Feature #17011
closed
Add keep-web wildcard DNS to salt
Description
Keep-web supports virtual hosts to securely serve inline content to the browser (otherwise, everything is forced to be download-only to maintain same-origin security). This is also necessary for our S3 API support, as the preferred way to refer to buckets is with the bucket name as the first part of the domain name.
For each cluster zzzzz that we control:
- Configure DNS for *.collections.zzzzz.arvadosapi.com to go to keep-web
- Get a wildcard DNS cert for *.collections.zzzzz.arvadosapi.com
- Set Services.WebDAV.ExternalURL to "https://*.collections.zzzzz.arvadosapi.com"
More information at https://doc.arvados.org/v2.1/api/keep-web-urls.html
Related issues
Updated by Peter Amstutz over 3 years ago
- Status changed from New to In Progress
Updated by Peter Amstutz over 3 years ago
- Status changed from In Progress to New
- Tracker changed from Bug to Feature
Updated by Peter Amstutz over 3 years ago
- Target version changed from 2020-11-04 Sprint to 2020-11-18
Updated by Peter Amstutz over 3 years ago
- Blocks Feature #17009: [keep-web] S3 API should accept bucket name as first component of domain name added
Updated by Peter Amstutz over 3 years ago
- Blocks Idea #17109: Support keep-web URLs with collection the domain name added
Updated by Ward Vandewege over 3 years ago
- Assigned To changed from Javier Bértoli to Ward Vandewege
Updated by Peter Amstutz over 3 years ago
- Target version changed from 2020-11-18 to 2020-12-02 Sprint
Updated by Ward Vandewege over 3 years ago
- Status changed from New to In Progress
I've gone through all the necessary steps on ce8i5 (see e.g. https://c28440adeb7421c5edc54d8fa31f16ed-114.collections.ce8i5.arvadosapi.com/_/cwl.output.json?disposition=inline), this configuration is now active there. Working on making the salt changes now.
Updated by Ward Vandewege over 3 years ago
Ready for review at commit:be3507374c33090fb6023fb2c289df0a314c54de on branch 17011-add-letsencrypt-wildcard-support.
The changes have already been applied for ce8i5. The only thing that is not automated is the creation of the IAM role + policy for the account that does the DNS validation.
Updated by Javier Bértoli over 3 years ago
- Story points set to 8.0
@cure, it LGTM, I think it's ready to merge.
Updated by Ward Vandewege over 3 years ago
The terraform piece is now ready for review at commit:38c129609533e85b289c04301a34dfdcf20ac86f on branch 17011-terraform-changes (terraform repo). Applied for ce8i5 only in this commit.
Once this is merged, I'll go around all our clusters and- migrate their dns to route53 (if they haven't been yet)
- switch them to wildcard dns/ssl for keep-web
Updated by Javier Bértoli over 3 years ago
@cure, it LGTM.
migrate their dns to route53 (if they haven't been yet)
This was partially done on #16240, it might need an update (to see if any value changed) and finish the migration from corehost.
Updated by Ward Vandewege over 3 years ago
Javier Bértoli wrote:
@cure, it LGTM.
migrate their dns to route53 (if they haven't been yet)
This was partially done on #16240, it might need an update (to see if any value changed) and finish the migration from corehost.
Thanks, merged. Indeed, I picked up from there for ce8i5. Will do the rest.
Updated by Ward Vandewege over 3 years ago
Converted to Route53:
- ce8i5
- 9tee4
- su92l
- tb05z
- bd44f
Already on Route53:
- jutro
- lugli
- pirca
- tordo
Cleaned up so that terraform applies:
- jutro
- lugli
- pirca
- lugli
Created IAM role + policy:
- ce8i5
- 9tee4
- su92l
Refactored IAM role + policy:
- jutro
- lugli
- pirca
- lugli
Enabled *.collections:
- ce8i5
- jutro
- lugli
- pirca
- tordo
- su92l
- 9tee4
Updated by Peter Amstutz over 3 years ago
- Target version changed from 2020-12-02 Sprint to 2020-12-16 Sprint
Updated by Ward Vandewege over 3 years ago
- Status changed from In Progress to Resolved