Remove docker-setup-specific contents of apache-git-http-backend

The purpose of this project is to provide a Kubernetes setup for Gerrit.
Out of historical reasons the container images maintained by this
project were built in a way to also support running a similar setup
in docker. This causes a lot of additional effort and also adds contents
to the containers that are not used in the Kubernetes context, which
makes them larger and potentially more insecure than need be.

This change removes the start-script and the script validating the
filesystem. It removes the declaration of exposed ports in the
Dockerfile, since this is not mandatory and depending whether HTTPS or
HTTP is activated, the unused port should not be exposed. It removes the
custom entrypoint in the Kubernetes setup and moves the disabling of
unused protocol to the start-script listening to environment variables.
The fallback creation of the certificates and the .htpasswd-file in the
start script was removed, since the directory the secret is mounted into
is configured as read-only by Kubernetes. Instead, the helm chart
requires the corresponding values to be set.

Change-Id: Ib9e562e08d2bf8c2f0d8136ca5e0eb13512320ca
diff --git a/container-images/apache-git-http-backend/Dockerfile b/container-images/apache-git-http-backend/Dockerfile
index 6cac131..0253697 100644
--- a/container-images/apache-git-http-backend/Dockerfile
+++ b/container-images/apache-git-http-backend/Dockerfile
@@ -3,8 +3,7 @@
 # Install apache2
 RUN apt-get update && \
     apt-get -y install \
-      apache2  \
-      apache2-utils && \
+      apache2 && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     a2enmod \
@@ -26,14 +25,13 @@
 RUN sed -i -e 's/APACHE_RUN_USER=www-data/APACHE_RUN_USER=gerrit/' /etc/apache2/envvars && \
     sed -i -e 's/APACHE_RUN_GROUP=www-data/APACHE_RUN_GROUP=users/' /etc/apache2/envvars
 
-COPY tools/* /var/tools/
+COPY tools/start /var/tools/start
 COPY tools/create_repo.sh /var/cgi/create_repo.sh
 
-# Allow incoming traffic
-EXPOSE 80
-EXPOSE 443
-
-VOLUME ["/var/gerrit/git", "/var/apache/credentials", "/var/log/apache2"]
+RUN mkdir -p /var/gerrit/git && \
+    mkdir -p /var/log/apache2 && \
+    chown -R gerrit:users /var/gerrit/git && \
+    chown -R gerrit:users /var/log/apache2
 
 # Start
-ENTRYPOINT ["/bin/bash", "-c", "/var/tools/verify_fs_permissions && /var/tools/start"]
+ENTRYPOINT ["/var/tools/start"]
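Review bot: The `chown -R gerrit:users` on `/var/gerrit/git` and `/var/log/apache2` only affects the image layer; a volume mounted over either path brings its own ownership. With `verify_fs_permissions` dropped from the `ENTRYPOINT`, nothing checks at startup that the gerrit user can write there. A comment above the `RUN` would make the dependency explicit, e.g. `# Ownership applies to the image layer only; mounted volumes rely on the pod securityContext (fsGroup 100, group users).` The two `mkdir -p` calls and the two `chown -R` calls could also each be merged into one.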
diff --git a/container-images/apache-git-http-backend/README.md b/container-images/apache-git-http-backend/README.md
index 67df3ed..8272b34 100644
--- a/container-images/apache-git-http-backend/README.md
+++ b/container-images/apache-git-http-backend/README.md
@@ -18,21 +18,14 @@
  downported to 2.16
 * `tools/start`: start script, configures and starts Apache
  webserver
-* `start`: start script for testing image using Docker
 
 ## Setup and Configuration
 
 * install Apache webserver
 * configure Apache for http and/or https
 * install cgi script
-* open ports for incoming traffic
 * map volumes
 
 ## Start
 
-* verify filesystem permissions. In Kubernetes this is done using a
- [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
- It is used to set the filesystem group of mounted volumes to 100 (users),
- which is used by the gerrit-user in the containers. Thereby it is ensured
- that the volumes have rw-permissions for the gerrit-user.
-* start Apache git-http backend  via start script `/var/tools/start`
+* start Apache git-http backend via start script `/var/tools/start`
diff --git a/container-images/apache-git-http-backend/start b/container-images/apache-git-http-backend/start
deleted file mode 100755
index e25fe84..0000000
--- a/container-images/apache-git-http-backend/start
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-MODE=$1 && shift
-NAME=$1 && shift
-SITE=$1 && shift
-ENABLE_HTTP=$1 && shift
-REGISTRY=$1 && shift
-TAG=$1 && shift
-OWNER_UID=$1 && shift
-OWNER_GID=$1 && shift
-ENV=$1 && shift
-
-create_dir "$SITE/log_apache2" $OWNER_UID $OWNER_GID
-
-docker run $MODE \
-  -h $(hostname -f) \
-  --name ${NAME} \
-  -p 8080:80 \
-  -p 8081:443 \
-  -v $SITE/git:/var/gerrit/git \
-  -v $SITE/etc:/var/apache/credentials \
-  -v $SITE/log_apache2:/var/log/apache2 \
-  $ENV \
-  $ENABLE_HTTP \
-  ${REGISTRY}k8sgerrit/${NAME}:${TAG}
diff --git a/container-images/apache-git-http-backend/tools/start b/container-images/apache-git-http-backend/tools/start
index 80dd3b8..da4758b 100755
--- a/container-images/apache-git-http-backend/tools/start
+++ b/container-images/apache-git-http-backend/tools/start
@@ -1,26 +1,12 @@
 #!/bin/bash
 
-if test ! -f /var/apache/credentials/server.crt ;then
-  openssl genrsa -des3 -passout pass:secret \
-    -out /var/apache/credentials/server.pass.key 2048
-  openssl rsa -passin pass:secret -in /var/apache/credentials/server.pass.key \
-    -out /var/apache/credentials/server.key
-  rm /var/apache/credentials/server.pass.key
-  openssl req -new -key /var/apache/credentials/server.key \
-    -out /var/apache/credentials/server.csr -subj "/C=DE/O=Gerrit/CN=localhost"
-  openssl x509 -req -days 365 -in /var/apache/credentials/server.csr \
-    -signkey /var/apache/credentials/server.key \
-    -out /var/apache/credentials/server.crt
-  echo "Created a self-signed certificate in /var/apache/credentials/server.crt"
-fi
-
-if [ -z "$ENABLE_HTTP" ] || [ "$ENABLE_HTTP" = "false" ] ;then
+if [ "$DISABLE_HTTP" = "true" ] ;then
   rm /etc/apache2/sites-enabled/git-http-backend.conf
 fi
 
-if test ! -f /var/apache/credentials/.htpasswd ;then
-  htpasswd -cdb /var/apache/credentials/.htpasswd gerrit secret
+if [ "$DISABLE_HTTPS" = "true" ] ;then
+  rm /etc/apache2/sites-enabled/git-https-backend.conf
 fi
 
 /etc/init.d/apache2 start \
-  && tail -F -q -n +1 /var/log/apache2/*.log
\ No newline at end of file
+  && tail -F -q -n +1 /var/log/apache2/*.log
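Review bot: Disabling a protocol is now fail-open in two ways. The HTTP site stays enabled unless `DISABLE_HTTP` is exactly `"true"`, whereas the removed check dropped it whenever `ENABLE_HTTP` was unset. A failing `rm` in either branch also does not stop Apache from starting with that site still enabled. The backend presumably authenticates against the mounted `.htpasswd`, so an unintended plaintext listener matters. I would abort on failure, e.g. `rm /etc/apache2/sites-enabled/git-http-backend.conf || exit 1` and the same for `git-https-backend.conf`, and add a header comment stating that both sites are served unless the variables are set to `true`.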
diff --git a/container-images/apache-git-http-backend/tools/verify_fs_permissions b/container-images/apache-git-http-backend/tools/verify_fs_permissions
deleted file mode 100755
index bf449c6..0000000
--- a/container-images/apache-git-http-backend/tools/verify_fs_permissions
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-gerrit_uid=$(id -u gerrit)
-gerrit_gid=$(cut -d: -f3 < <(getent group users))
-
-for dir in /var/gerrit/* /var/apache/credentials /var/log/apache2; do
-  /var/tools/validate_site.sh $dir $gerrit_uid $gerrit_gid || exit 1
-done
\ No newline at end of file
diff --git a/helm-charts/gerrit-slave/templates/git-backend.deployment.yaml b/helm-charts/gerrit-slave/templates/git-backend.deployment.yaml
index a1e5092..328beea 100644
--- a/helm-charts/gerrit-slave/templates/git-backend.deployment.yaml
+++ b/helm-charts/gerrit-slave/templates/git-backend.deployment.yaml
@@ -27,19 +27,15 @@
       - name: apache-git-http-backend
         imagePullPolicy: {{ .Values.images.imagePullPolicy }}
         image: {{ template "registry" . }}{{ .Values.gitBackend.image }}:{{ .Values.images.version }}
-        command:
-        - bin/bash
-        - -c
-        args:
-        - |
-          {{ if eq .Values.gitBackend.service.https.enabled false -}}
-          rm /etc/apache2/sites-enabled/git-https-backend.conf
-          {{- end }}
-          {{ if eq .Values.gitBackend.service.http.enabled false -}}
-          rm /etc/apache2/sites-enabled/git-http-backend.conf
-          {{- end }}
-          /etc/init.d/apache2 start \
-            && tail -F -q -n +1 /var/log/apache2/*.log
+        env:
+        {{ if eq .Values.gitBackend.service.https.enabled false -}}
+        - name: DISABLE_HTTPS
+          value: "true"
+        {{- end }}
+        {{ if eq .Values.gitBackend.service.http.enabled false -}}
+        - name: DISABLE_HTTP
+          value: "true"
+        {{- end }}
         ports:
         - containerPort: 80
         - containerPort: 443
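Review bot: `containerPort: 80` and `containerPort: 443` are still listed unconditionally right after the new `env` block, so the pod spec keeps advertising a port whose site the start script removes. Wrapping each entry in the matching condition would keep them in step, e.g. `{{ if .Values.gitBackend.service.http.enabled -}}` around `- containerPort: 80`. The `eq … false` tests also only fire on an explicit `false`. If a value is omitted, the variable is presumably not emitted and the protocol stays on, which deserves a comment here or in the chart's values documentation. The container spec continues outside this hunk.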
@@ -66,4 +62,4 @@
           claimName: {{ .Release.Name }}-apache-logs-pvc
         {{ else -}}
         emptyDir: {}
-        {{- end }}
\ No newline at end of file
+        {{- end }}
diff --git a/helm-charts/gerrit-slave/templates/git-backend.secrets.yaml b/helm-charts/gerrit-slave/templates/git-backend.secrets.yaml
index f69608a..34b3552 100644
--- a/helm-charts/gerrit-slave/templates/git-backend.secrets.yaml
+++ b/helm-charts/gerrit-slave/templates/git-backend.secrets.yaml
@@ -9,10 +9,10 @@
     release: {{ .Release.Name }}
 data:
   {{ with .Values.gitBackend -}}
-  .htpasswd: {{ .credentials.htpasswd | b64enc }}
+  .htpasswd: {{ required "A .htpasswd-file is required for the git backend." .credentials.htpasswd | b64enc }}
   {{ if .service.https.enabled -}}
-  server.key: {{ .service.https.key | b64enc }}
-  server.crt: {{ .service.https.cert | b64enc }}
+  server.key: {{ required "A SSL key is required, if HTTPS is enabled for the git backend service." .service.https.key | b64enc }}
+  server.crt: {{ required "A SSL certificate is required, if HTTPS is enabled for the git backend service." .service.https.cert | b64enc }}
   {{- end }}
   {{- end }}
 type: Opaque
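Review bot: The three `required` messages do not name the values key the operator has to set, so a failed `helm install` still means a search through the template. Naming the path would help, e.g. `required "gitBackend.credentials.htpasswd must be set for the git backend."`, and likewise for `gitBackend.service.https.key` and `gitBackend.service.https.cert`. The messages should also read "An SSL key" rather than "A SSL key".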
@@ -33,4 +33,4 @@
   tls.crt: {{ .cert | b64enc }}
   tls.key: {{ .key | b64enc }}
   {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/start b/start
index 19a7485..dee0388 100755
--- a/start
+++ b/start
@@ -73,9 +73,6 @@
 docker rm ${NAME} >/dev/null 2>&1
 
 case "$NAME" in
-apache-git-http-backend)
-  container-images/$NAME/start "$MODE" "$NAME" "$SITE" "$ENABLE_HTTP" "$REGISTRY" "$TAG" "$OWNER_UID" "$OWNER_GID" "$ENV"
-  ;;
 
 gerrit-master)
   container-images/$NAME/start "$MODE" "$NAME" "$SITE" "$REGISTRY" "$TAG" "$OWNER_UID" "$OWNER_GID" "$ENV"