diff --git a/apache-mod-mellon/templates/apache-config-httpd.yaml b/apache-mod-mellon/templates/apache-config-httpd.yaml new file mode 100644 index 0000000..9362134 --- /dev/null +++ b/apache-mod-mellon/templates/apache-config-httpd.yaml 
@@ -0,0 +1,255 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + labels: + {{- include "apache-mod-mellon.labels" . | nindent 4 }}-apache + name: {{ include "apache-mod-mellon.fullname" . }}-httpd +data: + httpd.conf: | + ServerRoot "/usr/local/apache2" + Listen 80 + + # + # Dynamic Shared Object (DSO) Support + # + # To be able to use the functionality of a module which was built as a DSO you + # have to place corresponding `LoadModule' lines at this location so the + # directives contained in it are actually available _before_ they are used. + # Statically compiled modules (those listed by `httpd -l') do not need + # to be loaded here. + # + # Example: + # LoadModule foo_module modules/mod_foo.so + LoadModule auth_mellon_module modules/mod_auth_mellon.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + LoadModule dir_module modules/mod_dir.so + + + # + # If you wish httpd to run as a different user or group, you must run + # httpd as root initially and it will switch. + # + # User/Group: The name (or #number) of the user/group to run httpd as. + # It is usually good practice to create a dedicated user and group for + # running httpd, as with most system services. + # + User www-data + Group www-data + + + + # 'Main' server configuration + # + # The directives in this section set up the values used by the 'main' + # server, which responds to any requests that aren't handled by a + # definition. These values also provide defaults for + # any containers you may define later in the file. 
+ # + # All of these directives may appear inside containers, + # in which case these default settings will be overridden for the + # virtual host being defined. + # + + # + # ServerAdmin: Your address, where problems with the server should be + # e-mailed. This address appears on some server-generated pages, such + # as error documents. e.g. admin@your-domain.com + # + ServerAdmin you@example.com + + # + # ServerName gives the name and port that the server uses to identify itself. + # This can often be determined automatically, but we recommend you specify + # it explicitly to prevent problems during startup. + # + # If your host doesn't have a registered DNS name, enter its IP address here. + # + #ServerName www.example.com:80 + + # + # Deny access to the entirety of your server's filesystem. You must + # explicitly permit access to web content directories in other + # blocks below. + # + + AllowOverride none + Require all denied + + + # + # Note that from this point forward you must specifically allow + # particular features to be enabled - so if something's not working as + # you might expect, make sure that you have specifically enabled it + # below. + # + + # + # DocumentRoot: The directory out of which you will serve your + # documents. By default, all requests are taken from this directory, but + # symbolic links and aliases may be used to point to other locations. + # + DocumentRoot "/usr/local/apache2/htdocs" + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. 
+ # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + + # + # DirectoryIndex: sets the file that Apache will serve if a directory + # is requested. + # + + DirectoryIndex index.html + + + # + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + # + + Require all denied + + + # + # ErrorLog: The location of the error log file. + # If you do not specify an ErrorLog directive within a + # container, error messages relating to that virtual host will be + # logged here. If you *do* define an error logfile for a + # container, that host's errors will be logged there and not here. + # + ErrorLog /proc/self/fd/2 + + # + # LogLevel: Control the number of messages logged to the error_log. + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. 
+ # + LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + CustomLog /proc/self/fd/1 common + + + + Options -Indexes + + MellonEnable "info" + MellonSecureCookie On + MellonUser eppn + MellonMergeEnvVars On + MellonSubjectConfirmationDataAddressCheck Off + MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key + MellonSPCertFile /etc/mod-mellon-config/mellon.cert + MellonSPentityId {{ .Values.mellon_config.entity_id }} + MellonOrganizationName "{{ .Values.mellon_config.organization_url }}" + MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}" + MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml + MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}" + MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem + MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem + MellonProbeDiscoveryTimeout 1 + MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}" + MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}" + MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}" + MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}" + MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}" + MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}" + + MellonEndpointPath /mellon + + # it is this proxy's responsability to make sure the value of these headers are legit + # See a list of headers used by geOrchestra here: + # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67 + RequestHeader unset sec-georchestra-preauthenticated + RequestHeader unset sec-mellon-name-id + RequestHeader unset sec-username + RequestHeader unset sec-name + 
RequestHeader unset sec-givenname + RequestHeader unset sec-email + RequestHeader unset sec-org + RequestHeader unset sec-proxy + RequestHeader unset sec-user + RequestHeader unset sec-organization + RequestHeader unset sec-userid + RequestHeader unset sec-lastupdated + RequestHeader unset sec-roles + RequestHeader unset sec-firstname + RequestHeader unset sec-lastname + RequestHeader unset sec-tel + RequestHeader unset sec-orgid + RequestHeader unset sec-orgname + RequestHeader unset sec-org-lastupdated + RequestHeader unset imp-roles + RequestHeader unset imp-username + + {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')" + {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')" + {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')" + {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')" + {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')" + {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')" + {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')" + + {{- if .Values.georchestra_proxypass_endpoint -}} + ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}" + ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}" + ProxyPreserveHost On + {{- end }} + + RewriteEngine on + RewriteCond %{QUERY_STRING} ^$ + RewriteCond %{REQUEST_METHOD} =GET + RewriteCond %{REQUEST_URI} ^/login$ + RewriteRule /login /login/mellon [R,L] + RewriteCond %{ENV:MELLON_NAME_ID} !^$ + RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname 
}} + + + + + AuthType Mellon + MellonEnable auth + Require valid-user + RewriteEngine on + RewriteRule (.*) / [R] + \ No newline at end of file diff --git a/apache-mod-mellon/templates/apache-config-virtualhost.yaml b/apache-mod-mellon/templates/apache-config-virtualhost.yaml deleted file mode 100644 index 5d14f5a..0000000 --- a/apache-mod-mellon/templates/apache-config-virtualhost.yaml +++ /dev/null 
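Review bot: The `RequestHeader unset` run in the new httpd.conf strips the `sec-*` and `imp-*` headers but not `preauth-username`, `preauth-email`, `preauth-org`, `preauth-firstname` or `preauth-lastname`, which the conditional `set` lines right below it only write when the matching `MELLON_*` variable is non-empty, so a client-supplied `preauth-*` header reaches the upstream unchanged whenever there is no Mellon session, at odds with the comment that this proxy must ensure these header values are legitimate; assuming `apache_auth_headers_type` renders to `RequestHeader` and the upstream honours `preauth-*`, add unset lines for them ahead of the sets, as below. Separately, this file now replaces the image's whole `httpd.conf`, yet it uses `RewriteEngine`, `ProxyPass`/`ProxyPassReverse`, `AuthType` and `Require` while its `LoadModule` list contains no `rewrite_module`, `proxy_module`/`proxy_http_module`, `authn_core_module`/`authz_core_module` or MPM entry; unless those are compiled in statically in the image, httpd will reject the configuration at startup, so the list should be checked against `httpd -l` for the image in use. The `<Directory>`/`<Location>` containers enclosing these directives do not appear in this rendering of the hunk, so their scope could not be reviewed.
```yaml
      # … unchanged: RequestHeader unset sec-* / imp-* lines …
      RequestHeader unset imp-username
      # also drop client-supplied preauth-* headers: the conditional set lines below
      # leave them untouched when the corresponding MELLON_* variable is absent
      RequestHeader unset preauth-username
      RequestHeader unset preauth-email
      RequestHeader unset preauth-org
      RequestHeader unset preauth-firstname
      RequestHeader unset preauth-lastname
      # … unchanged: {{ .Values.apache_auth_headers_type }} set … lines …
```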
@@ -1,104 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - annotations: - labels: - {{- include "apache-mod-mellon.labels" . | nindent 4 }}-apache - name: {{ include "apache-mod-mellon.fullname" . }}-virtualhost -data: - 000-default.conf: | - - ServerName {{ .Values.hostname }} - UseCanonicalName On - ProxyTimeout 300 - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - - ErrorLog /dev/stderr - CustomLog /dev/stdout combined - - - Options -Indexes - - MellonEnable "info" - MellonSecureCookie On - MellonUser eppn - MellonMergeEnvVars On - MellonSubjectConfirmationDataAddressCheck Off - MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key - MellonSPCertFile /etc/mod-mellon-config/mellon.cert - MellonSPentityId {{ .Values.mellon_config.entity_id }} - MellonOrganizationName "{{ .Values.mellon_config.organization_url }}" - MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}" - MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml - MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}" - MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem - MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem - MellonProbeDiscoveryTimeout 1 - MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}" - MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}" - MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}" - MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}" - MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}" - MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}" - - MellonEndpointPath /mellon - - # it is this proxy's responsability to make sure the value of these headers are legit - # See a list of headers used by geOrchestra here: - # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67 - RequestHeader unset sec-georchestra-preauthenticated - RequestHeader 
unset sec-mellon-name-id - RequestHeader unset sec-username - RequestHeader unset sec-name - RequestHeader unset sec-givenname - RequestHeader unset sec-email - RequestHeader unset sec-org - RequestHeader unset sec-proxy - RequestHeader unset sec-user - RequestHeader unset sec-organization - RequestHeader unset sec-userid - RequestHeader unset sec-lastupdated - RequestHeader unset sec-roles - RequestHeader unset sec-firstname - RequestHeader unset sec-lastname - RequestHeader unset sec-tel - RequestHeader unset sec-orgid - RequestHeader unset sec-orgname - RequestHeader unset sec-org-lastupdated - RequestHeader unset imp-roles - RequestHeader unset imp-username - - {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')" - {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')" - {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')" - {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')" - {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')" - {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')" - {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')" - - {{- if .Values.georchestra_proxypass_endpoint -}} - ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}" - ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}" - ProxyPreserveHost On - {{- end }} - - RewriteEngine on - RewriteCond %{QUERY_STRING} ^$ - RewriteCond %{REQUEST_METHOD} =GET - RewriteCond %{REQUEST_URI} ^/login$ - RewriteRule /login /login/mellon [R,L] - RewriteCond 
%{ENV:MELLON_NAME_ID} !^$ - RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }} - - - - - AuthType Mellon - MellonEnable auth - Require valid-user - RewriteEngine on - RewriteRule (.*) / [R] - - - \ No newline at end of file diff --git a/apache-mod-mellon/templates/apache-depl.yaml b/apache-mod-mellon/templates/apache-depl.yaml index 25825d3..213da86 100644 --- a/apache-mod-mellon/templates/apache-depl.yaml +++ b/apache-mod-mellon/templates/apache-depl.yaml @@ -33,16 +33,16 @@ spec: periodSeconds: 10 timeoutSeconds: 5 volumeMounts: - - name: virtualhost-config - mountPath: /usr/local/apache2/conf/extra/000-default.conf - subPath: 000-default.conf + - name: httpd-config + mountPath: /usr/local/apache2/conf/httpd.conf + subPath: httpd.conf - name: mod-mellon-config mountPath: /etc/mod-mellon-config volumes: - name: mod-mellon-config secret: secretName: {{ include "apache-mod-mellon.fullname" . }}-mod-mellon - - name: virtualhost-config + - name: httpd-config configMap: - name: {{ include "apache-mod-mellon.fullname" . }}-virtualhost + name: {{ include "apache-mod-mellon.fullname" . }}-httpd