From: "Owen W. Taylor" otaylor@fishsoup.net
This is an initial attempt to create a configuration for flatpak-indexer to replace regindexer and add an image delta capability. The config here is derived from a working openshift configuration, but is untested in this form.
See: https://pagure.io/fedora-infrastructure/issue/9272
Open questions:
How to propagate content to the registry.fedoraproject.org reverse proxy
========================================================================
Currently the regindexer-generated content is rsync'ed from sundries to fedora-web/registry. How should this be done with flatpak-indexer running as an openshift app? Some possibilities that come to mind:
- Run a rsyncd within the openshift app (either as a separate deploymentconfig or as a sidecar to the indexer) and expose a route to it internally in Fedora infrastructure.
- Run a web server within the openshift app, expose a route to it internally in Fedora infrastructure, and reverse proxy the content on fedora-web/registry instead of rsync'ing it.
- Write the content onto a netapp volume, and mount that volume RO either on a host running rsyncd or directly on fedora-web/registry.
What to use for a redis image
=============================
Redis is used for caching and communication between the components. What redis image should be used?
- registry.redhat.io/rhel8/redis-5: needs configuration of a subscription
- docker.io/library/redis:5, centos/redis-5-centos7: we don't rely on such images currently
- Custom Dockerfile image built from fedora:32: how would rebuilds be triggered?
For the two other images needed here, I used ubi8 images - which aren't currently used elsewhere, but are presumably ok.
How to handle identifying versions to build for staging/production
==================================================================
I see that most openshift applications simply use 'staging'/'production' tags in the upstream repo, while a few take the approach of having specific hashes checked into the infrastructure ansible repository.
Is the upstream tag approach considered sufficiently secure? (Making the service write a malicious index could allow causing users to upgrade to arbitrary application binaries.)
Owen W. Taylor (1): Add a flatpak-indexer openshift service
 playbooks/openshift-apps/flatpak-indexer.yml        |  56 +++++
 .../reversepassproxy.registry-generic.conf          |  34 ++-
 .../flatpak-indexer/files/imagestream.yml           |  52 +++++
 .../flatpak-indexer/files/service.yml               |  16 ++
 .../flatpak-indexer/files/storage.yml               |  24 ++
 .../flatpak-indexer/templates/buildconfig.yml       |  84 +++++++
 .../flatpak-indexer/templates/configmap.yml         |  98 ++++++++
 .../templates/deploymentconfig.yml                  | 221 ++++++++++++++++++
 .../flatpak-indexer/templates/secret.yml            |  11 +
 roles/regindexer/build/tasks/main.yml               |  21 --
 roles/regindexer/build/templates/config.yaml        |  74 ------
 11 files changed, 584 insertions(+), 107 deletions(-)
 create mode 100644 playbooks/openshift-apps/flatpak-indexer.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/imagestream.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/service.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/storage.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/configmap.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/secret.yml
 delete mode 100644 roles/regindexer/build/tasks/main.yml
 delete mode 100644 roles/regindexer/build/templates/config.yaml
From: "Owen W. Taylor" otaylor@fishsoup.net
flatpak-indexer replaces regindexer for creating an index of Fedora Flatpaks. It adds an additional capability
Add a new openshift namespace: flatpak-indexer, with three deploymentconfigs in it:
- flatpak-indexer: generates the index
- flatpak-indexer-differ: worker(s) to run the expensive tardiff operation
- redis: used for cache and communication between indexer and differ
The staging version of the indexer targets the *production* bodhi/koji/registry, since we don't have useful Flatpak content in staging. This could be changed.
The registry reverse proxy configuration is updated to a slightly different set of generated indexes (the 'annotations' indexes for F31 and older are now suffixed with -annotations, and the 'labels' indexes unsuffixed.)
Signed-off-by: Owen W. Taylor otaylor@fishsoup.net
---
 playbooks/openshift-apps/flatpak-indexer.yml        |  56 +++++
 .../reversepassproxy.registry-generic.conf          |  34 ++-
 .../flatpak-indexer/files/imagestream.yml           |  52 +++++
 .../flatpak-indexer/files/service.yml               |  16 ++
 .../flatpak-indexer/files/storage.yml               |  24 ++
 .../flatpak-indexer/templates/buildconfig.yml       |  84 +++++++
 .../flatpak-indexer/templates/configmap.yml         |  98 ++++++++
 .../templates/deploymentconfig.yml                  | 221 ++++++++++++++++++
 .../flatpak-indexer/templates/secret.yml            |  11 +
 roles/regindexer/build/tasks/main.yml               |  21 --
 roles/regindexer/build/templates/config.yaml        |  74 ------
 11 files changed, 584 insertions(+), 107 deletions(-)
 create mode 100644 playbooks/openshift-apps/flatpak-indexer.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/imagestream.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/service.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/storage.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/configmap.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/secret.yml
 delete mode 100644 roles/regindexer/build/tasks/main.yml
 delete mode 100644 roles/regindexer/build/templates/config.yaml
diff --git a/playbooks/openshift-apps/flatpak-indexer.yml b/playbooks/openshift-apps/flatpak-indexer.yml new file mode 100644 index 000000000..c70d50f11 --- /dev/null +++ b/playbooks/openshift-apps/flatpak-indexer.yml @@ -0,0 +1,56 @@ +- name: make the app be real + hosts: os_masters_stg[0] + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: openshift/project + app: flatpak-indexer + description: Fedora Flatpak Indexer apps + appowners: + - otaylor + + - role: openshift/object + app: flatpak-indexer + template: secret.yml + objectname: secret.yml + + - role: openshift/object + app: flatpak-indexer + file: imagestream.yml + objectname: imagestream.yml + + - role: openshift/object + app: flatpak-indexer + template: buildconfig.yml + objectname: buildconfig.yml + + - role: openshift/object + app: flatpak-indexer + file: storage.yml + objectname: storage.yml + + - role: openshift/object + app: flatpak-indexer + template: configmap.yml + objectname: configmap.yml + + - role: openshift/start-build + app: flatpak-indexer + # This will trigger the main build via a imageChange trigger + buildname: flatpak-indexer-tardiff-build + + - role: openshift/object + app: flatpak-indexer + file: service.yml + objectname: service.yml + + - role: openshift/object + app: flatpak-indexer + template: deploymentconfig.yml + objectname: deploymentconfig.yml diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf index e41bdcf7e..e9d359697 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf 
@@ -32,37 +32,37 @@ RewriteRule ^/v2/(.*)$ http://oci-registry01:5000/v2/$1 [P,L] {% endif %} RewriteRule ^/v2/(.*)$ http://localhost:10048/v2/$1 [P,L]
-RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &tag=testing RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+) RewriteRule "^/index/static$" /index/flatpak-testing-%1.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &tag=testing RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+) -RewriteRule "^/index/static$" /index/flatpak-testing-%1-labels.json [L,PT] +RewriteRule "^/index/static$" /index/flatpak-testing-%1-annotations.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+) RewriteRule "^/index/static$" /index/flatpak-%1.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &architecture=([^&]+) -RewriteRule "^/index/static$" /index/flatpak-%1-labels.json [L,PT] +RewriteRule "^/index/static$" /index/flatpak-%1-annotations.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &tag=testing RewriteRule "^/index/static$" /index/flatpak-testing.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteCond "&%{QUERY_STRING}" &tag=testing -RewriteRule "^/index/static$" /index/flatpak-testing-labels.json [L,PT] +RewriteRule "^/index/static$" /index/flatpak-testing-annotations.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 RewriteRule "^/index/static$" /index/flatpak.json [L,PT]
-RewriteCond "&%{QUERY_STRING}" &label(%3A|:)org.flatpak.ref(%3A|:)exists=1 -RewriteRule "^/index/static$" /index/flatpak-labels.json [L,PT] +RewriteCond "&%{QUERY_STRING}" &annotation(%3A|:)org.flatpak.ref(%3A|:)exists=1 +RewriteRule "^/index/static$" /index/flatpak-annotations.json [L,PT]
DocumentRoot /srv/web/registry-index/
@@ -87,6 +87,7 @@ SSLOptions +FakeBasicAuth
Alias "/index/" "/srv/web/registry-index/index/" Alias "/app-icons/" "/srv/web/registry-index/icons/" +Alias "/deltas/" "/srv/web/registry-index/deltas/"
<Directory “/srv/web/registry-index/index/"> Options +FollowSymLinks @@ -106,3 +107,12 @@ Alias "/app-icons/" "/srv/web/registry-index/icons/" Options +Indexes Require all granted </Directory> + +<Directory "/srv/web/registry-index/deltas/"> + ExpiresActive on + ExpiresDefault "access plus 1 year" + + AllowOverride None + Options +Indexes + Require all granted +</Directory> diff --git a/roles/openshift-apps/flatpak-indexer/files/imagestream.yml b/roles/openshift-apps/flatpak-indexer/files/imagestream.yml new file mode 100644 index 000000000..a9d0b0cfd --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/files/imagestream.yml @@ -0,0 +1,52 @@ +--- +apiVersion: v1 +kind: ImageStream +metadata: + name: flatpak-indexer + labels: + build: flatpak-indexer +--- +apiVersion: v1 +kind: ImageStream +metadata: + name: flatpak-indexer-tardiff + labels: + build: flatpak-indexer-tardiff +--- +apiVersion: v1 +kind: ImageStream +metadata: + name: ubi8-go-toolset + labels: + build: flatpak-indexer + spec: + lookupPolicy: + local: false + tags: + - name: latest + from: + kind: DockerImage + name: registry.access.redhat.com/ubi8/go-toolset:latest + importPolicy: + scheduled: true + referencePolicy: + type: Source +--- +apiVersion: v1 +kind: ImageStream +metadata: + name: ubi8-python-38 + labels: + build: flatpak-indexer + spec: + lookupPolicy: + local: false + tags: + - name: latest + from: + kind: DockerImage + name: registry.access.redhat.com/ubi8/python-38:latest + importPolicy: + scheduled: true + referencePolicy: + type: Source diff --git a/roles/openshift-apps/flatpak-indexer/files/service.yml b/roles/openshift-apps/flatpak-indexer/files/service.yml new file mode 100644 index 000000000..8408b6dd1 --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/files/service.yml 
@@ -0,0 +1,16 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + name: redis +spec: + ports: + - name: 6379-tcp + port: 6379 + protocol: TCP + targetPort: 6379 + selector: + app: redis + deploymentconfig: redis diff --git a/roles/openshift-apps/flatpak-indexer/files/storage.yml b/roles/openshift-apps/flatpak-indexer/files/storage.yml new file mode 100644 index 000000000..8384d5e5f --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/files/storage.yml @@ -0,0 +1,24 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flatpak-indexer-storage +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi + storageClassName: "" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flatpak-indexer-redis-storage +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: "" diff --git a/roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml b/roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml new file mode 100644 index 000000000..c0d277f59 --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml 
@@ -0,0 +1,84 @@ +--- +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + labels: + app: flatpak-indexer + name: flatpak-indexer-tardiff-build +spec: + output: + to: + kind: ImageStreamTag + name: flatpak-indexer-tardiff:latest + runPolicy: Serial + source: + contextDir: differ + git: + uri: https://github.com/owtaylor/flatpak-indexer.git +{% if env == 'staging' %} + ref: "staging" +{% else %} + ref: "production" +{% endif %} + type: Git + strategy: + dockerStrategy: + from: + kind: ImageStreamTag + name: ubi8-go-toolset:latest + noCache: true + type: Docker + triggers: + - type: ConfigChange + - type: ImageChange + imageChange: {} +--- +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + labels: + app: flatpak-indexer + name: flatpak-indexer-build +spec: + output: + to: + kind: ImageStream + name: flatpak-indexer-tardiff:latest + postCommit: + command: + - tools/test.sh + runPolicy: Serial + source: + images: + - from: + kind: ImageStreamTag + name: flatpak-indexer-tardiff:latest + paths: + - destinationDir: bin + sourcePath: /opt/app-root/tar-diff + - destinationDir: bin + sourcePath: /usr/bin/time + git: + uri: https://pagure.io/flatpak-indexer.git +{% if env == 'staging' %} + ref: "staging" +{% else %} + ref: "production" +{% endif %} + type: Git + strategy: + sourceStrategy: + env: + - name: FLATPAK_INDEXER_UPDATE_TEST_DATA + value: "1" + from: + kind: ImageStreamTag + name: ubi8-python-38:latest + type: Source + triggers: + - type: ConfigChange + - type: ImageChange + imageChange: + from: + kind: ImageStreamTag + name: flatpak-indexer-tardiff:latest diff --git a/roles/openshift-apps/flatpak-indexer/templates/configmap.yml b/roles/openshift-apps/flatpak-indexer/templates/configmap.yml new file mode 100644 index 000000000..5c238c884 --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/templates/configmap.yml 
@@ -0,0 +1,98 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: indexer-config +data: + config.yaml: |- + redis_url: ${REDIS_URL} + redis_password: ${REDIS_PASSWORD} + koji_config: fedora + deltas_dir: ${OUTPUT_DIR}/deltas/ + icons_dir: ${OUTPUT_DIR}/icons/ +{% if env == 'staging' %} + deltas_uri: https://registry%7B%7B env_suffix }}fedoraproject.org/deltas/ + icons_uri: https://registry%7B%7B env_suffix }}fedoraproject.org/app-icons/ +{% else %} + deltas_uri: https://cdn.registry.fedoraproject.org/deltas/ + icons_uri: https://cdn.registry.fedoraproject.org/app-icons/ +{% endif %} + daemon: + update_interval: 1800 + registries: + fedora: + public_url: https://registry.fedoraproject.org/ + datasource: fedora + force_flatpak_token: true + indexes: + latest: + output: ${OUTPUT_DIR}/fedora/flatpak-latest.json + registry: fedora + tag: latest + bodhi_status: stable + extract_icons: True + delta_keep_days: 30 + latest-annotations: + output: ${OUTPUT_DIR}/fedora/flatpak-latest-annotations.json + registry: fedora + tag: latest + bodhi_status: stable + extract_icons: True + delta_keep_days: 30 + flatpak_annotations: True + latest-amd64: + output: ${OUTPUT_DIR}/fedora/flatpak-latest-amd64.json + registry: fedora + architecture: amd64 + tag: latest + bodhi_status: stable + extract_icons: True + delta_keep_days: 30 + latest-amd64-annotations: + output: ${OUTPUT_DIR}/fedora/flatpak-latest-amd64-annotations.json + registry: fedora + architecture: amd64 + tag: latest + bodhi_status: stable + extract_icons: True + delta_keep_days: 30 + flatpak_annotations: True + testing: + output: ${OUTPUT_DIR}/fedora/flatpak-testing.json + registry: fedora + tag: testing + bodhi_status: testing + extract_icons: True + testing-annotations: + output: ${OUTPUT_DIR}/fedora/flatpak-testing-annotations.json + registry: fedora + tag: testing + bodhi_status: testing + extract_icons: True + flatpak_annotations: True + testing-amd64: + output: ${OUTPUT_DIR}/fedora/flatpak-testing-amd64.json + 
registry: fedora + architecture: amd64 + tag: testing + bodhi_status: testing + extract_icons: True + testing-amd64-annotations: + output: ${OUTPUT_DIR}/fedora/flatpak-testing-amd64-annotations.json + registry: fedora + architecture: amd64 + tag: testing + bodhi_status: testing + extract_icons: True + flatpak_annotations: True +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: koji-conf +data: + koji.conf: |- + [fedora] + server = https://koji.fedoraproject.org/kojihub + weburl = https://koji.fedoraproject.org/koji + topurl = https://kojipkgs.fedoraproject.org/ diff --git a/roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml b/roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml new file mode 100644 index 000000000..23f15fdd6 --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml 
@@ -0,0 +1,221 @@ +--- +kind: DeploymentConfig +apiVersion: apps.openshift.io/v1 +metadata: + labels: + app: flatpak-indexer + name: flatpak-indexer +spec: + replicas: 1 + selector: + app: flatpak-indexer + deploymentconfig: flatpak-indexer + strategy: + activeDeadlineSeconds: 21600 + resources: {} + rollingParams: + intervalSeconds: 1 + maxSurge: 25% + maxUnavailable: 25% + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + labels: + app: flatpak-indexer + deploymentconfig: flatpak-indexer + spec: + containers: + - env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-password + key: password + - name: REDIS_URL + value: redis://redis.flatpak.svc.cluster.local:6379 + image: flatpak-indexer:latest + name: flatpak-indexer + ports: + - containerPort: 8080 + protocol: TCP + resources: {} + volumeMounts: + - mountPath: /etc/flatpak-indexer + name: indexer-config-volume + readOnly: true + - mountPath: /etc/koji.conf + name: koji-conf-volume + readOnly: true + - mountPath: /var/www/flatpaks + name: index-output-volume + - mountPath: /etc/tls/flatpak-indexer + name: flatpak-indexer-crt-volume + dnsPolicy: ClusterFirst + restartPolicy: Always + volumes: + - configMap: + defaultMode: 420 + name: indexer-config + name: indexer-config-volume + - configMap: + defaultMode: 420 + name: koji-conf + name: koji-conf-volume + - name: index-output-volume + persistentVolumeClaim: + claimName: flatpak-indexer-storage + test: false + triggers: + - type: ConfigChange + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - flatpak-indexer-differ + from: + kind: ImageStreamTag + name: flatpak-indexer:latest +--- +kind: DeploymentConfig +apiVersion: apps.openshift.io/v1 +metadata: + labels: + app: flatpak-indexer-differ + name: flatpak-indexer-differ +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + app: flatpak-indexer-differ + deploymentconfig: flatpak-indexer-differ + strategy: + 
activeDeadlineSeconds: 21600 + resources: {} + rollingParams: + intervalSeconds: 1 + maxSurge: 25% + maxUnavailable: 25% + timeoutSeconds: 600 + updatePeriodSeconds: 1 + type: Rolling + template: + metadata: + labels: + app: flatpak-indexer-differ + deploymentconfig: flatpak-indexer-differ + spec: + containers: + - env: + - name: FLATPAK_INDEXER_COMMAND + value: differ + - name: REDISCLI_AUTH + valueFrom: + secretKeyRef: + name: redis-password + key: password + - name: REDIS_URL + value: redis://redis.flatpak.svc.cluster.local:6379 + image: flatpak-indexer:latest + name: flatpak-indexer-differ + ports: + - containerPort: 8080 + protocol: TCP + resources: + requests: + cpu: 2 + memory: 1Gi + limits: + cpu: 2 + memory: 3Gi + volumeMounts: + - mountPath: /etc/flatpak-indexer + name: indexer-config-volume + readOnly: true + - mountPath: /var/www/flatpaks + name: index-output-volume + dnsPolicy: ClusterFirst + restartPolicy: Always + volumes: + - configMap: + defaultMode: 420 + name: indexer-config + name: indexer-config-volume + - name: index-output-volume + persistentVolumeClaim: + claimName: flatpak-indexer-storage + test: false + triggers: + - type: ConfigChange + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - flatpak-indexer-differ + from: + kind: ImageStreamTag + name: flatpak-indexer:latest +--- +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + labels: + app: redis + name: redis +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + app: redis + deploymentconfig: redis + strategy: + activeDeadlineSeconds: 21600 + # Recreate so that the old pod is stopped before the new pod is created. 
+ # Could also use a StatefulSet + type: Recreate + template: + metadata: + labels: + app: redis + deploymentconfig: redis + spec: + containers: + - env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-password + key: password + image: rhel8/redis-5 + imagePullPolicy: Always + livenessProbe: + exec: + command: ['redis-cli', 'ping'] + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: redis + ports: + - containerPort: 6379 + protocol: TCP + readinessProbe: + exec: + command: ['redis-cli', 'ping'] + failureThreshold: 3 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + volumeMounts: + - mountPath: /var/lib/redis/data + name: redis-data-volume + dnsPolicy: ClusterFirst + restartPolicy: Always + volumes: + - name: redis-data-volume + persistentVolumeClaim: + claimName: flatpak-indexer-redis-storage + test: false diff --git a/roles/openshift-apps/flatpak-indexer/templates/secret.yml b/roles/openshift-apps/flatpak-indexer/templates/secret.yml new file mode 100644 index 000000000..c53a6ce4e --- /dev/null +++ b/roles/openshift-apps/flatpak-indexer/templates/secret.yml @@ -0,0 +1,11 @@ +--- +kind: Secret +apiVersion: v1 +metadata: + name: redis-password +data: +{% if env == 'staging' %} + password: {{ stg_flatpak_indexer_redis_password }} +{% else %} + password: {{ prod_flatpak_indexer_redis_password }} +{% endif %} diff --git a/roles/regindexer/build/tasks/main.yml b/roles/regindexer/build/tasks/main.yml deleted file mode 100644 index c60c87e6a..000000000 --- a/roles/regindexer/build/tasks/main.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: install needed packages - package: name=regindexer state=installed - tags: - - packages - - regindexer - -- name: make sure regindexer owns it's own files - file: path=/var/lib/regindexer recurse=yes owner=regindexer group=regindexer - tags: - - regindexer - -- name: Install config.yaml file - template: src=config.yaml dest=/etc/regindexer/config.yaml - tags: - - regindexer - -- name: enable service - service: name=regindexer state=started enabled=true - tags: - - regindexer diff --git a/roles/regindexer/build/templates/config.yaml b/roles/regindexer/build/templates/config.yaml deleted file mode 100644 index 7b30290f8..000000000 --- a/roles/regindexer/build/templates/config.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -icons_dir: /var/lib/regindexer/icons/ -icons_uri: /app-icons/ -indexes: - flatpak: - output: /var/lib/regindexer/index/flatpak.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['latest'] - required_annotations: ['org.flatpak.ref'] - skip_flatpak_labels: True - extract_icons: True - flatpak_labels: - output: /var/lib/regindexer/index/flatpak-labels.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['latest'] - required_labels: ['org.flatpak.ref'] - skip_flatpak_annotations: True - extract_icons: True - flatpak_testing: - output: /var/lib/regindexer/index/flatpak-testing.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['testing'] - required_annotations: ['org.flatpak.ref'] - skip_flatpak_labels: True - extract_icons: True - flatpak_testing_labels: - output: /var/lib/regindexer/index/flatpak-testing-labels.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['testing'] - required_labels: ['org.flatpak.ref'] - skip_flatpak_annotations: True - extract_icons: True - flatpak_amd64: - output: /var/lib/regindexer/index/flatpak-amd64.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['latest'] - required_annotations: ['org.flatpak.ref'] - architectures: ['amd64'] - skip_flatpak_labels: True - extract_icons: True - flatpak_amd64_labels: - output: /var/lib/regindexer/index/flatpak-amd64-labels.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['latest'] - required_labels: ['org.flatpak.ref'] - architectures: ['amd64'] - skip_flatpak_annotations: True - extract_icons: True - flatpak_testing_amd64: - output: /var/lib/regindexer/index/flatpak-testing-amd64.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: 
['testing'] - required_annotations: ['org.flatpak.ref'] - architectures: ['amd64'] - skip_flatpak_labels: True - extract_icons: True - flatpak_testing_amd64_labels: - output: /var/lib/regindexer/index/flatpak-testing-amd64-labels.json - registry: https://registry%7B%7B env_suffix }}.fedoraproject.org - registry_public: / - tags: ['testing'] - required_labels: ['org.flatpak.ref'] - architectures: ['amd64'] - skip_flatpak_annotations: True - extract_icons: True -daemon: - topic_prefix: org.fedoraproject - environment: "{{ fedmsg_env }}"
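Review bot: playbooks/openshift-apps/flatpak-indexer.yml targets only `hosts: os_masters_stg[0]`, so the `{% else %}` production branches in buildconfig.yml, configmap.yml and secret.yml (ref "production", the cdn.registry.fedoraproject.org URIs, `prod_flatpak_indexer_redis_password`) can never be applied by this playbook. Either add the production masters group alongside the staging one, as the other openshift-apps playbooks do, or say in the commit message that this is deliberately staging-only for now.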
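Review bot: the new `<Directory "/srv/web/registry-index/deltas/">` block in reversepassproxy.registry-generic.conf sets `ExpiresDefault "access plus 1 year"` while configmap.yml prunes deltas with `delta_keep_days: 30`. A one-year client/CDN cache is only safe if a delta file name is never reused for different bytes; that property should be stated in the commit message, since a stale or wrong delta served from cache cannot be corrected for a year. `Options +Indexes` also exposes a listing of every delta, which matches the existing index directory but is worth a deliberate choice.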
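Review bot: in buildconfig.yml the `flatpak-indexer-build` output is `kind: ImageStream` with `name: flatpak-indexer-tardiff:latest`, whereas the first BuildConfig uses `kind: ImageStreamTag`, and both DeploymentConfigs consume `flatpak-indexer:latest`, which nothing in this patch produces. It should read `kind: ImageStreamTag` / `name: flatpak-indexer:latest`; as written the main build would overwrite the tardiff image and, through its own ImageChange trigger on flatpak-indexer-tardiff:latest, re-trigger itself. Separately, the two builds track branches in two different upstreams (https://github.com/owtaylor/flatpak-indexer.git for the differ, https://pagure.io/flatpak-indexer.git for the indexer); given the cover letter's question about whether branch-tracking is secure enough for a service that writes the index, both repositories need the same access control, and a single source is easier to pin later.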
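Review bot: in configmap.yml the staging `deltas_uri` and `icons_uri` are `https://registry%7B%7B env_suffix }}fedoraproject.org/...` with no `.` between the suffix and `fedoraproject.org`, while the removed regindexer config.yaml used `registry%7B%7B env_suffix }}.fedoraproject.org`; add the dot or the staging URL will be malformed. Also `config.yaml` references `${OUTPUT_DIR}` but neither DeploymentConfig sets `OUTPUT_DIR` in `env`; if the image defines it, a comment saying so would help, otherwise set it explicitly to the `/var/www/flatpaks` mount path.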
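Review bot: deploymentconfig.yml has several copy-paste defects in the `flatpak-indexer` DeploymentConfig: its ImageChange trigger lists `containerNames: - flatpak-indexer-differ` but the container is named `flatpak-indexer`, so new images will never roll out; the container mounts `flatpak-indexer-crt-volume` at `/etc/tls/flatpak-indexer` but no such volume is declared under `volumes:`, so the pod cannot be created; and `REDIS_URL` is `redis://redis.flatpak.svc.cluster.local:6379` although the playbook creates the namespace `flatpak-indexer` (inside the namespace plain `redis` resolves). The indexer passes the password as `REDIS_PASSWORD` while the differ uses `REDISCLI_AUTH`; pick one, and note that the redis pod's `redis-cli ping` liveness/readiness probes carry no credentials, so once the password is enforced they get NOAUTH rather than PONG and should be checked against that. The redis container also uses a bare `image: rhel8/redis-5` with `imagePullPolicy: Always` and no ImageStream, so the pull source is implicit; the cover letter already flags that this image needs a subscription. Finally, mounting the `koji-conf` ConfigMap at `/etc/koji.conf` without `subPath` produces a directory `/etc/koji.conf/koji.conf`; confirm that is where `koji_config: fedora` is read from.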
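Review bot: secret.yml puts `password: {{ stg_flatpak_indexer_redis_password }}` under `data:`, which Kubernetes requires to be base64-encoded; unless the private vars already hold base64 values, use `stringData:` so the plain value is accepted, and quote the value so a password made of digits is not parsed as a number.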
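Review bot: deleting roles/regindexer/build/tasks/main.yml and templates/config.yaml removes the role, but the patch does not touch whatever playbook invoked it or the sundries rsync job the cover letter describes; if anything still references `roles/regindexer/build` that run will fail, and since the reverse proxy keeps serving `/index/` and `/app-icons/` from `/srv/web/registry-index/`, the propagation question in the cover letter should be settled before the old path is removed.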
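To check the rule ordering the commit message describes (which index file an `/index/static?...` query resolves to before and after the `-annotations`/`-labels` swap), here is an added Python model of the RewriteCond chain in reversepassproxy.registry-generic.conf; it is not part of the patch, and the rule table and the `after_patch` flag are its own construction mirroring the regexes in the diff.

```python
import re
from typing import List, Optional, Tuple

# The config matches each condition against "&" + QUERY_STRING, so every
# parameter is anchored on its leading "&".  The regexes are copied from the
# diff, including the unescaped dots in org.flatpak.ref and the (%3A|:)
# alternation that accepts both raw and percent-encoded colons.
_FLATPAK_REF = r"(%3A|:)org.flatpak.ref(%3A|:)exists=1"
_COND = {
    "label": re.compile(r"&label" + _FLATPAK_REF),
    "annotation": re.compile(r"&annotation" + _FLATPAK_REF),
    "testing": re.compile(r"&tag=testing"),
    "arch": re.compile(r"&architecture=([^&]+)"),
}

# (ref_kind, needs tag=testing, needs architecture, target) in file order.
# mod_rewrite evaluates the groups top to bottom and the [L] flag stops at the
# first group whose conditions all match, so the order is part of the contract.
def _rules(after_patch: bool) -> List[Tuple[str, bool, bool, str]]:
    if after_patch:
        # patched: 'label' indexes are unsuffixed, 'annotation' ones get -annotations
        first, second, suffix = "label", "annotation", "-annotations"
    else:
        # pre-patch: 'annotation' indexes were unsuffixed, 'label' ones got -labels
        first, second, suffix = "annotation", "label", "-labels"
    return [
        (first, True, True, "/index/flatpak-testing-{arch}.json"),
        (second, True, True, f"/index/flatpak-testing-{{arch}}{suffix}.json"),
        (first, False, True, "/index/flatpak-{arch}.json"),
        (second, False, True, f"/index/flatpak-{{arch}}{suffix}.json"),
        (first, True, False, "/index/flatpak-testing.json"),
        (second, True, False, f"/index/flatpak-testing{suffix}.json"),
        (first, False, False, "/index/flatpak.json"),
        (second, False, False, f"/index/flatpak{suffix}.json"),
    ]


def resolve_static_index(query_string: str, after_patch: bool = True) -> Optional[str]:
    """Return the file /index/static is rewritten to for this query string,
    or None when no rule group matches (the request then falls through)."""
    qs = "&" + query_string
    for kind, needs_testing, needs_arch, target in _rules(after_patch):
        if not _COND[kind].search(qs):
            continue
        if needs_testing and not _COND["testing"].search(qs):
            continue
        arch = None
        if needs_arch:
            # %1 in the RewriteRule is the capture of the last RewriteCond that
            # matched; in every group that uses it, that is the architecture cond.
            m = _COND["arch"].search(qs)
            if not m:
                continue
            arch = m.group(1)
        return target.format(arch=arch)
    return None


if __name__ == "__main__":
    # Constructed sample queries, as a Flatpak client would send them.
    for q in (
        "label:org.flatpak.ref:exists=1&tag=testing&architecture=amd64",
        "annotation%3Aorg.flatpak.ref%3Aexists=1&architecture=amd64",
        "label:org.flatpak.ref:exists=1",
        "tag=testing",
    ):
        print(f"{q!r}: before={resolve_static_index(q, False)} after={resolve_static_index(q)}")
```

Running it side by side with the actual proxy (curl against /index/static with the same query strings) is a cheap way to confirm that the deployed rule order matches this table.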
Missed that https://pagure.io/Fedora-Infra/ansible now exists. I'll post the next version there as a pull-request, but unless anybody requests otherwise, I'll leave this here for now, since the questions in my cover letter are probably better on the mailing list anyways.
Thanks, Owen
On Fri, Sep 11, 2020 at 2:49 PM Owen Taylor otaylor@redhat.com wrote:
From: "Owen W. Taylor" otaylor@fishsoup.net
This is an initial attempt to create a configuration for flatpak-indexer to replace regindexer and add an image delta capability. The config here is derived from a working openshift configuration, but is untested in this form.
See: https://pagure.io/fedora-infrastructure/issue/9272
Open questions:
How to propagate content to the registry.fedoraproject.org reverse proxy
Currently the regindexer-generated content is rsync'ed from sundries to fedora-web/registry. How should this be done with flatpak-indexer running as an openshift app? Some possibilities that come to mind:
- Run a rsyncd within the openshift app (either as a separate deploymentconfig or as a sidecar to the indexer) and expose a route to it internally in Fedora infrastructure.
- Run a web server within the openshift app, expose a route to it internally in Fedora infrastructure, and reverse proxy the content on fedora-web/registry instead of rsync'ing it.
- Write the content onto a netapp volume, and mount that volume RO either on a host running rsyncd or directly on fedora-web/registry.
What to use for a redis image
Redis is used for caching and communication between the components. What redis image should be used?
- registry.redhat.io/rhel8/redis-5: needs configuration of a subscription
- docker.io/library/redis:5, centos/redis-5-centos7: we don't rely on such images currently
- Custom Dockerfile image built from fedora:32: how would rebuilds be triggered?
For the two other images needed here, I used ubi8 images - which aren't currently used elsewhere, but are presumably ok.
How to handle identifying versions to build for staging/production
I see that most openshift applications simply use 'staging'/'production' tags in the upstream repo, while a few take the approach of having specific hashes checked into the infrastructure ansible repository.
Is the upstream tag approach considered sufficiently secure? (Making the service write a malicious index could allow causing users to upgrade to arbitrary application binaries.)
Owen W. Taylor (1): Add a flatpak-indexer openshift service
 playbooks/openshift-apps/flatpak-indexer.yml        |  56 +++++
 .../reversepassproxy.registry-generic.conf          |  34 ++-
 .../flatpak-indexer/files/imagestream.yml           |  52 +++++
 .../flatpak-indexer/files/service.yml               |  16 ++
 .../flatpak-indexer/files/storage.yml               |  24 ++
 .../flatpak-indexer/templates/buildconfig.yml       |  84 +++++++
 .../flatpak-indexer/templates/configmap.yml         |  98 ++++++++
 .../templates/deploymentconfig.yml                  | 221 ++++++++++++++++++
 .../flatpak-indexer/templates/secret.yml            |  11 +
 roles/regindexer/build/tasks/main.yml               |  21 --
 roles/regindexer/build/templates/config.yaml        |  74 ------
 11 files changed, 584 insertions(+), 107 deletions(-)
 create mode 100644 playbooks/openshift-apps/flatpak-indexer.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/imagestream.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/service.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/files/storage.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/buildconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/configmap.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/deploymentconfig.yml
 create mode 100644 roles/openshift-apps/flatpak-indexer/templates/secret.yml
 delete mode 100644 roles/regindexer/build/tasks/main.yml
 delete mode 100644 roles/regindexer/build/templates/config.yaml
On Fri, Sep 11, 2020 at 02:48:03PM -0400, Owen Taylor wrote:
From: "Owen W. Taylor" otaylor@fishsoup.net
This is an initial attempt to create a configuration for flatpak-indexer to replace regindexer and add an image delta capability. The config here is derived from a working openshift configuration, but is untested in this form.
Sorry this has languished so long. ;(
Open questions:
How to propagate content to the registry.fedoraproject.org reverse proxy
Currently the regindexer-generated content is rsync'ed from sundries to fedora-web/registry. How should this be done with flatpak-indexer running as an openshift app? Some possibilities that come to mind:
- Run a rsyncd within the openshift app (either as a separate deploymentconfig or as a sidecar to the indexer) and expose a route to it internally in Fedora infrastructure.
- Run a web server within the openshift app, expose a route to it internally in Fedora infrastructure, and reverse proxy the content on fedora-web/registry instead of rsync'ing it.
- Write the content onto a netapp volume, and mount that volume RO either on a host running rsyncd or directly on fedora-web/registry.
I think the last one is the easiest here. We can just mount the volume on sundries and re-use the existing rsync setup to deploy it out to proxies. I would imagine the volume could be very small?
So basically:
- make small netapp volume
- mount on sundries
- mount in the openshift pod
- pod writes content out, sundries rsyncs it to proxies.
> What to use for a redis image
>
> Redis is used for caching and communication between the components. What redis image should be used?
> - registry.redhat.io/rhel8/redis-5: needs configuration of a subscription
> - docker.io/library/redis:5, centos/redis-5-centos7: don't rely on such images currently
> - Custom Dockerfile image built from fedora:32: how would rebuilds be triggered?
I wonder, would it be possible to use rabbitmq instead? Then we could just use our existing cluster?
If that's not possible/easy, I guess I would go with a fedora:latest image, rebuilt on us deploying, or manually when we want to rebuild?
> For the two other images needed here, I used ubi8 images - which aren't currently used elsewhere, but are presumably ok.
Yeah, I would think that would be fine.
> How to handle identifying versions to build for staging/production
>
> I see that most openshift applications simply use 'staging'/'production' tags in the upstream repo, while a few take the approach of having specific hashes checked into the infrastructure ansible repository.
> Is the upstream tag approach considered sufficiently secure? (Making the service write a malicious index could allow causing users to upgrade to arbitrary application binaries.)
Well, I think it's fine as long as we control/monitor the upstream repos here. If the upstream repo updates, we should know who did it and why?
I'm perfectly fine also with the hash...
kevin --
Owen W. Taylor (1): Add a flatpak-indexer openshift service