@bluedynamics/cdk8s-plone 0.1.10 → 0.1.12

package/examples/production-volto/cdk8s.yaml

@@ -0,0 +1,6 @@
+language: typescript
+app: npx ts-node main.ts
+imports:
+  - k8s
+  - https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.24/config/crd/bases/postgresql.cnpg.io_clusters.yaml
+  - https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

package/examples/production-volto/config/varnish.tpl.vcl

@@ -0,0 +1,297 @@
+vcl 4.0;
+
+import std;
+import directors;
+
+probe ploneBackendProbe {
+    .url = "/ok";
+    .timeout = 5s;
+    .interval = 15s;
+    .window = 10;
+    .threshold = 8;
+    # .initial = 3;
+}
+backend ploneBackend {
+    .host = "{{ .Env.BACKEND_SERVICE_NAME }}";
+    .port = "{{ .Env.BACKEND_SERVICE_PORT }}";
+    .probe = ploneBackendProbe;
+    .connect_timeout = 0.5s;
+    .first_byte_timeout = 120s;
+    .between_bytes_timeout = 60s;
+}
+
+probe ploneFrontendProbe {
+    .url = "/ok";
+    .timeout = 5s;
+    .interval = 15s;
+    .window = 10;
+    .threshold = 8;
+    # .initial = 3;
+}
+backend ploneFrontend {
+    .host = "{{ .Env.FRONTEND_SERVICE_NAME }}";
+    .port = "{{ .Env.FRONTEND_SERVICE_PORT }}";
+    .probe = ploneFrontendProbe;
+    .connect_timeout = 0.5s;
+    .first_byte_timeout = 120s;
+    .between_bytes_timeout = 60s;
+}
+
+/* Only allow PURGE from kubernetes network */
+acl purge {
+  "10.0.0.0/8";
+}
+
+sub detect_debug{
+  # Requests with X-Varnish-Debug will display additional
+  # information about requests
+  unset req.http.x-vcl-debug;
+  # Should be changed after switch to live
+  #if (req.http.x-varnish-debug) {
+  #    set req.http.x-vcl-debug = false;
+  #}
+  set req.http.x-vcl-debug = true;
+}
+
+sub detect_auth{
+  unset req.http.x-auth;
+  if (
+      (req.http.Cookie && (
+        req.http.Cookie ~ "__ac(_(name|password|persistent))?=" || req.http.Cookie ~ "_ZopeId" || req.http.Cookie ~ "auth_token")) ||
+      (req.http.Authenticate) ||
+      (req.http.Authorization)
+  ) {
+    set req.http.x-auth = true;
+  }
+}
+
+sub detect_requesttype{
+  unset req.http.x-varnish-reqtype;
+  set req.http.x-varnish-reqtype = "Default";
+  if (req.http.x-auth){
+    set req.http.x-varnish-reqtype = "auth";
+  } elseif (req.url ~ "\/@@(images|download|)\/?(.*)?$"){
+    set req.http.x-varnish-reqtype = "blob";
+  } elseif (req.url ~ "\/\+\+api\+\+/?(.*)?$") {
+    set req.http.x-varnish-reqtype = "api";
+  } else {
+    set req.http.x-varnish-reqtype = "express";
+  }
+}
+
+sub process_redirects{
+  if (req.http.x-redirect-to) {
+    return (synth(301, req.http.x-redirect-to));
+  }
+}
+
+sub vcl_init {
+  new lbPloneBackend = directors.round_robin();
+  lbPloneBackend.add_backend(ploneBackend);
+
+  new lbPloneFrontend = directors.round_robin();
+  lbPloneFrontend.add_backend(ploneFrontend);
+}
+
+sub vcl_recv {
+  # Annotate request with x-vcl-debug
+  call detect_debug;
+
+  # Annotate request with x-auth indicating if request is authenticated or not
+  call detect_auth;
+
+  # Annotate request with x-varnish-reqtype with a classification for the request
+  call detect_requesttype;
+
+  # Process redirects
+  call process_redirects;
+
+  # Routing: set the current Varnish backend to the matching Plone backend
+  # Attention:
+  # Confusing wording, we have two possible Varnish backends: the Plone frontend and the Plone backend *sigh*
+  if ((req.url ~ "^/\+\+api\+\+") || (req.http.x-varnish-reqtype ~ "blob")) {
+    set req.http.x-vcl-plone = "Backend";
+    set req.backend_hint = lbPloneBackend.backend();
+    # here we need a rewrite to add the virtualhost part of the URL for the Plone Backend
+    set req.http.x-vcl-proto = "http";
+    if (req.http.X-Forwarded-Proto) {
+      set req.http.x-vcl-proto = req.http.X-Forwarded-Proto;
+    }
+    set req.url = "/VirtualHostBase/" + req.http.x-vcl-proto + "/" + req.http.host + "/Plone/VirtualHostRoot" + req.url;
+  } else {
+    set req.http.x-vcl-plone = "Frontend";
+    set req.backend_hint = lbPloneFrontend.backend();
+  }
+
+  # short cut authenticated requests to pass
+  if (req.http.x-auth) {
+    return(pass);
+  }
+
+  # Sanitize cookies so they do not needlessly destroy cacheability for anonymous pages
+  if (req.http.Cookie) {
+    set req.http.Cookie = ";" + req.http.Cookie;
+    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";(sticky|I18N_LANGUAGE|statusmessages|__ac|_ZopeId|__cp|beaker\.session|authomatic|serverid|__rf|auth_token)=", "; \1=");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
+    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
+
+    if (req.http.Cookie == "") {
+        unset req.http.Cookie;
+    }
+  }
+
+  # Handle the different request types
+  if (req.method == "PURGE") {
+      if (!client.ip ~ purge) {
+          return (synth(405, "Not allowed."));
+      } else {
+          ban("req.url == " + req.url);
+          return (synth(200, "Purged."));
+      }
+
+  } elseif (req.method == "BAN") {
+      # Same ACL check as above:
+      if (!client.ip ~ purge) {
+          return (synth(405, "Not allowed."));
+      }
+      ban("req.http.host == " + req.http.host + "&& req.url == " + req.url);
+      # Throw a synthetic page so the
+      # request won't go to the backend.
+      return (synth(200, "Ban added"));
+
+  } elseif (req.method != "GET" &&
+      req.method != "HEAD" &&
+      req.method != "PUT" &&
+      req.method != "POST" &&
+      req.method != "PATCH" &&
+      req.method != "TRACE" &&
+      req.method != "OPTIONS" &&
+      req.method != "DELETE") {
+      /* Non-RFC2616 or CONNECT which is weird. */
+      return (pipe);
+  } elseif (req.method != "GET" &&
+      req.method != "HEAD" &&
+      req.method != "OPTIONS") {
+      /* POST, PUT, PATCH will pass, always */
+      return(pass);
+  }
+
+  return(hash);
+}
+
+sub vcl_pipe {
+  /* This is not necessary if you do not do any request rewriting. */
+  set req.http.connection = "close";
+}
+
+sub vcl_purge {
+  return (synth(200, "PURGE: " + req.url + " - " + req.hash));
+}
+
+sub vcl_synth {
+  if (resp.status == 301) {
+    set resp.http.location = resp.reason;
+    set resp.reason = "Moved";
+    return (deliver);
+  }
+}
+
+sub vcl_hit {
+  if (obj.ttl >= 0s) {
+    // A pure unadulterated hit, deliver it
+    return (deliver);
+  } elsif (obj.ttl + obj.grace > 0s) {
+    // Object is in grace, deliver it
+    // Automatically triggers a background fetch
+    return (deliver);
+  } else {
+    return (restart);
+  }
+}
+
+
+sub vcl_backend_response {
+  # Annotate request with info about the backend used
+  set beresp.http.x-varnish-plone-part = bereq.http.x-vcl-plone;
+  # set beresp.http.x-varnish-plone-proto = bereq.http.x-vcl-proto;
+  # set beresp.http.x-varnish-plone-host = bereq.http.x-vcl-host;
+  # Don't allow static files to set cookies.
+  # (?i) denotes case insensitive in PCRE (perl compatible regular expressions).
+  # make sure you edit both and keep them equal.
+  if (bereq.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
+    unset beresp.http.set-cookie;
+  }
+  if (beresp.http.Set-Cookie) {
+    set beresp.http.x-varnish-action = "FETCH (pass - response sets cookie)";
+    set beresp.uncacheable = true;
+    set beresp.ttl = 120s;
+    return(deliver);
+  }
+  if (beresp.http.Cache-Control ~ "(private|no-cache|no-store)") {
+    set beresp.http.x-varnish-action = "FETCH (pass - cache control disallows)";
+    set beresp.uncacheable = true;
+    set beresp.ttl = 120s;
+    return(deliver);
+  }
+
+  # if (beresp.http.Authorization && !beresp.http.Cache-Control ~ "public") {
+  # Do NOT cache if there is an "Authorization" header
+  # beresp never has an Authorization header in beresp, right?
+  if (beresp.http.Authorization) {
+    set beresp.http.x-varnish-action = "FETCH (pass - authorized and no public cache control)";
+    set beresp.uncacheable = true;
+    set beresp.ttl = 120s;
+    return(deliver);
+  }
+
+  # Use this rule IF no cache-control (SSR content)
+  if ((bereq.http.x-varnish-reqtype ~ "express") && (!beresp.http.Cache-Control)) {
+    set beresp.http.x-varnish-action = "INSERT (30s caching / 60s grace)";
+    set beresp.uncacheable = false;
+    set beresp.ttl = 30s;
+    set beresp.grace = 60s;
+    return(deliver);
+  }
+
+  if (!beresp.http.Cache-Control) {
+    set beresp.http.x-varnish-action = "FETCH (override - backend not setting cache control)";
+    set beresp.uncacheable = true;
+    set beresp.ttl = 120s;
+    return (deliver);
+  }
+
+  if (beresp.http.X-Anonymous && !beresp.http.Cache-Control) {
+    set beresp.http.x-varnish-action = "FETCH (override - anonymous backend not setting cache control)";
+    set beresp.ttl = 600s;
+    return (deliver);
+  }
+
+  set beresp.http.x-varnish-action = "FETCH (insert)";
+  return (deliver);
+}
+
+sub vcl_deliver {
+
+  if (req.http.x-vcl-debug) {
+    set resp.http.x-varnish-ttl = obj.ttl;
+    set resp.http.x-varnish-grace = obj.grace;
+    set resp.http.x-hits = obj.hits;
+    set resp.http.x-varnish-reqtype = req.http.x-varnish-reqtype;
+    if (req.http.x-auth) {
+      set resp.http.x-auth = "Logged-in";
+    } else {
+      set resp.http.x-auth = "Anon";
+    }
+    if (obj.hits > 0) {
+      set resp.http.x-cache = "HIT";
+    } else {
+      set resp.http.x-cache = "MISS";
+    }
+  } else {
+    unset resp.http.x-varnish-action;
+    unset resp.http.x-cache-operation;
+    unset resp.http.x-cache-rule;
+    unset resp.http.x-powered-by;
+  }
+}

package/examples/production-volto/ingress.ts

@@ -0,0 +1,229 @@
+import { Construct } from 'constructs';
+import *  as k8s from './imports/k8s';
+import * as traefik from './imports/traefik.io';
+
+export interface IngressOptions {
+
+    /**
+     * type: konq or traefik
+    * @default - traefik
+    */
+    readonly ingressType?: string;
+
+    /**
+     * issuer: cert-manager/cluster-issuer
+    * @default none
+    */
+    readonly issuer: string;
+
+    /**
+     * domainCached is the Domain used for the cached setup and should be the main public domain
+     * @default - none
+     */
+    readonly domainCached: string;
+
+    /**
+     * domainUncached is the Domain used for the uncached setup and should be the internal for testing pruposes only
+     * @default - none
+     */
+    readonly domainUncached: string;
+
+    /**
+     * domainMaintenance is the Domain to access the Plone backend (API) server for maintenance
+     * @default - none
+     */
+
+    readonly domainMaintenance: string;
+
+    /**
+     * frontendServiceName is the K8S Service name of the Plone frontend (Express)
+     * @default - none
+     */
+    readonly frontendServiceName: string;
+
+    /**
+     * backendServiceName is the K8S Service name of the Plone backend (API + Blobs)
+     * @default - none
+     */
+    readonly backendServiceName: string;
+
+    /**
+     * httpcacheServiceName is the K8S Service name of the http-cache (Varnish)
+     * @default - none
+     */
+    readonly httpcacheServiceName: string;
+}
+
+
+export class IngressChart extends Construct {
+
+    readonly issuer: string;
+
+    constructor(scope: Construct, id: string, options: IngressOptions) {
+        super(scope, id);
+        this.issuer = options.issuer;
+        if (options.ingressType === 'traefik') {
+            this.traefikIngress(
+                'main',
+                'cached',
+                options.domainCached,
+                '/',
+                options.httpcacheServiceName,
+                80,
+            );
+            this.traefikIngress(
+                'main',
+                'uncached',
+                options.domainUncached,
+                `/`,
+                options.frontendServiceName,
+                3000,
+            );
+            this.traefikIngress(
+                'main',
+                'maintenance',
+                options.domainMaintenance,
+                `/`,
+                options.backendServiceName,
+                8080,
+                `/VirtualHostBase/https/${options.domainMaintenance}/VirtualHostRoot/`
+            );
+        } else if (options.ingressType === 'kong') {
+
+            // Create the ingress for the cached (main) domain
+            this.kongIngress(
+                'main',
+                'cached',
+                options.domainCached,
+                '/',
+                options.httpcacheServiceName,
+                80,
+            );
+
+            // Create the two ingresses for the uncached (test) domain
+            // - to frontend:
+            this.kongIngress(
+                'uncached',
+                'frontend',
+                options.domainUncached,
+                '/',
+                options.frontendServiceName,
+                3000,
+            );
+            // - to backend:
+            this.kongIngress(
+                'uncached',
+                'backend',
+                options.domainUncached,
+                '/~/((?:(?:\\+\\+api\\+\\+)(?:.*))|(?:(?:.*)/(?:(?:@@images|@@downloads)/.*)))',
+                options.backendServiceName,
+                8080,
+                `/VirtualHostBase/https/${options.domainUncached}/Plone/VirtualHostRoot/$1`,
+            );
+
+            // Create the ingress for the maintenance
+            this.kongIngress(
+                'maintenance',
+                'backend',
+                options.domainMaintenance,
+                '/~/(.*)',
+                options.backendServiceName,
+                8080,
+                `/VirtualHostBase/https/${options.domainMaintenance}/VirtualHostRoot/$1`
+            );
+        } else {
+            throw new Error('Unknown ingress type');
+        }
+    }
+
+    traefikIngress(prefix: string, postfix: string, domain: string, path: string, backendServiceName: string, backendPort: number, rewrite?: string) {
+           var annotations: { [key: string]: string } = {
+            'kubernetes.io/ingress.class': 'traefik',
+            'cert-manager.io/cluster-issuer': this.issuer,
+        };
+        if (rewrite !== undefined) {
+            const rewritemw = new traefik.Middleware(this, `${prefix}-${postfix}-addprefix`,
+                {
+                metadata: {},
+                    spec: {
+                        addPrefix: {
+                            prefix: rewrite,
+                        },
+                    },
+                }
+            );
+            annotations['traefik.ingress.kubernetes.io/router.middlewares'] = `plone-${rewritemw.name}@kubernetescrd`;
+        }
+
+        new k8s.KubeIngress(this, `${prefix}-${postfix}`, {
+            metadata: {
+                annotations: annotations,
+            },
+            spec: {
+                ingressClassName: 'traefik',
+                rules: [{
+                    host: domain,
+                    http: {
+                        paths: [{
+                            backend: {
+                                service: {
+                                    name: backendServiceName,
+                                    port: { number: backendPort },
+                                },
+                            },
+                            path: path,
+                            pathType: 'Prefix',
+                        }],
+                    },
+                }],
+            },
+        });
+
+    }
+
+    kongIngress(prefix: string, postfix: string, domain: string, path: string, backendServiceName: string, backendPort: number, rewrite?: string) {
+        /*
+        Create a konq general ingress
+
+        Properties:
+        - prefix: prefix for the ingress name used for grouping tls secrets
+        - postfix: postfix for the ingress name, used concatenated with the prefix as identifer for the ingress
+        - domain: domain for the ingress
+        - path: path for the ingress
+        - backendServiceName: name of the backend service
+        - backendPort: port of the backend service
+        - rewrite (optional): rewrite path for the ingress
+        */
+        var annotations: { [key: string]: string } = {
+            'cert-manager.io/cluster-issuer': 'sectigo-issuer',
+            'konghq.com/https-redirect-status-code': '308',
+            'konghq.com/protocols': 'https',
+        };
+        if (rewrite !== undefined) {
+            annotations['konghq.com/rewrite'] = rewrite;
+        }
+        new k8s.KubeIngress(this, `${prefix}-${postfix}`, {
+            metadata: {
+                annotations: annotations,
+            },
+            spec: {
+                ingressClassName: 'kong',
+                rules: [{
+                    host: domain,
+                    http: {
+                        paths: [{
+                            backend: {
+                                service: {
+                                    name: backendServiceName,
+                                    port: { number: backendPort },
+                                },
+                            },
+                            path: path,
+                            pathType: 'Prefix',
+                        }],
+                    },
+                }],
+            },
+        });
+    }
+}

package/examples/production-volto/jest.config.js

@@ -0,0 +1,11 @@
+module.exports = {
+  roots: [
+    "<rootDir>"
+  ],
+  moduleFileExtensions: ["ts", "tsx", "js", "mjs", "cjs", "jsx", "json", "node"],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    "^.+\\.tsx?$": "ts-jest"
+  },
+  testEnvironment: 'node',
+}

package/examples/production-volto/main.test.ts

@@ -0,0 +1,11 @@
+import { ExampleChart } from './main';
+import { Testing } from 'cdk8s';
+
+describe('Production Volto Example', () => {
+  test('Synthesizes correctly', () => {
+    const app = Testing.app();
+    const chart = new ExampleChart(app, 'test-chart');
+    const results = Testing.synth(chart);
+    expect(results).toMatchSnapshot();
+  });
+});

package/examples/production-volto/main.ts

@@ -0,0 +1,104 @@
+import { Construct } from 'constructs';
+import { App, Chart, ChartProps } from 'cdk8s';
+import { Plone, PloneHttpcache } from '@bluedynamics/cdk8s-plone';
+import * as kplus from 'cdk8s-plus-30';
+import * as path from 'path';
+import { IngressChart } from './ingress';
+import { config } from 'dotenv';
+import { PGBitnamiChart } from './postgres.bitnami';
+import { PGCloudNativePGChart } from './postgres.cloudnativepg';
+
+
+export class ExampleChart extends Chart {
+  constructor(scope: Construct, id: string, props: ChartProps = {}) {
+    super(scope, id, props);
+
+    config();
+
+    // ================================================================================================================
+    // Postgresql
+    let db: PGBitnamiChart | PGCloudNativePGChart;
+    let postgresql_username;
+    let postgresql_password;
+    if ((process.env.DATABASE ?? 'bitnami') == 'cloudnativepg') {
+      const cloudnativepgDb = new PGCloudNativePGChart(this, 'db');
+      db = cloudnativepgDb;
+      // CloudNativePG creates secrets with format: {cluster-name}-app
+      // Use the CDK8S-generated cluster name, never hard-code
+      const secretName = `${cloudnativepgDb.clusterName}-app`;
+      postgresql_username = { valueFrom: { secretKeyRef: { name: secretName, key: 'username' }}};
+      postgresql_password = { valueFrom: { secretKeyRef: { name: secretName, key: 'password' }}};
+    } else {
+      const bitnamiDb = new PGBitnamiChart(this, 'db');
+      db = bitnamiDb;
+      postgresql_username = { value: 'plone' };
+      postgresql_password = { valueFrom: { secretKeyRef: { name: `${bitnamiDb.dbServiceName}`, key: 'password' }}};
+    }
+
+    // ================================================================================================================
+    // Plone
+
+
+    // prepare the environment variables for the plone deployment
+    const dbMDName = db.dbServiceName
+    const env = new kplus.Env(
+      [],
+      {
+        SECRET_POSTGRESQL_USERNAME: postgresql_username,
+        SECRET_POSTGRESQL_PASSWORD: postgresql_password,
+        INSTANCE_db_storage: { value: `relstorage` },
+        INSTANCE_db_blob_mode: { value: `cache` },
+        INSTANCE_db_cache_size: { value: `5000` },
+        INSTANCE_db_cache_size_bytes: { value: `1500MB` },
+        INSTANCE_db_relstorage: { value: `postgresql` },
+        INSTANCE_db_relstorage_postgresql_dsn: { value: `host='${dbMDName}' dbname='plone' user='$(SECRET_POSTGRESQL_USERNAME)' password='$(SECRET_POSTGRESQL_PASSWORD)'` },
+        INSTANCE_db_relstorage_cache_local_mb: { value: `800` },
+      },
+    );
+
+    // create the plone deployment and related resources
+    const plone = new Plone(this, 'plone', {
+      version: 'test.version',
+      backend: {
+        image: process.env.PLONE_BACKEND_IMAGE ?? 'plone/plone-backend:6.1.3',
+        environment: env,
+      },
+      frontend: {
+        image: process.env.PLONE_FRONTEND_IMAGE ?? 'plone/plone-frontend:latest',
+        readinessEnabled: false,
+      },
+    })
+
+    // ================================================================================================================
+    // Varnish with kube-httpcache
+    const httpcache = new PloneHttpcache(
+      this,
+      'httpcache',
+      {
+        plone: plone,
+        varnishVclFile: path.join(__dirname, 'config', 'varnish.tpl.vcl'),
+      }
+    )
+
+    // ================================================================================================================
+    // Ingress
+    new IngressChart(
+      this,
+      'ingress',
+      {
+        ingressType: 'traefik',
+        issuer: process.env.CLUSTER_ISSUER ?? 'letsencrypt-prod',
+        domainCached: process.env.DOMAIN_CACHED ?? 'mxplone-cached.example.com',
+        domainUncached: process.env.DOMAIN_UNCACHED ?? 'mxplone-cached.example.com',
+        domainMaintenance: process.env.DOMAIN_MAINTENANCE ?? 'mxplone-maintenance.example.com',
+        backendServiceName: plone.backendServiceName,
+        frontendServiceName: plone.frontendServiceName ?? '',
+        httpcacheServiceName: httpcache.httpcacheServiceName,
+      });
+  }
+}
+
+
+const app = new App();
+new ExampleChart(app, 'plone-example');
+app.synth();