diff --git a/Dockerfile b/Dockerfile
index bcccdab..64e59c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,23 +1,14 @@
-FROM gliderlabs/alpine
+FROM asteris/consul-template:latest
-MAINTAINER Steven Borrelli
-
-ENV CONSUL_TEMPLATE_VERSION=0.8.0
+MAINTAINER Chris Aubuchon
 RUN apk-install bash nginx ca-certificates
-ADD https://github.com/hashicorp/consul-template/releases/download/v${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz /
-
-RUN tar zxvf consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz && \
- mv consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64/consul-template /usr/local/bin/consul-template && \
- rm -rf /consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.tar.gz && \
- rm -rf /consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64
-
-RUN mkdir -p /consul-template /tmp/nginx
+RUN mkdir -p /tmp/nginx /defaults
-ADD template/ /consul-template/
-ADD launch.sh /launch.sh
-ADD nginx-run.sh /nginx-run.sh
-ADD nginx/nginx-auth.conf /etc/nginx/nginx-auth.conf
+ADD templates/ /consul-template/templates
+ADD config.d/ /consul-template/config.d
+ADD defaults/ /defaults
+ADD scripts /scripts/
-CMD ["/launch.sh"]
+CMD ["/scripts/launch.sh"]
diff --git a/README.md b/README.md
index b5673e6..bc6cc97 100644
--- a/README.md
+++ b/README.md
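Review bot: The new base `FROM asteris/consul-template:latest` is a mutable tag, so the consul-template binary this image ships can change between builds with no change in this repository; the removed lines at least fixed the release through `CONSUL_TEMPLATE_VERSION=0.8.0`. Pin the base to a fixed tag and, ideally, a digest, e.g. `FROM asteris/consul-template:<version>@sha256:<digest>` (placeholders; take the real values from the registry). The new `ADD` lines copy only local paths, so `COPY` would state the intent more plainly. The Dockerfile still sets no `USER`, so whatever `/scripts/launch.sh` starts runs as root unless the base image says otherwise.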
@@ -1,26 +1,5 @@
-## Creating self-signed SSL certificates
+## nginx-consul
-```
-openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -subj '/CN=nginx' -nodes
-
-```
-Make sure to mount these keys into your container using -v:
-
-```
-docker run -v /my/ssl/loc:/etc/nginx/ssl ...
-```
-
-## Running
-```
-docker run -v /my/ssl/loc:/etc/nginx/ssl -d --net=host -e CONSUL_CONNECT=localhost:8500 --name nginx-proxy nginx
-
-```
-
-## SSL
-
-If you have an SSL root certificate that you need to trust to connect to Consul,
-mount a volume containing the PEM at `/usr/local/share/ca-certificates`
-(preferable read-only). The container will pick up the certificates and enable
-the relevant Consul flags at runtime.
+Docker container running an nginx configuration stored in Consul K/V.
diff --git a/config.d/consul.cfg b/config.d/consul.cfg
new file mode 100644
index 0000000..519bd41
--- /dev/null
+++ b/config.d/consul.cfg
@@ -0,0 +1,11 @@
+template {
+ source = "/consul-template/templates/nginx.tmpl.in"
+ destination = "/consul-template/templates/nginx.tmpl"
+ command = "pkill -HUP consul-template"
+}
+
+template {
+ source = "/consul-template/templates/nginx.tmpl"
+ destination = "/etc/nginx/nginx.conf"
+ command = "/scripts/nginx-run.sh || true"
+}
diff --git a/config/nginx-auth.cfg b/defaults/config.d/nginx-auth.cfg
similarity index 50%
rename from config/nginx-auth.cfg
rename to defaults/config.d/nginx-auth.cfg
index 07b7a05..e8d6b62 100644
--- a/config/nginx-auth.cfg
+++ b/defaults/config.d/nginx-auth.cfg
@@ -1,4 +1,4 @@
 template {
- source = "/consul-template/template.d/nginx-auth.tmpl"
+ source = "/consul-template/templates/nginx-auth.tmpl"
 destination = "/etc/nginx/nginx-auth.conf"
 }
diff --git a/defaults/templates/nginx-auth.tmpl.in b/defaults/templates/nginx-auth.tmpl.in
new file mode 100644
index 0000000..5a5c000
--- /dev/null
+++ b/defaults/templates/nginx-auth.tmpl.in
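Review bot: In the second `template` block of `config.d/consul.cfg`, `command = "/scripts/nginx-run.sh || true"` discards the exit status of the reload script, so a rendered `/etc/nginx/nginx.conf` that nginx rejects leaves no failure signal for consul-template or for whoever monitors the container. If the aim is only to keep consul-template running, report the failure before swallowing it, e.g. `command = "/scripts/nginx-run.sh || echo 'nginx-run.sh failed' >&2"`. The first block renders `nginx.tmpl.in` into `nginx.tmpl`, which the second block then renders again. If the `.in` file takes its content from Consul K/V (its body is not shown in this diff), that content is evaluated as a template, so write access to the key should be limited by ACL and the file deserves a `#` comment stating this trust boundary.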
@@ -0,0 +1,2 @@
+{{ range $index, $user := ls "NGINX_AUTH_KV" }}{{ with vault (printf "NGINX_AUTH_KV/%s" $user.Key) }}{{ $user.Key }} {PLAIN}{{ .Data.password }}
+{{ end }}{{ end }}
diff --git a/defaults/templates/nginx-basic.tmpl b/defaults/templates/nginx-basic.tmpl
new file mode 100644
index 0000000..eec92f2
--- /dev/null
+++ b/defaults/templates/nginx-basic.tmpl
@@ -0,0 +1,2 @@
+{{ range ls (env "NGINX_AUTH_BASIC_KV") }}{{ .Key }}:{{ .Value }}
+{{ end }}
diff --git a/launch.sh b/launch.sh
deleted file mode 100755
index 74462e3..0000000
--- a/launch.sh
+++ /dev/null
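Review bot: In `defaults/templates/nginx-auth.tmpl.in`, `{PLAIN}{{ .Data.password }}` writes each user's clear-text Vault password into the rendered auth file, so anyone who can read that file obtains working credentials. Storing a password hash in Vault and rendering it without the `{PLAIN}` prefix would avoid this; failing that, the rendered file's owner and mode should be restricted. The path is the literal string `"NGINX_AUTH_KV"`, whereas the sibling `nginx-basic.tmpl` uses `env "NGINX_AUTH_BASIC_KV"`, and nothing visible in this commit substitutes that literal or links this template. A leading `{{/* ... */}}` comment should say how the `.in` file is meant to be processed.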
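Review bot: In `defaults/templates/nginx-basic.tmpl`, `ls (env "NGINX_AUTH_BASIC_KV")` has no guard for an unset variable, and the usage text in `scripts/launch.sh` lists it as "default not set"; `env` then yields an empty string and the prefix handed to `ls` is empty. What consul-template does with an empty prefix is not confirmed here, so `config_auth` should refuse to link this template in that case, e.g. `[[ -n "${NGINX_AUTH_BASIC_KV}" ]] || { usage; exit 1; }`. A `{{/* ... */}}` header noting that the K/V values must be password hashes in a format nginx accepts, never clear text, would also help, since the values are presumably readable by any client with read access to that prefix.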
@@ -1,82 +0,0 @@ -#!/bin/bash - -set -e -#set the DEBUG env variable to turn on debugging -[[ -n "$DEBUG" ]] && set -x - -# Required vars -NGINX=${NGINX:-/usr/sbin/nginx} -NGINX_KV=${NGINX_KV:-nginx/template/default} - -CONSUL_TEMPLATE=${CONSUL_TEMPLATE:-/usr/local/bin/consul-template} -CONSUL_CONFIG=${CONSUL_CONFIG:-/consul-template/config.d} -CONSUL_CONNECT=${CONSUL_CONNECT:-127.0.0.1:8500} -CONSUL_MINWAIT=${CONSUL_MINWAIT:-2s} -CONSUL_MAXWAIT=${CONSUL_MAXWAIT:-10s} -CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-debug} - -# set up SSL -if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then - CONSUL_SSL="-ssl" - # normally we'd use update-ca-certificates, but something about running it in - # Alpine is off, and the certs don't get added. Fortunately, we only need to - # add ca-certificates to the global store and it's all plain text. - cat /usr/local/share/ca-certificates/* >> /etc/ssl/certs/ca-certificates.crt -else - CONSUL_SSL="" -fi - -function usage { -cat <> /etc/ssl/certs/ca-certificates.crt +fi + +function usage { +cat < + (default not set) + + NGINX_AUTH_BASIC_KV Consul K/V path for nginx users + (default not set) + +Consul vars: + CONSUL_LOG_LEVEL Set the consul-template log level + (default debug) + + CONSUL_CONNECT URI for Consul agent + (default not set) + + CONSUL_SSL Connect to Consul using SSL + (default not set) + + CONSUL_SSL_VERIFY Verify Consul SSL connection + (default true) +USAGE +} + +function config_auth { + case ${NGINX_AUTH_TYPE} in + basic) + ln -s /defaults/config.d/nginx-auth.cfg /consul-template/config.d/nginx-auth.cfg + ln -s /defaults/templates/nginx-basic.tmpl /consul-template/templates/nginx-auth.tmpl + ;; + esac + + # nginx fails if the file does not exist so create an empty one for now + touch /etc/nginx/nginx-auth.conf +} + +function launch_consul_template { + vars=$@ + ctargs= + + if [ -n "${NGINX_AUTH_TYPE}" ]; then + config_auth + fi + + [[ -n "${CONSUL_CONNECT}" ]] && ctargs="${ctargs} -consul ${CONSUL_CONNECT}" + [[ -n 
"${CONSUL_SSL}" ]] && ctargs="${ctargs} -ssl"
+ [[ -n "${CONSUL_SSL}" ]] && ctargs="${ctargs} -ssl-verify=${CONSUL_SSL_VERIFY}"
+
+ # Create an empty nginx.tmpl so consul-template will start
+ touch /consul-template/templates/nginx.tmpl
+
+ if [ -n "${NGINX_DEBUG}" ]; then
+ echo "Running consul template -once..."
+ consul-template -log-level ${CONSUL_LOGLEVEL} \
+ -template /consul-template/templates/nginx.tmpl.in:/consul-template/templates/nginx.tmpl \
+ ${ctargs} -once
+
+ consul-template -log-level ${CONSUL_LOGLEVEL} \
+ -config /consul-template/config.d \
+ ${ctargs} -once ${vars}
+ /scripts/nginx-run.sh
+ else
+ echo "Starting consul template..."
+ exec consul-template -log-level ${CONSUL_LOGLEVEL} \
+ -config /consul-template/config.d \
+ ${ctargs} ${vars}
+ fi
+}
+
+launch_consul_template $@
diff --git a/nginx-run.sh b/scripts/nginx-run.sh
similarity index 98%
rename from nginx-run.sh
rename to scripts/nginx-run.sh
index 7105ccd..104b3c4 100755
--- a/nginx-run.sh
+++ b/scripts/nginx-run.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
+set -x
+
 if [ ! -s /etc/nginx/nginx.conf ]; then
 exit 0
 fi
diff --git a/template/consul.cfg b/template/consul.cfg
deleted file mode 100644
index 187aa4c..0000000
--- a/template/consul.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-template {
- source = "/consul-template/nginx.tmpl.in"
- destination = "/consul-template/nginx.tmpl"
- command = "pkill -HUP consul-template"
-}
-
-template {
- source = "/consul-template/nginx.tmpl"
- destination = "/etc/nginx/nginx.conf"
- command = "/nginx-run.sh"
-}
diff --git a/template/nginx-auth.tmpl b/template/nginx-auth.tmpl
deleted file mode 100644
index 0368d1a..0000000
--- a/template/nginx-auth.tmpl
+++ /dev/null
@@ -1,2 +0,0 @@
-{{ range ls "service/nginx/auth/users" }}{{ .Key }}:{{ .Value }}
-{{ end }}
diff --git a/template/nginx.tmpl b/template/nginx.tmpl
deleted file mode 100644
index e69de29..0000000
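Review bot: The usage text in the new `scripts/launch.sh` documents `CONSUL_LOG_LEVEL`, but every `consul-template` call in `launch_consul_template` reads `${CONSUL_LOGLEVEL}`, so an operator who follows the help text to lower verbosity changes nothing and the container stays at the documented default of debug. Use one name in both places, or accept both with `CONSUL_LOGLEVEL=${CONSUL_LOGLEVEL:-${CONSUL_LOG_LEVEL:-debug}}`. Separately, `vars=$@`, `${ctargs}` and `launch_consul_template $@` are unquoted, so arguments containing spaces are re-split; `launch_consul_template "$@"` plus an array for the extra arguments avoids that. The start of this file's hunk is garbled on the page, so the variable defaults could not be checked.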
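Review bot: In `scripts/nginx-run.sh`, `set -x` is now unconditional at the top of the script, so every command it runs is traced to the container log on each reload; the deleted `launch.sh` made tracing opt-in with `[[ -n "$DEBUG" ]] && set -x`. Use the same guard here. The rest of the script lies outside the hunk, so whether the trace would expose anything sensitive cannot be judged from this page.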
diff --git a/template/nginx.tmpl.in b/templates/nginx.tmpl.in
similarity index 100%
rename from template/nginx.tmpl.in
rename to templates/nginx.tmpl.in