Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
105
Merge Requests
105
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
d26a66dc
Commit
d26a66dc
authored
Nov 22, 2023
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Sozu fixup for parameters and certificate
parent
2d3959df
Changes
8
Show whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
86 additions
and
53 deletions
+86
-53
software/sozu/buildout.hash.cfg
software/sozu/buildout.hash.cfg
+12
-4
software/sozu/instance-sozu-slave-input-schema.json
software/sozu/instance-sozu-slave-input-schema.json
+3
-8
software/sozu/instance-sozu.cfg.jinja2.in
software/sozu/instance-sozu.cfg.jinja2.in
+38
-16
software/sozu/instance.cfg.in
software/sozu/instance.cfg.in
+2
-0
software/sozu/software.cfg
software/sozu/software.cfg
+8
-10
software/sozu/templates/404.html
software/sozu/templates/404.html
+3
-0
software/sozu/templates/503.html
software/sozu/templates/503.html
+3
-0
software/sozu/templates/config.toml.in
software/sozu/templates/config.toml.in
+17
-15
No files found.
software/sozu/buildout.hash.cfg
View file @
d26a66dc
...
...
@@ -14,16 +14,24 @@
# not need these here).
[instance.cfg]
filename = instance.cfg.in
md5sum =
8a714ed894c0eb99cd8de49e588d0af4
md5sum =
d53e6dd9d1c1faf6c29837108574958c
[template-sozu]
filename = instance-sozu.cfg.jinja2.in
md5sum =
5ec499b5cab85d9aa2b55ea6ff3cf701
md5sum =
97ba1fa01024f131b932c36896f061ce
[config.toml]
filename = config.toml.in
md5sum =
3b407e5ee362e51de60ffb9f850f9cc0
filename =
templates/
config.toml.in
md5sum =
b4e2b7fd4ef12862944e2bcfe4c2e4d6
[publish-sozu-slave-parameters.cfg]
filename = publish-sozu-slave-parameters.cfg.in
md5sum = ee8dcb866fbe3b8916c6d2e5a28e19e3
[response-404.html]
filename = templates/404.html
md5sum = 688eb86fba7c320370b50ff84edcfa31
[response-503.html]
filename = templates/503.html
md5sum = 1bb8129372c26af854a3d9b60f495414
software/sozu/instance-sozu-slave-input-schema.json
View file @
d26a66dc
...
...
@@ -42,14 +42,9 @@
"patternProperties"
:
{
".*"
:
{
"properties"
:
{
"address"
:
{
"title"
:
"TCP listener"
,
"description"
:
"TCP address listener (ip and port). Something like: 0.0.0.0:8080"
,
"type"
:
"string"
},
"hostname"
:
{
"title"
:
"Hostname"
,
"description"
:
"
host name of the cluster
."
,
"title"
:
"Hostname
for frontend
"
,
"description"
:
"
Frontend hostname, this need to resolve frontend IP address. Default is empty
."
,
"type"
:
"string"
},
"path"
:
{
...
...
@@ -97,7 +92,7 @@
"items"
:
{
"type"
:
"string"
},
"default"
:
[]
"default"
:
[
"TLS_V12"
,
"TLS_V13"
]
},
"deploy-certificate"
:
{
"title"
:
"Deploy self-signed certificate"
,
...
...
software/sozu/instance-sozu.cfg.jinja2.in
View file @
d26a66dc
...
...
@@ -18,6 +18,7 @@ nginx-prefix = ${:var}/nginx
tmp = ${:home}/tmp
ssl = ${:etc}/ssl
dssl = ${:etc}/ssl-downloaded
assets = ${:srv}/sozu/assets
[createfile]
recipe = slapos.recipe.template:jinja2
...
...
@@ -41,31 +42,46 @@ cert-file = ${ca-directory:certs}/${:name}.key
executable = echo "request certificate"
wrapper = ${directory:tmp}/ca-${:name}
[cluster-frontend-port]
recipe = slapos.cookbook:free_port
minimum = 7091
maximum = 9190
ip = {{ ipv6 }}
{% set port_base = 7090 -%}
{% for slave_dict in slave_instance_list %}
{% set instance_dict = json_module.loads(slave_dict['_']) -%}
{% set name = slave_dict['slave_reference'] -%}
{% set slave_title = slave_dict['slave_title'] -%}
{% set cert_section_name = '${' ~ name ~ '-ssl:cert-file}' -%}
{% set key_section_name = '${' ~ name ~ '-ssl:key-file}' -%}
{% set port_base = port_base + 20 -%}
[{{ name }}-ssl]
<= ca-certificate-base
name = {{ name }}
{% for cluster_name, cluster_dict in instance_dict['frontend-dict'].items() %}
{% if cluster_dict.get('deploy-certificate') -%}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ '-ssl:cert-file}') -%}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ '-ssl:key-file}') -%}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ '-ssl:chain-file}') -%}
{% elif cluster_dict.get('certificate') and cluster_dict.get('key') and cluster_dict.get('certificate-chain') -%}
{{ createfile(name ~ cluster_name ~ "-crt", "${directory:dssl}/" ~ name ~ cluster_name ~ ".crt", cluster_dict['certificate']) }}
{{ createfile(name ~ cluster_name ~ "-key", "${directory:dssl}/" ~ name ~ cluster_name ~ ".key", cluster_dict['key']) }}
{{ createfile(name ~ cluster_name ~ "-chain", "${directory:dssl}/" ~ name ~ cluster_name ~ "-chain.crt", cluster_dict['certificate-chain']) }}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate', '${' ~ name ~ cluster_name~ '-crt:output}') -%}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('key', '${' ~ name ~ cluster_name~ '-key:output}') -%}
{% do instance_dict['frontend-dict'][cluster_name].__setitem__('certificate-chain', '${' ~ name ~ cluster_name~ '-chain:output}') -%}
{% for frontend_name, frontend_dict in instance_dict['frontend-dict'].items() %}
{% set frontend_port = port_base + 1 -%}
[{{ "%s-%s-port" | format(name, frontend_name) }}]
<= cluster-frontend-port
minimum= {{ frontend_port }}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__("address", "%s:${%s-%s-port:port}" | format(ipv6, name, frontend_name)) -%}
{% if frontend_dict.get('deploy-certificate') -%}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__("certificate", "${%s-ssl:cert-file}" | format(name)) -%}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__('key', "${%s-ssl:key-file}" | format(name)) -%}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate-chain', "${%s-ssl:chain-file}" | format(name)) -%}
{% elif frontend_dict.get('certificate') and frontend_dict.get('key') -%}
{{ createfile("%s-%s-crt" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ ".crt", frontend_dict['certificate']) }}
{{ createfile("%s-%s-key" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ ".key", frontend_dict['key']) }}
{% if frontend_dict.get('certificate-chain') -%}
{{ createfile("%s-%s-chain" | format(name, frontend_name), "${directory:dssl}/" ~ name ~ frontend_name ~ "-chain.crt", frontend_dict['certificate-chain']) }}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate-chain', "${%s-%s-chain:output}" | format(name, frontend_name)) -%}
{% endif -%}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__('certificate', "${%s-%s-crt:output}" | format(name, frontend_name)) -%}
{% do instance_dict['frontend-dict'][frontend_name].__setitem__('key', "${%s-%s-key:output}" | format(name, frontend_name)) -%}
{% endif -%}
{% endfor -%}
{% do cluster_definition_dict.__setitem__(name, instance_dict) -%}
...
...
@@ -75,9 +91,14 @@ name = {{ name }}
#warn, info, debug, trace
log-level = info
log-file = ${directory:log}/sozu.log
state-file = ${directory:etc}/sozu-state.json
access-log-file = ${directory:log}/sozu-access.log
socket-file = ${directory:run}/sozu.sock
max-buffer-size = 163840
404-html = {{ response_404_html }}
503-html = {{ response_503_html }}
buffer-size = 16393
cmd-buffer-size = 1048576
max-cmd-buffer-size = 2097152
worker-count = 2
max-connections = 500
# wait for a command to complete timeout
...
...
@@ -118,6 +139,7 @@ wrapper-path = ${directory:bin}/sozu
recipe = slapos.cookbook:certificate_authority.request
key-file = ${sozu-parameters:key-file}
cert-file = ${sozu-parameters:cert-file}
chain-file = ${ca-directory:root}/cacert.pem
executable = ${sozu-wrapper:wrapper-path}
wrapper = ${directory:bin}/ca-sozu
...
...
@@ -196,7 +218,7 @@ context =
[sozu-slave-information]
{% for name, cluster_dict in cluster_definition_dict.items() -%}
{{ name }} =
{{ dumps(cluster_dict)
}}
{{ name }} =
!py!{{ cluster_dict
}}
{% endfor -%}
[buildout]
...
...
software/sozu/instance.cfg.in
View file @
d26a66dc
...
...
@@ -50,6 +50,8 @@ extra-context =
# config files
raw config_toml_in {{ config_toml }}
raw template_publish_slave {{ template_publish_slave }}
raw response_404_html {{ template_404_html }}
raw response_503_html {{ template_503_html }}
[slave-output.cfg]
recipe = slapos.recipe.template:jinja2
...
...
software/sozu/software.cfg
View file @
d26a66dc
...
...
@@ -20,16 +20,6 @@ command =
PATH=${rustc:location}/bin:$PATH
cargo install --root=${:location} sozu
[sozu-d]
recipe = slapos.recipe.cmmi
url = https://github.com/sozu-proxy/sozu/archive/refs/tags/0.15.6.tar.gz
md5sum = 4cd4386b64c652af5ad416b10b6ca246
configure-command = :
make-binary = cargo install --root=%(location)s --path . --locked
make-targets =
environment =
PATH=${rustc:location}/bin:%(PATH)s
[dl-template]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/${:filename}
...
...
@@ -50,6 +40,8 @@ context =
key sozu_location sozu:location
key template_sozu_cfg template-sozu:target
key template_publish_slave publish-sozu-slave-parameters.cfg:target
key template_404_html response-404.html:target
key template_503_html response-503.html:target
[template-sozu]
<= dl-template
...
...
@@ -59,3 +51,9 @@ context =
[publish-sozu-slave-parameters.cfg]
<= dl-template
[response-404.html]
<= dl-template
[response-503.html]
<= dl-template
software/sozu/templates/404.html
0 → 100644
View file @
d26a66dc
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Connection: close
\ No newline at end of file
software/sozu/templates/503.html
0 → 100644
View file @
d26a66dc
HTTP/1.1 503 Service unavailable
Cache-Control: no-cache
Connection: close
\ No newline at end of file
software/sozu/config.toml.in
→
software/sozu/
templates/
config.toml.in
View file @
d26a66dc
...
...
@@ -6,12 +6,12 @@
# routing. You can generate this file from sozu's current routing by running
# the command `sozu state save -f state.json`
# this must be RELATIVE to config.toml
# saved_state = "./state.json
"
saved_state = "{{ parameter_dict['state-file'] }}
"
# save the configuration to the saved_state file every time we receive a
# configuration message on the configuration socket
# defaults to false, and will not work if the 'saved_state' option is not set
#
automatic_state_save = false
automatic_state_save = false
# logging verbosity. Possible values are "error", "warn", "info", "debug" and
# "trace". For performance reasons, the logs at "debug" or "trace" level are
...
...
@@ -44,9 +44,9 @@ command_socket = "{{ parameter_dict['socket-file'] }}"
# buffer will grow up to max_command_buffer_size. If the buffer is still not large
# enough sozu will close the connection
# defaults to 1000000
command_buffer_size =
16384
command_buffer_size =
{{ parameter_dict["cmd-buffer-size"] }}
# defaults to command_buffer_size * 2
max_command_buffer_size = {{ parameter_dict["max-buffer-size"] }}
max_command_buffer_size = {{ parameter_dict["max-
cmd-
buffer-size"] }}
# the number of worker processes that will handle traffic
# defaults to 2 workers
...
...
@@ -85,7 +85,7 @@ max_connections = {{ parameter_dict["max-connections"] }}
# leave enough memory for one more worker (also for the kernel, etc), so total
# RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
# defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
buffer_size =
16393
buffer_size =
{{ parameter_dict["buffer-size"] }}
# how much time (in milliseconds) sozu command line will wait for a command to complete.
# Defaults to 1000 milliseconds
...
...
@@ -154,8 +154,8 @@ address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}"
# path to custom 404 and 503 answers
# a 404 response is sent when sozu does not know about the requested domain or path
# a 503 response is sent if there are no backend servers available
#answer_404 = "../lib/assets/404.html
"
#answer_503 = "../lib/assets/503.html
"
answer_404 = "{{ parameter_dict['404-html'] }}
"
answer_503 = "{{ parameter_dict['503-html'] }}
"
# defines the sticky session cookie's name, if `sticky_session` is activated for
# a cluster. Defaults to "SOZUBALANCEID"
...
...
@@ -176,8 +176,8 @@ address = "[{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }}"
# this option is incompatible with expect_proxy
# public_address = "1.2.3.4:80"
# answer_404 = "../lib/assets/404.html
"
# answer_503 = "../lib/assets/503.html
"
answer_404 = "{{ parameter_dict['404-html'] }}
"
answer_503 = "{{ parameter_dict['503-html'] }}
"
# sticky_name = "SOZUBALANCEID"
# Configures the client socket to receive a PROXY protocol header
...
...
@@ -212,9 +212,9 @@ cipher_list = [
# default certificate and key
# in case you want to set up TLS without SNI, you can define the default
# certificate here
certificate = "{{ parameter_dict['cert-file'] }}"
key = "{{ parameter_dict['key-file'] }}"
certificate_chain = "{{ parameter_dict['cert-chain-file'] }}"
#
certificate = "{{ parameter_dict['cert-file'] }}"
#
key = "{{ parameter_dict['key-file'] }}"
#
certificate_chain = "{{ parameter_dict['cert-chain-file'] }}"
# options specific to a TCP proxy listener
#[[listeners]]
...
...
@@ -258,19 +258,21 @@ load_metric = "{{ cluster_dict.get('load-metric', 'CONNECTIONS') }}"
# - hostname: host name of the cluster
# - path = "/api" # optional. A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.
# - path_type = PREFIX | REGEX | EQUALS # defaults to PREFIX
# - sticky_session = false # activates sticky sessions for this cluster
# - sticky_session = false # activates sticky sessions for this cluster
(not working!)
# - https_redirect = false # activates automatic redirection to HTTPS for this cluster
# - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
# - method
# - position
frontends = [
{% for _, frontend_dict in cluster_dict['frontend-dict'].items() -%}
{% set enable_https = frontend_dict.get("certificate") and frontend_dict.get("key") and frontend_dict.get("chain") -%}
{% set enable_https = frontend_dict.get("certificate") and frontend_dict.get("key") and frontend_dict.get("c
ertificate-c
hain") -%}
{% set tag_list = [] -%}
{% set user_tag_list = frontend_dict.get('tag-list', []) -%}
{% for tag in user_tag_list -%}
{% set k, v = tag.split('=') -%}
{% do tag_list.append(k.strip() ~ '="' ~ v.strip() ~ '"') -%}
{% endfor -%}
{ address = "{{ frontend_dict['address'] }}", hostname = "{{ frontend_dict.get('hostname') }}", {% if user_tag_list -%} tags = {{ tag_list | join(',') }}, {%- endif %} path = "{{ frontend_dict.get('path', '') }}", path_type = "{{ frontend_dict.get("path-type", "PREFIX") }}"
, sticky_session = {{ frontend_dict.get("sticky-session", "false") }}, https_redirect = {{ frontend_dict.get("https-redirect", "false") }}{% if enable_https -%}, tls_versions = {{ frontend_dict.get("tls-versions", []) }}, certificate = "{{ frontend_dict['certificate'] }}", key = "{{ frontend_dict['key'] }}", certificate_chain = "{{ frontend_dict['
chain'] }}" {% endif -%} },
{ address = "{{ frontend_dict['address'] }}", hostname = "{{ frontend_dict.get('hostname') }}", {% if user_tag_list -%} tags = {{ tag_list | join(',') }}, {%- endif %} path = "{{ frontend_dict.get('path', '') }}", path_type = "{{ frontend_dict.get("path-type", "PREFIX") }}"
{% if enable_https -%}, tls_versions = {{ frontend_dict.get("tls-versions", ["TLS_V12", "TLS_V13"]) }}, certificate = "{{ frontend_dict['certificate'] }}", key = "{{ frontend_dict['key'] }}", certificate_chain = "{{ frontend_dict['certificate-
chain'] }}" {% endif -%} },
{% endfor -%}
]
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment