MK8S-25: Use nginx location directives to return 200 for health checks instead of index files

rdebay-scality · rdebay-scality · commit ba95fce9b86e · 2025-09-30T20:12:01.000+02:00
Simplified the approach to fix directory listing security issue by using
nginx configuration instead of creating index.html files.

Changes:
- Updated nginx.conf.j2 to return 200 for root (/) and saltenv paths (/metalk8s-*/)
- Removed all index.html file creation from Salt state (installed.sls)
- Removed all index.html creation logic from build system (repository.py)
- Health checks now pass without requiring any files to be created
- Repository files (RPMs, repodata) remain accessible as before
- Directory listing is disabled for security

This approach eliminates:
- Build-time index file creation complexity
- Deployment-time file dependencies
- Cleanup issues with index files
- Timing problems between file creation and container startup

The nginx location = / and location = /saltenv/ directives handle health
check requests with 200 status, while location / handles all other requests
with autoindex off for security.
diff --git a/buildchain/buildchain/targets/repository.py b/buildchain/buildchain/targets/repository.py
@@ -143,7 +143,6 @@ class RPMRepository(Repository):
     """A software repository for CentOS x86_64."""
 
     ARCH = "x86_64"
-    INDEX_HTML_FILENAME = "index.html"
 
     def __init__(
         self,
@@ -208,124 +207,11 @@ def clean() -> None:
             task["file_dep"].extend([self.get_rpm_path(pkg) for pkg in self.packages])
         return task
 
-    def _get_saltenv_directories(self) -> Tuple[Optional[Path], Optional[Path]]:
-        """Get saltenv directory paths for scality repository.
-
-        Returns:
-            Tuple of (saltenv_dir, top_saltenv_dir) paths
-        """
-        if self.name != "scality":
-            return None, None
-
-        # Saltenv directory at repository level (cleaner for cleanup)
-        saltenv_dir = (
-            self._repo_root
-            / self._releasever
-            / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
-        )
-        # Top-level saltenv directory (needed for health check)
-        top_saltenv_dir = (
-            self._repo_root / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
-        )
-        return saltenv_dir, top_saltenv_dir
-
-    def _get_index_file_paths(self) -> List[Path]:
-        """Get all index.html file paths for this repository.
-
-        Returns:
-            List of all index.html file paths that should be created/cleaned
-        """
-        return [
-            directory / self.INDEX_HTML_FILENAME
-            for directory in self._get_repository_directories()
-        ]
-
-    def _get_repository_directories(self) -> List[Path]:
-        """Get all repository directories that need index.html files.
-
-        Returns:
-            List of directory paths where index.html should be created
-        """
-        # Repository-specific directories
-        repository_directories = [
-            self.rootdir,  # Repository root (e.g., metalk8s-scality-el8)
-            self.rootdir / self.ARCH,  # Architecture directory (e.g., x86_64)
-        ]
-
-        # Add nginx root directory for scality repository
-        if self.name == "scality":
-            repository_directories.append(self._repo_root)  # /var/www/repositories
-
-        # Add saltenv directories for scality repository
-        saltenv_dir, top_saltenv_dir = self._get_saltenv_directories()
-        if saltenv_dir and top_saltenv_dir:
-            repository_directories.extend(
-                [
-                    # Repository-level saltenv structure
-                    saltenv_dir,
-                    saltenv_dir / "redhat",
-                    saltenv_dir / "redhat" / str(self._releasever),
-                    # Top-level saltenv (for health check)
-                    top_saltenv_dir,
-                ]
-            )
-
-        return repository_directories
-
-    def create_index_files(self) -> types.TaskDict:
-        """Create index.html files for repository directories."""
-
-        def clean() -> None:
-            """Delete the index.html files created by this task."""
-            # Remove the index.html files
-            for index_file in self._get_index_file_paths():
-                if index_file.exists():
-                    index_file.unlink()
-            # Also clean up any empty parent directories that we created
-            for index_file in self._get_index_file_paths():
-                parent_dir = index_file.parent
-                if parent_dir.exists() and not any(parent_dir.iterdir()):
-                    try:
-                        parent_dir.rmdir()
-                    except OSError:
-                        pass  # Directory not empty or doesn't exist, ignore
-
-        def create_index() -> None:
-            """Create empty index.html files in repository directories."""
-            for index_file in self._get_index_file_paths():
-                # Create directory if it doesn't exist, then create index.html
-                index_file.parent.mkdir(parents=True, exist_ok=True)
-                index_file.touch()
-                # Set readable permissions for nginx
-                index_file.chmod(0o644)
-
-        # Build targets list using centralized method
-        targets = self._get_index_file_paths()
-
-        task = self.basic_task
-        task.update(
-            {
-                "name": self._get_task_name("create_index_files"),
-                "actions": [create_index],
-                "doc": f"Create index.html files for {self.name} repository "
-                f"directories.",
-                "title": utils.title_with_target1("CREATE INDEX FILES"),
-                "targets": targets,
-                "uptodate": [True],
-                "verbosity": 0,
-                "clean": [clean],
-                "task_dep": [self._get_task_name("build_repodata", with_basename=True)],
-            }
-        )
-        return task
-
     @property
     def execution_plan(self) -> List[types.TaskDict]:
-        """Override execution plan to include index.html file creation."""
         tasks = [self.build_repo()]
         if self._packages:
             tasks.extend(self.build_packages())
-        tasks.append(self.create_index_files())
         return tasks
 
     def build_packages(self) -> List[types.TaskDict]:
diff --git a/salt/metalk8s/repo/files/nginx.conf.j2 b/salt/metalk8s/repo/files/nginx.conf.j2
@@ -2,12 +2,24 @@ server {
     listen       {{ listening_address }}:{{ listening_port }};
     server_name  localhost;
 
+    # Return 200 OK for root path health checks
+    location = / {
+        return 200 '';
+        add_header Content-Type text/plain;
+    }
+
+    # Return 200 OK for saltenv path health checks
+    {%- for env in archives.keys() %}
+    location = /{{ env }}/ {
+        return 200 '';
+        add_header Content-Type text/plain;
+    }
+    {%- endfor %}
+
     location / {
         root   /var/www/repositories;
         # Security fix: Disable directory listing to prevent exposing repository structure
         autoindex off;
-        # Serve index.html when directory is accessed
-        index index.html;
     }
 
     include conf.d/*.inc;
diff --git a/salt/metalk8s/repo/installed.sls b/salt/metalk8s/repo/installed.sls
@@ -36,25 +36,6 @@ Inject nginx image:
     - require:
       - sls: metalk8s.container-engine.running
 
-# Create index.html files to prevent directory listing issues
-Create repository index files:
-  file.managed:
-    - name: /var/lib/metalk8s/repositories/index.html
-    - contents: ''
-    - makedirs: True
-    - mode: '0644'
-    - require:
-      - file: Generate repositories nginx configuration
-
-Create saltenv index file:
-  file.managed:
-    - name: /var/lib/metalk8s/repositories/{{ saltenv }}/index.html
-    - contents: ''
-    - makedirs: True
-    - mode: '0644'
-    - require:
-      - file: Create repository index files
-
 Install repositories manifest:
   metalk8s.static_pod_managed:
     - name: /etc/kubernetes/manifests/repositories.yaml
@@ -92,7 +73,6 @@ Install repositories manifest:
       - file: Generate repositories nginx configuration
       - file: Deploy container registry nginx configuration
       - file: Generate container registry configuration
-      - file: Create saltenv index file
 
 Delay after repositories pod deployment:
   module.wait:
@@ -121,4 +101,4 @@ Wait for Repositories container to answer:
    - status: 200
    - request_interval: 1
    - require:
-      - file: Create saltenv index file
+      - module: Ensure repositories container is up
