init work on supporting tls ingress on k8s
This commit is contained in:
parent
62449f84c0
commit
53a143d716
11 changed files with 100 additions and 13 deletions
@ -654,7 +654,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
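Review bot: Adding `secrets` to this ClusterRole grants the controller `get`/`watch`/`list` on every Secret in every namespace, because RBAC cannot narrow `list`/`watch` to a field selector or to specific resource names; that is what the new `list_secret_for_all_namespaces` call needs, but the breadth of the grant is stated nowhere in the manifest. Add a comment above the rule: `# secrets: cluster-wide read is required to resolve the secretName referenced by ingress spec.tls`. The same one-line change is repeated in the six `@ -4,7 +4,7 @@` manifests that follow, and the comment belongs in each of them.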
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -4,7 +4,7 @@ metadata:
|
|||
name: cr-bunkerweb
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services", "pods", "configmaps"]
|
||||
resources: ["services", "pods", "configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
@ -121,10 +121,6 @@ class IngressController(Controller):
|
|||
location += 1
|
||||
services.append(service)
|
||||
|
||||
# parse tls
|
||||
if controller_service.spec.tls: # TODO: support tls
|
||||
self._logger.warning("Ignoring unsupported tls.")
|
||||
|
||||
# parse annotations
|
||||
if controller_service.metadata.annotations:
|
||||
for service in services:
|
||||
|
|
@ -142,6 +138,37 @@ class IngressController(Controller):
|
|||
variable = variable.replace(f"{server_name}_", "", 1)
|
||||
if self._is_setting_context(variable, "multisite"):
|
||||
service[variable] = value
|
||||
|
||||
# parse tls
|
||||
if controller_service.spec.tls:
|
||||
for tls in controller_service.spec.tls:
|
||||
if tls.hosts and tls.secret_name:
|
||||
for host in tls.hosts:
|
||||
for service in services:
|
||||
if host in service["SERVER_NAME"].split(" "):
|
||||
secret_tls = self.__corev1.list_secret_for_all_namespaces(
|
||||
watch=False,
|
||||
field_selector=f"metadata.name={tls.secret_name},metadata.namespace={namespace}",
|
||||
).items
|
||||
if not secret_tls:
|
||||
self._logger.warning(
|
||||
f"Ignoring tls setting for {host} : secret {tls.secret_name} not found.",
|
||||
)
|
||||
break
|
||||
if not secret_tls.data:
|
||||
self._logger.warning(
|
||||
f"Ignoring tls setting for {host} : secret {tls.secret_name} contains no data.",
|
||||
)
|
||||
break
|
||||
if "tls.crt" not in secret_tls.data or "tls.key" not in secret_tls.data:
|
||||
self._logger.warning(
|
||||
f"Ignoring tls setting for {host} : secret {tls.secret_name} is missing tls data.",
|
||||
)
|
||||
break
|
||||
service["USE_CUSTOM_SSL"] = "yes"
|
||||
service["CUSTOM_SSL_CERT_DATA"] = secret_tls.data["tls.crt"]
|
||||
service["CUSTOM_SSL_KEY_DATA"] = secret_tls.data["tls.key"]
|
||||
break
|
||||
return services
|
||||
|
||||
def _get_static_services(self) -> List[dict]:
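Review bot: `secret_tls` holds the `.items` list returned by `list_secret_for_all_namespaces`, yet the checks that follow read `secret_tls.data` as if it were a single `V1Secret`, so any secret that is actually found raises `AttributeError` and the TLS path can only ever reach the not-found warning; index the first element before touching `.data`. The list call also sits inside the host × service loops, so one tls entry triggers a separate API request for every matching host and service; resolving the secret once per tls entry and then assigning it to the matching services removes both problems. `namespace` and `self.__corev1` are used but not defined in this hunk, so their origin is assumed; the enclosing method starts before the hunk.
```python
# … unchanged: annotation parsing …
# parse tls
if controller_service.spec.tls:
    for tls in controller_service.spec.tls:
        if not (tls.hosts and tls.secret_name):
            continue
        # one API call per tls entry instead of one per host x service
        secrets = self.__corev1.list_secret_for_all_namespaces(
            watch=False,
            field_selector=f"metadata.name={tls.secret_name},metadata.namespace={namespace}",
        ).items
        if not secrets:
            self._logger.warning(f"Ignoring tls setting for {tls.hosts} : secret {tls.secret_name} not found.")
            continue
        data = secrets[0].data or {}
        if "tls.crt" not in data or "tls.key" not in data:
            self._logger.warning(f"Ignoring tls setting for {tls.hosts} : secret {tls.secret_name} is missing tls data.")
            continue
        for host in tls.hosts:
            for service in services:
                if host in service["SERVER_NAME"].split(" "):
                    service["USE_CUSTOM_SSL"] = "yes"
                    service["CUSTOM_SSL_CERT_DATA"] = data["tls.crt"]
                    service["CUSTOM_SSL_KEY_DATA"] = data["tls.key"]
                    break
return services
```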
|
||||
@ -31,5 +31,4 @@ ssl_dhparam /etc/nginx/dhparam;
|
|||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
@ -6,6 +6,7 @@ from pathlib import Path
|
|||
from sys import exit as sys_exit, path as sys_path
|
||||
from traceback import format_exc
|
||||
from typing import Optional
|
||||
from base64 import b64decode
|
||||
|
||||
for deps_path in [
|
||||
join(sep, "usr", "share", "bunkerweb", *paths)
|
||||
|
|
@ -99,6 +100,28 @@ try:
|
|||
cert_path = getenv("CUSTOM_SSL_CERT", "")
|
||||
key_path = getenv("CUSTOM_SSL_KEY", "")
|
||||
|
||||
cert_data = b64decode(getenv("CUSTOM_SSL_CERT_DATA", ""))
|
||||
key_data = b64decode(getenv("CUSTOM_SSL_KEY_DATA", ""))
|
||||
for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
|
||||
if data != b"":
|
||||
file_path = Path(
|
||||
sep,
|
||||
"var",
|
||||
"tmp",
|
||||
"bunkerweb",
|
||||
"customcert",
|
||||
file
|
||||
)
|
||||
file_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
file_path.write_bytes(data)
|
||||
if file == "cert.pem":
|
||||
cert_path = str(file_path)
|
||||
else:
|
||||
key_path = str(file_path)
|
||||
|
||||
if cert_data != b"":
|
||||
with open()
|
||||
|
||||
if cert_path and key_path:
|
||||
logger.info(f"Checking certificate {cert_path} ...")
|
||||
need_reload = check_cert(cert_path, key_path)
|
||||
|
|
@ -124,6 +147,26 @@ try:
|
|||
cert_path = getenv(f"{first_server}_CUSTOM_SSL_CERT", "")
|
||||
key_path = getenv(f"{first_server}_CUSTOM_SSL_KEY", "")
|
||||
|
||||
cert_data = b64decode(getenv(f"{first_server}_CUSTOM_SSL_CERT_DATA", ""))
|
||||
key_data = b64decode(getenv(f"{first_server}_CUSTOM_SSL_KEY_DATA", ""))
|
||||
for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
|
||||
if data != b"":
|
||||
file_path = Path(
|
||||
sep,
|
||||
"var",
|
||||
"tmp",
|
||||
"bunkerweb",
|
||||
"customcert",
|
||||
server_name,
|
||||
file
|
||||
)
|
||||
file_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
file_path.write_bytes(data)
|
||||
if file == "cert.pem":
|
||||
cert_path = str(file_path)
|
||||
else:
|
||||
key_path = str(file_path)
|
||||
|
||||
if cert_path and key_path:
|
||||
logger.info(
|
||||
f"Checking certificate {cert_path} ...",
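Review bot: In the `@ -99,6 +100,28 @@` hunk, `if cert_data != b"":` followed by `with open()` is an unfinished statement and a syntax error, so the whole job fails to load; the loop just above it already writes both files, so those two lines should be dropped. That hunk and the `@ -124,6 +147,26 @@` one both write the decoded private key with `file_path.write_bytes(data)`, which creates `key.pem` under the process umask (commonly 0644) and leaves the key readable by any local user; create the file with a restrictive mode before writing. In the second hunk `server_name` becomes a path component, so a value containing `/` or `..` would place the files outside `customcert`; if SERVER_NAME is already validated upstream this is fine, otherwise reject such values before building the path. Both hunks sit inside a `try:` that begins before them, so a `binascii.Error` from `b64decode` on a malformed value is presumably caught there — worth confirming.
```python
for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
    if data != b"":
        file_path = Path(sep, "var", "tmp", "bunkerweb", "customcert", file)
        file_path.parent.mkdir(parents=True, exist_ok=True)
        # private key material: create as 0600 (umask can only tighten this)
        # and re-apply in case the file already existed with a wider mode
        file_path.touch(mode=0o600)
        file_path.chmod(0o600)
        file_path.write_bytes(data)
        if file == "cert.pem":
            cert_path = str(file_path)
        else:
            key_path = str(file_path)
# … the dangling `if cert_data != b"": with open()` lines are removed …
```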
|
||||
@ -31,6 +31,24 @@
|
|||
"label": "Key path",
|
||||
"regex": "^(/[\\w. \\-]+)*/?$",
|
||||
"type": "text"
|
||||
},
|
||||
"CUSTOM_SSL_CERT_DATA": {
|
||||
"context": "multisite",
|
||||
"default": "",
|
||||
"help": "Certificate data encoded in base64.",
|
||||
"id": "custom-https-cert-data",
|
||||
"label": "Certificate data (base64)",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
},
|
||||
"CUSTOM_SSL_KEY_DATA": {
|
||||
"context": "multisite",
|
||||
"default": "",
|
||||
"help": "Key data encoded in base64.",
|
||||
"id": "custom-https-key-data",
|
||||
"label": "Key data (base64)",
|
||||
"regex": "^.*$",
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"jobs": [
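Review bot: `"regex": "^.*$"` on `CUSTOM_SSL_CERT_DATA` and `CUSTOM_SSL_KEY_DATA` accepts any text, yet the job that consumes these values passes them straight to `b64decode`, so malformed input is only rejected when the job runs; restricting the pattern to the base64 alphabet, `"regex": "^[A-Za-z0-9+/=]*$"`, makes bad values fail at settings validation instead. `CUSTOM_SSL_KEY_DATA` carries a private key but is declared `"type": "text"`; if the settings schema has a type that masks or hides values in the UI, the key field should use it — whether one exists is not visible from this hunk.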
|
||||