xai-corp.net/provisioning
1
0
Fork 0
Code Issues 9 Releases Activity

adjusting networks for certbot so that we can talk to the right containers

Browse Source
This commit is contained in:
richard
2020-06-06 15:18:26 -04:00
parent 4439ae493d
commit 68296c8e92
11 changed files with 82 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
dockerfiles/services/services/network.yml
View File

@@ -4,9 +4,9 @@
version: '3.4' version: '3.4'
networks: networks:
prod: # prod:
external: # external:
name: prod # name: prod
prod_ui: prod_ui:
external: external:
name: prod_ui name: prod_ui
@@ -19,3 +19,6 @@ networks:
prod_app: prod_app:
external: external:
name: prod_app name: prod_app
prod_tasks:
external:
name: prod_tasks

6
dockerfiles/services/sslproxy/cli/certbot/certbot
View File

@@ -17,11 +17,5 @@ run() {
run test $@ run test $@
} }
run_help() {
docker-compose \
-f docker-compose.tools.yml \
run test --help $@
}
run $@ run $@

4
dockerfiles/services/sslproxy/cli/certbot/info.help
View File

@@ -1,3 +1 @@
ARGS - The arguments you wish to provide to this command prod if you want to see info about production certs
TODO: Fill out the help information for this command.

2
dockerfiles/services/sslproxy/cli/certbot/info.usage
View File

@@ -1 +1 @@
ARGS... [prod]

48
dockerfiles/services/sslproxy/cli/certbot/renew
View File

@@ -1,6 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
set -x
LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
@@ -8,10 +7,6 @@ CERT_NAME=xai-corp.net
LOG=$(mktemp) LOG=$(mktemp)
##export LOCAL_IMAGE
#export REMOTE_IMAGE
##export TAG
### ###
run() { run() {
@@ -31,7 +26,24 @@ update() {
# shellcheck disable=SC2086 # shellcheck disable=SC2086
docker-compose \ docker-compose \
-f docker-compose.tools.yml \ -f docker-compose.tools.yml \
run --name sslproxy_renew renew ${OPTIONS} run --rm --name sslproxy_renew \
renew ${OPTIONS}
}
test_new_certs() {
echo | openssl s_client -showcerts -servername gnupg.org -connect git.xai-corp.net:443 2>/dev/null \
| openssl x509 -inform pem -noout -text \
| grep 'Timestamp :'
}
retart_nginx() {
export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
echo restarting nginx
containers=$(docker ps -q --filter "status=running" --filter "name=sslproxy_app")
for c in $containers; do
docker exec -it $c nginx -s reload
done
} }
function trap_exit() { function trap_exit() {
@@ -61,18 +73,24 @@ print_usage() {
ENVIRONMENT=dev ENVIRONMENT=dev
OPTIONS="--cert-name ${CERT_NAME}" OPTIONS="--cert-name ${CERT_NAME}"
while getopts de: name TEST_CERT=true
while getopts tnpde: name
do do
case $name in case $name in
d) d)
OPTIONS="$OPTIONS --dry-run" OPTIONS="$OPTIONS --dry-run"
;; ;;
e) p)
if [ $OPTARG == 'prod' ]; then TEST_CERT=false
ENVIRONMENT=prod ENVIRONMENT=prod
else ;;
OPTIONS="$OPTIONS --test-cert" t)
fi test_new_certs
exit 0
;;
n)
retart_nginx
exit 0
;; ;;
:) :)
echo "Invalid option: $OPTARG requires an argument" 1>&2 echo "Invalid option: $OPTARG requires an argument" 1>&2
@@ -81,5 +99,11 @@ do
esac esac
done done
if [ "$TEST_CERT" == "true" ]; then
OPTIONS="$OPTIONS --test-cert"
fi
# shellcheck disable=SC2068 # shellcheck disable=SC2068
run $@ run $@
restart_nginx
test_new_certs

4
dockerfiles/services/sslproxy/cli/certbot/renew.help
View File

@@ -1,3 +1,3 @@
ARGS - The arguments you wish to provide to this command renew certificates
TODO: Fill out the help information for this command. -p update production certs, otherwise we will update the staging certificates

2
dockerfiles/services/sslproxy/cli/certbot/renew.usage
View File

@@ -1 +1 @@
ARGS... [-p]

9
dockerfiles/services/sslproxy/cli/deploy
View File

@@ -54,6 +54,9 @@ function deploy_test() {
assertOK https xaibox.xai-corp.net assertOK https xaibox.xai-corp.net
# curl -If https://git.xai-corp.net/ # curl -If https://git.xai-corp.net/
# curl -If -H "Host: not.xai-corp.net" https://dkhost # curl -If -H "Host: not.xai-corp.net" https://dkhost
assertNetwork prod_ui
assertNetwork prod_tasks
} }
function deploy_save() { function deploy_save() {
@@ -79,6 +82,12 @@ function assertOK() {
| tee "$LOG" | grep -P "200 OK|302 Found|403 Forbidden" | tee "$LOG" | grep -P "200 OK|302 Found|403 Forbidden"
} }
function assertNetwork() {
network=$1
echo -e "\033[94minspecting network\033[39m $network"
docker network inspect "$network" | jq -r .[].Containers[].Name | tee "$LOG" | grep sslproxy_app
}
function trap_exit() { function trap_exit() {
code=$? code=$?
docker service ls | grep "${APP_NAME}" docker service ls | grep "${APP_NAME}"

15
dockerfiles/services/sslproxy/cli/exec
View File

@@ -1,9 +1,22 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -ex
export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'} export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
container=$(docker ps -qn1) container=$(docker ps -qn1)
while getopts c: name
do
case $name in
c)
container=$OPTARG
;;
*)
;;
esac
done
shift $((OPTIND -1))
# shellcheck disable=SC2068 # shellcheck disable=SC2068
docker exec -it "$container" $@ docker exec -it "$container" $@
#docker network inspect ingress #docker network inspect ingress

9
dockerfiles/services/sslproxy/cli/inspect
View File

@@ -6,7 +6,8 @@ export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
#container=$(docker service ps -q --filter "desired-state=Running" sslproxy_app | head -n 1) #container=$(docker service ps -q --filter "desired-state=Running" sslproxy_app | head -n 1)
inspect_service() { inspect_service() {
docker service ps --filter "desired-state=Running" sslproxy_app # docker service ps --filter "desired-state=Running" sslproxy_app
docker service inspect sslproxy_app
} }
inspect_stack() { inspect_stack() {
@@ -17,10 +18,16 @@ inspect_containers() {
docker ps -n2 docker ps -n2
} }
inspect_network() {
docker $@
}
if [ "$1" == "service" ]; then if [ "$1" == "service" ]; then
inspect_service inspect_service
elif [ "$1" == "stack" ]; then elif [ "$1" == "stack" ]; then
inspect_stack inspect_stack
elif [ "$1" == "network" ]; then
inspect_network $@
else else
inspect_containers inspect_containers
fi fi

5
dockerfiles/services/sslproxy/docker-compose.tools.yml
View File

@@ -4,7 +4,7 @@ version: '3.4'
services: services:
renew: renew:
container_name: certbot container_name: sslproxy_renew
image: ${LETSENCRYPT_IMAGE} image: ${LETSENCRYPT_IMAGE}
volumes: volumes:
- ${LETSENCRYPT_MOUNT}:/etc/letsencrypt - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
@@ -14,8 +14,9 @@ services:
- certbot - certbot
- certonly - certonly
- --standalone - --standalone
- -n
networks: networks:
- prod_tasks: - prod_tasks
certificates: certificates:
image: ${LETSENCRYPT_IMAGE} image: ${LETSENCRYPT_IMAGE}