WIP Refactoring ingress

Move Cert generation to ingress as well.
Need to specify name for each http, https, cert resource.
Update tests and ingress definitions.
This commit is contained in:
erik 2022-10-14 16:41:25 +02:00
parent 8989679d57
commit 49dd95f78e
7 changed files with 113 additions and 59 deletions

View file

@ -8,19 +8,38 @@
:cljs [cljs.reader :as edn]) :cljs [cljs.reader :as edn])
[dda.c4k-common.yaml :as yaml] [dda.c4k-common.yaml :as yaml]
[dda.c4k-common.common :as cm] [dda.c4k-common.common :as cm]
[dda.c4k-common.base64 :as b64]
[dda.c4k-common.predicate :as pred] [dda.c4k-common.predicate :as pred]
[clojure.string :as str])) [clojure.string :as str]))
(s/def ::issuer pred/letsencrypt-issuer?) (s/def ::issuer pred/letsencrypt-issuer?)
(s/def ::service-name string?) (s/def ::service-name string?)
(s/def ::ingress-name string?)
(s/def ::cert-name string?)
(s/def ::service-port pos-int?) (s/def ::service-port pos-int?)
(s/def ::fqdns (s/coll-of pred/fqdn-string?)) (s/def ::fqdns (s/coll-of pred/fqdn-string?))
(def ingress? (s/keys :req-un [::fqdns ::service-name ::service-port] (def ingress? (s/keys :req-un [::fqdns ::ingress-name ::service-name ::service-port]
:opt-un [::issuer ::cert-name]))
(def certificate? (s/keys :req-un [::fqdns ::cert-name]
:opt-un [::issuer])) :opt-un [::issuer]))
(defn replace-dots-by-minus
[fqdn]
(str/replace fqdn #"\." "-"))
(defn generate-cert-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-cert"))
(defn generate-http-ingress-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-http-ingress"))
(defn generate-https-ingress-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-https-ingress"))
(defn-spec generate-rule pred/map-or-seq? (defn-spec generate-rule pred/map-or-seq?
[service-name ::service-name [service-name ::service-name
service-port ::service-port service-port ::service-port
@ -33,8 +52,32 @@
(defn-spec generate-http-ingress pred/map-or-seq? (defn-spec generate-http-ingress pred/map-or-seq?
[config ingress?] [config ingress?]
(let [{:keys [service-name service-port fqdns]} config] (let [{:keys [ingress-name service-name service-port fqdns]} config]
(-> (->
(yaml/load-as-edn "ingress/http-ingress.yaml") (yaml/load-as-edn "ingress/http-ingress.yaml")
(assoc-in [:metadata :name] (str service-name "-http-ingress")) (assoc-in [:metadata :name] ingress-name)
(assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns))))) (assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns)))))
(defn-spec generate-https-ingress pred/map-or-seq?
[config ingress?]
(let [{:keys [ingress-name cert-name service-name service-port fqdns]} config]
(->
(yaml/load-as-edn "ingress/https-ingress.yaml")
(assoc-in [:metadata :name] ingress-name)
(assoc-in [:spec :tls 0 :secretName] cert-name)
(assoc-in [:spec :tls 0 :hosts] fqdns)
(assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns)))))
(defn-spec generate-certificate pred/map-or-seq?
[config certificate?]
(let [{:keys [cert-name issuer fqdns]
:or {issuer "staging"}} config
letsencrypt-issuer (name issuer)]
(->
(yaml/load-as-edn "ingress/certificate.yaml")
(assoc-in [:metadata :name] cert-name)
(assoc-in [:spec :secretName] cert-name)
(assoc-in [:spec :commonName] (first fqdns))
(assoc-in [:spec :dnsNames] fqdns)
(assoc-in [:spec :issuerRef :name] letsencrypt-issuer))))

View file

@ -15,6 +15,6 @@ spec:
path: "/" path: "/"
backend: backend:
service: service:
name: SERVICENAME name: SERVIC_ENAME
port: port:
number: 80 number: 80

View file

@ -19,6 +19,6 @@ spec:
path: "/" path: "/"
backend: backend:
service: service:
name: SERVICENAME name: SERVICE_NAME
port: port:
number: 80 number: 80

View file

@ -10,8 +10,11 @@
(st/instrument `cut/generate-rule) (st/instrument `cut/generate-rule)
(st/instrument `cut/generate-http-ingress) (st/instrument `cut/generate-http-ingress)
(st/instrument `cut/generate-https-ingress)
(st/instrument `cut/generate-certificate)
(deftest should-genereate-rule
(deftest should-generate-rule
(is (= {:host "test.com", (is (= {:host "test.com",
:http :http
{:paths {:paths
@ -27,7 +30,7 @@
(is (= {:apiVersion "networking.k8s.io/v1", (is (= {:apiVersion "networking.k8s.io/v1",
:kind "Ingress", :kind "Ingress",
:metadata :metadata
{:name "myservice-http-ingress", {:name "test-io-http-ingress",
:namespace "default", :namespace "default",
:annotations :annotations
#:traefik.ingress.kubernetes.io{:router.entrypoints "web", #:traefik.ingress.kubernetes.io{:router.entrypoints "web",
@ -36,6 +39,7 @@
{:issuer "prod" {:issuer "prod"
:service-name "myservice" :service-name "myservice"
:service-port 3000 :service-port 3000
:ingress-name "test-io-http-ingress"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec))) :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec)))
(is (= {:rules (is (= {:rules
[{:host "test.de", [{:host "test.de",
@ -54,33 +58,57 @@
{:issuer "prod" {:issuer "prod"
:service-name "myservice" :service-name "myservice"
:service-port 3000 :service-port 3000
:ingress-name "test-io-http-ingress"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}))))) :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))))
;; (deftest should-generate-https-ingress (deftest should-generate-https-ingress
;; (is (= {:apiVersion "networking.k8s.io/v1", (is (= {:apiVersion "networking.k8s.io/v1",
;; :kind "Ingress", :kind "Ingress",
;; :metadata :metadata
;; {:name "test-io-https-ingress", {:name "test-io-https-ingress",
;; :namespace "default", :namespace "default",
;; :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}, :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}}
;; :spec (dissoc (cut/generate-https-ingress
;; {:tls [{:hosts ["test.de" "www.test.de" "test-it.de" "www.test-it.de"], :secretName "test-io-cert"}], {:issuer "prod"
;; :rules :service-name "test-io-service"
;; [{:host "test.de", :service-port 80
;; :http :ingress-name "test-io-https-ingress"
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec)))
;; {:host "www.test.de", (is (= {:tls
;; :http [{:hosts
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} ["test.de" "www.test.de" "test-it.de" "www.test-it.de"],
;; {:host "test-it.de", :secretName "test-io-cert"}]
;; :http :rules
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} [{:host "test.de",
;; {:host "www.test-it.de", :http
;; :http {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]}} {:host "www.test.de",
;; (cut/generate-https-ingress {:unique-name "test.io" :http
;; :gitea-host "gitea.evilorg" {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; :gitea-repo "none" {:host "test-it.de",
;; :branchname "mablain" :http
;; :issuer "prod" {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))) {:host "www.test-it.de",
:http
{:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]}
(:spec (cut/generate-https-ingress {:issuer "prod"
:service-name "test-io-service"
:service-port 80
:ingress-name "test-io-http-ingress"
:cert-name "test-io-cert"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))))
(deftest should-generate-certificate
(is (= {:apiVersion "cert-manager.io/v1",
:kind "Certificate",
:metadata {:name "test-io-cert", :namespace "default"},
:spec
{:secretName "test-io-cert",
:commonName "test.de",
:duration "2160h",
:renewBefore "360h",
:dnsNames ["test.de" "test.org" "www.test.de" "www.test.org"],
:issuerRef {:name "prod", :kind "ClusterIssuer"}}}
(cut/generate-certificate {:fqdns ["test.de" "test.org" "www.test.de" "www.test.org"]
:cert-name "test-io-cert"
:issuer "prod"}))))

View file

@ -42,23 +42,6 @@
:gitea-repo "repo" :gitea-repo "repo"
:branchname "main"}]})))) :branchname "main"}]}))))
(deftest should-generate-website-certificate
(is (= {:name-c1 "prod", :name-c2 "staging"}
(th/map-diff (cut/generate-website-certificate {:unique-name "test.io"
:gitea-host "gitea.evilorg"
:gitea-repo "none"
:branchname "mablain"
:issuer "prod"
:fqdns ["test.org" "test.de"]})
(cut/generate-website-certificate {:unique-name "test.io"
:gitea-host "gitea.evilorg"
:gitea-repo "none"
:branchname "mablain"
:issuer "staging"
:fqdns ["test.org" "test.de"]})))))
(deftest should-generate-nginx-configmap (deftest should-generate-nginx-configmap
(is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de www.test.de test-it.de www.test-it.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", (is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de www.test.de test-it.de www.test-it.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n",
:website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name example.de www.example.de example-by.de www.example-by.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name example.de www.example.de example-by.de www.example-by.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n",