Compare commits
2 Commits
f6a8a59ecf
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
8b27e73203
a40fc162ff
@@ -67,7 +67,7 @@ func newServer() (*http.Server, error) {
|
||||
"HUB_SERVER_KEY_FILE": "",
|
||||
}
|
||||
|
||||
for k, _ := range requiredVars {
|
||||
for k := range requiredVars {
|
||||
val, isSet := os.LookupEnv(k)
|
||||
if !isSet {
|
||||
return nil, fmt.Errorf("hub: required environment variable is unset: %s", k)
|
||||
|
||||
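Review bot: The `if !isSet` check only rejects variables that are absent, so a variable exported as an empty string (for example `HUB_SERVER_KEY_FILE=` with no value) passes the loop and the empty path only fails later when the file is opened; tighten it to `if !isSet || val == "" {`. The same loop is added to HubClient in the second file of this compare (`for k := range requiredVars` followed by `os.LookupEnv`), and the check there should be tightened the same way. newServer's body starts and ends outside this hunk.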
@@ -8,10 +8,13 @@ import (
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"time"
|
||||
)
|
||||
|
||||
var HUB_BASE_URL string = ""
|
||||
|
||||
func main() {
|
||||
logger := log.New(os.Stdout, "main: ", log.LstdFlags|log.Lshortfile)
|
||||
|
||||
@@ -39,10 +42,25 @@ func main() {
|
||||
}
|
||||
|
||||
func HubClient() (*http.Client, error) {
|
||||
caFile, err := os.Open("./certs/ca.pem")
|
||||
requiredVars := map[string]string{
|
||||
"SPOKE_AGENT_CA_CERT_FILE": "",
|
||||
"SPOKE_AGENT_CERT_FILE": "",
|
||||
"SPOKE_AGENT_KEY_FILE": "",
|
||||
"HUB_SERVER_URL": "",
|
||||
}
|
||||
for k := range requiredVars {
|
||||
val, isSet := os.LookupEnv(k)
|
||||
if !isSet {
|
||||
return nil, fmt.Errorf("spoke agent: required environment variables is unset: %s", k)
|
||||
}
|
||||
requiredVars[k] = val
|
||||
}
|
||||
|
||||
caFile, err := os.Open(requiredVars["SPOKE_AGENT_CA_CERT_FILE"])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to open ca cert: %w", err)
|
||||
}
|
||||
|
||||
caCert, err := io.ReadAll(caFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to read the ca cert: %w", err)
|
||||
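Review bot: The new error text `"spoke agent: required environment variables is unset: %s"` mixes plural and singular, and the hub's counterpart reads `required environment variable is unset`; use `"spoke agent: required environment variable is unset: %s"` so the two messages stay consistent. Separately, `caFile` returned by `os.Open` is not closed anywhere within this hunk (HubClient continues past it), and the open-plus-`io.ReadAll` pair can be replaced by `caCert, err := os.ReadFile(requiredVars["SPOKE_AGENT_CA_CERT_FILE"])`, which reads and closes in one call and removes the leak question entirely.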
@@ -51,8 +69,8 @@ func HubClient() (*http.Client, error) {
|
||||
pool := x509.NewCertPool()
|
||||
pool.AppendCertsFromPEM(caCert)
|
||||
|
||||
certPath := "./certs/app1.pem"
|
||||
keyPath := "./certs/app1-key.pem"
|
||||
certPath := requiredVars["SPOKE_AGENT_CERT_FILE"]
|
||||
keyPath := requiredVars["SPOKE_AGENT_KEY_FILE"]
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
|
||||
if err != nil {
|
||||
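Review bot: `pool.AppendCertsFromPEM(caCert)` discards its bool result, so a CA file that contains no parseable certificate (now that the path comes from `SPOKE_AGENT_CA_CERT_FILE`, a wrong file or a key instead of a cert is an easy misconfiguration) leaves the pool empty and surfaces only as an opaque x509 verification failure at the first request. Check it: `if !pool.AppendCertsFromPEM(caCert) { return nil, fmt.Errorf("no certificates found in ca cert file") }`. HubClient continues outside this hunk.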
@@ -68,11 +86,17 @@ func HubClient() (*http.Client, error) {
|
||||
},
|
||||
}
|
||||
|
||||
HUB_BASE_URL = requiredVars["HUB_SERVER_URL"]
|
||||
return client, nil
|
||||
}
|
||||
|
||||
func getCurrentState(client *http.Client, logger *log.Logger) string {
|
||||
resp, err := client.Post("https://example.net:3001/register", "application/json", nil)
|
||||
reqURL, err := url.JoinPath(HUB_BASE_URL, "/register")
|
||||
if err != nil {
|
||||
logger.Fatalf("failed to setup register URL: %v", err)
|
||||
}
|
||||
|
||||
resp, err := client.Post(reqURL, "application/json", nil)
|
||||
if err != nil {
|
||||
logger.Fatalf("registration failed: %v", err)
|
||||
}
|
||||
|
||||
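--- /dev/null
+++ b/manifests/hub-cacrt.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hub-ca-crt
+data:
+  ca.crt: "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"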
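Review bot: This Secret declares no `metadata.namespace`, while the Deployment in manifests/hub.yaml (namespace `hub`) and the one in manifests/my-app.yaml both project `hub-ca-crt`; Secrets are namespaced, so each consuming namespace needs its own copy, and this file as written lands wherever the current kubectl context points. Add `namespace: hub` here and provide a second copy (or a replicated secret) for the spoke's namespace. The `ca.crt` value is redacted on this page, so whether it is base64-encoded as `data:` requires (rather than `stringData:`) cannot be checked here.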
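--- /dev/null
+++ b/manifests/hub-cert.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hub-dev-fixergrid-net-stg
+  namespace: hub
+spec:
+  # Secret names are always required.
+  secretName: hub-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: hub.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - hub.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer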
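Review bot: This Certificate (and the one in manifests/my-app-crt.yaml) asks an ACME issuer for `client auth` usage, but public ACME CAs set extended key usages by their own policy, so the issued leaf may not carry it; verify the EKUs in the resulting `hub-dev-stg-cert-tls` secret before relying on mutual TLS. More importantly, if the `ca.crt` the hub loads from `HUB_CA_CERT_FILE` is the Let's Encrypt staging chain, then every certificate that CA has issued to anyone validates as a client, so the hub must additionally match the presented certificate's DNS SAN against the spokes it expects. A private CA for spoke identities (an `isCA: true` Certificate backed by a cert-manager CA issuer) would make that trust boundary explicit rather than relying on a SAN allowlist in code.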
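--- /dev/null
+++ b/manifests/hub.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hub
+  name: hub
+  namespace: hub
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hub
+  template:
+    metadata:
+      labels:
+        app: hub
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: hub-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+        - image: amohd/servicedemon:v2
+          name: servicedemon
+          command: ["/hub"]
+          env:
+            - name: HUB_CA_CERT_FILE
+              value: /etc/hub/certs/ca.crt
+            - name: HUB_SERVER_CERT_FILE
+              value: /etc/hub/certs/tls.crt
+            - name: HUB_SERVER_KEY_FILE
+              value: /etc/hub/certs/tls.key
+          volumeMounts:
+            - name: server-certs
+              mountPath: /etc/hub/certs/
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hub-svc
+  namespace: hub
+spec:
+  type: ClusterIP
+  selector:
+    app: hub
+  ports:
+    - port: 443
+      targetPort: 3001
+      protocol: "TCP"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  namespace: hub
+  name: hub-dev-fixergrid-net
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    passthrough: true
+  routes:
+    - match: HostSNI(`hub.dev.fixergrid.net`)
+      priority: 1
+      services:
+        - name: hub-svc
+          port: 443
+          weight: 1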
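Review bot: `image: amohd/servicedemon:v2` is a mutable tag, so what actually runs can change under the Deployment without any manifest change; pin it by digest, `image: amohd/servicedemon@sha256:<DIGEST-placeholder>`, and the same applies to the identical image line in manifests/my-app.yaml. The `server-certs` mount carries the hub's TLS private key, so mark the volumeMount `readOnly: true`, and since neither the pod nor the container declares a `securityContext`, add at least `runAsNonRoot: true` and `readOnlyRootFilesystem: true`. With `passthrough: true` on the IngressRouteTCP the hub terminates TLS itself, which is consistent with it loading its own cert and key from this volume.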
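--- /dev/null
+++ b/manifests/issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: adam@fixergrid.net
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: dev-fixergrid-net-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik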
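Review bot: The comment `# Add a single challenge solver, HTTP01 using nginx` contradicts the solver directly below it, which uses `ingressClassName: traefik`; change it to `# Add a single challenge solver, HTTP01 via the traefik ingress class`. HTTP-01 also requires the challenge path to be reachable over plain HTTP on port 80 for `hub.dev.fixergrid.net` and `app1.dev.fixergrid.net`, while the IngressRouteTCP in manifests/hub.yaml only routes the `websecure` entrypoint, so whether traefik exposes a `web` entrypoint for the solver cannot be confirmed from this compare.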
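--- /dev/null
+++ b/manifests/my-app-crt.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: app-dev-fixergrid-net-stg
+  namespace: app1
+spec:
+  # Secret names are always required.
+  secretName: app1-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: app1.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - app1.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer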
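Review bot: This Certificate lives in `namespace: app1`, so cert-manager writes `app1-dev-stg-cert-tls` into `app1`, but the Deployment in manifests/my-app.yaml that mounts that secret declares no `metadata.namespace` and will be created in whatever namespace is current; one side has to change, and adding `namespace: app1` under the Deployment's `metadata` in my-app.yaml is the smaller fix. The `hub-ca-crt` secret that Deployment also mounts would then need to exist in `app1` as well.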
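--- /dev/null
+++ b/manifests/my-app.yaml
@@ -0,0 +1,42 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: app1
+  name: app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app1
+  template:
+    metadata:
+      labels:
+        app: app1
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: app1-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+        - image: amohd/servicedemon:v2
+          name: servicedemon
+          command: ["/spoke-agent"]
+          env:
+            - name: SPOKE_AGENT_CA_CERT_FILE
+              value: /etc/spoke-agent/certs/ca.crt
+            - name: SPOKE_AGENT_CERT_FILE
+              value: /etc/spoke-agent/certs/tls.crt
+            - name: SPOKE_AGENT_KEY_FILE
+              value: /etc/spoke-agent/certs/tls.key
+            - name: HUB_SERVER_URL
+              value: https://hub.dev.fixergrid.net
+          volumeMounts:
+            - name: server-certs
+              mountPath: /etc/spoke-agent/certs/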