

Use certbot container for letsencrypt certificates
- add certbot container to docker-compose
- bind mount www path for certbot/nginx to use it in webroot mode
- bind mount certbot conf path to allow nginx to find the certificates

Fixes:
- remove location /cloud-init as per review
- remove NGINX_ARTIFACTS_SSL_PATH variable . Will use multiple domain names in PROD also.
- adapt bb and ci NGINX conf files to handle the acme challenge on port 80
- fix generate-config to avoid exposing nginx env variables to other containers other than nginx
RazvanLiviuVarzaru committed Oct 14, 2024
1 parent 9f8f1bc commit c82491b
Showing 6 changed files with 42 additions and 62 deletions.
1 change: 0 additions & 1 deletion docker-compose/.env
Expand Up @@ -7,7 +7,6 @@ MASTER_PACKAGES_DIR="/mnt/autofs/master_packages"
GALERA_PACKAGES_DIR="/mnt/autofs/galera_packages"
ARTIFACTS_URL="https://ci.mariadb.org"
NGINX_ARTIFACTS_VHOST="ci.mariadb.org"
NGINX_ARTIFACTS_SSL_PATH="ci.mariadb.org"
NGINX_BUILDBOT_VHOST="buildbot.mariadb.org"
ENVIRON="PROD"
BRANCH="main"
1 change: 0 additions & 1 deletion docker-compose/.env.dev
Expand Up @@ -8,7 +8,6 @@ MASTER_PACKAGES_DIR="/mnt/autofs/master_dev_packages"
GALERA_PACKAGES_DIR="/mnt/autofs/galera_dev_packages"
ARTIFACTS_URL="https://ci.dev.mariadb.org"
NGINX_ARTIFACTS_VHOST="ci.dev.mariadb.org"
NGINX_ARTIFACTS_SSL_PATH="buildbot.dev.mariadb.org"
NGINX_BUILDBOT_VHOST="buildbot.dev.mariadb.org"
ENVIRON="DEV"
BRANCH="dev"
52 changes: 8 additions & 44 deletions docker-compose/docker-compose.yaml
Expand Up @@ -52,15 +52,15 @@ services:
- /srv/buildbot/packages:/srv/buildbot/packages:ro
- /srv/buildbot/galera_packages:/srv/buildbot/galera_packages:ro
- /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro
- /etc/letsencrypt/live:/etc/nginx/ssl:ro
- ./logs/nginx:/var/log/nginx
- ./certbot/www/:/var/www/certbot/:ro
- ./certbot/conf/:/etc/nginx/ssl/:ro
ports:
- "443:443"
- "80:80"
environment:
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- NGINX_ARTIFACTS_SSL_PATH
extra_hosts:
- "hz-bbw5=127.0.0.1"
networks:
Expand All @@ -71,6 +71,12 @@ services:
options:
tag: "bb-nginx"

certbot:
image: certbot/certbot:latest
volumes:
- ./certbot/www/:/var/www/certbot/:rw
- ./certbot/conf/:/etc/letsencrypt/:rw

master-web:
image: quay.io/mariadb-foundation/bb-master:master-web
restart: unless-stopped
Expand All @@ -90,9 +96,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=8010
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -127,9 +130,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=9996
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -170,9 +170,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=9997
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -212,9 +209,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=9998
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -254,9 +248,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=9999
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -296,9 +287,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10000
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -338,9 +326,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10001
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -380,9 +365,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10002
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -422,9 +404,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10003
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -464,9 +443,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10004
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -506,9 +482,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10005
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -548,9 +521,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10006
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -590,9 +560,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10007
- TITLE
- TITLE_URL
Expand Down Expand Up @@ -632,9 +599,6 @@ services:
- MASTER_NONLATENT_DOCKERLIBRARY_WORKER
- MASTER_PACKAGES_DIR
- MQ_ROUTER_URL
- NGINX_ARTIFACTS_SSL_PATH
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- PORT=10008
- TITLE
- TITLE_URL
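Review bot: `image: certbot/certbot:latest` on the new certbot service is an unpinned, mutable tag, so a routine `docker compose pull` on the host can silently move the ACME client to a different release; the same line appears in the certbot block of the generate-config.py template. Pin it, e.g. `image: certbot/certbot:<PINNED_VERSION>` (or an `@sha256:<DIGEST>` reference), and bump it deliberately. The service also declares no `command:`/`entrypoint:`, so as written it is only a target for a one-shot `docker compose run`; nothing in this file renews certificates or reloads nginx after a renewal, which appears to be left to something outside the compose file — a short comment on the service saying where renewal and the nginx reload happen would keep the next operator from assuming it is automatic.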
14 changes: 11 additions & 3 deletions docker-compose/generate-config.py
Expand Up @@ -78,15 +78,15 @@
- /srv/buildbot/packages:/srv/buildbot/packages:ro
- /srv/buildbot/galera_packages:/srv/buildbot/galera_packages:ro
- /srv/buildbot/helper_files:/srv/buildbot/helper_files:ro
- /etc/letsencrypt/live:/etc/nginx/ssl:ro
- ./logs/nginx:/var/log/nginx
- ./certbot/www/:/var/www/certbot/:ro
- ./certbot/conf/:/etc/nginx/ssl/:ro
ports:
- "443:443"
- "80:80"
environment:
- NGINX_ARTIFACTS_VHOST
- NGINX_BUILDBOT_VHOST
- NGINX_ARTIFACTS_SSL_PATH
extra_hosts:
- "{cr_host_wg_addr}"
networks:
Expand All @@ -97,6 +97,12 @@
options:
tag: "bb-nginx"
certbot:
image: certbot/certbot:latest
volumes:
- ./certbot/www/:/var/www/certbot/:rw
- ./certbot/conf/:/etc/letsencrypt/:rw
master-web:
image: quay.io/mariadb-foundation/bb-master:master-web
restart: unless-stopped
Expand Down Expand Up @@ -170,7 +176,9 @@ def generate_volumes(volumes, indent_level=2):
def construct_env_section(env_vars):
env_section = " environment:\n"
for key, value in sorted(env_vars.items()):
if key != "PORT":
if key.startswith("NGINX_"):
continue
elif key != "PORT":
env_section += f" - {key}\n"
else:
env_section += f" - {key}={value}\n"
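Review bot: The new `if key.startswith("NGINX_"): continue` in construct_env_section silently drops every variable with that prefix from every generated master service, and nothing in the function says why, so a later reader is likely to take it for a bug. Add `# NGINX_* vars are consumed only by the nginx service (its block is a literal template earlier in this file); keep them out of the master containers` above the guard. The `continue` followed by `elif key != "PORT":` also reads oddly — a plain `if key != "PORT":` after the guard expresses the same thing. construct_env_section continues past the end of the hunk.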
16 changes: 12 additions & 4 deletions docker-compose/nginx/templates/bb.conf.template
@@ -1,8 +1,16 @@
server {
listen 80;
listen [::]:80;
server_name ${NGINX_BUILDBOT_VHOST};
return 301 https://$server_name$request_uri;

server_name ${NGINX_BUILDBOT_VHOST} www.${NGINX_BUILDBOT_VHOST};
server_tokens off;

location /.well-known/acme-challenge/ {
root /var/www/certbot;
}

location / {
return 301 https://$server_name$request_uri;
}


Expand All @@ -22,8 +30,8 @@ server {

# SSL configuration
# ssl on; Deprecated in newer versions of NGINX (yields nginx: [emerg] unknown directive "ssl )
ssl_certificate /etc/nginx/ssl/${NGINX_BUILDBOT_VHOST}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/nginx/ssl/${NGINX_BUILDBOT_VHOST}/privkey.pem; # managed by Certbot
ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem; # managed by Certbot
# put a one day session timeout for websockets to stay longer
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
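Review bot: The port-80 redirect `return 301 https://$server_name$request_uri;` now sits under a `server_name` that also lists `www.${NGINX_BUILDBOT_VHOST}`; nginx's `$server_name` is the first name in the directive, so requests for the www host are redirected to the bare host rather than to the host the client asked for. If that canonicalisation is intended (the TLS block loads the bare-host lineage `live/${NGINX_BUILDBOT_VHOST}`), a comment `# $server_name is the first server_name: www.* is canonicalised to the bare host` makes it explicit; if the www name is meant to be served over TLS as well, the certificate lineage must carry it as a SAN, which depends on how certbot is invoked and is not visible here. The 443 server block that holds the ssl_certificate lines starts outside the hunk.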
20 changes: 11 additions & 9 deletions docker-compose/nginx/templates/ci.conf.template
@@ -1,8 +1,15 @@
server {
listen 80;
listen [::]:80;
server_name ${NGINX_ARTIFACTS_VHOST};
return 301 https://$server_name$request_uri;
server_name ${NGINX_ARTIFACTS_VHOST} www.${NGINX_ARTIFACTS_VHOST};
server_tokens off;

location /.well-known/acme-challenge/ {
root /var/www/certbot;
}

location / {
return 301 https://$server_name$request_uri;
}

# Build artifacts location
Expand All @@ -19,11 +26,6 @@ server {
location /galera {
alias /srv/buildbot/galera_packages;
}
#FIX ME - Still needed? Not present in DEV.
# location /cloud-init {
# alias /srv/buildbot/cloud-init;
# autoindex off;
# }
location = /favicon.ico {
access_log off;
}
Expand All @@ -49,8 +51,8 @@ server {

# SSL configuration
# ssl on;
ssl_certificate /etc/nginx/ssl/${NGINX_ARTIFACTS_SSL_PATH}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/${NGINX_ARTIFACTS_SSL_PATH}/privkey.pem;
ssl_certificate /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/${NGINX_BUILDBOT_VHOST}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;

# Force https - Enable HSTS
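Review bot: The TLS block of the artifacts vhost now loads `live/${NGINX_BUILDBOT_VHOST}/fullchain.pem`, the lineage named after the buildbot host, for a server whose names are `${NGINX_ARTIFACTS_VHOST}` and its www alias; that only validates if the single lineage carries the artifacts names as SANs, which the commit message implies ("multiple domain names") but the config itself cannot enforce. Add `# one certificate lineage shared with bb.conf; ${NGINX_ARTIFACTS_VHOST} and its www. alias must be issued as SANs of it` above the ssl_certificate line so an issuance with the wrong name list is caught at review rather than in the browser. The unchanged context line `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated (RFC 8996); since the certificate setup is being redone anyway, `ssl_protocols TLSv1.2 TLSv1.3;` is the expected setting. The 443 server block starts outside the hunk.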
