vault-wrap: Добавлена рабочая конфигурация traefik

This commit is contained in:
svkalinin 2024-07-10 12:55:19 +03:00
parent 6004e090e5
commit e1a9944082
7 changed files with 120 additions and 19 deletions


@ -4,8 +4,10 @@ RUN apk --no-cache add gcc g++ make git
WORKDIR /go/src/app
COPY . .
RUN go get ./...
RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go
FROM alpine:3.20
RUN apk add tzdata
#RUN apk --no-cache add ca-certificates
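Review bot: `RUN apk add tzdata` in the runtime stage leaves the apk package index in the final image and differs from the `apk --no-cache add` form used at the top of this hunk for the build stage; write it as `RUN apk --no-cache add tzdata`. The commented-out ca-certificates line that follows suggests the runtime image may lack CA roots; if vault-wrap reaches Vault over HTTPS (the `-vault-url` it is started with), the TLS handshake will fail without them, so confirm whether that line should be re-enabled.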


@ -7,6 +7,7 @@ services:
environment:
- ACTION_ADDRESS=${ACTION_ADDRESS}
- VAULT_ADDRESS=${VAULT_ADDRESS}
- LISTEN_PORT=443
- TLS_KEY_FILE=${TLS_KEY_FILE}
- TLS_CERT_FILE=${TLS_CERT_FILE}
- TZ=Europe/Moscow
@ -22,6 +23,42 @@ services:
max-size: "10m"
max-file: "5"
traefik:
image: traefik:v3.0
command:
# - --entrypoints.web.address=:80
# - --entrypoints.web-secure.address=:443
# - --providers.docker=true
- --providers.file.directory=/configuration/
- --providers.file.watch=true
volumes:
- ./configuration/:/configuration/
- ./traefik.yml:/traefik.yml:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./ssl/:/ssl/:ro
ports:
- 80:80
- 8080:8080
- 888:888
- 443:443
restart: always
networks:
- default
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
- "traefik.http.routers.traefik.tls=true"
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
networks:
default:
name: reverse-proxy
external: true
volumes:
vault-wrap-log:
vault-wrap-conf:
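Review bot: Publishing `- 8080:8080` exposes Traefik's API/dashboard port on every host interface, and the traefik.yml added in this commit sets `api.insecure: true`, so the dashboard and the `api@internal` API are reachable without authentication from outside the host. The labels in this hunk already route the dashboard over the TLS `https` entrypoint via `api@internal`, so drop the `8080:8080` mapping, set `insecure: false`, and attach an auth middleware to the `traefik` router. The `/var/run/docker.sock` mount grants the container full Docker API control even with `:ro` (it only prevents replacing the socket file); `exposedByDefault: false` limits what gets routed but not what the socket permits, so this is worth a comment stating why the docker provider is needed at all given `--providers.docker` is commented out here. Also, `--providers.file.directory=/configuration/` in `command` and `providers.file.filename` in traefik.yml configure the same provider two different ways; keep one.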


@ -2,7 +2,7 @@
set -u
while true ;do
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log
/go/binv/ault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"
sleep 120
done
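Review bot: The rewritten invocation mangles the binary path — `/go/bin/vault-wrap` became `/go/binv/ault-wrap` — so every iteration of the loop fails with a not-found error and the script sleeps 120 s forever without ever starting the service; the line should begin `/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" ...` with the rest unchanged. The Dockerfile hunk in this commit builds into `./bin/vault-wrap` under `/go/src/app`; confirm the runtime stage installs it at `/go/bin/vault-wrap` as this script assumes. With `set -u`, an unset `LISTEN_PORT` aborts the script rather than falling back to a default, which is fine as long as docker-compose always supplies it, but a `: "${LISTEN_PORT:=443}"` before the loop would make the intent explicit.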


@ -4,24 +4,27 @@
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Data Unwrap Form</title>
<!-- <link rel="stylesheet" href="css/normalize.css">
<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700" rel="stylesheet">
<link rel="stylesheet" href="css/main.css"> -->
</head>
<body>
<table>
<tr><td>
<a href={{.URL}}/unwrap>Расшифровать</a> |
<a href={{.URL}}/genpassword>Сгенерировать пароль</a>
<!-- <a href={{.URL}}/unwrap>Расшифровать</a> |
<a href={{.URL}}/genpassword>Сгенерировать пароль</a>-->
<tr><td><p></p></td></tr>
<tr><td>
<form method="post" action="{{.URL}}/unwrap">
<form method="post">
<table>
<tr><td>
<textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea>
</td></tr>
<tr><td align=right>
<button type="submit">Расшифровать</button>
<button type="submit" formaction="{{.URL}}/unwrap">Расшифровать</button>
<tr><td><hr></td></tr>
</td></tr>
<tr><td align=right>
Длина пароля (от 15 до 1024)
<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">
<button type="submit" formaction="{{.URL}}/genpassword">Сгенерировать пароль</button>
</td></tr>
</form>
</td></tr>
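Review bot: The added `<input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">` is malformed — the stray `/` before `size` ends the tag early, so the `size` and `pattern` attributes may be dropped by the parser. The pattern also does not enforce the 15–1024 range the label states (it accepts 10–14 and anything up to 9999); use `<input type="number" name="passlength" min="15" max="1024" required>` and keep the server-side bound in genPassword as the authoritative check, since client-side constraints are advisory only. The added `<tr><td><hr></td></tr>` row sits inside the still-open `<td align=right>` (closed by the following `</td></tr>`), nesting a row inside a cell; move it after that closing line. The outer `<table>` opened at the top of this hunk is closed outside it.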


@ -0,0 +1,12 @@
# Dynamic configuration
# in configuration/certificates.yaml
tls:
certificates:
# first certificate
- certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
# second certificate
#- certFile: /path/to/other.cert
# keyFile: /path/to/other.key

30
traefik-files/traefik.yml Normal file

@ -0,0 +1,30 @@
api:
dashboard: true
insecure: true
accessLog: {}
log:
level: INFO
entryPoints:
http:
address: ":80"
https:
address: ":443"
dashboard:
address: ":888"
http:
routers:
host:
entryPoints:
- http
rule: Host(`corp.samsonopt.ru`)
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /configuration/certificates.yaml
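Review bot: `insecure: true` under `api:` serves the dashboard and API unauthenticated on port 8080, which the compose change in this commit publishes to the host; set `insecure: false` and rely on the TLS `api@internal` router defined by the compose labels, with an auth middleware attached. The `http.routers.host` block is dynamic configuration and does not belong in the static file — Traefik v2/v3 typically refuse to start with a "field not found" error for unknown static fields, and the router has no service anyway — so move it into the file-provider directory or remove it. `providers.file.filename` here and `--providers.file.directory=/configuration/` in the compose `command` configure the same provider two ways; keep one of them.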


@ -195,24 +195,38 @@ func getDataFromHtmlForm(w http.ResponseWriter, r *http.Request) {
}
func genPassword(w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
passLength := params["passLength"]
// params := mux.Vars(r)
// passLength := params["passLength"]
r.ParseForm()
passLength := r.FormValue("passlength")
if Debug {
log.Printf(r.FormValue("passlength"), passLength)
}
if len(passLength) == 0 {
passLength = "32"
}
// w.Write([]byte("Длина пароля " + passLength + "/n"))
passwordLength, err := strconv.Atoi(passLength)
if passwordLength > 1024 {
log.Printf("Oversized password length")
w.Write([]byte("Oversized password length"))
Data = "Превышена длина пароля"
getStaticPage(w, r)
return
}
if err != nil {
log.Fatal(err)
log.Println(err)
}
res, err := password.Generate(passwordLength, 10, 5, false, true)
if err != nil {
log.Fatal(err)
log.Println(err)
}
if Debug {
log.Printf(res)
w.Write([]byte(res))
}
Data = res
// w.Write([]byte(res))
getStaticPage(w, r)
}
func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
@ -221,7 +235,10 @@ func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
log.Fatal(err)
}
log.Printf(res)
w.Write([]byte(res))
// w.Write([]byte(res))
Data = res
// w.Write([]byte(res))
getStaticPage(w, r)
}
func main() {
@ -270,7 +287,7 @@ func main() {
rtr := mux.NewRouter()
rtr.HandleFunc("/unwrap", getDataFromHtmlForm)
rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword)
rtr.HandleFunc("/genpassword", genPasswordDefault)
rtr.HandleFunc("/genpassword", genPassword)
rtr.HandleFunc("/", getDataFromHtmlForm)
rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static")))