Replace Certbot with Lego for Let's Encrypt container

Replaces Certbot with Lego for certificate retrieval and renewal.
Lego includes support for DNS ACME Challenges.

Adds ssh-client to LetsEncrypt and ssh-server to HAProxy to allow both
the transfer of Let's Encrypt certificates to the HAProxy container and
to enable live updating of HAProxy certificates using the HAProxy API
exposed on the local HAProxy socket.

Implements: blueprint letsencrypt-https
Change-Id: I737e1ce5bfc37d0703879c8272a9e915084c5ca6
generalfuzz 2022-03-17 11:15:08 -07:00 committed by Radosław Piliszek
parent 9d5bdbf36d
commit d424a63d60
5 changed files with 69 additions and 6 deletions


@ -0,0 +1,40 @@
FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block haproxy_ssh_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.configure_user(name='haproxy', shell='/bin/bash') }}
{% if base_package_type == 'rpm' %}
{% set haproxy_ssh_packages = [
'openssh-server',
'openssh-clients',
] %}
# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
# prevents SSH access to it.
RUN rm -f /run/nologin
{% elif base_package_type == 'deb' %}
{% set haproxy_ssh_packages = [
'openssh-server',
'openssh-client',
] %}
RUN mkdir -p /var/run/sshd \
&& chmod 0755 /var/run/sshd
{% endif %}
{{ macros.install_packages(haproxy_ssh_packages | customizable("packages")) }}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 644 /usr/local/bin/kolla_extend_start \
&& sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
{% block haproxy_ssh_footer %}{% endblock %}
{% block footer %}{% endblock %}
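Review bot: The image installs openssh-server (lines 31 and 39) and gives the haproxy account an interactive `/bin/bash` shell (line 28), but nothing in this file constrains the resulting sshd, so the distro default sshd_config applies — password authentication enabled, and root login allowed or key-only depending on the distro. Unless the deployment tooling drops a hardened sshd_config into the container at runtime (not visible here), it would be safer to pin the policy in the image next to the existing pam_loginuid sed on line 48, e.g. `&& sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication no/; s/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config`. Since the description only needs a certificate copy plus a socket reload, the key later installed for the haproxy user should also be restricted with an authorized_keys forced command instead of granting a full shell, and `AllowUsers haproxy` would keep other accounts off the SSH surface entirely.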


@ -0,0 +1,16 @@
#!/bin/bash
SSH_HOST_KEY_TYPES=( "ecdsa" )
for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
if [[ ! -f "${KEY_PATH}" ]]; then
ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
fi
done
mkdir -p /var/lib/haproxy/.ssh
if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
sudo chown haproxy: /var/lib/haproxy/.ssh
fi
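Review bot: Lines 63-66 create `/var/lib/haproxy/.ssh` with whatever the process umask yields and only correct ownership, so the directory that will hold `authorized_keys` is typically left at 0755; sshd's StrictModes tolerates that, but the conventional and safer mode is 0700. The `sudo` on line 65 is also inconsistent with the rest of the script: either it runs as root, in which case sudo is redundant, or it does not, in which case the `ssh-keygen` into `/etc/ssh` on line 60 already fails; assuming root, the whole block can be `install -d -m 0700 -o haproxy -g haproxy /var/lib/haproxy/.ssh`. The array expansion on line 57 should be quoted, `for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do`, as should `${key_type}` and `${KEY_PATH}` in the ssh-keygen call (ShellCheck SC2068/SC2086). Note too that the ecdsa host key is regenerated whenever `/etc/ssh` does not persist across container recreation, which would invalidate any known_hosts entry the letsencrypt side pins unless that path is on a volume — worth confirming in the deployment configuration, since the alternative is disabling host-key checking on the client.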


@ -5,25 +5,32 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}"
{% import "macros.j2" as macros with context %}
{# NOTE(jkirsch): EPEL required for lego #}
{{ macros.enable_extra_repos(['epel']) }}
{% if base_package_type == 'rpm' %}
{% set letsencrypt_packages = [
'certbot',
'openssh-clients',
'cronie'
] %}
{% elif base_package_type == 'deb' %}
{% set letsencrypt_packages = [
'certbot',
'openssh-client',
'cron'
] %}
{% endif %}
{{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 644 /usr/local/bin/kolla_extend_start
{% block lego_repository %}
ENV lego_version=4.6.0
ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
{% endblock %}
{% block lego_install %}
RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
&& tar xvf /tmp/lego.tar.gz -C /opt/ \
&& rm -f /tmp/lego.tar.gz
{% endblock %}
{% block letsencrypt_footer %}{% endblock %}
{% block footer %}{% endblock %}
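Review bot: The lego binary is fetched on line 95 with a bare `curl -o` and unpacked into `/opt` without any integrity check, so the build trusts whatever the release URL serves; the version is pinned but the tarball's digest is not, which is the usual supply-chain gap for `curl && tar` installs. Pin the sha256 from the upstream release and verify it before extraction, and pass `-fL` so a failed or redirected download aborts the layer instead of handing an error body to tar (GitHub release assets redirect, so unless the base image ships a curlrc that follows redirects — not visible here — the plain `-o` form will not even retrieve the archive). Because the URL embeds `{{debian_arch}}`, the digest has to be selected per architecture rather than hard-coded once. Separately, the comment on line 72 now says EPEL is required for lego, yet lego is installed from the GitHub tarball below and not from a package, so either the `enable_extra_repos(['epel'])` on line 73 is a leftover from the certbot install that could be dropped, or the comment should name the package that still needs it.
```dockerfile
{% block lego_repository %}
ENV lego_version=4.6.0
ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
# sha256 of the tarball above, taken from the upstream release; the value
# differs per {{ debian_arch }}, so it must be chosen per architecture (or
# supplied by overriding this block) rather than fixed to one digest.
ENV lego_sha256=<digest for this architecture>
{% endblock %}
{% block lego_install %}
RUN curl -fsSL -o /tmp/lego.tar.gz "${lego_download_url}" \
    && echo "${lego_sha256}  /tmp/lego.tar.gz" | sha256sum -c - \
    && tar xf /tmp/lego.tar.gz -C /opt/ \
    && rm -f /tmp/lego.tar.gz
{% endblock %}
```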