From 0c1ca83418d1a85205b0389e3f9bb9e80f36a808 Mon Sep 17 00:00:00 2001 From: bobmex <38759636+bobmex@users.noreply.github.com> Date: Tue, 4 Dec 2018 09:06:21 -0800 Subject: [PATCH] registry and vault related stuff (#18) --- mgmt/registry/README.md | 35 +++++++++++++++++ mgmt/registry/gen-htpasswd.sh | 2 + mgmt/registry/run-docker-registry.sh | 15 +++++++ mgmt/registry/run-gohttpserver.sh | 2 + mgmt/registry/run-nexus-simple.sh | 1 + mgmt/registry/run-nginx-nexus-proxy.sh | 2 + mgmt/vault/README.md | 29 ++++++++++++++ mgmt/vault/consul/Dockerfile | 32 +++++++++++++++ mgmt/vault/consul/config/consul-config.json | 9 +++++ mgmt/vault/consul/data/.gitkeep | 0 mgmt/vault/docker-compose.yml | 43 +++++++++++++++++++++ mgmt/vault/run-nginx-vault-proxy.sh | 2 + mgmt/vault/vault/Dockerfile | 32 +++++++++++++++ mgmt/vault/vault/config/vault-config.json | 15 +++++++ mgmt/vault/vault/data/.gitkeep | 0 mgmt/vault/vault/logs/.gitkeep | 0 mgmt/vault/vault/policies/app-policy.json | 7 ++++ 17 files changed, 226 insertions(+) create mode 100644 mgmt/registry/README.md create mode 100755 mgmt/registry/gen-htpasswd.sh create mode 100755 mgmt/registry/run-docker-registry.sh create mode 100755 mgmt/registry/run-gohttpserver.sh create mode 100755 mgmt/registry/run-nexus-simple.sh create mode 100755 mgmt/registry/run-nginx-nexus-proxy.sh create mode 100644 mgmt/vault/README.md create mode 100644 mgmt/vault/consul/Dockerfile create mode 100644 mgmt/vault/consul/config/consul-config.json create mode 100644 mgmt/vault/consul/data/.gitkeep create mode 100644 mgmt/vault/docker-compose.yml create mode 100755 mgmt/vault/run-nginx-vault-proxy.sh create mode 100644 mgmt/vault/vault/Dockerfile create mode 100644 mgmt/vault/vault/config/vault-config.json create mode 100644 mgmt/vault/vault/data/.gitkeep create mode 100644 mgmt/vault/vault/logs/.gitkeep create mode 100644 mgmt/vault/vault/policies/app-policy.json 
diff --git a/mgmt/registry/README.md b/mgmt/registry/README.md
new file mode 100644
index 000000000..a59aaf461
--- /dev/null
+++ b/mgmt/registry/README.md
@@ -0,0 +1,35 @@
+# registry
+
+On gcp. Installed at registry.mobiledgex.net
+
+maven, docker registry and file server.
+They are run as docker containers.
+
+## auth/
+
+credentials, certificates, etc.
+
+## gen-cert-registry-mobiledgex.sh
+
+get letsencrypt certs for registry
+
+## run-docker-registry.sh
+
+docker registry runs at port 5000.
+
+## gen-htpasswd.sh
+
+generate htpasswd for use with the above docker registry container image
+
+## run-gohttpserver.sh
+
+https file server at 8000.
+
+## run-nexus-simple.sh
+
+maven repo at 8081, but exposed via https at 443 via nginx proxy below.
+
+## run-nginx-nexus-proxy.sh
+
+TLS termination for nexus at 443.
+
diff --git a/mgmt/registry/gen-htpasswd.sh b/mgmt/registry/gen-htpasswd.sh
new file mode 100755
index 000000000..d618ac514
--- /dev/null
+++ b/mgmt/registry/gen-htpasswd.sh
@@ -0,0 +1,2 @@
+docker run --entrypoint htpasswd registry:2 -Bbn bob Keon >> auth/htpasswd
+docker run --entrypoint htpasswd registry:2 -Bbn mobiledgex sandhill >> auth/htpasswd
diff --git a/mgmt/registry/run-docker-registry.sh b/mgmt/registry/run-docker-registry.sh
new file mode 100755
index 000000000..a78d8a120
--- /dev/null
+++ b/mgmt/registry/run-docker-registry.sh
@@ -0,0 +1,15 @@
+docker run -d \
+ -p 5000:5000 \
+ --restart=always \
+ --name docker-registry \
+ -v `pwd`/auth:/auth \
+ -v /home/bob/docker-registry:/var/lib/registry \
+ -e "REGISTRY_AUTH=htpasswd" \
+ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
+ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
+ -v `pwd`/certs:/certs \
+ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
+ -e REGISTRY_HTTP_TLS_KEY=/certs/registry.mobiledgex.net.key \
+ registry:2
+
+#docker run -d -p 5000:5000 --restart always --name registry registry:2
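Review bot: Both lines of gen-htpasswd.sh embed the registry usernames and plaintext passwords in a committed script, and run-gohttpserver.sh on the next hunk line does the same through `--auth-http mobiledgex:sandhill`, so anyone with read access to the repository (or its history) holds working credentials for the registry and the file server. Take the user and password from the caller instead, e.g. `read -rsp "password for $1: " pw; echo` followed by `docker run --entrypoint htpasswd registry:2 -Bbn "$1" "$pw" >> auth/htpasswd`, and treat the values already committed as exposed: rotate them and regenerate auth/htpasswd. Note also that `>>` appends, so re-running the script adds a duplicate entry for the same user instead of replacing the old hash, which the README entry for gen-htpasswd.sh should mention.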
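Review bot: The two bind-mount lines for auth/ and certs/ build the host path with unquoted backtick command substitution, so the script fails when run from a directory whose path contains whitespace, and unlike the sibling scripts the file has no shebang. `-v "$(pwd)/auth:/auth" \` and `-v "$(pwd)/certs:/certs" \` under a `#!/bin/bash` first line fix both. Because the script only works when launched from the directory that holds auth/ and certs/, and image data lives under /home/bob/docker-registry on the host, the README entry for run-docker-registry.sh should state both so a redeploy on another host does not silently start an empty, unauthenticated-looking registry.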
diff --git a/mgmt/registry/run-gohttpserver.sh b/mgmt/registry/run-gohttpserver.sh
new file mode 100755
index 000000000..69a5d1e9d
--- /dev/null
+++ b/mgmt/registry/run-gohttpserver.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --rm -p 8000:8000 -v /home/bob/certs:/certs -v /home/bob/files-repo:/app/public --name gohttpserver codeskyblue/gohttpserver ./gohttpserver --root /app/public --auth-type http --auth-http mobiledgex:sandhill --cors --upload --delete --title mobiledgex --cert=/certs/cert.pem --key=/certs/key.pem
diff --git a/mgmt/registry/run-nexus-simple.sh b/mgmt/registry/run-nexus-simple.sh
new file mode 100755
index 000000000..25cad18cf
--- /dev/null
+++ b/mgmt/registry/run-nexus-simple.sh
@@ -0,0 +1 @@
+docker run -d -p 8081:8081 -v /home/bob/nexus:/sonatype-work --name nexus sonatype/nexus:oss
diff --git a/mgmt/registry/run-nginx-nexus-proxy.sh b/mgmt/registry/run-nginx-nexus-proxy.sh
new file mode 100755
index 000000000..eff24044b
--- /dev/null
+++ b/mgmt/registry/run-nginx-nexus-proxy.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --restart always --net host --name nginx-nexus-proxy -v /home/bob/auth/nginx-nexus:/etc/nginx nginx
diff --git a/mgmt/vault/README.md b/mgmt/vault/README.md
new file mode 100644
index 000000000..518a3d588
--- /dev/null
+++ b/mgmt/vault/README.md
@@ -0,0 +1,29 @@
+# Vault
+
+On gcp.
+
+Installed in vault.mobiledgex.net.
+
+## first time run
+
+```
+docker-compose up -d --build
+```
+
+Builds the docker images of consul and vault.
+
+## certificates
+
+```
+gen-cert-vault-moiledgex.sh
+```
+
+
+## HTTPS
+
+Nginx at 443
+
+```
+run-nginx-vault-proxy.sh
+```
+
diff --git a/mgmt/vault/consul/Dockerfile b/mgmt/vault/consul/Dockerfile
new file mode 100644
index 000000000..b751b6987
--- /dev/null
+++ b/mgmt/vault/consul/Dockerfile
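Review bot: The docker run line combines `-d --rm` with no restart policy, so unlike run-docker-registry.sh and the two nginx proxies this server is gone after a daemon restart or host reboot and leaves no stopped container to inspect; drop `--rm` and add `--restart always` if it is meant to be a permanent service. The same line enables `--upload --delete` on a server guarded by a single shared basic-auth credential passed on the command line, where it is readable through `docker inspect` and the host process list; the README entry for run-gohttpserver.sh should record that the file server is writable and deletable with that one credential so the exposure is a known decision rather than a surprise.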
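Review bot: `-p 8081:8081` publishes Nexus on every host interface, while the README says it is meant to be reached only through the nginx TLS proxy on 443; since that proxy runs with `--net host`, `-p 127.0.0.1:8081:8081` keeps the plaintext port off the network without breaking the proxy. `sonatype/nexus:oss` is a moving tag, so a later `docker run` may pull a different Nexus build than the one that was tested; pin an explicit version tag. The script also lacks the `#!/bin/bash` line and the `--restart always` flag its siblings have.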
@@ -0,0 +1,32 @@
+# base image
+FROM alpine:3.7
+
+# set consul version
+ENV CONSUL_VERSION 1.2.1
+
+# create a new directory
+RUN mkdir /consul
+
+# download dependencies
+RUN apk --no-cache add \
+ bash \
+ ca-certificates \
+ wget
+
+# download and set up consul
+RUN wget --quiet --output-document=/tmp/consul.zip https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip && \
+ unzip /tmp/consul.zip -d /consul && \
+ rm -f /tmp/consul.zip && \
+ chmod +x /consul/consul
+
+# update PATH
+ENV PATH="PATH=$PATH:$PWD/consul"
+
+# add the config file
+COPY ./config/consul-config.json /consul/config/config.json
+
+# expose ports
+EXPOSE 8300 8400 8500 8600
+
+# run consul
+ENTRYPOINT ["consul"]
diff --git a/mgmt/vault/consul/config/consul-config.json b/mgmt/vault/consul/config/consul-config.json
new file mode 100644
index 000000000..deb3583df
--- /dev/null
+++ b/mgmt/vault/consul/config/consul-config.json
@@ -0,0 +1,9 @@
+{
+ "datacenter": "localhost",
+ "data_dir": "/consul/data",
+ "log_level": "DEBUG",
+ "ui": true,
+ "ports": {
+ "dns": 53
+ }
+}
diff --git a/mgmt/vault/consul/data/.gitkeep b/mgmt/vault/consul/data/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/mgmt/vault/docker-compose.yml b/mgmt/vault/docker-compose.yml
new file mode 100644
index 000000000..74eae9387
--- /dev/null
+++ b/mgmt/vault/docker-compose.yml
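Review bot: The `RUN wget ...` line downloads the consul release zip over HTTPS but never verifies it, so the build trusts whatever the release host or an intercepting proxy serves; the vault Dockerfile later in this patch has the same gap. HashiCorp publishes a SHA256SUMS file alongside each release, so fetch it too and check the archive before `unzip` with `sha256sum -c` against the `linux_amd64` entry, or compare against a checksum pinned next to `CONSUL_VERSION`. The `ENV PATH="PATH=$PATH:$PWD/consul"` line is also malformed: it nests a second `PATH=` inside the value, and `$PWD` is not an ENV/ARG variable so it appears to expand to nothing, leaving a trailing `:/consul` that is the only reason `ENTRYPOINT ["consul"]` resolves; the intended form is `ENV PATH="$PATH:/consul"`, and the same line appears in the vault Dockerfile. Both images also run as root since neither declares a `USER`.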
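Review bot: `"log_level": "DEBUG"` is committed as the default for a server that backs Vault's storage, which is a noisy setting for a production node and may write more cluster detail into the logs than operators expect; `"log_level": "INFO"` is the safer default, with DEBUG raised at the command line only while troubleshooting. `"ui": true` enables the HTTP UI on whatever the agent's client interface binds to, which in docker-compose.yml is 0.0.0.0 with 8500 published, so the README should note that the UI and API are reachable without ACLs unless that port is restricted.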
@@ -0,0 +1,43 @@
+version: '3.6'
+
+services:
+
+ vault:
+ build:
+ context: ./vault
+ dockerfile: Dockerfile
+ ports:
+ - 8200:8200
+ volumes:
+ - ./vault/config:/vault/config
+ - ./vault/policies:/vault/policies
+ - ./vault/data:/vault/data
+ - ./vault/logs:/vault/logs
+ environment:
+ - VAULT_ADDR=http://127.0.0.1:8200
+ command: server -config=/vault/config/vault-config.json
+ cap_add:
+ - IPC_LOCK
+ depends_on:
+ - consul
+
+ consul:
+ build:
+ context: ./consul
+ dockerfile: Dockerfile
+ ports:
+ - 8500:8500
+ command: agent -server -bind 0.0.0.0 -client 0.0.0.0 -bootstrap-expect 1 -config-file=/consul/config/config.json
+ volumes:
+ - ./consul/config/consul-config.json:/consul/config/config.json
+ - ./consul/data:/consul/data
+
+ consul-worker:
+ build:
+ context: ./consul
+ dockerfile: Dockerfile
+ command: agent -server -join consul -config-file=/consul/config/config.json
+ volumes:
+ - ./consul/config/consul-config.json:/consul/config/config.json
+ depends_on:
+ - consul
diff --git a/mgmt/vault/run-nginx-vault-proxy.sh b/mgmt/vault/run-nginx-vault-proxy.sh
new file mode 100755
index 000000000..6210f70c3
--- /dev/null
+++ b/mgmt/vault/run-nginx-vault-proxy.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --restart always --net host --name nginx-vault-proxy -v /home/bob/auth/nginx-vault:/etc/nginx nginx
diff --git a/mgmt/vault/vault/Dockerfile b/mgmt/vault/vault/Dockerfile
new file mode 100644
index 000000000..7078a779e
--- /dev/null
+++ b/mgmt/vault/vault/Dockerfile
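Review bot: `- 8200:8200` and `- 8500:8500` publish Vault and Consul on all host interfaces, and since vault-config.json disables TLS on the Vault listener and nothing here configures Consul ACLs, Vault tokens cross the host network in cleartext and the Consul API is open to anyone who can reach the host. run-nginx-vault-proxy.sh runs nginx with `--net host`, so binding to loopback keeps the proxy working: `- 127.0.0.1:8200:8200` and `- 127.0.0.1:8500:8500`, or drop the 8500 publish entirely, because vault reaches consul over the compose network as `consul:8500` already. The consul service is a single `-bootstrap-expect 1` server and consul-worker mounts no data volume, so ./consul/data appears to be the only persistent copy of Vault's storage; that should be stated in the README next to the first-run instructions, along with the init and unseal steps the README currently omits.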
@@ -0,0 +1,32 @@
+# base image
+FROM alpine:3.7
+
+# set vault version
+ENV VAULT_VERSION 0.10.3
+
+# create a new directory
+RUN mkdir /vault
+
+# download dependencies
+RUN apk --no-cache add \
+ bash \
+ ca-certificates \
+ wget
+
+# download and set up vault
+RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
+ unzip /tmp/vault.zip -d /vault && \
+ rm -f /tmp/vault.zip && \
+ chmod +x /vault
+
+# update PATH
+ENV PATH="PATH=$PATH:$PWD/vault"
+
+# add the config file
+COPY ./config/vault-config.json /vault/config/vault-config.json
+
+# expose port 8200
+EXPOSE 8200
+
+# run vault
+ENTRYPOINT ["vault"]
diff --git a/mgmt/vault/vault/config/vault-config.json b/mgmt/vault/vault/config/vault-config.json
new file mode 100644
index 000000000..25a6eb58f
--- /dev/null
+++ b/mgmt/vault/vault/config/vault-config.json
@@ -0,0 +1,15 @@
+{
+ "backend": {
+ "consul": {
+ "address": "consul:8500",
+ "path": "vault/"
+ }
+ },
+ "listener": {
+ "tcp":{
+ "address": "0.0.0.0:8200",
+ "tls_disable": 1
+ }
+ },
+ "ui": true
+}
diff --git a/mgmt/vault/vault/data/.gitkeep b/mgmt/vault/vault/data/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/mgmt/vault/vault/logs/.gitkeep b/mgmt/vault/vault/logs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/mgmt/vault/vault/policies/app-policy.json b/mgmt/vault/vault/policies/app-policy.json
new file mode 100644
index 000000000..9bac41092
--- /dev/null
+++ b/mgmt/vault/vault/policies/app-policy.json
@@ -0,0 +1,7 @@
+{
+ "path": {
+ "secret/data/app/*": {
+ "policy": "read"
+ }
+ }
+}
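Review bot: `chmod +x /vault` on the last line of the `RUN wget ...` command sets the execute bit on the directory, not on the extracted binary; the consul Dockerfile earlier in this patch does `chmod +x /consul/consul`, and the matching line here is `chmod +x /vault/vault`. The image presumably works today only because the archive already carries an executable bit, so the mistake is silent. The unverified download and the malformed `ENV PATH=` line are the same issues raised on the consul Dockerfile and apply here unchanged.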
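Review bot: `"tls_disable": 1` on a listener bound to `0.0.0.0:8200` means every Vault token and secret crosses the container network, and with 8200 published in docker-compose.yml the host network, in cleartext. Either enable TLS on this listener with the certificate the README's gen-cert step produces (`"tls_cert_file"` and `"tls_key_file"` in the tcp stanza), or keep TLS termination in nginx and document that 8200 must only ever be published on loopback so the proxy is the sole path in. The `"backend"` key is the legacy name for what current Vault documentation calls the `storage` stanza; it presumably still loads in 0.10.3, but `"storage"` is the form new configuration should use.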
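Review bot: The policy is mounted into the vault container via ./vault/policies, but nothing in docker-compose.yml or the README applies it, so after `docker-compose up` it has no effect; add a documented post-init step such as `vault policy write app /vault/policies/app-policy.json`. The `"policy": "read"` form is the older syntax; `"capabilities": ["read"]` is what current policy documentation uses and makes the granted operations explicit. The path `secret/data/app/*` also assumes a KV version 2 engine mounted at `secret/`, which the README should state since a v1 mount would not match this rule.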