Commit 80c79ec9 authored by Rafael Monnerat's avatar Rafael Monnerat

stack/caucase: Disable always failing promise

 The principle of deployment on slapos is once the instance is read to use the
 all the promises must work and buildout would stop to run for a while. This
 Promise is been disable because it assumes the user must use the instance first
 them the promise will be green, which can cause endless failure.

 This fail until user do something makes tests and resilience fail, as there is
 no automation to emulate a user take some action.

 This problem MUST be reimplemented on the current way, and not assume user will
 do any action. Others promises can be added into monitor (but not this one like this).
parent c84ab37e
...@@ -28,7 +28,7 @@ md5sum = a317d2f948cd3d16c860d05cc07ecf42 ...@@ -28,7 +28,7 @@ md5sum = a317d2f948cd3d16c860d05cc07ecf42
[template-caucase] [template-caucase]
filename = instance-caucase.cfg.jinja2.in filename = instance-caucase.cfg.jinja2.in
md5sum = b801dfe4212ff97dc29191e4610df3a3 md5sum = 1988d9c98c2331f49335a1b9a4c26026
[instance-caucase] [instance-caucase]
filename = instance.cfg.in filename = instance.cfg.in
......
...@@ -163,12 +163,14 @@ url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port} ...@@ -163,12 +163,14 @@ url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port}
http-url = ${ca-parameters:crl-external-url} http-url = ${ca-parameters:crl-external-url}
depends = depends =
${nginx-certificate-request:wrapper-path} ${nginx-certificate-request:wrapper-path}
${caucase-server-promise:filename}
${caucase-https-server-promise:filename} ${caucase-https-server-promise:filename}
${ca-nginx-graceful:output} ${ca-nginx-graceful:output}
${ca-certificate-renew-cron-entry:name} ${ca-certificate-renew-cron-entry:name}
${logrotate-ca-nginx:name} ${logrotate-ca-nginx:name}
# Disabled to be re-implemented.
# ${caucase-server-promise:filename}
[ca-certificate-renew-cron-entry] [ca-certificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries} cron-entries = ${cron:cron-entries}
...@@ -184,14 +186,17 @@ name = caucase-nginx-server ...@@ -184,14 +186,17 @@ name = caucase-nginx-server
log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log} log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1 post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
[caucase-server-promise] # This promise is disabled as it requires user to take action so the buildout
recipe = slapos.cookbook:check_url_available # will fail for way too long, and overload master. Please reimplement on a
path = ${directory:promises}/${:filename} # better way
filename = caucase-server-listening-on-tcp #[caucase-server-promise]
url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port} #recipe = slapos.cookbook:check_url_available
dash_path = {{ dash_executable_location }} #path = ${directory:promises}/${:filename}
curl_path = {{ curl_executable_location }} #filename = caucase-server-listening-on-tcp
#url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port}
#dash_path = {{ dash_executable_location }}
#curl_path = {{ curl_executable_location }}
#
[caucase-https-server-promise] [caucase-https-server-promise]
recipe = slapos.cookbook:check_url_available recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename} path = ${directory:promises}/${:filename}
......
  • I do not understand why this promise requires user action to work. Both http and https are supposed to become available without user intervention, with https only becomming available "shortly" after http as the former requires the latter to work to bootstrap its own certificate. So I also do not understand why you would only disable http promise but leave https promise enabled.

    /cc @alain.takoudjou

  • @vpelletier the promise don't require user action to work. This is a bug caused by the fact that the first login redirect to the configuration page which allow to set the password. But the page is disalowed in HTTP (only HTTPS is used for user interface with password). So went the password is not set promise in http redirect to admin/configure and return 404. See: https://lab.nexedi.com/nexedi/slapos/blob/master/stack/caucase/ca-nginx.conf.in#L74

    I wouldn't say that the promise require user action. Yes, user must set the password on first login but the promise is not supposed to fail because the password is not set. I'm thinking how to solve, a simpler solution is to change promise http url from http:[IPv6]:port -> http://[IPv6]:port/crt/ca.crt.pem so that there will be no redirection.

  • I like the idea of fetching the ca.crt, indeed.

Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment