From 4c70d59c5d845a3b051043082440abd03c5241d3 Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 30 Jul 2019 10:59:01 -0400
Subject: [PATCH] Add k8s networking.

- bind static azure IPs
- Add load balancers for both CSPs
---
 .circleci/config.yml | 28 ---------
 k8s/aws/atst-nginx-configmap.yml | 91 ++++++++++++++++++++++--------
 k8s/aws/aws.yml | 25 +++++++-
 k8s/azure/atst-nginx-configmap.yml | 91 ++++++++++++++++++++++--------
 k8s/azure/azure.yml | 23 +++++++-
 5 files changed, 182 insertions(+), 76 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 13a081fe..73d4da23 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -96,20 +96,6 @@ workflows:
 branches:
 only:
 - master
- - azure-aks/update-container-image:
- cluster-name: atat-cluster
- container-image-updates: "atst=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
- namespace: atat
- resource-name: deployment.apps/atst
- resource-group: atat
- # uncomment below for debugging
- # show-kubectl-command: true
- requires:
- - azure-acr/build_and_push_image
- filters:
- branches:
- only:
- - master
 - azure-aks/update-container-image:
 cluster-name: atat-cluster
 container-image-updates: "atst-worker=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
@@ -147,17 +133,3 @@ workflows:
 branches:
 only:
 - master
- - aws-eks/update-container-image:
- cluster-name: atat
- container-image-updates: "atst-worker=${AWS_ECR_ACCOUNT_URL}/atat:${CIRCLE_SHA1}"
- namespace: atat
- resource-name: deployment.apps/atst-worker
- aws-region: "${AWS_REGION}"
- # uncomment below for debugging
- # show-kubectl-command: true
- requires:
- - aws-ecr/build_and_push_image
- filters:
- branches:
- only:
- - master
diff --git a/k8s/aws/atst-nginx-configmap.yml b/k8s/aws/atst-nginx-configmap.yml
index 3c38614b..cd0d051e 100644
--- a/k8s/aws/atst-nginx-configmap.yml
+++ b/k8s/aws/atst-nginx-configmap.yml
@@ -7,31 +7,78 @@ metadata:
 data:
 nginx-config: |-
 server {
- listen 8442;
- server_name localhost;
-
+ server_name aws.atat.code.mil;
+ # access_log /var/log/nginx/access.log json;
+ listen 8442;
+ listen [::]:8442 ipv6only=on;
+ # if ($http_x_forwarded_proto != 'https') {
+ # return 301 https://$host$request_uri;
+ # }
+ location /login-redirect {
+ return 301 https://auth-aws.atat.code.mil$request_uri;
+ }
+ location /login-dev {
+ try_files $uri @appbasicauth;
+ }
 location / {
 try_files $uri @app;
 }
-
 location @app {
- uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
- uwsgi_param QUERY_STRING $query_string;
- uwsgi_param REQUEST_METHOD $request_method;
- uwsgi_param CONTENT_TYPE $content_type;
- uwsgi_param CONTENT_LENGTH $content_length;
-
- uwsgi_param REQUEST_URI $request_uri;
- uwsgi_param PATH_INFO $document_uri;
- uwsgi_param DOCUMENT_ROOT $document_root;
- uwsgi_param SERVER_PROTOCOL $server_protocol;
- uwsgi_param REQUEST_SCHEME $scheme;
- uwsgi_param HTTPS $https if_not_empty;
-
- uwsgi_param REMOTE_ADDR $remote_addr;
- uwsgi_param REMOTE_PORT $remote_port;
- uwsgi_param SERVER_PORT $server_port;
- uwsgi_param SERVER_NAME $server_name;
- uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ }
+ location @appbasicauth {
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ auth_basic "Developer Access";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ }
+ }
+ server {
+ # access_log /var/log/nginx/access.log json;
+ server_name auth-aws.atat.code.mil;
+ listen 8443;
+ listen [::]:8443 ipv6only=on;
+ # SSL server certificate and private key
+ # ssl_certificate /etc/ssl/private/auth.atat.crt;
+ # ssl_certificate_key /etc/ssl/private/auth.atat.key;
+ # Set SSL protocols, ciphers, and related options
+ # ssl_protocols TLSv1.3 TLSv1.2;
+ # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ # ssl_prefer_server_ciphers on;
+ # ssl_ecdh_curve secp384r1;
+ # ssl_dhparam /etc/ssl/dhparam.pem;
+ # SSL session options
+ # ssl_session_timeout 4h;
+ # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
+ # ssl_session_tickets off;
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.8.8 8.8.4.4;
+ # Request and validate client certificate
+ # ssl_verify_client on;
+ # ssl_verify_depth 10;
+ # ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
+ # Guard against HTTPS -> HTTP downgrade
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+ location / {
+ return 301 https://aws.atat.code.mil$request_uri;
+ }
+ location /login-redirect {
+ try_files $uri @app;
+ }
+ location @app {
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+ # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+ # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+ # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+ # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+ # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
 }
 }
diff --git a/k8s/aws/aws.yml b/k8s/aws/aws.yml
index 336d9434..dfb434b0 100644
--- a/k8s/aws/aws.yml
+++ b/k8s/aws/aws.yml
@@ -48,7 +48,9 @@ spec:
 image: nginx:alpine
 ports:
 - containerPort: 8442
- name: http
+ name: main
+ - containerPort: 8443
+ name: auth
 volumeMounts:
 - name: nginx-config
 mountPath: "/etc/nginx/conf.d/atst.conf"
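Review bot: The new `auth-aws.atat.code.mil` server block enforces no client authentication: every `ssl_*` directive, including `ssl_verify_client on` and the `HTTP_X_SSL_CLIENT_*` uwsgi params, is commented out and `listen 8443` carries no `ssl` flag, so `/login-redirect` is proxied to `@app` over plaintext with nothing attesting that a certificate was verified. Until the client-cert path is ready, that location should fail closed (e.g. `return 503;`) rather than ship an unauthenticated entry point. Separately, `always` sits inside the quoted value of the `add_header Strict-Transport-Security` line, so browsers receive it as an unknown directive instead of nginx emitting the header on error responses; it should read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Note also that the main vhost's `$http_x_forwarded_proto` redirect is commented out, so nothing in this file forces HTTPS unless a TLS-terminating front end not visible in this change does so.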
@@ -137,8 +139,10 @@ kind: Service
 metadata:
 labels:
 app: atst
- name: atst
+ name: atst-main
 namespace: atat
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
 spec:
 ports:
 - port: 80
@@ -146,3 +150,20 @@ spec:
 selector:
 role: web
 type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: atst
+ name: atst-auth
+ namespace: atat
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+spec:
+ ports:
+ - port: 80
+ targetPort: 8443
+ selector:
+ role: web
+ type: LoadBalancer
diff --git a/k8s/azure/atst-nginx-configmap.yml b/k8s/azure/atst-nginx-configmap.yml
index 3c38614b..77f69e5f 100644
--- a/k8s/azure/atst-nginx-configmap.yml
+++ b/k8s/azure/atst-nginx-configmap.yml
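Review bot: The new `atst-auth` Service exposes `port: 80` → `targetPort: 8443` through an NLB, which passes TCP through without terminating TLS, so the auth vhost is reachable from the internet only over plaintext, while the `https://auth-aws.atat.code.mil` URL the nginx config redirects to resolves to port 443, which no Service in this change publishes. If TLS is meant to terminate in nginx, the Service should carry `port: 443` with `targetPort: 8443` and the listener should gain `ssl`; if it is meant to terminate at the load balancer, the NLB would need certificate and SSL-port annotations that are absent here. Renaming the Service from `atst` to `atst-main` also leaves the old `atst` Service and its load balancer allocated and exposed under `kubectl apply` unless it is deleted or pruned explicitly.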
@@ -7,31 +7,78 @@ metadata:
 data:
 nginx-config: |-
 server {
- listen 8442;
- server_name localhost;
-
+ server_name azure.atat.code.mil;
+ # access_log /var/log/nginx/access.log json;
+ listen 8442;
+ listen [::]:8442 ipv6only=on;
+ # if ($http_x_forwarded_proto != 'https') {
+ # return 301 https://$host$request_uri;
+ # }
+ location /login-redirect {
+ return 301 https://auth-azure.atat.code.mil$request_uri;
+ }
+ location /login-dev {
+ try_files $uri @appbasicauth;
+ }
 location / {
 try_files $uri @app;
 }
-
 location @app {
- uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
- uwsgi_param QUERY_STRING $query_string;
- uwsgi_param REQUEST_METHOD $request_method;
- uwsgi_param CONTENT_TYPE $content_type;
- uwsgi_param CONTENT_LENGTH $content_length;
-
- uwsgi_param REQUEST_URI $request_uri;
- uwsgi_param PATH_INFO $document_uri;
- uwsgi_param DOCUMENT_ROOT $document_root;
- uwsgi_param SERVER_PROTOCOL $server_protocol;
- uwsgi_param REQUEST_SCHEME $scheme;
- uwsgi_param HTTPS $https if_not_empty;
-
- uwsgi_param REMOTE_ADDR $remote_addr;
- uwsgi_param REMOTE_PORT $remote_port;
- uwsgi_param SERVER_PORT $server_port;
- uwsgi_param SERVER_NAME $server_name;
- uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ }
+ location @appbasicauth {
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ auth_basic "Developer Access";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
+ }
+ }
+ server {
+ # access_log /var/log/nginx/access.log json;
+ server_name auth-azure.atat.code.mil;
+ listen 8443;
+ listen [::]:8443 ipv6only=on;
+ # SSL server certificate and private key
+ # ssl_certificate /etc/ssl/private/auth.atat.crt;
+ # ssl_certificate_key /etc/ssl/private/auth.atat.key;
+ # Set SSL protocols, ciphers, and related options
+ # ssl_protocols TLSv1.3 TLSv1.2;
+ # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ # ssl_prefer_server_ciphers on;
+ # ssl_ecdh_curve secp384r1;
+ # ssl_dhparam /etc/ssl/dhparam.pem;
+ # SSL session options
+ # ssl_session_timeout 4h;
+ # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
+ # ssl_session_tickets off;
+ # OCSP Stapling
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.8.8 8.8.4.4;
+ # Request and validate client certificate
+ # ssl_verify_client on;
+ # ssl_verify_depth 10;
+ # ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
+ # Guard against HTTPS -> HTTP downgrade
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+ location / {
+ return 301 https://azure.atat.code.mil$request_uri;
+ }
+ location /login-redirect {
+ try_files $uri @app;
+ }
+ location @app {
+ include uwsgi_params;
+ uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
+ # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+ # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+ # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+ # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+ # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+ # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+ uwsgi_param HTTP_X_REQUEST_ID $request_id;
 }
 }
diff --git a/k8s/azure/azure.yml b/k8s/azure/azure.yml
index c407adee..2040e24e 100644
--- a/k8s/azure/azure.yml
+++ b/k8s/azure/azure.yml
@@ -48,7 +48,9 @@ spec:
 image: nginx:alpine
 ports:
 - containerPort: 8442
- name: http
+ name: main
+ - containerPort: 8443
+ name: auth
 volumeMounts:
 - name: nginx-config
 mountPath: "/etc/nginx/conf.d/atst.conf"
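Review bot: In the `azure.atat.code.mil` server block, `include uwsgi_params` forwards every client request header to uWSGI as `HTTP_*`, and nothing strips `X-SSL-Client-Verify` or the other `X-SSL-Client-*` names that the commented-out lines in the auth block are meant to populate from nginx-verified values; if the application ever trusts those variables, a client on port 8442 can supply them itself. Once the client-cert lines are enabled, the main vhost's `@app` location should override them, e.g. `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "";` and the same for the cert/DN params, so only nginx-derived values reach the app. The `/login-dev` location also sends HTTP Basic credentials over a listener with no TLS and a commented-out `$http_x_forwarded_proto` redirect, so they cross the network in the clear unless TLS is terminated upstream, and `/etc/nginx/.htpasswd` is not provisioned anywhere visible in this change (nginx will answer 500 if it is missing). The AWS copy of this file has the same structure and the same concerns.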
@@ -137,12 +139,29 @@ kind: Service
 metadata:
 labels:
 app: atst
- name: atst
+ name: atst-main
 namespace: atat
 spec:
+ loadBalancerIP: 13.92.235.6
 ports:
 - port: 80
 targetPort: 8442
 selector:
 role: web
 type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: atst
+ name: atst-auth
+ namespace: atat
+spec:
+ loadBalancerIP: 23.100.24.41
+ ports:
+ - port: 80
+ targetPort: 8443
+ selector:
+ role: web
+ type: LoadBalancer
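Review bot: Both Azure Services pin a public `loadBalancerIP` but publish only `port: 80`, and `atst-auth` maps that to nginx's 8443 listener, so the endpoint intended for certificate-based login is reachable solely over plaintext while the `https://auth-azure.atat.code.mil` redirect in the ConfigMap targets port 443, which nothing here exposes. Add a `port: 443` / `targetPort: 8443` entry to `atst-auth` once TLS is enabled on the nginx listener, or keep this Service unpublished until then rather than attach a static public IP to an unauthenticated path. If the two IPs are not in the cluster's node resource group, the Services will also need the `service.beta.kubernetes.io/azure-load-balancer-resource-group` annotation to bind them. The rename from `atst` to `atst-main` leaves the old `atst` Service and its public IP allocated under `kubectl apply` unless it is pruned explicitly.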