Sozu fixup for parameters and certificate

d26a66dc · Alain Takoudjou · 2d3959df · d26a66dc · d26a66dc · d26a66dc
Commit d26a66dc authored Nov 22, 2023 by Alain Takoudjou
8 changed files
--- a/software/sozu/buildout.hash.cfg
+++ b/software/sozu/buildout.hash.cfg
@@ -14,16 +14,24 @@
 # not need these here).
 [instance.cfg]
 filename = instance.cfg.in
-md5sum = 8a714ed894c0eb99cd8de49e588d0af4
+md5sum = d53e6dd9d1c1faf6c29837108574958c

 [template-sozu]
 filename = instance-sozu.cfg.jinja2.in
-md5sum = 5ec499b5cab85d9aa2b55ea6ff3cf701
+md5sum = 97ba1fa01024f131b932c36896f061ce

 [config.toml]
-filename = config.toml.in
-md5sum = 3b407e5ee362e51de60ffb9f850f9cc0
+filename = templates/config.toml.in
+md5sum = b4e2b7fd4ef12862944e2bcfe4c2e4d6

 [publish-sozu-slave-parameters.cfg]
 filename = publish-sozu-slave-parameters.cfg.in
 md5sum = ee8dcb866fbe3b8916c6d2e5a28e19e3
+
+[response-404.html]
+filename = templates/404.html
+md5sum = 688eb86fba7c320370b50ff84edcfa31
+
+[response-503.html]
+filename = templates/503.html
+md5sum = 1bb8129372c26af854a3d9b60f495414
--- a/software/sozu/instance-sozu-slave-input-schema.json
+++ b/software/sozu/instance-sozu-slave-input-schema.json
@@ -42,14 +42,9 @@
      "patternProperties": {
        ".*": {
          "properties": {
-            "address": {
-              "title": "TCP listener",
-              "description": "TCP address listener (ip and port). Something like: 0.0.0.0:8080",
-              "type": "string"
-            },
            "hostname": {
-              "title": "Hostname",
-              "description": "host name of the cluster.",
+              "title": "Hostname for frontend",
+              "description": "Frontend hostname, this need to resolve frontend IP address. Default is empty.",
              "type": "string"
            },
            "path": {
@@ -97,7 +92,7 @@
              "items": {
                "type": "string"
              },
-              "default": []
+              "default": ["TLS_V12", "TLS_V13"]
            },
            "deploy-certificate": {
              "title": "Deploy self-signed certificate",

--- a/software/sozu/instance-sozu.cfg.jinja2.in
+++ b/software/sozu/instance-sozu.cfg.jinja2.in
@@ -18,6 +18,7 @@ nginx-prefix = ${:var}/nginx
 tmp = ${:home}/tmp
 ssl = ${:etc}/ssl
 dssl = ${:etc}/ssl-downloaded
+assets = ${:srv}/sozu/assets

 [createfile]
 recipe = slapos.recipe.template:jinja2
@@ -41,31 +42,46 @@ cert-file = ${ca-directory:certs}/${:name}.key
 executable = echo "request certificate"
 wrapper = ${directory:tmp}/ca-${:name}

+[cluster-frontend-port]
+recipe = slapos.cookbook:free_port
+minimum = 7091
+maximum = 9190
+ip = {{ ipv6 }}
+
+{% set port_base = 7090 -%}
 {% for slave_dict in slave_instance_list %}
 {% set instance_dict = json_module.loads(slave_dict['_']) -%}
 {% set name = slave_dict['slave_reference'] -%}
 {% set slave_title = slave_dict['slave_title'] -%}
 {% set cert_section_name = '${' ~ name ~ '-ssl:cert-file}' -%}
 {% set key_section_name = '${' ~ name ~ '-ssl:key-file}' -%}
+{% set port_base = port_base + 20 -%}

 [{{ name }}-ssl]
 <= ca-certificate-base
 name = {{ name }}

-{%  for cluster_name, cluster_dict in instance_dict['frontend-dict'].items() %}
-{%    if cluster_dict.get('deploy-certificate') -%}
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ '-ssl:cert-file}') -%}
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ '-ssl:key-file}') -%}
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ '-ssl:chain-file}') -%}
-
-{%    elif cluster_dict.get('certificate') and cluster_dict.get('key') and cluster_dict.get('certificate-chain') -%}
-{{ createfile(name ~ cluster_name ~ "-crt", "${directory:dssl}/" ~ name ~ cluster_name ~ ".crt", cluster_dict['certificate']) }}
-{{ createfile(name ~ cluster_name ~ "-key", "${directory:dssl}/" ~ name ~ cluster_name ~ ".key", cluster_dict['key']) }}
-{{ createfile(name ~ cluster_name ~ "-chain", "${directory:dssl}/" ~ name ~ cluster_name ~ "-chain.crt", cluster_dict['certificate-chain']) }}
-
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ cluster_name~ '-crt:output}') -%}
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ cluster_name~ '-key:output}') -%}
-{%      do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ cluster_name~ '-chain:output}') -%}
+{%  for frontend_name, frontend_dict in instance_dict['frontend-dict'].items() %}
+{% set frontend_port = port_base + 1 -%}
+[{{ "%s-%s-port" | format(name, frontend_name) }}]
+<= cluster-frontend-port
+minimum= {{ frontend_port }}
+
+{%    do instance_dict['frontend-dict'][frontend_name].__setitem__("address", "%s:${%s-%s-port:port}" | format(ipv6, name, frontend_name)) -%}
+{%    if frontend_dict.get('deploy-certificate') -%}
+{%      do instance_dict['frontend-dict'][frontend_name].__setitem__("certificate", "${%s-ssl:cert-file}" | format(name)) -%}
+{%      do instance_dict['frontend-dict'][frontend_name].__setitem__('key', "${%s-ssl:key-file}" | format(name)) -%}
+{%      do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate-chain', "${%s-ssl:chain-file}" | format(name)) -%}
+
+{%    elif frontend_dict.get('certificate') and frontend_dict.get('key') -%}
+{{ createfile("%s-%s-crt" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ ".crt", frontend_dict['certificate']) }}
+{{ createfile("%s-%s-key" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ ".key", frontend_dict['key']) }}
+{%      if frontend_dict.get('certificate-chain') -%}
+{{        createfile("%s-%s-chain" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ "-chain.crt", frontend_dict['certificate-chain']) }}
+{%        do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate-chain', "${%s-%s-chain:output}" | format(name, frontend_name)) -%}
+{%      endif -%}
+{%      do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate', "${%s-%s-crt:output}" | format(name, frontend_name)) -%}
+{%      do instance_dict['frontend-dict'][frontend_name].__setitem__('key', "${%s-%s-key:output}" | format(name, frontend_name)) -%}
 {%    endif -%}
 {%  endfor -%}
 {%  do cluster_definition_dict.__setitem__(name, instance_dict) -%}
@@ -75,9 +91,14 @@ name = {{ name }}
 #warn, info, debug, trace
 log-level = info
 log-file = ${directory:log}/sozu.log
+state-file = ${directory:etc}/sozu-state.json
 access-log-file = ${directory:log}/sozu-access.log
 socket-file = ${directory:run}/sozu.sock
-max-buffer-size = 163840
+404-html = {{ response_404_html }}
+503-html = {{ response_503_html }}
+buffer-size = 16393
+cmd-buffer-size = 1048576
+max-cmd-buffer-size = 2097152
 worker-count = 2
 max-connections = 500
 # wait for a command to complete timeout
@@ -118,6 +139,7 @@ wrapper-path = ${directory:bin}/sozu
 recipe = slapos.cookbook:certificate_authority.request
 key-file = ${sozu-parameters:key-file}
 cert-file = ${sozu-parameters:cert-file}
+chain-file = ${ca-directory:root}/cacert.pem
 executable = ${sozu-wrapper:wrapper-path}
 wrapper = ${directory:bin}/ca-sozu

@@ -196,7 +218,7 @@ context =

 [sozu-slave-information]
 {% for name, cluster_dict in cluster_definition_dict.items() -%}
-{{ name }} = {{ dumps(cluster_dict) }}
+{{ name }} = !py!{{ cluster_dict }}
 {% endfor -%}

 [buildout]

--- a/software/sozu/instance.cfg.in
+++ b/software/sozu/instance.cfg.in
@@ -50,6 +50,8 @@ extra-context =
 # config files
    raw config_toml_in             {{ config_toml }}
    raw template_publish_slave     {{ template_publish_slave }}
+    raw response_404_html          {{ template_404_html }}
+    raw response_503_html          {{ template_503_html }}

 [slave-output.cfg]
 recipe = slapos.recipe.template:jinja2

--- a/software/sozu/software.cfg
+++ b/software/sozu/software.cfg
@@ -20,16 +20,6 @@ command =
  PATH=${rustc:location}/bin:$PATH
  cargo install --root=${:location} sozu

-[sozu-d]
-recipe = slapos.recipe.cmmi
-url = https://github.com/sozu-proxy/sozu/archive/refs/tags/0.15.6.tar.gz
-md5sum = 4cd4386b64c652af5ad416b10b6ca246
-configure-command = :
-make-binary = cargo install --root=%(location)s --path . --locked
-make-targets =
-environment =
-  PATH=${rustc:location}/bin:%(PATH)s
-
 [dl-template]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/${:filename}
@@ -50,6 +40,8 @@ context =
    key sozu_location  sozu:location
    key template_sozu_cfg template-sozu:target
    key template_publish_slave publish-sozu-slave-parameters.cfg:target
+    key template_404_html  response-404.html:target
+    key template_503_html  response-503.html:target

 [template-sozu]
 <= dl-template
@@ -59,3 +51,9 @@ context =

 [publish-sozu-slave-parameters.cfg]
 <= dl-template
+
+[response-404.html]
+<= dl-template
+
+[response-503.html]
+<= dl-template
--- a/software/sozu/templates/404.html
+++ b/software/sozu/templates/404.html
+HTTP/1.1 404 Not Found
+Cache-Control: no-cache
+Connection: close
\ No newline at end of file
--- a/software/sozu/templates/503.html
+++ b/software/sozu/templates/503.html
+HTTP/1.1 503 Service unavailable
+Cache-Control: no-cache
+Connection: close
\ No newline at end of file
--- a/software/sozu/config.toml.in
+++ b/software/sozu/config.toml.in
@@ -6,12 +6,12 @@
 # routing. You can generate this file from sozu's current routing by running
 # the command `sozu state save -f state.json`
 # this must be RELATIVE to config.toml
-# saved_state = "./state.json"
+saved_state = "{{ parameter_dict['state-file'] }}"

 # save the configuration to the saved_state file every time we receive a
 # configuration message on the configuration socket
 # defaults to false, and will not work if the 'saved_state' option is not set
-# automatic_state_save = false
+automatic_state_save = false

 # logging verbosity. Possible values are "error", "warn", "info", "debug" and
 # "trace". For performance reasons, the logs at "debug" or "trace" level are
@@ -44,9 +44,9 @@ command_socket = "{{ parameter_dict['socket-file'] }}"
 # buffer will grow up to max_command_buffer_size. If the buffer is still not large
 # enough sozu will close the connection
 # defaults to 1000000
-command_buffer_size = 16384
+command_buffer_size = {{ parameter_dict["cmd-buffer-size"] }}
 # defaults to command_buffer_size * 2
-max_command_buffer_size = {{ parameter_dict["max-buffer-size"] }}
+max_command_buffer_size = {{ parameter_dict["max-cmd-buffer-size"] }}

 # the number of worker processes that will handle traffic
 # defaults to 2 workers
@@ -85,7 +85,7 @@ max_connections = {{ parameter_dict["max-connections"] }}
 # leave enough memory for one more worker (also for the kernel, etc), so total
 # RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
 # defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
-buffer_size = 16393
+buffer_size = {{ parameter_dict["buffer-size"] }}

 # how much time (in milliseconds) sozu command line will wait for a command to complete.
 # Defaults to 1000 milliseconds
@@ -154,8 +154,8 @@ address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}"
 # path to custom 404 and 503 answers
 # a 404 response is sent when sozu does not know about the requested domain or path
 # a 503 response is sent if there are no backend servers available
-#answer_404 = "../lib/assets/404.html"
-#answer_503 = "../lib/assets/503.html"
+answer_404 = "{{ parameter_dict['404-html'] }}"
+answer_503 = "{{ parameter_dict['503-html'] }}"

 # defines the sticky session cookie's name, if `sticky_session` is activated for
 # a cluster. Defaults to "SOZUBALANCEID"
@@ -176,8 +176,8 @@ address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }}"
 # this option is incompatible with expect_proxy
 # public_address = "1.2.3.4:80"

-# answer_404 = "../lib/assets/404.html"
-# answer_503 = "../lib/assets/503.html"
+answer_404 = "{{ parameter_dict['404-html'] }}"
+answer_503 = "{{ parameter_dict['503-html'] }}"
 # sticky_name = "SOZUBALANCEID"

 # Configures the client socket to receive a PROXY protocol header
@@ -212,9 +212,9 @@ cipher_list = [
 # default certificate and key
 # in case you want to set up TLS without SNI, you can define the default
 # certificate here
-certificate = "{{ parameter_dict['cert-file'] }}"
-key = "{{ parameter_dict['key-file'] }}"
-certificate_chain = "{{ parameter_dict['cert-chain-file'] }}"
+# certificate = "{{ parameter_dict['cert-file'] }}"
+# key = "{{ parameter_dict['key-file'] }}"
+# certificate_chain = "{{ parameter_dict['cert-chain-file'] }}"

 # options specific to a TCP proxy listener
 #[[listeners]]
@@ -258,19 +258,21 @@ load_metric = "{{ cluster_dict.get('load-metric', 'CONNECTIONS') }}"
 # - hostname: host name of the cluster
 # - path = "/api" # optional. A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.
 # - path_type = PREFIX | REGEX | EQUALS # defaults to PREFIX
-# - sticky_session = false # activates sticky sessions for this cluster
+# - sticky_session = false # activates sticky sessions for this cluster (not working!)
 # - https_redirect = false #  activates automatic redirection to HTTPS for this cluster
 # - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
+# - method
+# - position
 frontends = [
 {%  for _, frontend_dict in cluster_dict['frontend-dict'].items() -%}
-{%    set enable_https = frontend_dict.get("certificate") and frontend_dict.get("key") and frontend_dict.get("chain") -%}
+{%    set enable_https = frontend_dict.get("certificate") and frontend_dict.get("key") and frontend_dict.get("certificate-chain") -%}
 {%    set tag_list = [] -%}
 {%    set user_tag_list = frontend_dict.get('tag-list', []) -%}
 {%    for tag in user_tag_list -%}
 {%        set k, v = tag.split('=') -%}
 {%        do tag_list.append(k.strip() ~ '="' ~ v.strip() ~ '"') -%}
 {%    endfor -%}
-    { address = "{{ frontend_dict['address'] }}", hostname = "{{ frontend_dict.get('hostname') }}", {% if user_tag_list -%} tags = {{ tag_list | join(',') }}, {%- endif %} path = "{{ frontend_dict.get('path', '') }}", path_type = "{{ frontend_dict.get("path-type", "PREFIX") }}", sticky_session = {{ frontend_dict.get("sticky-session", "false") }}, https_redirect = {{ frontend_dict.get("https-redirect", "false") }}{% if enable_https -%}, tls_versions = {{ frontend_dict.get("tls-versions", []) }}, certificate = "{{ frontend_dict['certificate'] }}", key = "{{ frontend_dict['key'] }}", certificate_chain = "{{ frontend_dict['chain'] }}" {% endif -%} },
+    { address = "{{ frontend_dict['address'] }}", hostname = "{{ frontend_dict.get('hostname') }}", {% if user_tag_list -%} tags = {{ tag_list | join(',') }}, {%- endif %} path = "{{ frontend_dict.get('path', '') }}", path_type = "{{ frontend_dict.get("path-type", "PREFIX") }}" {% if enable_https -%}, tls_versions = {{ frontend_dict.get("tls-versions", ["TLS_V12", "TLS_V13"]) }}, certificate = "{{ frontend_dict['certificate'] }}", key = "{{ frontend_dict['key'] }}", certificate_chain = "{{ frontend_dict['certificate-chain'] }}" {% endif -%} },
 {%  endfor -%}
 ]