From 742f74eec2e22640c898c9b642321e7a4a72febe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20L=C3=BCscher?=
Date: Mon, 29 Apr 2024 11:00:32 +0000
Subject: [PATCH] feat(main): rewrite and update pod setup use traefik instead of caddy, use variables where needed
---
 forge-pod.yml | 144 +++++++++++++++++++++++++++++---------------------
 forge.sh | 54 +++++++++++++------
 2 files changed, 122 insertions(+), 76 deletions(-)
diff --git a/forge-pod.yml b/forge-pod.yml
index c3d5755..9cd2e46 100644
--- a/forge-pod.yml
+++ b/forge-pod.yml
@@ -1,41 +1,82 @@ # uBlue-OS forge podman deployment +## variables will be replaces with envsubst when invoked via forge.sh --- apiVersion: v1 kind: Pod metadata: - name: ublue-os_forge + name: ${FORGE_POD_NAME_REVERSE_PROXY} + labels: + traefik.enable: true + traefik.http.routers.traefik-dashboard.entrypoints: web,websecure + traefik.http.routers.traefik-dashboard.rule: Host(`traefik.${FORGE_DOMAIN_NAME}`) + traefik.http.services.traefik-dashboard.loadbalancer.server.port: 8080 + traefik.http.routers.traefik-dashboard.service: api@internal +spec: + securityContext: + seLinuxOptions: + type: "container_runtime_t" # needed for podman.sock access + restartPolicy: OnFailure + volumes: + - name: podman-socket + hostPath: + path: /run/user/${FORGE_HOST_UID}/podman/podman.sock + type: Socket + - name: ublue-os_forge-certs-pvc + persistentVolumeClaim: + claimName: ublue-os_forge-certs + containers: + - name: traefik.${FORGE_DOMAIN_NAME} + image: traefik # will be built on pod start + resources: + limits: + memory: 128Mi + cpu: 200m + volumeMounts: + - mountPath: /var/run/podman.sock + name: podman-socket + readOnly: true + - mountPath: /certs + name: ublue-os_forge-certs-pvc + ports: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - containerPort: 8080 + hostPort: 8080 + protocol: TCP + initContainers: + - name: minica.${FORGE_DOMAIN_NAME} + image: minica + volumeMounts: + - mountPath: /certs + name: ublue-os_forge-certs-pvc + +--- +apiVersion: v1 +kind: Pod +metadata: + name: ${FORGE_POD_NAME_REGISTRY} + labels: + traefik.enable: true + traefik.http.routers.registry.entryPoints: web,websecure + traefik.http.services.registry.loadbalancer.server.port: 5000 + traefik.http.services.registry.loadbalancer.server.scheme: https + traefik.http.routers.registry.rule: Host(`registry.${FORGE_DOMAIN_NAME}`) spec: restartPolicy: OnFailure volumes: - name: ublue-os_forge-certs-pvc persistentVolumeClaim: claimName: 
ublue-os_forge-certs - - name: ublue-os_forge-registry-pvc persistentVolumeClaim: claimName: ublue-os_forge-registry - - - name: ublue-os_forge-semaphore-pvc - persistentVolumeClaim: - claimName: ublue-os_forge-semaphore - containers: - - name: rvproxy.ublue.local - image: rvproxy - resources: - limits: - memory: 128Mi - cpu: 200m - volumeMounts: - - mountPath: /certs - name: ublue-os_forge-certs-pvc - ports: - - containerPort: 443 - hostPort: 443 - protocol: TCP - - - name: registry.ublue.local - image: registry + - name: docker.${FORGE_DOMAIN_NAME} + image: registry # will be built on pod start resources: limits: memory: 512Mi 
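Review bot: The `traefik-dashboard` router in the first pod's labels has no middleware attached and is bound to both `web` and `websecure`, so the dashboard (`api@internal`) is reachable unauthenticated over plain HTTP as well as TLS, and `containerPort: 8080` / `hostPort: 8080` additionally publishes the API port on every host interface, bypassing the router entirely. The traefik image is built at pod start and its static configuration is not in this diff, so I can't tell whether the API is enabled in insecure mode; either way, attach an auth or IP-allowlist middleware to the router, drop the 8080 hostPort or bind it with `hostIP: 127.0.0.1`, and consider limiting the router to `websecure`. Mounting `/run/user/${FORGE_HOST_UID}/podman/podman.sock` with `readOnly: true` only prevents replacing the socket file — the container can still issue any API call, which for this rootless socket means full control over the user's containers; a filtering socket proxy that exposes only the read endpoints the provider needs would shrink that blast radius. Separately, the label values `traefik.enable: true`, `...server.port: 8080` and `...server.port: 5000` parse as a boolean and integers rather than strings, which strict label decoders can reject; quote them, e.g. `traefik.enable: "true"`.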
@@ -43,61 +84,44 @@ spec: volumeMounts: - mountPath: /certs name: ublue-os_forge-certs-pvc - subPath: _.ublue.local + subPath: _.${FORGE_DOMAIN_NAME} - mountPath: /var/lib/registry name: ublue-os_forge-registry-pvc ports: - containerPort: 5000 protocol: TCP - - name: semaphore.ublue.local - image: semaphore - resources: - limits: - memory: 512Mi - cpu: 200m - volumeMounts: - - mountPath: /var/lib/semaphore - name: ublue-os_forge-semaphore-pvc - - mountPath: /certs - subPath: ssh - name: ublue-os_forge-certs-pvc - readOnly: true - ports: - - containerPort: 3000 - protocol: TCP - - - name: setup.ublue.local - image: setup +--- +apiVersion: v1 +kind: Pod +metadata: + name: ${FORGE_POD_NAME_SETUP} +spec: + restartPolicy: OnFailure + volumes: + - name: ublue-os_forge-certs-pvc + persistentVolumeClaim: + claimName: ublue-os_forge-certs + containers: + - name: ansible.${FORGE_DOMAIN_NAME} + image: ansible # will be built on pod start volumeMounts: - mountPath: /certs name: ublue-os_forge-certs-pvc readOnly: true env: - - name: ANSIBLE_FORGE_HOST_USER + - name: ANSIBLE_HOST_USER valueFrom: secretKeyRef: name: ublue-os_forge-secure - key: ANSIBLE_FORGE_HOST_USER + key: ANSIBLE_HOST_USER - - name: ANSIBLE_FORGE_HOST_BECOME_PASSWORD + - name: ANSIBLE_HOST_BECOME_PASSWORD valueFrom: secretKeyRef: name: ublue-os_forge-secure - key: ANSIBLE_FORGE_HOST_BECOME_PASSWORD - workingDir: /ansible + key: ANSIBLE_HOST_BECOME_PASSWORD command: - ansible-playbook args: - - main.yml - resources: - limits: - memory: 512Mi - cpu: 200m - - initContainers: - - name: minica.ublue.local - image: minica - volumeMounts: - - mountPath: /certs - name: ublue-os_forge-certs-pvc + - playbooks/configure_host.yml diff --git a/forge.sh b/forge.sh index 0e4f9a0..e7eddb9 100755 --- a/forge.sh +++ b/forge.sh 
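Review bot: `workingDir: /ansible` is removed from the ansible container while the playbook argument stays relative (`- playbooks/configure_host.yml`), so the run now depends on the WORKDIR baked into the `ansible` image, which is built at pod start and not visible in this diff; if it sets none, `ansible-playbook` runs from `/` and cannot find the playbook. Either keep `workingDir: /ansible` or pass an absolute path such as `- /ansible/playbooks/configure_host.yml`. The `resources.limits` block (512Mi / 200m) the old setup container had is also dropped for the new ansible container, while the traefik and registry containers keep theirs; restoring it keeps the three pods consistent.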
@@ -1,4 +1,13 @@ #!/bin/bash +# Variables +export FORGE_DOMAIN_NAME="ublue.local" +export FORGE_NETWORK_NAME="ublue-os_forge" +export FORGE_HOST_UID=$(id -u) +export FORGE_POD_CONFIGURATION="forge-pod.yml" +export FORGE_POD_NAME_PRE_AMBLE="ublue-os_forge-" +export FORGE_POD_NAME_REVERSE_PROXY=${FORGE_POD_NAME_PRE_AMBLE}rvproxy +export FORGE_POD_NAME_REGISTRY=${FORGE_POD_NAME_PRE_AMBLE}registry +export FORGE_POD_NAME_SETUP=${FORGE_POD_NAME_PRE_AMBLE}setup # Functions function setup { @@ -6,14 +15,16 @@ function setup { check_prerequisites echo -e "${YELLOW}Creating secret configuration...${ENDCOLOR}" create_secrets + echo -e "${YELLOW}Creating podman network...${ENDCOLOR}" + create_network echo -e "${YELLOW}Heating up forge for the first time...${ENDCOLOR}" - podman play kube forge-pod.yml --build --replace & PID_BUILD=$! + cat ${FORGE_POD_CONFIGURATION} | envsubst | podman play kube --build --replace --network "${FORGE_NETWORK_NAME}" - & PID_BUILD=$! wait ${PID_BUILD} - echo -e "${YELLOW}Configuring host system...${ENDCOLOR}" - configure_host & PID_CONFIG=$! + echo -e "${YELLOW}Configuring host system pre-requisites...${ENDCOLOR}" + configure_host_prerequisites & PID_CONFIG=$! wait ${PID_CONFIG} - echo -e "${YELLOW}Configuring forge...${ENDCOLOR}" - podman logs --color -f ublue-os_forge-setup.ublue.local + echo -e "${YELLOW}Configuring host system...${ENDCOLOR}" + podman logs --color --follow "${FORGE_POD_NAME_SETUP}-ansible.${FORGE_DOMAIN_NAME}" echo "" echo -e "${YELLOW}Cleaning up secrets...${ENDCOLOR}" delete_secrets 
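Review bot: The new `cat ${FORGE_POD_CONFIGURATION} | envsubst | podman play kube ... - & PID_BUILD=$!` followed by `wait ${PID_BUILD}` runs the pipeline in the foreground in all but name and discards its exit status, so a failed build or play falls through to `configure_host_prerequisites` and then to `podman logs` on a container that does not exist. Running it directly and aborting on failure is simpler: `envsubst '${FORGE_DOMAIN_NAME} ${FORGE_HOST_UID} ${FORGE_POD_NAME_REVERSE_PROXY} ${FORGE_POD_NAME_REGISTRY} ${FORGE_POD_NAME_SETUP}' < "${FORGE_POD_CONFIGURATION}" | podman play kube --build --replace --network "${FORGE_NETWORK_NAME}" - || { echo -e "${RED}podman play kube failed${ENDCOLOR}"; exit 1; }`. Restricting `envsubst` to the named variables also stops it from rewriting any other `${...}` or `$NAME` text in the manifest from the caller's environment, and the redirect removes the `cat` and the unquoted filename. `setup` opens in the preceding hunk and its body continues past this one.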
@@ -23,17 +34,19 @@ function setup { function up { echo -e "${YELLOW}Heating up forge...${ENDCOLOR}" - podman pod start ublue-os_forge + podman pod start ${FORGE_POD_NAME_REVERSE_PROXY} + podman pod start ${FORGE_POD_NAME_REGISTRY} echo -e "${GREEN}Done. Happy forging!${ENDCOLOR}" } function down { echo -e "${YELLOW}Cooling down forge...${ENDCOLOR}" - podman pod stop ublue-os_forge --ignore + podman pod stop "${FORGE_POD_NAME_REVERSE_PROXY}" --ignore + podman pod stop "${FORGE_POD_NAME_REGISTRY}" --ignore echo -e "${GREEN}Done. Have a nice day${ENDCOLOR}" } -function configure_host { +function configure_host_prerequisites { if [ ! -f ~/.config/.ublue-os_forge-host-setup-done ]; then echo "adding ssh public key to ~/.ssh/authorized_keys" @@ -46,7 +59,7 @@ function configure_host { touch ~/.config/.ublue-os_forge-host-setup-done echo "" else - echo "Host system already configured. Nothing to do..." + echo "Host system pre-requisites already configured. Nothing to do..." echo "" fi } @@ -54,11 +67,11 @@ function configure_host { function create_secrets { # Get user input echo -e "${YELLOW}Gathering user input${ENDCOLOR}" - read -s -p "Enter sudo password for user $USER: " ANSIBLE_FORGE_HOST_BECOME_PASSWORD + read -s -p "Enter sudo password for user $USER: " ANSIBLE_HOST_BECOME_PASSWORD cat </dev/null { - "ANSIBLE_FORGE_HOST_USER": "$USER", - "ANSIBLE_FORGE_HOST_BECOME_PASSWORD": "${ANSIBLE_FORGE_HOST_BECOME_PASSWORD}" + "ANSIBLE_HOST_USER": "$USER", + "ANSIBLE_HOST_BECOME_PASSWORD": "${ANSIBLE_HOST_BECOME_PASSWORD}" } EOF echo "" 
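Review bot: `podman pod start ${FORGE_POD_NAME_REVERSE_PROXY}` and `podman pod start ${FORGE_POD_NAME_REGISTRY}` in `up` leave the variables unquoted while the matching `podman pod stop` lines in `down` quote them; write `podman pod start "${FORGE_POD_NAME_REVERSE_PROXY}"` and `podman pod start "${FORGE_POD_NAME_REGISTRY}"` so the two functions follow the same convention. `up` and `down` are complete within the hunk; `configure_host_prerequisites`, renamed here, continues past it.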
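Review bot: In `create_secrets` the sudo password read into `ANSIBLE_HOST_BECOME_PASSWORD` is interpolated verbatim into the JSON heredoc (`"ANSIBLE_HOST_BECOME_PASSWORD": "${ANSIBLE_HOST_BECOME_PASSWORD}"`), so a password containing `"` or `\` produces a document that is no longer valid JSON, and nothing in the function validates it before the secret is created. Since `jq` is already a checked prerequisite, build the document with it instead: `jq -n --arg user "$USER" --arg pw "$ANSIBLE_HOST_BECOME_PASSWORD" '{ANSIBLE_HOST_USER: $user, ANSIBLE_HOST_BECOME_PASSWORD: $pw}'` piped to the secret-create command, followed by `unset ANSIBLE_HOST_BECOME_PASSWORD` so the value does not outlive the function in the shell. The heredoc/pipe line is mangled in this extracted diff (`cat </dev/null {`), so the exact command it feeds is not visible here, and the function's tail lies outside the hunk.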
@@ -68,6 +81,15 @@ function delete_secrets { podman secret rm ublue-os_forge-secure } +function create_network { + if ! podman network inspect "${FORGE_NETWORK_NAME}" &>/dev/null; then + echo "Podman network ${FORGE_NETWORK_NAME} does not exist. Creating..." + podman network create "${FORGE_NETWORK_NAME}" + else + echo "Podman network ${FORGE_NETWORK_NAME} already exists." + fi +} + function check_prerequisites { echo -e "${YELLOW}Checking sshd service${ENDCOLOR}" SSH_SERVICE_STATUS="$(systemctl is-active sshd)" @@ -88,7 +110,7 @@ function check_prerequisites { echo -e "${RED}Make sure to install it first.${ENDCOLOR}" exit 1 else - echo -e "${GREEN}podman is installed${SSH_SERVICE_STATUS}${ENDCOLOR}" + echo -e "${GREEN}podman is installed${ENDCOLOR}" echo "" fi echo -e "${YELLOW}Checking jq installation${ENDCOLOR}" @@ -99,14 +121,14 @@ function check_prerequisites { echo -e "${RED}Make sure to install it first.${ENDCOLOR}" exit 1 else - echo -e "${GREEN}jq is installed${SSH_SERVICE_STATUS}${ENDCOLOR}" + echo -e "${GREEN}jq is installed${ENDCOLOR}" echo "" fi } function show_info { - VOLUME_DIR="$(podman volume inspect ublue-os_forge-certs | jq -r '.[0].Mountpoint')" - echo -e "${GREEN}uBlue forge is available at: https://forge.ublue.local${ENDCOLOR}" + echo -e "${GREEN}uBlue forge reverse-proxy is available at: https://traefik.${FORGE_DOMAIN_NAME}${ENDCOLOR}" + echo -e "${GREEN}uBlue forge docker registry is available at: registry.${FORGE_DOMAIN_NAME}${ENDCOLOR}" echo -e "${GREEN}To trust the certificate in your Browser of choice, make sure to import the root certificate from:${ENDCOLOR}" echo -e "${GREEN}$HOME/Downloads/tls/ublue-os_forge-root.pem${ENDCOLOR}" echo ""
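Review bot: `create_network` probes for the network with `podman network inspect ... &>/dev/null`, but the result of `podman network create "${FORGE_NETWORK_NAME}"` is never checked, so a failed create still prints "Creating..." and `setup` goes on to `podman play kube --network` against a network that does not exist. Use the dedicated existence check and fail explicitly: `if ! podman network exists "${FORGE_NETWORK_NAME}"; then` and `podman network create "${FORGE_NETWORK_NAME}" || exit 1`. The function is complete within the hunk.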