From d424a63d6049d8d241ab1294aea035d4b187a111 Mon Sep 17 00:00:00 2001
From: generalfuzz
Date: Thu, 17 Mar 2022 11:15:08 -0700
Subject: [PATCH] Replace Certbot with Lego for Let's Encrypt container

Replaces Certbot with Lego for certificate retrieval and renewal. Lego includes support for DNS ACME Challenges. Adds ssh-client to LetsEncrypt and ssh-server to HAProxy to allow both the transfer of Let's Encrypt certificates to the HAProxy container and to enable live updating of HAProxy certifices using the HAProxy API exposed on the local HAProxy socket.

Implements: blueprint letsencrypt-https
Change-Id: I737e1ce5bfc37d0703879c8272a9e915084c5ca6
---
 docker/haproxy/haproxy-ssh/Dockerfile.j2 | 40 +++++++++++++++++++
 docker/haproxy/haproxy-ssh/extend_start.sh | 16 ++++++++
 docker/haproxy/{ => haproxy}/Dockerfile.j2 | 0
 .../{ => haproxy}/ensure_latest_config.sh | 0
 docker/letsencrypt/Dockerfile.j2 | 19 ++++++---
 5 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 docker/haproxy/haproxy-ssh/Dockerfile.j2
 create mode 100644 docker/haproxy/haproxy-ssh/extend_start.sh
 rename docker/haproxy/{ => haproxy}/Dockerfile.j2 (100%)
 rename docker/haproxy/{ => haproxy}/ensure_latest_config.sh (100%)

diff --git a/docker/haproxy/haproxy-ssh/Dockerfile.j2 b/docker/haproxy/haproxy-ssh/Dockerfile.j2
new file mode 100644
index 0000000000..8eecc88916
--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/Dockerfile.j2
@@ -0,0 +1,40 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block haproxy_ssh_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='haproxy', shell='/bin/bash') }}
+
+{% if base_package_type == 'rpm' %}
+ {% set haproxy_ssh_packages = [
+ 'openssh-server',
+ 'openssh-clients',
+ ] %}
+
+# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
+# prevents SSH access to it.
+RUN rm -f /run/nologin
+
+{% elif base_package_type == 'deb' %}
+ {% set haproxy_ssh_packages = [
+ 'openssh-server',
+ 'openssh-client',
+ ] %}
+
+RUN mkdir -p /var/run/sshd \
+ && chmod 0755 /var/run/sshd
+
+{% endif %}
+
+{{ macros.install_packages(haproxy_ssh_packages | customizable("packages")) }}
+
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 644 /usr/local/bin/kolla_extend_start \
+ && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
+
+{% block haproxy_ssh_footer %}{% endblock %}
+{% block footer %}{% endblock %}
diff --git a/docker/haproxy/haproxy-ssh/extend_start.sh b/docker/haproxy/haproxy-ssh/extend_start.sh
new file mode 100644
index 0000000000..d571e72920
--- /dev/null
+++ b/docker/haproxy/haproxy-ssh/extend_start.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SSH_HOST_KEY_TYPES=( "ecdsa" )
+
+for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
+ KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
+ if [[ ! -f "${KEY_PATH}" ]]; then
+ ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
+ fi
+done
+
+mkdir -p /var/lib/haproxy/.ssh
+
+if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
+ sudo chown haproxy: /var/lib/haproxy/.ssh
+fi
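Review bot: Nothing in this new Dockerfile records why an SSH daemon is being added to the HAProxy image, which is a surface a later maintainer will want justified; the commit message says it exists so the letsencrypt container can push renewed certificates and refresh HAProxy over the local socket, so that belongs in the file itself, e.g. after the labels block: `# sshd is the drop-off point for the letsencrypt container: it copies renewed certificates in over SSH and updates HAProxy through the local socket.` The `configure_user(name='haproxy', shell='/bin/bash')` line deserves a one-line comment too, since a login shell for the service account is only needed for this SSH use. sshd's own policy (listen address, allowed users, key-only authentication) is not part of this image, so presumably it is supplied as deploy-time configuration; saying so in the same comment would stop readers assuming the upstream default sshd_config is what runs.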
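Review bot: The ecdsa host key is written into /etc/ssh inside the container on first start, so unless /etc/ssh sits on a persistent volume (not visible here) every re-creation of the haproxy-ssh container produces a new host key and the letsencrypt client will either fail strict host-key checking or be configured to skip it; the script should state which is expected, e.g. `# Host key lives in /etc/ssh; persist it (volume) or the client's known_hosts entry breaks whenever the container is recreated.` The `.ssh` directory is created with the default umask, so `mkdir -p -m 0700 /var/lib/haproxy/.ssh` would keep it private rather than world-readable. The loop and the keygen call expand `${SSH_HOST_KEY_TYPES[@]}`, `${key_type}` and `${KEY_PATH}` unquoted; `"${SSH_HOST_KEY_TYPES[@]}"`, `"${key_type}"` and `"${KEY_PATH}"` is the usual form. Whether this runs as root or as haproxy cannot be told from the hunk, so the `sudo chown` branch is presumably for the non-root case and could say so.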
diff --git a/docker/haproxy/Dockerfile.j2 b/docker/haproxy/haproxy/Dockerfile.j2
similarity index 100%
rename from docker/haproxy/Dockerfile.j2
rename to docker/haproxy/haproxy/Dockerfile.j2
diff --git a/docker/haproxy/ensure_latest_config.sh b/docker/haproxy/haproxy/ensure_latest_config.sh
similarity index 100%
rename from docker/haproxy/ensure_latest_config.sh
rename to docker/haproxy/haproxy/ensure_latest_config.sh
diff --git a/docker/letsencrypt/Dockerfile.j2 b/docker/letsencrypt/Dockerfile.j2
index b344c6734d..30062f0b0c 100644
--- a/docker/letsencrypt/Dockerfile.j2
+++ b/docker/letsencrypt/Dockerfile.j2
@@ -5,25 +5,32 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}"
 {% import "macros.j2" as macros with context %}
-{# NOTE(jkirsch): EPEL required for lego #}
-{{ macros.enable_extra_repos(['epel']) }}
-
 {% if base_package_type == 'rpm' %}
 {% set letsencrypt_packages = [
- 'certbot',
+ 'openssh-clients',
 'cronie'
 ] %}
 {% elif base_package_type == 'deb' %}
 {% set letsencrypt_packages = [
- 'certbot',
+ 'openssh-client',
 'cron'
 ] %}
 {% endif %}
 {{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}
-
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 644 /usr/local/bin/kolla_extend_start
+{% block lego_repository %}
+ENV lego_version=4.6.0
+ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
+{% endblock %}
+
+{% block lego_install %}
+RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
+ && tar xvf /tmp/lego.tar.gz -C /opt/ \
+ && rm -f /tmp/lego.tar.gz
+{% endblock %}
+
 {% block letsencrypt_footer %}{% endblock %}
 {% block footer %}{% endblock %}
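Review bot: The lego tarball fetched in the `lego_install` block is unpacked into /opt with no integrity check, so a substituted or truncated download is installed silently; the version is pinned, so pin the digest beside it and verify before extracting, e.g. `ENV lego_sha256=<sha256 of the pinned lego tarball, taken from the release checksums file>` (placeholder) and `RUN curl -fsSL -o /tmp/lego.tar.gz ${lego_download_url} && echo "${lego_sha256}  /tmp/lego.tar.gz" | sha256sum -c - && tar xf /tmp/lego.tar.gz -C /opt/ && rm -f /tmp/lego.tar.gz`. Without `-f` an HTTP error body is saved as lego.tar.gz and only surfaces later as a tar failure, and GitHub release download URLs normally answer with a redirect, so `-L` is needed unless the base image's curl configuration already follows redirects — not visible here. `lego_version` and `lego_download_url` are only read at build time, so `ARG` in the same block would avoid leaving them in the runtime environment of the container. The enclosing file continues above the hunk.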