XXX: Make more global specialised frontend input schema

software/rapid-cdn/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = ea7349c63a1117e145f50c50586f79be
+md5sum = cc5235722643381092f54e610947caed
 
 [profile-common]
 filename = instance-common.cfg.in
@@ -22,15 +22,15 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-frontend]
 filename = instance-frontend.cfg.in
-md5sum = 4f2f4e8cdf7a066729c9f368c03efe89
+md5sum = 42899067d1aeed2a8a7ff63ba57a4ce5
 
 [profile-master]
 filename = instance-master.cfg.in
-md5sum = 86fcd72199d9e3311a3db83ba93f5dac
+md5sum = 291f73c3782040d02fd56a46f61c201b
 
 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = d19d7cd3b73bb7de12eea8d50a6f69c8
+md5sum = 8c5291a3f88c6fa2534c2e146cead39b
 
 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in
@@ -126,16 +126,20 @@ md5sum = f7262223975640d7200bdf9e99dd79e4
 
 [instance-input-schema]
 filename = instance-input-schema.json
-md5sum = 65ea4031d0fd2a43ce7820b0120ae8ce
+md5sum = f6f2d12f17ce384c157152d906376fef
 
 [instance-frontend-input-schema]
 filename = instance-frontend-input-schema.json
-md5sum = 7ea0adf6f9802e103f7ce9f553be293c
+md5sum = ff4cc869771cd10f625fa5bf384bb5e3
 
 [instance-frontend-user-input-schema]
 filename = instance-frontend-user-input-schema.json
-md5sum = 5a769d54caa1caf6873c610ceb1e094e
+md5sum = d897536234eab5c17550e2d6e7ae4e71
+
+[instance-frontend-global-input-schema]
+filename = instance-frontend-global-input-schema.json
+md5sum = 7392c5fe6eecc490f9c5e777d446cc04
 
 [instance-input-schema]
 filename = instance-input-schema.json
-md5sum = 65ea4031d0fd2a43ce7820b0120ae8ce
+md5sum = f6f2d12f17ce384c157152d906376fef

software/rapid-cdn/instance-frontend-global-input-schema.json

+{
+  "$schema": "http://json-schema.org/draft-04/schema",
+  "properties": {
+    "enable-http2": {
+      "title": "Enable HTTP2",
+      "default": true,
+      "description": "Enables HTTP2 on the node.",
+      "type": "boolean"
+    },
+    "enable-http3": {
+      "title": "Enable HTTP3",
+      "default": false,
+      "description": "Enables HTTP3 on the node.",
+      "type": "boolean"
+    },
+    "ciphers": {
+      "title": "Ordered whitespace separated list of ciphers",
+      "type": "string",
+      "textarea": true,
+      "default": "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA AES256-SHA AES128-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA"
+    },
+    "ram-cache-size": {
+      "default": "1G",
+      "title": "Size of RAM cache on each node (bytes)",
+      "description": "The value can be provided with suffix 'K', 'M', 'G'",
+      "type": "string"
+    },
+    "disk-cache-size": {
+      "default": "8G",
+      "title": "Size of disk cache on each node (bytes)",
+      "description": "The value can be provided with suffix 'K', 'M', 'G'",
+      "type": "string"
+    },
+    "authenticate-to-backend": {
+      "default": false,
+      "description": "If set to true the frontend certificate will be used as authentication certificate to the backend. Note: backend might have to know the frontend CA, available with 'backend-client-caucase-url'.",
+      "title": "Authenticate to backend",
+      "type": "boolean"
+    },
+    "request-timeout": {
+      "default": 600,
+      "description": "Timeout for HTTP requests.",
+      "title": "HTTP Request timeout in seconds",
+      "type": "integer"
+    },
+    "backend-connect-timeout": {
+      "default": 5,
+      "description": "Time in seconds for establishing connection to the backend.",
+      "title": "Timeout for backend connection (seconds)",
+      "type": "integer"
+    },
+    "backend-connect-retries": {
+      "default": 3,
+      "description": "Amount of retries to connect to the backend. The amount of backend-connect-timeout*backend-connect-retries seconds will be spent to connect to the backend.",
+      "title": "Amount of retries to connect to the backend.",
+      "type": "integer"
+    },
+    "re6st-verification-url": {
+      "description": "Url to verify if the internet and/or re6stnet is working.",
+      "title": "Test Verification URL",
+      "type": "string"
+    },
+    "expert": {
+      "title": "Expert Frontend Node Global parameters",
+      "description": "Unusual expert global parameters for the frontend node",
+      "type": "object",
+      "properties": {
+        "advertised-http3-port": {
+          "default": 443,
+          "title": "Advertised HTTP3 port",
+          "description": "As most common deloyment is using iptables for port redirection and in case of udp it is advertising to the process it's bind port instead of the really connected to, it's required to manually set this port for the whole cluster. Can be precisely set on each node by -frontend-i-config-http3-port",
+          "type": "integer"
+        },
+        "frontend-haproxy-http-port": {
+          "default": 8080,
+          "title": "Frontend HAProxy HTTP port",
+          "type": "integer"
+        },
+        "frontend-haproxy-https-port": {
+          "default": 4443,
+          "title": "Frontend HAProxy HTTPS port",
+          "type": "integer"
+        },
+        "backend-haproxy-http-port": {
+          "default": 21080,
+          "title": "Backend HAProxy HTTP port",
+          "type": "integer"
+        },
+        "backend-haproxy-https-port": {
+          "default": 21443,
+          "title": "Backend HAProxy HTTPS port",
+          "type": "integer"
+        },
+        "backend-haproxy-statistic-port": {
+          "default": 21444,
+          "title": "Backend HAProxy statistic HTTP port",
+          "type": "integer"
+        },
+        "slave-introspection-https-port": {
+          "default": 22443,
+          "title": "Backend HAProxy statistic HTTPS port",
+          "type": "integer"
+        },
+        "trafficserver-port": {
+          "default": 23432,
+          "title": "TrafficServer port",
+          "type": "integer"
+        },
+        "monitor-httpd-port": {
+          "default": 8196,
+          "title": "Monitor HTTPD port",
+          "type": "integer"
+        },
+        "legacy-enable-http3-string": {
+          "default": false,
+          "title": "Legacy: Sent enable-http3 as string to outdated nodes",
+          "type": "boolean"
+        },
+        "rotate-num": {
+          "default": 4000,
+          "title": "Amount of daily log rotations",
+          "type": "integer"
+        }
+      }
+    }
+  },
+  "title": "Input Parameters",
+  "type": "object"
+}

software/rapid-cdn/instance-frontend-input-schema.json

@@ -29,10 +29,6 @@
       "type": "string",
       "title": "Domain"
     },
-    "re6st-verification-url": {
-      "type": "string",
-      "title": "re6st-verification-url"
-    },
     "monitor-cors-domain": {
       "type": "string",
       "title": "Monitor CORS Domain"

software/rapid-cdn/instance-frontend-user-input-schema.json

@@ -6,106 +6,36 @@
       "description": "This parameter allows to select to which Compute Node this node will be allocated to.",
       "type": "string"
     },
-    "enable-http2": {
-      "title": "Enable HTTP2",
-      "default": true,
-      "description": "Enables HTTP2 on the node.",
-      "type": "boolean"
-    },
-    "enable-http3": {
-      "title": "Enable HTTP3",
-      "default": false,
-      "description": "Enables HTTP3 on the node.",
-      "type": "boolean"
-    },
-    "ram-cache-size": {
-      "default": "1G",
-      "title": "Size of RAM cache on each node (bytes)",
-      "description": "The value can be provided with suffix 'K', 'M', 'G'",
-      "type": "string"
-    },
-    "disk-cache-size": {
-      "default": "8G",
-      "title": "Size of disk cache on each node (bytes)",
-      "description": "The value can be provided with suffix 'K', 'M', 'G'",
-      "type": "string"
-    },
-    "software-url": {
-      "title": "Software Release URL",
-      "description": "Software Release URL used to on this frontend node, defaults to cluster Software Release URL.",
-      "type": "string"
-    },
-    "state": {
-      "default": "started",
-      "title": "State of the frontend node",
-      "description": "It can be mostly used to destroy (collect) not needed nodes.",
-      "type": "string",
-      "enum": [
-        "started",
-        "stopped",
-        "destroyed"
-      ]
+    "global": {
+      "title": "Frontend Node configuration to override globals",
+      "allOf": [ { "$ref": "./instance-frontend-global-input-schema.json" } ],
+      "type": "object"
     },
     "expert": {
       "title": "Expert Frontend Node parameters",
       "description": "Unusual expert parameters for the frontend node",
       "type": "object",
       "properties": {
-        "rotate-num": {
-          "default": 4000,
-          "title": "Amount of daily log rotations",
-          "type": "integer"
-        },
-        "advertised-http3-port": {
-          "default": 443,
-          "title": "Advertised HTTP3 port",
-          "description": "As most common deloyment is using iptables for port redirection and in case of udp it is advertising to the process it's bind port instead of the really connected to, it's required to manually set this port for the whole cluster. Can be precisely set on each node by -frontend-i-config-http3-port",
-          "type": "integer"
-        },
-        "frontend-haproxy-http-port": {
-          "default": 8080,
-          "title": "Frontend HAProxy HTTP port",
-          "type": "integer"
-        },
-        "frontend-haproxy-https-port": {
-          "default": 4443,
-          "title": "Frontend HAProxy HTTPS port",
-          "type": "integer"
-        },
-        "backend-haproxy-http-port": {
-          "default": 21080,
-          "title": "Backend HAProxy HTTP port",
-          "type": "integer"
-        },
-        "backend-haproxy-https-port": {
-          "default": 21443,
-          "title": "Backend HAProxy HTTPS port",
-          "type": "integer"
-        },
-        "backend-haproxy-statistic-port": {
-          "default": 21444,
-          "title": "Backend HAProxy statistic port",
-          "type": "integer"
-        },
-        "slave-introspection-https-port": {
-          "default": 22443,
-          "title": "Backend HAProxy statistic port",
-          "type": "integer"
-        },
-        "trafficserver-port": {
-          "default": 23432,
-          "title": "TrafficServer port",
-          "type": "integer"
+        "software-url": {
+          "title": "Software Release URL",
+          "description": "Software Release URL used to on this frontend node, defaults to cluster Software Release URL.",
+          "type": "string"
+        },
+        "state": {
+          "default": "started",
+          "title": "State of the frontend node",
+          "description": "It can be mostly used to destroy (collect) not needed nodes.",
+          "type": "string",
+          "enum": [
+            "started",
+            "stopped",
+            "destroyed"
+          ]
         },
         "legacy-enable-http3-string": {
           "default": false,
           "title": "Legacy: Sent enable-http3 as string to outdated nodes",
           "type": "boolean"
-        },
-        "monitor-httpd-port": {
-          "default": 8196,
-          "title": "Monitor HTTPD port",
-          "type": "integer"
         }
       }
     }

software/rapid-cdn/instance-frontend.cfg.in

 {% import "caucase" as caucase with context %}
+{%- do instance_parameter_dict['configuration'].setdefault('user', {}) %}
 {%- do instance_parameter_dict['configuration']['user'].setdefault('expert', {}) %}
-{%- set HTTP3_PORT = instance_parameter_dict['configuration']['user']['expert'].get('advertised-http3-port', FRONTEND_USER_DEFAULTS['expert']['advertised-http3-port']) %}
-{%- set FRONTEND_HTTP3 = instance_parameter_dict['configuration']['user'].get('enable-http3', FRONTEND_USER_DEFAULTS['enable-http3']) %}
+{%- do instance_parameter_dict['configuration']['user'].setdefault('global', {}) %}
+{%- do instance_parameter_dict['configuration']['user']['global'].setdefault('expert', {}) %}
+{%- set HTTP3_PORT = instance_parameter_dict['configuration']['user']['global']['expert'].get('advertised-http3-port', FRONTEND_GLOBAL_DEFAULTS['expert']['advertised-http3-port']) %}
+{%- set FRONTEND_HTTP3 = instance_parameter_dict['configuration']['user']['global'].get('enable-http3', FRONTEND_GLOBAL_DEFAULTS['enable-http3']) %}
 {%- if FRONTEND_HTTP3 %}
 {%-   set FRONTEND_HAPROXY_EXECUTABLE = software_parameter_dict['haproxy_quic_executable'] %}
 {%- else %}
@@ -188,7 +191,7 @@ single-custom-personal = dynamic-custom-personal-profile-slave-list:output
 [frontend-configuration]
 ip-access-certificate = ${self-signed-ip-access:certificate}
 slave-introspection-configuration = ${directory:etc}/slave-introspection-httpd-nginx.conf
-slave-introspection-https-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('slave-introspection-https-port', FRONTEND_USER_DEFAULTS['expert']['slave-introspection-https-port']) }}
+slave-introspection-https-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('slave-introspection-https-port', FRONTEND_GLOBAL_DEFAULTS['expert']['slave-introspection-https-port']) }}
 slave-introspection-secure_access = ${slave-introspection-frontend:connection-secure_access}
 
 [self-signed-ip-access]
@@ -400,8 +403,8 @@ extra-context =
 ## Configuration passed by section
     section frontend_directory frontend-directory
     section configuration configuration
-    section FRONTEND_DEFAULTS FRONTEND_DEFAULTS
     section FRONTEND_USER_DEFAULTS FRONTEND_USER_DEFAULTS
+    section FRONTEND_GLOBAL_DEFAULTS FRONTEND_GLOBAL_DEFAULTS
     section frontend_haproxy_configuration frontend-haproxy-configuration
     section backend_haproxy_configuration backend-haproxy-configuration
     section instance_parameter_dict instance-parameter-section
@@ -452,7 +455,7 @@ hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 <= logrotate-entry-base
 name = frontend-haproxy
 log = ${frontend-haproxy-rsyslogd-config:log-file}
-rotate-num = {{ instance_parameter_dict['configuration']['user']['expert'].get('rotate-num', FRONTEND_USER_DEFAULTS['expert']['rotate-num']) }}
+rotate-num = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('rotate-num', FRONTEND_GLOBAL_DEFAULTS['expert']['rotate-num']) }}
 # Note: Slaves do not define their own reload, as this would be repeated,
 #       because sharedscripts work per entry, and each slave needs its own
 #       olddir
@@ -472,8 +475,8 @@ frontend-graceful-command = ${frontend-haproxy-validate:output} && kill -USR2 $(
 not-found-file = {{ software_parameter_dict['template_not_found_html'] }}
 master-certificate = ${frontend-directory:master-autocert-dir}/master.pem
 self-signed-fallback-certificate = ${self-signed-fallback-access:certificate}
-http-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('frontend-haproxy-http-port', FRONTEND_USER_DEFAULTS['expert']['frontend-haproxy-http-port']) }}
-https-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('frontend-haproxy-https-port', FRONTEND_USER_DEFAULTS['expert']['frontend-haproxy-https-port']) }}
+http-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('frontend-haproxy-http-port', FRONTEND_GLOBAL_DEFAULTS['expert']['frontend-haproxy-http-port']) }}
+https-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('frontend-haproxy-https-port', FRONTEND_GLOBAL_DEFAULTS['expert']['frontend-haproxy-https-port']) }}
 # Communication with ATS
 cache-port = ${trafficserver-variable:input-port}
 # slave instrspection
@@ -540,10 +543,10 @@ hostname = ${slap-configuration:instance-title}
 plugin-config =
 ip-allow-config = src_ip=0.0.0.0-255.255.255.255 action=ip_allow
 cache-path = ${trafficserver-directory:cache-path}
-disk-cache-size = {{ instance_parameter_dict['configuration']['user'].get('disk-cache-size', FRONTEND_USER_DEFAULTS['disk-cache-size']) }}
-ram-cache-size = {{ instance_parameter_dict['configuration']['user'].get('ram-cache-size', FRONTEND_USER_DEFAULTS['ram-cache-size']) }}
+disk-cache-size = {{ instance_parameter_dict['configuration']['user']['global'].get('disk-cache-size', FRONTEND_GLOBAL_DEFAULTS['disk-cache-size']) }}
+ram-cache-size = {{ instance_parameter_dict['configuration']['user']['global'].get('ram-cache-size', FRONTEND_GLOBAL_DEFAULTS['ram-cache-size']) }}
 templates-dir = {{ software_parameter_dict['trafficserver'] }}/etc/trafficserver/body_factory
-request-timeout = {{ instance_parameter_dict['configuration'].get('request-timeout', FRONTEND_DEFAULTS['request-timeout'])}}
+request-timeout = {{ instance_parameter_dict['configuration']['user']['global'].get('request-timeout', FRONTEND_GLOBAL_DEFAULTS['request-timeout']) }}
 version-hash = ${version-hash:value}
 node-id = ${frontend-node-id:value}
 
@@ -802,8 +805,8 @@ file = ${directory:etc}/backend-haproxy.cfg
 pid-file = ${directory:run}/backend-haproxy.pid
 log-socket = ${backend-haproxy-rsyslogd-config:log-socket}
 graceful-command = ${backend-haproxy-validate:output} && kill -USR2 $(cat ${:pid-file})
-http-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('backend-haproxy-http-port', FRONTEND_USER_DEFAULTS['expert']['backend-haproxy-http-port']) }}
-https-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('backend-haproxy-https-port', FRONTEND_USER_DEFAULTS['expert']['backend-haproxy-https-port']) }}
+http-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('backend-haproxy-http-port', FRONTEND_GLOBAL_DEFAULTS['expert']['backend-haproxy-http-port']) }}
+https-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('backend-haproxy-https-port', FRONTEND_GLOBAL_DEFAULTS['expert']['backend-haproxy-https-port']) }}
 # Caucase related configuration
 caucase-url = {{ instance_parameter_dict['configuration']['backend-client-caucase-url'] }}
 ca-certificate = ${backend-client-login-config:ca-certificate}
@@ -813,7 +816,7 @@ csr = ${backend-client-caucase-updater-csr:csr}
 crl = ${backend-client-login-config:crl}
 # the statistic page
 statistic-certificate = ${self-signed-ip-access:certificate}
-statistic-port = {{  instance_parameter_dict['configuration']['user']['expert'].get('backend-haproxy-statistic-port', FRONTEND_USER_DEFAULTS['expert']['backend-haproxy-statistic-port']) }}
+statistic-port = {{  instance_parameter_dict['configuration']['user']['global']['expert'].get('backend-haproxy-statistic-port', FRONTEND_GLOBAL_DEFAULTS['expert']['backend-haproxy-statistic-port']) }}
 statistic-username = ${monitor-instance-parameter:username}
 statistic-password = ${monitor-htpasswd:passwd}
 statistic-identification = {{ instance_parameter_dict['instance-title'] + ' @ ' + instance_parameter_dict['configuration']['cluster-identification'] }}
@@ -860,7 +863,7 @@ extra-context =
 <= logrotate-entry-base
 name = backend-haproxy
 log = ${backend-haproxy-rsyslogd-config:log-file}
-rotate-num = {{ instance_parameter_dict['configuration']['user']['expert'].get('rotate-num', FRONTEND_USER_DEFAULTS['expert']['rotate-num']) }}
+rotate-num = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('rotate-num', FRONTEND_GLOBAL_DEFAULTS['expert']['rotate-num']) }}
 # Note: Slaves do not define their own reload, as this would be repeated,
 #       because sharedscripts work per entry, and each slave needs its own
 #       olddir
@@ -958,7 +961,7 @@ hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 # Note: Workaround for monitor stack, which uses monitor-httpd-port parameter
 #       directly, and in our case it can come from the network, thus resulting
 #       with need to strip !py!'u'
-monitor-httpd-port = {{ instance_parameter_dict['configuration']['user']['expert'].get('monitor-httpd-port', FRONTEND_USER_DEFAULTS['expert']['monitor-httpd-port']) }}
+monitor-httpd-port = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('monitor-httpd-port', FRONTEND_GLOBAL_DEFAULTS['expert']['monitor-httpd-port']) }}
 password = {{ instance_parameter_dict['configuration']['monitor-password'] }}
 
 [monitor-conf-parameters]
@@ -994,7 +997,7 @@ context =
 <= monitor-promise-base
 promise = check_url_available
 name = re6st-connectivity.py
-config-url = {{ instance_parameter_dict['configuration']['re6st-verification-url'] }}
+config-url = {{ instance_parameter_dict['configuration']['user']['global'].get('re6st-verification-url', FRONTEND_GLOBAL_DEFAULTS['re6st-verification-url']) }}
 
 [slave-introspection-frontend]
 <= slap-connection
@@ -1095,7 +1098,7 @@ config-port = ${frontend-configuration:slave-introspection-https-port}
 <= logrotate-entry-base
 name = slave-introspection
 log = ${frontend-haproxy-configuration:slave-introspection-access-log} ${frontend-haproxy-configuration:slave-introspection-error-log}
-rotate-num = {{ instance_parameter_dict['configuration']['user']['expert'].get('rotate-num', FRONTEND_USER_DEFAULTS['expert']['rotate-num']) }}
+rotate-num = {{ instance_parameter_dict['configuration']['user']['global']['expert'].get('rotate-num', FRONTEND_GLOBAL_DEFAULTS['expert']['rotate-num']) }}
 post = kill -USR2 $(cat ${frontend-haproxy-configuration:slave-introspection-pid-file})
 delaycompress =
 
@@ -1127,13 +1130,13 @@ config-state = empty
 {{ key }} = {{ dumps(value) }}
 {%- endfor %}
 
-[FRONTEND_DEFAULTS]
-{% for key, value in FRONTEND_DEFAULTS.items() %}
+[FRONTEND_USER_DEFAULTS]
+{% for key, value in FRONTEND_USER_DEFAULTS.items() %}
 {{ key }} = {{ dumps(value) }}
 {%- endfor %}
 
-[FRONTEND_USER_DEFAULTS]
-{% for key, value in FRONTEND_USER_DEFAULTS.items() %}
+[FRONTEND_GLOBAL_DEFAULTS]
+{% for key, value in FRONTEND_GLOBAL_DEFAULTS.items() %}
 {{ key }} = {{ dumps(value) }}
 {%- endfor %}
 

software/rapid-cdn/instance-input-schema.json

@@ -3,17 +3,6 @@
   "title": "Input Parameters",
   "type": "object",
   "properties": {
-    "frontend-node-dict": {
-      "title": "Frontend Node configuration",
-      "description": "The name used here will be reference of the node, used in the request, so changing it will result with new allocation. Note: This can be used while migrating clusters by using caddy-frontend-N.",
-      "patternProperties": {
-        ".*": {
-          "allOf": [ { "$ref": "./instance-frontend-user-input-schema.json" } ]
-        }
-      },
-      "type": "object",
-      "default": {}
-    },
     "domain": {
       "description": "Domain used to generate automatic hostnames for slaves. For example 'example.com' will result with slave hostname 'slaveref.example.com'.",
       "format": "idn-hostname",
@@ -21,24 +10,6 @@
       "type": "string",
       "default": "example.org"
     },
-    "request-timeout": {
-      "default": 600,
-      "description": "Timeout for HTTP requests.",
-      "title": "HTTP Request timeout in seconds",
-      "type": "integer"
-    },
-    "backend-connect-timeout": {
-      "default": 5,
-      "description": "Time in seconds for establishing connection to the backend.",
-      "title": "Timeout for backend connection (seconds)",
-      "type": "integer"
-    },
-    "backend-connect-retries": {
-      "default": 3,
-      "description": "Amount of retries to connect to the backend. The amount of backend-connect-timeout*backend-connect-retries seconds will be spent to connect to the backend.",
-      "title": "Amount of retries to connect to the backend.",
-      "type": "integer"
-    },
     "automatic-internal-kedifa-caucase-csr": {
       "default": true,
       "description": "Automatically signs CSRs sent to KeDiFa's caucase, based on CSR comparison.",
@@ -51,24 +22,29 @@
       "title": "Automatic Internal Backend Client's Caucase CSR",
       "type": "boolean"
     },
-    "ciphers": {
-      "title": "Ordered whitespace separated list of ciphers",
-      "type": "string",
-      "textarea": true,
-      "default": "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA AES256-SHA AES128-SHA ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA"
-    },
-    "authenticate-to-backend": {
-      "default": false,
-      "description": "If set to true the frontend certificate will be used as authentication certificate to the backend. Note: backend might have to know the frontend CA, available with 'backend-client-caucase-url'.",
-      "title": "Authenticate to backend",
-      "type": "boolean"
-    },
     "certificate-chain": {
       "description": "SSL Certificate chain to be used. It shall start with a certificate, optionally intermediate certificates and end with a key. Deprecated: please use master-key-upload-url.",
       "textarea": true,
       "title": "[DEPRECATED] Certificate chain",
       "type": "string"
     },
+    "frontend-global": {
+      "title": "Frontend Node Global Parameters",
+      "description": "Default parameters for each frontend node, which can be then fine tuned on each configuration.",
+      "allOf": [ { "$ref": "./instance-frontend-global-input-schema.json" } ],
+      "type": "object"
+    },
+    "frontend-node-dict": {
+      "title": "Frontend Node configuration",
+      "description": "Frontend node setup object to setup the cluster exactly as wanted. The name used here will be reference of the node, used in the request, so changing it will result with new allocation. Note: This can be used while migrating clusters by using caddy-frontend-N.",
+      "patternProperties": {
+        ".*": {
+          "allOf": [ { "$ref": "./instance-frontend-user-input-schema.json" } ]
+        }
+      },
+      "type": "object",
+      "default": {}
+    },
     "expert": {
       "title": "Expert parameters",
       "type": "object",
@@ -88,11 +64,6 @@
           "title": "Monitor CORS Domains",
           "type": "string"
         },
-        "re6st-verification-url": {
-          "description": "Url to verify if the internet and/or re6stnet is working.",
-          "title": "Test Verification URL",
-          "type": "string"
-        },
         "rotate-num": {
           "default": 4000,
           "title": "Amount of daily log rotations",

software/rapid-cdn/instance-master.cfg.in

@@ -288,12 +288,6 @@ return = slave-instance-information-list monitor-base-url backend-client-csr-url
         'backend-client-caucase-url': CAUCASE_URL,
         'cluster-identification': instance_parameter_dict['root-instance-title'],
         'extra_slave_instance_list': sorted(AUTHORIZED_SLAVE_LIST, key=operator_module.itemgetter('slave_reference')),
-        're6st-verification-url': instance_parameter_dict['configuration']['expert'].get('re6st-verification-url', CLUSTER_DEFAULTS['expert']['re6st-verification-url']),
-        'backend-connect-timeout': instance_parameter_dict['configuration'].get('backend-connect-timeout', CLUSTER_DEFAULTS['backend-connect-timeout']),
-        'backend-connect-retries': instance_parameter_dict['configuration'].get('backend-connect-retries', CLUSTER_DEFAULTS['backend-connect-retries']),
-        'request-timeout': instance_parameter_dict['configuration'].get('request-timeout', CLUSTER_DEFAULTS['request-timeout']),
-        'ciphers': instance_parameter_dict['configuration'].get('ciphers', CLUSTER_DEFAULTS['ciphers']),
-        'authenticate-to-backend': instance_parameter_dict['configuration'].get('authenticate-to-backend', CLUSTER_DEFAULTS['authenticate-to-backend']),
         'slave-kedifa-information': '${request-kedifa:connection-slave-kedifa-information}',
         'kedifa-caucase-url': '${request-kedifa:connection-caucase-url}',
         'master-key-download-url': '${request-kedifa:connection-master-key-download-url}',

software/rapid-cdn/instance-slave-list.cfg.in

@@ -230,9 +230,9 @@ context =
     (
       '' ~ slave_instance.get(
         'enable-http2',
-        configuration['user'].get(
+        configuration['user']['global'].get(
           'enable-http2',
-          FRONTEND_USER_DEFAULTS['enable-http2']
+          FRONTEND_GLOBAL_DEFAULTS['enable-http2']
         )
       )
     ).lower() in TRUE_VALUES) %}

software/rapid-cdn/instance.cfg.in

@@ -77,14 +77,14 @@ init =
 <= schema-json-to-default
 input = {{ software_parameter_dict['instance_slave_input_schema'] }}
 
-[instance-frontend-default]
-<= schema-json-to-default
-input = {{ software_parameter_dict['instance_frontend_input_schema'] }}
-
 [instance-frontend-user-default]
 <= schema-json-to-default
 input = {{ software_parameter_dict['instance_frontend_user_input_schema'] }}
 
+[instance-frontend-global-default]
+<= schema-json-to-default
+input = {{ software_parameter_dict['instance_frontend_global_input_schema'] }}
+
 [instance-default]
 <= schema-json-to-default
 input = {{ software_parameter_dict['instance_input_schema'] }}
@@ -97,8 +97,8 @@ extra-context =
   import furl_module furl
   raw software_type single-custom-personal
   key SLAVE_DEFAULTS instance-slave-default:defaults
-  key FRONTEND_DEFAULTS instance-frontend-default:defaults
   key FRONTEND_USER_DEFAULTS instance-frontend-user-default:defaults
+  key FRONTEND_GLOBAL_DEFAULTS instance-frontend-global-default:defaults
 
 [dynamic-profile-master]
 < = jinja2-template-base
@@ -112,6 +112,8 @@ extra-context =
     import validators_module validators
     import software_module software
     key CLUSTER_DEFAULTS instance-default:defaults
+    key FRONTEND_USER_DEFAULTS instance-frontend-user-default:defaults
+    key FRONTEND_GLOBAL_DEFAULTS instance-frontend-global-default:defaults
     key SLAVE_DEFAULTS instance-slave-default:defaults
 
 [dynamic-profile-kedifa]

software/rapid-cdn/software.cfg

@@ -100,6 +100,7 @@ template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
 instance_slave_input_schema = ${instance-slave-input-schema:target}
 instance_frontend_input_schema = ${instance-frontend-input-schema:target}
 instance_frontend_user_input_schema = ${instance-frontend-user-input-schema:target}
+instance_frontend_global_input_schema = ${instance-frontend-global-input-schema:target}
 instance_input_schema = ${instance-input-schema:target}
 
 # directories
@@ -223,6 +224,9 @@ output = ${buildout:directory}/template-wrapper.cfg
 [instance-frontend-user-input-schema]
 <=download-profile
 
+[instance-frontend-global-input-schema]
+<=download-profile
+
 [instance-input-schema]
 <=download-profile