vault-wrap: добавил выбор запуска http/https. INF-1541

This commit is contained in:
svkalinin 2024-07-11 09:07:03 +03:00
parent 58803532da
commit ef286325b4
3 changed files with 29 additions and 11 deletions

View File

@ -8,7 +8,7 @@ services:
environment:
- ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.corp.samsonopt.ru}
- VAULT_ADDRESS=${VAULT_ADDRESS}
- LISTEN_PORT=443
- LISTEN_PORT=8080
- TLS_KEY_FILE=${TLS_KEY_FILE}
- TLS_CERT_FILE=${TLS_CERT_FILE}
- TZ=Europe/Moscow
@ -26,10 +26,10 @@ services:
labels:
- "traefik.enable=true"
- "traefik.http.routers.secret.rule=Host(`secret.corp.samsonopt.ru`)"
- "traefik.http.services.secret.loadbalancer.server.port=443"
- "traefik.http.services.secret.loadbalancer.server.port=8080"
- "traefik.docker.network=reverse-proxy"
- "traefik.http.routers.secret.tls=true"
- "traefik.http.services.secret.loadbalancer.server.scheme=https"
- "traefik.http.routers.secret.tls=false"
- "traefik.http.services.secret.loadbalancer.server.scheme=http"
networks:
- default
- vault-wrap
@ -63,7 +63,8 @@ services:
- "traefik.http.routers.traefik.tls=true"
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
- "traefik.http.services.traefik.loadbalancer.server.port=888"
- "traefik.http.services.traefik.loadbalancer.server.scheme=https"
networks:
default:

View File

@ -2,7 +2,7 @@
set -u
while true ;do
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"
# /go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}" -tls
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log
sleep 120
done

View File

@ -43,6 +43,7 @@ var (
VaultAddress string
Data string
ListenPort string
TlsEnable bool
TlsCertFile string
TlsKeyFile string
)
@ -250,10 +251,11 @@ func main() {
flag.StringVar(&TemplateDir, "template-dir", "html-template", "Каталог с шаблонами")
flag.StringVar(&TemplateFile, "template-file", "index.html", "Файл-шаблон для ВЭБ-странцы")
flag.StringVar(&VaultAddress, "vault-url", "", "Адрес сервера Hashicorp Vault (https://host.name:8200)")
flag.StringVar(&ActionAddress, "action-address", "", "Адрес данного сервиса (https://host.name")
flag.StringVar(&ListenPort, "listen-port", "8443", "Номер порта сервиса")
flag.StringVar(&ActionAddress, "action-address", "", "Адрес данного сервиса (host.name)")
flag.StringVar(&ListenPort, "listen-port", "8080", "Номер порта сервиса")
flag.StringVar(&TlsCertFile, "tls-cert", "", "TLS сертификат (файл)")
flag.StringVar(&TlsKeyFile, "tls-key", "", "TLS ключ (файл)")
flag.BoolVar(&TlsEnable, "tls", false, "Использовать SSL/TLS")
flag.Parse()
@ -295,10 +297,25 @@ func main() {
http.Handle("/", rtr)
if os.Getenv("LISTEN_PORT") != "" {
ListenPort = os.Getenv("LISTEN_PORT")
} else {
if TlsEnable && ListenPort == ""{
ListenPort = "8443"
}
}
listenAddr := ":" + ListenPort
log.Println("Listening...")
// http.ListenAndServe(":8080", nil)
log.Fatal(http.ListenAndServeTLS(listenAddr, TlsCertFile, TlsKeyFile, nil))
if TlsEnable {
ActionAddress = "https://" + ActionAddress
if Debug {
log.Printf("Адрес сервиса: %s%s ", ActionAddress, listenAddr)
}
log.Fatal(http.ListenAndServeTLS(listenAddr, TlsCertFile, TlsKeyFile, nil))
} else {
ActionAddress = "http://" + ActionAddress
if Debug {
log.Printf("Адрес сервиса: %s%s ", ActionAddress, listenAddr)
}
http.ListenAndServe(listenAddr, nil)
}
}