From b6e500da3b0134c9101abbfa3a55db146ff8252d Mon Sep 17 00:00:00 2001
From: erik
Date: Wed, 12 Oct 2022 10:56:12 +0200
Subject: [PATCH] [Skip-Ci] WIP Generalize nginx configmap
---
 src/main/cljc/dda/c4k_website/website.cljc | 83 +++-------------
 .../resources/website/nginx-configmap.yaml | 99 +++++++++++++++++++
 2 files changed, 114 insertions(+), 68 deletions(-)
 create mode 100644 src/main/resources/website/nginx-configmap.yaml
diff --git a/src/main/cljc/dda/c4k_website/website.cljc b/src/main/cljc/dda/c4k_website/website.cljc
index 76f444b..f052017 100644
--- a/src/main/cljc/dda/c4k_website/website.cljc
+++ b/src/main/cljc/dda/c4k_website/website.cljc
@@ -1,7 +1,6 @@
 (ns dda.c4k-website.website
 (:require
- [clojure.spec.alpha :as s]
- [clojure.string :as st]
+ [clojure.spec.alpha :as s]
 #?(:cljs [shadow.resource :as rc])
 #?(:clj [orchestra.core :refer [defn-spec]]
 :cljs [orchestra.core :refer-macros [defn-spec]])
@@ -39,7 +38,7 @@
 (defn unique-name-from-fqdn
 [fqdn]
- (st/replace fqdn #"\." "-"))
+ (str/replace fqdn #"\." "-"))
 (defn generate-service-name
 [uname]
@@ -49,6 +48,10 @@
 [uname]
 (str (unique-name-from-fqdn uname) "-cert"))
+(defn generate-configmap-name
+ [uname]
+ (str (unique-name-from-fqdn uname) "-configmap"))
+
 ; ToDo: Move to common?
 (defn-spec replace-all-matching-subvalues-in-string-start pred/map-or-seq?
 [col string? ;ToDo richtig spec-en
@@ -56,7 +59,7 @@
 value-to-inplace string?]
 (clojure.walk/postwalk #(if (and (= (type value-to-partly-match) (type %))
 (re-matches (re-pattern (str value-to-partly-match ".*")) %))
- (st/replace % value-to-partly-match value-to-inplace) %)
+ (str/replace % value-to-partly-match value-to-inplace) %)
 col))
 #?(:cljs
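Review bot: `[clojure.string :as st]` is dropped from `:require` in the first hunk while the later hunks switch every call site to `str/replace`, and no `[clojure.string :as str]` appears in the part of the ns form this hunk shows; unless that alias is declared further down the `:require` (the form continues past the hunk), `str/replace` has no namespace to resolve to and the file will not load. Because the commit is tagged [Skip-Ci], nothing would catch this before merge. If the alias really is missing, the fix is the single line `[clojure.string :as str]` next to the spec require. The new `generate-configmap-name` in the third hunk mirrors the existing `-cert` helper and is fine as is.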
@@ -171,72 +174,16 @@
 (generate-common-certificate config)
 (assoc-in spec-dnsNames fqdns))))
-(defn-spec generate-single-certificate pred/map-or-seq?
+(defn-spec generate-nginx-configmap pred/map-or-seq?
 [config config?]
- (let [{:keys [issuer single]
- :or {issuer "staging"}} config
- fqdn ((keyword single) config)
- letsencrypt-issuer (name issuer)]
+ (let [{:keys [uname fqdns]} config]
 (->
- (yaml/load-as-edn "website/single-certificate.yaml")
- (assoc-in [:spec :issuerRef :name] letsencrypt-issuer)
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn))
- (cm/replace-all-matching-values-by-new-value "FQDN" fqdn))))
-
-(defn-spec generate-single-ingress pred/map-or-seq?
- [config config?]
- (let [{:keys [single]} config
- fqdn ((keyword single) config)]
- (->
- (yaml/load-as-edn "website/single-ingress.yaml")
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn))
- (cm/replace-all-matching-values-by-new-value "FQDN" fqdn))))
-
-(defn-spec generate-single-nginx-configmap pred/map-or-seq?
- [config config?]
- (let [{:keys [single]} config
- fqdn ((keyword single) config)
- configmap (yaml/load-as-edn "website/single-nginx-configmap.yaml")]
- (->
- configmap
- (assoc-in [:data :website.conf] (st/replace (-> configmap :data :website.conf) #"FQDN" (str fqdn ";")))
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn)))))
-
-(defn-spec generate-multi-certificate pred/map-or-seq?
- [config config?]
- (let [{:keys [issuer multi]
- :or {issuer "staging"}} config
- fqdn ((keyword (first multi)) config)
- fqdn1 ((keyword (second multi)) config)
- letsencrypt-issuer (name issuer)]
- (->
- (yaml/load-as-edn "website/multi-certificate.yaml")
- (assoc-in [:spec :issuerRef :name] letsencrypt-issuer)
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn))
- (cm/replace-all-matching-values-by-new-value "FQDN" fqdn)
- (cm/replace-all-matching-values-by-new-value "FQDN1" fqdn1))))
-
-(defn-spec generate-multi-ingress pred/map-or-seq?
- [config config?]
- (let [{:keys [multi]} config
- fqdn ((keyword (first multi)) config)
- fqdn1 ((keyword (second multi)) config)]
- (->
- (yaml/load-as-edn "website/multi-ingress.yaml")
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn))
- (cm/replace-all-matching-values-by-new-value "FQDN" fqdn)
- (cm/replace-all-matching-values-by-new-value "FQDN1" fqdn1))))
-
-(defn-spec generate-multi-nginx-configmap pred/map-or-seq?
- [config config?]
- (let [{:keys [multi]} config
- fqdn ((keyword (first multi)) config)
- fqdn1 ((keyword (second multi)) config)
- configmap (yaml/load-as-edn "website/multi-nginx-configmap.yaml")]
- (->
- configmap
- (assoc-in [:data :website.conf] (st/replace (-> configmap :data :website.conf) #"FQDN\ FQDN1" (str fqdn " " fqdn1 ";")))
- (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn fqdn)))))
+ (yaml/load-as-edn "website/nginx-configmap.yaml")
+ (replace-all-matching-subvalues-in-string-start "NAME" (unique-name-from-fqdn uname))
+ (#(assoc-in %
+ [:data :website.conf]
+ (str/replace
+ (-> % :data :website.conf) #"FQDN" (str (str/join " " fqdns) ";")))))))
 (defn-spec generate-nginx-deployment pred/map-or-seq?
 [config config?]
diff --git a/src/main/resources/website/nginx-configmap.yaml b/src/main/resources/website/nginx-configmap.yaml
new file mode 100644
index 0000000..1bdee73
--- /dev/null
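Review bot: `generate-nginx-configmap` splices every element of `fqdns` straight into the `server_name` line of `website.conf` through `str/replace`, and nothing in this hunk constrains those values; unless `config?` already restricts `fqdns` to hostname-shaped strings, a value containing `;`, a newline or `}` becomes arbitrary nginx directives inside the `server` block, and one containing `$` is additionally interpreted as a regex group reference by the string-replacement form of `str/replace`. A cheap guard before the substitution would be `(assert (every? #(re-matches #"[A-Za-z0-9.-]+" %) fqdns) "fqdns must be plain hostnames")`, or the equivalent predicate in the config spec if one already exists. It would also help to say in a comment that the template's `server_name FQDN` deliberately lacks its `;` and that this function supplies it, e.g. `;; template has no ';' after FQDN — it is appended here together with the joined names`, since the two pieces only work together. `generate-nginx-deployment` at the end of the hunk continues outside it.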
+++ b/src/main/resources/website/nginx-configmap.yaml 
@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: NAME-configmap
+ namespace: default
+data:
+ nginx.conf: |
+ user nginx;
+ worker_processes 3;
+ error_log /var/log/nginx/error.log;
+ pid /var/log/nginx/nginx.pid;
+ worker_rlimit_nofile 8192;
+ events {
+ worker_connections 4096;
+ }
+ http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] $status'
+ '"$request" $body_bytes_sent "$http_referer"'
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ server_names_hash_bucket_size 128;
+ include /etc/nginx/conf.d/website.conf;
+ }
+ mime.types: |
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml rss;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/x-javascript js;
+ text/plain txt;
+ text/x-component htc;
+ text/mathml mml;
+ image/png png;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/vnd.wap.wbmp wbmp;
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/pdf pdf;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/zip zip;
+ application/octet-stream deb;
+ application/octet-stream bin exe dll;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+ audio/mpeg mp3;
+ audio/x-realaudio ra;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/x-flv flv;
+ video/x-msvideo avi;
+ video/x-ms-wmv wmv;
+ video/x-ms-asf asx asf;
+ video/x-mng mng;
+ }
+ website.conf: |
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl;
+ ssl_certificate /etc/certs/tls.crt;
+ ssl_certificate_key /etc/certs/tls.key;
+ server_name FQDN
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+ add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy "strict-origin";
+ # add_header Permissions-Policy "permissions here";
+ root /var/www/html/website/;
+ index index.html;
+ location / {
+ try_files $uri $uri/ /index.html =404;
+ }
+ }
+
\ No newline at end of file
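Review bot: The Content-Security-Policy in `website.conf` sets `script-src *` (and `style-src *`, `font-src *`), so any origin may supply scripts and the header gives practically no protection against an injected `<script src>`; for a site served from `/var/www/html/website/` the usual starting point is `add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:";`, adding back only the origins the site really loads. The `listen 443 ssl` server pins no TLS versions or ciphers, so what is accepted depends on the nginx image's compiled-in defaults; `ssl_protocols TLSv1.2 TLSv1.3;` makes that explicit. Port 80 serves the whole site instead of redirecting, so the HSTS header only takes effect once a client has already reached HTTPS — if TLS is meant to be mandatory, a separate port-80 server doing only `return 301 https://$host$request_uri;` would enforce it (this assumes TLS is terminated in this pod rather than at an ingress, which the patch does not show). Finally, `server_name FQDN` is intentionally left without its `;` for the generator in website.cljc to supply; a comment such as `# FQDN is replaced by the generator, which also appends the ';'` above it would keep the next editor from "fixing" it.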