Merge pull request #472 from CodeNow/SAN-4260-remove-hipache

add https to navi, remove userland hipache

Author: anandkumarpatel

ansible/group_vars/all.yml

@@ -126,7 +126,8 @@ mongo_hosts: "{% for host in groups['mongodb'] %}{{ hostvars[host]['ansible_defa
 
 # navi
 navi_host_address: "{{ hostvars[groups['navi'][0]]['ansible_default_ipv4']['address'] }}"
-navi_port: 3567
+navi_http_port: 3567
+navi_https_port: 443
 navi_rollbar_token: 719269e87b9b42848472542a8b2059ae
 
 # neo4j

ansible/group_vars/alpha-api-base.yml

@@ -32,7 +32,7 @@ api_base_container_envs: >-
   -e MONGO_KEY=/opt/ssl/mongodb-client/key.pem
   -e MONGO_REPLSET_NAME={{ api_mongo_replset_name }}
   -e MONGO=mongodb://{{ api_mongo_auth }}@{{ mongo_hosts }}/{{ api_mongo_database }}
-  -e NAVI_HOST=http://{{ navi_host_address }}:{{ navi_port }}
+  -e NAVI_HOST=http://{{ navi_host_address }}:{{ navi_http_port }}
   -e NEO4J={{ api_neo4j_protocol }}{{ api_neo4j_auth }}@{{ neo4j_host_address }}:{{ api_neo4j_port }}
   {% if api_new_relic_app_name is defined %} -e NEW_RELIC_APP_NAME={{ api_new_relic_app_name }} {% endif %}
   {% if api_new_relic_app_name is defined %} -e NEW_RELIC_LICENSE_KEY={{ new_relic_license_key }} {% endif %}

ansible/group_vars/alpha-navi.yml

@@ -3,13 +3,16 @@ name: navi
 container_image: registry.runnable.com/runnable/{{ name }}
 container_tag: "{{ git_branch }}"
 repo: git@github.com:CodeNow/{{ name }}.git
-hosted_ports: [ "{{ navi_port }}" ]
+hosted_ports: [ "{{ navi_http_port }}", "{{ navi_https_port }}" ]
 node_version: "4.2.4"
 npm_version: "2.8.3"
 
 redis_ca_cert_path: /opt/ssl/{{ name }}/redis/ca.pem
+content_domain_certs: /opt/ssl/{{ user_content_domain }}
+
 container_envs: >
   -e API_URL={{ api_url }}
+  -e CERT_PATH={{ content_domain_certs }}
   -e COOKIE_DOMAIN=.{{ user_content_domain }}
   -e COOKIE_SECRET={{ navi_cookie_secret }}
   -e DATADOG_HOST={{ datadog_host_address }}
@@ -18,12 +21,9 @@ container_envs: >
   -e ENABLE_LRU_CACHE=1
   -e ERROR_URL=http://{{ detention_host_address }}:{{ detention_port }}
   -e HTTP_PORT={{ hosted_ports[0] }}
+  -e HTTPS_PORT={{ hosted_ports[1] }}
   -e LOG_LEVEL_STDOUT=trace
   -e MONGO=mongodb://{{ navi_mongo_host_address }}:{{ navi_mongo_port }}/{{ navi_mongo_database }}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_APP_NAME={{ navi_new_relic_app_name }} {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LICENSE_KEY={{ new_relic_license_key }} {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LOG_LEVEL=fatal {% endif %}
-  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_NO_CONFIG_FILE=true {% endif %}
   -e NODE_ENV={{ node_env }}
   -e RABBITMQ_HOSTNAME={{ rabbit_host_address }}
   -e RABBITMQ_PASSWORD={{ rabbit_password }}
@@ -32,12 +32,18 @@ container_envs: >
   -e REDIS_CACERT={{ redis_ca_cert_path }}
   -e REDIS_IPADDRESS={{ redis_host_address }}
   -e REDIS_PORT={{ redis_tls_port }}
-  {% if navi_intercom_app_id is defined %} -e INTERCOM_APP_ID={{ navi_intercom_app_id }} {% endif %}
   {% if navi_intercom_api_key is defined %} -e INTERCOM_API_KEY={{ navi_intercom_api_key }} {% endif %}
+  {% if navi_intercom_app_id is defined %} -e INTERCOM_APP_ID={{ navi_intercom_app_id }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_APP_NAME={{ navi_new_relic_app_name }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LICENSE_KEY={{ new_relic_license_key }} {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_LOG_LEVEL=fatal {% endif %}
+  {% if navi_new_relic_app_name is defined %} -e NEW_RELIC_NO_CONFIG_FILE=true {% endif %}
 
 container_run_opts: >
   -h {{ name }}
   -d
   -p {{ hosted_ports[0] }}:{{ hosted_ports[0] }}
+  -p {{ hosted_ports[1] }}:{{ hosted_ports[1] }}
   -v {{ redis_ca_cert_path }}:{{ redis_ca_cert_path }}
+  -v {{ content_domain_certs }}:{{ content_domain_certs }}
   {{ container_envs }}

ansible/group_vars/ec2_sg.yml

@@ -17,7 +17,8 @@ https_port: 443
 ip_all: "0.0.0.0/0"
 krain_port: 3100
 named_port: 53
-navi_port: 3567
+navi_http_port: 3567
+navi_https_port: 443
 neo4j_port: 7473
 neo4j_tls_port: 7474
 redis_port: 6379

ansible/navi.yml

@@ -13,5 +13,6 @@
     rollbar_token: "{{ navi_rollbar_token }}"
     tags: [ notify ]
   - { role: builder, tags: [ build ] }
+  - { role: content-domain-certs }
   - { role: tls-server-ca, ca_dest: "{{ redis_ca_cert_path }}" }
   - { role: container_kill_start }

ansible/roles/content-domain-certs/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: make sure cert directory is in place
+  tags: [ certs ]
+  become: true
+  file:
+    dest: /opt/ssl/{{ user_content_domain }}
+    state: directory
+
+- name: put certs in place
+  tags: [ certs ]
+  become: true
+  copy:
+    src: "{{ user_content_domain }}/{{ item }}"
+    dest: /opt/ssl/{{ user_content_domain }}/{{ item }}
+    mode: 0400
+    owner: root
+    group: root
+  with_items:
+  - ca.pem
+  - key.pem
+  - cert.pem

ansible/roles/ec2/sg_configure/tasks/main.yml

@@ -222,8 +222,12 @@
         to_port: "{{ sshd_port }}"
         group_id: "{{ sg_bastion }}"
       - proto: tcp
-        from_port: "{{ navi_port }}"
-        to_port: "{{ navi_port }}"
+        from_port: "{{ navi_http_port }}"
+        to_port: "{{ navi_http_port }}"
+        group_id: "{{ sg_hipache }}"
+      - proto: tcp
+        from_port: "{{ navi_https_port }}"
+        to_port: "{{ navi_https_port }}"
         group_id: "{{ sg_hipache }}"
 
 - name: Neo4J SG