backup

a285c57d · dsaucezi · 62adb0ad · a285c57d · a285c57d · a285c57d
Commit a285c57d authored 6 months ago by dsaucezi
--- a/https/Dockerfile
+++ b/https/Dockerfile
+FROM python:3.10-slim
+WORKDIR /api-flask
+COPY requirements.txt  /api-flask/
+RUN pip3 install --upgrade pip && pip install --no-cache-dir -r requirements.txt
+COPY server.flask.py /api-flask/
+EXPOSE 443
+CMD ["python3", "server.flask.py"]
--- a/https/ingress.sh
+++ b/https/ingress.sh
+helm upgrade --install ingress-nginx ingress-nginx \
+  --repo https://kubernetes.github.io/ingress-nginx \
+  --namespace ingress-nginx --create-namespace
+
+kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=120s
+
+IP=$(kubectl get service ingress-nginx-controller --namespace=ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+echo $IP
+
+HOSTNAME=demo-nginx.default.svc
+#openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=FR/L=Sophia Antipolis/O=SLICES-RI/CN=$HOSTNAME" -out server.csr
+#openssl x509 -req -extfile <(printf "subjectAltName=DNS:$HOSTNAME") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
+#kubectl create secret tls $HOSTNAME-secret --cert=server.crt --key=server.key 
+
+cat << EOF > ingress-demo.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: demo-nginx
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - www.demo.io               	   # The hostname for HTTPS
+    secretName: $HOSTNAME-secret       # TLS secret for SSL termination
+  rules:
+  - host: www.demo.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: demo-nginx
+            port:
+              number: 5000
+        path: /
+        pathType: Prefix
+EOF
--- a/https/launch.sh
+++ b/https/launch.sh
 #!/usr/bin/bash
-#openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
-#openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
-python3 -m venv .
-source ./bin/activate
-pip3 install -r requirements.txt 
-python3/server.flask.py
+# openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=FR/L=Sophia Antipolis/O=SLICES-RI/CN=$HOSTNAME" -out server.csr
+# openssl x509 -req -extfile <(printf "subjectAltName=DNS:$HOSTNAME") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
+# kubectl create secret generic tls-secret --from-file=server.key --from-file=server.crt
+
+#python3 -m venv .
+#source ./bin/activate
+#pip3 install -r requirements.txt 
+#python3/server.flask.py
--- a/https/server.flask.py
+++ b/https/server.flask.py
+# openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
+# openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
+# kubectl create secret generic tls-secret --from-file=server.key --from-file=server.crt
+
 # openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
 # openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
 # python3 -m venv ~/https
@@ -5,6 +9,48 @@
 # pip3 install -r requirements.txt 

 from flask import Flask, request, jsonify
+import argparse
+import os
+
+def check_environment_variables():
+    """
+    Checks and returns the 'KEY', 'CERTIFICATE', and 'PORT' values.
+
+    - Both 'KEY' and 'CERTIFICATE' are optional environment variables, but if one is set, 
+      both must be defined. If only one is set without the other, a ValueError is raised.
+    - 'PORT' can be provided via an environment variable. Defaults to 80 if 'KEY' is not defined, 
+      and 443 if 'KEY' is defined, if the environment variable is not set.
+
+    Returns:
+        tuple: A tuple containing the values of 'KEY', 'CERTIFICATE', and 'PORT'. If neither 
+               'KEY' nor 'CERTIFICATE' is set, both values will be None.
+
+    Raises:
+        ValueError: If one of 'KEY' or 'CERTIFICATE' is set but the other is not.
+    """
+    key = os.getenv('KEY')
+    certificate = os.getenv('CERTIFICATE')
+
+    if key is not None or certificate is not None:
+        if not (key and certificate):
+            raise ValueError("Both 'KEY' and 'CERTIFICATE' must be defined if one is set.")
+
+    # Determine port value from environment variable
+    port_env = os.getenv('PORT')
+    if port_env is not None:
+        try:
+            port = int(port_env)
+        except ValueError:
+            raise ValueError("Environment variable 'PORT' must be an integer.")
+    else:
+        # Default port values based on the presence of 'key'
+        if key is not None:
+            port = 443
+        else:
+            port = 80
+
+    return key, certificate, port
+
 app = Flask(__name__)

 @app.route("/namespace", methods = ['GET', 'POST'])
@@ -69,4 +115,12 @@ def hello():
    return msg

 if __name__ == "__main__":
-    app.run(host='0.0.0.0', port=8000, ssl_context=('server.crt', 'server.key'))
+    try:
+        key, certificate, port = check_environment_variables()
+    except ValueError as e:
+        print(f"Error: {e}")
+
+    if key is None:
+        app.run(host='0.0.0.0', port=port)
+    else:
+        app.run(host='0.0.0.0', port=port, ssl_context=(certificate, key))
--- a/k8s/service.yaml
+++ b/k8s/service.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: demo-nginx
+  labels:
+    app.kubernetes.io/name: proxy
+spec:
+  containers:
+  - name: demo-nginx
+    image: 172.29.7.10:5001/k8s-webhook
+    env:
+      - name: KEY
+        value: "/server.key"
+      - name: CERTIFICATE
+        value: "/server.crt"
+    volumeMounts:
+    - name: secret-volume
+      mountPath: "/server.key"
+      subPath: server.key
+      readOnly: true
+    - name: secret-volume
+      mountPath: "/server.crt"
+      subPath: server.crt
+      readOnly: true
+    ports:
+      - containerPort: 443
+        name: http-web-svc
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: tls-secret
+      items:
+      - key: server.key
+        path: server.key
+      - key: server.crt
+        path: server.crt
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: demo-nginx
+spec:
+  selector:
+    app.kubernetes.io/name: proxy
+  ports:
+  - name: name-of-service-port
+    protocol: TCP
+    port: 443 
+    targetPort: http-web-svc
--- a/k8s/webhook_service.sh
+++ b/k8s/webhook_service.sh
+cat <<EOF > webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: my-webhook
+webhooks:
+- name: www.demo.io
+  clientConfig:
+    service:
+      namespace: default
+      name: demo-nginx
+      path: /namespace
+    caBundle: $(sudo cat /etc/kubernetes/pki/ca.crt | base64 | tr -d "\n")
+  rules:
+  - operations: ["CREATE", "DELETE"]
+    apiGroups: [""] 
+    apiVersions: ["v1"]
+    resources: ["namespaces"]
+  admissionReviewVersions: ["v1"]
+  timeoutSeconds: 5
+  sideEffects: NoneOnDryRun
+EOF
+
+kubectl create -f webhook.yaml