bflad / chef-stash

Chef Cookbook for Atlassian Stash

Add SSH port forwarding from default SSH port #95

Open patcon opened 9 years ago

patcon commented 9 years ago

Might this be an additional feature we might want to provide a recipe for? https://confluence.atlassian.com/display/STASH/Setting+up+SSH+port+forwarding

bflad commented 9 years ago

On one hand, I think this is reasonable as long as haproxy is not a hard dependency. e.g. New proxy recipe can exist and be tested (maybe controllable by attribute for default recipe) and extra feature is documented in the README. You can run into trouble like we did with the docker cookbook for all these extra dependencies if they're required.

On the other hand, while it might be nice to offer some sane defaults, how hard is coming up with the configuration without basically wrapping all the necessary haproxy attributes here? I guess we can provide attributes to set frontend to port 22 if desired, but do we now have to override haproxy user? (I think the answer is yes). Also, we definitely don't want to start making sshd changes in this cookbook to automatically support that as well so that part will still have to be manually documented in README.

In my opinion, I think this might seem better suited in its own cookbook given all the configuration variables and requisite setup. Honestly, even the Apache configuration in here has always been hazy of whether to wrap things in this cookbook versus reduce dependencies for the base setup. Everyone's environment can be different. Having another cookbook to still provide the desired automation (which can be documented here!) allows better/more succinct/reusable configuration without cluttering/versioning issues with a base Stash setup and this cookbook.

I'd be curious to know what @linc01n and you think though. :)

Note: I've purposefully left out database configuration from the above discussion because I think it is critical to the automation for a base Stash setup and should be wrapped still. Apache/nginx/haproxy configuration are outside the scope of the bare minimum to get Stash itself running.

bflad commented 9 years ago

And to complicate matters further, you can do SSH proxy things like this in Apache: http://mark.koli.ch/configuring-apache-to-support-ssh-through-an-http-web-proxy-with-proxytunnel

Who's to say which frontend you should use or how complicated the setup can get? Not sure if in this cookbook or my Confluence one, but folks definitely asked about using (and natively supporting in the cookbook) Nginx instead of Apache in their environment. I'd personally rather have haproxy for the frontends.

Don't let me scare you away though. Just be mindful of the complicated architecture questions. :frowning: