From de38d9d65ac05f6531f1517a0af15b0bea3a4281 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= <aurelien@bompard.org>
Date: Tue, 28 Sep 2021 18:25:54 +0200
Subject: [PATCH] Datagrepper: add live/ready probes and CSP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
---
 .../datagrepper/templates/datagrepper.cfg.py  |  4 +++
 .../templates/deploymentconfig.yml            | 29 +++++++++----------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py b/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
index 10b6178f6f..d99ae6d777 100644
--- a/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
+++ b/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
@@ -5,3 +5,7 @@
 APP_PATH = "https://apps{{ env_suffix }}.fedoraproject.org/datagrepper2"
 DEFAULT_QUERY_DELTA = 3600
 DATANOMMER_SQLALCHEMY_URL = "postgresql://{{ datanommerDBUser }}:{{ (env == 'production')|ternary(datanommerDBPassword, datanommer_stg_db_password) }}@db-datanommer01{{ env_suffix }}.iad2.fedoraproject.org/datanommer2"
+
+# Only allow ajax/websockets connections back to our domains.
+# https://github.com/fedora-infra/datagrepper/pull/192
+CONTENT_SECURITY_POLICY = "connect-src https://*.fedoraproject.org wss://*.fedoraproject.org"
diff --git a/roles/openshift-apps/datagrepper/templates/deploymentconfig.yml b/roles/openshift-apps/datagrepper/templates/deploymentconfig.yml
index 05e76b83c6..dd54814e1e 100644
--- a/roles/openshift-apps/datagrepper/templates/deploymentconfig.yml
+++ b/roles/openshift-apps/datagrepper/templates/deploymentconfig.yml
@@ -30,7 +30,6 @@ spec:
         imagePullPolicy: Always
         ports:
         - containerPort: 8080
-          #protocol: TCP
         #resources: {}
         #terminationMessagePath: /dev/termination-log
         #terminationMessagePolicy: File
@@ -50,20 +49,20 @@ spec:
           value: "/etc/datagrepper/gunicorn.conf.py"
         - name: SCRIPT_NAME
           value: "/datagrepper2"
-        # readinessProbe:
-        #   timeoutSeconds: 10
-        #   initialDelaySeconds: 5
-        #   periodSeconds: 60
-        #   httpGet:
-        #     path: "/datagrepper/healthz/ready"
-        #     port: 8080
-        # livenessProbe:
-        #   timeoutSeconds: 10
-        #   initialDelaySeconds: 10
-        #   periodSeconds: 60
-        #   httpGet:
-        #     path: "/datagrepper/healthz/live"
-        #     port: 8080
+        readinessProbe:
+          timeoutSeconds: 10
+          initialDelaySeconds: 5
+          periodSeconds: 60
+          httpGet:
+            path: "/datagrepper/healthz/ready"
+            port: 8080
+        livenessProbe:
+          timeoutSeconds: 10
+          initialDelaySeconds: 3
+          periodSeconds: 60
+          httpGet:
+            path: "/datagrepper/healthz/live"
+            port: 8080
       volumes:
       - name: datagrepper-config-volume
         configMap: