diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 9b282a4..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -stages: - - build - - release - - deploy - -variables: - DOCKER_DRIVER: overlay2 - IMAGE_PATH: $CI_REGISTRY/$CI_PROJECT_PATH - # IMAGE_VERSION: $CI_COMMIT_SHORT_SHA - RELEASE_VERSION: $CI_COMMIT_SHORT_SHA - -before_script: - - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - - mkdir -p .ci_status - -.dedicated-builder: &dedicated-builder - tags: - - build1-shell - - -.dedicated-runner: &dedicated-runner - tags: - - runner1-prod-shell - -vault_wrap_build: - <<: *dedicated-builder - stage: build - script: - - DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 docker-compose -f docker-compose.yml build vault-wrap - - docker tag $IMAGE_PATH/vault-wrap:$RELEASE_VERSION $IMAGE_PATH/vault-wrap:dev - - docker push $IMAGE_PATH/vault-wrap:dev - - touch .ci_status/vault_wrap_build - only: - refs: - - main - changes: - - vault.go - - Dockerfile - - entrypoint.sh - - docker-compose.yml - - .gitlab-ci.yml - artifacts: - paths: - - .ci_status/ - -# --------------- RELEASE STAGE -------------# -vault_wrap_release: - <<: *dedicated-builder - stage: release - script: - - if [ -e .ci_status/vault_wrap_build ]; then docker pull $IMAGE_PATH/vault-wrap:dev; docker tag $IMAGE_PATH/vault-wrap:dev $IMAGE_PATH/vault-wrap:$RELEASE_VERSION; docker push $IMAGE_PATH/vault-wrap:$RELEASE_VERSION; touch .ci_status/vault_wrap_release; fi - artifacts: - paths: - - .ci_status/ - only: - refs: - - main - - -#-------------- DEPLOY STAGE ------------------# -vault_wrap_deploy: - <<: *dedicated-runner - stage: deploy - script: - - docker volume create vault-wrap_vault-wrap-conf - - docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v /etc/ssl/certs/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.crt /temporary - - docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v /etc/ssl/private/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.key /temporary - - docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v ./html-template/:/files alpine cp 
files/index.html /temporary - # -cp /etc/ssl/certs/runner1-prod.corp.samsonopt.ru.crt /srv/docker/volumes/vault-wrap_vault-wrap-conf/_data/ - # - cp /etc/ssl/private/runner1-prod.corp.samsonopt.ru.key /srv/docker/volumes/vault-wrap_vault-wrap-conf/_data/ - - export TLS_CERT_FILE=runner1-prod.corp.samsonopt.ru.crt - - export TLS_KEY_FILE=runner1-prod.corp.samsonopt.ru.key - - if [ -e .ci_status/vault_wrap_release ]; then docker-compose -f docker-compose.yml up -d vault-wrap; fi - only: - refs: - - main - -traefik_deploy: - <<: *dedicated-runner - stage: deploy - script: - - mkdir -p /home/gitlab-runner/traefik - - docker volume create vault-wrap_traefik-ssl - - docker volume create vault-wrap_traefik-dynamic-conf - - docker run --rm -v vault-wrap_traefik-ssl:/temporary -v /etc/ssl/certs/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.crt /temporary - - docker run --rm -v vault-wrap_traefik-ssl:/temporary -v /etc/ssl/private/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.key /temporary - - docker run --rm -v vault-wrap_traefik-dynamic-conf:/temporary -v ./traefik-files:/files alpine cp files/certificates.yml /temporary - - cp traefik-files/traefik.yml /home/gitlab-runner/traefik/traefik.yml - - export TLS_CERT_FILE=runner1-prod.corp.samsonopt.ru.crt - - export TLS_KEY_FILE=runner1-prod.corp.samsonopt.ru.key - - if [ -e .ci_status/vault_wrap_release ]; then docker-compose -f docker-compose.yml up -d traefik; fi - only: - refs: - - main -
diff --git a/README.md b/README.md
index 0cb9902..91e2f95 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Запуск с доступом по https (использование TLS/SSL): ```
-vault-wrap -action-address "https://saecret.example.ru:8443" -vault-url "https://vault.example.ru:8200" -tls-cert cert.pem -tls-key privaty.key -listen-port 8443 -tls
+vault-wrap -action-address "https://secret.example.ru:8443" -vault-url "https://vault.example.ru:8200" -tls-cert cert.pem -tls-key privaty.key -listen-port 8443 -tls
 ```
 Запуск с доступом по http:
diff --git a/docker-compose.yml b/docker-compose.yml
index ee6f1ee..5bf3c11 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 image: $IMAGE_PATH/vault-wrap:$RELEASE_VERSION
 container_name: vault-wrap
 environment:
- - ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.corp.samsonopt.ru}
+ - ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.example.ru}
 - VAULT_ADDRESS=${VAULT_ADDRESS}
 - LISTEN_PORT=8080
 - TLS_KEY_FILE=${TLS_KEY_FILE}
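Review bot: The fallback `${ACTION_ADDRESS:-https://secret.example.ru}` on the added line silently substitutes a placeholder host whenever ACTION_ADDRESS is unset, while the neighbouring `- VAULT_ADDRESS=${VAULT_ADDRESS}` has no default, so a missing variable is visible for one setting and masked for the other. If the address must come from the deployment environment, Compose's required-variable form `- ACTION_ADDRESS=${ACTION_ADDRESS:?ACTION_ADDRESS must be set}` makes `up` fail early instead of starting the container against a host that does not exist. If the default is intentional, a comment above the line such as `# placeholder; override ACTION_ADDRESS per environment` would say so. The enclosing `services:` mapping starts before the hunk.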
@@ -26,48 +26,16 @@ services:
 max-size: "10m"
 max-file: "5"
 labels:
- - "traefik.enable=true"
- - "traefik.http.routers.secret.rule=Host(`secret.corp.samsonopt.ru`)"
- - "traefik.http.services.secret.loadbalancer.server.port=8080"
- - "traefik.docker.network=reverse-proxy"
- - "traefik.http.routers.secret.tls=true"
- - "traefik.http.services.secret.loadbalancer.server.scheme=http"
+ - "tra.enable=true"
+ - "tra.http.routers.secret.rule=Host(`secret.example.ru`)"
+ - "tra.http.services.secret.loadbalancer.server.port=8080"
+ - "tra.docker.network=reverse-proxy"
+ - "tra.http.routers.secret.tls=true"
+ - "tra.http.services.secret.loadbalancer.server.scheme=http"
 networks:
 - default
 - vault-wrap
- traefik:
- image: traefik:v3.0
- container_name: traefik
- command:
-# - --entrypoints.web.address=:80
-# - --entrypoints.web-secure.address=:443
-# - --providers.docker=true
- - --providers.file.directory=/configuration/
- - --providers.file.watch=true
- volumes:
- - traefik-dynamic-conf:/configuration/
- - /home/gitlab-runner/traefik/traefik.yml:/traefik.yml:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - traefik-ssl:/ssl/:ro
- ports:
- - 80:80
- # - 8080:8080
- - 888:888
- - 443:443
- restart: always
- networks:
- - default
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.traefik.entrypoints=https"
- - "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
- - "traefik.http.routers.traefik.tls=true"
-# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- - "traefik.http.routers.traefik.service=api@internal"
- - "traefik.http.services.traefik.loadbalancer.server.port=888"
- - "traefik.http.services.traefik.loadbalancer.server.scheme=https"
-
 networks:
 default:
 name: reverse-proxy
@@ -78,5 +46,3 @@ networks:
 volumes:
 vault-wrap-log:
 vault-wrap-conf:
- traefik-dynamic-conf:
- traefik-ssl:
diff --git a/traefik-files/certificates.yml b/traefik-files/certificates.yml
deleted file mode 100644
index f555e91..0000000
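Review bot: The six labels renamed to the `tra.` prefix will, as far as I know, not be read by Traefik's Docker provider, which only discovers labels under `traefik.`, so the Host rule, the service port and `tra.http.routers.secret.tls=true` become inert configuration on the vault-wrap service. Since this hunk also removes the `traefik` service and the following hunk removes its volumes, that is presumably intended; in that case deleting the six labels is clearer than keeping a dead copy, and the `reverse-proxy` network name kept under `networks.default` then deserves a comment such as `# joined by an externally managed reverse proxy; no proxy is defined in this file` so readers know how the service is meant to be exposed. If the labels are instead meant for a proxy defined elsewhere, the `traefik.` prefix should stay. The enclosing `services:` mapping starts before the hunk.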
--- a/traefik-files/certificates.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Dynamic configuration
-# in configuration/certificates.yaml
-tls:
- certificates:
- # first certificate
- - certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
- keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
-
- # second certificate
- #- certFile: /path/to/other.cert
- # keyFile: /path/to/other.key
-
diff --git a/traefik-files/traefik.yml b/traefik-files/traefik.yml
deleted file mode 100644
index e06d3ac..0000000
--- a/traefik-files/traefik.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-api:
- dashboard: true
- insecure: true
-
-accessLog: {}
-
-log:
- level: INFO
-
-entryPoints:
- http:
- address: ":80"
- https:
- address: ":443"
- dashboard:
- address: ":888"
-
-http:
- routers:
- host:
- entryPoints:
- - http
- rule: Host(`corp.samsonopt.ru`)
-
-providers:
- docker:
- endpoint: "unix:///var/run/docker.sock"
- exposedByDefault: false
- file:
- filename: /configuration/certificates.yml