Allow providing own certificates for dev cluster

Author: Saancreed

.gitignore

@@ -247,9 +247,10 @@ src/Apps/*/dist/
 **/integration_tests_secrets.sh
 **/dist
 
-dev/proxy/*.pem
-dev/proxy/*.crt
-dev/proxy/*.key
+**/*.pem
+**/*.crt
+**/*.cert
+**/*.key
 
 !dev/**/.env
 !release/

.template.config/template.json

@@ -117,11 +117,11 @@
     {
       "actionId": "CB9A6CF3-4F5C-4860-B9D2-03A574959774",
       "args": {
-        "+x": ["./backend/dev/*/*.sh", "./dev-cluster/*.sh"]
+        "+x": ["./backend/dev/*/*.sh", "./dev-cluster/*.sh", "./dev-cluster/*/*.sh"]
       },
       "manualInstructions": [
         {
-          "text": "Run 'chmod +x ./backend/dev/*/*.sh ./dev-cluster/*.sh'"
+          "text": "Run 'chmod +x ./backend/dev/*/*.sh ./dev-cluster/*.sh ./dev-cluster/*/*.sh'"
         }
       ]
     }

dev-cluster/apps/Dockerfile.traefik-self-signed

@@ -0,0 +1,7 @@
+FROM traefik
+
+COPY --chmod=0644 local.lncd.pl.cert local.lncd.pl.key /certs/
+COPY config.toml /config/config.toml
+COPY dynamic.toml /config/dynamic/main.toml
+
+CMD ["--configFile=/config/config.toml"]

dev-cluster/apps/config.toml

@@ -0,0 +1,27 @@
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = false
+[log]
+  level = "DEBUG"
+[api]
+  dashboard = true
+  insecure = true
+  debug = true
+
+[provieders]
+  [providers.docker]
+    exposedByDefault = true
+  [providers.file]
+    directory = "/config/dynamic"
+    watch = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+    [entryPoints.web.http]
+      [entryPoints.web.http.redirections]
+        [entryPoints.web.http.redirections.entryPoint]
+          to = ":443"
+          scheme = "https"
+  [entryPoints.websecure]
+    address = ":443"

dev-cluster/apps/generate_certs.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+if command -v apk 2>/dev/null
+then
+    apk add --no-cache openssl
+fi
+
+NAME=local.lncd.pl
+SUBJ="
+C=PL
+O=LeanCode DEV
+commonName=*.$NAME
+organizationalUnitName=LeanCode DEV
+[email protected]"
+SUBJ="$(echo "$SUBJ" | tr '\n' '/')"
+PASSWD=Passwd1!
+
+if ! test -f CA.key || ! test -f CA.pem
+then
+    openssl genrsa -des3 -out CA.key -passout pass:"$PASSWD" 2048
+    openssl req -x509 -new -nodes -subj "$SUBJ" -key CA.key -passin pass:"$PASSWD" -sha256 -days 825 -out CA.pem
+fi
+
+if ! test -f "$NAME.key" || ! test -f "$NAME.cert"
+then
+    openssl genrsa -out "$NAME.key" 2048
+    openssl req -new -subj "$SUBJ" -key "$NAME.key" -out "$NAME.csr"
+    cat > "$NAME.ext" <<-EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
+DNS.2 = *.$NAME # Optionally, add additional domains (I've added a subdomain here)
+EOF
+
+    openssl x509 -req -in "$NAME.csr" -CA CA.pem -CAkey CA.key -CAcreateserial \
+        -out "$NAME.cert" -days 825 -sha256 -extfile "$NAME.ext" -passin pass:"$PASSWD"
+fi
+
+chmod 666 -- CA.key CA.pem "$NAME.key" "$NAME.cert" || true
+rm -f -- "$NAME.ext" "$NAME.csr" CA.srl

dev-cluster/deploy.sh

@@ -6,10 +6,10 @@ cd "${0:A:h}"
 k3d cluster delete exampleapp || true
 k3d registry delete k3d-exampleapp-registry.local.lncd.pl || true
 rm *.tfstate* || true
+docker rm exampleapp-certificates || true
 
 # Docker provider will not be able to use the token
-az acr login -n leancode
-docker pull leancode.azurecr.io/traefik-proxy
+az acr login -n leancode && docker pull leancode.azurecr.io/traefik-proxy || true
 
 # We depend on these charts
 helm repo add traefik https://helm.traefik.io/traefik || true

dev-cluster/traefik.tf

@@ -4,20 +4,45 @@ locals {
   traefik_image         = "${local.traefik_image_name}:${local.traefik_image_version}"
 
   traefik_triggers = {
-    dockerfile_trigger   = filemd5("./apps/Dockerfile.traefik")
+    dockerfile_trigger   = filemd5(var.traefik_self_signed ? "./apps/Dockerfile.traefik-self-signed" : "./apps/Dockerfile.traefik")
     dynamic_toml_trigger = filemd5("./apps/dynamic.toml")
   }
 }
 
+resource "docker_image" "alpine" {
+  name         = "docker.io/library/alpine:latest"
+  keep_locally = true
+}
+
+resource "docker_container" "certificates" {
+  image = docker_image.alpine.image_id
+  name  = "exampleapp-certificates"
+
+  start       = true
+  attach      = true
+  wait        = true
+  rm          = true
+  working_dir = "/mnt"
+  command     = ["./generate_certs.sh"]
+
+  mounts {
+    type   = "bind"
+    source = abspath("${path.module}/apps")
+    target = "/mnt"
+  }
+}
+
 resource "docker_image" "traefik" {
   name = local.traefik_image
 
   build {
     context    = "./apps"
-    dockerfile = "Dockerfile.traefik"
+    dockerfile = var.traefik_self_signed ? "Dockerfile.traefik-self-signed" : "Dockerfile.traefik"
   }
 
   triggers = local.traefik_triggers
+
+  depends_on = [docker_container.certificates]
 }
 
 resource "docker_registry_image" "traefik" {

dev-cluster/variables.tf

@@ -1,3 +1,8 @@
+variable "traefik_self_signed" {
+  type    = bool
+  default = true
+}
+
 variable "metabase" {
   type    = bool
   default = false