Replace Certbot with Lego for Let's Encrypt container

Replaces Certbot with Lego for certificate retrieval and renewal. Lego includes support for DNS ACME Challenges. Adds ssh-client to LetsEncrypt and ssh-server to HAProxy to allow both the transfer of Let's Encrypt certificates to the HAProxy container and to enable live updating of HAProxy certifices using the HAProxy API exposed on the local HAProxy socket. Implements: blueprint letsencrypt-https Change-Id: I737e1ce5bfc37d0703879c8272a9e915084c5ca6
2022-03-17 11:15:08 -07:00 · 2022-03-17 11:15:08 -07:00 · d424a63d60
parent 9d5bdbf36d
commit d424a63d60
5 changed files with 69 additions and 6 deletions
--- a/docker/haproxy/haproxy-ssh/Dockerfile.j2
+++ b/docker/haproxy/haproxy-ssh/Dockerfile.j2
@ -0,0 +1,40 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block haproxy_ssh_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='haproxy', shell='/bin/bash') }}
+
+{% if base_package_type == 'rpm' %}
+    {% set haproxy_ssh_packages = [
+        'openssh-server',
+        'openssh-clients',
+    ] %}
+
+# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
+# prevents SSH access to it.
+RUN rm -f /run/nologin
+
+{% elif base_package_type == 'deb' %}
+    {% set haproxy_ssh_packages = [
+        'openssh-server',
+        'openssh-client',
+    ] %}
+
+RUN mkdir -p /var/run/sshd \
+    && chmod 0755 /var/run/sshd
+
+{% endif %}
+
+{{ macros.install_packages(haproxy_ssh_packages | customizable("packages")) }}
+
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 644 /usr/local/bin/kolla_extend_start \
+    && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
+
+{% block haproxy_ssh_footer %}{% endblock %}
+{% block footer %}{% endblock %}
--- a/docker/haproxy/haproxy-ssh/extend_start.sh
+++ b/docker/haproxy/haproxy-ssh/extend_start.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+
+SSH_HOST_KEY_TYPES=( "ecdsa" )
+
+for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
+    KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
+    if [[ ! -f "${KEY_PATH}" ]]; then
+        ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
+    fi
+done
+
+mkdir -p /var/lib/haproxy/.ssh
+
+if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
+    sudo chown haproxy: /var/lib/haproxy/.ssh
+fi
--- a/docker/haproxy/haproxy/Dockerfile.j2
+++ b/docker/haproxy/haproxy/Dockerfile.j2
--- a/docker/haproxy/haproxy/ensure_latest_config.sh
+++ b/docker/haproxy/haproxy/ensure_latest_config.sh
--- a/docker/letsencrypt/Dockerfile.j2
+++ b/docker/letsencrypt/Dockerfile.j2
@ -5,25 +5,32 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}"

 {% import "macros.j2" as macros with context %}

-{# NOTE(jkirsch): EPEL required for lego #}
-{{ macros.enable_extra_repos(['epel']) }}
-
 {% if base_package_type == 'rpm' %}
    {% set letsencrypt_packages = [
-        'certbot',
+        'openssh-clients',
        'cronie'
    ] %}
 {% elif base_package_type == 'deb' %}
    {% set letsencrypt_packages = [
-        'certbot',
+        'openssh-client',
        'cron'
    ] %}
 {% endif %}
 {{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}

-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 644 /usr/local/bin/kolla_extend_start

+{% block lego_repository %}
+ENV lego_version=4.6.0
+ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
+{% endblock %}
+
+{% block lego_install %}
+RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
+    && tar xvf /tmp/lego.tar.gz -C /opt/ \
+    && rm -f /tmp/lego.tar.gz
+{% endblock %}
+
 {% block letsencrypt_footer %}{% endblock %}
 {% block footer %}{% endblock %}