autoconf - let's encrypt support for ingress controller

2021-08-03 22:38:00 +02:00 · 2021-08-03 22:38:00 +02:00 · b6809266af
parent 4e178b474c
commit b6809266af
9 changed files with 31 additions and 23 deletions
--- a/autoconf/src/Config.py
+++ b/autoconf/src/Config.py
@ -8,10 +8,11 @@ from logger import log

 class Config :

-	def __init__(self, type, api_uri, lock=None) :
+	def __init__(self, type, api_uri, lock=None, http_port="8080") :
 		self.__type = type
 		self.__api_uri = api_uri
 		self.__lock = lock
+		self.__http_port = http_port

 	def __jobs(self) :
 		log("config", "INFO", "starting jobs ...")
@ -145,16 +146,16 @@ class Config :
 				try :
 					dns_result = dns.resolver.query("tasks." + name)
 					for ip in dns_result :
-						urls.append("http://" + ip.to_text() + ":8080" + self.__api_uri + path)
+						urls.append("http://" + ip.to_text() + ":" + self.__http_port + self.__api_uri + path)
 				except :
 					ret = False
 		elif self.__type == Controller.Type.KUBERNETES :
 			for instance in instances :
 				name = instance.metadata.name
 				try :
-					dns_result = dns.resolver.query(name + ".default.svc.cluster.local")
+					dns_result = dns.resolver.query(name + "." + instance.metadata.namespace + ".svc.cluster.local")
 					for ip in dns_result :
-						urls.append("http://" + ip.to_text() + ":8080" + self.__api_uri + path)
+						urls.append("http://" + ip.to_text() + ":" + self.__http_port + self.__api_uri + path)
 				except :
 					ret = False

--- a/autoconf/src/Controller.py
+++ b/autoconf/src/Controller.py
@ -10,8 +10,8 @@ class Type(Enum) :

 class Controller(ABC) :

-	def __init__(self, type, api_uri=None, lock=None) :
-		self._config = Config(type, api_uri, lock)
+	def __init__(self, type, api_uri=None, lock=None, http_port="8080") :
+		self._config = Config(type, api_uri, lock=lock, http_port=http_port)
 		self.lock = lock

 	@abstractmethod
--- a/autoconf/src/IngressController.py
+++ b/autoconf/src/IngressController.py
@ -8,8 +8,8 @@ from logger import log

 class IngressController(Controller.Controller) :

-	def __init__(self, api_uri) :
-		super().__init__(Controller.Type.KUBERNETES, api_uri=api_uri, lock=Lock())
+	def __init__(self, api_uri, http_port) :
+		super().__init__(Controller.Type.KUBERNETES, api_uri=api_uri, lock=Lock(), http_port=http_port)
 		config.load_incluster_config()
 		self.__api = client.CoreV1Api()
 		self.__extensions_api = client.ExtensionsV1beta1Api()
@ -78,6 +78,10 @@ class IngressController(Controller.Controller) :
 				first_servers.extend(env["SERVER_NAME"].split(" "))
 		for ingress in ingresses :
 			env.update(self.__rules_to_env(ingress.spec.rules))
+			if ingress.spec.tls :
+				for tls_entry in ingress.spec.tls :
+					for host in tls_entry.hosts :
+						env[host + "_AUTO_LETS_ENCRYPT"] = "yes"
 			if "SERVER_NAME" in env and env["SERVER_NAME"] != "" :
 				first_servers.extend(env["SERVER_NAME"].split(" "))
 		for service in services :
--- a/autoconf/src/SwarmController.py
+++ b/autoconf/src/SwarmController.py
@ -7,8 +7,8 @@ import Controller

 class SwarmController(Controller.Controller) :

-	def __init__(self, docker_host, api_uri) :
-		super().__init__(Controller.Type.SWARM, api_uri=api_uri, lock=Lock())
+	def __init__(self, docker_host, api_uri, http_port) :
+		super().__init__(Controller.Type.SWARM, api_uri=api_uri, lock=Lock(), http_port=http_port)
 		self.__client = docker.DockerClient(base_url=docker_host)

 	def __get_instances(self) :
--- a/autoconf/src/app.py
+++ b/autoconf/src/app.py
@ -15,14 +15,15 @@ swarm		= os.getenv("SWARM_MODE", "no") == "yes"
 kubernetes	= os.getenv("KUBERNETES_MODE", "no") == "yes"
 api_uri		= os.getenv("API_URI", "")
 docker_host	= os.getenv("DOCKER_HOST", "unix:///var/run/docker.sock")
+http_port	= os.getenv("HTTP_PORT", "8080")

 # Instantiate the controller
 if swarm :
 	log("autoconf", "INFO", "swarm mode detected")
-	controller = SwarmController(docker_host, api_uri)
+	controller = SwarmController(docker_host, api_uri, http_port)
 elif kubernetes :
 	log("autoconf", "INFO", "kubernetes mode detected")
-	controller = IngressController(api_uri)
+	controller = IngressController(api_uri, http_port)
 else :
 	log("autoconf", "INFO", "docker mode detected")
 	controller = DockerController(docker_host)
--- a/confs/global/multisite-default-server-https.conf
+++ b/confs/global/multisite-default-server-https.conf
@ -10,4 +10,3 @@ ssl_session_cache shared:MozSSL:10m;
 ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif +%}
-include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
--- a/confs/global/multisite-default-server.conf
+++ b/confs/global/multisite-default-server.conf
@ -2,6 +2,7 @@ server {
 	{% if LISTEN_HTTP == "yes" %}listen 0.0.0.0:{{ HTTP_PORT }} default_server{% endif +%};
 	server_name _;
 	{% if has_value("AUTO_LETS_ENCRYPT", "yes") %}include /etc/nginx/multisite-default-server-https.conf;{% endif +%}
+	include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;
 	{% if USE_API == "yes" %}
 	location ^~ {{ API_URI }} {
 		include /etc/nginx/api.conf;
--- a/helpers/kubernetes-ingress.yml
+++ b/helpers/kubernetes-ingress.yml
@ -16,6 +16,9 @@ metadata:
 # add "static" routes here (see https://kubernetes.io/docs/concepts/services-networking/ingress/)
 # and/or add annotations to your services (see https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/kubernetes)
 spec:
+  tls:
+  - hosts:
+    - app.example.com
  rules:
  - host: "app.example.com"
    http:
--- a/helpers/kubernetes-nginx.yml
+++ b/helpers/kubernetes-nginx.yml
@ -17,17 +17,13 @@ spec:
      serviceAccountName: bunkerized-nginx-ingress-controller
      containers:
      - name: bunkerized-nginx-autoconf
-        image: bunkerity/bunkerized-nginx-autoconf:testing
-        imagePullPolicy: Always
+        image: bunkerity/bunkerized-nginx-autoconf
+        #imagePullPolicy: Always
        env:
        - name: KUBERNETES_MODE
          value: "yes"
        - name: API_URI
          value: "/ChangeMeToSomethingHardToGuess"
-        - name: SERVER_NAME
-          value: ""
-        - name: MULTISITE
-          value: "yes"
        volumeMounts:
        - name: confs
          mountPath: /etc/nginx
@ -85,12 +81,15 @@ spec:
        name: bunkerized-nginx
        bunkerized-nginx: "yes"
    spec:
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: bunkerized-nginx
-        image: bunkerity/bunkerized-nginx:testing
-        imagePullPolicy: Always
+        image: bunkerity/bunkerized-nginx
+        #imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          hostPort: 80
+        - containerPort: 8443
+          hostPort: 443
        env:
        - name: KUBERNETES_MODE
          value: "yes"