authorChristian Pointner <equinox@spreadspace.org>2018-02-25 23:23:32 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-02-25 23:23:32 +0100
commit1fd5003b61966454f39f0744bcf38dd66135384a (patch)
tree427896b335c17122ecf7dbada23318d4c4144c14
parentadded hack for acmetool handling (diff)
TLS hack
-rwxr-xr-xsrc/flufigut.py8
-rw-r--r--templates/default/kubernetes/sfive-deploy.yml.j232
2 files changed, 34 insertions, 6 deletions
diff --git a/src/flufigut.py b/src/flufigut.py
index 94c393d..ada1813 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -638,6 +638,14 @@ class Planet:
hostname = "%s-%s%d" % (hostname_prefix, self.workers[worker_name]['flags']['stream'], (self.workers[worker_name]['flags']['stream-index'] + 1))
conf = {'listen': listen, 'protocol': 'http'}
+ if not for_onion:
+ conf['protocol'] = 'http+https'
+ conf['tls'] = {'min-protocol-version': 'TLSv1', 'prefer-server-ciphers': True}
+ conf['tls']['certificate'] = '/srv/acme/fullchain'
+ conf['tls']['certificate-key'] = '/srv/acme/privkey'
+ conf['tls']['ciphers'] = ['ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'ECDHE_RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_AES_256_GCM_SHA384', 'RSA_WITH_AES_256_CBC_SHA']
+ conf['tls']['ecdh-curves'] = ['secp521r1', 'secp384r1', 'secp256r1']
conf['connect'] = 'http://flumotion-worker-' + self.workers[worker_name]['name'] + ':8000'
conf['request_header'] = [{'op': 'del', 'header': 'X-Forwarded-For'}]
conf['response_header'] = [{'op': 'set', 'header': 'Cache-Control', 'value': 'no-cache'},
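Review bot: The TLS settings installed under `if not for_onion:` are weaker than they need to be: `'min-protocol-version': 'TLSv1'` still admits TLS 1.0 and 1.1, and the two `RSA_WITH_*` suites use static RSA key exchange with no forward secrecy, so any later disclosure of `/srv/acme/privkey` decrypts previously recorded sessions. Unless a client population that cannot speak TLS 1.2 is known, raise the floor to `'min-protocol-version': 'TLSv1.2'` and keep only the `ECDHE_RSA_*` entries, GCM first. The suite names and the `ecdh-curves` list are passed straight through as the proxy's configuration vocabulary, so the accepted spellings should be confirmed against the proxy's own documentation rather than assumed. The enclosing method begins before this hunk, so whether `for_onion` is a parameter or a local is not visible here.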
diff --git a/templates/default/kubernetes/sfive-deploy.yml.j2 b/templates/default/kubernetes/sfive-deploy.yml.j2
index 68d907f..5b02eb0 100644
--- a/templates/default/kubernetes/sfive-deploy.yml.j2
+++ b/templates/default/kubernetes/sfive-deploy.yml.j2
@@ -40,6 +40,16 @@ spec:
volumeMounts:
- name: hub-data
mountPath: /srv/data
+ - name: copy-certificates
+ image: busybox
+ command: ['sh', '-c', 'chmod 0750 /srv/acme && cp /var/lib/acme/live/{{ deploy.worker.flags['stream-hostname'] }}/* /srv/acme && chown -R 998 /srv/acme']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: proxy-cert
+ mountPath: /srv/acme
+ - name: acme-lib
+ mountPath: /var/lib/acme
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
- name: prepare-onion-lib
image: busybox
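Review bot: The `copy-certificates` init container runs as root (`runAsUser: 0`) over a hostPath holding the host's whole ACME state and leaves the copied private key with whatever mode busybox `cp` produced, readable by every container that mounts the `proxy-cert` emptyDir; `chown -R 998` also ties ownership to a hard-coded uid that nothing in this hunk connects to the proxy container's user. Set the modes explicitly after the copy, e.g. `command: ['sh', '-c', 'cp /var/lib/acme/live/{{ deploy.worker.flags['stream-hostname'] }}/* /srv/acme && chmod 0750 /srv/acme && chmod 0600 /srv/acme/privkey && chown -R 998 /srv/acme']`. A comment above the container such as `# uid 998 must match the proxy container's runAsUser` would make that coupling visible to the next editor. The `stream-hostname` value is interpolated unquoted into `sh -c`; it presumably comes from operator-controlled deployment data, but the template should not assume it is shell-safe.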
@@ -76,6 +86,8 @@ spec:
mountPath: /srv
- name: proxy-config
mountPath: /srv/config
+ - name: proxy-cert
+ mountPath: /srv/acme
{% if 'stream-onion' in deploy.worker.flags %}
- name: proxy-onion
image: spreadspace/sfive:{{ desc.globals.deployment.parameter.sfive_image_version }}
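Review bot: The new `proxy-cert` mount at `mountPath: /srv/acme` on the proxy container is writable, although the proxy only needs to read the certificate and key staged by the init container; add `readOnly: true` under that mount so a compromised proxy process cannot swap the key material that other containers sharing the emptyDir may also read. The proxy container's definition and its `securityContext` begin before this hunk, so the user it runs as is not visible here.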
@@ -118,18 +130,26 @@ spec:
- name: home
emptyDir:
medium: Memory
+ - name: hub-data
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/lib/sfive/{{ desc.globals.name }}
{% if deploy.worker.flags.sfive == 'proxy' and 'stream-onion' in deploy.worker.flags %}
- - name: onion-lib
- emptyDir:
- medium: Memory
- name: onion-config
configMap:
name: onion-service-{{ deploy.worker.flags.stream }}
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
{% endif %}
- name: proxy-config
configMap:
name: sfive-{{ deploy.worker.name }}
- - name: hub-data
+ - name: proxy-cert
+ emptyDir:
+ medium: Memory
+ - name: acme-lib
hostPath:
- type: DirectoryOrCreate
- path: /var/lib/sfive/{{ desc.globals.name }}
+ type: Directory
+ path: /var/lib/acme
+ readOnly: yes
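Review bot: `readOnly: yes` under the `acme-lib` `hostPath:` block is not a field of a hostPath volume source (only `path` and `type` are), so with manifest validation the object is rejected, and without it the line is silently ignored and the host's `/var/lib/acme` is mounted read-write into a root init container. Drop the line here and put the flag on the mount in the `copy-certificates` container's volumeMounts instead: `- name: acme-lib` / `mountPath: /var/lib/acme` / `readOnly: true`. Spell the boolean as `true`; `yes` is only a boolean under YAML 1.1 rules and reads as a string to stricter parsers. Keeping `proxy-cert` on `medium: Memory` is the right choice, since the copied private key then never reaches node disk.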