software/metabase: version up 0.47.0

because this metabase now needs SNI properly configured, which means that the backend must know the frontend domain name and can not be accessed by its IP address, we stop serving https on IPv6 directly from metabase's embedded jetty and reconfigure it to serve http on IPv4 and add an haproxy instance to serve https on IPv6. This is just an "internal" change because the external IP will be same and the certificate is still a self-signed one for now. references: - https://github.com/metabase/metabase/issues/29660 - https://discourse.metabase.com/t/http-error-400-invalid-sni-when-upgrading-from-0-45-3-to-0-46-0/24599/8

software/metabase: version up 0.47.0
because this metabase now needs SNI properly configured, which means that the backend must know the frontend domain name and can not be accessed by its IP address, we stop serving https on IPv6 directly from metabase's embedded jetty and reconfigure it to serve http on IPv4 and add an haproxy instance to serve https on IPv6. This is just an "internal" change because the external IP will be same and the certificate is still a self-signed one for now. references: - https://github.com/metabase/metabase/issues/29660 - https://discourse.metabase.com/t/http-error-400-invalid-sni-when-upgrading-from-0-45-3-to-0-46-0/24599/8
84b817cd · Jérome Perrin · aa73db58 · 84b817cd · 84b817cd · 84b817cd
Commit 84b817cd authored Aug 17, 2023 by Jérome Perrin
3 changed files
--- a/software/metabase/buildout.hash.cfg
+++ b/software/metabase/buildout.hash.cfg
 [instance-profile]
 filename = instance.cfg.in
-md5sum = 685e7b371768f6977896d7214fd379f1
+md5sum = 0d50ed911a41b76b952b63d37853c3a4
--- a/software/metabase/instance.cfg.in
+++ b/software/metabase/instance.cfg.in
@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $
 environment =
  MB_EMOJI_IN_LOGS=false
  MB_JETTY_HOST=$${:ip}
-  MB_JETTY_PORT=$${:-http-port}
-  MB_JETTY_SSL_PORT=$${:port}
-  MB_JETTY_SSL=true
-  MB_JETTY_SSL_KEYSTORE=$${metabase-keystore:file}
-  MB_JETTY_SSL_KEYSTORE_PASSWORD=$${metabase-keystore:password}
+  MB_JETTY_PORT=$${:port}
  MB_DB_TYPE=postgres
  MB_DB_DBNAME=$${postgresql:dbname}
  MB_DB_PORT=$${postgresql:port}
@@ -62,68 +58,57 @@ environment =
 hash-existing-files =
  $${buildout:directory}/software_release/buildout.cfg

-ip = $${instance-parameter:ipv6-random}
-port = 8443
-# XXX It does not seem we can prevent metabase to also listen on http, so we
-# give it an http port, but don't use it.
-http-port = 18080
-hostname = [$${:ip}]
-scheme = https
-url = $${:scheme}://$${:hostname}:$${:port}
+ip = $${instance-parameter:ipv4-random}
+port = 18080
 promises =
  $${metabase-promise:name}

-[metabase-promise]
-<= monitor-promise-base
-promise = check_url_available
-name = $${:_buildout_section_name_}.py
-config-url= $${metabase-instance:url}/api/session/properties
-
-[metabase-keystore-password]
-recipe = slapos.cookbook:generate.password
-
-[metabase-keystore]
+[metabase-frontend-certificate]
 recipe = plone.recipe.command
-stop-on-error = true
 command =
-  if [ -f $${:file} ]
+  if [ ! -e $${:cert-file} ]
  then
-    # XXX password used to be "insecure", but we changed to proper password.
-    # We try to list the store with the new password and if it fail we change
-    # the keystore password.
-    if ! ${java:location}/bin/keytool \
-      -list \
-      -keystore "$${:file}" \
-      -storepass "$${:password}"
-    then
-      echo "Migrating keystore password" && \
-      ${java:location}/bin/keytool \
-        -storepasswd \
-        -keystore "$${:file}" \
-        -storepass insecure \
-        -new "$${:password}" && \
-      echo "Migrating certificate key password" && \
-      ${java:location}/bin/keytool \
-        -keypasswd \
-        -alias "$${:alias}" \
-        -keypass insecure \
-        -new "$${:password}" \
-        -keystore "$${:file}" \
-        -storepass "$${:password}"
-    fi
-  else
-    ${java:location}/bin/keytool \
-      -genkeypair \
-      -alias "$${:alias}" \
-      -keyalg RSA \
-      -keypass "$${:password}" \
-      -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-      -keystore "$${:file}" \
-      -storepass "$${:password}"
+    ${openssl-output:openssl} req -x509 -nodes -days 3650 \
+      -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
+      -newkey rsa -keyout $${:cert-file} \
+      -out $${:cert-file}
  fi
-file = $${directory:etc}/.metabase_keystore
-password = $${metabase-keystore-password:passwd}
-alias = metabase
+update-command = $${:command}
+cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
+common-name = $${metabase-frontend-config:ip}
+location =
+  $${:cert-file}
+
+[metabase-frontend-config]
+recipe = slapos.recipe.template:jinja2
+url = ${stack-haproxy-default-backend-config:target}
+output = $${directory:etc}/$${:_buildout_section_name_}
+context =
+  key pidfile :pidfile
+  key content :content
+content =
+  listen app
+  log global
+  bind $${:ip}:$${:port} ssl crt $${metabase-frontend-certificate:cert-file} alpn h2,http/1.1
+  server app $${metabase-instance:ip}:$${metabase-instance:port}
+
+pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
+ip = $${instance-parameter:ipv6-random}
+port = 8443
+
+[metabase-frontend]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${directory:services}/$${:_buildout_section_name_}
+command-line =
+  ${haproxy:location}/sbin/haproxy -f $${metabase-frontend-config:output}
+
+url = https://[$${metabase-frontend-config:ip}]:$${metabase-frontend-config:port}
+
+[metabase-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = $${:_buildout_section_name_}.py
+config-url= $${metabase-frontend:url}/api/session/properties

 [postgresql-password]
 recipe = slapos.cookbook:generate.password
@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries
 srv = $${buildout:directory}/srv
 bin = $${buildout:directory}/bin
 tmp = $${buildout:directory}/tmp
+run = $${buildout:directory}/run
 service = $${:etc}/service
 srv-metabase = $${:srv}/metabase
 srv-backup = $${:srv}/backup
@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig

 [publish-connection-parameter]
 recipe = slapos.cookbook:publish
-url = $${metabase-instance:url}
+url = $${metabase-frontend:url}
 backup-crontab = $${postgresql-backup-crontab-entry:name}
 restore-backup-script = $${postgresql-restore-backup:wrapper-path}
--- a/software/metabase/software.cfg
+++ b/software/metabase/software.cfg
@@ -6,6 +6,7 @@ extends =
    ../../component/java/buildout.cfg
    ../../component/postgresql/buildout.cfg
    ../../component/dcron/buildout.cfg
+    ../../stack/haproxy/default-backend.cfg
    ../../stack/slapos.cfg
    buildout.hash.cfg
    ../../stack/monitor/buildout.cfg
@@ -19,8 +20,8 @@ parts =

 [metabase.jar]
 recipe = slapos.recipe.build:download
-url = https://downloads.metabase.com/v0.45.4.2/metabase.jar
-md5sum = 67ed24b3a77b6f87844fc8bf22471f36
+url = https://downloads.metabase.com/v0.47.0/metabase.jar
+md5sum = b81c71668a2177d89690730fabd85d9e

 [instance-profile]
 recipe = slapos.recipe.template