swarm/k8s - less storage, more API
@@ -11,7 +11,7 @@ COPY autoconf/entrypoint.sh /opt/bunkerized-nginx/entrypoint/
|
||||
COPY autoconf/requirements.txt /opt/bunkerized-nginx/entrypoint/
|
||||
COPY autoconf/src/* /opt/bunkerized-nginx/entrypoint/
|
||||
|
||||
RUN apk add --no-cache py3-pip bash certbot curl openssl && \
|
||||
RUN apk add --no-cache py3-pip bash certbot curl openssl socat && \
|
||||
pip3 install -r /opt/bunkerized-nginx/gen/requirements.txt && \
|
||||
pip3 install -r /opt/bunkerized-nginx/entrypoint/requirements.txt && \
|
||||
pip3 install -r /opt/bunkerized-nginx/jobs/requirements.txt
|
||||
@@ -24,4 +24,6 @@ RUN chmod +x /tmp/prepare.sh && \
|
||||
# Fix CVE-2021-36159
|
||||
RUN apk add "apk-tools>=2.12.6-r0"
|
||||
|
||||
#VOLUME /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /etc/letsencrypt /acme-challenge
|
||||
|
||||
ENTRYPOINT ["/opt/bunkerized-nginx/entrypoint/entrypoint.sh"]
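Review bot: The commented-out `#VOLUME /http-confs /server-confs ... /acme-challenge` line above ENTRYPOINT is dead configuration; it should be deleted or replaced by a comment that records why the volumes went away, e.g. `# no VOLUME: config is now pushed to the instances over the API (see Config.send)`. Dropping the declaration also means that, unless the deployment mounts one explicitly, whatever certbot writes under /etc/letsencrypt in this container lands in the ephemeral writable layer and is lost when the container is recreated; the compose/stack files are not visible here, so this may already be handled there. A one-line comment stating that expectation next to the ENTRYPOINT would spare the next reader the archaeology.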
|
||||
|
||||
@@ -29,6 +29,11 @@ mkdir /var/log/letsencrypt
|
||||
chown nginx:nginx /var/log/letsencrypt
|
||||
chmod 770 /var/log/letsencrypt
|
||||
|
||||
# prepare /etc/nginx
|
||||
mkdir /etc/nginx
|
||||
chown root:nginx /etc/nginx
|
||||
chmod 770 /etc/nginx
|
||||
|
||||
# prepare /etc/letsencrypt
|
||||
mkdir /etc/letsencrypt
|
||||
chown root:nginx /etc/letsencrypt
|
||||
@@ -51,6 +56,18 @@ mkdir /acme-challenge
|
||||
chown root:nginx /acme-challenge
|
||||
chmod 770 /acme-challenge
|
||||
|
||||
# prepare /http-confs
|
||||
ln -s /http-confs /opt/bunkerized-nginx/http-confs
|
||||
mkdir /http-confs
|
||||
chown root:nginx /http-confs
|
||||
chmod 770 /http-confs
|
||||
|
||||
# prepare /server-confs
|
||||
ln -s /server-confs /opt/bunkerized-nginx/server-confs
|
||||
mkdir /server-confs
|
||||
chown root:nginx /server-confs
|
||||
chmod 770 /server-confs
|
||||
|
||||
# prepare /modsec-confs
|
||||
ln -s /modsec-confs /opt/bunkerized-nginx/modsec-confs
|
||||
mkdir /modsec-confs
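Review bot: The new `/http-confs`, `/server-confs` and `/modsec-confs` directories are created `root:nginx` with mode 770, as is `/etc/nginx` in the earlier hunk, so the unprivileged nginx user can rewrite its own server configuration and ModSecurity rule set. That is presumably needed because the receiving side of `Config.send` (not visible here) extracts the uploaded tarball as nginx, but it also means a compromised worker process gains full control over the configuration that is supposed to constrain it; if the extraction runs as root or a dedicated user, 750 would suffice. Either way prepare.sh should record the reason, e.g. `# group-writable: the in-container API extracts config pushed by autoconf as user nginx`. Minor: each `ln -s` runs before the matching `mkdir`, which works for a symlink but reads as if the target already exists; creating the directory first is clearer.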
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
import subprocess, shutil, os, traceback, requests, time, dns.resolver
|
||||
import subprocess, shutil, os, traceback, requests, time, dns.resolver, io, tarfile
|
||||
|
||||
import Controller
|
||||
|
||||
@@ -79,24 +79,25 @@ class Config :
|
||||
|
||||
def send(self, instances) :
|
||||
ret = True
|
||||
if self.__type == Controller.Type.DOCKER :
|
||||
return ret
|
||||
elif self.__type == Controller.Type.SWARM or self.__type == Controller.Type.KUBERNERTES :
|
||||
fail = False
|
||||
for name, path in CONFIGS.items() :
|
||||
file = self.__tarball(path)
|
||||
if not self.__api_call(instances, "/" + name, file=file) :
|
||||
log("config", "ERROR", "can't send config " + name + " to instance(s)")
|
||||
fail = True
|
||||
file.close()
|
||||
if fail :
|
||||
ret = False
|
||||
fail = False
|
||||
for name, path in CONFIGS.items() :
|
||||
file = self.__tarball(path)
|
||||
if not self.__api_call(instances, "/" + name, file=file) :
|
||||
log("config", "ERROR", "can't send config " + name + " to instance(s)")
|
||||
fail = True
|
||||
file.close()
|
||||
if fail :
|
||||
ret = False
|
||||
return ret
|
||||
|
||||
def __tarball(path) :
|
||||
def stop_temp(self, instances) :
|
||||
return self.__api_call(instances, "/stop-temp")
|
||||
|
||||
def __tarball(self, path) :
|
||||
file = io.BytesIO()
|
||||
with tarfile.open(mode="w:gz", fileobj=file) as tar :
|
||||
tar.add(path, arcname=".")
|
||||
file.seek(0, 0)
|
||||
return file
|
||||
|
||||
def __ping(self, instances) :
|
||||
@@ -178,7 +179,8 @@ class Config :
|
||||
if file == None :
|
||||
req = requests.post(url)
|
||||
else :
|
||||
req = requests.post(url, {'file': file})
|
||||
file.seek(0, 0)
|
||||
req = requests.post(url, files={'file': file})
|
||||
except :
|
||||
pass
|
||||
if req and req.status_code == 200 and req.text == "ok" :
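Review bot: `requests.post(url, files={'file': file})` is issued without a `timeout`, so a single unresponsive instance blocks the controller indefinitely — and, judging by the Swarm/Ingress `wait()` hunks, while the controller lock is held; pass `timeout=` on both `requests.post` calls. The bare `except : pass` around them swallows everything, and if the first `requests.post` raises, the `req and req.status_code == 200` check on the next line reads `req` before it is bound unless it is initialised above this hunk, which I cannot see; narrow it to `except requests.RequestException as e :` and log `e`. Whether the per-instance API behind `url` authenticates the caller or uses TLS is not visible here, but since this endpoint presumably accepts a tarball that replaces the nginx/ModSecurity configuration, anyone who can reach it on the overlay network could push arbitrary config — a comment stating that assumption belongs next to the call. Also `if file == None :` should be `if file is None :`.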
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import traceback
|
||||
from abc import ABC, abstractmethod
|
||||
from enum import Enum
|
||||
|
||||
@@ -55,6 +56,13 @@ class Controller(ABC) :
|
||||
def _send(self, instances) :
|
||||
try :
|
||||
ret = self._config.send(instances)
|
||||
except :
|
||||
except Exception as e :
|
||||
ret = False
|
||||
return ret
|
||||
|
||||
def _stop_temp(self, instances) :
|
||||
try :
|
||||
ret = self._config.stop_temp(instances)
|
||||
except Exception as e :
|
||||
ret = False
|
||||
return ret
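Review bot: In `_send` the catch was narrowed to `except Exception as e :` but `e` is never used, so a failure to push the config still surfaces only as `ret = False` with no diagnostic, and the new `_stop_temp` repeats the pattern. Since `traceback` is now imported at the top of this file, the minimal fix in both methods is `except Exception :` followed by `traceback.print_exc()` (or the module's log helper, if it has one) before `ret = False`. Without it an exception raised inside `Config.send` — a NameError, a socket error — is indistinguishable from an instance answering something other than `ok`.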
|
||||
|
||||
@@ -138,6 +138,9 @@ class IngressController(Controller.Controller) :
|
||||
def send(self) :
|
||||
return self._send(self.__get_services(autoconf=True))
|
||||
|
||||
def stop_temp(self) :
|
||||
return self._stop_temp(self.__get_services(autoconf=True))
|
||||
|
||||
def wait(self) :
|
||||
self.lock.acquire()
|
||||
try :
|
||||
@@ -146,20 +149,28 @@ class IngressController(Controller.Controller) :
|
||||
while len(pods) == 0 :
|
||||
time.sleep(1)
|
||||
pods = self.__get_pods()
|
||||
|
||||
# Wait for at least one bunkerized-nginx service
|
||||
services = self.__get_services(autoconf=True)
|
||||
while len(services) == 0 :
|
||||
time.sleep(1)
|
||||
services = self.__get_services(autoconf=True)
|
||||
|
||||
# Generate first config
|
||||
env = self.get_env()
|
||||
if not self.gen_conf(env) :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
|
||||
# Send the config
|
||||
if not self.send() :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Stop the temporary server
|
||||
if not self.stop_temp() :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Wait for bunkerized-nginx
|
||||
if not self._config.wait(instances) :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
self.lock.release()
|
||||
return self._config.wait(services), env
|
||||
except :
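Review bot: The new `if not self._config.wait(instances) :` references `instances`, which is not bound anywhere in the visible part of `wait()` — this method's local is `services` (`services = self.__get_services(autoconf=True)`) — so unless `instances` is assigned in the lines between `try :` and the start of this hunk, the line raises NameError after the config has already been sent and the temporary server stopped. The bare `except :` at the bottom of the hunk then swallows it silently, so the failure shows up only as a negative return. The line should read `if not self._config.wait(services) :`, and the `except :` should at least log what it caught. `wait()` starts in the previous hunk and continues past the end of this one.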
|
||||
|
||||
@@ -20,6 +20,12 @@ class ReloadServerHandler(socketserver.StreamRequestHandler):
|
||||
self.server.controller.lock.release()
|
||||
locked = False
|
||||
self.request.sendall(b"ok")
|
||||
elif data == b"acme" :
|
||||
ret = self.server.controller.send()
|
||||
if ret :
|
||||
self.request.sendall(b"ok")
|
||||
else :
|
||||
self.request.sendall(b"ko")
|
||||
elif data == b"reload" :
|
||||
ret = self.server.controller.reload()
|
||||
if ret :
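Review bot: The new `acme` branch calls `self.server.controller.send()` without taking `self.server.controller.lock`, whereas the branch just above it releases that lock and the controllers' `wait()` methods run `gen_conf` and `send` under it. If `send()` tars the config directories while another connection is in the middle of regenerating them, a partially written configuration is pushed to every instance; wrapping the call as `with self.server.controller.lock :` (assuming it is a `threading.Lock`) would serialise it. A short comment on the branch saying what the `acme` command is expected to do — presumably re-push a renewed certificate — would also help, since the handler only matches the exact byte string and a reader has nothing else to go on.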
|
||||
|
||||
@@ -64,6 +64,9 @@ class SwarmController(Controller.Controller) :
|
||||
def send(self) :
|
||||
return self._send(self.__get_instances())
|
||||
|
||||
def stop_temp(self) :
|
||||
return self._stop_temp(self.__get_instances())
|
||||
|
||||
def wait(self) :
|
||||
self.lock.acquire()
|
||||
try :
|
||||
@@ -72,14 +75,29 @@ class SwarmController(Controller.Controller) :
|
||||
while len(instances) == 0 :
|
||||
time.sleep(1)
|
||||
instances = self.__get_instances()
|
||||
# Wait for temporary bunkerized-nginx
|
||||
if not self._config.wait(instances) :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Generate first config
|
||||
env = self.get_env()
|
||||
if not self.gen_conf(env) :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Wait for nginx
|
||||
# Send the config
|
||||
if not self.send() :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Stop the temporary server
|
||||
if not self.stop_temp() :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
# Wait for bunkerized-nginx
|
||||
if not self._config.wait(instances) :
|
||||
self.lock.release()
|
||||
return False, env
|
||||
self.lock.release()
|
||||
return self._config.wait(instances), env
|
||||
return True, env
|
||||
except :
|
||||
pass
|
||||
self.lock.release()
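Review bot: The new temporary-instance check `if not self._config.wait(instances) :` returns `False, env` before `env = self.get_env()` has run, so that failure path raises UnboundLocalError instead of returning; the bare `except : pass` below then hides it and control falls through to the `self.lock.release()` after the except. The five `self.lock.release(); return False, env` pairs plus the except/release tail are also exactly what `try/finally` exists for, and the `except :` should at least log what it caught rather than `pass`. I would bind `env` before the `try`, release the lock in `finally` and drop the per-branch releases, as sketched below; `wait()` starts in the previous hunk and its tail after `self.lock.release()` is outside this one, so whatever it returns there should become the `except` branch's return.
```python
        self.lock.acquire()
        env = {}  # bound up front so every early return below has a value
        try :
            # … unchanged: wait for at least one instance …
            # Wait for temporary bunkerized-nginx
            if not self._config.wait(instances) :
                return False, env
            # Generate first config
            env = self.get_env()
            if not self.gen_conf(env) :
                return False, env
            # Send the config
            if not self.send() :
                return False, env
            # Stop the temporary server
            if not self.stop_temp() :
                return False, env
            # Wait for bunkerized-nginx
            if not self._config.wait(instances) :
                return False, env
            return True, env
        except Exception as e :
            # report e through the module's logger instead of swallowing it
            return False, env
        finally :
            self.lock.release()
```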
|
||||
|
||||