Переезд на другой сервер

This commit is contained in:
svkalinin 2024-07-17 13:01:33 +03:00
parent f4c2f619d2
commit ee921f6ae3
5 changed files with 8 additions and 179 deletions

View File

@ -1,95 +0,0 @@
stages:
- build
- release
- deploy
variables:
DOCKER_DRIVER: overlay2
IMAGE_PATH: $CI_REGISTRY/$CI_PROJECT_PATH
# IMAGE_VERSION: $CI_COMMIT_SHORT_SHA
RELEASE_VERSION: $CI_COMMIT_SHORT_SHA
before_script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- mkdir -p .ci_status
.dedicated-builder: &dedicated-builder
tags:
- build1-shell
.dedicated-runner: &dedicated-runner
tags:
- runner1-prod-shell
vault_wrap_build:
<<: *dedicated-builder
stage: build
script:
- DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 docker-compose -f docker-compose.yml build vault-wrap
- docker tag $IMAGE_PATH/vault-wrap:$RELEASE_VERSION $IMAGE_PATH/vault-wrap:dev
- docker push $IMAGE_PATH/vault-wrap:dev
- touch .ci_status/vault_wrap_build
only:
refs:
- main
changes:
- vault.go
- Dockerfile
- entrypoint.sh
- docker-compose.yml
- .gitlab-ci.yml
artifacts:
paths:
- .ci_status/
# --------------- RELEASE STAGE -------------#
vault_wrap_release:
<<: *dedicated-builder
stage: release
script:
- if [ -e .ci_status/vault_wrap_build ]; then docker pull $IMAGE_PATH/vault-wrap:dev; docker tag $IMAGE_PATH/vault-wrap:dev $IMAGE_PATH/vault-wrap:$RELEASE_VERSION; docker push $IMAGE_PATH/vault-wrap:$RELEASE_VERSION; touch .ci_status/vault_wrap_release; fi
artifacts:
paths:
- .ci_status/
only:
refs:
- main
#-------------- DEPLOY STAGE ------------------#
vault_wrap_deploy:
<<: *dedicated-runner
stage: deploy
script:
- docker volume create vault-wrap_vault-wrap-conf
- docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v /etc/ssl/certs/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.crt /temporary
- docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v /etc/ssl/private/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.key /temporary
- docker run --rm -v vault-wrap_vault-wrap-conf:/temporary -v ./html-template/:/files alpine cp files/index.html /temporary
# -cp /etc/ssl/certs/runner1-prod.corp.samsonopt.ru.crt /srv/docker/volumes/vault-wrap_vault-wrap-conf/_data/
# - cp /etc/ssl/private/runner1-prod.corp.samsonopt.ru.key /srv/docker/volumes/vault-wrap_vault-wrap-conf/_data/
- export TLS_CERT_FILE=runner1-prod.corp.samsonopt.ru.crt
- export TLS_KEY_FILE=runner1-prod.corp.samsonopt.ru.key
- if [ -e .ci_status/vault_wrap_release ]; then docker-compose -f docker-compose.yml up -d vault-wrap; fi
only:
refs:
- main
traefik_deploy:
<<: *dedicated-runner
stage: deploy
script:
- mkdir -p /home/gitlab-runner/traefik
- docker volume create vault-wrap_traefik-ssl
- docker volume create vault-wrap_traefik-dynamic-conf
- docker run --rm -v vault-wrap_traefik-ssl:/temporary -v /etc/ssl/certs/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.crt /temporary
- docker run --rm -v vault-wrap_traefik-ssl:/temporary -v /etc/ssl/private/:/files alpine cp files/runner1-prod.corp.samsonopt.ru.key /temporary
- docker run --rm -v vault-wrap_traefik-dynamic-conf:/temporary -v ./traefik-files:/files alpine cp files/certificates.yml /temporary
- cp traefik-files/traefik.yml /home/gitlab-runner/traefik/traefik.yml
- export TLS_CERT_FILE=runner1-prod.corp.samsonopt.ru.crt
- export TLS_KEY_FILE=runner1-prod.corp.samsonopt.ru.key
- if [ -e .ci_status/vault_wrap_release ]; then docker-compose -f docker-compose.yml up -d traefik; fi
only:
refs:
- main

View File

@ -9,7 +9,7 @@
Запуск с доступом по https (использование TLS/SSL): Запуск с доступом по https (использование TLS/SSL):
``` ```
vault-wrap -action-address "https://saecret.example.ru:8443" -vault-url "https://vault.example.ru:8200" -tls-cert cert.pem -tls-key privaty.key -listen-port 8443 -tls vault-wrap -action-address "https://secret.example.ru:8443" -vault-url "https://vault.example.ru:8200" -tls-cert cert.pem -tls-key privaty.key -listen-port 8443 -tls
``` ```
Запуск с доступом по http: Запуск с доступом по http:

View File

@ -6,7 +6,7 @@ services:
image: $IMAGE_PATH/vault-wrap:$RELEASE_VERSION image: $IMAGE_PATH/vault-wrap:$RELEASE_VERSION
container_name: vault-wrap container_name: vault-wrap
environment: environment:
- ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.corp.samsonopt.ru} - ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.example.ru}
- VAULT_ADDRESS=${VAULT_ADDRESS} - VAULT_ADDRESS=${VAULT_ADDRESS}
- LISTEN_PORT=8080 - LISTEN_PORT=8080
- TLS_KEY_FILE=${TLS_KEY_FILE} - TLS_KEY_FILE=${TLS_KEY_FILE}
@ -26,48 +26,16 @@ services:
max-size: "10m" max-size: "10m"
max-file: "5" max-file: "5"
labels: labels:
- "traefik.enable=true" - "tra.enable=true"
- "traefik.http.routers.secret.rule=Host(`secret.corp.samsonopt.ru`)" - "tra.http.routers.secret.rule=Host(`secret.example.ru`)"
- "traefik.http.services.secret.loadbalancer.server.port=8080" - "tra.http.services.secret.loadbalancer.server.port=8080"
- "traefik.docker.network=reverse-proxy" - "tra.docker.network=reverse-proxy"
- "traefik.http.routers.secret.tls=true" - "tra.http.routers.secret.tls=true"
- "traefik.http.services.secret.loadbalancer.server.scheme=http" - "tra.http.services.secret.loadbalancer.server.scheme=http"
networks: networks:
- default - default
- vault-wrap - vault-wrap
traefik:
image: traefik:v3.0
container_name: traefik
command:
# - --entrypoints.web.address=:80
# - --entrypoints.web-secure.address=:443
# - --providers.docker=true
- --providers.file.directory=/configuration/
- --providers.file.watch=true
volumes:
- traefik-dynamic-conf:/configuration/
- /home/gitlab-runner/traefik/traefik.yml:/traefik.yml:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik-ssl:/ssl/:ro
ports:
- 80:80
# - 8080:8080
- 888:888
- 443:443
restart: always
networks:
- default
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=https"
- "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
- "traefik.http.routers.traefik.tls=true"
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik.loadbalancer.server.port=888"
- "traefik.http.services.traefik.loadbalancer.server.scheme=https"
networks: networks:
default: default:
name: reverse-proxy name: reverse-proxy
@ -78,5 +46,3 @@ networks:
volumes: volumes:
vault-wrap-log: vault-wrap-log:
vault-wrap-conf: vault-wrap-conf:
traefik-dynamic-conf:
traefik-ssl:

View File

@ -1,12 +0,0 @@
# Dynamic configuration
# in configuration/certificates.yaml
tls:
certificates:
# first certificate
- certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
# second certificate
#- certFile: /path/to/other.cert
# keyFile: /path/to/other.key

View File

@ -1,30 +0,0 @@
api:
dashboard: true
insecure: true
accessLog: {}
log:
level: INFO
entryPoints:
http:
address: ":80"
https:
address: ":443"
dashboard:
address: ":888"
http:
routers:
host:
entryPoints:
- http
rule: Host(`corp.samsonopt.ru`)
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
file:
filename: /configuration/certificates.yml