From 68296c8e925452c98de8493a9674591fcacb3005 Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 6 Jun 2020 15:18:26 -0400
Subject: [PATCH] adjusting networks for certbot so that we can talk to the right containers

---
 dockerfiles/services/services/network.yml | 9 ++--
 .../services/sslproxy/cli/certbot/certbot | 6 ---
 .../services/sslproxy/cli/certbot/info.help | 4 +-
 .../services/sslproxy/cli/certbot/info.usage | 2 +-
 .../services/sslproxy/cli/certbot/renew | 50 ++++++++++++++-----
 .../services/sslproxy/cli/certbot/renew.help | 4 +-
 .../services/sslproxy/cli/certbot/renew.usage | 2 +-
 dockerfiles/services/sslproxy/cli/deploy | 9 ++++
 dockerfiles/services/sslproxy/cli/exec | 15 +++++-
 dockerfiles/services/sslproxy/cli/inspect | 9 +++-
 .../sslproxy/docker-compose.tools.yml | 5 +-
 11 files changed, 82 insertions(+), 33 deletions(-)

diff --git a/dockerfiles/services/services/network.yml b/dockerfiles/services/services/network.yml
index 0e4e9c4..a20998a 100644
--- a/dockerfiles/services/services/network.yml
+++ b/dockerfiles/services/services/network.yml
@@ -4,9 +4,9 @@ version: '3.4'
 networks:
-  prod:
-    external:
-      name: prod
+#  prod:
+#    external:
+#      name: prod
   prod_ui:
     external:
       name: prod_ui
@@ -19,3 +19,6 @@ networks:
   prod_app:
     external:
       name: prod_app
+  prod_tasks:
+    external:
+      name: prod_tasks
diff --git a/dockerfiles/services/sslproxy/cli/certbot/certbot b/dockerfiles/services/sslproxy/cli/certbot/certbot
index 0983a64..38b6b28 100755
--- a/dockerfiles/services/sslproxy/cli/certbot/certbot
+++ b/dockerfiles/services/sslproxy/cli/certbot/certbot
@@ -17,11 +17,5 @@ run() {
     run test $@
 }
-run_help() {
-  docker-compose \
-    -f docker-compose.tools.yml \
-    run test --help $@
-}
-
 run $@
diff --git a/dockerfiles/services/sslproxy/cli/certbot/info.help b/dockerfiles/services/sslproxy/cli/certbot/info.help
index 7aa5493..ca431f4 100644
--- a/dockerfiles/services/sslproxy/cli/certbot/info.help
+++ b/dockerfiles/services/sslproxy/cli/certbot/info.help
@@ -1,3 +1 @@
-ARGS - The arguments you wish to provide to this command
-
-TODO: Fill out the help information for this command.
+prod if you want to see info about production certs
diff --git a/dockerfiles/services/sslproxy/cli/certbot/info.usage b/dockerfiles/services/sslproxy/cli/certbot/info.usage
index 5226895..04946aa 100644
--- a/dockerfiles/services/sslproxy/cli/certbot/info.usage
+++ b/dockerfiles/services/sslproxy/cli/certbot/info.usage
@@ -1 +1 @@
-ARGS...
+[prod]
diff --git a/dockerfiles/services/sslproxy/cli/certbot/renew b/dockerfiles/services/sslproxy/cli/certbot/renew
index 758e4f7..0fb8e3f 100755
--- a/dockerfiles/services/sslproxy/cli/certbot/renew
+++ b/dockerfiles/services/sslproxy/cli/certbot/renew
@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
 set -e
-set -x
 LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
 LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
@@ -8,10 +7,6 @@ CERT_NAME=xai-corp.net
 LOG=$(mktemp)
-##export LOCAL_IMAGE
-#export REMOTE_IMAGE
-##export TAG
-
 ###
 run() {
@@ -31,7 +26,24 @@ update() {
   # shellcheck disable=SC2086
   docker-compose \
     -f docker-compose.tools.yml \
-    run --name sslproxy_renew renew ${OPTIONS}
+    run --rm --name sslproxy_renew \
+    renew ${OPTIONS}
+}
+
+test_new_certs() {
+  echo | openssl s_client -showcerts -servername gnupg.org -connect git.xai-corp.net:443 2>/dev/null \
+    | openssl x509 -inform pem -noout -text \
+    | grep 'Timestamp :'
+}
+
+retart_nginx() {
+  export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+  echo restarting nginx
+
+  containers=$(docker ps -q --filter "status=running" --filter "name=sslproxy_app")
+  for c in $containers; do
+    docker exec -it $c nginx -s reload
+  done
 }
 function trap_exit() {
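Review bot: The function added in the `@@ -31,7 +26,24 @@` hunk is spelled `retart_nginx`, but the tail of this same file (the `@@ -61,25 +73,37 @@` hunk) calls `restart_nginx`, which nothing defines, so under `set -e` the script aborts with a command-not-found right after `run $@` and the `test_new_certs` call after it never runs; only the `-n` branch, which uses the misspelled name, works. Rename the definition to `restart_nginx() {` and point the `n)` case at it. `docker exec -it $c nginx -s reload` also allocates a TTY, which fails when the script runs without one (cron, CI); plain `docker exec $c nginx -s reload` is enough for a reload. Finally, `test_new_certs` connects to git.xai-corp.net but sends `-servername gnupg.org`, so the SNI name does not match the host being checked and the server may answer with a different certificate than the one just renewed; `-servername git.xai-corp.net` would inspect the deployed cert, and `grep 'Not Before'` would show its issue date more directly than the `Timestamp :` lines, which presumably come from the CT extension.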
@@ -61,25 +73,37 @@ print_usage() {
 ENVIRONMENT=dev
 OPTIONS="--cert-name ${CERT_NAME}"
-while getopts de: name
+TEST_CERT=true
+while getopts tnpde: name
 do
   case $name in
     d)
       OPTIONS="$OPTIONS --dry-run"
       ;;
-    e)
-      if [ $OPTARG == 'prod' ]; then
+    p)
+      TEST_CERT=false
       ENVIRONMENT=prod
-      else
-        OPTIONS="$OPTIONS --test-cert"
-      fi
       ;;
-    : )
+    t)
+      test_new_certs
+      exit 0
+      ;;
+    n)
+      retart_nginx
+      exit 0
+      ;;
+    :)
       echo "Invalid option: $OPTARG requires an argument" 1>&2
       ;;
     *) print_usage;;
   esac
 done
+if [ "$TEST_CERT" == "true" ]; then
+  OPTIONS="$OPTIONS --test-cert"
+fi
+
 # shellcheck disable=SC2068
 run $@
+restart_nginx
+test_new_certs
diff --git a/dockerfiles/services/sslproxy/cli/certbot/renew.help b/dockerfiles/services/sslproxy/cli/certbot/renew.help
index 7aa5493..de7cbfc 100644
--- a/dockerfiles/services/sslproxy/cli/certbot/renew.help
+++ b/dockerfiles/services/sslproxy/cli/certbot/renew.help
@@ -1,3 +1,3 @@
-ARGS - The arguments you wish to provide to this command
+renew certificates
-TODO: Fill out the help information for this command.
+-p update production certs, otherwise we will update the staging certificates
diff --git a/dockerfiles/services/sslproxy/cli/certbot/renew.usage b/dockerfiles/services/sslproxy/cli/certbot/renew.usage
index 5226895..6d17cb6 100644
--- a/dockerfiles/services/sslproxy/cli/certbot/renew.usage
+++ b/dockerfiles/services/sslproxy/cli/certbot/renew.usage
@@ -1 +1 @@
-ARGS...
+[-p]
diff --git a/dockerfiles/services/sslproxy/cli/deploy b/dockerfiles/services/sslproxy/cli/deploy
index d2fc794..826b56c 100755
--- a/dockerfiles/services/sslproxy/cli/deploy
+++ b/dockerfiles/services/sslproxy/cli/deploy
@@ -54,6 +54,9 @@ function deploy_test() {
   assertOK https xaibox.xai-corp.net
   # curl -If https://git.xai-corp.net/
   # curl -If -H "Host: not.xai-corp.net" https://dkhost
+
+  assertNetwork prod_ui
+  assertNetwork prod_tasks
 }
 function deploy_save() {
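Review bot: The optstring `tnpde:` still declares `-e` as taking an argument although this hunk removes the `e)` branch, so `-e prod` now consumes its argument and falls through to `*) print_usage`; drop it, `while getopts tnpd name`. The new `-t` and `-n` options and the pre-existing `-d` are not described in renew.help/renew.usage, which this commit rewrites to mention `-p` only, so a one-line entry per flag would keep the help honest. The `:)` case also prints its message and continues into `run $@` instead of stopping; an `exit 1` after the echo would keep a half-parsed command line from starting a renewal.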
@@ -79,6 +82,12 @@ function assertOK() {
     | tee "$LOG" | grep -P "200 OK|302 Found|403 Forbidden"
 }
+function assertNetwork() {
+  network=$1
+  echo -e "\033[94minspecting network\033[39m $network"
+  docker network inspect "$network" | jq -r .[].Containers[].Name | tee "$LOG" | grep sslproxy_app
+}
+
 function trap_exit() {
   code=$?
   docker service ls | grep "${APP_NAME}"
diff --git a/dockerfiles/services/sslproxy/cli/exec b/dockerfiles/services/sslproxy/cli/exec
index c013594..d645b94 100755
--- a/dockerfiles/services/sslproxy/cli/exec
+++ b/dockerfiles/services/sslproxy/cli/exec
@@ -1,9 +1,22 @@
 #!/usr/bin/env bash
-set -e
+set -ex
 export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
 container=$(docker ps -qn1)
+
+while getopts c: name
+do
+  case $name in
+    c)
+      container=$OPTARG
+      ;;
+    *)
+      ;;
+  esac
+done
+shift $((OPTIND -1))
+
 # shellcheck disable=SC2068
 docker exec -it "$container" $@
 #docker network inspect ingress
diff --git a/dockerfiles/services/sslproxy/cli/inspect b/dockerfiles/services/sslproxy/cli/inspect
index d6f67d2..01f7098 100755
--- a/dockerfiles/services/sslproxy/cli/inspect
+++ b/dockerfiles/services/sslproxy/cli/inspect
@@ -6,7 +6,8 @@ export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
 #container=$(docker service ps -q --filter "desired-state=Running" sslproxy_app | head -n 1)
 inspect_service() {
-  docker service ps --filter "desired-state=Running" sslproxy_app
+#  docker service ps --filter "desired-state=Running" sslproxy_app
+  docker service inspect sslproxy_app
 }
 inspect_stack() {
@@ -17,10 +18,16 @@ inspect_containers() {
   docker ps -n2
 }
+inspect_network() {
+  docker $@
+}
+
 if [ "$1" == "service" ]; then
   inspect_service
 elif [ "$1" == "stack" ]; then
   inspect_stack
+elif [ "$1" == "network" ]; then
+  inspect_network $@
 else
   inspect_containers
 fi
diff --git a/dockerfiles/services/sslproxy/docker-compose.tools.yml b/dockerfiles/services/sslproxy/docker-compose.tools.yml
index 3be43ff..0c7c93e 100644
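Review bot: In `assertNetwork` the jq filter `.[].Containers[].Name` is passed to the shell unquoted, so its bracket expressions are subject to pathname expansion and a matching file in the working directory would silently change the filter; quote it as `jq -r '.[].Containers[].Name'`. `network=$1` is also assigned without `local`, so the last network name checked leaks into the script's global scope after the call. The function's two callers are added in the `@@ -54,6 +54,9 @@` hunk of this file; assertOK's body starts outside this hunk.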
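Review bot: `set -e` becomes `set -ex` on the first line of exec, which prints every command the script runs — including the full `docker exec -it "$container" $@` line with whatever the caller passed — to stderr on every invocation; that reads as a debugging leftover, and the renew script in this same commit removes its own `set -x`. Keep `set -e` here, or gate tracing behind an explicit variable such as `[ -n "${DEBUG:-}" ] && set -x`. The `*)` branch in the new getopts loop also swallows unknown options without any message.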
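Review bot: `inspect_network` executes `docker $@` with the caller's complete argument list, and it is invoked as `inspect_network $@` with `$1` equal to `network`, so `inspect network <subcommand> …` forwards any `docker network` subcommand and its arguments to the daemon at `DOCKER_HOST`; `inspect network rm <name>` would remove a network, which a read-only helper named inspect should not be able to do. Restrict it to the one operation its name promises: `inspect_network() { shift; docker network inspect "$@"; }`. Quoting `"$@"` there and at the call site also keeps names containing spaces intact.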
--- a/dockerfiles/services/sslproxy/docker-compose.tools.yml
+++ b/dockerfiles/services/sslproxy/docker-compose.tools.yml
@@ -4,7 +4,7 @@ version: '3.4'
 services:
   renew:
-    container_name: certbot
+    container_name: sslproxy_renew
     image: ${LETSENCRYPT_IMAGE}
     volumes:
       - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
@@ -14,8 +14,9 @@ services:
       - certbot
       - certonly
       - --standalone
+      - -n
     networks:
-      - prod_tasks:
+      - prod_tasks
   certificates:
     image: ${LETSENCRYPT_IMAGE}