add nginx configurations for the odf-console #305
Conversation
odf-console uses nginx for serving the UI assets. Add its configuration from the operator instead of build time. Signed-off-by: SanjalKatiyar <sanjaldhir@gmail.com>
generated output of "make bundle" command. Signed-off-by: SanjalKatiyar <sanjaldhir@gmail.com>
| worker_processes auto; | ||
| error_log /var/log/nginx/error.log; | ||
| pid /run/nginx.pid; | ||
|
|
||
| # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. | ||
| include /usr/share/nginx/modules/*.conf; | ||
|
|
||
| events { | ||
| worker_connections 1024; | ||
| } | ||
|
|
||
| http { | ||
| log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | ||
| '$status $body_bytes_sent "$http_referer" ' | ||
| '"$http_user_agent" "$http_x_forwarded_for"'; | ||
|
|
||
| access_log /var/log/nginx/access.log main; | ||
|
|
||
| sendfile on; | ||
| tcp_nopush on; | ||
| tcp_nodelay on; | ||
| keepalive_timeout 65; | ||
| types_hash_max_size 4096; | ||
|
|
||
| include /etc/nginx/mime.types; | ||
| default_type application/octet-stream; | ||
|
|
||
| # Load modular configuration files from the /etc/nginx/conf.d directory. | ||
| # See http://nginx.org/en/docs/ngx_core_module.html#include | ||
| # for more information. | ||
| include /opt/app-root/etc/nginx.d/*.conf; |
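Review bot: the last line of this hunk, `include /opt/app-root/etc/nginx.d/*.conf;`, contradicts the comment directly above it, which still says modular files are loaded from `/etc/nginx/conf.d`; update the comment to the real directory so nobody drops conf files in the wrong place. Separately, `error_log /var/log/nginx/error.log;`, `pid /run/nginx.pid;` and `access_log /var/log/nginx/access.log main;` all need a writable root filesystem, yet the PR description says this ConfigMap is the foundation for setting readOnlyRootFilesystem: true on the odf-console pod; consider `error_log /dev/stderr;`, `access_log /dev/stdout main;` and a pid path on a writable volume now, so the follow-up only has to touch the pod spec.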
these are the default nginx configurations, these were used earlier as well (before the changes introduced by this PR): https://pastebin.com/ksX21dsr
check above link for entire configuration file that was used...
| server { | ||
| listen 9001 ssl; | ||
| listen [::]:9001 ssl; | ||
| ssl_certificate /var/serving-cert/tls.crt; | ||
| ssl_certificate_key /var/serving-cert/tls.key; | ||
| location / { | ||
| root /opt/app-root/src; | ||
| } | ||
| location /compatibility/ { | ||
| root /opt/app-root/src; | ||
| } | ||
| error_page 500 502 503 504 /50x.html; | ||
| location = /50x.html { | ||
| root /usr/share/nginx/html; | ||
| } | ||
| ssi on; | ||
| add_header Last-Modified $date_gmt; | ||
| add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; | ||
| if_modified_since off; | ||
| expires off; | ||
| etag off; | ||
| } |
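Review bot: `listen [::]:9001 ssl;` makes nginx refuse to start on a node where IPv6 has been disabled at the kernel level, because the IPv6 socket cannot be bound; that is exactly the BZ 2139785 failure described on this PR, and the documented workaround is to comment that one line out, so the ConfigMap should at least carry a comment saying so next to the line. Also, no `ssl_protocols` directive is set, so the server inherits nginx's default list, which before nginx 1.23.4 still includes TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` beside the `ssl_certificate` lines. Finally, the `location /compatibility/` block duplicates `location /` with the same `root` and can be dropped.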
odf-console related custom configurations...
@SanjalKatiyar I see that this is the same config (server section) that we have in the plugin repo, so we should ensure both remain in sync, right?
we will eventually remove it from odf-console and add them from here...
no need to read default.conf during build after this PR (we need a small change in the build Dockerfile as well)...
/test odf-operator-e2e-aws
I know the problem, I will get it fixed once #304 is merged
/test odf-operator-e2e-aws
/test odf-operator-e2e-aws
Need to update build Dockerfile once this is merged...
@bipuladh PTAL.
/approve
/lgtm
/lgtm
/assign @iamniting
/cherrypick release-4.13
@SanjalKatiyar: once the present PR merges, I will cherry-pick it on top of release-4.13 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alfonsomthd, bipuladh, iamniting, SanjalKatiyar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@SanjalKatiyar: new pull request created: #306 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Changes required as per BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2139785
Resolves 4 issues:
/etc/nginx/nginx.conf: https://pastebin.com/ksX21dsr) and we did not have any control over that config earlier. Now all the nginx configurations (nginx's default and custom config for odf-console) are added via a ConfigMap created by odf-operator, so everything is under our control. Also, now removed port 8080, which was never needed and never used.
readOnlyRootFilesystem: true spec for the odf-console pod, but adding it causes the UI's pod to go into an error state because nginx needs to create some files in the pod's filesystem for its functioning but doesn't have access to do so (if we set this attribute), hence the pod never gets into "Running" status. This PR adds the foundation for enabling us to add the changes to fix this CVE (will send a follow-up PR for that).
Possible improvement?
Currently for BZ#2139785 (if this PR gets merged), once the odf-console pod errors due to the IPv6 address issue, the user will have to perform the following operations (we will keep the documentation team in the loop):
odf-console-nginx-conf (introduced as part of this PR). listen [::]:9001 ssl; --> # listen [::]:9001 ssl;. Once done they will be able to see the UI once again as the pod will now be in running state. We can automate this process so that the user doesn't have to take manual steps to resolve the issue.
Pro: no manual intervention needed.
Cons:
P0) use-case or something which is generally faced by users (rare). controller to keep a watch on resources which have nothing to do with ODF or storage, but are purely infra related. IPv4/IPv6 dual-stack networking where we can just watch over the network.config.openshift.io cluster CR (https://docs.openshift.com/container-platform/4.12/networking/ovn_kubernetes_network_provider/converting-to-dual-stack.html)... here we are disabling IPv6 addressing at the node's kernel level (https://access.redhat.com/solutions/5513111)... not sure if it is a good idea to keep a watch for such changes.
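For the readOnlyRootFilesystem point raised in the PR description above, this is an added illustration (not code from odf-operator or this PR) of how the nginx config and pod spec fit together once every path nginx writes to is moved onto a writable emptyDir; the port, certificate paths and ConfigMap name come from the PR, while /tmp/nginx, the mount path of nginx.conf, the volume names and the secret name are assumptions.

```yaml
# Added example, not from odf-operator PR #305. Assumed: /tmp/nginx as the writable
# area, /etc/nginx/nginx.conf as the image's main config path, and the secret name.
apiVersion: v1
kind: ConfigMap
metadata:
  name: odf-console-nginx-conf
data:
  nginx.conf: |
    pid /tmp/nginx/nginx.pid;          # /run is read-only; pid goes to an emptyDir
    error_log /dev/stderr;             # no writable /var/log/nginx; kubelet collects logs
    events { worker_connections 1024; }
    http {
      access_log /dev/stdout;
      # nginx creates every configured temp dir at startup, so all five must be writable
      client_body_temp_path /tmp/nginx/client_body;
      proxy_temp_path /tmp/nginx/proxy;
      fastcgi_temp_path /tmp/nginx/fastcgi;
      uwsgi_temp_path /tmp/nginx/uwsgi;
      scgi_temp_path /tmp/nginx/scgi;
      include /etc/nginx/mime.types;
      server {
        listen 9001 ssl;
        ssl_certificate /var/serving-cert/tls.crt;
        ssl_certificate_key /var/serving-cert/tls.key;
        location / { root /opt/app-root/src; }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: odf-console
spec:
  template:
    spec:
      containers:
        - name: odf-console
          securityContext:
            readOnlyRootFilesystem: true   # the setting the PR description says breaks nginx today
          volumeMounts:
            - { name: nginx-conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf }
            - { name: nginx-tmp, mountPath: /tmp/nginx }
            - { name: serving-cert, mountPath: /var/serving-cert, readOnly: true }
      volumes:
        - name: nginx-conf
          configMap: { name: odf-console-nginx-conf }
        - name: nginx-tmp
          emptyDir: {}
        - name: serving-cert
          secret: { secretName: odf-console-serving-cert }   # assumed secret name
```

With only /tmp/nginx writable, a compromised nginx process cannot modify the served UI assets under /opt/app-root/src or anything else on the image, which is the hardening the BZ asks for.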