Hashar has uploaded a new change for review. https://gerrit.wikimedia.org/r/71968
Change subject: contint: publish Zuul git repositories ...................................................................... contint: publish Zuul git repositories When running jobs on slaves, we need the Zuul reference it crafts. This can be done by publishing them with git-http-backend bound to the URL http://integration.wikimedia.org/zuul/git/ This is limited to the internal network for now, I do not think there is any public needs for them. Also it is done over HTTP instead of HTTPS to save up a bit of SSL processing. Change-Id: I0248003dc3564d4d2fce63f962517a0220b36300
---
M modules/contint/manifests/website.pp
R modules/contint/templates/apache/integration.wikimedia.org.erb
2 files changed, 31 insertions(+), 7 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/68/71968/1
diff --git a/modules/contint/manifests/website.pp b/modules/contint/manifests/website.pp
index 8c830fa..4c103fb 100644
--- a/modules/contint/manifests/website.pp
+++ b/modules/contint/manifests/website.pp
@@ -34,10 +34,10 @@
 # Apache configuration for integration.wikimedia.org
 file { '/etc/apache2/sites-available/integration.wikimedia.org':
- mode => '0444',
- owner => 'root',
- group => 'root',
- source => 'puppet:///modules/contint/apache/integration.wikimedia.org',
+ mode => '0444',
+ owner => 'root',
+ group => 'root',
+ content => 'contint/apache/integration.wikimedia.org.erb',
 }
 apache_site { 'integration.wikimedia.org':
 name => 'integration.wikimedia.org',
diff --git a/modules/contint/files/apache/integration.wikimedia.org b/modules/contint/templates/apache/integration.wikimedia.org.erb
similarity index 67%
rename from modules/contint/files/apache/integration.wikimedia.org
rename to modules/contint/templates/apache/integration.wikimedia.org.erb
index 27e7fa1..c1509c1 100644
--- a/modules/contint/files/apache/integration.wikimedia.org
+++ b/modules/contint/templates/apache/integration.wikimedia.org.erb
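Review bot: The added `content => 'contint/apache/integration.wikimedia.org.erb',` line in the `file` resource passes the template path as a literal string, so the managed site file would contain that path as its whole content rather than the rendered vhost. The value has to go through the template function: `content => template('contint/apache/integration.wikimedia.org.erb'),`. As written, Apache would presumably be handed a file it cannot parse, and neither the HTTPS redirect nor the access restriction defined in the template would be in effect. The enclosing class starts and ends outside the hunk.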
@@ -1,6 +1,6 @@
 #####################################################################
 ### THIS FILE IS MANAGED BY PUPPET
-### puppet:///modules/contint/apache/integration.wikimedia.org
+### contint module templates/apache/integration.wikimedia.org.erb
 #####################################################################
 # vim: filetype=apache
@@ -12,8 +12,31 @@
 ErrorLog /var/log/apache2/integration_error.log
 CustomLog /var/log/apache2/integration_access.log vhost_combined
- # Force Jenkins request through HTTPS
- Redirect permanent / https://integration.wikimedia.org/
+ # Force any request to HTTPS except the Zuul git repository
+ RedirectMatch permanent ^/((?!(zuul\/git).*) https://integration.wikimedia.org/$1
+
+ # Publish Zuul git repositories
+ #
+ # This let Jenkins slaves the possibility to fetch git references crafted
+ # by Zuul.
+
+ SetEnv GIT_PROJECT_ROOT <%= scope.lookupvar("zuul::git_dir") %>
+ # Allow access to any repository:
+ SetEnv GIT_HTTP_EXPORT_ALL
+
+ # Rewrites borrowed from OpenStack Zuul configuration
+ AliasMatch ^/zuul/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ <%= scope.lookupvar("zuul::git_dir") %>/$1
+ AliasMatch ^/zuul/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ <%= scope.lookupvar("zuul::git_dir") %>/$1
+ ScriptAlias /zuul/git/ /usr/lib/git-core/git-http-backend
+
+ # Restrict access to internal network
+ <Directory <%= scope.lookupvar("zuul::git_dir") %>>
+ Order Deny,Allow
+ Deny from all
+ Allow from 10.0.0.0/8
+ Allow from 127.0.0.1
+ </Directory>
+
 </VirtualHost>
 <VirtualHost *:443>
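Review bot: The internal-network restriction is attached to `<Directory <%= scope.lookupvar("zuul::git_dir") %>>`, which covers the two `AliasMatch` object paths but not requests handled by `ScriptAlias /zuul/git/ /usr/lib/git-core/git-http-backend`, because the CGI itself lives under `/usr/lib/git-core`. Whether that path is reachable from outside depends on configuration not shown here, but with `GIT_HTTP_EXPORT_ALL` set every repository under the Zuul git directory is served through it, so the limit belongs on the URL: wrap the `Order`/`Deny`/`Allow` lines in `<Location /zuul/git/>` … `</Location>` instead of the `<Directory>` block. Separately, the pattern in `RedirectMatch permanent ^/((?!(zuul\/git).*)` opens three groups and closes only two, so it should fail to compile; `^/((?!zuul/git/).*)$` looks like the intent. The surrounding `<VirtualHost>` block starts outside the hunk.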
@@ -81,4 +104,5 @@
 <Directory /srv/org/wikimedia/integration/nightly/mediawiki/core>
 IndexOrderDefault Descending Date
 </Directory>
+
 </VirtualHost>
--
To view, visit https://gerrit.wikimedia.org/r/71968
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0248003dc3564d4d2fce63f962517a0220b36300
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits