files/imagestream.yml

file added

+10

		`@@ -0,0 +1,10 @@`
		`+ apiVersion: image.openshift.io/v1`
		`+ items:`
		`+ - apiVersion: image.openshift.io/v1`
		`+ kind: ImageStream`
		`+ metadata:`
		`+ name: flatpak-cache`
		`+ labels:`
		`+ build: flatpak-cache`
		`+ kind: List`
		`+ metadata: {}`

roles/openshift-apps/flatpak-cache/files/service.yml

file added

+15

		`@@ -0,0 +1,15 @@`
		`+ apiVersion: v1`
		`+ kind: Service`
		`+ metadata:`
		`+ name: flatpak-cache`
		`+ labels:`
		`+ app: flatpak-cache`
		`+ service: flatpak-cache`
		`+ namespace: flatpak-cache`
		`+ spec:`
		`+ ports:`
		`+ - name: web`
		`+ port: 80`
		`+ targetPort: 3128`
		`+ selector:`
		`+ deploymentconfig: flatpak-cache`

roles/openshift-apps/flatpak-cache/files/storage.yml

file added

+11

		`@@ -0,0 +1,11 @@`
		`+ apiVersion: v1`
		`+ kind: PersistentVolumeClaim`
		`+ metadata:`
		`+ name: data`
		`+ spec:`
		`+ accessModes:`
		`+ - ReadWriteMany`
		`+ resources:`
		`+ requests:`
		`+ storage: 20Gi`
		`+ storageClassName: ocs-storagecluster-cephfs`

roles/openshift-apps/flatpak-cache/templates/buildconfig.yml

file added

+42

		`@@ -0,0 +1,42 @@`
		`+ ---`
		`+ apiVersion: build.openshift.io/v1`
		`+ items:`
		`+ - apiVersion: build.openshift.io/v1`
		`+ kind: BuildConfig`
		`+ metadata:`
		`+ labels:`
		`+ build: flatpak-cache-build`
		`+ name: flatpak-cache-build`
		`+ spec:`
		`+ runPolicy: Serial`
		`+ source:`
		`+ dockerfile: \|-`
		`+ FROM fedora:39`
		`+ LABEL \`
		`+ name="flatpak-cache" \`
		`+ vendor="Fedora Infrastructure" \`
		`+ license="MIT"`
		`+ RUN dnf install -y \`
		`+ gettext \`
		`+ hostname \`
		`+ nss_wrapper \`
		`+ bind-utils \`
		`+ squid && \`
		`+ dnf autoremove -y && \`
		`+ dnf clean all -y`
		`+ RUN mkdir -p /var/spool/squid`
		`+ EXPOSE 80`
		`+ type: Dockerfile`
		`+ strategy:`
		`+ type: Docker`
		`+ dockerStrategy:`
		`+ noCache: true`
		`+ output:`
		`+ to:`
		`+ kind: ImageStreamTag`
		`+ name: flatpak-cache:latest`
		`+ triggers:`
		`+ - type: ImageChange`
		`+ - type: ConfigChange`
		`+ kind: List`
		`+ metadata: {}`

roles/openshift-apps/flatpak-cache/templates/configmap.yml

file added

+17

		`@@ -0,0 +1,17 @@`
		`+ {% macro load_file(filename) %}{% include filename %}{%- endmacro -%}`
		`+ ---`
		`+ apiVersion: v1`
		`+ kind: List`
		`+ metadata: {}`
		`+ items:`
		`+ - apiVersion: v1`
		`+ kind: ConfigMap`
		`+ metadata:`
		`+ name: flatpak-cache-configmap`
		`+ labels:`
		`+ app: flatpak-cache`
		`+ data:`
		`+ flatpak-cache.vcl: \|-`
		`+ {{ load_file('squid.conf') \| indent(6) }}`
		`+ start.sh: \|-`
		`+ {{ load_file('start.sh') \| indent(6) }}`

roles/openshift-apps/flatpak-cache/templates/deployment.yml

file added

+73

		`@@ -0,0 +1,73 @@`
		`+ - apiVersion: apps/v1`
		`+ kind: Deployment`
		`+ metadata:`
		`+ labels:`
		`+ app: flatpak-cache`
		`+ app.kubernetes.io/component: flatpak-cache`
		`+ app.kubernetes.io/instance: flatpak-cache`
		`+ app.kubernetes.io/name: flatpak-cache`
		`+ app.kubernetes.io/part-of: flatpak-cache-app`
		`+ name: flatpak-cache`
		`+ spec:`
		`+ progressDeadlineSeconds: 600`
		`+ replicas: 1`
		`+ revisionHistoryLimit: 10`
		`+ selector:`
		`+ matchLabels:`
		`+ app: flatpak-cache`
		`+ strategy:`
		`+ type: Recreate`
		`+ template:`
		`+ metadata:`
		`+ creationTimestamp: null`
		`+ labels:`
		`+ app: flatpak-cache`
		`+ deployment: flatpak-cache`
		`+ spec:`
		`+ containers:`
		`+ - env:`
		`+ volumeMounts:`
		`+ - name: config-volume`
		`+ mountPath: /etc/squid`
		`+ readOnly: true`
		`+ - name: data`
		`+ mountPath: /srv`
		`+ - name: flatpak-cache-ca-volume`
		`+ mountPath: /etc/pki/squid/ca`
		`+ readOnly: true`
		`+ - name: flatpak-cache-key-volume`
		`+ mountPath: /etc/pki/squid/key`
		`+ readOnly: true`
		`+ - name: flatpak-cache-dhparam`
		`+ mountPath: /etc/pki/squid/dhparam`
		`+ readOnly: true`
		`+ imagePullPolicy: Always`
		`+ name: flatpak-cache`
		`+ command:`
		`+ - bash`
		`+ args:`
		`+ - /etc/squid/start.sh`
		`+ resources: {}`
		`+ terminationMessagePath: /dev/termination-log`
		`+ terminationMessagePolicy: File`
		`+ dnsPolicy: ClusterFirst`
		`+ restartPolicy: Always`
		`+ schedulerName: default-scheduler`
		`+ securityContext: {}`
		`+ terminationGracePeriodSeconds: 30`
		`+ volumes:`
		`+ - name: config-volume`
		`+ configMap:`
		`+ name: flatpak-cache-configmap`
		`+ - name: data`
		`+ persistentVolumeClaim:`
		`+ claimName: data`
		`+ - name: flatpak-cache-ca-volume`
		`+ secret:`
		`+ secretName: flatpak-cache-ca`
		`+ - name: flatpak-cache-key-volume`
		`+ secret:`
		`+ secretName: flatpak-cache-key`
		`+ - name: flatpak-cache-dhparam-volume`
		`+ secret:`
		`+ secretName: flatpak-cache-dhparam`

roles/openshift-apps/flatpak-cache/templates/squid.conf

file added

+53

		`@@ -0,0 +1,53 @@`
		`+ acl openqa src 10.3.174.21-10.3.174.64`
		`+`
		`+ acl SSL_ports port 443`
		`+ acl Safe_ports port 80 443`
		`+ acl CONNECT method CONNECT`
		`+`
		`+ acl intermediate_fetching transaction_initiator certificate-fetching`
		`+ http_access allow intermediate_fetching`
		`+`
		`+ # Deny requests to certain unsafe ports`
		`+ http_access deny !Safe_ports`
		`+`
		`+ # Deny CONNECT to other than secure SSL ports`
		`+ http_access deny CONNECT !SSL_ports`
		`+`
		`+ # Only allow cachemgr access from openqa`
		`+ http_access allow openqa`
		`+`
		`+ # Only cache flathub`
		`+ acl cacheDomain dstdomain dl.flathub.org`
		`+ cache deny !cacheDomain`
		`+`
		`+ # And finally deny all other access to this proxy`
		`+ http_access deny all`
		`+`
		`+`
		`+ http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca/ca.crt tls-key=/etc/pki/squid/key/ca.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/pki/squid/dhparam/dh.pem`
		`+`
		`+ sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB`
		`+ sslcrtd_children 5`
		`+ ssl_bump server-first all`
		`+ ssl_bump stare all`
		`+ sslproxy_cert_error deny all`
		`+`
		`+ # Uncomment and adjust the following to add a disk cache directory.`
		`+ maximum_object_size 6 GB`
		`+ cache_dir ufs /srv/squid 20000 16 256`
		`+`
		`+ # Leave coredumps in the first cache dir`
		`+ coredump_dir /var/spool/squid`
		`+`
		`+ #`
		`+ # Add any of your own refresh_pattern entries above these.`
		`+ #`
		`+ refresh_pattern -i dl.flathub.org\/.* 1440 20% 10080 override-expire ignore-no-cache ignore-no-store ignore-private`
		`+ refresh_pattern . 0 20% 4320`
		`+`
		`+`
		`+ # <Client IP> <Username> [<Local Time>] "<Request Method> <Request URL> HTTP/<Protocol Version> <Response Status Code> \`
		`+ # <Sent reply size (with hdrs)> <Referer> <User Agent> <Squid Request Status>:<Squid Hierarchy Status>`
		`+ logformat combined %>a %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh`
		`+ access_log /var/log/squid/squid.log squid`
		`+ access_log /var/log/squid/access.log combined`
		`\ No newline at end of file`

roles/openshift-apps/flatpak-cache/templates/start.sh

file added

		`@@ -0,0 +1,3 @@`
		`+ exec squid`
		`+ --foreground`
		`+ -f /etc/squid/squid.conf`
		`\ No newline at end of file`

leo commented 6 months ago

This should implement a flatpak cache with varnish on openshift.

rebased onto b91fa5b6c055a27586b860d60c0aaef4e4d7a5ec

6 months ago

rebased onto 7e432f9be859012627ac2e7398c52d44ee7885cb

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/90d7c499e2914be4b99b17213a4b1612

fi-ansible-lint-diff : SUCCESS in 5m 38s
fi-yamllint-diff : SUCCESS in 4m 05s

fche commented 6 months ago

(openshift not openstack)

leo commented 6 months ago

Good catch... I keep confusing the two ;)

rebased onto b35d9f3a135f8e23d88e73a6eab45ea51caae937

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/efc9419d3ddf44de9b9fc6eadedfa198

fi-ansible-lint-diff : SUCCESS in 4m 19s
fi-yamllint-diff : SUCCESS in 3m 11s

rebased onto 17744913d45b3f0d7733f64702c8602c0ed5beae

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/58dbdd2879d7472cab624b08b411c3bf

fi-ansible-lint-diff : SUCCESS in 4m 30s
fi-yamllint-diff : SUCCESS in 3m 08s

rebased onto ef9157a60a70e348d894b7d0799806153941866f

6 months ago

rebased onto ef9157a60a70e348d894b7d0799806153941866f

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/368a55e1b3a94df890880a589951b397

fi-ansible-lint-diff : SUCCESS in 6m 04s
fi-yamllint-diff : SUCCESS in 2m 54s

darknao commented on line 5 of roles/openshift-apps/flatpak-cache/templates/start.sh 6 months ago

OpenShift containers run as non-root user. It's unlikely that you'll be able to bind port 80 inside that container. You might need to pick one > 1024.

rebased onto 9269502c4a3ff16b553f5a346f34e70ce308f607

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/4eb2645841fe4f2a80f8c20a14ef0c6c

fi-ansible-lint-diff : SUCCESS in 4m 09s
fi-yamllint-diff : SUCCESS in 3m 38s

rebased onto 5f93d8172e77ee405f89175aa3ad2773e3929186

6 months ago

zuul commented 6 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/9cf14a6ba6ab40ca8b3cb6cd7f53b34a

fi-ansible-lint-diff : SUCCESS in 5m 17s
fi-yamllint-diff : SUCCESS in 3m 05s

rebased onto 0990e44a7e95f68c030f656c78cde2c7870d860d

5 months ago

zuul commented 5 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/9e1136876a7249a8877a88e1363f5a81

fi-ansible-lint-diff : SUCCESS in 5m 26s
fi-yamllint-diff : SUCCESS in 3m 51s

kevin commented 5 months ago

So, not bad... but two items (one trivial, the other much harder):

minor:
* Probibly don't need 20G for the storage. varnish doesn't use disk, it's a memory cache, so it would all be in memory...

major:
tls is going to bite us here. ;(
http://dl.flathub.org seems to redirect to https://dl.flathub.org so perhaps we need to deal with https here? Also, we probibly don't want to pull http accross the net because we can't be too sure it wasn't tampered with. ;(

I can't recall if it's just as simple as changing port 80/443 and using https here, or if we need to do more in varnish to trust the cert, etc?

kevin commented 5 months ago

So, not bad... but two items (one trivial, the other much harder):

minor:
* Probibly don't need 20G for the storage. varnish doesn't use disk, it's a memory cache, so it would all be in memory...

I can't recall if it's just as simple as changing port 80/443 and using https here, or if we need to do more in varnish to trust the cert, etc?

1 new commit added