Merge branch 'redevelop_sslproxy_deployment'

# Conflicts:
#	dockerfiles/services/sslproxy/Jenkinsfile

.gitignore

@@ -14,3 +14,5 @@ roles/vendor/
 
 !.idea/
 password.txt
+!/dockerfiles/services/sslproxy/certs/live/
+

.idea/inspectionProfiles/Project_Default.xml

@@ -3,9 +3,7 @@
     <option name="myName" value="Project Default" />
     <inspection_tool class="Php7ReadinessInspection" enabled="false" level="ERROR" enabled_by_default="false" />
     <inspection_tool class="PhpAbstractStaticMethodInspection" enabled="false" level="WARNING" enabled_by_default="false" />
-    <inspection_tool class="PhpCSValidationInspection" enabled="true" level="WEAK WARNING" enabled_by_default="true">
+    <inspection_tool class="PhpCSValidationInspection" enabled="true" level="WEAK WARNING" enabled_by_default="true" />
-      <option name="CODING_STANDARD" value="PSR2" />
-    </inspection_tool>
     <inspection_tool class="PhpConstantReassignmentInspection" enabled="false" level="WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpDeprecationInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpDocMissingReturnTagInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
@@ -54,5 +52,8 @@
     <inspection_tool class="PhpWrongCatchClausesOrderInspection" enabled="false" level="WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpWrongForeachArgumentTypeInspection" enabled="false" level="WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpWrongStringConcatenationInspection" enabled="false" level="WARNING" enabled_by_default="false" />
+    <inspection_tool class="ShellCheck" enabled="true" level="ERROR" enabled_by_default="true">
+      <shellcheck_settings value="SC2010" />
+    </inspection_tool>
   </profile>
 </component>

.idea/sshConfigs.xml

@@ -5,7 +5,7 @@
       <sshConfig host="192.168.2.11" id="70bdbabf-db45-47a0-b2da-6be7a975b6fa" keyPath="$USER_HOME$/.ssh/id_rsa" port="22" customName="home.xai-corp.net" nameFormat="CUSTOM" username="ansible" />
       <sshConfig host="192.168.2.22" id="c31798ce-5b4f-4118-bdf5-5cb9558d855a" keyPath="$USER_HOME$/.ssh/id_rsa" port="22" customName="home02.xai-corp.net" nameFormat="CUSTOM" username="ansible" />
       <sshConfig host="192.168.2.18" id="3d088a15-cbe4-479f-9805-05b8a7059f5a" keyPath="$USER_HOME$/.ssh/id_rsa" port="22" customName="web01.xai-corp.net" nameFormat="CUSTOM" username="ansible" />
-      <sshConfig host="192.168.2.18" id="0b324960-0566-4103-bd7d-a290a70ceddc" keyPath="$USER_HOME$/.ssh/id_rsa" port="22" customName="web01.xai-corp.net" nameFormat="CUSTOM" username="ansible" />
+      <sshConfig host="192.168.2.18" id="a4ebeb2f-1c23-4fa8-a856-2d3c9902b799" keyPath="$USER_HOME$/.ssh/id_rsa" port="22" customName="web01.xai-corp.net" nameFormat="CUSTOM" username="ansible" />
     </configs>
   </component>
 </project>

dockerfiles/services/services/network.yml

@@ -4,9 +4,9 @@
 version: '3.4'
 
 networks:
-  prod:
+#  prod:
-    external:
+#    external:
-      name: prod
+#      name: prod
   prod_ui:
     external:
       name: prod_ui
@@ -19,3 +19,6 @@ networks:
   prod_app:
     external:
       name: prod_app
+  prod_tasks:
+    external:
+      name: prod_tasks

dockerfiles/services/sslproxy/Dockerfile

@@ -2,3 +2,4 @@ FROM nginx:alpine
 
 COPY ./nginx.conf /etc/nginx/nginx.conf
 COPY ./hosts /etc/nginx/conf.d/
+RUN rm /etc/nginx/conf.d/default.conf

dockerfiles/services/sslproxy/certs/live/xai-corp.net/fullchain.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwKgAwIBAgIUZ2R4JeFPIi3G1leHHfJGlf6IWQYwDQYJKoZIhvcNAQEL
+BQAwfDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u
+dHJlYWwxGDAWBgNVBAoMD1hhaSBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRGV2ZWxv
+cG1lbnQxGTAXBgNVBAMMEHd3dy54YWktY29ycC5uZXQwHhcNMjAwNjA0MDIwOTM2
+WhcNMjEwNjA0MDIwOTM2WjB8MQswCQYDVQQGEwJDQTEPMA0GA1UECAwGUXVlYmVj
+MREwDwYDVQQHDAhNb250cmVhbDEYMBYGA1UECgwPWGFpIENvcnBvcmF0aW9uMRQw
+EgYDVQQLDAtEZXZlbG9wbWVudDEZMBcGA1UEAwwQd3d3LnhhaS1jb3JwLm5ldDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzYwesOX5FAc9IbsRfzRkVs
+Nzja1Zk6uBt4kQsAGfdwMvaOMzNrTdeltzckqf+ivxsdc5ZfYXR/xlWJXbD199/2
+PWtRjTQjADxfMvEzRiKNUXxKNMFr4I0vTIGwxduGIYr1H+xjXB7YdcxyIk/LkzOZ
+GsUNrmtEKf+RUyjPnDjduCrajm22ndhdTxC1PIYcJkdNbAtE8qTtqAtPnJauUmYF
+FtKiWnD4Wddt8h5ftHCcLVuz3IIwOO8QrptaK2JA1eRPdSCN1RGtouHyJjd9T3We
+nQRPTFrEljuX6DxotqLldGf8HJaPp0LLTw/Zju9WV6aZh6awRbB+hcTA8qw+P9kC
+AwEAAaOBkzCBkDCBjQYDVR0RBIGFMIGCggx4YWktY29ycC5uZXSCEHd3dy54YWkt
+Y29ycC5uZXSCEGFiYy54YWktY29ycC5uZXSCEWRrdWkueGFpLWNvcnAubmV0ghBn
+aXQueGFpLWNvcnAubmV0ghRqZW5raW5zLnhhaS1jb3JwLm5ldIITeGFpYm94Lnhh
+aS1jb3JwLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAWrG470Bp1rVK7084hrGt2EQU
+A9vIh2mHFANUG+wtL6cDSbmBMhq3BTxzHaol5lqS4MHHJZ9jWnLcsvUWaKHh8H1Z
+TBwuk/kYwfaUpUVASq9EloEhAnphzIJsJGgDPyB4n82+5TF2WftDINHGd2xOyJvE
+1C0i9fAgaspPzUVI3LXMMSl1CeKeGi4iZa8Anbo8LLpCqREAEalWqMS1uDxq7YcF
+ngDde5BToPETQREA/nLeY0S/agHkLdlBd+uMBmtRDj9tnww0ThYmQNbKvSgBqvX4
+R/Bu9qu7gVW2mYNQpFrEI4GuT6iC9iLl4i8SdItX12ekEYhGHGSaU++5TzJbqQ==
+-----END CERTIFICATE-----

dockerfiles/services/sslproxy/certs/live/xai-corp.net/privkey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC82MHrDl+RQHPS
+G7EX80ZFbDc42tWZOrgbeJELABn3cDL2jjMza03Xpbc3JKn/or8bHXOWX2F0f8ZV
+iV2w9fff9j1rUY00IwA8XzLxM0YijVF8SjTBa+CNL0yBsMXbhiGK9R/sY1we2HXM
+ciJPy5MzmRrFDa5rRCn/kVMoz5w43bgq2o5ttp3YXU8QtTyGHCZHTWwLRPKk7agL
+T5yWrlJmBRbSolpw+FnXbfIeX7RwnC1bs9yCMDjvEK6bWitiQNXkT3UgjdURraLh
+8iY3fU91np0ET0xaxJY7l+g8aLai5XRn/ByWj6dCy08P2Y7vVlemmYemsEWwfoXE
+wPKsPj/ZAgMBAAECggEBAJ1XzFpYY2/WT6njwK2/1/DHtUr9qbI9pl/dGJwdvYTY
+St36pNZWtUjTnc+oEKwZoTiqVUAYwE4cl9d02Ec06Q4FUC82h3vFHdEvUHZ+zhTD
+wfzYpxPxGesIWapE6tV48EGi8rI2Ju7cU2nAPq5VY5Q+IHvGZmihJoz1PGBoejU1
+uG1zWYMjonVMngrotoL89lJSd2lnOq1+uXGlXH5+pOiNxrPKLn9zV+9gNXzyRDo2
+ZiRQ9Bbrkuyxov6L8F1BH0hhp159YelB9fBH2L1m9CgvX0ObBFMkGDiqOCyOtXPF
+PVY2errlRfnVH3Sc8fCFkjiqjfxxj652SbTKejyoegECgYEA3mXyMT3cwAHMQCwu
+YKJ8mDpSYIU3pH74S7R9+3MxMJ4tYnSVyuF7dWk3e2zSIMZOydL4tYL/0vAZeFSC
+ZLTYcYcQqbuA+WksgtaRVqWUaJBNamvjBIWYyecVImh7FGOhRma4dA+efsHxu79g
+KIiX5cF35WLAhGWpkPInO5rMNjECgYEA2WEV3Tjdr0nPNZn9F1tiOcvA2H8tCQoQ
+252K9RQiS1KfWstzfISyNeaDjdRg/rTPfzN7tVWRYaANlgecsJlo7vGA9P0ZAhvR
+hiBayUgi149HmTyKUtSprDPLNmPrrIy98Gc58JILPWYJe91de7eEKnQe9V2TBRXF
+ElNlh400MikCgYA5lJuINEQbUlvXoZjAXFF1+GOrqdImPNl8gFa9660osUt+2kCO
+LqMQWxWKVzpwUefESWMrW6dwrclqZjb8a/Y+LoIZ7/oMmTZ1CajHjkdGa1Yf357/
+ZLeSTsoiBnsXZFQ1LhNDuWeH2h8ERSBYXkU1r0mjklXV8ZxdctTFkeadgQKBgQCj
+0Wt1vP4rtHcIkRTPvlmG7stVHHpm/oP3zYFD8rlphEl9ViehJitbPW3Uu8GhEcfx
+t226GVMnfEPg1bm6yNHwiGXDut1W3noHF2jzmX5QbrTpgVtI0uVPVfUF90VLUwFt
+I43hg14fFj99bjSeII3kpIAUL0G1qlNK3Th9b+dvCQKBgC6at6Vg6PT+U7SObRWq
+vADazLSb9hACfzxg30L0XEzOH71lmI1cyjpDlaRWzPe+BcTmh/5/31BEAyv948EM
+lxzaJNUm32adGfxWusTSpZ+Meqf7cWz95ndXk56DR1YPDPD9KPGcHNGgbjmQA3ji
+EMxMX9XMtV7aioijPd5zfKuS
+-----END PRIVATE KEY-----

dockerfiles/services/sslproxy/certs/xai-corp.net.conf

@@ -0,0 +1,37 @@
+[req]
+default_bits       = 2048
+default_keyfile    = localhost.key
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+x509_extensions    = v3_ca
+prompt             = yes
+
+[req_distinguished_name]
+countryName                 = Country Name (2 letter code)
+countryName_default         = CA
+stateOrProvinceName         = State or Province Name (full name)
+stateOrProvinceName_default = Quebec
+localityName                = Locality Name (eg, city)
+localityName_default        = Montreal
+organizationName            = Organization Name (eg, company)
+organizationName_default    = Xai Corporation
+organizationalUnitName      = organizationalunit
+organizationalUnitName_default = Development
+commonName                  = server FQDN
+commonName_default          = www.xai-corp.net
+commonName_max              = 128
+
+[req_ext]
+subjectAltName = @alt_names
+
+[v3_ca]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1   = xai-corp.net
+DNS.2   = www.xai-corp.net
+DNS.3   = abc.xai-corp.net
+DNS.4   = dkui.xai-corp.net
+DNS.5   = git.xai-corp.net
+DNS.6   = jenkins.xai-corp.net
+DNS.7   = xaibox.xai-corp.net

dockerfiles/services/sslproxy/cli/build

@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+set -e
+#set -x
+
+LOCAL_IMAGE=sslproxy
+TAG=2.2.${BUILD_NUMBER:-dev}
+REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG}
+
+LOG=$(mktemp)
+
+export LOCAL_IMAGE
+export REMOTE_IMAGE
+export TAG
+
+dc() {
+    # shellcheck disable=SC2068
+    docker-compose \
+    -f docker-compose.yml \
+    -f docker-compose.build.yml \
+    $@
+}
+
+###
+build() {
+  dc build
+}
+
+build_test() {
+  echo -e "\e[33mtesting the image\e[39m"
+
+  dc up -d --force-recreate
+  docker ps | grep sslproxy
+
+  sleep 5
+  assertTeapot https abcapi.xai-corp.net
+  assertTeapot https dkui.xai-corp.net
+  assertTeapot https git.xai-corp.net
+  assertTeapot https jenkins.xai-corp.net
+  assertTeapot https xaibox.xai-corp.net
+  assertMisdirectedRequest https not.xai-corp.net
+
+  #cert renewal
+  assertTeapot http xai-corp.net
+  assertTeapot http abcapi.xai-corp.net
+  assertTeapot http dkui.xai-corp.net
+  assertTeapot http git.xai-corp.net
+  assertTeapot http jenkins.xai-corp.net
+  assertTeapot http xaibox.xai-corp.net
+  assertTeapot http metrics.xai-corp.net
+}
+
+function assertMisdirectedRequest() {
+  proto=$1
+  domain=$2
+  set -e
+  echo -e "\033[94m${proto}://${domain}\033[39m testing for mistrected request"
+  curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "421 Misdirected Request"
+}
+
+function assertBadGateway() {
+  proto=$1
+  domain=$2
+  set -e
+  echo -e "\033[94m${proto}://${domain}\033[39m"
+  curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "502 Bad Gateway"
+}
+
+
+function assertTeapot() {
+  proto=$1
+  domain=$2
+  set -e
+  echo -e "\033[94m${proto}://${domain}\033[39m"
+  curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "418"
+}
+
+build_save() {
+  echo push to registry
+
+  docker tag "$LOCAL_IMAGE:$TAG" "$REMOTE_IMAGE"
+  docker push "$REMOTE_IMAGE"
+}
+
+function trap_exit() {
+  code=$?
+  dc down
+  if [ $code -gt 0 ]; then
+    echo
+    cat "$LOG"
+    rm "$LOG"
+    dc logs --tail=10
+    echo -e "\033[31mFailed to build functional image\033[39m"
+    exit $code
+  fi
+
+  rm "$LOG"
+  echo -e "\033[32mSuccess:\033[39m ${LOCAL_IMAGE}:${TAG} successfully built"
+}
+trap  trap_exit EXIT
+
+print_usage() {
+  printf "Usage: %s: [-b] [-t] [-s] \n" "$0"
+  echo -b build
+  echo -t test
+  echo -s push to registry
+  echo -h help
+  exit 0
+}
+
+######
+if [ -z "$1" ]; then
+  build && build_test && build_save
+  exit
+fi
+
+while getopts btdhs name
+do
+    case $name in
+    b)    build;;
+    t)    build_test;;
+    s)    build_save;;
+    *)    print_usage;;
+    esac
+done

dockerfiles/services/sslproxy/cli/build.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/build.usage

@@ -0,0 +1 @@
+[-b] [-t] [-d] [-h]

dockerfiles/services/sslproxy/cli/certbot/certbot

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e
+set -x
+
+LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
+LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
+CERT_NAME=xai-corp.net
+
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+export LETSENCRYPT_MOUNT
+export LETSENCRYPT_IMAGE
+export CERT_NAME
+
+run() {
+  docker-compose \
+    -f docker-compose.tools.yml \
+    run test $@
+}
+
+
+run $@

dockerfiles/services/sslproxy/cli/certbot/certbot.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/certbot/certbot.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/cli/certbot/info

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+echo -e TODO: make this work!
+set -e
+set -x
+
+LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
+LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
+
+if [ "$1" == 'prod' ]; then
+  LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2
+fi
+
+
+
+export LETSENCRYPT_MOUNT
+export LETSENCRYPT_IMAGE
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+
+# shellcheck disable=SC2068
+docker-compose \
+  -f docker-compose.tools.yml \
+  run certificates

dockerfiles/services/sslproxy/cli/certbot/info.help

@@ -0,0 +1 @@
+prod if you want to see info about production certs

dockerfiles/services/sslproxy/cli/certbot/info.usage

@@ -0,0 +1 @@
+[prod]

dockerfiles/services/sslproxy/cli/certbot/renew

@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+set -e
+
+LETSENCRYPT_IMAGE=dkregistry.xai-corp.net:5000/xaicorp/acme-certbot
+LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2-staging
+CERT_NAME=xai-corp.net
+
+LOG=$(mktemp)
+
+###
+
+run() {
+  if [ "$ENVIRONMENT" == 'prod' ]; then
+    LETSENCRYPT_MOUNT=/opt/shared/letsencrypt-2
+  fi
+
+  update
+}
+
+update() {
+  export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+  export LETSENCRYPT_MOUNT
+  export LETSENCRYPT_IMAGE
+  export CERT_NAME
+
+  # shellcheck disable=SC2086
+  docker-compose \
+    -f docker-compose.tools.yml \
+    run --rm --name sslproxy_renew \
+    renew ${OPTIONS}
+}
+
+test_new_certs() {
+  echo | openssl s_client -showcerts -servername gnupg.org -connect git.xai-corp.net:443 2>/dev/null \
+   | openssl x509 -inform pem -noout -text \
+   | grep 'Timestamp :'
+}
+
+retart_nginx() {
+  export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+  echo restarting nginx
+
+  containers=$(docker ps -q --filter "status=running" --filter "name=sslproxy_app")
+  for c in $containers; do
+    docker exec -it $c nginx -s reload
+  done
+}
+
+function trap_exit() {
+  code=$?
+  if [ $code -gt 0 ]; then
+    echo
+    rm "$LOG"
+    echo -e "\033[31mFailed updating production certs \033[39m"
+    exit $code
+  fi
+
+  rm "$LOG"
+  echo -e "\033[32mSuccess:\033[39m ssl certs have been updated"
+}
+trap  trap_exit EXIT
+
+print_usage() {
+  printf "Usage: %s: [-b] [-t] [-s] \n" "$0"
+  echo -r rollback
+  echo -t smoke tests
+  echo -s tag as latest
+  echo -h help
+  exit 0
+}
+
+######
+
+ENVIRONMENT=dev
+OPTIONS="--cert-name ${CERT_NAME}"
+TEST_CERT=true
+while getopts tnpde: name
+do
+    case $name in
+    d)
+      OPTIONS="$OPTIONS --dry-run"
+      ;;
+    p)
+        TEST_CERT=false
+        ENVIRONMENT=prod
+      ;;
+    t)
+      test_new_certs
+      exit 0
+      ;;
+    n)
+      retart_nginx
+      exit 0
+      ;;
+    :)
+      echo "Invalid option: $OPTARG requires an argument" 1>&2
+      ;;
+    *)    print_usage;;
+    esac
+done
+
+if [ "$TEST_CERT" == "true" ]; then
+  OPTIONS="$OPTIONS --test-cert"
+fi
+
+# shellcheck disable=SC2068
+run $@
+restart_nginx
+test_new_certs

dockerfiles/services/sslproxy/cli/certbot/renew.help

@@ -0,0 +1,3 @@
+renew certificates
+
+-p update production certs, otherwise we will update the staging certificates

dockerfiles/services/sslproxy/cli/certbot/renew.usage

@@ -0,0 +1 @@
+[-p]

dockerfiles/services/sslproxy/cli/create-cert

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -e
+
+echo -e "\033[36mCreate\033[39m: self-signed certificates"
+
+CERTS_DIR=certs/live/xai-corp.net
+
+function make_cert() {
+mkdir -p $CERTS_DIR
+
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -batch \
+  -keyout $CERTS_DIR/privkey.pem \
+  -out $CERTS_DIR/fullchain.pem \
+  -config certs/xai-corp.net.conf
+
+#tell chrome to trust the cert
+  certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "www.xai-corp.net" -i $CERTS_DIR/fullchain.pem
+}
+
+function test_cert() {
+  ls -l $CERTS_DIR | grep privkey.pem
+  ls -l $CERTS_DIR | grep fullchain.pem
+}
+
+function trap_exit() {
+  code=$?
+  if [ $code -gt 0 ]; then
+    echo
+    echo -e "\033[31mFailed to create certificates\033[39m"
+    exit $code
+  fi
+}
+trap  trap_exit EXIT
+
+# RUN
+make_cert && test_cert

dockerfiles/services/sslproxy/cli/create-cert.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/create-cert.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/cli/deploy

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+set -e
+#set -x
+
+LOCAL_IMAGE=sslproxy
+TAG=2.2.${BUILD_NUMBER:-dev}
+#TAG=2.1
+REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG}
+APP_NAME=sslproxy_app
+
+LOG=$(mktemp)
+
+export LOCAL_IMAGE
+export REMOTE_IMAGE
+export TAG
+
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+
+###
+function deploy() {
+  docker pull "$REMOTE_IMAGE"
+
+  docker stack deploy \
+    --with-registry-auth \
+    -c docker-compose.prod.yml \
+    sslproxy
+
+
+  sleep 2
+  docker stack ps sslproxy
+#  docker service ps --filter "desired-state=Running" sslproxy_app
+
+  wait_for_completed
+}
+
+wait_for_completed() {
+  #states supported: "rollback_completed", "updating", "completed"
+  state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  while [ "completed" != "$state"  ]; do
+    echo "$state"
+    sleep 3
+    state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  done
+  sleep 5
+}
+
+function deploy_test() {
+  docker ps | grep sslproxy_app
+
+#  assertOK https abcapi.xai-corp.net
+  assertOK https dkui.xai-corp.net
+  assertOK https git.xai-corp.net
+  assertOK https jenkins.xai-corp.net
+  assertOK https xaibox.xai-corp.net
+#  curl -If https://git.xai-corp.net/
+#  curl -If -H "Host: not.xai-corp.net" https://dkhost
+
+  assertNetwork prod_ui
+  assertNetwork prod_tasks
+}
+
+function deploy_save() {
+  #tag as latest
+  docker tag "$REMOTE_IMAGE" "${REMOTE_IMAGE//${TAG}/latest}"
+  docker push "${REMOTE_IMAGE//${TAG}/latest}"
+}
+
+dc() {
+    # shellcheck disable=SC2068
+    docker-compose \
+    -f docker-compose.yml \
+    -f docker-compose.prod.yml \
+    $@
+}
+
+function assertOK() {
+  proto=$1
+  domain=$2
+  set -e
+  echo -e "\033[94m${proto}://${domain}\033[39m"
+  curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://dkhost.xai-corp.net" \
+  | tee "$LOG" | grep -P "200 OK|302 Found|403 Forbidden"
+}
+
+function assertNetwork() {
+  network=$1
+  echo  -e "\033[94minspecting network\033[39m $network"
+  docker network inspect "$network" | jq -r .[].Containers[].Name | tee "$LOG" | grep sslproxy_app
+}
+
+function trap_exit() {
+  code=$?
+  docker service ls | grep "${APP_NAME}"
+  if [ $code -gt 0 ]; then
+    echo
+    cat "$LOG"
+    rm "$LOG"
+    echo -e "\033[31mFailed to deploy ${REMOTE_IMAGE} \033[39m"
+    exit $code
+  fi
+
+  rm "$LOG"
+  echo -e "\033[32mSuccess:\033[39m ${REMOTE_IMAGE} successfully deployed"
+}
+trap  trap_exit EXIT
+
+print_usage() {
+  printf "Usage: %s: [-b] [-t] [-s] \n" "$0"
+  echo -d deploy
+  echo -t smoke tests
+  echo -s tag as latest
+  echo -h help
+  exit 0
+}
+
+######
+if [ -z "$1" ]; then
+  deploy && deploy_test && deploy_save
+  exit
+fi
+
+while getopts tdhs name
+do
+    case $name in
+    d)    deploy;;
+    t)    deploy_test;;
+    s)    deploy_save;;
+    *)    print_usage;;
+    esac
+done

dockerfiles/services/sslproxy/cli/deploy.help

@@ -0,0 +1,8 @@
+-d deploy
+-t test the deployment
+-s mark the deployment as complete
+
+Environment Variables:
+
+BUILD_NUMBER : is used in the image tag 2.2.$BUILD_NUMBER
+DOCKER_HOST

dockerfiles/services/sslproxy/cli/deploy.usage

@@ -0,0 +1 @@
+[-d][-t][-s]

dockerfiles/services/sslproxy/cli/exec

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -ex
+
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+
+container=$(docker ps -qn1)
+
+while getopts c: name
+do
+    case $name in
+      c)
+        container=$OPTARG
+        ;;
+      *)
+        ;;
+    esac
+done
+shift $((OPTIND -1))
+
+# shellcheck disable=SC2068
+docker exec -it "$container" $@
+#docker network inspect ingress
+
+#docker service $@
+
+#docker $@
+
+#wget --no-check-certificate --spider -S --header='Host: abcapi.xai-corp.net' https://localhost/

dockerfiles/services/sslproxy/cli/exec.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/exec.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/cli/inspect

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+
+#container=$(docker service ps -q --filter "desired-state=Running" sslproxy_app | head -n 1)
+
+inspect_service() {
+#  docker service ps --filter "desired-state=Running" sslproxy_app
+  docker service inspect sslproxy_app
+}
+
+inspect_stack() {
+  docker stack ps --filter "desired-state=Running" sslproxy
+}
+
+inspect_containers() {
+  docker ps -n2
+}
+
+inspect_network() {
+  docker $@
+}
+
+if [ "$1" == "service" ]; then
+  inspect_service
+elif [ "$1" == "stack" ]; then
+  inspect_stack
+elif [ "$1" == "network" ]; then
+  inspect_network $@
+else
+  inspect_containers
+fi

dockerfiles/services/sslproxy/cli/inspect.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/inspect.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/cli/rollback

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+set -e
+#set -x
+
+LOCAL_IMAGE=sslproxy
+TAG=2.2.${BUILD_NUMBER:-dev}
+REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG}
+APP_NAME=sslproxy_app
+
+LOG=$(mktemp)
+
+#export LOCAL_IMAGE
+export REMOTE_IMAGE
+#export TAG
+
+export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'}
+
+###
+
+function rollback() {
+#  docker service inspect ${APP_NAME}
+  docker service update --rollback "${APP_NAME}"
+
+  wait_for_completed
+#  docker service scale "${APP_NAME}=2"
+}
+
+wait_for_completed() {
+  #states supported: "rollback_completed", "updating", "completed"
+  state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  while [ "rollback_completed" != "$state"  ]; do
+    echo "$state"
+    sleep 3
+    state=$(docker service inspect sslproxy_app | jq -r .[0].UpdateStatus.State)
+  done
+}
+
+function rollback_test() {
+  docker service ps --filter "desired-state=Running" sslproxy_app
+
+  docker ps | grep "${APP_NAME}"
+
+  curl -If https://git.xai-corp.net/
+}
+
+function rollback_save() {
+  echo TODO
+}
+
+
+function trap_exit() {
+  code=$?
+  docker service ls | grep ${APP_NAME}
+  if [ $code -gt 0 ]; then
+    echo
+    rm "$LOG"
+    echo -e "\033[31mFailed rolling back ${APP_NAME} \033[39m"
+    exit $code
+  fi
+
+  rm "$LOG"
+  echo -e "\033[32mSuccess:\033[39m ${APP_NAME} successfully rolled back"
+}
+trap  trap_exit EXIT
+
+print_usage() {
+  printf "Usage: %s: [-b] [-t] [-s] \n" "$0"
+  echo -r rollback
+  echo -t smoke tests
+  echo -s tag as latest
+  echo -h help
+  exit 0
+}
+
+######
+if [ -z "$1" ]; then
+  rollback && rollback_test && rollback_save
+  exit
+fi
+
+while getopts tdhs name
+do
+    case $name in
+    d)    rollback;;
+    t)    rollback_test;;
+    s)    rollback_save;;
+    *)    print_usage;;
+    esac
+done

dockerfiles/services/sslproxy/cli/rollback.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/rollback.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/cli/up

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -e
+#set -x
+
+LOCAL_IMAGE=sslproxy
+TAG=2.2.${BUILD_NUMBER:-dev}
+REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG}
+
+LOG=$(mktemp)
+
+export LOCAL_IMAGE
+export REMOTE_IMAGE
+export TAG
+
+    # shellcheck disable=SC2068
+    docker-compose \
+    -f docker-compose.yml \
+    -f docker-compose.build.yml \
+    up $@

dockerfiles/services/sslproxy/cli/up.help

@@ -0,0 +1,3 @@
+ARGS  - The arguments you wish to provide to this command
+
+TODO: Fill out the help information for this command.

dockerfiles/services/sslproxy/cli/up.usage

@@ -0,0 +1 @@
+ARGS...

dockerfiles/services/sslproxy/docker-compose.build.yml

@@ -0,0 +1,46 @@
+---
+version: '3.4'
+
+services:
+
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    volumes: []
+    networks:
+      - prod_ui
+      - prod_tasks
+
+
+  mock:
+    image: library/nginx:alpine
+    volumes:
+      - ./test.conf:/etc/nginx/nginx.conf
+    networks:
+      prod_ui:
+        aliases:
+          - dkui_app
+          - abc-api_nginx
+          - gitea_app
+          - jenkins_app
+          - xaibox_app
+      prod_app:
+        aliases:
+          - xaibox_app
+          - abc-api_nginx
+      prod_tasks:
+        aliases:
+          - sslproxy_renew
+      prod_ingress:
+        aliases:
+          - xaibox.xai-corp.net
+          - xai-corp.net
+
+
+networks:
+  prod_ui:
+  prod_tasks:
+  prod_app:
+  prod_ingress:
+

dockerfiles/services/sslproxy/docker-compose.prod.yml

@@ -11,7 +11,7 @@ volumes:
 
 services:
   app:
-    image: "dkregistry.xai-corp.net:5000/sslproxy:2.1"
+    image: ${REMOTE_IMAGE}
     volumes:
       - /opt/shared/letsencrypt-2:/etc/letsencrypt:ro
       - cache:/data/nginx/cache
@@ -20,11 +20,11 @@ services:
       - "80:80" # required for letsencrypt
 
 #    healthcheck:
-#      test: ["CMD", "wget", "--spider", "--header", "'Host: dkui.xai-corp.net'", "https://localhost/"]
+#      test: ["CMD", "wget", "--spider", "--no-check-certificate", "--header", "Host: dkui.xai-corp.net", "https://localhost/"]
-#      interval: 1m30s
+#      interval: 10s
-#      timeout: 5s
+#      timeout: 2s
 #      retries: 3
-#      start_period: 10s
+#      start_period: 5s
 
     logging:
       driver: fluentd
@@ -54,8 +54,12 @@ services:
 
     networks:
       - prod_ui
+      - prod_tasks
 
 networks:
   prod_ui:
     external:
       name: prod_ui
+  prod_tasks:
+    external:
+      name: prod_tasks

dockerfiles/services/sslproxy/docker-compose.tools.yml

@@ -0,0 +1,46 @@
+---
+version: '3.4'
+
+services:
+
+  renew:
+    container_name: sslproxy_renew
+    image: ${LETSENCRYPT_IMAGE}
+    volumes:
+      - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
+    ports:
+      - 80:80
+    entrypoint:
+      - certbot
+      - certonly
+      - --standalone
+      - -n
+    networks:
+      - prod_tasks
+
+  certificates:
+    image: ${LETSENCRYPT_IMAGE}
+    volumes:
+      - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
+    ports:
+      - 80:80
+    command:
+      - certificates
+#      - --standalone
+#      - --test-cert
+#      - --dryrun
+
+  test:
+    image: ${LETSENCRYPT_IMAGE}
+    volumes:
+      - ${LETSENCRYPT_MOUNT}:/etc/letsencrypt
+    ports:
+      - 80:80
+
+networks:
+  prod_ui:
+    external:
+      name: prod_ui
+  prod_tasks:
+    external:
+      name: prod_tasks

dockerfiles/services/sslproxy/docker-compose.yml

@@ -5,21 +5,17 @@
 # DOCKER_HOST=dkhost:2376 docker stack deploy --with-registry-auth -c docker-compose.yml sslproxy
 # DOCKER_HOST=dkhost:2376 docker stack ps sslproxy
 
-version: '3'
+version: '3.4'
+volumes:
+  cache:
+
 services:
 
   app:
-    image: "dkregistry.xai-corp.net:5000/sslproxy:2.1"
+    image: ${LOCAL_IMAGE}:${TAG}
-    build:
-      context: .
-      dockerfile: Dockerfile
-
     volumes:
-      - /etc/letsencrypt:/etc/letsencrypt:ro
+      - ./certs:/etc/letsencrypt
+      - cache:/data/nginx/cache
     ports:
-      - "443:443"
+      - 443:443
-
+      - 80:80
-#  certbot:
-#    image: "dkregistry.xai-corp.net:5000/sslproxy:latest"
-#    build:
-#      context: certbot

dockerfiles/services/sslproxy/hosts-disabled/metrics.xai-corp.net.conf

@@ -17,6 +17,11 @@ server {
 
     client_max_body_size 200m;
 
+    # this is the internal Docker DNS, cache only for 30s
+    resolver 127.0.0.11 valid=5s;
+
+    set $backend http://metrics_app:3001;
+
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
 

dockerfiles/services/sslproxy/hosts/abcapi.xai-corp.net.conf

@@ -8,7 +8,7 @@ proxy_cache_path /data/nginx/cache/abcapi levels=1:2 keys_zone=abcapi:10m max_si
 
 server {
     # this is the internal Docker DNS, cache only for 30s
-    resolver 127.0.0.11 valid=30s;
+    resolver 127.0.0.11 valid=5s;
 
     set $backend http://abc-api_nginx;
 

dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf

@@ -8,9 +8,9 @@ proxy_cache_path /data/nginx/cache/dkui levels=1:2 keys_zone=dkui:10m max_size=1
 # dkui.xai-corp.net
 server {
     # this is the internal Docker DNS, cache only for 30s
-    resolver 127.0.0.11 valid=30s;
+    resolver 127.0.0.11 valid=5s;
 
-    set $backend http://tasks.dkui_app:9000;
+    set $backend http://dkui_app:9000;
 
 #    listen  443 ssl ipv6only=off;
     listen  443 ssl;

dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf

@@ -4,13 +4,14 @@ proxy_cache_path /data/nginx/cache/gitea levels=1:2 keys_zone=gitea:10m max_size
 # git.xai-corp.net
 server {
     # this is the internal Docker DNS, cache only for 30s
-    resolver 127.0.0.11 valid=30s;
+    resolver 127.0.0.11 valid=5s;
 
-    set $backend http://dkhost.xai-corp.net:10080;
+    listen  443 ssl;
-
-    listen  443 ipv6only=off;
-    listen [::]:43 ipv6only=on;
     server_name git.xai-corp.net;
+
+    set $backend http://gitea_app:3000;
+    #set $backend http://dkhost.xai-corp.net:10080;
+
     ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
 

dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf

@@ -4,9 +4,9 @@ proxy_cache_path /data/nginx/cache/jenkins levels=1:2 keys_zone=jenkins:10m max_
 # jenkins.xai-corp.net
 server {
     # this is the internal Docker DNS, cache only for 30s
-    resolver 127.0.0.11 valid=30s;
+    resolver 127.0.0.11 valid=5s;
 
-    set $backend http://dkhost.xai-corp.net:8080;
+    set $backend http://jenkins_app:8080;
 
     listen  443 ssl;
     server_name jenkins.xai-corp.net;

dockerfiles/services/sslproxy/hosts/letsencrypt.conf

@@ -1,13 +1,18 @@
 # proxy for unsecured traffic for letsencrypt verification
 server {
     listen  80 default_server;
-    server_name _
+    resolver 127.0.0.11 valid=2s;
+
+    #server_name _
+    #server_name xai-corp.net
+
+    set $backend http://sslproxy_renew;
 
     client_max_body_size 200m;
 
     location / {
         proxy_set_header Connection $http_connection;
-        proxy_pass http://dkhost.xai-corp.net:83;
+        proxy_pass $backend;
     }
 
 }

dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf

@@ -1,12 +1,12 @@
 proxy_cache_path /data/nginx/cache/xaibox levels=1:2 keys_zone=xaibox:10m max_size=10g
                  inactive=60m use_temp_path=off;
 
-upstream xaibox_upstream {
+#upstream xaibox_upstream {
-    server tasks.xaibox_app:8083;
+#    server tasks.xaibox_app:8083;
-
+#
-    server xaibox.xai-corp.net:8083   backup;
+#    server xaibox.xai-corp.net:8083   backup;
-    server dkhost.xai-corp.net:8083   backup;
+#    server dkhost.xai-corp.net:8083   backup;
-}
+#}
 
 # xaibox.xai-corp.net
 server {
@@ -17,17 +17,21 @@ server {
 
     client_max_body_size 200m;
 
+    # this is the internal Docker DNS, cache only for 30s
+    resolver 127.0.0.11 valid=5s;
+    set $backend http://xaibox_app;
+
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
 
     location / {
         proxy_set_header        Connection $http_connection;
-        proxy_set_header        Host $host:$server_port;
+        proxy_set_header        Host xaibox.xai-corp.net:$server_port;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
-        proxy_pass http://xaibox_upstream;
+        proxy_pass $backend;
     }
 
 }

dockerfiles/services/sslproxy/nginx.conf

@@ -2,7 +2,7 @@
 user  nginx;
 worker_processes  1;
 
-error_log  /var/log/nginx/error.log warn;
+error_log /proc/self/fd/2 info;
 pid        /var/run/nginx.pid;
 
 
@@ -19,7 +19,7 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /var/log/nginx/access.log  main;
+    access_log  /proc/self/fd/2  main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -28,5 +28,14 @@ http {
 
     #gzip  on;
 
+    server {
+        #listen 80 default_server;
+        listen 443 default_server;
+        ssl_certificate     /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
+
+        return 421;
+    }
+
     include /etc/nginx/conf.d/*.conf;
 }

dockerfiles/services/sslproxy/test.conf

@@ -0,0 +1,40 @@
+
+user  nginx;
+worker_processes  1;
+
+error_log /proc/self/fd/2 info;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /proc/self/fd/2  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    server {
+        listen 80 default_server;
+        listen 3000 default_server;
+        listen 8080 default_server;
+        listen 8083 default_server;
+        listen 9000 default_server;
+
+        return 418;
+    }
+}