Commit 84b817cd authored by Jérome Perrin's avatar Jérome Perrin

software/metabase: version up 0.47.0

Because this metabase now needs SNI properly configured, which means
that the backend must know the frontend domain name and cannot be
accessed by its IP address, we stop serving https on IPv6 directly from
metabase's embedded jetty and reconfigure it to serve http on IPv4 and
add an haproxy instance to serve https on IPv6. This is just an
"internal" change because the external IP will be the same and the
certificate is still a self-signed one for now.

references:
 - https://github.com/metabase/metabase/issues/29660
 - https://discourse.metabase.com/t/http-error-400-invalid-sni-when-upgrading-from-0-45-3-to-0-46-0/24599/8
parent aa73db58
[instance-profile] [instance-profile]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 685e7b371768f6977896d7214fd379f1 md5sum = 0d50ed911a41b76b952b63d37853c3a4
...@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $ ...@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $
environment = environment =
MB_EMOJI_IN_LOGS=false MB_EMOJI_IN_LOGS=false
MB_JETTY_HOST=$${:ip} MB_JETTY_HOST=$${:ip}
MB_JETTY_PORT=$${:-http-port} MB_JETTY_PORT=$${:port}
MB_JETTY_SSL_PORT=$${:port}
MB_JETTY_SSL=true
MB_JETTY_SSL_KEYSTORE=$${metabase-keystore:file}
MB_JETTY_SSL_KEYSTORE_PASSWORD=$${metabase-keystore:password}
MB_DB_TYPE=postgres MB_DB_TYPE=postgres
MB_DB_DBNAME=$${postgresql:dbname} MB_DB_DBNAME=$${postgresql:dbname}
MB_DB_PORT=$${postgresql:port} MB_DB_PORT=$${postgresql:port}
...@@ -62,68 +58,57 @@ environment = ...@@ -62,68 +58,57 @@ environment =
hash-existing-files = hash-existing-files =
$${buildout:directory}/software_release/buildout.cfg $${buildout:directory}/software_release/buildout.cfg
ip = $${instance-parameter:ipv6-random} ip = $${instance-parameter:ipv4-random}
port = 8443 port = 18080
# XXX It does not seem we can prevent metabase to also listen on http, so we
# give it an http port, but don't use it.
-http-port = 18080
hostname = [$${:ip}]
scheme = https
url = $${:scheme}://$${:hostname}:$${:port}
promises = promises =
$${metabase-promise:name} $${metabase-promise:name}
[metabase-promise] [metabase-frontend-certificate]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-instance:url}/api/session/properties
[metabase-keystore-password]
recipe = slapos.cookbook:generate.password
[metabase-keystore]
recipe = plone.recipe.command recipe = plone.recipe.command
stop-on-error = true
command = command =
if [ -f $${:file} ] if [ ! -e $${:cert-file} ]
then then
# XXX password used to be "insecure", but we changed to proper password. ${openssl-output:openssl} req -x509 -nodes -days 3650 \
# We try to list the store with the new password and if it fail we change -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
# the keystore password. -newkey rsa -keyout $${:cert-file} \
if ! ${java:location}/bin/keytool \ -out $${:cert-file}
-list \
-keystore "$${:file}" \
-storepass "$${:password}"
then
echo "Migrating keystore password" && \
${java:location}/bin/keytool \
-storepasswd \
-keystore "$${:file}" \
-storepass insecure \
-new "$${:password}" && \
echo "Migrating certificate key password" && \
${java:location}/bin/keytool \
-keypasswd \
-alias "$${:alias}" \
-keypass insecure \
-new "$${:password}" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi
else
${java:location}/bin/keytool \
-genkeypair \
-alias "$${:alias}" \
-keyalg RSA \
-keypass "$${:password}" \
-dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi fi
file = $${directory:etc}/.metabase_keystore update-command = $${:command}
password = $${metabase-keystore-password:passwd} cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
alias = metabase common-name = $${metabase-frontend-config:ip}
location =
$${:cert-file}
[metabase-frontend-config]
recipe = slapos.recipe.template:jinja2
url = ${stack-haproxy-default-backend-config:target}
output = $${directory:etc}/$${:_buildout_section_name_}
context =
key pidfile :pidfile
key content :content
content =
listen app
log global
bind $${:ip}:$${:port} ssl crt $${metabase-frontend-certificate:cert-file} alpn h2,http/1.1
server app $${metabase-instance:ip}:$${metabase-instance:port}
pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
ip = $${instance-parameter:ipv6-random}
port = 8443
[metabase-frontend]
recipe = slapos.cookbook:wrapper
wrapper-path = $${directory:services}/$${:_buildout_section_name_}
command-line =
${haproxy:location}/sbin/haproxy -f $${metabase-frontend-config:output}
url = https://[$${metabase-frontend-config:ip}]:$${metabase-frontend-config:port}
[metabase-promise]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-frontend:url}/api/session/properties
[postgresql-password] [postgresql-password]
recipe = slapos.cookbook:generate.password recipe = slapos.cookbook:generate.password
...@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries ...@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries
srv = $${buildout:directory}/srv srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin bin = $${buildout:directory}/bin
tmp = $${buildout:directory}/tmp tmp = $${buildout:directory}/tmp
run = $${buildout:directory}/run
service = $${:etc}/service service = $${:etc}/service
srv-metabase = $${:srv}/metabase srv-metabase = $${:srv}/metabase
srv-backup = $${:srv}/backup srv-backup = $${:srv}/backup
...@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig ...@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig
[publish-connection-parameter] [publish-connection-parameter]
recipe = slapos.cookbook:publish recipe = slapos.cookbook:publish
url = $${metabase-instance:url} url = $${metabase-frontend:url}
backup-crontab = $${postgresql-backup-crontab-entry:name} backup-crontab = $${postgresql-backup-crontab-entry:name}
restore-backup-script = $${postgresql-restore-backup:wrapper-path} restore-backup-script = $${postgresql-restore-backup:wrapper-path}
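Review bot: The new `[metabase-frontend-certificate]` command runs `openssl req -x509 -nodes` with `-keyout` and `-out` both set to `$${:cert-file}`, so the TLS private key sits unencrypted in `$${directory:var}` and its protection rests entirely on a file mode that the section neither sets nor checks. Putting `umask 077` on the line before the openssl call (or `chmod 600 $${:cert-file}` right after it) would make that explicit, and `-newkey rsa:2048` would pin the key size instead of leaving it to the openssl configuration default. The certificate is only created when the file is missing, with a 3650-day lifetime and a CN taken from `$${metabase-frontend-config:ip}`, so it appears it would not be regenerated if that address changes; a short comment above `command =` saying so would help whoever replaces the self-signed certificate later. Separately, the Metabase backend now serves plain HTTP on `$${instance-parameter:ipv4-random}` port 18080, so a comment next to `port = 18080` stating that this address is expected to be reachable only by the local haproxy would record the assumption the TLS setup depends on.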
...@@ -6,6 +6,7 @@ extends = ...@@ -6,6 +6,7 @@ extends =
../../component/java/buildout.cfg ../../component/java/buildout.cfg
../../component/postgresql/buildout.cfg ../../component/postgresql/buildout.cfg
../../component/dcron/buildout.cfg ../../component/dcron/buildout.cfg
../../stack/haproxy/default-backend.cfg
../../stack/slapos.cfg ../../stack/slapos.cfg
buildout.hash.cfg buildout.hash.cfg
../../stack/monitor/buildout.cfg ../../stack/monitor/buildout.cfg
...@@ -19,8 +20,8 @@ parts = ...@@ -19,8 +20,8 @@ parts =
[metabase.jar] [metabase.jar]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = https://downloads.metabase.com/v0.45.4.2/metabase.jar url = https://downloads.metabase.com/v0.47.0/metabase.jar
md5sum = 67ed24b3a77b6f87844fc8bf22471f36 md5sum = b81c71668a2177d89690730fabd85d9e
[instance-profile] [instance-profile]
recipe = slapos.recipe.template recipe = slapos.recipe.template
......