Replace Certbot with Lego for Let's Encrypt container
Replaces Certbot with Lego for certificate retrieval and renewal. Lego includes support for DNS ACME Challenges. Adds ssh-client to LetsEncrypt and ssh-server to HAProxy to allow both the transfer of Let's Encrypt certificates to the HAProxy container and to enable live updating of HAProxy certificates using the HAProxy API exposed on the local HAProxy socket. Implements: blueprint letsencrypt-https Change-Id: I737e1ce5bfc37d0703879c8272a9e915084c5ca6
This commit is contained in:
parent
9d5bdbf36d
commit
d424a63d60
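--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/Dockerfile.j2
@@ -0,0 +1,40 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block haproxy_ssh_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='haproxy', shell='/bin/bash') }}
+
+{% if base_package_type == 'rpm' %}
+{% set haproxy_ssh_packages = [
+'openssh-server',
+'openssh-clients',
+] %}
+
+# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
+# prevents SSH access to it.
+RUN rm -f /run/nologin
+
+{% elif base_package_type == 'deb' %}
+{% set haproxy_ssh_packages = [
+'openssh-server',
+'openssh-client',
+] %}
+
+RUN mkdir -p /var/run/sshd \
+&& chmod 0755 /var/run/sshd
+
+{% endif %}
+
+{{ macros.install_packages(haproxy_ssh_packages | customizable("packages")) }}
+
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 644 /usr/local/bin/kolla_extend_start \
+&& sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
+
+{% block haproxy_ssh_footer %}{% endblock %}
+{% block footer %}{% endblock %}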
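Review bot: The `sed` that downgrades `pam_loginuid.so` from required to optional in `/etc/pam.d/sshd` at the end of the hunk carries no explanation, while the `/run/nologin` removal above it has a NOTE; a reader cannot tell whether it is a container workaround or a policy choice. Presumably it is there because pam_loginuid cannot set the audit loginuid from inside a container and would otherwise reject every SSH login; if so, add `# NOTE: pam_loginuid cannot write the audit loginuid inside a container and would fail sshd logins, so make it optional.` above the RUN. Because `sed -ri` silently does nothing when the pattern is absent, prefacing it with `grep -q 'pam_loginuid.so' /etc/pam.d/sshd &&` would make the build fail loudly if a future base image ships a different PAM stack, instead of producing an image whose sshd rejects logins at runtime.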
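--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/extend_start.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SSH_HOST_KEY_TYPES=( "ecdsa" )
+
+for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
+KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
+if [[ ! -f "${KEY_PATH}" ]]; then
+ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
+fi
+done
+
+mkdir -p /var/lib/haproxy/.ssh
+
+if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
+sudo chown haproxy: /var/lib/haproxy/.ssh
+fi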
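Review bot: `mkdir -p /var/lib/haproxy/.ssh` at the bottom of the hunk leaves the directory at whatever the process umask yields, and the block after it only corrects ownership, so `.ssh` is not guaranteed to be private to the haproxy account; add `chmod 700 /var/lib/haproxy/.ssh` next to the chown so that authorized_keys and any client keys placed there are readable only by that user. Whether the script runs as root or depends on a sudoers rule is not visible here, but since the `sudo chown` only fires when the ownership check fails, the mode fix should run unconditionally. In the key loop, quoting `"${key_type}"` and `"${KEY_PATH}"` on the `ssh-keygen` line would match the quoted `-f` test just above it. Host keys are generated only when absent, so presumably /etc/ssh is meant to be persisted across container recreation; if it is not, each recreated container presents a fresh host key to the LetsEncrypt side, which is worth a comment at the top of the script.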
@ -5,25 +5,32 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}"
|
||||
|
||||
{% import "macros.j2" as macros with context %}
|
||||
|
||||
{# NOTE(jkirsch): EPEL required for lego #}
|
||||
{{ macros.enable_extra_repos(['epel']) }}
|
||||
|
||||
{% if base_package_type == 'rpm' %}
|
||||
{% set letsencrypt_packages = [
|
||||
'certbot',
|
||||
'openssh-clients',
|
||||
'cronie'
|
||||
] %}
|
||||
{% elif base_package_type == 'deb' %}
|
||||
{% set letsencrypt_packages = [
|
||||
'certbot',
|
||||
'openssh-client',
|
||||
'cron'
|
||||
] %}
|
||||
{% endif %}
|
||||
{{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}
|
||||
|
||||
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
RUN chmod 644 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{% block lego_repository %}
|
||||
ENV lego_version=4.6.0
|
||||
ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
|
||||
{% endblock %}
|
||||
|
||||
{% block lego_install %}
|
||||
RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
|
||||
&& tar xvf /tmp/lego.tar.gz -C /opt/ \
|
||||
&& rm -f /tmp/lego.tar.gz
|
||||
{% endblock %}
|
||||
|
||||
{% block letsencrypt_footer %}{% endblock %}
|
||||
{% block footer %}{% endblock %}
|
||||
|
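Review bot: The `curl -o /tmp/lego.tar.gz ${lego_download_url}` in the lego_install block fetches a release binary from GitHub at build time with no integrity check, so whatever is served for that URL is unpacked into /opt/ and later run as the ACME client; curl is also invoked without `-f`, so a non-2xx response body is saved to the file and only caught indirectly when tar fails. Pin the expected sha256 of the tarball in the template (one value per `debian_arch`, since the URL varies by architecture) and verify it before extracting, as sketched below with a new `lego_sha256` template variable holding an obvious placeholder until filled in; a checksums file fetched from the same release URL would only catch transport corruption, not a substituted artifact. Because `lego_download_url` is derived from `lego_version`, the digest must be updated whenever the version is bumped, and a comment next to `ENV lego_version=4.6.0` saying so would help the next maintainer. The enclosing Dockerfile template starts before this hunk, and the page does not show which of the `certbot` package-list lines are old and which are new, so those are not reviewed here.
```dockerfile
# … unchanged: package lists, extend_start copy, lego_repository block …
{% block lego_install %}
# lego_sha256 is the expected digest of the tarball for this debian_arch
# (e.g. '<SHA256_PLACEHOLDER>' until filled in); update it with lego_version.
RUN curl -fsSL -o /tmp/lego.tar.gz ${lego_download_url} \
    && echo "{{ lego_sha256 }}  /tmp/lego.tar.gz" | sha256sum -c - \
    && tar xvf /tmp/lego.tar.gz -C /opt/ \
    && rm -f /tmp/lego.tar.gz
{% endblock %}
```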