From a0937ba1ba3100710175121ad52c9fc159b7d8ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20L=C3=BCscher?= Date: Fri, 28 Apr 2023 18:02:56 +0000 Subject: [PATCH 1/3] chore(devcontainer): update spell-check dictionary --- .vscode/cspell_custom.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.vscode/cspell_custom.txt b/.vscode/cspell_custom.txt index 8f9b9ec..cd79d64 100644 --- a/.vscode/cspell_custom.txt +++ b/.vscode/cspell_custom.txt @@ -1,3 +1,4 @@ devcontainer minica +rvproxy ublue From b2b2f81b5d8201b3b90ee0bcc1844a5887056047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20L=C3=BCscher?= Date: Fri, 28 Apr 2023 18:03:25 +0000 Subject: [PATCH 2/3] docs: updates on reverse proxy --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index beae138..a92dede 100644 --- a/README.md +++ b/README.md @@ -27,12 +27,18 @@ We use a [Minica](https://github.com/jsha/minica) as simple CA to generate a key pair and a root certificate for `*.ublue.local`. The wildcard certificate is then made available to all other components and are valid for 2 years and 30 days. +### Reverse Proxy + +As an entry point for all components we use [Caddy](https://caddyserver.com/) as +a reverse proxy. Based on URL routing it will redirect the traffic to the +right container instance. + ### Container Registry As container registry we make use of the [Docker Registry 2.0](https://hub.docker.com/_/registry/) implementation for storing and distributing container images -The container registry is available at `registry.ublue.local:9001` +The container registry is available at `registry.ublue.local` ## Firing Up the Forge From aab9df8e0417f7b76435dba63398f095f2c08545 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Stephan=20L=C3=BCscher?= Date: Fri, 28 Apr 2023 18:03:45 +0000 Subject: [PATCH 3/3] feat: add caddy as reverse proxy (#8) --- forge-pod.yml | 18 +++++++++++++++++- rvproxy/Caddyfile | 28 ++++++++++++++++++++++++++++ rvproxy/Containerfile | 5 +++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 rvproxy/Caddyfile create mode 100644 rvproxy/Containerfile diff --git a/forge-pod.yml b/forge-pod.yml index 145f9e8..4e466f2 100644 --- a/forge-pod.yml +++ b/forge-pod.yml @@ -10,10 +10,26 @@ spec: - name: ublue-os_forge-minica-pvc persistentVolumeClaim: claimName: ublue-os_forge-minica + - name: ublue-os_forge-registry-pvc persistentVolumeClaim: claimName: ublue-os_forge-registry + containers: + - name: rvproxy.ublue.local + image: rvproxy + resources: + limits: + memory: 128Mi + cpu: 200m + volumeMounts: + - mountPath: /certs + name: ublue-os_forge-minica-pvc + ports: + - containerPort: 443 + hostPort: 443 + protocol: TCP + - name: registry.ublue.local image: registry resources: @@ -28,8 +44,8 @@ spec: name: ublue-os_forge-registry-pvc ports: - containerPort: 5000 - hostPort: 9001 protocol: TCP + initContainers: - name: minica.ublue.local image: minica diff --git a/rvproxy/Caddyfile b/rvproxy/Caddyfile new file mode 100644 index 0000000..76cb80e --- /dev/null +++ b/rvproxy/Caddyfile @@ -0,0 +1,28 @@ +# Global options +{ + auto_https disable_certs + persist_config off +} + +# Reverse-proxy configuration +*.ublue.local { + ## TLS certificates + tls /certs/_.ublue.local/cert.pem /certs/_.ublue.local/key.pem + + # container registry + @registry host registry.ublue.local + + handle @registry { + reverse_proxy ublue-os_forge-registry.ublue.local:5000 { + transport http { + tls + tls_trusted_ca_certs /certs/minica.pem + } + } + } + + # Fallback for otherwise unhandled domains + handle { + respond "Bad hostname" 400 + } +} \ No newline at end of file 
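Review bot: The `/certs` mount on the new `rvproxy.ublue.local` container is read-write although the proxy only needs to read a certificate and key from it; add `readOnly: true` to that `volumeMounts` entry (`- mountPath: /certs`, `name: ublue-os_forge-minica-pvc`, `readOnly: true`) so a compromised proxy cannot replace the material every other component trusts. If minica also keeps its CA private key on the same claim (the init container's details are outside this hunk), the proxy is handed that key as well, while it only uses the leaf pair and `minica.pem`; a separate volume or a narrower mount would keep the CA key out of the internet-facing container. The enclosing `spec:` continues past the end of the hunk.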
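Review bot: The `*.ublue.local` site block has no `log` directive, so nothing records which hosts and paths reach the registry through this new entry point; adding `log` at the top of the block gives the access trail an operator needs to spot abuse of the registry. The `tls_trusted_ca_certs /certs/minica.pem` line is the part of this file that makes upstream verification fail closed, and deserves a comment such as `# verify the registry's certificate against the private CA only`. Two style nits in the same file: `## TLS certificates` uses a double marker while every other comment uses `#`, and the file ends without a trailing newline as the `\ No newline at end of file` marker shows.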
diff --git a/rvproxy/Containerfile b/rvproxy/Containerfile
new file mode 100644
index 0000000..e8171f9
--- /dev/null
+++ b/rvproxy/Containerfile
@@ -0,0 +1,5 @@
+# Source Image
+FROM docker.io/library/caddy:2.6.4-alpine
+
+# Add configuration file
+COPY ./Caddyfile /etc/caddy/Caddyfile
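Review bot: The base image on the `FROM` line is pinned by tag only, and a tag such as `2.6.4-alpine` can be re-pushed, so the proxy that terminates TLS for the whole pod is built from whatever the registry serves under that name at build time. Pinning by digest, `FROM docker.io/library/caddy:2.6.4-alpine@sha256:<DIGEST-PLACEHOLDER>`, makes the build reproducible and lets a changed upstream image fail the build instead of silently entering the pod. A short comment above the line explaining that the digest must be refreshed together with the tag on upgrades would keep the pin from being dropped later.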