Merge from ChrisAubuchon/nginx-consul

CiscoCloud · May 20, 2015 · 48bd4f1 · 48bd4f1
1 parent 872c512
commit 48bd4f1
Show file tree

Hide file tree

Showing 14 changed files with 128 additions and 136 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,23 +1,14 @@
-FROM gliderlabs/alpine
+FROM asteris/consul-template:latest
 
-MAINTAINER Steven Borrelli <[email protected]>
-
-ENV CONSUL_TEMPLATE_VERSION=0.8.0
+MAINTAINER Chris Aubuchon <[email protected]>
 
 RUN apk-install bash nginx ca-certificates
 
-ADD https://github.com/hashicorp/consul-template/releases/download/v${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz /
-
-RUN tar zxvf consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz && \
-    mv consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64/consul-template /usr/local/bin/consul-template && \
-    rm -rf /consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz && \
-    rm -rf /consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64
-
-RUN mkdir -p /consul-template /tmp/nginx
+RUN mkdir -p /tmp/nginx /defaults
 
-ADD template/ /consul-template/
-ADD launch.sh /launch.sh
-ADD nginx-run.sh /nginx-run.sh
-ADD nginx/nginx-auth.conf /etc/nginx/nginx-auth.conf
+ADD templates/ /consul-template/templates
+ADD config.d/ /consul-template/config.d
+ADD defaults/ /defaults
+ADD scripts /scripts/
 
-CMD ["/launch.sh"]
+CMD ["/scripts/launch.sh"]
diff --git a/README.md b/README.md
@@ -1,26 +1,5 @@
 
 
-## Creating self-signed SSL certificates
+## nginx-consul
 
-```
-openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -subj '/CN=nginx' -nodes
-
-```
-Make sure to mount these keys into your container using -v:
-
-```
-docker run -v /my/ssl/loc:/etc/nginx/ssl ...
-```
-
-## Running
-```
-docker run -v /my/ssl/loc:/etc/nginx/ssl -d --net=host  -e CONSUL_CONNECT=localhost:8500 --name nginx-proxy nginx
-
-```
-
-## SSL
-
-If you have an SSL root certificate that you need to trust to connect to Consul,
-mount a volume containing the PEM at `/usr/local/share/ca-certificates`
-(preferable read-only). The container will pick up the certificates and enable
-the relevant Consul flags at runtime.
+Docker container running an nginx configuration stored in Consul K/V. 
diff --git a/config.d/consul.cfg b/config.d/consul.cfg
@@ -0,0 +1,11 @@
+template {
+	source = "/consul-template/templates/nginx.tmpl.in"
+	destination = "/consul-template/templates/nginx.tmpl"
+	command = "pkill -HUP consul-template"
+}
+
+template {
+	source = "/consul-template/templates/nginx.tmpl"
+	destination = "/etc/nginx/nginx.conf"
+	command = "/scripts/nginx-run.sh || true"
+}
diff --git a/config/nginx-auth.cfg → defaults/config.d/nginx-auth.cfg b/config/nginx-auth.cfg → defaults/config.d/nginx-auth.cfg
@@ -1,4 +1,4 @@
 template {
-  source = "/consul-template/template.d/nginx-auth.tmpl"
+  source = "/consul-template/templates/nginx-auth.tmpl"
   destination = "/etc/nginx/nginx-auth.conf"
 }
diff --git a/defaults/templates/nginx-auth.tmpl.in b/defaults/templates/nginx-auth.tmpl.in
@@ -0,0 +1,2 @@
+{{ range $index, $user := ls "NGINX_AUTH_KV" }}{{ with vault (printf "NGINX_AUTH_KV/%s" $user.Key) }}{{ $user.Key }} {PLAIN}{{ .Data.password }}
+{{ end }}{{ end }}
diff --git a/defaults/templates/nginx-basic.tmpl b/defaults/templates/nginx-basic.tmpl
@@ -0,0 +1,2 @@
+{{ range ls (env "NGINX_AUTH_BASIC_KV") }}{{ .Key }}:{{ .Value }}
+{{ end }}
diff --git a/launch.sh b/launch.sh
diff --git a/nginx/nginx-auth.conf b/nginx/nginx-auth.conf
diff --git a/scripts/launch.sh b/scripts/launch.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+set -e 
+#set the DEBUG env variable to turn on debugging
+[[ -n "$DEBUG" ]] && set -x
+
+# Required vars
+NGINX_KV=${NGINX_KV:-nginx/template/default}
+CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-debug}
+CONSUL_SSL_VERIFY=${CONSUL_SSL_VERIFY:-true}
+
+# set up SSL
+if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
+  # normally we'd use update-ca-certificates, but something about running it in
+  # Alpine is off, and the certs don't get added. Fortunately, we only need to
+  # add ca-certificates to the global store and it's all plain text.
+  cat /usr/local/share/ca-certificates/* >> /etc/ssl/certs/ca-certificates.crt
+fi
+
+function usage {
+cat <<USAGE
+  launch.sh             Start a consul-backed nginx instance
+
+Configure using the following environment variables:
+
+Nginx vars:
+  NGINX_KV              Consul K/V path to template contents
+                        (default nginx/template/default)
+
+  NGINX_DEBUG           If set, run consul-template once and check generated nginx.conf
+                        (default not set)
+
+  NGINX_AUTH_TYPE	Use a preconfigured template for Nginx basic authentication
+			Can be basic/auth/<not set>
+			(default not set)
+
+  NGINX_AUTH_BASIC_KV	Consul K/V path for nginx users
+			(default not set)
+
+Consul vars:
+  CONSUL_LOG_LEVEL	Set the consul-template log level
+			(default debug)
+
+  CONSUL_CONNECT	URI for Consul agent
+			(default not set)
+
+  CONSUL_SSL		Connect to Consul using SSL
+			(default not set)
+
+  CONSUL_SSL_VERIFY	Verify Consul SSL connection
+			(default true)
+USAGE
+}
+
+function config_auth {
+  case ${NGINX_AUTH_TYPE} in
+  basic)
+	ln -s /defaults/config.d/nginx-auth.cfg /consul-template/config.d/nginx-auth.cfg
+	ln -s /defaults/templates/nginx-basic.tmpl /consul-template/templates/nginx-auth.tmpl
+	;;
+  esac
+
+  # nginx fails if the file does not exist so create an empty one for now
+  touch /etc/nginx/nginx-auth.conf
+}
+
+function launch_consul_template {
+  vars=$@
+  ctargs=
+
+  if [ -n "${NGINX_AUTH_TYPE}" ]; then
+    config_auth
+  fi
+
+  [[ -n "${CONSUL_CONNECT}" ]] && ctargs="${ctargs} -consul ${CONSUL_CONNECT}"
+  [[ -n "${CONSUL_SSL}" ]] && ctargs="${ctargs} -ssl"
+  [[ -n "${CONSUL_SSL}" ]] && ctargs="${ctargs} -ssl-verify=${CONSUL_SSL_VERIFY}"
+
+  # Create an empty nginx.tmpl so consul-template will start
+  touch /consul-template/templates/nginx.tmpl
+
+  if [ -n "${NGINX_DEBUG}" ]; then
+    echo "Running consul template -once..."
+    consul-template -log-level ${CONSUL_LOGLEVEL} \
+		       -template /consul-template/templates/nginx.tmpl.in:/consul-template/templates/nginx.tmpl \
+		       ${ctargs} -once 
+
+    consul-template -log-level ${CONSUL_LOGLEVEL} \
+                       -config /consul-template/config.d \
+                       ${ctargs} -once ${vars}
+    /scripts/nginx-run.sh
+  else
+    echo "Starting consul template..."
+    exec consul-template -log-level ${CONSUL_LOGLEVEL} \
+                       -config /consul-template/config.d \
+                       ${ctargs} ${vars} 
+  fi
+}
+
+launch_consul_template $@
diff --git a/nginx-run.sh → scripts/nginx-run.sh b/nginx-run.sh → scripts/nginx-run.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -x
+
 if [ ! -s /etc/nginx/nginx.conf ]; then
   exit 0
 fi

diff --git a/template/consul.cfg b/template/consul.cfg
diff --git a/template/nginx-auth.tmpl b/template/nginx-auth.tmpl
diff --git a/template/nginx.tmpl b/template/nginx.tmpl
diff --git a/template/nginx.tmpl.in → templates/nginx.tmpl.in b/template/nginx.tmpl.in → templates/nginx.tmpl.in
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		{{ range $index, $user := ls "NGINX_AUTH_KV" }}{{ with vault (printf "NGINX_AUTH_KV/%s" $user.Key) }}{{ $user.Key }} {PLAIN}{{ .Data.password }}
		{{ end }}{{ end }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		{{ range ls (env "NGINX_AUTH_BASIC_KV") }}{{ .Key }}:{{ .Value }}
		{{ end }}