diff --git a/CHANGELOG.md b/CHANGELOG.md index 854fdb923570f242cae0d960ca0528095d074bc5..afbc5c984523e36a5a6908707380df9dcf21a934 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed ### Fixed +## [1.3.4] - 2019-10-14 + +### Added +### Changed + +- use kube-lego for TLS certs for clarin(-dev).eurac.edu +- disable k8s-internal secure TLS communication: getting rid of the necessity + to (re-)create valid/self-signed certs + Note: using HTTP over port 443 for internal communication (Shibboleth mishap) +- add IdP metadata from CLARIN server later in docker build build +- Some changes to the liveness probe / "cronjobs" (see #60) + +### Removed +### Fixed + +- #62 + ## [1.3.3] - 2019-07-23 ### Changed @@ -105,7 +122,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 This is the first release. It all starts here. -[Unreleased]:https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3.3...HEAD +[Unreleased]:https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3.4...HEAD +[1.3.4]: https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3.3...v1.3.4 [1.3.3]: https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3.2...v1.3.3 [1.3.2]: https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3.1...v1.3.2 [1.3.1]: https://gitlab.inf.unibz.it/commul/docker/clarin-dspace/compare/v1.3...v1.3.1 diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index 448338d1a619a8b1a184a111fc4971bc6cff05b1..166238416ef5920e27870983dba1f6b8877164c7 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md 
@@ -7,7 +7,7 @@ - [ ] (Optional) You can now deploy stable to dspace-dev (`./release.sh $VERSION_NUMBER-RC-$RCNUMBER`) - [ ] Make sure that the stable branch is clean and all commits are pushed to origin - [ ] `git checkout production` -- [ ] `git checkout -b v$VERSION_NUMBER $HASHID -- .` +- [ ] `git checkout -b $VERSION_NUMBER $HASHID` The $HASHID being the commit were the last merge from stable happened (before clarindev2clarin.sh changes were committed) - [ ] `git merge --no-ff stable` - [ ] resolve conflicts (though there shouldn't be any) and commit @@ -15,7 +15,7 @@ - [ ] Run the clarindev2clarin.sh script - [ ] `git commit -a ` - [ ] `git checkout production` -- [ ] `git merge v1.3-$VERSION_NUMBER` +- [ ] `git merge $VERSION_NUMBER` - [ ] resolve conflicts and commit - [ ] `git tag -a $VERSION_NUMBER -s (-u $GPG_ID_HASH)` defaults to your default GPG key - [ ] `git branch -d $VERSION_NUMBER` diff --git a/clarin-dev2clarin.sh b/clarin-dev2clarin.sh index aa543fc805742264a8e64654d790a6437ac4e20a..3005c28a2028f701eb31228376c9fa6f21f9111a 100755 --- a/clarin-dev2clarin.sh +++ b/clarin-dev2clarin.sh @@ -3,7 +3,7 @@ # outside the docker perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/shibboleth2.xml perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/local.properties -perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/default-ssl +perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/nginx.default.conf perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/aai.js perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/aai_config.js diff --git a/dockerfiles/Dockerfile.nginx b/dockerfiles/Dockerfile.nginx index 483c1b5e5e2a5c6535db7a9027ab8941f32279b6..64102ecff9879dfa413ec7560061b78588900970 100644 --- a/dockerfiles/Dockerfile.nginx +++ b/dockerfiles/Dockerfile.nginx 
@@ -76,8 +76,6 @@ RUN /tmp/shibboleth_sp_with_fastcgi.sh
 # copy the init script
 RUN cp /opt/shibboleth-sp-fastcgi/etc/shibboleth/shibd-debian /etc/init.d/shibd
 RUN chmod a+x /etc/init.d/shibd
-# add IdP metadata from CLARIN server
-ADD https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml /opt/shibboleth-sp-fastcgi/var/cache/shibboleth/
 # create the test secure folder and set up perl fastcgi
 RUN mkdir /opt/nginx/html/secure
@@ -101,7 +99,7 @@ COPY commul-customization/php-fpm.conf /etc/php/7.0/fpm/
 COPY commul-customization/php.ini /etc/php/7.0/fpm/
 # copy over config files
-COPY commul-customization/default-ssl /opt/nginx/conf/
+COPY commul-customization/nginx.default.conf /opt/nginx/conf/
 COPY commul-customization/nginx.conf /opt/nginx/conf/
 COPY commul-customization/repository_auth /opt/nginx/conf/
 COPY commul-customization/shibboleth2.xml /opt/shibboleth-sp-fastcgi/etc/shibboleth/
@@ -126,5 +124,7 @@ RUN yui-compressor -o aai.min.js aai.js
 # COPY commul-customization/certs/clarin.key /etc/ssl/private/
 # COPY commul-customization/certs/clarin_eurac_edu.crt /etc/ssl/certs/
+# add IdP metadata from CLARIN server
+ADD https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml /opt/shibboleth-sp-fastcgi/var/cache/shibboleth/
 ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/dockerfiles/commul-customization/local.properties b/dockerfiles/commul-customization/local.properties
index e98083714e3c8662b0c8f46c6af3167d87f6015a..1e28fb5a407e74d4c5ab9c26df72567d2eeca593 100644
--- a/dockerfiles/commul-customization/local.properties
+++ b/dockerfiles/commul-customization/local.properties
@@ -128,7 +128,7 @@ mail.server.disabled = false
 mail.server.username = ${MAIL_USER}
 mail.server.password = ${MAIL_PASSWORD}
 mail.server.port = 587
-mail.extraproperties = mail.smtp.starttls.enable=true
+mail.extraproperties = mail.smtp.starttls.enable=true,mail.smtp.ssl.protocols=TLSv1.2
 # Eurac IAL: Contact information
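Review bot: The `ADD https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml …` that this hunk moves to the last layer still fetches the IdP federation metadata unverified at image-build time, so the set of trusted IdPs is frozen at whatever the CLARIN server returned on build day and nothing in the Dockerfile checks a signature before the file lands in shibd's cache directory. Moving it later only keeps the earlier layers cacheable; it does not change that. If shibboleth2.xml already declares a `MetadataProvider` for this URL with a `MetadataFilter type="Signature"` (not visible in this diff) the baked copy is merely a bootstrap and that is fine; otherwise shibd should fetch and verify it at runtime. Either way, say which it is above the line: `# bootstrap copy only; shibd refreshes and signature-checks it via MetadataProvider at runtime`.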
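Review bot: Pinning `mail.smtp.ssl.protocols=TLSv1.2` does not make STARTTLS mandatory: `mail.smtp.starttls.enable=true` is opportunistic in JavaMail, so if the server on port 587 does not advertise STARTTLS (or a man-in-the-middle strips the capability) the `mail.server.password` credential is sent in cleartext. Add the required flag to the same property, `mail.extraproperties = mail.smtp.starttls.enable=true,mail.smtp.starttls.required=true,mail.smtp.ssl.protocols=TLSv1.2`. The new value already relies on DSpace splitting `mail.extraproperties` on commas, so adding a third entry costs nothing.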
diff --git a/dockerfiles/commul-customization/nginx.conf b/dockerfiles/commul-customization/nginx.conf
index f7d8c69263e368cf453d1a66ffe115429c990a84..affac0c069100ad41e1d1820ea4dfdc922727a45 100644
--- a/dockerfiles/commul-customization/nginx.conf
+++ b/dockerfiles/commul-customization/nginx.conf
@@ -65,5 +65,5 @@ http {
 text/xml text/x-component;
- include default-ssl;
+ include nginx.default.conf;
 }
diff --git a/dockerfiles/commul-customization/default-ssl b/dockerfiles/commul-customization/nginx.default.conf
similarity index 87%
rename from dockerfiles/commul-customization/default-ssl
rename to dockerfiles/commul-customization/nginx.default.conf
index cc58810b8116fc1198c43f25ff5a1da4d99551bb..c9210e7f4d341e67eae4dd2c6da45abf288a899b 100644
--- a/dockerfiles/commul-customization/default-ssl
+++ b/dockerfiles/commul-customization/nginx.default.conf
@@ -4,9 +4,11 @@ upstream tomcats {
 }
 server {
- listen 80;
- listen [::]:80;
- server_name clarin.eurac.edu;
+ listen 443;
+ listen [::]:443;
+ server_name clarin-dev.eurac.edu localhost;
+
+ root /opt/nginx/html;
 location /repository/oai {
@@ -22,29 +24,6 @@ server {
 }
- location / {
- return 301 https://$server_name$request_uri;
- }
-}
-
-server {
- listen 443;
- server_name clarin.eurac.edu localhost;
-
- root /opt/nginx/html;
- index index.html index.htm;
-
- ssl on;
- ssl_certificate /etc/ssl/clarin/clarin_eurac_edu.crt;
- ssl_certificate_key /etc/ssl/clarin/clarin.key;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
- keepalive_timeout 70;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
 add_header 'Access-Control-Allow-Origin' "*";
 add_header 'Access-Control-Allow-Credentials' 'true';
@@ -81,10 +60,6 @@ server {
 location / {
 index index.html index.htm;
-
- if ($HTTP_X_SCHEME = "http") {
- rewrite ^ https://$http_host$request_uri permanent;
- }
 }
 location /php/aa-statistics.php {
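Review bot: With the `ssl_*` block deleted, what remains on the new side of this hunk is `add_header 'Access-Control-Allow-Origin' "*"` next to `add_header 'Access-Control-Allow-Credentials' 'true'`; browsers reject credentialed responses whose allowed origin is the wildcard, so the pair is either dead configuration or, if someone later echoes the request origin to "make it work", a cross-site credential leak. Pick one intent and encode it: drop the `Access-Control-Allow-Credentials` line for an anonymous API, or replace `"*"` with an explicit allow-list. Note also that this deletion removes the only `ssl_protocols`/`ssl_ciphers` policy in the diff; the equivalent now has to be set on the ingress controller, which nothing here shows.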
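Review bot: Removing the `$HTTP_X_SCHEME` rewrite from `location /` deletes the last backend-side HTTPS enforcement: this server now listens on plain-HTTP 443 and every downstream assumption (Shibboleth redirects, `Secure` cookies, the check commented out in repository_auth) rests on the ingress always redirecting and always being the only client. If the ingress is meant to own the redirect, say so where the rewrite was, `# TLS terminates at the ingress; the http->https redirect lives in kubernetes/dspace-ingress.yaml`; if not, keep a proxy-aware check such as `if ($http_x_forwarded_proto = "http") { return 301 https://$http_host$request_uri; }`. Either way `X-Forwarded-*` should only be trusted from the ingress, which is a NetworkPolicy matter rather than nginx config.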
diff --git a/dockerfiles/commul-customization/repository_auth b/dockerfiles/commul-customization/repository_auth
index 5c4246b2c0cc9c3f768fc6cde348b38a6999bb70..f535eb091b4b29d285f5689aafaaca5d913ad509 100644
--- a/dockerfiles/commul-customization/repository_auth
+++ b/dockerfiles/commul-customization/repository_auth
@@ -19,9 +19,11 @@ more_clear_input_headers more_clear_input_headers 'affiliation' 'assurance' 'cn' 'eduPersonOrgUnitDN' 'eduPersonStudyiProgramme' 'eduPersonStudySubject' 'entitlement' 'eppn' 'givenName' 'mail' 'o' 'ou' 'persistent-id' 'sn' 'telephoneNumber' 'unscoped-affiliation';
 # Require https and will redirect
-if ($https != "on") {
- return 301 https://$http_host$request_uri;
-}
+#if ($https != "on") {
+# return 301 https://$http_host$request_uri;
+#}
+# FIXME: reverse proxy-ing -> check connection params to revproxy and enforce
+# http->https i if *there* is no https.
 shib_request /shibauthorizer;
 shib_request_use_headers on;
diff --git a/dockerfiles/commul-customization/robots-clarin.txt b/dockerfiles/commul-customization/robots-clarin.txt
index d45d6e8e692245ee287be4af2c1cc46cfc438317..f4fe4fd3174b0028eb357ec186b4c90f97a17e5e 100644
--- a/dockerfiles/commul-customization/robots-clarin.txt
+++ b/dockerfiles/commul-customization/robots-clarin.txt
@@ -16,6 +16,8 @@ Disallow: /repository/xmlui/forgot
 Disallow: /repository/xmlui/login
 Disallow: /repository/xmlui/register
 Disallow: /repository/xmlui/search-filter
+Disallow: /repository/*allzip$
+Disallow: /repository/oai/requeststripped
 Disallow: /Shibboleth.sso
 #
 # Optionally uncomment the following line ONLY if sitemaps are working
diff --git a/dockerfiles/commul-customization/shibboleth2.xml b/dockerfiles/commul-customization/shibboleth2.xml
index d97f3191f5bdf5167a1ee87678e2aebe10c30b67..bfb95df294812013fc682b907c7b90fecb0ce3ff 100644
--- a/dockerfiles/commul-customization/shibboleth2.xml
+++ b/dockerfiles/commul-customization/shibboleth2.xml
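Review bot: The commented-out `$https` check cannot simply be re-enabled later, because with TLS terminated at the ingress `$https` is never `on` inside this pod, so the FIXME should be resolved now instead of shipping a dead block under a comment that still says "Require https". The proxy-aware form is `if ($http_x_forwarded_proto != "https") { return 301 https://$http_host$request_uri; }` (ingress-nginx sets that header; confirm for the controller actually in use), which keeps the Shibboleth-protected `/repository/…` paths from being served over plain HTTP to any in-cluster client that hits the nginx Service directly. While editing, fix the new comment's typo `http->https i if` → `http->https if`.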
@@ -23,11 +23,11 @@ -->
 <RequestMapper type="XML">
 <RequestMap>
- <Host name="clarin.eurac.edu"
- authType="shibboleth"
- requireSession="true"
- exportAssertion="true"
- redirectToSSL="443">
+ <Host name="clarin-dev.eurac.edu"
+ authType="shibboleth"
+ requireSession="true"
+ exportAssertion="true"
+ redirectToSSL="443">
 <Path name="/secure" />
 </Host>
@@ -35,10 +35,10 @@ </RequestMapper>
 <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
- <ApplicationDefaults entityID="https://clarin.eurac.edu/Shibboleth.sso/Metadata"
- REMOTE_USER="eppn persistent-id targeted-id"
- sessionHook="/php/aa-statistics.php"
- cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
+ <ApplicationDefaults entityID="https://clarin-dev.eurac.edu/Shibboleth.sso/Metadata"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ sessionHook="/php/aa-statistics.php"
+ cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
 <!-- Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
@@ -50,13 +50,13 @@ security of your site. Stealing sessions via cookie theft is much easier with this disabled. -->
 <Sessions lifetime="28800"
- timeout="3600"
- relayState="ss:mem"
- checkAddress="false"
- handlerSSL="true"
- cookieProps="https"
- exportLocation="/GetAssertion"
- exportACL="127.0.0.1">
+ timeout="3600"
+ relayState="ss:mem"
+ checkAddress="false"
+ handlerSSL="false"
+ cookieProps="https"
+ exportLocation="/GetAssertion"
+ exportACL="127.0.0.1">
 <!-- Configures SSO for a default IdP. To allow for >1 IdP, remove
@@ -65,8 +65,8 @@ You can also override entityID on /Login query string, or in RequestMap/htaccess. -->
 <SSO
- discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
- SAML2 SAML1
+ discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
+ SAML2 SAML1
 </SSO>
 <!-- <SSO entityID="https://idp.eurac.edu/idp/shibboleth">
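Review bot: `handlerSSL="false"` lets the SP serve its handlers (`/Shibboleth.sso/SAML2/POST`, `/Login`, …) over plain HTTP, which this deployment needs because the SP now sits behind a TLS-terminating ingress, but the SP still has to know the external scheme to emit correct ACS/handler URLs and to stop the `redirectToSSL="443"` kept on the `<Host>` in the earlier hunk from looping when it sees an http request on port 443. The ingress comment relies on the port number alone to make the SP assume https; the RequestMap can state it explicitly instead, `<Host name="clarin-dev.eurac.edu" scheme="https" port="443" …>` — confirm those attributes against the SP version in the image. Keeping `cookieProps="https"` is right, since the session cookie must stay `Secure` even though the pod never sees TLS; add a one-line comment above `handlerSSL`, `<!-- TLS is terminated at the ingress; handlers are reached over plain HTTP inside the cluster -->`, so the next reader does not "fix" it back to true.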
diff --git a/kubernetes/dspace-deployment.yaml b/kubernetes/dspace-deployment.yaml
index 79b7ddbb746d88e60d5c83158fb8b5767f3f740e..c1c750aa9ea1c50256eb5f2a816f26b7bb463157 100644
--- a/kubernetes/dspace-deployment.yaml
+++ b/kubernetes/dspace-deployment.yaml
@@ -18,6 +18,12 @@ spec:
 labels:
 io.kompose.service: dspace
 spec:
+ initContainers:
+ - image: postgres
+ name: clarin-dspace-check-db-ready
+ command: ['sh', '-c',
+ 'until pg_isready -h postgres -p 5432;
+ do echo waiting for database; sleep 2; done;']
 containers:
 - env:
 - name: DSPACE_USER
@@ -50,7 +56,7 @@ spec:
 secretKeyRef:
 key: mail.pass
 name: dspace-secrets
- image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/dspace:1.3.3
+ image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/dspace:1.3.4-RC6
 name: clarin-dspace
 imagePullPolicy: Always
 ports:
@@ -63,12 +69,12 @@ spec:
 - mountPath: /opt/lindat-dspace/installation/assetstore
 name: dspace-assetstore
 livenessProbe:
- httpGet:
- host: clarin.eurac.edu
- path: /repository/xmlui/
- port: 443
- scheme: HTTPS
- initialDelaySeconds: 600
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - reply=$(curl -s -o /dev/null -w %{http_code} https://clarin-dev.eurac.edu/repository/xmlui/); if [ "$reply" -lt 200 -o "$reply" -ge 400 ]; then exit 1; fi; ps aux | grep -v grep | grep -E "sleep|timeout" && exit 0 || exit 1;
+ initialDelaySeconds: 900
 periodSeconds: 15
 timeoutSeconds: 3
 restartPolicy: Always
diff --git a/kubernetes/dspace-ingress.yaml b/kubernetes/dspace-ingress.yaml
index a56804cdb171ceaa205f4c98df7d4b70ac1a2358..70a9c20765d23e569d0590ef233c77dc4ad83a2a 100644
--- a/kubernetes/dspace-ingress.yaml
+++ b/kubernetes/dspace-ingress.yaml
@@ -17,7 +17,7 @@ metadata:
 if ($rewrite_https = 1) {
 return 301 https://$server_name$request_uri;
 }
- ingress.kubernetes.io/secure-backends: "true"
+ kubernetes.io/tls-acme: "true"
 name: dspace-ingress
 namespace: dspace
 spec:
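Review bot: The new init container uses the bare `image: postgres`, a mutable Docker Hub `latest` tag in a deployment whose other images are pinned to the project registry; with no tag the default pull policy is `Always`, so every pod restart may execute a different, unreviewed image with a cluster-internal view of the database service. Pin it, preferably to the project's own image which already ships `pg_isready`, `image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/postgres:1.3.4-RC6` (or a digest), and consider passing `-U` with the DSpace user so the check also covers authentication, not just TCP. The `until` loop has no bound, so a mistyped `postgres` Service name leaves the pod in Init forever; that may be intended but deserves a comment.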
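Review bot: The exec liveness probe now depends on the public ingress, external DNS and the ACME certificate for `https://clarin-dev.eurac.edu/`, so an ingress outage or an expired certificate restarts the application pod every 15 s instead of surfacing where the fault is, and `curl` without `--max-time` can outrun `timeoutSeconds: 3`. If the probe is to stay external, use `curl -sf --max-time 2 -o /dev/null -w %{http_code} …` and guard against an empty `$reply` (a missing `curl` or a connection failure makes `[ "" -lt 200 ]` error out and the pod restart); probing the Tomcat port inside the pod is the usual choice. The trailing `ps aux | grep -v grep | grep -E "sleep|timeout"` passes whenever any process command line contains either word, so it does not really detect the cron job it seems intended for; state in a comment which process it is meant to find, or match its exact command.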
@@ -26,10 +26,19 @@ spec:
 http:
 paths:
 - backend:
+ # we are deliberately misusing port:443 *without* SSL, i.e. *NO*
+ # ingress.kubernetes.io/secure-backends: "true"
+ # This will result in https:// redirectes generated from shibboleth
+ # later on (without the need to change http:// to https://)
+ # see https://github.com/nginx-shib/nginx-http-shibboleth/issues/22
+ #
+ # For a general overview for SP reverse proxy-ing
+ # see https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy
+ #
 serviceName: nginx
 servicePort: 443
 path: /
 tls:
 - hosts:
- - clarin.eurac.edu
- secretName: host-tls-cert
+ - clarin-dev.eurac.edu
+ secretName: clarin-dev-eurac-edu-tls
diff --git a/kubernetes/nginx-deployment.yaml b/kubernetes/nginx-deployment.yaml
index fcc7be728a5579d8f5867940366169495c5b527e..2c731b9ffb4457e0ebe48c7c3384d100ea00b4e6 100644
--- a/kubernetes/nginx-deployment.yaml
+++ b/kubernetes/nginx-deployment.yaml
@@ -20,18 +20,18 @@ spec:
 io.kompose.service: nginx
 spec:
 containers:
- - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/nginx:1.3.3
+ - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/nginx:1.3.4-RC6
 imagePullPolicy: Always
 name: clarin-nginx
 ports:
- - containerPort: 80
 - containerPort: 443
 resources: {}
 volumeMounts:
 - mountPath: /opt/shibboleth-sp-fastcgi/etc/shibboleth/certs
 name: nginx-shib-certs
- - mountPath: /etc/ssl/clarin
+ - mountPath: /etc/ssl/nginx
 name: nginx-ssl-certs
+ readOnly: true
 livenessProbe:
 httpGet:
 host: clarin.eurac.edu
@@ -44,6 +44,7 @@ spec:
 imagePullSecrets:
 - name: gitlab-scientificnet-org-registry
 volumes:
+<<<<<<< HEAD
 - cephfs:
 monitors:
 - 10.8.55.201:6789
@@ -56,6 +57,11 @@ spec:
 name: client.fs.commul.admin
 user: fs.commul.admin
 name: nginx-ssl-certs
+=======
+ - name: nginx-ssl-certs
+ secret:
+ secretName: clarin-dev-eurac-edu-tls
+>>>>>>> stable
 - cephfs:
 monitors:
 - 10.8.55.201:6789
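Review bot: The new comment documents that the backend behind `servicePort: 443` speaks plain HTTP, but nothing in the diff limits who may talk to it: the `nginx` Service is reachable from any pod in the cluster, and on that path SAML assertions, the Shibboleth session cookie and DSpace logins cross the network unencrypted with no https redirect in front of them. Add a NetworkPolicy that admits traffic to the nginx pods only from the ingress-controller namespace (plus the node CIDR if the probes need it), and record that dependency here, `# plain HTTP inside the cluster: access to the nginx Service is restricted by NetworkPolicy`. The comment also has a typo, `redirectes` → `redirects`.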
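Review bot: The nginx container keeps mounting the TLS secret (`nginx-ssl-certs` at `/etc/ssl/nginx`, now `readOnly: true`) although the new `nginx.default.conf` in this diff has no `ssl_certificate` directive, so the site's private key is exposed to a pod that no longer terminates TLS. Unless something else in the image reads `/etc/ssl/nginx` (not visible here), remove this `volumeMounts` entry together with its volume; if it is kept for a possible switch back, mark it `# unused: TLS is terminated at the ingress` so nobody treats the key as in use. `readOnly: true` is the right direction in either case.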
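Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD` in the previous hunk, `=======` and `>>>>>>> stable` here), so `nginx-deployment.yaml` is no longer valid YAML and `kubectl apply` will reject the whole manifest; once the markers are stripped the file still declares two volumes named `nginx-ssl-certs`, which the API server refuses as well. Resolve it to a single definition: since `secretName: clarin-dev-eurac-edu-tls` is what the ingress hunk introduces, keep the `secret:` volume, delete the cephfs `nginx-ssl-certs` volume and the three marker lines. The trailing `- cephfs:` block is cut off at the hunk end, so check that it is a different volume and not a third copy.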
diff --git a/kubernetes/nginx-service.yaml b/kubernetes/nginx-service.yaml
index 99b3bf8585a3e9c58c787878cf8a3fa9e1e4c5db..6cd9f0463d35fd4ffb64df1ff06db18b6cfc3710 100644
--- a/kubernetes/nginx-service.yaml
+++ b/kubernetes/nginx-service.yaml
@@ -11,9 +11,6 @@ metadata:
 namespace: dspace
 spec:
 ports:
- - name: "80"
- port: 80
- targetPort: 80
 - name: "443"
 port: 443
 targetPort: 443
diff --git a/kubernetes/postgres-deployment.yaml b/kubernetes/postgres-deployment.yaml
index 472a7d7aefb03893c9bbabb870838298c4cc9b00..ff06336dc4d2af13a62196aa5ef236dedfef8c8e 100644
--- a/kubernetes/postgres-deployment.yaml
+++ b/kubernetes/postgres-deployment.yaml
@@ -48,7 +48,7 @@ spec:
 secretKeyRef:
 key: dspace.utils.name
 name: dspace-secrets
- image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/postgres:1.3.3
+ image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/postgres:1.3.4-RC6
 imagePullPolicy: Always
 name: clarin-postgres
 resources: {}