Merge pull request #2005 from chirino/simpler-tls-certs

apiserver: terminate auth server TLS at the apiproxy

Containerfile.apiserver

@@ -21,7 +21,9 @@ RUN dnf update -qy && \
     dnf clean all -y &&\
     rm -rf /var/cache/yum
 
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
 
+ARG BUILD_PROFILE=dev
 ARG NEXODUS_PPROF=
 ARG NEXODUS_RACE_DETECTOR=
 
@@ -33,10 +35,12 @@ COPY . .
 RUN NOISY_BUILD=y \
     NEXODUS_RACE_DETECTOR=${NEXODUS_RACE_DETECTOR} \
     NEXODUS_PPROF=${NEXODUS_PPROF} \
+    NEXODUS_BUILD_PROFILE=$BUILD_PROFILE \
     make dist/apiserver
 
 FROM registry.access.redhat.com/ubi8/ubi
 
 COPY --from=build /src/dist/apiserver /apiserver
+COPY --chmod=755 --from=build /go/bin/dlv /dlv
 EXPOSE 8080
-ENTRYPOINT [ "/apiserver" ]
+CMD ["/apiserver"]

Containerfile.nexd

@@ -20,6 +20,8 @@ RUN dnf update -qy && \
     dnf clean all -y &&\
     rm -rf /var/cache/yum
 
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+
 ARG BUILD_PROFILE=dev
 ARG NEXODUS_PPROF=
 ARG NEXODUS_RACE_DETECTOR=
@@ -88,6 +90,7 @@ COPY --chmod=755 --from=build /src/dist/nexd /bin/nexd
 COPY --chmod=755 --from=build /src/dist/nexd-kstore /bin/nexd-kstore
 COPY --chmod=755 --from=build /src/dist/nexctl /bin/nexctl
 COPY --chmod=755 --from=build /go/bin/mkcert /bin/mkcert
+COPY --chmod=755 --from=build /go/bin/dlv /bin/dlv
 COPY --chmod=755 --from=build /go/bin/wireguard /bin/nexd-wireguard-go
 COPY --chmod=755 --from=build /src/udping /bin/udping
 COPY --chmod=755 --from=build /src/udpong /bin/udpong

Makefile

@@ -37,6 +37,7 @@ NEXODUS_BUILD_PROFILE?=dev
 NEXODUS_LDFLAGS:=$(NEXODUS_LDFLAGS) -X main.Version=$(NEXODUS_VERSION)-$(NEXODUS_RELEASE)
 ifeq ($(NEXODUS_BUILD_PROFILE),dev)
 	NEXODUS_LDFLAGS+=-X main.DefaultServiceURL=https://try.nexodus.127.0.0.1.nip.io
+	NEXODUS_GCFLAGS+=all=-N -l
 else ifeq ($(NEXODUS_BUILD_PROFILE),qa)
 	NEXODUS_LDFLAGS+=-X main.DefaultServiceURL=https://qa.nexodus.io
 else ifeq ($(NEXODUS_BUILD_PROFILE),prod)

contrib/docker-compose/.gitignore

@@ -0,0 +1,3 @@
+volumes/
+.env
+.env-keys

contrib/docker-compose/README.md

@@ -0,0 +1,29 @@
+# Running the API server in Docker with Docker Compose
+
+If you want to run the API server in Docker instead of Kubernetes, you can use the Docker Compose configuration found in this directory.  This is great option if your doing local development and don't want to install Kubernetes.
+
+Firstly you need to start a shell in the `contrib/docker-compose` directory:
+
+```bash
+cd contrib/docker-compose
+```
+
+Then you need to generate some of the configuration files with:
+
+```bash
+./generate-config.sh
+```
+
+That wille create the .env and ./volumes directories.  Advanced users can modify the .env file to change the configuration of the API server.
+
+Then you can start the server with:
+
+```bash
+docker-compose up -d
+```
+
+## Warning: Remote debugging is enabled by default
+
+The apiserver is started with a go debugger listening on port 2345.  You can connect to it with your IDE or a debugger on `localhost:2345`.
+
+To disable the debugger, you can edit the `docker-compose.yml` file and comment out th line that reads: `command: /dlv --continue --listen=:2345 --api-version=2 --only-same-user=false --headless --accept-multiclient exec /apiserver`

contrib/docker-compose/configure.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+set -e
+cd $(dirname "$0")
+
+if [[ ! -f .env  || "${1}" == "--force" ]] ; then
+  cp example.env .env
+fi
+
+set -o allexport
+source .env
+set +o allexport
+
+if [[ ! -d ./volumes/ingress/certs || "${1}" == "--force" ]] ; then
+  mkdir -p ../../certs || true
+  mkdir -p ./volumes/ingress/certs || true
+  CAROOT=../../certs mkcert -install \
+    -cert-file ./volumes/ingress/certs/tls.crt \
+    -key-file  ./volumes/ingress/certs/tls.key \
+    ${APIPROXY_WEB_DOMAIN} \
+    ${APIPROXY_AUTH_DOMAIN} \
+    ${APIPROXY_API_DOMAIN}
+fi
+
+cat > .env-keys <<EOF
+NEXAPI_TLS_KEY="$(cat ./volumes/ingress/certs/tls.key)"
+EOF
+
+mkdir -p ./volumes/envoy/sockets || true
+mkdir -p ./volumes/envoy/config || true
+mkdir -p ./volumes/apiserver/sockets || true
+
+cp ../../deploy/nexodus/base/apiproxy/files/*  ./volumes/envoy/config
+cat ../../deploy/nexodus/base/apiproxy/files/envoy.yaml | \
+  envsubst > ./volumes/envoy/config/envoy.yaml
+
+echo "Done.... now run:"
+echo
+echo "   docker-compose up -d"
+echo

contrib/docker-compose/docker-compose.yml

@@ -0,0 +1,197 @@
+version: "3.7"
+name: nexodus
+networks:
+  nexodus:
+volumes:
+  db:
+
+services:
+  db:
+    container_name: nexodus_db
+    image: postgres:16-alpine
+    networks:
+      - nexodus
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U ${POSTGRES_DB}" ]
+      interval: 10s
+      timeout: 5s
+      retries: 6
+    volumes:
+      - type: volume
+        source: db
+        target: /var/lib/postgresql/data
+
+  ingress:
+    restart: unless-stopped
+    container_name: nexodus_ingress
+    networks:
+      - nexodus
+    depends_on:
+      - apiserver
+      - frontend
+      - auth
+    image: envoyproxy/envoy:v1.27.0
+    volumes:
+      - type: bind
+        source: ./volumes/ingress/certs
+        target: /configs/envoy-certs/nexodus-cert
+        read_only: true
+      - type: bind
+        source: ./volumes/envoy/config
+        target: /configs/envoy
+        read_only: true
+      - type: bind
+        source: ./volumes/envoy/sockets
+        target: /sockets
+    command:
+      - envoy
+      - --config-path
+      - /configs/envoy/envoy.yaml
+      - --component-log-level
+      - ${ENVOY_COMP_LOG_LEVEL}
+    ports:
+      - "443:8443"
+
+  frontend:
+    restart: unless-stopped
+    container_name: nexodus_frontend
+    networks:
+      - nexodus
+    build:
+      context: ../..
+      dockerfile: Containerfile.frontend
+
+  apiserver:
+    restart: unless-stopped
+    container_name: nexodus_apiserver
+    networks:
+      - nexodus
+    depends_on:
+      - db
+    # image: nexodus/nexodus:latest
+    build:
+      context: ../..
+      dockerfile: Containerfile.apiserver
+      args:
+        ARG NEXODUS_PPROF: ${NEXODUS_PPROF}
+        ARG NEXODUS_RACE_DETECTOR: ${NEXODUS_RACE_DETECTOR}
+    env_file:
+      - .env-keys
+    environment:
+      NEXAPI_LISTEN: 0.0.0.0:8080
+      NEXAPI_DEBUG: ${NEXAPI_DEBUG}
+      NEXAPI_DB_HOST: db
+      NEXAPI_DB_PORT: 5432
+      NEXAPI_DB_NAME: ${POSTGRES_DB}
+      NEXAPI_DB_USER: ${POSTGRES_USER}
+      NEXAPI_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      NEXAPI_DB_SSLMODE: ${POSTGRES_SSL_MODE}
+      NEXAPI_IPAM_URL: ${NEXAPI_IPAM_URL}
+      NEXAPI_OIDC_URL: ${NEXAPI_OIDC_URL}
+      NEXAPI_OIDC_BACKCHANNEL: ${NEXAPI_OIDC_BACKCHANNEL}
+      NEXAPI_INSECURE_TLS: ${NEXAPI_INSECURE_TLS}
+      NEXAPI_OIDC_CLIENT_ID_WEB: ${WEB_CLIENT_ID}
+      NEXAPI_OIDC_CLIENT_SECRET_WEB: ${WEB_CLIENT_SECRET}
+      NEXAPI_OIDC_CLIENT_ID_CLI: ${CLI_CLIENT_ID}
+      NEXAPI_TRACE_ENDPOINT_OTLP: ${NEXAPI_TRACE_ENDPOINT_OTLP}
+      NEXAPI_TRACE_INSECURE: ${NEXAPI_TRACE_INSECURE}
+      NEXAPI_FFLAG_SECURITY_GROUPS: ${NEXAPI_FFLAG_SECURITY_GROUPS}
+      NEXAPI_ORIGINS: ${NEXAPI_ORIGINS}
+      NEXAPI_DOMAIN: ${NEXAPI_DOMAIN}
+      NEXAPI_SCOPES: ${NEXAPI_SCOPES}
+      NEXAPI_REDIS_SERVER: ${NEXAPI_REDIS_SERVER}
+      NEXAPI_REDIS_DB: ${NEXAPI_REDIS_DB}
+      NEXAPI_ENVIRONMENT: ${NEXAPI_ENVIRONMENT}
+      NEXAPI_FETCH_MGR: ${NEXAPI_FETCH_MGR}
+      NEXAPI_FETCH_MGR_TIMEOUT: ${NEXAPI_FETCH_MGR_TIMEOUT}
+      NEXAPI_DEVICE_CACHE_SIZE: ${NEXAPI_DEVICE_CACHE_SIZE}
+      NEXAPI_URL: ${NEXAPI_URL}
+      NEXAPI_SMTP_FROM: ${NEXAPI_SMTP_FROM}
+      NEXAPI_SMTP_HOST_PORT: ${NEXAPI_SMTP_HOST_PORT}
+      NEXAPI_SMTP_PASSWORD: ${NEXAPI_SMTP_PASSWORD}
+      NEXAPI_SMTP_TLS: ${NEXAPI_SMTP_TLS}
+      NEXAPI_SMTP_USER: ${NEXAPI_SMTP_USER}
+      NEXAPI_FFLAG_DEVICES: ${NEXAPI_FFLAG_DEVICES}
+      NEXAPI_FFLAG_SITES: ${NEXAPI_FFLAG_SITES}
+    healthcheck:
+      test: curl --fail http://localhost:8080/private/ready || exit 1
+      interval: 5s
+      timeout: 10s
+      retries: 6
+    volumes:
+      - type: bind
+        source: ./volumes/apiserver/sockets
+        target: /var/lib/apiserver
+    ports:
+      - "2345:2345"
+    # comment the following line to disable remote debugging of the apiserver
+    command: /dlv --continue --listen=:2345 --api-version=2 --only-same-user=false --headless --accept-multiclient exec /apiserver
+
+  auth:
+    restart: unless-stopped
+    container_name: nexodus_auth
+    networks:
+      - nexodus
+    depends_on:
+      - db
+    image: quay.io/keycloak/keycloak:21.0.2
+    volumes:
+      - type: bind
+        source: ../../deploy/nexodus/base/auth/files/nexodus.json
+        target: /opt/keycloak/data/import/nexodus.json
+    environment:
+      KC_DB: "postgres"
+      KC_DB_URL_HOST: db
+      KC_DB_URL_PORT: 5432
+      KC_DB_URL_DATABASE: ${POSTGRES_DB}
+      KC_DB_USERNAME: ${POSTGRES_USER}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      KC_HOSTNAME: ${KC_HOSTNAME}
+      KC_PROXY: "edge"
+      KC_HTTP_ENABLED: "true"
+      KC_HTTP_PORT: "8080"
+      KEYCLOAK_ADMIN: "admin"
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      WEB_CLIENT_ID: ${WEB_CLIENT_ID}
+      WEB_CLIENT_SECRET: ${WEB_CLIENT_SECRET}
+      CLI_CLIENT_ID: ${CLI_CLIENT_ID}
+      FRONTEND_URL: ${FRONTEND_URL}
+      REDIRECT_URL: ${REDIRECT_URL}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
+    command: [ "start", "--import-realm", "--features=preview", "--features=declarative-user-profile" ]
+
+  ipam:
+    restart: unless-stopped
+    container_name: nexodus_ipam
+    networks:
+      - nexodus
+    depends_on:
+      - db
+    build:
+      context: ../..
+      dockerfile: Containerfile.ipam
+    environment:
+      GOIPAM_PG_HOST: db
+      GOIPAM_PG_PORT: 5432
+      GOIPAM_PG_DBNAME: ${POSTGRES_DB}
+      GOIPAM_PG_USER: ${POSTGRES_USER}
+      GOIPAM_PG_PASSWORD: ${POSTGRES_PASSWORD}
+      GOIPAM_PG_SSLMODE: ${POSTGRES_SSL_MODE}
+    command:
+      - --grpc-server-endpoint=0.0.0.0:9090
+      - postgres
+
+  redis:
+    restart: unless-stopped
+    container_name: nexodus_redis
+    networks:
+      - nexodus
+    image: redis:6.0
+    command: [ "--maxmemory", "200mb", "--maxmemory-policy", "allkeys-lru", "--save", "" ]
+    volumes: []