Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

autoconf - various kubernetes fixes

Browse Source
This commit is contained in:
bunkerity 2021-08-13 16:42:31 +02:00
parent c9a6b6c27d
commit f1d5c07cc1
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
9 changed files with 180 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
autoconf/src/IngressController.py
View File

@ -86,7 +86,7 @@ class IngressController(Controller.Controller) :
for service in services : for service in services :
if service.metadata.annotations != None and "bunkerized-nginx.SERVER_NAME" in service.metadata.annotations : if service.metadata.annotations != None and "bunkerized-nginx.SERVER_NAME" in service.metadata.annotations :
env.update(self.__annotations_to_env(service.metadata.annotations)) env.update(self.__annotations_to_env(service.metadata.annotations))
first_servers.append(service.metadata.annotations["SERVER_NAME"]) first_servers.append(service.metadata.annotations["bunkerized-nginx.SERVER_NAME"])
first_servers = list(dict.fromkeys(first_servers)) first_servers = list(dict.fromkeys(first_servers))
if len(first_servers) == 0 : if len(first_servers) == 0 :
env["SERVER_NAME"] = "" env["SERVER_NAME"] = ""
@ -181,9 +181,11 @@ class IngressController(Controller.Controller) :
# Generate first config # Generate first config
env = self.get_env() env = self.get_env()
if not self.gen_conf(env) : if not self.gen_conf(env) :
self.lock.release()
return False, env return False, env
# Wait for bunkerized-nginx # Wait for bunkerized-nginx
self.lock.release()
return self._config.wait(services), env return self._config.wait(services), env
except : except :
pass pass

6
autoconf/src/SwarmController.py
View File

@ -56,8 +56,8 @@ class SwarmController(Controller.Controller) :
log("controller", "ERROR", "failed reload") log("controller", "ERROR", "failed reload")
else : else :
log("controller", "ERROR", "can't generate new configuration") log("controller", "ERROR", "can't generate new configuration")
except : except :
log("controller", "ERROR", "exception while receiving event") log("controller", "ERROR", "exception while receiving event")
self.lock.release() self.lock.release()
def reload(self) : def reload(self) :
@ -74,8 +74,10 @@ class SwarmController(Controller.Controller) :
# Generate first config # Generate first config
env = self.get_env() env = self.get_env()
if not self.gen_conf(env) : if not self.gen_conf(env) :
self.lock.release()
return False, env return False, env
# Wait for nginx # Wait for nginx
self.lock.release()
return self._config.wait(instances), env return self._config.wait(instances), env
except : except :
pass pass

4
docs/integrations.md
View File

@ -712,6 +712,7 @@ metadata:
bunkerized-nginx: "yes" bunkerized-nginx: "yes"
annotations: annotations:
bunkerized-nginx.SERVER_NAME: "www.example.com" bunkerized-nginx.SERVER_NAME: "www.example.com"
bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
bunkerized-nginx.USE_REVERSE_PROXY: "yes" bunkerized-nginx.USE_REVERSE_PROXY: "yes"
bunkerized-nginx.REVERSE_PROXY_URL: "/" bunkerized-nginx.REVERSE_PROXY_URL: "/"
bunkerized-nginx.REVERSE_PROXY_HOST: "http://myapp" bunkerized-nginx.REVERSE_PROXY_HOST: "http://myapp"
@ -749,8 +750,7 @@ $ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.sh
Before executing it, you should also check the signature : Before executing it, you should also check the signature :
```shell ```shell
$ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.sh.asc $ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.sh.asc
$ curl -fsSL https://TODO -o /tmp/bunkerized-nginx.key $ gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys contact@bunkerity.com
$ gpg --import /tmp/bunkerized-nginx.key
$ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh $ gpg --verify /tmp/bunkerized-nginx.sh.asc /tmp/bunkerized-nginx.sh
``` ```

39
helpers/autoconf.yml Normal file
View File

@ -0,0 +1,39 @@
version: '3'
services:
mybunkerized:
image: bunkerity/bunkerized-nginx
restart: always
ports:
- 80:8080
- 443:8443
volumes:
- ./certs:/etc/letsencrypt
- ./www:/www:ro
- bunkerized-vol:/etc/nginx
environment:
- SERVER_NAME=
- MULTISITE=yes
- AUTO_LETS_ENCRYPT=yes
labels:
- "bunkerized-nginx.AUTOCONF"
networks:
- services-net
myautoconf:
image: bunkerity/bunkerized-nginx-autoconf
restart: always
volumes_from:
- mybunkerized
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- mybunkerized
volumes:
bunkerized-vol:
networks:
services-net:
name: services-net

65
helpers/kubernetes-ingress.yml
View File

@ -1,65 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bunkerized-nginx-ingress
labels:
bunkerized-nginx: "yes"
annotations:
# add any global and default environment variables here as annotations with the "bunkerized-nginx." prefix
# examples :
#bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
#bunkerized-nginx.USE_ANTIBOT: "javascript"
#bunkerized-nginx.REDIRECT_HTTP_TO_HTTPS: "yes"
#bunkerized-nginx.app.example.com_REVERSE_PROXY_WS: "yes"
#bunkerized-nginx.app.example.com_USE_MODSECURITY: "no"
# add "static" routes here (see https://kubernetes.io/docs/concepts/services-networking/ingress/)
# and/or add annotations to your services (see https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/kubernetes)
spec:
tls:
- hosts:
- app.example.com
rules:
- host: "app.example.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: myapp
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
spec:
replicas: 1
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: containous/whoami
---
apiVersion: v1
kind: Service
metadata:
name: myapp
spec:
type: ClusterIP
selector:
app: myapp
ports:
- protocol: TCP
port: 80
targetPort: 80

145
helpers/kubernetes-nginx.yml
View File

@ -1,71 +1,4 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment
metadata:
name: bunkerized-nginx-ingress-controller
labels:
app: bunkerized-nginx-autoconf
spec:
replicas: 1
selector:
matchLabels:
app: bunkerized-nginx-autoconf
template:
metadata:
labels:
app: bunkerized-nginx-autoconf
spec:
serviceAccountName: bunkerized-nginx-ingress-controller
containers:
- name: bunkerized-nginx-autoconf
image: bunkerity/bunkerized-nginx-autoconf
#imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
value: "yes"
- name: API_URI
value: "/ChangeMeToSomethingHardToGuess"
volumeMounts:
- name: confs
mountPath: /etc/nginx
- name: letsencrypt
mountPath: /etc/letsencrypt
- name: acme-challenge
mountPath: /acme-challenge
- name: cache
mountPath: /cache
- name: modsec-confs
mountPath: /modsec-confs
readOnly: true
- name: modsec-crs-confs
mountPath: /modsec-crs-confs
readOnly: true
volumes:
- name: confs
hostPath:
path: /shared/confs
type: Directory
- name: letsencrypt
hostPath:
path: /shared/letsencrypt
type: Directory
- name: acme-challenge
hostPath:
path: /shared/acme-challenge
type: Directory
- name: cache
hostPath:
path: /shared/cache
type: Directory
- name: modsec-confs
hostPath:
path: /shared/modsec-confs
type: Directory
- name: modsec-crs-confs
hostPath:
path: /shared/modsec-crs-confs
type: Directory
---
apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: bunkerized-nginx name: bunkerized-nginx
@ -79,12 +12,12 @@ spec:
metadata: metadata:
labels: labels:
name: bunkerized-nginx name: bunkerized-nginx
# this label is mandatory
bunkerized-nginx: "yes" bunkerized-nginx: "yes"
spec: spec:
containers: containers:
- name: bunkerized-nginx - name: bunkerized-nginx
image: bunkerity/bunkerized-nginx image: bunkerity/bunkerized-nginx
#imagePullPolicy: Always
ports: ports:
- containerPort: 8080 - containerPort: 8080
hostPort: 80 hostPort: 80
@ -114,18 +47,6 @@ spec:
- name: www - name: www
mountPath: /www mountPath: /www
readOnly: true readOnly: true
- name: http-confs
mountPath: /http-confs
readOnly: true
- name: server-confs
mountPath: /server-confs
readOnly: true
- name: modsec-confs
mountPath: /modsec-confs
readOnly: true
- name: modsec-crs-confs
mountPath: /modsec-crs-confs
readOnly: true
volumes: volumes:
- name: confs - name: confs
hostPath: hostPath:
@ -143,32 +64,64 @@ spec:
hostPath: hostPath:
path: /shared/www path: /shared/www
type: Directory type: Directory
- name: http-confs
hostPath:
path: /shared/http-confs
type: Directory
- name: server-confs
hostPath:
path: /shared/server-confs
type: Directory
- name: modsec-confs
hostPath:
path: /shared/modsec-confs
type: Directory
- name: modsec-crs-confs
hostPath:
path: /shared/modsec-crs-confs
type: Directory
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: bunkerized-nginx-service name: bunkerized-nginx-service
# this label is mandatory
labels: labels:
bunkerized-nginx: "yes" bunkerized-nginx: "yes"
# this annotation is mandatory
annotations: annotations:
bunkerized-nginx.AUTOCONF: "yes" bunkerized-nginx.AUTOCONF: "yes"
spec: spec:
clusterIP: None clusterIP: None
selector: selector:
name: bunkerized-nginx name: bunkerized-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bunkerized-nginx-ingress-controller
labels:
app: bunkerized-nginx-autoconf
spec:
replicas: 1
selector:
matchLabels:
app: bunkerized-nginx-autoconf
template:
metadata:
labels:
app: bunkerized-nginx-autoconf
spec:
serviceAccountName: bunkerized-nginx-ingress-controller
containers:
- name: bunkerized-nginx-autoconf
image: bunkerity/bunkerized-nginx-autoconf
env:
- name: KUBERNETES_MODE
value: "yes"
- name: API_URI
value: "/ChangeMeToSomethingHardToGuess"
volumeMounts:
- name: confs
mountPath: /etc/nginx
- name: letsencrypt
mountPath: /etc/letsencrypt
- name: acme-challenge
mountPath: /acme-challenge
volumes:
- name: confs
hostPath:
path: /shared/confs
type: Directory
- name: letsencrypt
hostPath:
path: /shared/letsencrypt
type: Directory
- name: acme-challenge
hostPath:
path: /shared/acme-challenge
type: Directory

67
helpers/swarm.yml Normal file
View File

@ -0,0 +1,67 @@
version: '3.8'
services:
nginx:
image: bunkerity/bunkerized-nginx
ports:
- published: 80
target: 8080
mode: host
protocol: tcp
- published: 443
target: 8443
mode: host
protocol: tcp
volumes:
- /shared/confs:/etc/nginx:ro
- /shared/www:/www:ro
- /shared/letsencrypt:/etc/letsencrypt:ro
- /shared/acme-challenge:/acme-challenge:ro
environment:
- SWARM_MODE=yes
- USE_API=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from autoconf
- MULTISITE=yes
- SERVER_NAME=
- AUTO_LETS_ENCRYPT=yes
networks:
- bunkerized-net
- services-net
deploy:
mode: global
placement:
constraints:
- "node.role==worker"
# mandatory label
labels:
- "bunkerized-nginx.AUTOCONF"
autoconf:
image: bunkerity/bunkerized-nginx-autoconf
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /shared/confs:/etc/nginx
- /shared/letsencrypt:/etc/letsencrypt
- /shared/acme-challenge:/acme-challenge
environment:
- SWARM_MODE=yes
- API_URI=/ChangeMeToSomethingHardToGuess # must match API_URI from nginx
networks:
- bunkerized-net
deploy:
replicas: 1
placement:
constraints:
- "node.role==manager"
# This will create the networks for you
networks:
bunkerized-net:
driver: overlay
attachable: true
name: bunkerized-net
services-net:
driver: overlay
attachable: true
name: services-net

13
jobs/main.py
View File

@ -27,6 +27,7 @@ if __name__ == "__main__" :
parser = argparse.ArgumentParser(description="job runner for bunkerized-nginx") parser = argparse.ArgumentParser(description="job runner for bunkerized-nginx")
parser.add_argument("--name", default="", type=str, help="job to run (e.g : abusers or certbot-new or certbot-renew ...)") parser.add_argument("--name", default="", type=str, help="job to run (e.g : abusers or certbot-new or certbot-renew ...)")
parser.add_argument("--cache", action="store_true", help="copy data from cache if available") parser.add_argument("--cache", action="store_true", help="copy data from cache if available")
parser.add_argument("--lock", action="store_true", help="lock access to the configuration")
parser.add_argument("--reload", action="store_true", help="reload nginx if necessary and the job is successful") parser.add_argument("--reload", action="store_true", help="reload nginx if necessary and the job is successful")
parser.add_argument("--domain", default="", type=str, help="domain(s) for certbot-new job (e.g. : www.example.com or app1.example.com,app2.example.com)") parser.add_argument("--domain", default="", type=str, help="domain(s) for certbot-new job (e.g. : www.example.com or app1.example.com,app2.example.com)")
parser.add_argument("--email", default="", type=str, help="email for certbot-new job (e.g. : contact@example.com)") parser.add_argument("--email", default="", type=str, help="email for certbot-new job (e.g. : contact@example.com)")
@ -45,7 +46,8 @@ if __name__ == "__main__" :
# Acquire the lock before # Acquire the lock before
management = JobManagement() management = JobManagement()
management.lock() if args.lock :
management.lock()
# Check if we are using redis or not # Check if we are using redis or not
redis_host = None redis_host = None
@ -71,7 +73,8 @@ if __name__ == "__main__" :
ret = instance.run() ret = instance.run()
if ret == JobRet.KO : if ret == JobRet.KO :
log("job", "ERROR", "error while running job " + job) log("job", "ERROR", "error while running job " + job)
management.unlock() if args.lock :
management.unlock()
sys.exit(1) sys.exit(1)
log("job", "INFO", "job " + job + " successfully executed") log("job", "INFO", "job " + job + " successfully executed")
@ -80,7 +83,8 @@ if __name__ == "__main__" :
ret = management.reload() ret = management.reload()
if ret == ReloadRet.KO : if ret == ReloadRet.KO :
log("job", "ERROR", "error while doing reload operation (job = " + job + ")") log("job", "ERROR", "error while doing reload operation (job = " + job + ")")
management.unlock() if args.lock :
management.unlock()
sys.exit(1) sys.exit(1)
elif ret == ReloadRet.OK : elif ret == ReloadRet.OK :
log("job", "INFO", "reload operation successfully executed (job = " + job + ")") log("job", "INFO", "reload operation successfully executed (job = " + job + ")")
@ -90,7 +94,8 @@ if __name__ == "__main__" :
log("job", "INFO", "skipped reload operation because it's not needed (job = " + job + ")") log("job", "INFO", "skipped reload operation because it's not needed (job = " + job + ")")
# Release the lock # Release the lock
management.unlock() if args.lock :
management.unlock()
# Done # Done
sys.exit(0) sys.exit(0)

14
misc/cron-autoconf
View File

@ -1,7 +1,7 @@
15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1 15 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name certbot-renew" nginx >> /var/log/nginx/jobs.log 2>&1
30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1 30 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name user-agents" nginx >> /var/log/nginx/jobs.log 2>&1
45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1 45 0 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name referrers" nginx >> /var/log/nginx/jobs.log 2>&1
0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1 0 1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name abusers" nginx >> /var/log/nginx/jobs.log 2>&1
0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1 0 2 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name proxies" nginx >> /var/log/nginx/jobs.log 2>&1
0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1 0 */1 * * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name exit-nodes" nginx >> /var/log/nginx/jobs.log 2>&1
0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1 0 3 2 * * /bin/su -c "/opt/bunkerized-nginx/jobs/main.py --reload --lock --name geoip" nginx >> /var/log/nginx/jobs.log 2>&1