feat(bugs): move service behind load balancers (#393)

* feat(bugs): move service behind load balancers

* Update pillar/base/firewall/bugs.sls

* fix(bugs): update misplaced role

* fix(bugs): add missing settings

* fix(bugs): split services into their own sections

* chore(bugs): template out the trackers instead

* feat(bugs): add template for smtp

* chore(bugs): remove dupes and move consul configs

* feat(bugs): add listens for smtp

* fix: make unique the certs

* feat: add unique ports per service for consul

* feat: add unique ports per service for consul

* fix: update variable

* fix: all services use bugs cert

* feat: utilize tls in bind

* fix: import missing pillar data

* fix: remove resurrected code after rebase

* feat: add unique consul service configs

* feat: open up ports for each service

* fix: do not loop

* chore: saltify method of getting bugs pillar data

* fix: use proper iptables syntax

* chore: rename service, move into existing loop, remove smtps

* chore: move into correct area

* fix: remove missed port definitions

Author: JacobCoffee

pillar/base/bugs.sls

@@ -8,6 +8,7 @@ bugs:
     cpython:
       source: https://github.com/psf/bpo-tracker-cpython.git
       server_name: bugs.python.org
+      port: 9000
       workers: 16
       config:
           tracker: cpython
@@ -37,6 +38,7 @@ bugs:
     jython:
       source: https://github.com/psf/bpo-tracker-jython.git
       server_name: bugs.jython.org
+      port: 9001
       config:
           tracker: jython
           main__database: /srv/roundup/data/jython
@@ -61,6 +63,7 @@ bugs:
     roundup:
       source: https://github.com/psf/bpo-tracker-roundup.git
       server_name: issues.roundup-tracker.org
+      port: 9002
       config:
           tracker: roundup
           main__database: /srv/roundup/data/roundup

pillar/base/firewall/bugs.sls

@@ -1,11 +1,12 @@
+{% include "networking.sls" %}
+
 firewall:
   http:
     port: 80
   https:
     port: 443
   smtp:
     port: 25
-  smtps:
-    port: 587
-  submission:
-    port: 465
+  frontend-bugs:
+    port: 9000:9002
+    source: *psf_internal_network

pillar/base/haproxy.sls

@@ -67,6 +67,14 @@ haproxy:
       verify_host: planet.psf.io
       check: "HEAD / HTTP/1.1\\r\\nHost:\\ planet.psf.io"
 
+    {% for tracker, config in salt["pillar.get"]("bugs:trackers", {}).items() %}
+    roundup-{{ tracker }}:
+      domains:
+        - {{ config['server_name'] }}
+      verify_host: bugs.psf.io
+      check: "HEAD / HTTP/1.1\\r\\nHost:\\ {{ config['server_name'] }}"
+    {% endfor %}
+
     moin:
       domains:
         - wiki.python.org
@@ -155,3 +163,13 @@ haproxy:
       extra:
         - timeout client 86400
         - timeout server 86400
+
+    {# We can extend this for smtps/submission later #}
+    {% for (port, service, ssl) in [(25, "smtp", False)] %}
+    roundup-{{ service }}:
+      bind: :{{ port }} {% if ssl %} ssl crt /etc/ssl/private/bugs.python.org.pem {% endif %}
+      service: roundup-{{ service }}
+      extra:
+        - timeout client 30m
+        - timeout server 30m
+    {% endfor %}

pillar/base/tls.sls

@@ -42,6 +42,10 @@ tls:
       roles:
         - planet
 
+    bugs.psf.io:
+      roles:
+        - bugs
+
     postgresql.psf.io:
       roles:
         - postgresql

pillar/dev/secrets/tls/certs/loadbalancer.sls

@@ -417,3 +417,55 @@ tls:
       Pe93No9Ze0Jou4GsXmP2E1YY0i3jkCigmuVTQSrl85uxxHfHWNgr9OwN8ASoF9dp
       ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E=
       -----END CERTIFICATE-----
+
+    bugs.python.org: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCSNloTX8Ut5t4v
+      M8MDD0gzrRWKFwcqDbvMa/JkK89hfoSfAnZwIHtZl+PTHCOXqU4WEMvYwSIcqVlD
+      bOfTDLklwFvMxwzj4/TJbXrHtPf6wFRQa2KUrewy+KcpZBERJcEhJ1PwRHe4bY+n
+      t4L+gDcRVoLmZXUpxasMeBHXD8ZqY9v7BXS2Z4qNnKu7/nABK7yR0DF/epYXxNPf
+      aGL8qEfXsWhc3278MCsipokYFOOVhVxPyJ0xny065L1lX51GChr6kSMNAdV6/Zju
+      vDMmFJp4AbZQ8ta/QdppGEe/cFDGg4VNpinlZ8vQJ01hTON9TxlJqG0oFDmplGCU
+      a+SFiLQLAgMBAAECggEANYChDnTdlPHlvNUOl7iIXayI9Lp/eyKCZYfcr04euVjQ
+      E9WVXGtuZ7b+fZpO5ejks4ta5Iqrvlwz10nrPN3rhEZy8SinbV7VjL28j4aHtaCa
+      WcEp1ikchPxbQvikjCdKGCUpgIK1Ym3pAuDSlOl6/SOwi7l1mZ8E+++V66IQo44w
+      cP+64sm4VIS3kVNhNxB619gXcmldo7N5fC7eF8K8wNnCXSlJA8BqrW/OAAUSl4Lp
+      rn7BkxSdcISejA/n9QoGkKOd6XZ7vzMV4hseFzisn9xGkRWx6zdZsfcuzeZ10p7E
+      pxNCA1g7l1xxYTUIDNBmMImtUsbIH0INXiu2MCXJbQKBgQDC9fb0ZJCJN8hpqb3+
+      Zw1FxjNAs8eqTwaohc7H3n+DSeBLZi63wKe8gO1sPcvwFx2/8U6oQS9lo2xOaDuu
+      Fv4S57jIOoTIxt2Ax/eVTlGh/3EHXqACUQn/qXCdHLtO0sTnnr3WpA15Q8JrjTHU
+      RePRI2xqCTkC4e4GWBKN6fTwtwKBgQC//TbPlf949KI6scnh8foFXEepPelfhUl2
+      zGj78stXSOkHJ9oYWNYVBH4lL7GrsYryr+6Ndr8Di7o45FD/iHBSMWfJluRDUH42
+      yU3Ro54ECBBChI+9n+QUL9gUZBBfJgBDfiKHdbMrmD+IkD8QKFNHf7UdcgB/RG/+
+      nFjzP08bTQKBgAVPX7eOWaVzIIFIP0WDlwf0ewbjHqgT2PGUG2q0M7LmuzYyhUk5
+      9RecR1swX7KdXpEQyHyqsdjJ17RXAHEgbTEkoJLLjTxOtk/AooytgmmwJGr399G4
+      VVZiTg/pbWybLwPD/hWviDJqVwxI3zeR47+ZgGVu9N+QOcRwd6jn22UHAoGAdSTX
+      sMnhW7hI1G9us0KmP2cTAp0YLIRzUt1eoXx/vf5q0UbruDdcSO642Y/EZPKryXC3
+      qfFuk4dKVTRah9CEWGJ05XgAR2Jx4JPru6KN4//Xi/6+hgFtdTPMMITtyGCzgHsS
+      Ln0OmecHvRfmosE4L0QpCpJo4z6q5zwWujVC23ECgYAi1r+27xBjVtSvsd7xkBfY
+      R2HpqcSHaMedQZ2DY/LU6OH5O1RxQsgeSYyiiHMjN9ij3IUv+JHcxaotcSUQIWEa
+      YJmAMhl5ZEfYzpMJ9PUQymN59AAGuTr2PYjc9fhZm5/EgpxC2cl/AR2nS3U19dwf
+      N5zICLLKa7f4hPvAFf33Lg==
+      -----END PRIVATE KEY-----
+      -----BEGIN CERTIFICATE-----
+      MIIDtTCCAp2gAwIBAgIUHTES3WH58IHxo9rMUzj/DeytPc8wDQYJKoZIhvcNAQEL
+      BQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMRIwEAYDVQQHDAlCZWF2ZXJ0
+      b24xIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRUwEwYDVQQD
+      DAwqLnB5dGhvbi5vcmcwHhcNMjQwNzE3MTgyNTAxWhcNMzQwNzE1MTgyNTAxWjBq
+      MQswCQYDVQQGEwJVUzELMAkGA1UECAwCT1IxEjAQBgNVBAcMCUJlYXZlcnRvbjEj
+      MCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xFTATBgNVBAMMDCou
+      cHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJI2WhNf
+      xS3m3i8zwwMPSDOtFYoXByoNu8xr8mQrz2F+hJ8CdnAge1mX49McI5epThYQy9jB
+      IhypWUNs59MMuSXAW8zHDOPj9Mltese09/rAVFBrYpSt7DL4pylkERElwSEnU/BE
+      d7htj6e3gv6ANxFWguZldSnFqwx4EdcPxmpj2/sFdLZnio2cq7v+cAErvJHQMX96
+      lhfE099oYvyoR9exaFzfbvwwKyKmiRgU45WFXE/InTGfLTrkvWVfnUYKGvqRIw0B
+      1Xr9mO68MyYUmngBtlDy1r9B2mkYR79wUMaDhU2mKeVny9AnTWFM431PGUmobSgU
+      OamUYJRr5IWItAsCAwEAAaNTMFEwHQYDVR0OBBYEFPJrXEC964Djv1KtiYGjRFpD
+      s8RvMB8GA1UdIwQYMBaAFPJrXEC964Djv1KtiYGjRFpDs8RvMA8GA1UdEwEB/wQF
+      MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGlJ+N5txBsBekRMkl2pGxUecihJWLXM
+      pwnXuhKswrsCpLiJlWijTWVBULfVn71rEfnMFNgdVn4i1TddgyK4cViHWZPBYcGd
+      SYbQK40xmLuIAJKM8uARdm99AmavKCH+ha6jFY8fZoU0+m51hOztXfGTIkLpLr2r
+      +0ydepkbAWqNH6NYNpUQKFxSlyTYvwaHUh0YzXMxgOj+foJCygyVnB/E7Fja92Ho
+      Pe93No9Ze0Jou4GsXmP2E1YY0i3jkCigmuVTQSrl85uxxHfHWNgr9OwN8ASoF9dp
+      ogsOBi74M0k7Ihp96JK6lUXTY+WnlJ3C9FZdByeXq6O4HLhgq5jug7E=
+      -----END CERTIFICATE-----

pillar/dev/top.sls

@@ -16,6 +16,7 @@ base:
   'bugs':
     - match: nodegroup
     - bugs
+    - firewall.bugs
 
   'cdn-logs':
     - match: nodegroup
@@ -55,6 +56,7 @@ base:
     - firewall.loadbalancer
     - secrets.fastly
     - secrets.tls.certs.loadbalancer
+    - bugs
 
   'mail':
     - match: nodegroup

pillar/prod/top.sls

@@ -80,6 +80,7 @@ base:
     - ocsp
     - secrets.fastly
     - secrets.tls.certs.loadbalancer
+    - bugs
 
   'mail':
     - match: nodegroup

salt/bugs/config/nginx.conf.jinja

@@ -77,3 +77,49 @@ server {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
 }
+
+server {
+  listen {{ port }} ssl;
+  server_name {{ server_name }};
+  include mime.types;
+
+  ssl_certificate /etc/ssl/private/bugs.psf.io.pem;
+  ssl_certificate_key /etc/ssl/private/bugs.psf.io.pem;
+
+  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+  add_header X-Frame-Options "sameorigin";
+  add_header X-Xss-Protection "1; mode=block";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Permitted-Cross-Domain-Policies "none";
+
+  error_log /var/log/nginx/roundup-{{ tracker }}.error.log;
+  access_log /var/log/nginx/roundup-{{ tracker }}.access.log timed_combined_{{ tracker }};
+
+  root /srv/roundup/trackers/{{ tracker }}/;
+
+  include conf.d/tracker-extras/{{ tracker }}*.conf;
+
+  gzip              on;
+  gzip_http_version 1.1;
+  gzip_proxied      any;
+  gzip_min_length   500;
+  gzip_comp_level   6;  # default comp_level is 1
+  gzip_disable      msie6;
+  gzip_types        text/plain text/css
+                    text/xml application/xml
+                    text/javascript application/javascript
+                    text/json application/json;
+
+  location /@@file/ {
+    rewrite ^/@@file/(.*) /html/$1 break;
+    expires 1h;
+  }
+
+  location / {
+    limit_req zone=limit-{{ tracker }} burst=5 nodelay;
+    proxy_pass http://tracker-{{ tracker }}/;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}

salt/bugs/init.sls

@@ -210,6 +210,22 @@ postfix:
       - file: /etc/postfix/virtual
       - file: /etc/postfix/reject_recipients
 
+{# We can extend this for smtps/submission later #}
+{% for (port, service) in [(25, "smtp")] %}
+/etc/consul.d/roundup-{{ service }}.json:
+  file.managed:
+    - source: salt://consul/etc/service.jinja
+    - template: jinja
+    - context:
+        name: roundup-{{ service }}
+        port: {{ port }}
+    - user: root
+    - group: root
+    - mode: "0644"
+    - require:
+      - pkg: consul-pkgs
+{% endfor %}
+
 {% for tracker, config in pillar["bugs"]["trackers"].items() %}
 tracker-{{ tracker }}-database:
   postgres_database.present:
@@ -312,9 +328,23 @@ tracker-{{ tracker }}-nginx-config:
     - context:
         tracker: {{ tracker }}
         server_name: {{ config.get('server_name') }}
+        port: {{ config.get('port') }}
     - require:
       - file: /etc/nginx/sites.d/
 
+/etc/consul.d/roundup-{{ tracker }}.json:
+  file.managed:
+    - source: salt://consul/etc/service.jinja
+    - template: jinja
+    - context:
+        name: roundup-{{ tracker }}
+        port: {{ config.get('port') }}
+    - user: root
+    - group: root
+    - mode: "0644"
+    - require:
+      - pkg: consul-pkgs
+
 roundup-{{ tracker }}-backup:
   file.directory:
     - name: /backup/roundup/{{ tracker }}

salt/haproxy/config/haproxy.cfg.jinja

@@ -86,9 +86,9 @@ listen tls:
     bind :20006 ssl alpn h2,http/1.1 crt speed.pypy.org.pem
     bind :20007 ssl alpn h2,http/1.1 crt www.pycon.org.pem
     bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem
-    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
-    bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem  crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
-    bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem
+    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
+    bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem  crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
+    bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
 
     mode http