Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

multiple fixes docker alpine build

This commit is contained in:
manager 2021-01-26 10:32:26 +03:00
parent f0fbc81370
commit 7add8ab408
4 changed files with 224 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docker/Dockerfile
View File

@ -1,4 +1,4 @@
FROM alpine:3.8 FROM python:3.7.9-alpine3.12
ARG VERSION ARG VERSION
ENV VERSION master ENV VERSION master
@ -12,7 +12,7 @@ ENV group lemur
RUN addgroup -S ${group} -g ${gid} && \ RUN addgroup -S ${group} -g ${gid} && \
adduser -D -S ${user} -G ${group} -u ${uid} && \ adduser -D -S ${user} -G ${group} -u ${uid} && \
apk --update add python3 libldap postgresql-client nginx supervisor curl tzdata openssl bash && \ apk add --no-cache --update python3 py-pip libldap postgresql-client nginx supervisor curl tzdata openssl bash && \
apk --update add --virtual build-dependencies \ apk --update add --virtual build-dependencies \
git \ git \
tar \ tar \
@ -42,7 +42,9 @@ RUN addgroup -S ${group} -g ${gid} && \
WORKDIR /opt/lemur WORKDIR /opt/lemur
RUN npm install --unsafe-perm && \ RUN echo "Running with python:" && python -c 'import platform; print(platform.python_version())' && \
echo "Running with nodejs:" && node -v && \
npm install --unsafe-perm && \
pip3 install -e . && \ pip3 install -e . && \
node_modules/.bin/gulp build && \ node_modules/.bin/gulp build && \
node_modules/.bin/gulp package --urlContextPath=${URLCONTEXT} && \ node_modules/.bin/gulp package --urlContextPath=${URLCONTEXT} && \

21
docker/docker-compose.yml
View File

@ -1,9 +1,12 @@
version: '3' version: '3'
volumes:
pg_data: { }
services: services:
postgres: postgres:
image: "postgres:10" image: "postgres:13.1-alpine"
restart: always restart: on-failure
volumes: volumes:
- pg_data:/var/lib/postgresql/data - pg_data:/var/lib/postgresql/data
env_file: env_file:
@ -11,7 +14,9 @@ services:
lemur: lemur:
# image: "netlix-lemur:latest" # image: "netlix-lemur:latest"
build: . restart: on-failure
build:
context: .
depends_on: depends_on:
- postgres - postgres
- redis - redis
@ -19,11 +24,9 @@ services:
- lemur-env - lemur-env
- pgsql-env - pgsql-env
ports: ports:
- 80:80 - 87:80
- 443:443 - 447:443
redis: redis:
image: "redis:alpine" image: "redis:alpine3.12"
restart: on-failure
volumes:
pg_data: {}

4
docker/entrypoint
View File

@ -14,10 +14,10 @@ export LEMUR_ADMIN_PASSWORD="${LEMUR_ADMIN_PASSWORD:-admin}"
export SQLALCHEMY_DATABASE_URI="postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" export SQLALCHEMY_DATABASE_URI="postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB"
PGPASSWORD=$POSTGRES_PASSWORD psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -d $POSTGRES_DB --command 'select 1;' PGPASSWORD=$POSTGRES_PASSWORD psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" --command 'select 1;'
echo " # Create Postgres trgm extension" echo " # Create Postgres trgm extension"
PGPASSWORD=$POSTGRES_PASSWORD psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -d $POSTGRES_DB --command 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' PGPASSWORD=$POSTGRES_PASSWORD psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" --command 'CREATE EXTENSION IF NOT EXISTS pg_trgm;'
echo " # Done" echo " # Done"
if [ -z "${SKIP_SSL}" ]; then if [ -z "${SKIP_SSL}" ]; then

245
docker/src/lemur.conf.py
View File

@ -1,11 +1,18 @@
import os import os.path
import random import random
import string import string
from celery.schedules import crontab
import base64 import base64
from ast import literal_eval
_basedir = os.path.abspath(os.path.dirname(__file__)) _basedir = os.path.abspath(os.path.dirname(__file__))
# See the Lemur docs (https://lemur.readthedocs.org) for more information on configuration
LOG_LEVEL = str(os.environ.get('LOG_LEVEL', 'DEBUG'))
LOG_FILE = str(os.environ.get('LOG_FILE', '/home/lemur/.lemur/lemur.log'))
LOG_JSON = True
CORS = os.environ.get("CORS") == "True" CORS = os.environ.get("CORS") == "True"
debug = os.environ.get("DEBUG") == "True" debug = os.environ.get("DEBUG") == "True"
@ -17,44 +24,214 @@ def get_random_secret(length):
return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4))) return secret_key + ''.join(random.choice(string.digits) for x in range(round(length / 4)))
# This is the secret key used by Flask session management
SECRET_KEY = repr(os.environ.get('SECRET_KEY', get_random_secret(32).encode('utf8'))) SECRET_KEY = repr(os.environ.get('SECRET_KEY', get_random_secret(32).encode('utf8')))
# You should consider storing these separately from your config
LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET', LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET',
base64.b64encode(get_random_secret(32).encode('utf8')))) base64.b64encode(get_random_secret(32).encode('utf8'))))
# This must match the key for whichever DB the container is using - this could be a dump of dev or test, or a unique key
LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS', LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS',
base64.b64encode(get_random_secret(32).encode('utf8')))) base64.b64encode(get_random_secret(32).encode('utf8')).decode('utf8')))
LEMUR_ALLOWED_DOMAINS = [] REDIS_HOST = 'redis'
REDIS_PORT = 6379
LEMUR_EMAIL = '' REDIS_DB = 0
LEMUR_SECURITY_TEAM_EMAIL = [] CELERY_RESULT_BACKEND = f'redis://{REDIS_HOST}:{REDIS_PORT}'
CELERY_BROKER_URL = f'redis://{REDIS_HOST}:{REDIS_PORT}'
ALLOW_CERT_DELETION = os.environ.get('ALLOW_CERT_DELETION') == "True" CELERY_IMPORTS = ('lemur.common.celery')
CELERYBEAT_SCHEDULE = {
LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY','')) # All tasks are disabled by default. Enable any tasks you wish to run.
LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE','')) # 'fetch_all_pending_acme_certs': {
LEMUR_DEFAULT_LOCATION = str(os.environ.get('LEMUR_DEFAULT_LOCATION','')) # 'task': 'lemur.common.celery.fetch_all_pending_acme_certs',
LEMUR_DEFAULT_ORGANIZATION = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATION','')) # 'options': {
LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT','')) # 'expires': 180
# },
LEMUR_DEFAULT_ISSUER_PLUGIN = str(os.environ.get('LEMUR_DEFAULT_ISSUER_PLUGIN','')) # 'schedule': crontab(minute="*"),
LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY','')) # },
# 'remove_old_acme_certs': {
ACTIVE_PROVIDERS = [] # 'task': 'lemur.common.celery.remove_old_acme_certs',
# 'options': {
METRIC_PROVIDERS = [] # 'expires': 180
# },
LOG_LEVEL = str(os.environ.get('LOG_LEVEL','DEBUG')) # 'schedule': crontab(hour=8, minute=0, day_of_week=5),
LOG_FILE = str(os.environ.get('LOG_FILE','/home/lemur/.lemur/lemur.log')) # },
# 'clean_all_sources': {
# 'task': 'lemur.common.celery.clean_all_sources',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=5, minute=0, day_of_week=5),
# },
# 'sync_all_sources': {
# 'task': 'lemur.common.celery.sync_all_sources',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour="*/2", minute=0),
# # this job is running 30min before endpoints_expire which deletes endpoints which were not updated
# },
# 'sync_source_destination': {
# 'task': 'lemur.common.celery.sync_source_destination',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour="*/2", minute=15),
# },
# 'report_celery_last_success_metrics': {
# 'task': 'lemur.common.celery.report_celery_last_success_metrics',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(minute="*"),
# },
# 'certificate_reissue': {
# 'task': 'lemur.common.celery.certificate_reissue',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=9, minute=0),
# },
# 'certificate_rotate': {
# 'task': 'lemur.common.celery.certificate_rotate',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0),
# },
# 'endpoints_expire': {
# 'task': 'lemur.common.celery.endpoints_expire',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour="*/2", minute=30),
# # this job is running 30min after sync_all_sources which updates endpoints
# },
# 'get_all_zones': {
# 'task': 'lemur.common.celery.get_all_zones',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(minute="*/30"),
# },
# 'check_revoked': {
# 'task': 'lemur.common.celery.check_revoked',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0),
# }
# 'enable_autorotate_for_certs_attached_to_endpoint': {
# 'task': 'lemur.common.celery.enable_autorotate_for_certs_attached_to_endpoint',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0),
# }
# 'notify_expirations': {
# 'task': 'lemur.common.celery.notify_expirations',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0),
# },
# 'notify_authority_expirations': {
# 'task': 'lemur.common.celery.notify_authority_expirations',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0),
# },
# 'send_security_expiration_summary': {
# 'task': 'lemur.common.celery.send_security_expiration_summary',
# 'options': {
# 'expires': 180
# },
# 'schedule': crontab(hour=10, minute=0, day_of_week='mon-fri'),
# }
}
CELERY_TIMEZONE = 'UTC'
SQLALCHEMY_ENABLE_FLASK_REPLICATED = False
SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI', 'postgresql://lemur:lemur@localhost:5432/lemur') SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI', 'postgresql://lemur:lemur@localhost:5432/lemur')
LDAP_DEBUG = os.environ.get('LDAP_DEBUG') == "True" SQLALCHEMY_TRACK_MODIFICATIONS = False
LDAP_AUTH = os.environ.get('LDAP_AUTH') == "True" SQLALCHEMY_ECHO = True
LDAP_IS_ACTIVE_DIRECTORY = os.environ.get('LDAP_IS_ACTIVE_DIRECTORY') == "True" SQLALCHEMY_POOL_RECYCLE = 499
LDAP_BIND_URI = str(os.environ.get('LDAP_BIND_URI','')) SQLALCHEMY_POOL_TIMEOUT = 20
LDAP_BASE_DN = str(os.environ.get('LDAP_BASE_DN',''))
LDAP_EMAIL_DOMAIN = str(os.environ.get('LDAP_EMAIL_DOMAIN','')) LEMUR_EMAIL = 'lemur@example.com'
LDAP_USE_TLS = str(os.environ.get('LDAP_USE_TLS','')) LEMUR_SECURITY_TEAM_EMAIL = ['security@example.com']
LDAP_REQUIRED_GROUP = str(os.environ.get('LDAP_REQUIRED_GROUP','')) LEMUR_SECURITY_TEAM_EMAIL_INTERVALS = [15, 2]
LDAP_GROUPS_TO_ROLES = literal_eval(os.environ.get('LDAP_GROUPS_TO_ROLES') or "{}") LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS = [30, 15, 2]
LEMUR_EMAIL_SENDER = 'smtp'
# mail configuration
# MAIL_SERVER = 'mail.example.com'
PUBLIC_CA_MAX_VALIDITY_DAYS = 397
DEFAULT_VALIDITY_DAYS = 365
LEMUR_OWNER_EMAIL_IN_SUBJECT = False
LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY', 'US'))
LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE', 'California'))
LEMUR_DEFAULT_LOCATION = str(os.environ.get('LEMUR_DEFAULT_LOCATION', 'Los Gatos'))
LEMUR_DEFAULT_ORGANIZATION = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATION', 'Example, Inc.'))
LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT', ''))
LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY', 'ExampleCa'))
LEMUR_DEFAULT_ROLE = 'operator'
ACTIVE_PROVIDERS = []
METRIC_PROVIDERS = []
# Authority Settings - These will change depending on which authorities you are
# using
current_path = os.path.dirname(os.path.realpath(__file__))
# DNS Settings
# exclude logging missing SAN, since we can have certs from private CAs with only cn, prod parity
LOG_SSL_SUBJ_ALT_NAME_ERRORS = False
ACME_DNS_PROVIDER_TYPES = {"items": [
{
'name': 'route53',
'requirements': [
{
'name': 'account_id',
'type': 'int',
'required': True,
'helpMessage': 'AWS Account number'
},
]
},
{
'name': 'cloudflare',
'requirements': [
{
'name': 'email',
'type': 'str',
'required': True,
'helpMessage': 'Cloudflare Email'
},
{
'name': 'key',
'type': 'str',
'required': True,
'helpMessage': 'Cloudflare Key'
},
]
},
{
'name': 'dyn',
},
{
'name': 'ultradns',
},
]}
# Authority plugins which support revocation
SUPPORTED_REVOCATION_AUTHORITY_PLUGINS = ['acme-issuer']