From 7ac929023489141c6f0e29139fb311fc954e957b Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Wed, 7 Sep 2022 15:31:51 +0200
Subject: [PATCH 01/10] Updating Route handling to comply with *.cern.ch or
 other custom domains

---
 controllers/drupalsite_resources.go | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 77ad8597..ea91801d 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -24,6 +24,8 @@ import (
 	"io/ioutil"
 	"math/rand"
 	"net/url"
+	"path"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -1487,9 +1489,25 @@ func serviceForDrupalSite(currentobject *corev1.Service, d *webservicesv1a1.Drup
 // routeForDrupalSite returns a route object
 func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalSite, Url string) error {
 	addOwnerRefToObject(currentobject, asOwner(d))
-	currentobject.Spec.TLS = &routev1.TLSConfig{
-		InsecureEdgeTerminationPolicy: "Redirect",
-		Termination:                   "edge",
+	if currentobject.Annotations == nil {
+		currentobject.Annotations = map[string]string{}
+	}
+	if currentobject.Labels == nil {
+		currentobject.Labels = map[string]string{}
+	}
+	// If the route we are trying to create is not covered by the wildcard certificate
+	// (Those being '*.web.cern.ch' or '*.cern'`, we also include "*.webtest.cern.ch" but not ".*app.cern.ch" nor ".*docs.cern.ch" as these are not expected to be used on Drupal)
+	// we add an annotation so the Openshift-acme creates one certificate for us,
+	// more info on the Openshift-acme: https://gitlab.cern.ch/paas-tools/okd4-deployment/openshift-acme
+	// MR with change: https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/merge_requests/188
+	matchesSupportedDomains, _ := regexp.MatchString(".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch", Url)
+	if !(matchesSupportedDomains) {
+		currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
+	} else {
+		currentobject.Spec.TLS = &routev1.TLSConfig{
+			InsecureEdgeTerminationPolicy: "Redirect",
+			Termination:                   "edge",
+		}
 	}
 	currentobject.Spec.To = routev1.RouteTargetReference{
 		Kind:   "Service",
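Review bot: The pattern passed to `regexp.MatchString` in `routeForDrupalSite` is looser than the comment above it describes: the dots are unescaped, nothing anchors the start, `.*cern$` accepts any host whose name merely ends in `cern`, and the `webtest` alternative has no `$`, so a host that only contains `.webtest.cern.ch` also matches. A host matched by accident does not get the `kubernetes.io/tls-acme` annotation, so it is presumably left on a wildcard certificate that does not cover it. An anchored and escaped pattern, for example `^[^.]+\.(web|webtest)\.cern\.ch$|^[^.]+\.cern$` if single-label wildcards are what is meant, compiled once with `regexp.MustCompile`, would match what the comment says. The same loose form reappears in the `values.yaml` hunks of patches 06 and 08 and in the `routeForDrupalSite` hunk of patch 09; the function body continues beyond this hunk.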
-- 
GitLab


From 167af81a5ac1d4c6e560166ab7f839815882fe21 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Fri, 5 May 2023 09:27:15 +0200
Subject: [PATCH 02/10] Updating Regex to be received as input for domains
 covered by the provided certificate

---
 chart/drupalsite-operator/values.yaml |  2 ++
 controllers/drupalsite_controller.go  |  2 ++
 controllers/drupalsite_resources.go   | 41 +++++++++++++++++++++------
 main.go                               |  2 +-
 4 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/chart/drupalsite-operator/values.yaml b/chart/drupalsite-operator/values.yaml
index b7450610..40385322 100644
--- a/chart/drupalsite-operator/values.yaml
+++ b/chart/drupalsite-operator/values.yaml
@@ -33,3 +33,5 @@ drupalsiteOperator:
   clusterName: {}
   easystartBackupName: ""
   veleroBackupStorageLocation: "default"
+  # By default we set everything, because then there's no certificate applies
+  wildcardDelegatedDomainsRegex: ".*"
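Review bot: The comment on the new `wildcardDelegatedDomainsRegex` key does not say what the value controls, and its wording is hard to parse. With `.*` every host matches, so `routeForDrupalSite` (changed in this same patch) treats every route as covered by the wildcard certificate and never adds the `kubernetes.io/tls-acme` annotation. I would word it as `# Regex of hostnames covered by the cluster's wildcard certificate; routes whose host does not match are annotated for openshift-acme. ".*" disables ACME requests entirely.`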
diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index 83e81745..5ad915f6 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -84,6 +84,8 @@ var (
 	SupportedDrupalVersionName string
 	// VeleroBackupStorageLocation refers to the name of the Velero backupStorageLocation to be used
 	VeleroBackupStorageLocation string
+	// WildcardDelegatedDomainsRegex refers to the pattern of subdomains that are covered by the included certificate
+	WildcardDelegatedDomainsRegex string
 )
 
 // DrupalSiteReconciler reconciles a DrupalSite object
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index ea91801d..4f34037b 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -217,6 +217,26 @@ ensureResourceX ensure the requested resource is created, with the following val
   - backup_schedule: Velero Schedule for scheduled backups of the drupalSite
   - tekton_extra_perm_rbac: ClusterRoleBinding for tekton tasks
   - gitlab_trigger_secret: Secret for Gitlab trigger config in buildconfig
+  - pvc_drupal: PersistentVolume for the drupalsite
+  - site_install_job: Kubernetes Job for the drush ensure-site-install
+  - clone_job: Kubernetes Job for cloning a drupal site
+  - easystart_taskrun: Taskrun for restoring easystart backup
+  - is_base: ImageStream for sitebuilder-base
+  - is_s2i: ImageStream for S2I sitebuilder
+  - bc_s2i: BuildConfig for S2I sitebuilder
+  - deploy_drupal: <moved to `ensureDrupalDeployment`>
+  - svc_nginx: Service for Nginx
+  - cm_php: ConfigMap for PHP-FPM
+  - cm_nginx_global: ConfigMap for Nginx global settings (performance)
+  - cm_settings: ConfigMap for `settings.php`
+  - cm_php_cli: ConfigMap for 'config.ini' for PHP CLI
+  - route: Route for the drupalsite
+  - oidc_return_uri: Redirection URI for OIDC
+  - dbod_cr: DBOD custom resource to establish database & respective connection for the drupalsite
+  - webdav_secret: Secret with credential for WebDAV
+  - backup_schedule: Velero Schedule for scheduled backups of the drupalSite
+  - tekton_extra_perm_rbac: ClusterRoleBinding for tekton tasks
+  - gitlab_trigger_secret: Secret for Gitlab trigger config in buildconfig
 */
 func (r *DrupalSiteReconciler) ensureResourceX(ctx context.Context, d *webservicesv1a1.DrupalSite, resType string, log logr.Logger) (transientErr reconcileError) {
 	switch resType {
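Review bot: The twenty entries added to the `ensureResourceX` doc comment look like a second copy of a list that is already there: the last three added lines (`backup_schedule`, `tekton_extra_perm_rbac`, `gitlab_trigger_secret`) repeat the three context lines directly above the addition word for word. This is probably a rebase or merge leftover and is unrelated to the route change. I would drop the added lines so each resource type is listed once; the start of the comment is outside this hunk, so the rest of the overlap cannot be confirmed from here.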
@@ -1486,7 +1506,7 @@ func serviceForDrupalSite(currentobject *corev1.Service, d *webservicesv1a1.Drup
 	return nil
 }
 
-// routeForDrupalSite returns a route object
+// routeForDrupalSite returns a route object with expected values
 func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalSite, Url string) error {
 	addOwnerRefToObject(currentobject, asOwner(d))
 	if currentobject.Annotations == nil {
@@ -1495,20 +1515,25 @@ func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalS
 	if currentobject.Labels == nil {
 		currentobject.Labels = map[string]string{}
 	}
+	if currentobject.Spec.TLS == nil {
+		currentobject.Spec.TLS = &routev1.TLSConfig{}
+	}
+	if currentobject.Spec.Port == nil {
+		currentobject.Spec.Port = &routev1.RoutePort{}
+	}
 	// If the route we are trying to create is not covered by the wildcard certificate
-	// (Those being '*.web.cern.ch' or '*.cern'`, we also include "*.webtest.cern.ch" but not ".*app.cern.ch" nor ".*docs.cern.ch" as these are not expected to be used on Drupal)
 	// we add an annotation so the Openshift-acme creates one certificate for us,
+	// As of May 2023 this is the expected pattern:
+	// https://gitlab.cern.ch/paas-tools/okd4-install/-/blob/master/chart/templates/_shared_subdomains_regex.tpl
 	// more info on the Openshift-acme: https://gitlab.cern.ch/paas-tools/okd4-deployment/openshift-acme
 	// MR with change: https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/merge_requests/188
-	matchesSupportedDomains, _ := regexp.MatchString(".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch", Url)
+	matchesSupportedDomains, _ := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)
 	if !(matchesSupportedDomains) {
 		currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
-	} else {
-		currentobject.Spec.TLS = &routev1.TLSConfig{
-			InsecureEdgeTerminationPolicy: "Redirect",
-			Termination:                   "edge",
-		}
 	}
+	currentobject.Spec.TLS.InsecureEdgeTerminationPolicy = "Redirect"
+	currentobject.Spec.TLS.Termination = "edge"
+	currentobject.Spec.Port.TargetPort = intstr.FromInt(8080),
 	currentobject.Spec.To = routev1.RouteTargetReference{
 		Kind:   "Service",
 		Name:   d.Name,
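Review bot: The error from `regexp.MatchString` is discarded, which matters now that the pattern comes from the `WildcardDelegatedDomainsRegex` flag instead of a literal: an invalid pattern yields `false`, and every route silently gets the `kubernetes.io/tls-acme` annotation. Since the function already returns `error`, `matchesSupportedDomains, err := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)` followed by `if err != nil { return err }` would surface it, and compiling the pattern once at startup would be better still. The annotation is also only ever added, so a route whose host later matches would keep it if reconciliation reuses the existing object. The trailing comma after `intstr.FromInt(8080)` does not compile. The same discarded error returns in patch 10's hunk of this function, whose body continues beyond this hunk.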
diff --git a/main.go b/main.go
index 651a25f9..7b7e3520 100644
--- a/main.go
+++ b/main.go
@@ -95,7 +95,7 @@ func main() {
 	// The variable name is set here: https://gitlab.cern.ch/drupal/paas/cern-drupal-distribution/-/blob/master/supporteddrupalversions/chart/templates/supported-drupal-versions.yaml
 	flag.StringVar(&controllers.SupportedDrupalVersionName, "supported-drupal-version-name", "supported-drupal-versions", "The name of the resource used cluster-wide for supported drupal versions")
 	flag.StringVar(&controllers.VeleroBackupStorageLocation, "velero-backup-storage-location", "default", "The name of the backupStorageLocation to be used for Velero Schedules created by the controller")
-	flag.StringVar(&websiteImagePullPolicyString, "websiteImagePullPolicy", "IfNotPresent", "The default image pull policy for deployed pods. We avoid 'Always' as it makes us more vulnerable to container registry downtime.")
+	flag.StringVar(&controllers.WildcardDelegatedDomainsRegex, "wildcardDelegatedDomainsRegex", "", "Regex pattern for wildcard delegated domains")
 	opts := zap.Options{
 		Development: false,
 	}
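Review bot: This hunk replaces the `websiteImagePullPolicy` flag registration with the new flag rather than adding a line next to it, which looks unintended for a change about route certificates. If `websiteImagePullPolicyString` is still read later in `main` (not visible here) it would stay empty, and a deployment that still passes `--websiteImagePullPolicy` would fail flag parsing. I would restore the removed `flag.StringVar(&websiteImagePullPolicyString, ...)` line and keep the new one beside it; patch 05 edits the same line without restoring it. The default `""` also deserves a second look, since an empty pattern matches every host and so no route would be annotated for ACME.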
-- 
GitLab


From 94012bc8fb7ff0f99ad3dab137a53e15ad83611f Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Mon, 22 May 2023 14:14:05 +0200
Subject: [PATCH 03/10] removed typo

---
 controllers/drupalsite_resources.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 4f34037b..b262646a 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -1533,7 +1533,7 @@ func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalS
 	}
 	currentobject.Spec.TLS.InsecureEdgeTerminationPolicy = "Redirect"
 	currentobject.Spec.TLS.Termination = "edge"
-	currentobject.Spec.Port.TargetPort = intstr.FromInt(8080),
+	currentobject.Spec.Port.TargetPort = intstr.FromInt(8080)
 	currentobject.Spec.To = routev1.RouteTargetReference{
 		Kind:   "Service",
 		Name:   d.Name,
-- 
GitLab


From e159abee338c6841fa6f583cd365d2380728ccf1 Mon Sep 17 00:00:00 2001
From: Francisco Barros <francisco.borges.aurindo.barros@cern.ch>
Date: Mon, 22 May 2023 14:16:30 +0200
Subject: [PATCH 04/10] Updated comment

---
 controllers/drupalsite_resources.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index b262646a..963e61a1 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -1506,7 +1506,7 @@ func serviceForDrupalSite(currentobject *corev1.Service, d *webservicesv1a1.Drup
 	return nil
 }
 
-// routeForDrupalSite returns a route object with expected values
+// routeForDrupalSite updates a route object with expected values
 func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalSite, Url string) error {
 	addOwnerRefToObject(currentobject, asOwner(d))
 	if currentobject.Annotations == nil {
-- 
GitLab


From ab4df564343d02e4c5cade415f51f6d07f543d50 Mon Sep 17 00:00:00 2001
From: Jack Henschel <jack.henschel@cern.ch>
Date: Wed, 16 Aug 2023 10:28:08 +0200
Subject: [PATCH 05/10] Apply 2 suggestion(s) to 2 file(s)

---
 controllers/drupalsite_controller.go | 2 +-
 main.go                              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index 5ad915f6..72464db4 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -84,7 +84,7 @@ var (
 	SupportedDrupalVersionName string
 	// VeleroBackupStorageLocation refers to the name of the Velero backupStorageLocation to be used
 	VeleroBackupStorageLocation string
-	// WildcardDelegatedDomainsRegex refers to the pattern of subdomains that are covered by the included certificate
+	// WildcardDelegatedDomainsRegex refers to the pattern of subdomains that are covered by CERN's wildcard certificate (*.web.cern.ch etc.)
 	WildcardDelegatedDomainsRegex string
 )
 
diff --git a/main.go b/main.go
index 7b7e3520..60dc3900 100644
--- a/main.go
+++ b/main.go
@@ -95,7 +95,7 @@ func main() {
 	// The variable name is set here: https://gitlab.cern.ch/drupal/paas/cern-drupal-distribution/-/blob/master/supporteddrupalversions/chart/templates/supported-drupal-versions.yaml
 	flag.StringVar(&controllers.SupportedDrupalVersionName, "supported-drupal-version-name", "supported-drupal-versions", "The name of the resource used cluster-wide for supported drupal versions")
 	flag.StringVar(&controllers.VeleroBackupStorageLocation, "velero-backup-storage-location", "default", "The name of the backupStorageLocation to be used for Velero Schedules created by the controller")
-	flag.StringVar(&controllers.WildcardDelegatedDomainsRegex, "wildcardDelegatedDomainsRegex", "", "Regex pattern for wildcard delegated domains")
+	flag.StringVar(&controllers.WildcardDelegatedDomainsRegex, "wildcardDelegatedDomainsRegex", "", "Regex pattern for domains covered by wildcard certificate")
 	opts := zap.Options{
 		Development: false,
 	}
-- 
GitLab


From 18db03c169ba54fd2b95b7bfa653c9b1d4fac0b8 Mon Sep 17 00:00:00 2001
From: Christina Petala <cpetala@lxplus807.cern.ch>
Date: Wed, 26 Jun 2024 15:22:18 +0200
Subject: [PATCH 06/10] first iteration of updating
 wildcardDelegatedDomainsRegex

---
 chart/drupalsite-operator/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chart/drupalsite-operator/values.yaml b/chart/drupalsite-operator/values.yaml
index 40385322..510251d1 100644
--- a/chart/drupalsite-operator/values.yaml
+++ b/chart/drupalsite-operator/values.yaml
@@ -34,4 +34,4 @@ drupalsiteOperator:
   easystartBackupName: ""
   veleroBackupStorageLocation: "default"
   # By default we set everything, because then there's no certificate applies
-  wildcardDelegatedDomainsRegex: ".*"
+  wildcardDelegatedDomainsRegex: ".*.cern.ch|.*.cern"
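Review bot: The comment kept above this key still says the default is "everything", which no longer describes the new value. I would update it to say what the pattern now covers, for example `# Hosts under cern.ch and .cern are treated as covered by the wildcard certificate; all other hosts are annotated for openshift-acme.` The same stale comment stays in place in patch 08, where the value changes again.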
-- 
GitLab


From 13798bcad8f2c481e988201f7964c4e616a942d7 Mon Sep 17 00:00:00 2001
From: "cristina.petala" <cristina.petala@trasys.gr>
Date: Wed, 26 Jun 2024 17:29:27 +0300
Subject: [PATCH 07/10] removed path

---
 controllers/drupalsite_resources.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 963e61a1..2f2c26c2 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -24,7 +24,7 @@ import (
 	"io/ioutil"
 	"math/rand"
 	"net/url"
-	"path"
+	//"path"
 	"regexp"
 	"strconv"
 	"time"
-- 
GitLab


From eaf1b09f081eb18476a501ad8d968af8eee5d97e Mon Sep 17 00:00:00 2001
From: "cristina.petala" <cristina.petala@trasys.gr>
Date: Thu, 27 Jun 2024 09:36:59 +0300
Subject: [PATCH 08/10] added domains for dev in regex

---
 chart/drupalsite-operator/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chart/drupalsite-operator/values.yaml b/chart/drupalsite-operator/values.yaml
index 510251d1..92873407 100644
--- a/chart/drupalsite-operator/values.yaml
+++ b/chart/drupalsite-operator/values.yaml
@@ -34,4 +34,4 @@ drupalsiteOperator:
   easystartBackupName: ""
   veleroBackupStorageLocation: "default"
   # By default we set everything, because then there's no certificate applies
-  wildcardDelegatedDomainsRegex: ".*.cern.ch|.*.cern"
+  wildcardDelegatedDomainsRegex: ".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch"
-- 
GitLab


From 4879a872fdf8dbeaabdd4d7f227ee221d4f6d1c0 Mon Sep 17 00:00:00 2001
From: "cristina.petala" <cristina.petala@trasys.gr>
Date: Mon, 1 Jul 2024 10:14:09 +0300
Subject: [PATCH 09/10] use regex directly on function routeForDrupalSite

---
 controllers/drupalsite_resources.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 2f2c26c2..fe2f1fd7 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -24,7 +24,6 @@ import (
 	"io/ioutil"
 	"math/rand"
 	"net/url"
-	//"path"
 	"regexp"
 	"strconv"
 	"time"
@@ -1527,8 +1526,8 @@ func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalS
 	// https://gitlab.cern.ch/paas-tools/okd4-install/-/blob/master/chart/templates/_shared_subdomains_regex.tpl
 	// more info on the Openshift-acme: https://gitlab.cern.ch/paas-tools/okd4-deployment/openshift-acme
 	// MR with change: https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/merge_requests/188
-	matchesSupportedDomains, _ := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)
-	if !(matchesSupportedDomains) {
+	matchesSupportedDomains, _ := regexp.MatchString(".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch", Url)
+	if !matchesSupportedDomains {
 		currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
 	}
 	currentobject.Spec.TLS.InsecureEdgeTerminationPolicy = "Redirect"
-- 
GitLab


From 72dccc4f6620c6d81134e062d7cc7fcdb64b69af Mon Sep 17 00:00:00 2001
From: "cristina.petala" <cristina.petala@trasys.gr>
Date: Mon, 1 Jul 2024 16:08:35 +0300
Subject: [PATCH 10/10] using variable again and updating manager-deploy

---
 chart/drupalsite-operator/templates/manager-deploy.yaml | 1 +
 controllers/drupalsite_resources.go                     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/chart/drupalsite-operator/templates/manager-deploy.yaml b/chart/drupalsite-operator/templates/manager-deploy.yaml
index 887b9396..a514f9ea 100644
--- a/chart/drupalsite-operator/templates/manager-deploy.yaml
+++ b/chart/drupalsite-operator/templates/manager-deploy.yaml
@@ -35,6 +35,7 @@ spec:
         - --easystart-backup-name={{.Values.drupalsiteOperator.easystartBackupName}}
         - --supported-drupal-version-name={{.Values.drupalsiteOperator.supportedDrupalVersionName}}
         - --velero-backup-storage-location={{.Values.drupalsiteOperator.veleroBackupStorageLocation}}
+        - --wildcardDelegatedDomainsRegex={{.Values.drupalsiteOperator.wildcardDelegatedDomainsRegex}}
         command:
         - /manager
         image: {{ .Values.image | quote }}
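Review bot: The new `--wildcardDelegatedDomainsRegex` argument is rendered unquoted, and unlike the neighbouring values a regex can easily contain sequences such as ` #` or `: ` that change how the rendered YAML parses. Quoting the whole item, e.g. `- {{ printf "--wildcardDelegatedDomainsRegex=%s" .Values.drupalsiteOperator.wildcardDelegatedDomainsRegex | quote }}`, keeps any pattern intact. If the value is unset the flag is passed empty, and an empty pattern matches every host, so it may be worth failing the render when the value is missing.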
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index fe2f1fd7..64e116bc 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -1526,7 +1526,7 @@ func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalS
 	// https://gitlab.cern.ch/paas-tools/okd4-install/-/blob/master/chart/templates/_shared_subdomains_regex.tpl
 	// more info on the Openshift-acme: https://gitlab.cern.ch/paas-tools/okd4-deployment/openshift-acme
 	// MR with change: https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/merge_requests/188
-	matchesSupportedDomains, _ := regexp.MatchString(".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch", Url)
+	matchesSupportedDomains, _ := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)
 	if !matchesSupportedDomains {
 		currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
 	}
-- 
GitLab