Add molecule configuration for nginx role #58
Conversation
Also expose and publish ports for nginx
set correct path to gunicorn don't install unnecessary packages
roles/nginx/templates/nginx_xnat.j2
Outdated
| server localhost:{{ nginx_upstream_port }}; | ||
| } | ||
|
|
||
| server { | ||
| listen {{ dicom_port }}; | ||
| listen {{ nginx_upstream_listen_port }}; |
There was a problem hiding this comment.
I wasn't sure what to call these variables, perhaps there's a better name?
There was a problem hiding this comment.
Variable names look fine to me. I wonder whether this role should XNAT agnostic though - maybe the template should live in the xnat role and here we provide a basic template of a reverse proxy conf (with TLS termination). This is how I would override for OMERO (rather than adding another conf here).
There was a problem hiding this comment.
yeah good point, I've tried to change it to make it more general now
| @@ -6,6 +6,7 @@ on: | |||
| - "roles/xnat_container_service/**" | |||
| - "playbooks/install_xnat.yml" | |||
| - "playbooks/install_container_service.yml" | |||
There was a problem hiding this comment.
| - "playbooks/install_container_service.yml" | |
| - "playbooks/install_container_service.yml" | |
| - "playbooks/molecule/*_xnat" |
There was a problem hiding this comment.
Do we need the above to catch changes to the molecule configuration?
There was a problem hiding this comment.
I think the molecule config changes should be included with the line below (- "playbooks/molecule/**/xnat/**")
| # Support for ipv6 | ||
| ipv6_enabled: false | ||
|
|
||
| # nginx config |
There was a problem hiding this comment.
Should this be in the web.yml group vars?
roles/nginx/README.md
Outdated
| | `nginx_group` | The OS group that will have ownership of the nginx service file and directory. Defaults to `root` | | ||
| | `nginx_log_folder` | The path to the nginx logs. Defaults to `/var/log/nginx` | | ||
| | `nginx_http_port` | The port to listen on for HTTP connections. Defaults to `80` | | ||
| | `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `80` | |
There was a problem hiding this comment.
| | `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `80` | | |
| | `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `443` | |
| @@ -12,6 +12,7 @@ firewalld_work_zone_open_services: | |||
| - http | |||
| - https | |||
| firewalld_public_zone_ports: | |||
| - "80" | |||
| - "8080" | |||
There was a problem hiding this comment.
Do we need to open 8080?
There was a problem hiding this comment.
nope, I've removed it
roles/nginx/README.md
Outdated
| | `nginx_http_port` | The port to listen on for HTTP connections. Defaults to `80` | | ||
| | `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `80` | | ||
| | `nginx_proxy_port` | The port to forward requests to. Defaults to `8080` (tomcat) | | ||
| | `nginx_root` | The path to search for static files. Defaults to `/usr/share/tomcat/webapps/ROOT` | |
There was a problem hiding this comment.
I know this is for convenience but I'm not sure about setting defaults for tomcat (or any specific web framework).
There was a problem hiding this comment.
yeah definitely, agreed
roles/nginx/README.md
Outdated
| | `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `80` | | ||
| | `nginx_proxy_port` | The port to forward requests to. Defaults to `8080` (tomcat) | | ||
| | `nginx_root` | The path to search for static files. Defaults to `/usr/share/tomcat/webapps/ROOT` | | ||
| | `nginx_conf_template` | The template to use for generating the NGINX config. See currently available [templates](templates/). Defaults to `nginx_xnat.j2`, which is used to configure NGINX as a reverse proxy for XNAT | |
There was a problem hiding this comment.
Again I'm not sure about having an XNAT default. Can we have a basic reverse proxy config?
roles/nginx/templates/nginx_xnat.j2
Outdated
| server localhost:{{ nginx_upstream_port }}; | ||
| } | ||
|
|
||
| server { | ||
| listen {{ dicom_port }}; | ||
| listen {{ nginx_upstream_listen_port }}; |
There was a problem hiding this comment.
Variable names look fine to me. I wonder whether this role should XNAT agnostic though - maybe the template should live in the xnat role and here we provide a basic template of a reverse proxy conf (with TLS termination). This is how I would override for OMERO (rather than adding another conf here).
and move nginx vars into web group
There was a problem hiding this comment.
Minor changes, looks good otherwise. I just had one additional question about the provisioner block in the base config files. If a role doesn't need to set any group vars or doesn't have a prepare.yml playbook we'll get an error. Should we move the provisioner block to the role/playbook molecule configs (although this would mean repetition since many of our roles do require group vars and a prepare playbook; doesn't have to be this PR).
roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
Outdated
Show resolved
Hide resolved
Co-authored-by: Daniel Matthews <[email protected]>
I think if there's no prepare playbook then molecule just silently skips that stage rather than failing. Not sure about the group vars though - I can check that and open a separate PR if that is an issue |
Having a role without group vars definitely causes an error. I haven't tried having group vars and no prepare but would it skip if we've set a path but the file doesn't exist? Anyway, let's look at it separately. |
There was a problem hiding this comment.
Apologies to keep dragging this out, I spotted something I didn't ask last time. Also, I think we should just have the one template for the nginx conf. It looks like the only difference is the server block that sets the default_server in nginx_reverse_proxy_as_default.j2. This is the template that is used in the tests but it isn't the default. Perhaps it should be the default, renamed to nginx_reverse_proxy.j2?
|
|
||
| # nginx config | ||
| nginx_diffie_helman_size_bits: 2048 | ||
| nginx_conf_template: nginx_reverse_proxy_as_default.j2 |
There was a problem hiding this comment.
Sorry for confusion, and for not asking this in the last review, but why are we using nginx_reverse_proxy_as_default.j2 in the tests rather than nginx_reverse_proxy.j2?
| @@ -0,0 +1,7 @@ | |||
| --- | |||
| nginx_conf_template: nginx_reverse_proxy_as_default.j2 | |||
There was a problem hiding this comment.
Why not nginx_reverse_proxy.j2?
There was a problem hiding this comment.
it's the same issue @paddyroddy was having in #44 in nginx_reverse_proxy.j2 - there is an additional default server, so any traffic to hosts that do not match nginx_server_name are routed to this default server. So in the verify task for this role:
the host passed to nginx will be
localhost, and as this doesn't match nginx_server_name the request will be sent to the default server (which returns nothing). In the test we could set the correct host through a header (-H 'Host: {{.nginx_server_name }}'), and that would work fine. However, I don't think it's possible to do this in a web browser, so if we run the converge step locally we wouldn't be able to access the web UI. To get around this, @paddyroddy is currently setting the hostname for the webserver to be localhost
Co-authored-by: Daniel Matthews <[email protected]>
no worries! Sorry I should have explained what was going on earlier. Hopefully my comment above sheds some light on why the additional default server isn't used in the tests
Yeah that is probably a better idea. We could have an |
Remove nginx config template that doesn't define an additional default server This is now handled in one template witht he nginx_add_default_server variable
|
Can we do a release (soon)? |
Fixes #50
FIxes #51
Fixes #52
nginx_conf_templatevariable). Define one template:nginx_reverse_proxy.j2). A default server is created ifnginx_add_default_serveristruemirsg.infrastructure.install_xnatgroup vars with new variable names. At the inventory level ifnginx_use_ssl: true, we will need to set:nginx_server_cert_cache: ssl.server_certnginx_server_key_cache: ssl.server_keymirsg.infrastructure.nginx. This configures nginx as a reverse proxy for a Flask app running on a Gunicorn server. Include a verify playbook to check we can connect to the server from the localhost via nginxmirsg.infrastructure.install_xnat- the tomcat port was being published rather than the one for http connections, so nginx wasn't being used to connect from localhost even though it was configured. Add a verify playbook to check we can connect to the server from the localhost via nginx