vault-wrap: добавил выбор запуска http/https. INF-1541

svkalinin 2024-07-11 09:07:03 +03:00
parent 58803532da
commit ef286325b4
3 changed files with 29 additions and 11 deletions


@ -8,7 +8,7 @@ services:
environment: environment:
- ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.corp.samsonopt.ru} - ACTION_ADDRESS=${ACTION_ADDRESS:-https://secret.corp.samsonopt.ru}
- VAULT_ADDRESS=${VAULT_ADDRESS} - VAULT_ADDRESS=${VAULT_ADDRESS}
- LISTEN_PORT=443 - LISTEN_PORT=8080
- TLS_KEY_FILE=${TLS_KEY_FILE} - TLS_KEY_FILE=${TLS_KEY_FILE}
- TLS_CERT_FILE=${TLS_CERT_FILE} - TLS_CERT_FILE=${TLS_CERT_FILE}
- TZ=Europe/Moscow - TZ=Europe/Moscow
@ -26,10 +26,10 @@ services:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.secret.rule=Host(`secret.corp.samsonopt.ru`)" - "traefik.http.routers.secret.rule=Host(`secret.corp.samsonopt.ru`)"
- "traefik.http.services.secret.loadbalancer.server.port=443" - "traefik.http.services.secret.loadbalancer.server.port=8080"
- "traefik.docker.network=reverse-proxy" - "traefik.docker.network=reverse-proxy"
- "traefik.http.routers.secret.tls=true" - "traefik.http.routers.secret.tls=false"
- "traefik.http.services.secret.loadbalancer.server.scheme=https" - "traefik.http.services.secret.loadbalancer.server.scheme=http"
networks: networks:
- default - default
- vault-wrap - vault-wrap
@ -63,7 +63,8 @@ services:
- "traefik.http.routers.traefik.tls=true" - "traefik.http.routers.traefik.tls=true"
# - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt" # - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
- "traefik.http.routers.traefik.service=api@internal" - "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.services.traefik-traefik.loadbalancer.server.port=888" - "traefik.http.services.traefik.loadbalancer.server.port=888"
- "traefik.http.services.traefik.loadbalancer.server.scheme=https"
networks: networks:
default: default:
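Review bot: The ACTION_ADDRESS default in the first hunk keeps its `https://` scheme, while the Go hunk of this same commit now prepends `http://` or `https://` to ActionAddress before serving, so a deployment relying on the default ends up with a doubled scheme (`http://https://secret.corp.samsonopt.ru`); either drop the scheme here, `- ACTION_ADDRESS=${ACTION_ADDRESS:-secret.corp.samsonopt.ru}` (matching the new `(host.name)` flag help), or make the Go side tolerate an existing scheme — the same point applies to the last Go hunk. The second hunk sets `traefik.http.routers.secret.tls=false` together with a plain-http backend on 8080, which as far as these labels show leaves the secret-handling path without TLS at both the router and the container unless another TLS router for this host exists outside the diff; if TLS is meant to terminate at Traefik, keeping the router's `tls=true` and switching only the backend scheme is the usual shape. TLS_KEY_FILE and TLS_CERT_FILE are still exported in the first hunk but the launch script in this commit no longer passes them, so a comment such as `# only used when vault-wrap is started with -tls` next to them would stop a reader from assuming the container still serves TLS.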


@ -2,7 +2,7 @@
set -u set -u
while true ;do while true ;do
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}" # /go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}" -tls
/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log
sleep 120 sleep 120
done done
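Review bot: The new launch line drops `-vault-url "${VAULT_ADDRESS}"`, so unless main() reads VAULT_ADDRESS from the environment (not visible in this diff) the service starts with the flag's empty default while the compose file still exports VAULT_ADDRESS for it. If the omission is intentional, delete the commented-out old invocation instead of keeping it — it leaves two diverging command lines in a `set -u` script; otherwise restore the flag on the live line, `/go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log`. The `while true`/`sleep 120` loop also silently restarts a process that exited because it could not bind its port, so a log line before `sleep 120` (e.g. `echo "vault-wrap exited with status $?, restarting in 120s" >&2`) would make that failure visible.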


@ -43,6 +43,7 @@ var (
VaultAddress string VaultAddress string
Data string Data string
ListenPort string ListenPort string
TlsEnable bool
TlsCertFile string TlsCertFile string
TlsKeyFile string TlsKeyFile string
) )
@ -250,10 +251,11 @@ func main() {
flag.StringVar(&TemplateDir, "template-dir", "html-template", "Каталог с шаблонами") flag.StringVar(&TemplateDir, "template-dir", "html-template", "Каталог с шаблонами")
flag.StringVar(&TemplateFile, "template-file", "index.html", "Файл-шаблон для ВЭБ-странцы") flag.StringVar(&TemplateFile, "template-file", "index.html", "Файл-шаблон для ВЭБ-странцы")
flag.StringVar(&VaultAddress, "vault-url", "", "Адрес сервера Hashicorp Vault (https://host.name:8200)") flag.StringVar(&VaultAddress, "vault-url", "", "Адрес сервера Hashicorp Vault (https://host.name:8200)")
flag.StringVar(&ActionAddress, "action-address", "", "Адрес данного сервиса (https://host.name") flag.StringVar(&ActionAddress, "action-address", "", "Адрес данного сервиса (host.name)")
flag.StringVar(&ListenPort, "listen-port", "8443", "Номер порта сервиса") flag.StringVar(&ListenPort, "listen-port", "8080", "Номер порта сервиса")
flag.StringVar(&TlsCertFile, "tls-cert", "", "TLS сертификат (файл)") flag.StringVar(&TlsCertFile, "tls-cert", "", "TLS сертификат (файл)")
flag.StringVar(&TlsKeyFile, "tls-key", "", "TLS ключ (файл)") flag.StringVar(&TlsKeyFile, "tls-key", "", "TLS ключ (файл)")
flag.BoolVar(&TlsEnable, "tls", false, "Использовать SSL/TLS")
flag.Parse() flag.Parse()
@ -295,10 +297,25 @@ func main() {
http.Handle("/", rtr) http.Handle("/", rtr)
if os.Getenv("LISTEN_PORT") != "" { if os.Getenv("LISTEN_PORT") != "" {
ListenPort = os.Getenv("LISTEN_PORT") ListenPort = os.Getenv("LISTEN_PORT")
} else {
if TlsEnable && ListenPort == ""{
ListenPort = "8443"
}
} }
listenAddr := ":" + ListenPort listenAddr := ":" + ListenPort
log.Println("Listening...") log.Println("Listening...")
// http.ListenAndServe(":8080", nil) if TlsEnable {
ActionAddress = "https://" + ActionAddress
if Debug {
log.Printf("Адрес сервиса: %s%s ", ActionAddress, listenAddr)
}
log.Fatal(http.ListenAndServeTLS(listenAddr, TlsCertFile, TlsKeyFile, nil)) log.Fatal(http.ListenAndServeTLS(listenAddr, TlsCertFile, TlsKeyFile, nil))
} else {
ActionAddress = "http://" + ActionAddress
if Debug {
log.Printf("Адрес сервиса: %s%s ", ActionAddress, listenAddr)
}
http.ListenAndServe(listenAddr, nil)
}
} }
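Review bot: In the last hunk the plain-http branch discards the result of `http.ListenAndServe(listenAddr, nil)`, so a bind failure (port in use, missing permission) makes main() return without any log line and the wrapper script's restart loop hides it; mirror the TLS branch with `log.Fatal(http.ListenAndServe(listenAddr, nil))`. The `if TlsEnable && ListenPort == ""` fallback to "8443" in the same hunk is unreachable as written, because the flag registered in the second hunk gives ListenPort the non-empty default "8080"; if the intent is "8443 when -tls is set and no port was given", the flag default would have to be "" with the 8080/8443 choice made at this point. ActionAddress is also rewritten after `http.Handle("/", rtr)`; if the router or templates captured its value when they were built (that code is outside the hunk) they will keep the scheme-less form, so the scheme should be applied before the handlers are constructed. main() begins and continues outside this hunk.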