diff --git a/src/main/clj/dda/c4k_website/uberjar.clj b/src/main/clj/dda/c4k_website/uberjar.clj
index 78a335b..f87f507 100644
--- a/src/main/clj/dda/c4k_website/uberjar.clj
+++ b/src/main/clj/dda/c4k_website/uberjar.clj
@@ -5,5 +5,6 @@
[dda.c4k-website.website :as website]
[dda.c4k-common.uberjar :as uberjar]))
+
(defn -main [& cmd-args]
- (uberjar/main-common "c4k-website" website/config? nil website/config-defaults core/k8s-objects cmd-args))
+ (uberjar/main-common "c4k-website" website/config? website/auth? website/config-defaults core/k8s-objects cmd-args))
diff --git a/src/main/cljc/dda/c4k_website/core.cljc b/src/main/cljc/dda/c4k_website/core.cljc
index 8b4243c..a37e767 100644
--- a/src/main/cljc/dda/c4k_website/core.cljc
+++ b/src/main/cljc/dda/c4k_website/core.cljc
@@ -7,10 +7,10 @@
(defn k8s-objects [config]
(cm/concat-vec
(map yaml/to-string
- (filter #(not (nil? %))
- [(website/generate-certificate config)
- (website/generate-ingress config)
- (website/generate-nginx-configmap config)
- (website/generate-nginx-deployment)
- (website/generate-nginx-service)
- (website/generate-website-content-volume config)]))))
+ [(website/generate-nginx-deployment)
+ (website/generate-nginx-configmap config)
+ (website/generate-nginx-service)
+ (website/generate-website-content-volume config)
+ (website/generate-ingress config)
+ (website/generate-certificate config)
+ ])))
diff --git a/src/main/cljc/dda/c4k_website/website.cljc b/src/main/cljc/dda/c4k_website/website.cljc
index bc2f041..a4f8be1 100644
--- a/src/main/cljc/dda/c4k_website/website.cljc
+++ b/src/main/cljc/dda/c4k_website/website.cljc
@@ -27,6 +27,8 @@
(def config? (s/keys :req-un [::fqdn] :opt-un [::issuer]))
+(def auth? (s/keys :req-un [::none]))
+
(def vol? (s/keys :req-un [::volume-total-storage-size ::number-of-websites]))
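Review bot: Dropping `(filter #(not (nil? %)) …)` in k8s-objects makes every generator in the new vector responsible for returning a map; the old filter suggests at least one of them (generate-certificate is the usual candidate) could yield nil, and if it still does, `yaml/to-string` now receives nil and the emitted manifest list gains a bogus document instead of silently skipping it. If all six generators are now guaranteed non-nil, a one-line comment on the vector saying so would make that contract visible; otherwise keep the guard as `(filter some? [ … ])` around the vector. Separately, the closing `]` on its own line is unusual Clojure formatting — `(website/generate-certificate config)])))` is the conventional form.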
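Review bot: `auth?` is added without a docstring and requires a `:none` key whose spec `::none` is not defined anywhere in this hunk; unless it is registered elsewhere in website.cljc, `s/keys` (as far as I recall) only checks that the key is present, so the `"none"` placeholder in valid-auth.edn — or any other value — passes unvalidated. If this is a stand-in because `uberjar/main-common` now expects an auth spec, say so next to the def, e.g. `;; placeholder auth spec: the website has no secrets yet, but main-common requires one`. Registering `(s/def ::none string?)` or similar alongside it would make the accepted shape explicit rather than implicit.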
@@ -61,7 +63,7 @@
(defn-spec generate-ingress pred/map-or-seq? [config config?]
- (let [{:keys [fqdn issuer]} config]
+ (let [{:keys [fqdn]} config]
(-> (yaml/load-as-edn "website/ingress.yaml") (cm/replace-all-matching-values-by-new-value "FQDN" fqdn))))
@@ -72,7 +74,7 @@
configmap (yaml/load-as-edn "website/nginx-configmap.yaml")]
(-> configmap
- (assoc-in [:data :website.conf] (st/replace (-> configmap :data :website.conf) #"FQDN" fqdn))
+ (assoc-in [:data :website.conf] (st/replace (-> configmap :data :website.conf) #"FQDN" (str fqdn ";")))
)
))
diff --git a/src/main/resources/website/nginx-configmap.yaml b/src/main/resources/website/nginx-configmap.yaml
index be9d94f..6ea0179 100644
--- a/src/main/resources/website/nginx-configmap.yaml
+++ b/src/main/resources/website/nginx-configmap.yaml
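Review bot: Appending the directive terminator in code via `(str fqdn ";")` splits one nginx directive between the generator and the template: the `website.conf` hunk in nginx-configmap.yaml reads `server_name FQDN` with no `;`, so anyone editing the template (or validating it with nginx -t) sees an invalid directive unless they know the Clojure side completes it. Put the terminator in the template, `server_name FQDN;`, and pass plain `fqdn` to `st/replace`, so the rendered config can be read off the template directly. Note also that `#"FQDN"` is applied to the whole `website.conf` string, not just that directive, which is fine for a single placeholder but deserves a one-line comment such as `;; every FQDN placeholder in website.conf is replaced`. The surrounding `let` of generate-nginx-configmap begins before this hunk.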
@@ -1,52 +1,31 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: nginx-conf
+ name: nginxconf
namespace: default
data:
nginx.conf: |
- user nginx;
-
- worker_processes 3;
-
- error_log /var/log/nginx/error.log;
-
- pid /var/log/nginx/nginx.pid;
-
+ user nginx;
+ worker_processes 3;
+ error_log /var/log/nginx/error.log;
+ pid /var/log/nginx/nginx.pid;
worker_rlimit_nofile 8192;
-
- events {
- worker_connections 4096; ## Default: 1024
+ events {
+ worker_connections 4096;
}
-
- # daemon off; # run in foreground
-
http {
-
- include /etc/nginx/mime.types; # should be replaced by c4k
-
+ include /etc/nginx/mime.types;
default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] $status '
- '"$request" $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
-
- tcp_nopush on;
-
+ log_format main '$remote_addr - $remote_user [$time_local] $status'
+ '"$request" $body_bytes_sent "$http_referer"'
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
keepalive_timeout 65;
-
- server_names_hash_bucket_size 128; # this seems to be required for some vhosts
-
- # it might be a good idea to set a common reverse proxy
- # which points to the ingress?
-
+ server_names_hash_bucket_size 128;
include /etc/nginx/conf.d/website.conf;
}
-
mime.types: |
types {
text/html html htm shtml;
@@ -96,19 +75,14 @@ data:
video/x-ms-asf asx asf;
video/x-mng mng;
}
- website.conf: |
+ website.conf: |
server {
-
listen 80 default_server;
listen [::]:80 default_server;
-
listen 443 ssl;
-
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
-
server_name FQDN
-
# security headers
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
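Review bot: The rewritten `log_format main` in nginx.conf drops the trailing space the old fragments carried inside their quotes (`'… $status '` and `'… "$http_referer" '`), so nginx concatenates the pieces into `$status"$request"` and `"$http_referer""$http_user_agent"` with no separator; the resulting access log no longer matches the usual combined-format parsers, which hurts anyone shipping or reviewing these logs during an incident. Restore the separators: `log_format main '$remote_addr - $remote_user [$time_local] $status '` and `'"$request" $body_bytes_sent "$http_referer" '` (the third fragment is fine as is). The rest of this hunk is blank-line and comment removal.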
@@ -118,12 +92,8 @@ data:
add_header Referrer-Policy "strict-origin";
# maybe need to add:
# add_header Permissions-Policy "permissions here";
-
root /var/www/html/website/;
# root /usr/share/nginx/html/; # testing purposes
-
index index.html;
-
try_files $uri /index.html;
-
}
\ No newline at end of file
diff --git a/src/main/resources/website/nginx-deployment.yaml b/src/main/resources/website/nginx-deployment.yaml
index aa554af..87b7cf1 100644
--- a/src/main/resources/website/nginx-deployment.yaml
+++ b/src/main/resources/website/nginx-deployment.yaml
@@ -19,9 +19,9 @@ spec:
ports:
- containerPort: 80
volumeMounts:
- - mountPath: /etc/nginx # mount nginx volume to /etc/nginx
+ - mountPath: /etc/nginx
readOnly: true
- name: nginx-conf
+ name: nginxconfigvol
- mountPath: /var/log/nginx
name: log
- mountPath: /var/www/html/website
@@ -30,9 +30,9 @@ spec:
name: website-cert
readOnly: true
volumes:
- - name: nginx-conf
+ - name: nginxconfigvol
configMap:
- name: nginx-conf
+ name: nginxconf
items:
- key: nginx.conf
path: nginx.conf
diff --git a/valid-auth.edn b/valid-auth.edn
new file mode 100644
index 0000000..5567b06
--- /dev/null
+++ b/valid-auth.edn
@@ -0,0 +1 @@
+{:none "none"}
diff --git a/valid-config.edn b/valid-config.edn
new file mode 100644
index 0000000..18105d1
--- /dev/null
+++ b/valid-config.edn
@@ -0,0 +1,5 @@
+{:fqdn "repo.test.meissa.de"
+ :issuer "staging"
+ :volume-total-storage-size 20
+ :number-of-websites 5
+ }