Harish Govindarajulu f63d25bdd3 nginx: Add nginx routing logic to default to react UI for downstream (PROJQUAY-9207) (#4252)
* Add nginx routing logic to default to react UI for downstream

* Remove defaulting from env, update Makefile to build react by default for local

* Add cypress test for signin and create account workflow

* Add missing routes + fallback to backend server

* Hide UI toggle when defaulting to new UI

* Adds forgot password + recovery email, recaptcha, missing login checks

* Add external login screen + support for other login types for new UI

* Add new screen for update user after external login

* Add authorized apps section under external logins tab

* Implement updateuser react component + fix cypress test

* Fix external login OAuth flow for react

* switch logic to default to new ui

* Add DEFAULT_UI: angular to config for cypress CI

* Fix cypress tests for oauth-callback

* Rebase and fix merge conflicts

---------

Signed-off-by: harishsurf <hgovinda@redhat.com>
2025-10-14 15:10:39 -04:00


import os
import os.path
import jinja2
import yaml
# Paths are resolved from the environment so the same script runs inside the
# image and in a local checkout; QUAYCONF defaults to <QUAYDIR>/<QUAYPATH>/conf.
QUAYPATH = os.getenv("QUAYPATH", ".")
QUAYDIR = os.getenv("QUAYDIR", "/")
_DEFAULT_CONF_DIR = os.path.join(QUAYDIR, QUAYPATH, "conf")
QUAYCONF_DIR = os.getenv("QUAYCONF", _DEFAULT_CONF_DIR)
STATIC_DIR = os.path.join(QUAYDIR, "static")

# Protocols offered when SSL_PROTOCOLS is absent from the app config.
SSL_PROTOCOL_DEFAULTS = ["TLSv1.2", "TLSv1.3"]

# Cipher list used when SSL_CIPHERS is absent from the app config.  It is kept
# as a list; the nginx generator joins it with ":" into an OpenSSL cipher
# string.  ECDHE/DHE AEAD suites come first, but the list also admits
# CBC-mode suites and RSA-key-exchange suites without forward secrecy
# (e.g. AES128-SHA, and the bare "AES" / "CAMELLIA" keywords) for older
# clients; operators wanting a PFS-only policy override SSL_CIPHERS.
# NOTE(review): with nginx on OpenSSL the ssl_ciphers directive generally
# does not govern TLS 1.3 suites, so this list affects TLS 1.2 negotiation.
SSL_CIPHER_DEFAULTS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "!3DES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
).split(":")
def write_config(filename, **kwargs):
    """
    Renders the Jinja2 template ``<filename>.jnj`` and writes it to ``filename``.

    Every keyword argument becomes a variable visible to the template.  Any
    OSError from opening the template or the output file propagates.
    """
    template_path = filename + ".jnj"
    with open(template_path) as source:
        template_text = source.read()
    rendered = jinja2.Template(template_text).render(kwargs)
    with open(filename, "w") as target:
        target.write(rendered)
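def generate_nginx_config(config):
    """
    Generates nginx config from the app config.

    Renders ``nginx/nginx.conf`` under QUAYCONF_DIR from its ``.jnj`` template.

    Args:
        config: parsed app config dict, or None/empty when no
            ``stack/config.yaml`` exists (every setting then takes its default).
    """
    config = config or {}
    # HTTPS is switched on solely by the presence of the key file.
    use_https = os.path.exists(os.path.join(QUAYCONF_DIR, "stack/ssl.key"))
    v1_only_domain = config.get("V1_ONLY_DOMAIN", None)
    enable_rate_limits = config.get("FEATURE_RATE_LIMITS", False)
    ssl_protocols = config.get("SSL_PROTOCOLS", SSL_PROTOCOL_DEFAULTS)
    ssl_ciphers = config.get("SSL_CIPHERS", SSL_CIPHER_DEFAULTS)
    # Accept either a list of cipher names or an already-joined OpenSSL cipher
    # string; joining a plain string would interleave ":" between characters.
    if not isinstance(ssl_ciphers, str):
        ssl_ciphers = ":".join(ssl_ciphers)
    # Enable IPv4 and/or IPv6. Valid values are IPv4, IPv6 or dual-stack.
    # A null/empty value falls back to IPv4; matching is case-insensitive.
    ip_version = str(config.get("FEATURE_LISTEN_IP_VERSION") or "IPv4").lower()
    use_ipv4 = ip_version != "ipv6"
    use_ipv6 = ip_version in ("ipv6", "dual-stack")
    write_config(
        os.path.join(QUAYCONF_DIR, "nginx/nginx.conf"),
        use_https=use_https,
        enable_rate_limits=enable_rate_limits,
        v1_only_domain=v1_only_domain,
        ssl_protocols=ssl_protocols,
        ssl_ciphers=ssl_ciphers,
        use_ipv4=use_ipv4,
        use_ipv6=use_ipv6,
    )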
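def generate_server_config(config):
    """
    Generates server config from the app config.

    Renders ``nginx/server-base.conf`` under QUAYCONF_DIR from its ``.jnj``
    template.

    Args:
        config: parsed app config dict, or None/empty when no
            ``stack/config.yaml`` exists (every setting then takes its default).
    """
    config = config or {}
    tuf_server = config.get("TUF_SERVER", None)
    tuf_host = config.get("TUF_HOST", None)
    signing_enabled = config.get("FEATURE_SIGNING", False)
    maximum_layer_size = config.get("MAXIMUM_LAYER_SIZE", "20G")
    enable_rate_limits = config.get("FEATURE_RATE_LIMITS", False)
    manifests_endpoint_read_timeout = config.get("MANIFESTS_ENDPOINT_READ_TIMEOUT", None)
    # Get default UI setting from config.  A key present with a null/empty
    # value (``DEFAULT_UI:`` in YAML) must not crash on .lower(), so fall back
    # to "react" before normalising case.
    default_ui = str(config.get("DEFAULT_UI") or "react").lower()
    # Validate against allowed values; anything else also means "react".
    if default_ui not in ("angular", "react"):
        default_ui = "react"
    write_config(
        os.path.join(QUAYCONF_DIR, "nginx/server-base.conf"),
        tuf_server=tuf_server,
        tuf_host=tuf_host,
        signing_enabled=signing_enabled,
        maximum_layer_size=maximum_layer_size,
        enable_rate_limits=enable_rate_limits,
        static_dir=STATIC_DIR,
        manifests_endpoint_read_timeout=manifests_endpoint_read_timeout,
        default_ui=default_ui,
    )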
def generate_rate_limiting_config(config):
    """
    Generates rate limiting config from the app config.

    Renders ``nginx/rate-limiting.conf`` under QUAYCONF_DIR.  A missing,
    null or empty NON_RATE_LIMITED_NAMESPACES becomes an empty set.
    """
    settings = config or {}
    exempt_namespaces = settings.get("NON_RATE_LIMITED_NAMESPACES")
    if not exempt_namespaces:
        exempt_namespaces = set()
    target = os.path.join(QUAYCONF_DIR, "nginx/rate-limiting.conf")
    write_config(
        target,
        non_rate_limited_namespaces=exempt_namespaces,
        enable_rate_limits=settings.get("FEATURE_RATE_LIMITS", False),
        static_dir=STATIC_DIR,
    )
def generate_http_base_config(config):
    """
    Generates http base config from the app config.

    Renders ``nginx/http-base.conf`` under QUAYCONF_DIR, passing
    TRUSTED_PROXY_CIDR through unchanged (None when unset).
    NOTE(review): presumably the template uses it to decide which proxy
    addresses may supply the client IP — confirm in http-base.conf.jnj.
    """
    settings = config or {}
    target = os.path.join(QUAYCONF_DIR, "nginx/http-base.conf")
    write_config(target, trusted_proxy_cidr=settings.get("TRUSTED_PROXY_CIDR", None))
def generate_hosted_http_base_config(config):
    """
    Generates hosted http base config from the app config.

    Renders ``nginx/hosted-http-base.conf`` under QUAYCONF_DIR with the
    FEATURE_PROXY_PROTOCOL flag (False when unset).
    """
    settings = config or {}
    proxy_protocol_enabled = settings.get("FEATURE_PROXY_PROTOCOL", False)
    target = os.path.join(QUAYCONF_DIR, "nginx/hosted-http-base.conf")
    write_config(target, feature_proxy_protocol=proxy_protocol_enabled)
if __name__ == "__main__":
    # The app config is optional: without stack/config.yaml every generator
    # runs on its built-in defaults.  yaml.safe_load (not yaml.load) means the
    # file cannot instantiate arbitrary Python objects.
    config_path = os.path.join(QUAYCONF_DIR, "stack/config.yaml")
    config = None
    if os.path.exists(config_path):
        with open(config_path, "r") as config_file:
            config = yaml.safe_load(config_file)

    for generate in (
        generate_http_base_config,
        generate_hosted_http_base_config,
        generate_rate_limiting_config,
        generate_server_config,
        generate_nginx_config,
    ):
        generate(config)