diff --git a/.travis.yml b/.travis.yml
index 94b83396..5a0734c2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,14 +1,17 @@
 sudo: required
-language: python
-python: "3.6"
+language: minimal
 services:
 - docker
 git:
 submodules: false
 env:
 global:
- - TESTER_IMAGE_NAME=atst-tester
 - PROD_IMAGE_NAME=atst-prod
+ - TESTER_IMAGE1_NAME=atst-tester-nocrls
+ - TESTER_IMAGE2_NAME=atst-tester
+cache:
+ directories:
+ - crl
 before_install:
 # Use sed to replace the SSH URL with the public URL
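Review bot: The new `cache: directories: - crl` entry is restored before `before_script`, but the same commit's `before_script` opens with `rm -rf ./crl/*` (next hunk), so the restored cache is wiped before the image build or any other visible step can read it; the cache then only adds restore/upload time to every run. Either drop the `cache:` stanza or drop the `rm -rf` and let `script/sync-crls` refresh the cached CRLs incrementally — whichever matches the intent, a one-line comment above `cache:` such as `# CRLs are fetched by script/sync-crls; cached to avoid re-downloading every build` would tell future readers why the directory is kept. If something outside this diff reads `./crl` between cache restore and `before_script`, this does not apply.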
@@ -17,16 +20,22 @@ before_install:
 - git submodule update --init --recursive
 before_script:
+ - rm -rf ./crl/*
 - docker run -d --name postgres96 postgres:9.6-alpine
 - docker run -d --name redis redis:4.0.10-alpine
 - docker run --link postgres96:postgres96 --link redis:redis waisbrot/wait
 - export postgres_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" postgres96)"
 - export redis_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" redis)"
 - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL
- - docker build --tag "${TESTER_IMAGE_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile
+ - docker build --tag "${TESTER_IMAGE1_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile
 script:
- - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}"
+ - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE1_NAME}"
+ - docker container exec -t current-atst-tester script/sync-crls
+ - docker commit current-atst-tester "${TESTER_IMAGE2_NAME}"
+ - docker cp current-atst-tester:/opt/atat/atst/crl/. ./crl/
+ - docker container stop current-atst-tester
+ - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE2_NAME}"
 before_deploy:
 - docker build --tag "${PROD_IMAGE_NAME}" . -f deploy/docker/prod/Dockerfile
diff --git a/deploy/kubernetes/atst-debugger.yml b/deploy/kubernetes/atst-debugger.yml
new file mode 100644
index 00000000..d86abd0f
--- /dev/null
+++ b/deploy/kubernetes/atst-debugger.yml
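Review bot: `docker commit current-atst-tester` records the container's effective configuration, and that container was started with `--entrypoint='/bin/sh'`, so `${TESTER_IMAGE2_NAME}` most likely carries ENTRYPOINT `/bin/sh` with an empty CMD rather than the tester Dockerfile's entrypoint; the final `docker run ... "${TESTER_IMAGE2_NAME}"` would then start a non-interactive `sh` that hits EOF on stdin and exits 0 without running the test suite, leaving the build green. Restore the original entrypoint when committing, e.g. `docker commit --change 'ENTRYPOINT [<tester entrypoint from deploy/docker/tester/Dockerfile>]' current-atst-tester "${TESTER_IMAGE2_NAME}"`, or avoid the commit altogether by running `script/sync-crls` and the tests inside one `docker run` of `${TESTER_IMAGE1_NAME}`. Either way, confirm that test output actually appears in the CI log for this commit. The tester Dockerfile is not part of this diff, so the exact ENTRYPOINT/CMD to restore has to be taken from there.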
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: atst-debugger
+ namespace: atat
+spec:
+ securityContext:
+ fsGroup: 101
+ containers:
+ - name: atst-debugger
+ image: registry.atat.codes:443/atst-prod:a1916b1
+ args: ["/bin/bash", "-c", "while true; do date; sleep 45; done"]
+ envFrom:
+ - configMapRef:
+ name: atst-envvars
+ volumeMounts:
+ - name: atst-config
+ mountPath: "/opt/atat/atst/atst-overrides.ini"
+ subPath: atst-overrides.ini
+ - name: uwsgi-config
+ mountPath: "/opt/atat/atst/uwsgi-config.ini"
+ subPath: uwsgi-config.ini
+ - name: uwsgi-socket-dir
+ mountPath: "/var/run/uwsgi"
+ volumes:
+ - name: atst-config
+ secret:
+ secretName: atst-config-ini
+ items:
+ - key: atst-overrides.ini
+ path: atst-overrides.ini
+ mode: 0644
+ - name: uwsgi-config
+ configMap:
+ name: atst-config
+ items:
+ - key: uwsgi-config
+ path: uwsgi-config.ini
+ mode: 0644
+ - name: uwsgi-socket-dir
+ emptyDir:
+ medium: Memory
+ restartPolicy: Never
diff --git a/deploy/kubernetes/atst-nginx-configmap.yml b/deploy/kubernetes/atst-nginx-configmap.yml
index 6e2b1d69..553bb30b 100644
--- a/deploy/kubernetes/atst-nginx-configmap.yml
+++ b/deploy/kubernetes/atst-nginx-configmap.yml
@@ -55,9 +55,9 @@ data:
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4;
 # Request and validate client certificate
- #ssl_verify_client on;
- #ssl_verify_depth 10;
- #ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem;
+ ssl_verify_client on;
+ ssl_verify_depth 10;
+ ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
 # Guard against HTTPS -> HTTP downgrade
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
 location / {
diff --git a/deploy/kubernetes/atst.yml b/deploy/kubernetes/atst.yml
index c302f8af..c62d7a6a 100644
--- a/deploy/kubernetes/atst.yml
+++ b/deploy/kubernetes/atst.yml
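Review bot: `atst-debugger` is an indefinitely running pod (`while true; do date; sleep 45; done`, `restartPolicy: Never`) that mounts the production config secret `atst-config-ini` and the live `atst-envvars`, yet it sets no `activeDeadlineSeconds`, no `resources`, and nothing in `securityContext` beyond `fsGroup: 101` — in effect a standing shell holding production configuration in namespace `atat`. Add `activeDeadlineSeconds:` so a forgotten debug pod is terminated, a `resources:` block, and `runAsNonRoot: true` with `allowPrivilegeEscalation: false` on the container; `fsGroup: 101` hints the image already runs unprivileged, but that should be confirmed against the prod Dockerfile. A header comment stating that the pod is for manual debugging and must be removed afterwards (`kubectl -n atat delete pod atst-debugger`) would make the intent explicit. The `uwsgi-config` and `uwsgi-socket-dir` mounts look copied from the service pod and are probably unnecessary for a debugger — verify and trim.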
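Review bot: The new `ssl_verify_client on;` turns on client-certificate authentication, but nothing in this server block checks revocation: nginx only consults a CRL when `ssl_crl` is configured, and the CRL syncing this commit adds lives in the application image rather than in nginx, so a revoked client certificate still completes the TLS handshake unless the application re-validates it (not visible here — confirm). `ssl_verify_depth 10;` is also generous for a dedicated client-CA bundle; lower it to the real chain depth of the issuing PKI once known. Because `on` (rather than `optional`) rejects any request without a certificate, confirm that health checks reaching this server block present one or target another listener. On the unchanged `add_header Strict-Transport-Security` line, `always` sits inside the quoted value and is sent to the browser as part of the header instead of acting as the nginx flag; it should read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`.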
@@ -24,7 +24,10 @@ spec:
 fsGroup: 101
 containers:
 - name: atst
- image: registry.atat.codes:443/atst-prod:e9b6f76
+ image: registry.atat.codes:443/atst-prod:a1916b1
+ resources:
+ requests:
+ memory: "2500Mi"
 envFrom:
 - configMapRef:
 name: atst-envvars
@@ -32,6 +35,9 @@ spec:
 - name: atst-config
 mountPath: "/opt/atat/atst/atst-overrides.ini"
 subPath: atst-overrides.ini
+ - name: nginx-client-ca-bundle
+ mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
+ subPath: client-ca-bundle.pem
 - name: uwsgi-config
 mountPath: "/opt/atat/atst/uwsgi-config.ini"
 subPath: uwsgi-config.ini
@@ -47,6 +53,9 @@ spec:
 volumeMounts:
 - name: nginx-auth-tls
 mountPath: "/etc/ssl/private"
+ - name: nginx-client-ca-bundle
+ mountPath: "/etc/ssl/client-ca-bundle.pem"
+ subPath: client-ca-bundle.pem
 - name: nginx-config
 mountPath: "/etc/nginx/conf.d/atst.conf"
 subPath: atst.conf
@@ -78,6 +87,13 @@ spec:
 - key: tls.key
 path: auth.atat.key
 mode: 0640
+ - name: nginx-client-ca-bundle
+ secret:
+ secretName: nginx-client-ca-bundle
+ items:
+ - key: client-ca-bundle.pem
+ path: client-ca-bundle.pem
+ mode: 0666
 - name: nginx-config
 configMap:
 name: atst-nginx
diff --git a/deploy/kubernetes/set_clientca_secret.sh b/deploy/kubernetes/set_clientca_secret.sh
new file mode 100755
index 00000000..b27fbb2d
--- /dev/null
+++ b/deploy/kubernetes/set_clientca_secret.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+kubectl -n atat delete secret atst-config-ini
+kubectl -n atat create secret generic nginx-client-ca-bundle --from-file="${1}"
diff --git a/script/alpine_setup b/script/alpine_setup
index b9eeb9a7..41096326 100755
--- a/script/alpine_setup
+++ b/script/alpine_setup
@@ -10,7 +10,7 @@ APP_USER="atst"
 APP_UID="8010"
 # Add additional packages required by app dependencies
-ADDITIONAL_PACKAGES="postgresql-libs python3 uwsgi uwsgi-python3"
+ADDITIONAL_PACKAGES="postgresql-libs python3 rsync uwsgi uwsgi-python3"
 # Run the shared alpine setup script
 source ./script/include/run_alpine_setup
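Review bot: `resources.requests.memory: "2500Mi"` is added without a matching `limits:` block, so the `atst` container is Burstable and can grow well past its request until the node itself comes under pressure; if 2500Mi is the expected working set, add `limits: { memory: <value at or slightly above the request> }` so OOM behaviour is predictable and scheduling reflects real usage. The image tag bump to `a1916b1` is duplicated by hand in the new `atst-debugger.yml` in this same commit; a short comment noting that the two must be kept in step would help prevent drift.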
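Review bot: Both new `nginx-client-ca-bundle` mounts in this file use `subPath:` (here for the app container and in the nginx container's `volumeMounts` in the next hunk); Kubernetes does not propagate Secret updates into subPath mounts, so rotating the `nginx-client-ca-bundle` secret — which is exactly what the new `set_clientca_secret.sh` does — will not change the bundle nginx or the app sees until the pod is restarted. Either mount the secret as a directory (drop `subPath`, use e.g. `mountPath: "/etc/ssl/client-ca"` and point `ssl_client_certificate` at the file inside it) or document the operational step next to each mount: `# subPath mount: secret updates are NOT propagated — roll the deployment after rotating the bundle`. The app-side path `/opt/atat/atst/ssl/server-certs/ca-chain.pem` also files a client-CA bundle under `server-certs`, which reads misleadingly; a `client-certs`-style path would be clearer if the application code permits.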
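Review bot: `mode: 0666` on the `client-ca-bundle.pem` item declares the CA bundle that decides who may authenticate as world-writable inside the pod, while the neighbouring TLS key item uses `0640`; a CA bundle is public but must be read-only, so `mode: 0444` (or `0644`) is the right value, and nothing in the pod needs to write it. Secret volumes are typically mounted read-only by the kubelet, which masks the problem today, but the declared mode still lands in the file's permission bits and in any audit of the manifest.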
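Review bot: The `delete` line removes `atst-config-ini` — the application config secret that the new `atst-debugger.yml` mounts as `atst-config` — instead of `nginx-client-ca-bundle`, so running this script destroys the app's configuration and, on any second run, the `create` fails with AlreadyExists because the previous bundle secret is still present. It should be `kubectl -n atat delete secret nginx-client-ca-bundle --ignore-not-found`. The manifests also select the item by key `client-ca-bundle.pem`, but `--from-file="${1}"` names the key after the basename of whatever path is passed, so a differently named input file leaves the pods unable to mount the volume; pin it with `--from-file=client-ca-bundle.pem="${1}"`. Add `set -euo pipefail` and a usage check that `$1` is a readable file at the top of the script.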