Simplify Docker SSL handling (#2227)

CDash currently requires SSL/TLS by default when using our production
image. While useful for Docker Compose-based systems, this is a major
pain point for k8s systems which handle TLS termination at ingress. See
#2179, for example. This PR aims
to ease these pains by conditionally enabling SSL/TLS if certificates
are provided, in preparation for upcoming work to better support
k8s-based deployments.

Fixes #2179.

---------

Co-authored-by: Zack Galbreath <zack.galbreath@kitware.com>

Dockerfile

@@ -97,7 +97,6 @@ RUN mkdir -p /var/www/.npm && \
 
 # Copy Apache site-available config files into the image.
 COPY ./docker/cdash-site.conf /etc/apache2/sites-available/cdash-site.conf
-COPY ./docker/cdash-site-ssl.conf /etc/apache2/sites-available/cdash-site-ssl.conf
 
 # Change apache config to listen on port 8080 instead of port 80
 RUN sed -i 's/Listen 80/Listen 8080/g' /etc/apache2/ports.conf
@@ -111,8 +110,7 @@ RUN a2dissite 000-default && \
 # Enable https site if we're not doing a development build.
 RUN if [ "$DEVELOPMENT_BUILD" != '1' ]; then \
  a2enmod ssl && \
- a2enmod socache_shmcb && \
- a2ensite cdash-site-ssl; \
+ a2enmod socache_shmcb; \
 fi
 
 # Assign www-data ownership of apache2 configuration files
@@ -316,6 +314,7 @@ ENTRYPOINT ["/bin/bash", "/cdash/docker/docker-entrypoint.sh"]
 ###############################################################################
 
 FROM cdash-non-root-intermediate AS cdash
+HEALTHCHECK --interval=5s --timeout=1s CMD ["/bin/bash", "/cdash/docker/healthcheck.sh"]
 CMD ["start-website"]
 
 ###############################################################################

docker/cdash-site.conf

@@ -1,10 +1,28 @@
-<VirtualHost *:8080>
- <Directory "/cdash/public">
- AllowOverride All
- Require all granted
- </Directory>
- DocumentRoot "/cdash/public"
- ServerName localhost
- ErrorLog "/var/log/apache2/error.log"
- CustomLog "/var/log/apache2/access.log" common
-</VirtualHost>
+<IfFile "/var/www/cdash.pem">
+ <VirtualHost *:8080>
+ DocumentRoot "/cdash/public"
+ ServerName localhost
+ ErrorLog "/var/log/apache2/error.log"
+ CustomLog "/var/log/apache2/access.log" combined
+ SSLEngine on
+ SSLCertificateFile /var/www/cdash.pem
+ SSLCertificateKeyFile /var/www/cdash.key
+ <Directory "/cdash/public">
+ AllowOverride All
+ Require all granted
+ </Directory>
+ </VirtualHost>
+</IfFile>
+<IfFile !"/var/www/cdash.pem">
+ <VirtualHost *:8080>
+ <Directory "/cdash/public">
+ AllowOverride All
+ Require all granted
+ </Directory>
+ DocumentRoot "/cdash/public"
+ ServerName localhost
+ ErrorLog "/var/log/apache2/error.log"
+ CustomLog "/var/log/apache2/access.log" common
+ </VirtualHost>
+</IfFile>
+

docker/docker-compose.production.yml

@@ -3,10 +3,10 @@ services:
  env_file:
  - ../.env
  ports:
- - 443:443
+ - 443:8080
  volumes:
- - "${SSL_CERTIFICATE_FILE}:/var/www/my-cert.pem"
- - "${SSL_CERTIFICATE_KEY_FILE}:/var/www/my-cert.key"
+ - "${SSL_CERTIFICATE_FILE}:/var/www/cdash.pem"
+ - "${SSL_CERTIFICATE_KEY_FILE}:/var/www/cdash.key"
  worker:
  env_file:
  - ../.env

docker/docker-compose.yml

@@ -11,11 +11,6 @@ services:
  BASE_IMAGE: ${BASE_IMAGE-debian}
  environment:
  DB_HOST: database
- healthcheck:
- test: curl -s -o /dev/null -w "%{http_code}" http://cdash:8080/ping | grep 200 > /dev/null
- interval: 5s
- timeout: 10s
- retries: 20
  depends_on:
  database:
  condition: service_healthy

docker/healthcheck.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+# Ping both the http and https routes, and fail if neither of them is successful
+curl -s -o /dev/null -w "%{http_code}" http://cdash:8080/ping | grep 200 > /dev/null || \
+curl -s -o /dev/null -w "%{http_code}" https://cdash:8080/ping | grep 200 > /dev/null || exit 1

docs/docker.md

@@ -67,8 +67,8 @@ To set up a CDash production instance using docker compose, follow these steps:
 * `cp .env.example .env`
 * Edit `.env` and modify the following lines:
  - `APP_URL=https://<my-cdash-url>`
- - `SSL_CERTIFICATE_FILE=</path/to/certs/my-cert.pem>`
- - `SSL_CERTIFICATE_KEY_FILE=</path/to/certs/my-cert.key>`
+ - `SSL_CERTIFICATE_FILE=</path/to/certs/cdash.pem>`
+ - `SSL_CERTIFICATE_KEY_FILE=</path/to/certs/cdash.key>`
  - `NUM_WORKERS=<desired number of queue worker replicas, defaults to 1>`
 * For postgres only, edit `docker/docker-compose.postgres.yml` and uncomment the `worker` section.
 * Run this command to start your CDash containers: