meissa/c4k-website
6
5
Fork 0
Code Issues Pull requests Projects Releases 8 Packages Wiki Activity

WIP Refactoring ingress

Browse source 
Move Cert generation to ingress as well.
Need to specify name for each http, https, cert resource.
Update tests and ingress definitions.
This commit is contained in:
erik 2022-10-14 16:41:25 +02:00
parent 8989679d57
commit 49dd95f78e
7 changed files with 113 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
src/main/cljc/dda/c4k_website/ingress.cljc
View file

@ -7,23 +7,42 @@
#?(:clj [clojure.edn :as edn] #?(:clj [clojure.edn :as edn]
:cljs [cljs.reader :as edn]) :cljs [cljs.reader :as edn])
[dda.c4k-common.yaml :as yaml] [dda.c4k-common.yaml :as yaml]
[dda.c4k-common.common :as cm] [dda.c4k-common.common :as cm]
[dda.c4k-common.base64 :as b64]
[dda.c4k-common.predicate :as pred] [dda.c4k-common.predicate :as pred]
[clojure.string :as str])) [clojure.string :as str]))
(s/def ::issuer pred/letsencrypt-issuer?) (s/def ::issuer pred/letsencrypt-issuer?)
(s/def ::service-name string?) (s/def ::service-name string?)
(s/def ::ingress-name string?)
(s/def ::cert-name string?)
(s/def ::service-port pos-int?) (s/def ::service-port pos-int?)
(s/def ::fqdns (s/coll-of pred/fqdn-string?)) (s/def ::fqdns (s/coll-of pred/fqdn-string?))
(def ingress? (s/keys :req-un [::fqdns ::service-name ::service-port] (def ingress? (s/keys :req-un [::fqdns ::ingress-name ::service-name ::service-port]
:opt-un [::issuer])) :opt-un [::issuer ::cert-name]))
(def certificate? (s/keys :req-un [::fqdns ::cert-name]
:opt-un [::issuer]))
(defn replace-dots-by-minus
[fqdn]
(str/replace fqdn #"\." "-"))
(defn generate-cert-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-cert"))
(defn generate-http-ingress-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-http-ingress"))
(defn generate-https-ingress-name
[unique-name]
(str (replace-dots-by-minus unique-name) "-https-ingress"))
(defn-spec generate-rule pred/map-or-seq? (defn-spec generate-rule pred/map-or-seq?
[service-name ::service-name [service-name ::service-name
service-port ::service-port service-port ::service-port
fqdn pred/fqdn-string?] fqdn pred/fqdn-string?]
(-> (->
(yaml/load-as-edn "ingress/rule.yaml") (yaml/load-as-edn "ingress/rule.yaml")
@ -33,8 +52,32 @@
(defn-spec generate-http-ingress pred/map-or-seq? (defn-spec generate-http-ingress pred/map-or-seq?
[config ingress?] [config ingress?]
(let [{:keys [service-name service-port fqdns]} config] (let [{:keys [ingress-name service-name service-port fqdns]} config]
(-> (->
(yaml/load-as-edn "ingress/http-ingress.yaml") (yaml/load-as-edn "ingress/http-ingress.yaml")
(assoc-in [:metadata :name] (str service-name "-http-ingress")) (assoc-in [:metadata :name] ingress-name)
(assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns))))) (assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns)))))
(defn-spec generate-https-ingress pred/map-or-seq?
[config ingress?]
(let [{:keys [ingress-name cert-name service-name service-port fqdns]} config]
(->
(yaml/load-as-edn "ingress/https-ingress.yaml")
(assoc-in [:metadata :name] ingress-name)
(assoc-in [:spec :tls 0 :secretName] cert-name)
(assoc-in [:spec :tls 0 :hosts] fqdns)
(assoc-in [:spec :rules] (mapv (partial generate-rule service-name service-port) fqdns)))))
(defn-spec generate-certificate pred/map-or-seq?
[config certificate?]
(let [{:keys [cert-name issuer fqdns]
:or {issuer "staging"}} config
letsencrypt-issuer (name issuer)]
(->
(yaml/load-as-edn "ingress/certificate.yaml")
(assoc-in [:metadata :name] cert-name)
(assoc-in [:spec :secretName] cert-name)
(assoc-in [:spec :commonName] (first fqdns))
(assoc-in [:spec :dnsNames] fqdns)
(assoc-in [:spec :issuerRef :name] letsencrypt-issuer))))

2
src/main/cljc/dda/c4k_website/website.cljc
View file

@ -161,7 +161,7 @@
(-> (->
(yaml/load-as-edn "website/certificate.yaml") (yaml/load-as-edn "website/certificate.yaml")
(assoc-in [:spec :issuerRef :name] letsencrypt-issuer) (assoc-in [:spec :issuerRef :name] letsencrypt-issuer)
(cm/replace-all-matching-values-by-new-value "FQDN" fqdn)))) (cm/replace-all-matching-values-by-new-value "FQDN" fqdn))))
(defn-spec generate-website-certificate pred/map-or-seq? (defn-spec generate-website-certificate pred/map-or-seq?
[config websitedata?] [config websitedata?]

0
src/main/resources/website/certificate.yaml → src/main/resources/ingress/certificate.yaml
View file

2
src/main/resources/ingress/http-ingress.yaml
View file

@ -15,6 +15,6 @@ spec:
path: "/" path: "/"
backend: backend:
service: service:
name: SERVICENAME name: SERVIC_ENAME
port: port:
number: 80 number: 80

2
src/main/resources/ingress/https-ingress.yaml
View file

@ -19,6 +19,6 @@ spec:
path: "/" path: "/"
backend: backend:
service: service:
name: SERVICENAME name: SERVICE_NAME
port: port:
number: 80 number: 80

88
src/test/cljc/dda/c4k_website/ingress_test.cljc
View file

@ -10,8 +10,11 @@
(st/instrument `cut/generate-rule) (st/instrument `cut/generate-rule)
(st/instrument `cut/generate-http-ingress) (st/instrument `cut/generate-http-ingress)
(st/instrument `cut/generate-https-ingress)
(st/instrument `cut/generate-certificate)
(deftest should-genereate-rule
(deftest should-generate-rule
(is (= {:host "test.com", (is (= {:host "test.com",
:http :http
{:paths {:paths
@ -27,7 +30,7 @@
(is (= {:apiVersion "networking.k8s.io/v1", (is (= {:apiVersion "networking.k8s.io/v1",
:kind "Ingress", :kind "Ingress",
:metadata :metadata
{:name "myservice-http-ingress", {:name "test-io-http-ingress",
:namespace "default", :namespace "default",
:annotations :annotations
#:traefik.ingress.kubernetes.io{:router.entrypoints "web", #:traefik.ingress.kubernetes.io{:router.entrypoints "web",
@ -36,6 +39,7 @@
{:issuer "prod" {:issuer "prod"
:service-name "myservice" :service-name "myservice"
:service-port 3000 :service-port 3000
:ingress-name "test-io-http-ingress"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec))) :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec)))
(is (= {:rules (is (= {:rules
[{:host "test.de", [{:host "test.de",
@ -54,33 +58,57 @@
{:issuer "prod" {:issuer "prod"
:service-name "myservice" :service-name "myservice"
:service-port 3000 :service-port 3000
:ingress-name "test-io-http-ingress"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}))))) :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))))
;; (deftest should-generate-https-ingress (deftest should-generate-https-ingress
;; (is (= {:apiVersion "networking.k8s.io/v1", (is (= {:apiVersion "networking.k8s.io/v1",
;; :kind "Ingress", :kind "Ingress",
;; :metadata :metadata
;; {:name "test-io-https-ingress", {:name "test-io-https-ingress",
;; :namespace "default", :namespace "default",
;; :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}, :annotations #:traefik.ingress.kubernetes.io{:router.entrypoints "websecure", :router.tls "true"}}}
;; :spec (dissoc (cut/generate-https-ingress
;; {:tls [{:hosts ["test.de" "www.test.de" "test-it.de" "www.test-it.de"], :secretName "test-io-cert"}], {:issuer "prod"
;; :rules :service-name "test-io-service"
;; [{:host "test.de", :service-port 80
;; :http :ingress-name "test-io-https-ingress"
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]}) :spec)))
;; {:host "www.test.de", (is (= {:tls
;; :http [{:hosts
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} ["test.de" "www.test.de" "test-it.de" "www.test-it.de"],
;; {:host "test-it.de", :secretName "test-io-cert"}]
;; :http :rules
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}} [{:host "test.de",
;; {:host "www.test-it.de", :http
;; :http {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]}} {:host "www.test.de",
;; (cut/generate-https-ingress {:unique-name "test.io" :http
;; :gitea-host "gitea.evilorg" {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; :gitea-repo "none" {:host "test-it.de",
;; :branchname "mablain" :http
;; :issuer "prod" {:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}
;; :fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))) {:host "www.test-it.de",
:http
{:paths [{:pathType "Prefix", :path "/", :backend {:service {:name "test-io-service", :port {:number 80}}}}]}}]}
(:spec (cut/generate-https-ingress {:issuer "prod"
:service-name "test-io-service"
:service-port 80
:ingress-name "test-io-http-ingress"
:cert-name "test-io-cert"
:fqdns ["test.de" "www.test.de" "test-it.de" "www.test-it.de"]})))))
(deftest should-generate-certificate
(is (= {:apiVersion "cert-manager.io/v1",
:kind "Certificate",
:metadata {:name "test-io-cert", :namespace "default"},
:spec
{:secretName "test-io-cert",
:commonName "test.de",
:duration "2160h",
:renewBefore "360h",
:dnsNames ["test.de" "test.org" "www.test.de" "www.test.org"],
:issuerRef {:name "prod", :kind "ClusterIssuer"}}}
(cut/generate-certificate {:fqdns ["test.de" "test.org" "www.test.de" "www.test.org"]
:cert-name "test-io-cert"
:issuer "prod"}))))

17
src/test/cljc/dda/c4k_website/website_test.cljc
View file

@ -42,23 +42,6 @@
:gitea-repo "repo" :gitea-repo "repo"
:branchname "main"}]})))) :branchname "main"}]}))))
(deftest should-generate-website-certificate
(is (= {:name-c1 "prod", :name-c2 "staging"}
(th/map-diff (cut/generate-website-certificate {:unique-name "test.io"
:gitea-host "gitea.evilorg"
:gitea-repo "none"
:branchname "mablain"
:issuer "prod"
:fqdns ["test.org" "test.de"]})
(cut/generate-website-certificate {:unique-name "test.io"
:gitea-host "gitea.evilorg"
:gitea-repo "none"
:branchname "mablain"
:issuer "staging"
:fqdns ["test.org" "test.de"]})))))
(deftest should-generate-nginx-configmap (deftest should-generate-nginx-configmap
(is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de www.test.de test-it.de www.test-it.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", (is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de www.test.de test-it.de www.test-it.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n",
:website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name example.de www.example.de example-by.de www.example-by.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name example.de www.example.de example-by.de www.example-by.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n",