diff --git a/src/main/cljc/dda/c4k_website/ingress.cljc b/src/main/cljc/dda/c4k_website/ingress.cljc index 4729984..338b90c 100644 --- a/src/main/cljc/dda/c4k_website/ingress.cljc +++ b/src/main/cljc/dda/c4k_website/ingress.cljc @@ -7,23 +7,42 @@ #?(:clj [clojure.edn :as edn] :cljs [cljs.reader :as edn]) [dda.c4k-common.yaml :as yaml] - [dda.c4k-common.common :as cm] - [dda.c4k-common.base64 :as b64] + [dda.c4k-common.common :as cm] [dda.c4k-common.predicate :as pred] [clojure.string :as str])) - (s/def ::issuer pred/letsencrypt-issuer?) (s/def ::service-name string?) +(s/def ::ingress-name string?) +(s/def ::cert-name string?) (s/def ::service-port pos-int?) (s/def ::fqdns (s/coll-of pred/fqdn-string?)) -(def ingress? (s/keys :req-un [::fqdns ::service-name ::service-port] - :opt-un [::issuer])) +(def ingress? (s/keys :req-un [::fqdns ::ingress-name ::service-name ::service-port] + :opt-un [::issuer ::cert-name])) + +(def certificate? (s/keys :req-un [::fqdns ::cert-name] + :opt-un [::issuer])) + +(defn replace-dots-by-minus + [fqdn] + (str/replace fqdn #"\." "-")) + +(defn generate-cert-name + [unique-name] + (str (replace-dots-by-minus unique-name) "-cert")) + +(defn generate-http-ingress-name + [unique-name] + (str (replace-dots-by-minus unique-name) "-http-ingress")) + +(defn generate-https-ingress-name + [unique-name] + (str (replace-dots-by-minus unique-name) "-https-ingress")) (defn-spec generate-rule pred/map-or-seq? [service-name ::service-name - service-port ::service-port + service-port ::service-port fqdn pred/fqdn-string?] (-> (yaml/load-as-edn "ingress/rule.yaml") @@ -33,8 +52,32 @@ (defn-spec generate-http-ingress pred/map-or-seq? [config ingress?] - (let [{:keys [service-name service-port fqdns]} config] + (let [{:keys [ingress-name service-name service-port fqdns]} config] (-> (yaml/load-as-edn "ingress/http-ingress.yaml") - (assoc-in [:metadata :name] (str service-name "-http-ingress")) - (assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns))))) \ No newline at end of file + (assoc-in [:metadata :name] ingress-name) + (assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns))))) + +(defn-spec generate-https-ingress pred/map-or-seq? + [config ingress?] + (let [{:keys [ingress-name cert-name service-name service-port fqdns]} config] + (-> + (yaml/load-as-edn "ingress/https-ingress.yaml") + (assoc-in [:metadata :name] ingress-name) + (assoc-in [:spec :tls 0 :secretName] cert-name) + (assoc-in [:spec :tls 0 :hosts] fqdns) + (assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns))))) + +(defn-spec generate-certificate pred/map-or-seq? + [config certificate?] + (let [{:keys [cert-name issuer fqdns] + :or {issuer "staging"}} config + letsencrypt-issuer (name issuer)] + (-> + (yaml/load-as-edn "ingress/certificate.yaml") + (assoc-in [:metadata :name] cert-name) + (assoc-in [:spec :secretName] cert-name) + (assoc-in [:spec :commonName] (first fqdns)) + (assoc-in [:spec :dnsNames] fqdns) + (assoc-in [:spec :issuerRef :name] letsencrypt-issuer)))) + \ No newline at end of file diff --git a/src/main/cljc/dda/c4k_website/website.cljc b/src/main/cljc/dda/c4k_website/website.cljc index 84687be..9d1fd83 100644 --- a/src/main/cljc/dda/c4k_website/website.cljc +++ b/src/main/cljc/dda/c4k_website/website.cljc @@ -161,7 +161,7 @@ (-> (yaml/load-as-edn "website/certificate.yaml") (assoc-in [:spec :issuerRef :name] letsencrypt-issuer) - (cm/replace-all-matching-values-by-new-value "FQDN" fqdn)))) + (cm/replace-all-matching-values-by-new-value "FQDN" fqdn)))) (defn-spec generate-website-certificate pred/map-or-seq? [config websitedata?] diff --git a/src/main/resources/website/certificate.yaml b/src/main/resources/ingress/certificate.yaml similarity index 100% rename from src/main/resources/website/certificate.yaml rename to src/main/resources/ingress/certificate.yaml diff --git a/src/main/resources/ingress/http-ingress.yaml b/src/main/resources/ingress/http-ingress.yaml index 3b274a4..3ca4151 100644 --- a/src/main/resources/ingress/http-ingress.yaml +++ b/src/main/resources/ingress/http-ingress.yaml @@ -15,6 +15,6 @@ spec: path: "/" backend: service: - name: SERVICENAME + name: SERVIC_ENAME port: number: 80 diff --git a/src/main/resources/ingress/https-ingress.yaml b/src/main/resources/ingress/https-ingress.yaml index 4d7fbe2..8798b43 100644 --- a/src/main/resources/ingress/https-ingress.yaml +++ b/src/main/resources/ingress/https-ingress.yaml @@ -19,6 +19,6 @@ spec: path: "/" backend: service: - name: SERVICENAME + name: SERVICE_NAME port: number: 80 diff --git a/src/test/cljc/dda/c4k_website/ingress_test.cljc b/src/test/cljc/dda/c4k_website/ingress_test.cljc index 7e1266e..0b2b0f6 100644 --- a/src/test/cljc/dda/c4k_website/ingress_test.cljc +++ b/src/test/cljc/dda/c4k_website/ingress_test.cljc @@ -10,8 +10,11 @@ (st/instrument `cut/generate-rule) (st/instrument `cut/generate-http-ingress) +(st/instrument `cut/generate-https-ingress) +(st/instrument `cut/generate-certificate) -(deftest should-genereate-rule + +(deftest should-generate-rule (is (= {:host "test.com", :http {:paths @@ -27,7 +30,7 @@ (is (= {:apiVersion "networking.k8s.io/v1", :kind "Ingress", :metadata - {:name "myservice-http-ingress", + {:name "test-io-http-ingress", :namespace "default", :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "web", @@ -36,6 +39,7 @@ {:issuer "prod" :service-name "myservice" :service-port 3000 + :ingress-name "test-io-http-ingress" :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec))) (is (= {:rules [{:host "test.de", @@ -54,33 +58,57 @@ {:issuer "prod" :service-name "myservice" :service-port 3000 + :ingress-name "test-io-http-ingress" :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}))))) -;; (deftest should-generate-https-ingress -;; (is (= {:apiVersion "networking.k8s.io/v1", -;; :kind "Ingress", -;; :metadata -;; {:name "test-io-https-ingress", -;; :namespace "default", -;; :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}, -;; :spec -;; {:tls [{:hosts ["test.de" "www.test.de" "test-it.de" "www.test-it.de"], :secretName "test-io-cert"}], -;; :rules -;; [{:host "test.de", -;; :http -;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} -;; {:host "www.test.de", -;; :http -;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} -;; {:host "test-it.de", -;; :http -;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} -;; {:host "www.test-it.de", -;; :http -;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]}} -;; (cut/generate-https-ingress {:unique-name "test.io" -;; :gitea-host "gitea.evilorg" -;; :gitea-repo "none" -;; :branchname "mablain" -;; :issuer "prod" -;; :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))) \ No newline at end of file +(deftest should-generate-https-ingress + (is (= {:apiVersion "networking.k8s.io/v1", + :kind "Ingress", + :metadata + {:name "test-io-https-ingress", + :namespace "default", + :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}} + (dissoc (cut/generate-https-ingress + {:issuer "prod" + :service-name "test-io-service" + :service-port 80 + :ingress-name "test-io-https-ingress" + :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec))) + (is (= {:tls + [{:hosts + ["test.de" "www.test.de" "test-it.de" "www.test-it.de"], + :secretName "test-io-cert"}] + :rules + [{:host "test.de", + :http + {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} + {:host "www.test.de", + :http + {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} + {:host "test-it.de", + :http + {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} + {:host "www.test-it.de", + :http + {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]} + (:spec (cut/generate-https-ingress {:issuer "prod" + :service-name "test-io-service" + :service-port 80 + :ingress-name "test-io-http-ingress" + :cert-name "test-io-cert" + :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}))))) + +(deftest should-generate-certificate + (is (= {:apiVersion "cert-manager.io/v1", + :kind "Certificate", + :metadata {:name "test-io-cert", :namespace "default"}, + :spec + {:secretName "test-io-cert", + :commonName "test.de", + :duration "2160h", + :renewBefore "360h", + :dnsNames ["test.de" "test.org" "www.test.de" "www.test.org"], + :issuerRef {:name "prod", :kind "ClusterIssuer"}}} + (cut/generate-certificate {:fqdns ["test.de" "test.org" "www.test.de" "www.test.org"] + :cert-name "test-io-cert" + :issuer "prod"})))) \ No newline at end of file diff --git a/src/test/cljc/dda/c4k_website/website_test.cljc b/src/test/cljc/dda/c4k_website/website_test.cljc index fa21076..a118cfb 100644 --- a/src/test/cljc/dda/c4k_website/website_test.cljc +++ b/src/test/cljc/dda/c4k_website/website_test.cljc @@ -42,23 +42,6 @@ :gitea-repo "repo" :branchname "main"}]})))) - - -(deftest should-generate-website-certificate - (is (= {:name-c1 "prod", :name-c2 "staging"} - (th/map-diff (cut/generate-website-certificate {:unique-name "test.io" - :gitea-host "gitea.evilorg" - :gitea-repo "none" - :branchname "mablain" - :issuer "prod" - :fqdns ["test.org" "test.de"]}) - (cut/generate-website-certificate {:unique-name "test.io" - :gitea-host "gitea.evilorg" - :gitea-repo "none" - :branchname "mablain" - :issuer "staging" - :fqdns ["test.org" "test.de"]}))))) - (deftest should-generate-nginx-configmap (is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de www.test.de test-it.de www.test-it.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name example.de www.example.de example-by.de www.example-by.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n",