vault-wrap: Добавлена рабочая конфигурация traefik

This commit is contained in:
svkalinin 2024-07-10 12:55:19 +03:00
parent 6004e090e5
commit e1a9944082
7 changed files with 120 additions and 19 deletions


@ -4,8 +4,10 @@ RUN apk --no-cache add gcc g++ make git
WORKDIR /go/src/app WORKDIR /go/src/app
COPY . . COPY . .
RUN go get ./... RUN go get ./...
RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go
FROM alpine:3.20 FROM alpine:3.20
RUN apk add tzdata RUN apk add tzdata
#RUN apk --no-cache add ca-certificates #RUN apk --no-cache add ca-certificates


@ -7,6 +7,7 @@ services:
environment: environment:
- ACTION_ADDRESS=${ACTION_ADDRESS} - ACTION_ADDRESS=${ACTION_ADDRESS}
- VAULT_ADDRESS=${VAULT_ADDRESS} - VAULT_ADDRESS=${VAULT_ADDRESS}
- LISTEN_PORT=443
- TLS_KEY_FILE=${TLS_KEY_FILE} - TLS_KEY_FILE=${TLS_KEY_FILE}
- TLS_CERT_FILE=${TLS_CERT_FILE} - TLS_CERT_FILE=${TLS_CERT_FILE}
- TZ=Europe/Moscow - TZ=Europe/Moscow
@ -22,6 +23,42 @@ services:
max-size: "10m" max-size: "10m"
max-file: "5" max-file: "5"
traefik:
image: traefik:v3.0
command:
# - --entrypoints.web.address=:80
# - --entrypoints.web-secure.address=:443
# - --providers.docker=true
- --providers.file.directory=/configuration/
- --providers.file.watch=true
volumes:
- ./configuration/:/configuration/
- ./traefik.yml:/traefik.yml:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./ssl/:/ssl/:ro
ports:
- 80:80
- 8080:8080
- 888:888
- 443:443
restart: always
networks:
- default
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
- "traefik.http.routers.traefik.tls=true"
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
networks:
default:
name: reverse-proxy
external: true
volumes: volumes:
vault-wrap-log: vault-wrap-log:
vault-wrap-conf: vault-wrap-conf:
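Review bot: The traefik service publishes `8080:8080` and `888:888` on every host interface while the accompanying traefik.yml sets `api.insecure: true`, so the dashboard/API (which enumerates every router, service and the certificate file paths) is reachable with no authentication on :8080, and the TLS router for `api@internal` declared in the labels carries no auth middleware either. Drop `- 8080:8080` and `- 888:888` (only the dashboard entrypoint binds 888 in this commit) and guard the router, e.g. `- "traefik.http.routers.traefik.middlewares=dash-auth"` plus `- "traefik.http.middlewares.dash-auth.basicauth.users=${DASHBOARD_USERS}"` with the hash supplied from the environment, not committed. The `traefik.http.services.traefik-traefik.loadbalancer.server.port=888` label contradicts `service=api@internal` on the same router and looks like a leftover. Mounting `/var/run/docker.sock` gives the container control of the Docker daemon and the host; `:ro` does not restrict API calls, so a socket proxy that only allows read-only container queries is the usual mitigation. Note also that the command passes `--providers.file.directory=/configuration/` while traefik.yml configures `providers.file.filename`; verify which static configuration Traefik actually loads when both a CLI flag and a traefik.yml in the working directory are present.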


@ -2,7 +2,7 @@
set -u set -u
while true ;do while true ;do
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log /go/binv/ault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"
sleep 120 sleep 120
done done
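Review bot: On the new side the command path reads `/go/binv/ault-wrap` instead of `/go/bin/vault-wrap`; if that is the file content and not a rendering artifact, the service never starts and, because `set -u` is used without `set -e` and the loop has no exit condition, the container just logs "not found" and retries every 120 s while `restart: always` keeps it looking healthy. The line should be `/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" ... -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"`. Consider also `exec`-ing the binary or checking its exit status so a persistent failure surfaces instead of being masked by the sleep loop.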


@ -4,26 +4,29 @@
<meta charset="utf-8"> <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Data Unwrap Form</title> <title>Data Unwrap Form</title>
<!-- <link rel="stylesheet" href="css/normalize.css"> </head>
<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700" rel="stylesheet">
<link rel="stylesheet" href="css/main.css"> -->
</head>
<body> <body>
<table> <table>
<tr><td> <tr><td>
<a href={{.URL}}/unwrap>Расшифровать</a> | <!-- <a href={{.URL}}/unwrap>Расшифровать</a> |
<a href={{.URL}}/genpassword>Сгенерировать пароль</a> <a href={{.URL}}/genpassword>Сгенерировать пароль</a>-->
<tr><td><p></p></td></tr> <tr><td><p></p></td></tr>
<tr><td> <tr><td>
<form method="post" action="{{.URL}}/unwrap"> <form method="post">
<table> <table>
<tr><td> <tr><td>
<textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea> <textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea>
</td></tr> </td></tr>
<tr><td align=right> <tr><td align=right>
<button type="submit">Расшифровать</button> <button type="submit" formaction="{{.URL}}/unwrap">Расшифровать</button>
<tr><td><hr></td></tr>
</td></tr> </td></tr>
</form> <tr><td align=right>
Длина пароля (от 15 до 1024)
<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">
<button type="submit" formaction="{{.URL}}/genpassword">Сгенерировать пароль</button>
</td></tr>
</form>
</td></tr> </td></tr>
<tr><td> <tr><td>
</td></tr> </td></tr>
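Review bot: `<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">` has a stray `/` before `size`, and the pattern admits any two-to-four-digit value (10–9999) while the label promises 15 to 1024; since the server handler in this commit enforces only an upper bound, the stated minimum exists nowhere. Use `<input type="number" name="passlength" min="15" max="1024" value="32" size="4">` so the browser rejects out-of-range values, and treat it as a hint only — the handler still needs to validate. If this template is rendered with text/template rather than html/template, `{{.URL}}` in `formaction="{{.URL}}/unwrap"` (and the unquoted `href={{.URL}}` in the now commented-out links) is inserted unescaped; confirm which package is used.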


@ -0,0 +1,12 @@
# Dynamic configuration
# in configuration/certificates.yaml
tls:
certificates:
# first certificate
- certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
# second certificate
#- certFile: /path/to/other.cert
# keyFile: /path/to/other.key

traefik-files/traefik.yml Normal file

@ -0,0 +1,30 @@
api:
dashboard: true
insecure: true
accessLog: {}
log:
level: INFO
entryPoints:
http:
address: ":80"
https:
address: ":443"
dashboard:
address: ":888"
http:
routers:
host:
entryPoints:
- http
rule: Host(`corp.samsonopt.ru`)
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /configuration/certificates.yaml
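Review bot: `api.insecure: true` serves the dashboard and API without authentication on the default `traefik` entrypoint (:8080), which docker-compose in this same commit publishes to the host; set `insecure: false` and expose the dashboard only through an authenticated TLS router (the compose labels already route `api@internal` over `https`, so only the auth middleware is missing). The `http.routers` block is dynamic configuration — as far as I recall Traefik refuses to start when it appears in the static file ("field not found, node: routers") — and the `host` router has no service in any case; move it to /configuration/ next to certificates.yaml or drop it. `providers.file.filename` here and `--providers.file.directory` in docker-compose point at overlapping but different things; pick one so the cert file is not loaded twice or not at all.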


@ -195,24 +195,38 @@ func getDataFromHtmlForm(w http.ResponseWriter, r *http.Request) {
} }
func genPassword(w http.ResponseWriter, r *http.Request) { func genPassword(w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r) // params := mux.Vars(r)
passLength := params["passLength"] // passLength := params["passLength"]
r.ParseForm()
passLength := r.FormValue("passlength")
if Debug {
log.Printf(r.FormValue("passlength"), passLength)
}
if len(passLength) == 0 {
passLength = "32"
}
// w.Write([]byte("Длина пароля " + passLength + "/n")) // w.Write([]byte("Длина пароля " + passLength + "/n"))
passwordLength, err := strconv.Atoi(passLength) passwordLength, err := strconv.Atoi(passLength)
if passwordLength > 1024 { if passwordLength > 1024 {
log.Printf("Oversized password length") log.Printf("Oversized password length")
w.Write([]byte("Oversized password length")) Data = "Превышена длина пароля"
getStaticPage(w, r)
return return
} }
if err != nil { if err != nil {
log.Fatal(err) log.Println(err)
} }
res, err := password.Generate(passwordLength, 10, 5, false, true) res, err := password.Generate(passwordLength, 10, 5, false, true)
if err != nil { if err != nil {
log.Fatal(err) log.Println(err)
} }
log.Printf(res) if Debug {
w.Write([]byte(res)) log.Printf(res)
}
Data = res
// w.Write([]byte(res))
getStaticPage(w, r)
} }
func genPasswordDefault(w http.ResponseWriter, r *http.Request) { func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
@ -221,7 +235,10 @@ func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
log.Fatal(err) log.Fatal(err)
} }
log.Printf(res) log.Printf(res)
w.Write([]byte(res)) // w.Write([]byte(res))
Data = res
// w.Write([]byte(res))
getStaticPage(w, r)
} }
func main() { func main() {
@ -270,7 +287,7 @@ func main() {
rtr := mux.NewRouter() rtr := mux.NewRouter()
rtr.HandleFunc("/unwrap", getDataFromHtmlForm) rtr.HandleFunc("/unwrap", getDataFromHtmlForm)
rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword) rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword)
rtr.HandleFunc("/genpassword", genPasswordDefault) rtr.HandleFunc("/genpassword", genPassword)
rtr.HandleFunc("/", getDataFromHtmlForm) rtr.HandleFunc("/", getDataFromHtmlForm)
rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static"))) rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static")))
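Review bot: In genPassword the Debug branch calls `log.Printf(r.FormValue("passlength"), passLength)`, which passes a request-controlled string as the format string, so any `%` verbs a client sends are interpreted (`go vet` flags this); use `log.Printf("passlength=%q", passLength)`. More serious, `Data = res` stores the freshly generated password in what appears to be a package-level variable that getStaticPage (outside this hunk) renders, so concurrent requests race on it and one client can be shown another's secret — the same pattern seems to carry unwrapped data, which makes this a cross-request leak, not just a race; pass `res` to the renderer as an argument instead of through a global. The `err` from `strconv.Atoi` is examined only after the `> 1024` test and then merely logged, so a non-numeric, zero or sub-15 value reaches `password.Generate`; fold it into one guard, `if err != nil || passwordLength < 15 || passwordLength > 1024 { Data = "Недопустимая длина пароля"; getStaticPage(w, r); return }`. Finally `log.Printf(res)` (Debug-only here, unconditional in genPasswordDefault) writes the generated password to the log file and again uses it as a format string — drop it or log only `len(res)`. genPasswordDefault's body starts outside the hunk, and the `/genpassword/{passLength}` route now maps to a handler that ignores the path variable.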