vault-wrap: Добавлена рабочая конфигурация traefik
parent
6004e090e5
commit
e1a9944082
|
@ -4,8 +4,10 @@ RUN apk --no-cache add gcc g++ make git
|
||||||
WORKDIR /go/src/app
|
WORKDIR /go/src/app
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
RUN go get ./...
|
RUN go get ./...
|
||||||
RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go
|
RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go
|
||||||
|
|
||||||
FROM alpine:3.20
|
FROM alpine:3.20
|
||||||
RUN apk add tzdata
|
RUN apk add tzdata
|
||||||
#RUN apk --no-cache add ca-certificates
|
#RUN apk --no-cache add ca-certificates
|
||||||
|
|
|
@ -7,6 +7,7 @@ services:
|
||||||
environment:
|
environment:
|
||||||
- ACTION_ADDRESS=${ACTION_ADDRESS}
|
- ACTION_ADDRESS=${ACTION_ADDRESS}
|
||||||
- VAULT_ADDRESS=${VAULT_ADDRESS}
|
- VAULT_ADDRESS=${VAULT_ADDRESS}
|
||||||
|
- LISTEN_PORT=443
|
||||||
- TLS_KEY_FILE=${TLS_KEY_FILE}
|
- TLS_KEY_FILE=${TLS_KEY_FILE}
|
||||||
- TLS_CERT_FILE=${TLS_CERT_FILE}
|
- TLS_CERT_FILE=${TLS_CERT_FILE}
|
||||||
- TZ=Europe/Moscow
|
- TZ=Europe/Moscow
|
||||||
|
@ -22,6 +23,42 @@ services:
|
||||||
max-size: "10m"
|
max-size: "10m"
|
||||||
max-file: "5"
|
max-file: "5"
|
||||||
|
|
||||||
|
traefik:
|
||||||
|
image: traefik:v3.0
|
||||||
|
command:
|
||||||
|
# - --entrypoints.web.address=:80
|
||||||
|
# - --entrypoints.web-secure.address=:443
|
||||||
|
# - --providers.docker=true
|
||||||
|
- --providers.file.directory=/configuration/
|
||||||
|
- --providers.file.watch=true
|
||||||
|
volumes:
|
||||||
|
- ./configuration/:/configuration/
|
||||||
|
- ./traefik.yml:/traefik.yml:ro
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
- ./ssl/:/ssl/:ro
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
- 8080:8080
|
||||||
|
- 888:888
|
||||||
|
- 443:443
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- default
|
||||||
|
labels:
|
||||||
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.routers.traefik.entrypoints=https"
|
||||||
|
- "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
|
||||||
|
- "traefik.http.routers.traefik.tls=true"
|
||||||
|
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
|
||||||
|
- "traefik.http.routers.traefik.service=api@internal"
|
||||||
|
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
default:
|
||||||
|
name: reverse-proxy
|
||||||
|
external: true
|
||||||
|
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
vault-wrap-log:
|
vault-wrap-log:
|
||||||
vault-wrap-conf:
|
vault-wrap-conf:
|
||||||
|
|
|
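Review bot: The traefik service publishes `8080:8080` and `888:888` next to 80/443, and the `traefik.http.routers.traefik.*` labels route `api@internal` with TLS but attach no authentication middleware, so the dashboard and the routing configuration it displays are reachable by anyone who can connect to those ports (traefik.yml in this same commit additionally sets `api.insecure: true`, which serves the API on 8080 without TLS or auth). Drop the `8080:8080` and `888:888` mappings, keep the dashboard on the `https` router only, and guard it with a middleware, e.g. `- "traefik.http.routers.traefik.middlewares=dashboard-auth"` with a basicAuth or forwardAuth middleware defined in the file-provider directory. The Docker socket mount, even read-only, lets Traefik read every container's labels and metadata on the host; `exposedByDefault: false` in traefik.yml limits what is routed, but it is one more reason the dashboard must not be unauthenticated. The paths also look inconsistent: the command passes `--providers.file.directory=/configuration/` and the volumes mount `./configuration/` and `./traefik.yml`, while the files added by this commit live under `traefik-files/`; unless the compose file itself sits in that directory, those mounts will be empty at start-up.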
@ -2,7 +2,7 @@
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
while true ;do
|
while true ;do
|
||||||
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log
|
/go/binv/ault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"
|
||||||
|
|
||||||
sleep 120
|
sleep 120
|
||||||
done
|
done
|
||||||
|
|
|
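Review bot: The relaunch line now invokes `/go/binv/ault-wrap`, a typo for `/go/bin/vault-wrap` (the removed line had it right), so the loop will fail every 120 s with a not-found error; the line should read `/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" … -listen-port "${LISTEN_PORT}"` with the rest unchanged. With `set -u` in effect, an unset LISTEN_PORT aborts the whole script at the first expansion instead of falling back to the binary's previous default; either use `"${LISTEN_PORT:-443}"` or document that the variable is mandatory (docker-compose.yml in this commit sets it to 443).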
@ -4,26 +4,29 @@
|
||||||
<meta charset="utf-8">
|
<meta charset="utf-8">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
<title>Data Unwrap Form</title>
|
<title>Data Unwrap Form</title>
|
||||||
<!-- <link rel="stylesheet" href="css/normalize.css">
|
</head>
|
||||||
<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700" rel="stylesheet">
|
|
||||||
<link rel="stylesheet" href="css/main.css"> -->
|
|
||||||
</head>
|
|
||||||
<body>
|
<body>
|
||||||
<table>
|
<table>
|
||||||
<tr><td>
|
<tr><td>
|
||||||
<a href={{.URL}}/unwrap>Расшифровать</a> |
|
<!-- <a href={{.URL}}/unwrap>Расшифровать</a> |
|
||||||
<a href={{.URL}}/genpassword>Сгенерировать пароль</a>
|
<a href={{.URL}}/genpassword>Сгенерировать пароль</a>-->
|
||||||
<tr><td><p></p></td></tr>
|
<tr><td><p></p></td></tr>
|
||||||
<tr><td>
|
<tr><td>
|
||||||
<form method="post" action="{{.URL}}/unwrap">
|
<form method="post">
|
||||||
<table>
|
<table>
|
||||||
<tr><td>
|
<tr><td>
|
||||||
<textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea>
|
<textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
<tr><td align=right>
|
<tr><td align=right>
|
||||||
<button type="submit">Расшифровать</button>
|
<button type="submit" formaction="{{.URL}}/unwrap">Расшифровать</button>
|
||||||
|
<tr><td><hr></td></tr>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
</form>
|
<tr><td align=right>
|
||||||
|
Длина пароля (от 15 до 1024)
|
||||||
|
<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">
|
||||||
|
<button type="submit" formaction="{{.URL}}/genpassword">Сгенерировать пароль</button>
|
||||||
|
</td></tr>
|
||||||
|
</form>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
<tr><td>
|
<tr><td>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
|
|
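Review bot: The new length field `<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">` has a stray `/` before `size`, which leaves the remaining attributes to browser error recovery, and its pattern admits 10–9999 while the caption promises 15–1024; write it as `<input type="number" name="passlength" size=4 min="15" max="1024">`. The inserted `<tr><td><hr></td></tr>` sits inside the still-open `<td>` of the submit-button row (the `</td></tr>` only follows it), so the table nesting is invalid; close that row before starting a new one. Browser-side constraints are advisory only, so the 15–1024 range still has to be enforced in genPassword on the server.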
12
traefik-files/certificates.yaml
Normal file
12
traefik-files/certificates.yaml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
# Dynamic configuration
|
||||||
|
# in configuration/certificates.yaml
|
||||||
|
tls:
|
||||||
|
certificates:
|
||||||
|
# first certificate
|
||||||
|
- certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
|
||||||
|
keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
|
||||||
|
|
||||||
|
# second certificate
|
||||||
|
#- certFile: /path/to/other.cert
|
||||||
|
# keyFile: /path/to/other.key
|
||||||
|
|
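Review bot: The header comment says `# in configuration/certificates.yaml`, but the file is added as traefik-files/certificates.yaml while docker-compose.yml mounts `./configuration/` into the container, so one of those paths has to change for the file provider to find it; update the comment to whichever path is actually mounted. The private key is read from `/ssl/runner1-prod.corp.samsonopt.ru.key`, which the compose file maps from `./ssl/` inside the project tree — make sure that directory is excluded from version control and from the Docker build context (no `.gitignore`/`.dockerignore` entry is visible in this commit).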
30
traefik-files/traefik.yml
Normal file
30
traefik-files/traefik.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
api:
|
||||||
|
dashboard: true
|
||||||
|
insecure: true
|
||||||
|
|
||||||
|
accessLog: {}
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
entryPoints:
|
||||||
|
http:
|
||||||
|
address: ":80"
|
||||||
|
https:
|
||||||
|
address: ":443"
|
||||||
|
dashboard:
|
||||||
|
address: ":888"
|
||||||
|
|
||||||
|
http:
|
||||||
|
routers:
|
||||||
|
host:
|
||||||
|
entryPoints:
|
||||||
|
- http
|
||||||
|
rule: Host(`corp.samsonopt.ru`)
|
||||||
|
|
||||||
|
providers:
|
||||||
|
docker:
|
||||||
|
endpoint: "unix:///var/run/docker.sock"
|
||||||
|
exposedByDefault: false
|
||||||
|
file:
|
||||||
|
filename: /configuration/certificates.yaml
|
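Review bot: `api.insecure: true` serves the Traefik API and dashboard on the built-in `traefik` entrypoint (port 8080) with no TLS and no authentication, and docker-compose.yml in this commit publishes that port; set `insecure: false` and expose the dashboard only through the `https` entrypoint behind an auth middleware. The `http.routers.host` block is dynamic configuration — routers are not part of the static traefik.yml, and Traefik's static parser does not accept unknown top-level keys — so this will most likely prevent start-up or be ignored; it belongs in the file-provider directory next to certificates.yaml, and it also names no service. `providers.file.filename` is set here while the compose command passes `--providers.file.directory`; the file provider treats the two as mutually exclusive, so if both sources are applied only one should remain.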
35
vault.go
35
vault.go
|
@ -195,24 +195,38 @@ func getDataFromHtmlForm(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func genPassword(w http.ResponseWriter, r *http.Request) {
|
func genPassword(w http.ResponseWriter, r *http.Request) {
|
||||||
params := mux.Vars(r)
|
// params := mux.Vars(r)
|
||||||
passLength := params["passLength"]
|
// passLength := params["passLength"]
|
||||||
|
|
||||||
|
r.ParseForm()
|
||||||
|
passLength := r.FormValue("passlength")
|
||||||
|
if Debug {
|
||||||
|
log.Printf(r.FormValue("passlength"), passLength)
|
||||||
|
}
|
||||||
|
if len(passLength) == 0 {
|
||||||
|
passLength = "32"
|
||||||
|
}
|
||||||
// w.Write([]byte("Длина пароля " + passLength + "/n"))
|
// w.Write([]byte("Длина пароля " + passLength + "/n"))
|
||||||
passwordLength, err := strconv.Atoi(passLength)
|
passwordLength, err := strconv.Atoi(passLength)
|
||||||
if passwordLength > 1024 {
|
if passwordLength > 1024 {
|
||||||
log.Printf("Oversized password length")
|
log.Printf("Oversized password length")
|
||||||
w.Write([]byte("Oversized password length"))
|
Data = "Превышена длина пароля"
|
||||||
|
getStaticPage(w, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal(err)
|
log.Println(err)
|
||||||
}
|
}
|
||||||
res, err := password.Generate(passwordLength, 10, 5, false, true)
|
res, err := password.Generate(passwordLength, 10, 5, false, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal(err)
|
log.Println(err)
|
||||||
}
|
}
|
||||||
log.Printf(res)
|
if Debug {
|
||||||
w.Write([]byte(res))
|
log.Printf(res)
|
||||||
|
}
|
||||||
|
Data = res
|
||||||
|
// w.Write([]byte(res))
|
||||||
|
getStaticPage(w, r)
|
||||||
}
|
}
|
||||||
|
|
||||||
func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
|
func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
|
||||||
|
@ -221,7 +235,10 @@ func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
|
||||||
log.Fatal(err)
|
log.Fatal(err)
|
||||||
}
|
}
|
||||||
log.Printf(res)
|
log.Printf(res)
|
||||||
w.Write([]byte(res))
|
// w.Write([]byte(res))
|
||||||
|
Data = res
|
||||||
|
// w.Write([]byte(res))
|
||||||
|
getStaticPage(w, r)
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
@ -270,7 +287,7 @@ func main() {
|
||||||
rtr := mux.NewRouter()
|
rtr := mux.NewRouter()
|
||||||
rtr.HandleFunc("/unwrap", getDataFromHtmlForm)
|
rtr.HandleFunc("/unwrap", getDataFromHtmlForm)
|
||||||
rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword)
|
rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword)
|
||||||
rtr.HandleFunc("/genpassword", genPasswordDefault)
|
rtr.HandleFunc("/genpassword", genPassword)
|
||||||
|
|
||||||
rtr.HandleFunc("/", getDataFromHtmlForm)
|
rtr.HandleFunc("/", getDataFromHtmlForm)
|
||||||
rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static")))
|
rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static")))
|
||||||
|
|