diff --git a/dockerfiles/services/sslproxy/certs/live/xai-corp.net/fullchain.pem b/dockerfiles/services/sslproxy/certs/live/xai-corp.net/fullchain.pem
new file mode 100644
index 0000000..baf1b57
--- /dev/null
+++ b/dockerfiles/services/sslproxy/certs/live/xai-corp.net/fullchain.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwKgAwIBAgIUZ2R4JeFPIi3G1leHHfJGlf6IWQYwDQYJKoZIhvcNAQEL
+BQAwfDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u
+dHJlYWwxGDAWBgNVBAoMD1hhaSBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRGV2ZWxv
+cG1lbnQxGTAXBgNVBAMMEHd3dy54YWktY29ycC5uZXQwHhcNMjAwNjA0MDIwOTM2
+WhcNMjEwNjA0MDIwOTM2WjB8MQswCQYDVQQGEwJDQTEPMA0GA1UECAwGUXVlYmVj
+MREwDwYDVQQHDAhNb250cmVhbDEYMBYGA1UECgwPWGFpIENvcnBvcmF0aW9uMRQw
+EgYDVQQLDAtEZXZlbG9wbWVudDEZMBcGA1UEAwwQd3d3LnhhaS1jb3JwLm5ldDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzYwesOX5FAc9IbsRfzRkVs
+Nzja1Zk6uBt4kQsAGfdwMvaOMzNrTdeltzckqf+ivxsdc5ZfYXR/xlWJXbD199/2
+PWtRjTQjADxfMvEzRiKNUXxKNMFr4I0vTIGwxduGIYr1H+xjXB7YdcxyIk/LkzOZ
+GsUNrmtEKf+RUyjPnDjduCrajm22ndhdTxC1PIYcJkdNbAtE8qTtqAtPnJauUmYF
+FtKiWnD4Wddt8h5ftHCcLVuz3IIwOO8QrptaK2JA1eRPdSCN1RGtouHyJjd9T3We
+nQRPTFrEljuX6DxotqLldGf8HJaPp0LLTw/Zju9WV6aZh6awRbB+hcTA8qw+P9kC
+AwEAAaOBkzCBkDCBjQYDVR0RBIGFMIGCggx4YWktY29ycC5uZXSCEHd3dy54YWkt
+Y29ycC5uZXSCEGFiYy54YWktY29ycC5uZXSCEWRrdWkueGFpLWNvcnAubmV0ghBn
+aXQueGFpLWNvcnAubmV0ghRqZW5raW5zLnhhaS1jb3JwLm5ldIITeGFpYm94Lnhh
+aS1jb3JwLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAWrG470Bp1rVK7084hrGt2EQU
+A9vIh2mHFANUG+wtL6cDSbmBMhq3BTxzHaol5lqS4MHHJZ9jWnLcsvUWaKHh8H1Z
+TBwuk/kYwfaUpUVASq9EloEhAnphzIJsJGgDPyB4n82+5TF2WftDINHGd2xOyJvE
+1C0i9fAgaspPzUVI3LXMMSl1CeKeGi4iZa8Anbo8LLpCqREAEalWqMS1uDxq7YcF
+ngDde5BToPETQREA/nLeY0S/agHkLdlBd+uMBmtRDj9tnww0ThYmQNbKvSgBqvX4
+R/Bu9qu7gVW2mYNQpFrEI4GuT6iC9iLl4i8SdItX12ekEYhGHGSaU++5TzJbqQ==
+-----END CERTIFICATE-----
diff --git a/dockerfiles/services/sslproxy/certs/live/xai-corp.net/privkey.pem b/dockerfiles/services/sslproxy/certs/live/xai-corp.net/privkey.pem
new file mode 100644
index 0000000..ebabb37
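Review bot: Decoding the PEM, this looks like a self-signed certificate (issuer and subject carry the same DN, CN=www.xai-corp.net, SANs for git/jenkins/dkui/xaibox) with a one-year validity starting June 2020, yet it is committed under the path the nginx vhosts load (`/etc/letsencrypt/live/xai-corp.net/fullchain.pem`) and the deploy smoke test uses `curl -k`, so nothing in the pipeline will notice when it expires or that clients do not trust it. If it is a development placeholder, say so in the repository and generate it at build time, e.g. `openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj '/CN=www.xai-corp.net' -keyout privkey.pem -out fullchain.pem`, rather than committing the artifact. Note that certbot expects to own `live/` (symlinks into `archive/`), so a hand-placed file there may collide with the renew flow this same change wires up.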
--- /dev/null
+++ b/dockerfiles/services/sslproxy/certs/live/xai-corp.net/privkey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC82MHrDl+RQHPS
+G7EX80ZFbDc42tWZOrgbeJELABn3cDL2jjMza03Xpbc3JKn/or8bHXOWX2F0f8ZV
+iV2w9fff9j1rUY00IwA8XzLxM0YijVF8SjTBa+CNL0yBsMXbhiGK9R/sY1we2HXM
+ciJPy5MzmRrFDa5rRCn/kVMoz5w43bgq2o5ttp3YXU8QtTyGHCZHTWwLRPKk7agL
+T5yWrlJmBRbSolpw+FnXbfIeX7RwnC1bs9yCMDjvEK6bWitiQNXkT3UgjdURraLh
+8iY3fU91np0ET0xaxJY7l+g8aLai5XRn/ByWj6dCy08P2Y7vVlemmYemsEWwfoXE
+wPKsPj/ZAgMBAAECggEBAJ1XzFpYY2/WT6njwK2/1/DHtUr9qbI9pl/dGJwdvYTY
+St36pNZWtUjTnc+oEKwZoTiqVUAYwE4cl9d02Ec06Q4FUC82h3vFHdEvUHZ+zhTD
+wfzYpxPxGesIWapE6tV48EGi8rI2Ju7cU2nAPq5VY5Q+IHvGZmihJoz1PGBoejU1
+uG1zWYMjonVMngrotoL89lJSd2lnOq1+uXGlXH5+pOiNxrPKLn9zV+9gNXzyRDo2
+ZiRQ9Bbrkuyxov6L8F1BH0hhp159YelB9fBH2L1m9CgvX0ObBFMkGDiqOCyOtXPF
+PVY2errlRfnVH3Sc8fCFkjiqjfxxj652SbTKejyoegECgYEA3mXyMT3cwAHMQCwu
+YKJ8mDpSYIU3pH74S7R9+3MxMJ4tYnSVyuF7dWk3e2zSIMZOydL4tYL/0vAZeFSC
+ZLTYcYcQqbuA+WksgtaRVqWUaJBNamvjBIWYyecVImh7FGOhRma4dA+efsHxu79g
+KIiX5cF35WLAhGWpkPInO5rMNjECgYEA2WEV3Tjdr0nPNZn9F1tiOcvA2H8tCQoQ
+252K9RQiS1KfWstzfISyNeaDjdRg/rTPfzN7tVWRYaANlgecsJlo7vGA9P0ZAhvR
+hiBayUgi149HmTyKUtSprDPLNmPrrIy98Gc58JILPWYJe91de7eEKnQe9V2TBRXF
+ElNlh400MikCgYA5lJuINEQbUlvXoZjAXFF1+GOrqdImPNl8gFa9660osUt+2kCO
+LqMQWxWKVzpwUefESWMrW6dwrclqZjb8a/Y+LoIZ7/oMmTZ1CajHjkdGa1Yf357/
+ZLeSTsoiBnsXZFQ1LhNDuWeH2h8ERSBYXkU1r0mjklXV8ZxdctTFkeadgQKBgQCj
+0Wt1vP4rtHcIkRTPvlmG7stVHHpm/oP3zYFD8rlphEl9ViehJitbPW3Uu8GhEcfx
+t226GVMnfEPg1bm6yNHwiGXDut1W3noHF2jzmX5QbrTpgVtI0uVPVfUF90VLUwFt
+I43hg14fFj99bjSeII3kpIAUL0G1qlNK3Th9b+dvCQKBgC6at6Vg6PT+U7SObRWq
+vADazLSb9hACfzxg30L0XEzOH71lmI1cyjpDlaRWzPe+BcTmh/5/31BEAyv948EM
+lxzaJNUm32adGfxWusTSpZ+Meqf7cWz95ndXk56DR1YPDPD9KPGcHNGgbjmQA3ji
+EMxMX9XMtV7aioijPd5zfKuS
+-----END PRIVATE KEY-----
diff --git a/dockerfiles/services/sslproxy/cli/certbot/certbot b/dockerfiles/services/sslproxy/cli/certbot/certbot
index 1cc1c29..0983a64 100755
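Review bot: An unencrypted PKCS#8 private key is being committed to version control (`certs/live/xai-corp.net/privkey.pem`, mode 100644), and it is the key the proxy will present, given the `ssl_certificate` paths the vhost configs use. Even if it only pairs with a self-signed development certificate, once it is in git history it must be treated as disclosed: remove the file and purge it from history, regenerate the pair, and add `dockerfiles/services/sslproxy/certs/` to `.gitignore` so the Let's Encrypt keys the renew flow writes into the same tree cannot be committed by accident. A pre-commit secret scanner (gitleaks or detect-secrets) would have caught this before review.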
--- a/dockerfiles/services/sslproxy/cli/certbot/certbot
+++ b/dockerfiles/services/sslproxy/cli/certbot/certbot
@@ -1,13 +1,15 @@
 #!/usr/bin/env bash
 set -e
-#set -x
+set -x
 LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
 LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
+CERT_NAME=xai-corp.net
 export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
 export LETSENCRYPT_MOUNT
 export LETSENCRYPT_IMAGE
+export CERT_NAME
 run() {
   docker-compose \
@@ -22,10 +24,4 @@ run_help() {
 }
-while getopts h name
-do
-  case $name in
-    h) run_help $@;;
-    *) run $@;;
-  esac
-done
+run $@
diff --git a/dockerfiles/services/sslproxy/cli/certbot/renew b/dockerfiles/services/sslproxy/cli/certbot/renew
index 57d7b4f..758e4f7 100755
--- a/dockerfiles/services/sslproxy/cli/certbot/renew
+++ b/dockerfiles/services/sslproxy/cli/certbot/renew
@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 set -e
-#set -x
+set -x
 LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
 LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
+CERT_NAME=xai-corp.net
 LOG=$(mktemp)
@@ -25,11 +26,12 @@ update() {
   export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
   export LETSENCRYPT_MOUNT
   export LETSENCRYPT_IMAGE
+  export CERT_NAME
   # shellcheck disable=SC2086
   docker-compose \
     -f docker-compose.tools.yml \
-    run renew ${OPTIONS}
+    run --name sslproxy_renew renew ${OPTIONS}
 }
 function trap_exit() {
@@ -58,12 +60,12 @@ print_usage() {
 ######
 ENVIRONMENT=dev
-OPTIONS=''
+OPTIONS="--cert-name ${CERT_NAME}"
 while getopts de: name
 do
   case $name in
     d)
-      OPTIONS="$OPTIONS --dryrun"
+      OPTIONS="$OPTIONS --dry-run"
       ;;
     e)
       if [ $OPTARG == 'prod' ]; then
diff --git a/dockerfiles/services/sslproxy/cli/deploy b/dockerfiles/services/sslproxy/cli/deploy
index e26c045..004189b 100755
--- a/dockerfiles/services/sslproxy/cli/deploy
+++ b/dockerfiles/services/sslproxy/cli/deploy
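Review bot: `set -x` is now enabled unconditionally, so every `docker-compose run` the wrapper performs is traced to stderr together with all pass-through arguments; in a CI job that means any secret an operator hands to certbot on the command line (DNS-plugin tokens, EAB keys) lands in the build log. Make tracing opt-in, e.g. `[ -n "${DEBUG:-}" ] && set -x`. Also, `CERT_NAME=xai-corp.net` names the production certificate while `LETSENCRYPT_MOUNT` still points at `letsencrypt-2-staging`; if that directory is now the real store, the name is misleading and deserves a comment. The `run` function begins in this hunk and continues past it.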
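Review bot: The removed `getopts` loop was the only caller of `run_help`, so `-h` is now forwarded to certbot and `run_help` (defined above, outside this hunk) becomes dead code. `run $@` also word-splits its arguments, so a quoted value such as `--domains "a.example, b.example"` reaches docker-compose broken. Either delete `run_help` or keep a minimal dispatch with a quoted forward: `case "${1:-}" in -h|--help) run_help ;; *) run "$@" ;; esac`.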
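Review bot: `docker-compose run --name sslproxy_renew ...` pins a fixed container name but does not pass `--rm`, so the container is left behind after certbot exits and the next renewal fails with a name conflict until someone removes it by hand. The compose service also declares `container_name: certbot`, which this `--name` overrides, so the two names should be reconciled — the name must stay whatever nginx's `letsencrypt.conf` proxies to. Change the invocation to `run --rm --name sslproxy_renew renew ${OPTIONS}`. The `update` function begins before this hunk.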
@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 set -e
-set -x
+#set -x
 LOCAL_IMAGE=sslproxy
-#TAG=2.2.${BUILD_NUMBER:-dev}
+TAG=2.2.${BUILD_NUMBER:-dev}
 TAG=2.1
 REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG}
 APP_NAME=sslproxy_app
@@ -18,19 +18,40 @@ export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
 ###
 function deploy() {
+  docker pull "$REMOTE_IMAGE"
+
   docker stack deploy \
     --with-registry-auth \
-    --prune \
     -c docker-compose.prod.yml \
     sslproxy
-  (cd ../ && chmod +x ./scaleout.sh && ./scaleout.sh sslproxy_app 30)
+  docker stack ps sslproxy
+
+  sleep 2
+  docker service ps --filter "desired-state=Running" sslproxy_app
+
+  wait_for_completed
+}
+
+wait_for_completed() {
+  #states supported: "rollback_completed", "updating", "completed"
+  state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  while [ "completed" != "$state" ]; do
+    echo "$state"
+    sleep 3
+    state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  done
 }
 function deploy_test() {
   docker ps | grep sslproxy_app
-  curl -If https://git.xai-corp.net/
+# assertOK https abcapi.xai-corp.net
+  assertOK https dkui.xai-corp.net
+  assertOK https git.xai-corp.net
+  assertOK https jenkins.xai-corp.net
+  assertOK https xaibox.xai-corp.net
+# curl -If https://git.xai-corp.net/
 # curl -If -H "Host: not.xai-corp.net" https://dkhost
 }
@@ -48,11 +69,21 @@ dc() {
   $@
 }
+function assertOK() {
+  proto=$1
+  domain=$2
+  set -e
+  echo -e "\033[94m${proto}://${domain}\033[39m"
+  curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://dkhost.xai-corp.net" \
+    | tee "$LOG" | grep -P "200 OK|302 Found|403 Forbidden"
+}
+
 function trap_exit() {
   code=$?
   docker service ls | grep "${APP_NAME}"
   if [ $code -gt 0 ]; then
     echo
+    cat "$LOG"
     rm "$LOG"
     echo -e "\033[31mFailed to deploy ${REMOTE_IMAGE} \033[39m"
     exit $code
diff --git a/dockerfiles/services/sslproxy/cli/exec b/dockerfiles/services/sslproxy/cli/exec
index 2b12d5e..d431714 100755
--- a/dockerfiles/services/sslproxy/cli/exec
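Review bot: Un-commenting `TAG=2.2.${BUILD_NUMBER:-dev}` has no effect because the next line, `TAG=2.1`, still overwrites it, so `REMOTE_IMAGE` is always `dkregistry.xai-corp.net:5000/sslproxy:2.1` regardless of what Jenkins built. Decide which tag is intended and delete the other; if the fixed tag is a temporary pin, make it an override rather than a clobber: `TAG=${TAG:-2.2.${BUILD_NUMBER:-dev}}`. Deploying a mutable tag also means the pull may silently fetch an image other than the one that passed the build.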
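Review bot: `wait_for_completed` only returns when `UpdateStatus.State` is exactly `completed` and has no upper bound, so a rollout Swarm pauses (`paused`) or auto-rolls back (`rollback_completed` — listed in the comment as supported but never checked) blocks the job forever, and on a service with no update status yet `jq -r` presumably prints `null`, which loops as well. The helper also hard-codes `sslproxy_app` although `APP_NAME` exists for that. Dropping `--prune` additionally leaves services removed from the compose file running; if intentional, a comment should say so. A bounded, state-aware wait:
```shell
# Poll the rolling update; give up after ~3 minutes instead of spinning on a
# paused/rolled-back update (or on a missing UpdateStatus, which jq prints as null).
wait_for_completed() {
  local attempts=60 state
  while (( attempts-- > 0 )); do
    state=$(docker service inspect "${APP_NAME}" | jq -r '.[0].UpdateStatus.State')
    case "$state" in
      completed) return 0 ;;
      null) echo "no update status on ${APP_NAME} (first deploy?)"; return 0 ;;  # presumed; confirm
      paused|rollback_completed|rollback_paused)
        echo "update of ${APP_NAME} ended in state ${state}" >&2
        return 1 ;;
    esac
    echo "$state"
    sleep 3
  done
  echo "timed out waiting for ${APP_NAME} update (last state: ${state})" >&2
  return 1
}
```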
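Review bot: `assertOK` runs curl with `-k` and steers the request by `Host:` header while connecting to `dkhost.xai-corp.net`, so TLS is neither verified nor negotiated with the right SNI; the smoke test therefore passes even when the proxy serves an expired, self-signed or wrong-name certificate for `${domain}`, which is exactly the failure a TLS-terminating proxy exists to prevent. Use `--connect-to` to keep the real hostname in the URL (correct SNI, Host and verification) and drop `-k`: `curl --no-progress-meter -Is --connect-to "${domain}::dkhost.xai-corp.net:" "${proto}://${domain}/"`. `proto` and `domain` should be `local`, and the inner `set -e` is redundant since the script already sets it at the top.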
+++ b/dockerfiles/services/sslproxy/cli/exec
@@ -3,5 +3,9 @@ set -e
 export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
-docker exec $@
+#docker exec $@
 #docker network inspect ingress
+
+#docker service $@
+
+docker $@
diff --git a/dockerfiles/services/sslproxy/cli/rollback b/dockerfiles/services/sslproxy/cli/rollback
index 4401b4d..eb1e6dc 100755
--- a/dockerfiles/services/sslproxy/cli/rollback
+++ b/dockerfiles/services/sslproxy/cli/rollback
@@ -18,12 +18,26 @@ export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
 ###
 function rollback() {
-  docker service inspect ${APP_NAME}
+#  docker service inspect ${APP_NAME}
   docker service update --rollback "${APP_NAME}"
-  docker service scale "${APP_NAME}=2"
+
+  wait_for_completed
+#  docker service scale "${APP_NAME}=2"
+}
+
+wait_for_completed() {
+  #states supported: "rollback_completed", "updating", "completed"
+  state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  while [ "rollback_completed" != "$state" ]; do
+    echo "$state"
+    sleep 3
+    state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  done
 }
 function rollback_test() {
+  docker service ps --filter "desired-state=Running" sslproxy_app
+
   docker ps | grep "${APP_NAME}"
   curl -If https://git.xai-corp.net/
diff --git a/dockerfiles/services/sslproxy/docker-compose.build.yml b/dockerfiles/services/sslproxy/docker-compose.build.yml
index 6d4a786..c369813 100644
--- a/dockerfiles/services/sslproxy/docker-compose.build.yml
+++ b/dockerfiles/services/sslproxy/docker-compose.build.yml
@@ -22,4 +22,5 @@ services:
       - jenkins_app
       - sslproxy_renew
       - xaibox_app
+      - xaibox.xai-corp.net
diff --git a/dockerfiles/services/sslproxy/docker-compose.prod.yml b/dockerfiles/services/sslproxy/docker-compose.prod.yml
index 5e117a9..8244b45 100644
--- a/dockerfiles/services/sslproxy/docker-compose.prod.yml
+++ b/dockerfiles/services/sslproxy/docker-compose.prod.yml
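Review bot: Replacing `docker exec $@` with `docker $@` turns this script into an unrestricted front-end to the remote daemon at `dkhost:2376` — any subcommand, including `rm`, `system prune` or `run --privileged`, now runs against that host with the script's `DOCKER_HOST`, and the script's name no longer describes what it does. If the wider scope is wanted, quote the forward so arguments containing spaces survive, `docker "$@"`, and rename or document the script; otherwise keep the subcommand fixed. Port 2376 is the conventional TLS port, yet nothing here sets `DOCKER_TLS_VERIFY`/`DOCKER_CERT_PATH`; presumably they come from the caller's environment, which is worth a comment.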
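Review bot: `wait_for_completed` spins until the state is exactly `rollback_completed` with no bound, so if `docker service update --rollback` has no previous spec to return to, or the rollback pauses (`rollback_paused`), the script never exits; it also hard-codes `sslproxy_app` although the function above uses `${APP_NAME}`. The helper is a near copy of the one in `cli/deploy` with a different target state; a bounded version that takes the wanted state as an argument removes both problems and can be shared.
```shell
# Wait (bounded) for APP_NAME to reach the wanted UpdateStatus state.
wait_for_state() {
  local want=$1 attempts=40 state
  while (( attempts-- > 0 )); do
    state=$(docker service inspect "${APP_NAME}" | jq -r '.[0].UpdateStatus.State')
    [ "$state" = "$want" ] && return 0
    echo "$state"
    sleep 3
  done
  echo "${APP_NAME} did not reach ${want} (last state: ${state})" >&2
  return 1
}
# … in rollback(): call `wait_for_state rollback_completed` instead of wait_for_completed …
```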
@@ -20,8 +20,8 @@ services:
       - "80:80" # required for letsencrypt
 #    healthcheck:
-#      test: ["CMD", "wget", "--spider", "--header", "'Host: dkui.xai-corp.net'", "https://localhost/"]
-#      interval: 1m30s
+#      test: ["CMD", "wget", "--spider", "'Host: dkui.xai-corp.net'", "https://localhost/"]
+#      interval: 10s
 #      timeout: 5s
 #      retries: 3
 #      start_period: 10s
diff --git a/dockerfiles/services/sslproxy/docker-compose.tools.yml b/dockerfiles/services/sslproxy/docker-compose.tools.yml
index f4e9c3f..e66c0d2 100644
--- a/dockerfiles/services/sslproxy/docker-compose.tools.yml
+++ b/dockerfiles/services/sslproxy/docker-compose.tools.yml
@@ -4,19 +4,16 @@ version: '3.4'
 services:
   renew:
+    container_name: certbot
     image: ${LETSENCRYPT_IMAGE}
     volumes:
-      - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt:ro
+      - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
     ports:
       - 80:80
-    command:
+    entrypoint:
+      - certbot
       - certonly
-      - -n
       - --standalone
-      - --test-cert
-      - --dryrun
-    networks:
-      - prod_ui
   certificates:
     image: ${LETSENCRYPT_IMAGE}
@@ -36,10 +33,3 @@ services:
       - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
     ports:
       - 80:80
-
-
-networks:
-  prod_ui:
-    external:
-      name: prod_ui
diff --git a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
index 44fbc82..649e806 100644
--- a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
@@ -9,7 +9,7 @@ server {
   # this is the internal Docker DNS, cache only for 30s
   resolver 127.0.0.11 valid=5s;
-  set $backend http://gitea_app:10080;
+  set $backend http://gitea_app:3000;
   #set $backend http://dkhost.xai-corp.net:10080;
   ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
diff --git a/dockerfiles/services/sslproxy/hosts/letsencrypt.conf b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf
index 4028159..ad4541a 100644
--- a/dockerfiles/services/sslproxy/hosts/letsencrypt.conf
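Review bot: The edited (still commented-out) healthcheck drops `--header`, so if it is ever re-enabled wget receives `'Host: dkui.xai-corp.net'` as a second URL and fails, and the literal single quotes inside the JSON array elements would be passed to wget verbatim. Because the stack has no active healthcheck, Swarm only knows a task is up when nginx starts, not when it answers, which limits what the deploy script's update-status polling can detect. If you re-enable it, use `test: ["CMD", "wget", "--spider", "--header=Host: dkui.xai-corp.net", "https://localhost/"]`, adding `--no-check-certificate` only for as long as the certificate is self-signed.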
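Review bot: The new `entrypoint` drops `-n`, `--test-cert` and `--dryrun` at once, so the default `renew` service is now an interactive certbot run against the production ACME endpoint: without `-n` certbot may prompt (e-mail, ToS) and block a non-interactive job, and without the staging flag every test run consumes real issuance quota. Keep `- -n` in the entrypoint (with `--agree-tos`/`--email` if the account is not yet registered) and make staging opt-in through the wrapper rather than removing it. Removing `networks: [prod_ui]` also takes the container off the network the proxy uses to reach `sslproxy_renew` via Docker DNS; unless the published `80:80` is now meant to receive the challenge directly — which would collide with the proxy's own `80:80` — the HTTP-01 path presumably breaks. Going from `:ro` to read-write is required for certbot to write, but note the same mount is shared with the proxy.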
+++ b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf
@@ -1,12 +1,12 @@
 # proxy for unsecured traffic for letsencrypt verification
 server {
   listen 80 default_server;
-  resolver 127.0.0.11 valid=30s;
+  resolver 127.0.0.11 valid=2s;
   #server_name _
   #server_name xai-corp.net
-  set $backend http://sslproxy_renew:80;
+  set $backend http://sslproxy_renew;
   client_max_body_size 200m;
diff --git a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
index ed428d7..c11697d 100644
--- a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
@@ -19,7 +19,7 @@ server {
   # this is the internal Docker DNS, cache only for 30s
   resolver 127.0.0.11 valid=5s;
-  set $backend http://xaibox_app;
+  set $backend http://xaibox.xai-corp.net:8083;
   #Strict-Transport-Security: max-age=15768000
   add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
diff --git a/dockerfiles/services/sslproxy/test.conf b/dockerfiles/services/sslproxy/test.conf
index 8d7a950..bb06406 100644
--- a/dockerfiles/services/sslproxy/test.conf
+++ b/dockerfiles/services/sslproxy/test.conf
@@ -30,8 +30,9 @@ http {
   server {
     listen 80 default_server;
-    listen 10080 default_server;
+    listen 3000 default_server;
     listen 8080 default_server;
+    listen 8083 default_server;
     listen 9000 default_server;
     return 418;
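Review bot: This `server` is the `default_server` on port 80 and its `$backend` is a container that only exists while a renewal runs, so — if the `location` blocks further down (outside the hunk) forward everything to `$backend` — all plaintext traffic outside a renewal answers 502 and nothing redirects browsers to HTTPS. Restrict the proxy to the challenge path and redirect the rest: `location /.well-known/acme-challenge/ { proxy_pass $backend; }` followed by `location / { return 301 https://$host$request_uri; }`. `valid=2s` also re-queries the resolver every two seconds, harmless for a challenge path but wasteful if this server keeps handling general traffic. The `server` block continues past the hunk.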
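Review bot: `$backend` now points at `xaibox.xai-corp.net:8083`, a public hostname, instead of the Swarm service name; with `resolver 127.0.0.11` that only resolves inside Docker if a network alias provides it (the build compose file adds one for tests, but nothing here adds one for the production stack), otherwise it falls through to external DNS — presumably the proxy's own public address — and upstream traffic leaves the overlay network as plaintext HTTP on a host port 8083 that would then need to be exposed. If the service really moved out of the stack, document why and protect the hop (`proxy_ssl` or a private network); if not, `set $backend http://xaibox_app:8083;` keeps it internal. The `server` block starts before this hunk.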