Serve planetpython.org via haproxy instead of direct (#391)

ewdurbin · web-flow · commit b00decc32ce3 · 2024-07-17T14:42:01.000-04:00
* planet: planet.psf.io internal cert

* planet: bind port 9000 for internal http

* planet: open port 9000 to internal network

* planet: register internal http service with consul

* planet: serve from haproxy loadbalancer

* planet: install a cert on the load balancer for planetpython.org

also refresh our dummy cert since it is nearly 10 years old 💀
diff --git a/pillar/base/firewall/planet.sls b/pillar/base/firewall/planet.sls
@@ -0,0 +1,6 @@
+{% include "networking.sls" %}
+
+firewall:
+  frontend-planet:
+    port: 9000
+    source: *psf_internal_network
diff --git a/pillar/base/haproxy.sls b/pillar/base/haproxy.sls
@@ -60,6 +60,13 @@ haproxy:
       extra:
         - http-request replace-header Host ^.*$ pythonsoftwarefoundation.applytojob.com
 
+    planet:
+      domains:
+        - planetpython.org
+        - www.planetpython.org
+      verify_host: planet.psf.io
+      check: "HEAD / HTTP/1.1\\r\\nHost:\\ planet.psf.io"
+
     pypy-web:
       domains:
         - www.pypy.org
diff --git a/pillar/base/tls.sls b/pillar/base/tls.sls
@@ -38,6 +38,10 @@ tls:
       roles:
         - moin
 
+    planet.psf.io:
+      roles:
+        - planet
+
     postgresql.psf.io:
       roles:
         - postgresql
diff --git a/pillar/dev/secrets/tls/certs/loadbalancer.sls b/pillar/dev/secrets/tls/certs/loadbalancer.sls
diff --git a/pillar/dev/top.sls b/pillar/dev/top.sls
@@ -66,6 +66,7 @@ base:
     - match: nodegroup
     - planet
     - firewall.http
+    - firewall.planet
 
   'salt-master':
     - match: nodegroup
diff --git a/pillar/prod/top.sls b/pillar/prod/top.sls
@@ -100,6 +100,7 @@ base:
     - match: nodegroup
     - planet
     - firewall.http
+    - firewall.planet
 
   'pypy-web':
     - match: nodegroup
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
@@ -87,9 +87,9 @@ listen tls:
     bind :20007 ssl alpn h2,http/1.1 crt www.pycon.org.pem
     bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem
     bind :20009 ssl alpn h2,http/1.1 crt pypy.org.pem
-    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem
-    bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem  crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem
-    bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem
+    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem crt planetpython.org
+    bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem  crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem crt planetpython.org
+    bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt www.pycon.org.pem crt jython.org.pem crt pypy.org.pem crt salt-public.psf.io.pem crt planetpython.org
 
     mode http
 
diff --git a/salt/planet/config/nginx.planet.conf.jinja b/salt/planet/config/nginx.planet.conf.jinja
@@ -25,6 +25,17 @@ server {
     root /srv/{{ site }}/;
 }
 
+server {
+    listen 9000 ssl;
+    server_name {{ site }};
+    error_log /var/log/nginx/{{ site }}.error.log;
+    access_log /var/log/nginx/{{ site }}.access.log;
+    ssl_certificate /etc/ssl/private/planet.psf.io.pem;
+    ssl_certificate_key /etc/ssl/private/planet.psf.io.pem;
+
+    root /srv/{{ site }}/;
+}
+
 {% for domain in info.get("subject_alternative_names", []) %}
 server {
     server_name {{ domain }};
diff --git a/salt/planet/init.sls b/salt/planet/init.sls
@@ -20,6 +20,19 @@ planet-user:
     - require:
       - file: /etc/nginx/sites.d/
 
+/etc/consul.d/service-planet.json:
+  file.managed:
+    - source: salt://consul/etc/service.jinja
+    - template: jinja
+    - context:
+        name: planet
+        port: 9000
+    - user: root
+    - group: root
+    - mode: "0644"
+    - require:
+      - pkg: consul-pkgs
+
 lego_bootstrap:
   cmd.run:
     - name: /usr/local/bin/lego -a --email="infrastructure-staff@python.org" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['planet']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --path /etc/lego --key-type ec256 run
