Feature #17011
closed
Add keep-web wildcard DNS to salt
Added by Peter Amstutz about 4 years ago.
Updated over 3 years ago.
Estimated time:
(Total: 0.00 h)
Release relationship:
Auto
Description
Keep-web supports virtual hosts to securely serve inline content to the browser (otherwise, everything is forced to be download-only to maintain same-origin security). This is also necessary for our S3 API support, as the preferred way to refer to buckets is with the bucket name as the first part of the domain name.
For each cluster zzzzz that we control:
- Configure DNS for *.collections.zzzzz.arvadosapi.com to go to keep-web
- Get a wildcard DNS cert for *.collections.zzzzz.arvadosapi.com
- Set Services.WebDAV.ExternalURL to "https://*.collections.zzzzz.arvadosapi.com"
More information at https://doc.arvados.org/v2.1/api/keep-web-urls.html
- Status changed from New to In Progress
- Tracker changed from Bug to Feature
- Status changed from In Progress to New
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Category set to Deployment
- Assigned To set to Javier Bértoli
- Description updated (diff)
- Description updated (diff)
- Target version changed from 2020-11-04 Sprint to 2020-11-18
- Description updated (diff)
- Blocks Feature #17009: [keep-web] S3 API should accept bucket name as first component of domain name added
- Blocks Story #17109: Support keep-web URLs with collection the domain name added
- Assigned To changed from Javier Bértoli to Ward Vandewege
- Target version changed from 2020-11-18 to 2020-12-02 Sprint
- Status changed from New to In Progress
Ready for review at commit:be3507374c33090fb6023fb2c289df0a314c54de on branch 17011-add-letsencrypt-wildcard-support.
The changes have already been applied for ce8i5. The only thing that is not automated is the creation of the IAM role + policy for the account that does the DNS validation.
@cure, it LGTM, I think it's ready to merge.
- Story points changed from 8.0 to 1.0
The terraform piece is now ready for review at commit:38c129609533e85b289c04301a34dfdcf20ac86f on branch 17011-terraform-changes (terraform repo). Applied for ce8i5 only in this commit.
Once this is merged, I'll go around all our clusters and
- migrate their dns to route53 (if they haven't been yet)
- switch them to wildcard dns/ssl for keep-web
@cure, it LGTM.
> migrate their dns to route53 (if they haven't been yet)
This was partially done on #16240, it might need an update (to see if any value changed) and finish the migration from corehost.
Javier Bértoli wrote:
> @cure, it LGTM.
> > migrate their dns to route53 (if they haven't been yet)
> This was partially done on #16240, it might need an update (to see if any value changed) and finish the migration from corehost.
Thanks, merged. Indeed, I picked up from there for ce8i5. Will do the rest.
Converted to Route53:
- ce8i5
- 9tee4
- su92l
- tb05z
- bd44f
Already on Route53:
Cleaned up so that terraform applies:
Created IAM role + policy:
Refactored IAM role + policy:
Enabled *.collections:
- ce8i5
- jutro
- lugli
- pirca
- tordo
- su92l
- 9tee4
- Target version changed from 2020-12-02 Sprint to 2020-12-16 Sprint
- Status changed from In Progress to Resolved