diff --git a/.actrc b/.actrc
index fc2d5a8..2a23273 100644
--- a/.actrc
+++ b/.actrc
@@ -9,3 +9,5 @@
--platform ubuntu-22.04=ghcr.io/catthehacker/ubuntu:act-22.04
--platform ubuntu-20.04=ghcr.io/catthehacker/ubuntu:act-20.04
--platform ubuntu-18.04=ghcr.io/catthehacker/ubuntu:act-18.04
+--secret-file=.act.secrets
+--var-file=.act.vars
diff --git a/.github/workflows/docker.build.yml b/.github/workflows/docker.build.yml
index a83faca..07bd80e 100644
--- a/.github/workflows/docker.build.yml
+++ b/.github/workflows/docker.build.yml
@@ -9,35 +9,37 @@ on:
workflow_dispatch:
env:
- PLATFORMS: linux/amd64,linux/arm64
- CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }}
+ PLATFORMS: ${{ vars.PLATFORMS }}
+ DOCKER_IMAGE: ghcr.io/${{ github.repository }}
jobs:
docker-build:
name: Build Swarm Load Balancer
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- uses: benzine-framework/action-setup-php@main
- uses: benzine-framework/action-get-datetime@main
- uses: benzine-framework/action-setup-docker@main
with:
- ghcr_user: matthewbaggett
- ghcr_token: ${{ secrets.GITHUB_TOKEN }}
- docker_hub_user: matthewbaggett
- docker_hub_token: ${{ secrets.DOCKER_HUB_TOKEN }}
+ ghcr_user: ${{ vars.SERVICE_ACCOUNT_USERNAME }}
+ ghcr_token: ${{ secrets.SERVICE_ACCOUNT_TOKEN }}
- name: "Build & Push Candidate Image as ${{ env.CANDIDATE_IMAGE }}"
uses: docker/build-push-action@v5
with:
context: .
- target: bouncer
+ target: loadbalancer
build-args: |
+ MAINTAINER=${{ vars.PUBLIC_MAINTAINER || 'Matthew Baggett <matthew@baggett.me>' }}
+ SOURCE_URL="https://github.com/${{ github.repository }}"
GIT_SHA=${{ github.sha }}
GIT_BUILD_ID=${{ github.ref_name }}
GIT_COMMIT_MESSAGE=${{ github.event.head_commit.message }}
BUILD_DATE=${{ env.ATOM }}
- platforms: ${{ github.actor != 'nektos/act' && env.PLATFORMS || 'linux/amd64' }}
+ platforms: ${{ github.actor != 'nektos/act' && vars.PLATFORMS || 'linux/amd64' }}
pull: true
push: ${{ github.ref == 'refs/heads/main' }}
- tags: ${{ env.CANDIDATE_IMAGE }}
+ tags: |
+ ${{ env.DOCKER_IMAGE }}:date-${{ env.DATE }}
+ ${{ env.DOCKER_IMAGE }}:sha-${{ github.sha }}
cache-from: ${{ env.DOCKER_CACHE_FROM }}
cache-to: ${{ env.DOCKER_CACHE_TO }}
diff --git a/.github/workflows/docker.clean.yml b/.github/workflows/docker.clean.yml
index d31c9f1..18cf19d 100644
--- a/.github/workflows/docker.clean.yml
+++ b/.github/workflows/docker.clean.yml
@@ -15,30 +15,32 @@ on:
jobs:
cleanup-delete-candidate-image:
name: Delete candidate image
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- uses: vlaurin/action-ghcr-prune@v0.6.0
+ continue-on-error: true
with:
token: ${{ secrets.GITHUB_TOKEN }}
organization: ${{ github.repository_owner }}
- container: bouncer
+ container: docker-swarm-loadbalancer
dry-run: true
prune-tags-regexes: |
^build-${{ github.sha }}$
cleanup-untagged-images:
name: Delete untagged images
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- uses: vlaurin/action-ghcr-prune@v0.6.0
+ continue-on-error: true
with:
token: ${{ secrets.GITHUB_TOKEN }}
organization: ${{ github.repository_owner }}
- container: bouncer
+ container: docker-swarm-loadbalancer
dry-run: true
- keep-younger-than: 30 # days
+ keep-younger-than: 90 # days
keep-last: 2
prune-untagged: true
keep-tags-regexes: |
diff --git a/.github/workflows/docker.release.yml b/.github/workflows/docker.release.yml
index 5722175..dbec1e0 100644
--- a/.github/workflows/docker.release.yml
+++ b/.github/workflows/docker.release.yml
@@ -9,26 +9,15 @@ on:
workflow_dispatch:
env:
- CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }}
- RELEASE_IMAGE_GHCR: ghcr.io/benzine-framework/bouncer:latest
- RELEASE_IMAGE_DOCKER: benzine/bouncer:latest
+ CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
+ RELEASE_IMAGE: ghcr.io/${{ github.repository }}:latest
jobs:
release-ghcr:
- name: GHCR
- runs-on: ubuntu-latest
+ name: GitHub Container Registry
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+ - run: docker login ghcr.io -u ${{ vars.SERVICE_ACCOUNT_USERNAME }} -p ${{ secrets.SERVICE_ACCOUNT_TOKEN }}
- run: docker pull ${{ env.CANDIDATE_IMAGE }}
- - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE_GHCR }}
- - run: docker push ${{ env.RELEASE_IMAGE_GHCR }}
-
- release-docker-hub:
- name: Docker Hub
- runs-on: ubuntu-latest
- steps:
- - run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- - run: docker login docker.io -u matthewbaggett -p ${{ secrets.DOCKER_HUB_TOKEN }}
- - run: docker pull ${{ env.CANDIDATE_IMAGE }}
- - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE_DOCKER }}
- - run: docker push ${{ env.RELEASE_IMAGE_DOCKER }}
+ - run: docker tag ${{ env.CANDIDATE_IMAGE }} ${{ env.RELEASE_IMAGE }}
+ - run: docker push ${{ env.RELEASE_IMAGE }}
diff --git a/.github/workflows/docker.validate.yml b/.github/workflows/docker.validate.yml
index b95d432..fd2789e 100644
--- a/.github/workflows/docker.validate.yml
+++ b/.github/workflows/docker.validate.yml
@@ -13,12 +13,12 @@ on:
- completed
env:
- CANDIDATE_IMAGE: ghcr.io/benzine-framework/bouncer:build-${{ github.sha }}
+ CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
jobs:
validate-install-report:
name: Run Install Report
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- name: "Pull Candidate Image"
@@ -27,7 +27,7 @@ jobs:
run: docker run --rm ${{ env.CANDIDATE_IMAGE }} /usr/bin/install-report
validate-dive-report:
name: Run Dive
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- name: "Pull Candidate Image"
@@ -48,7 +48,7 @@ jobs:
config-file: ${{ github.workspace }}/.dive-ci.yml
validate-vulnerability-report:
name: Run Trivy
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
- name: "Pull Candidate Image"
diff --git a/.github/workflows/php.check.yml b/.github/workflows/php.check.yml
index 38442eb..da71cf1 100644
--- a/.github/workflows/php.check.yml
+++ b/.github/workflows/php.check.yml
@@ -10,7 +10,7 @@ on:
jobs:
php-stan:
name: PHPStan
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
permissions:
checks: write # To post annotations
contents: read # For repo checkout
@@ -20,7 +20,7 @@ jobs:
php-cs-fixer:
name: PHP-CS-Fixer
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
permissions:
checks: write # For trunk to post annotations
contents: read # For repo checkout
diff --git a/.github/workflows/tag.release.yml b/.github/workflows/tag.release.yml
index 2dc83cf..1a26043 100644
--- a/.github/workflows/tag.release.yml
+++ b/.github/workflows/tag.release.yml
@@ -17,7 +17,7 @@ env:
jobs:
build-tagged-release:
name: Build Swarm Load Balancer
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
if: startsWith(github.ref, 'refs/tags/v')
steps:
- run: echo "Building Tagged Release ${{ env.TAG_IMAGE_GHCR }} & ${{ env.TAG_IMAGE_DOCKER }}"
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 64204d7..790466c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -10,49 +10,63 @@ on:
jobs:
test-integration:
name: Integration Tests
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
steps:
- uses: actions/checkout@v4
- - name: Start Bouncer
+ - name: Start Loadbalancer
run: |
rm -f docker-compose.override.yml
- docker compose up --build -d bouncer test-box
+ docker compose up --build -d loadbalancer test-box
- name: Give it a moment...
run: sleep 5
- name: No-SSL Connect to Web A
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -D - http://a.example.org > a.nossl.http
grep "HTTP/1.1 200 OK" a.nossl.http;
grep "<h1>Website A</h1>" a.nossl.http;
- name: SSL Connect to Web A
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -k -D - https://a.example.org 2>&1 > a.ssl.http;
grep "HTTP/1.1 200 OK" a.ssl.http;
grep "<h1>Website A</h1>" a.ssl.http;
- name: No-SSL Connect to Web B
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -D - http://b.example.org 2>&1 > b.nossl.http
grep "HTTP/1.1 200 OK" b.nossl.http
grep "<h1>Website B</h1>" b.nossl.http
- name: SSL Connect to Web B
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -k -D - https://b.example.org 2>&1 > b.ssl.http
grep "HTTP/1.1 200 OK" b.ssl.http
grep "<h1>Website B</h1>" b.ssl.http
- name: No-SSL Connect to SSL-redirect
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -D - http://redirect-to-ssl.example.org 2>&1 > redirect.nossl.http
# Validate its redirected
grep "HTTP/1.1 301 Moved Permanently" redirect.nossl.http
# And going to the right place
grep "Location: https://redirect-to-ssl.example.org" redirect.nossl.http
- name: SSL Connect to SSL-redirect
+ shell: bash
run: |
+ set -xeu
docker compose exec test-box curl -s -k -D - https://redirect-to-ssl.example.org 2>&1 > redirect.ssl.http
grep "HTTP/1.1 200 OK" redirect.ssl.http
grep "<h1>Website redirect-to-ssl</h1>" redirect.ssl.http
- name: Connect to Plural multiple times and verify it loadbalances
+ shell: bash
run: |
+ set -xeu
rm -f plural_requests
for i in {1..20}; do
docker compose exec test-box curl -s -k https://plural.example.org 2>&1 >> plural_requests
diff --git a/.github/workflows/trunk.cache.yml b/.github/workflows/trunk.cache.yml
index 51ce2f6..8d25d9a 100644
--- a/.github/workflows/trunk.cache.yml
+++ b/.github/workflows/trunk.cache.yml
@@ -22,7 +22,7 @@ concurrency:
jobs:
trunk-cache:
name: Trunk Cache
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
permissions:
actions: write
steps:
diff --git a/.github/workflows/trunk.check.yml b/.github/workflows/trunk.check.yml
index 564aeef..5e72b8c 100644
--- a/.github/workflows/trunk.check.yml
+++ b/.github/workflows/trunk.check.yml
@@ -10,7 +10,7 @@ on:
jobs:
trunk-check:
name: Trunk Check Runner
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
permissions:
checks: write # For trunk to post annotations
contents: read # For repo checkout
diff --git a/.github/workflows/trunk.upgrade.yml b/.github/workflows/trunk.upgrade.yml
index c8093aa..a0f4dd4 100644
--- a/.github/workflows/trunk.upgrade.yml
+++ b/.github/workflows/trunk.upgrade.yml
@@ -20,7 +20,7 @@ concurrency:
jobs:
trunk-upgrade:
name: Upgrade Trunk
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNS_ON }}
permissions:
contents: write # For trunk to create PRs
pull-requests: write # For trunk to create PRs
diff --git a/.gitignore b/.gitignore
index edcef9f..72dede8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@
/.php-cs-fixer.cache
/.github/cache
/.secrets
+/.act.secrets
+/.act.vars
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 8ba46f5..1ba1f50 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -47,16 +47,16 @@ tools:
enabled:
- tfupdate@0.8.2
- phpstan@1.10.58
- - gh@2.49.2
+ - gh@2.51.0
- jq@jq-1.7.1
- - yq@4.44.1
- - awscli@1.33.9
+ - yq@4.44.2
+ - awscli@1.33.13
- action-validator@0.6.0
- act@0.2.63
- shellcheck@0.10.0
- hadolint@2.12.0
- svgo@3.3.2
- - tofu@1.7.1
+ - tofu@1.7.2
- trunk-toolbox@0.3.1
- tflint@0.51.1
- terraform@1.1.4
diff --git a/Dockerfile b/Dockerfile
index d6ea36b..a2d7e2e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,22 @@
# checkov:skip=CKV_DOCKER_3 I don't have time for rootless
-FROM ghcr.io/benzine-framework/php:cli-8.2 AS bouncer
+FROM ghcr.io/benzine-framework/php:cli-8.2 AS loadbalancer
-LABEL maintainer="Matthew Baggett <matthew@baggett.me>" \
- org.label-schema.vcs-url="https://github.com/benzine-framework/docker-swarm-loadbalancer" \
- org.opencontainers.image.source="https://github.com/benzine-framework/docker-swarm-loadbalancer"
+# Allow overriding the default SSL cert subject
+ARG DEFAULT_SSL_CERT_SUBJECT="/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
+ARG PUBLIC_MAINTAINER="Matthew Baggett <matthew@baggett.me>"
+ARG SOURCE_URL="https://github.com/benzine-framework/docker-swarm-loadbalancer"
+ARG BUILD_DATE
+ARG GIT_SHA
+ARG GIT_BUILD_ID
+ARG GIT_COMMIT_MESSAGE
+ENV BUILD_DATE=${BUILD_DATE} \
+ GIT_SHA=${GIT_SHA} \
+ GIT_BUILD_ID=${GIT_BUILD_ID} \
+ GIT_COMMIT_MESSAGE=${GIT_COMMIT_MESSAGE}
+
+LABEL maintainer="${PUBLIC_MAINTAINER}" \
+ org.label-schema.vcs-url="${SOURCE_URL}" \
+ org.opencontainers.image.source="${SOURCE_URL}"
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -37,8 +50,17 @@ RUN apt-get -qq update && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/lib/dpkg/status.old /var/cache/debconf/templates.dat /var/log/dpkg.log /var/log/lastlog /var/log/apt/*.log
-# copy some default self-signed certs
-COPY self-signed-certificates /certs
+# Generate some default self-signed certs
+RUN mkdir /certs && \
+ openssl req \
+ -x509 \
+ -newkey rsa:4096 \
+ -keyout /certs/example.key \
+ -out /certs/example.crt \
+ -sha256 \
+ -days 3650 \
+ -nodes \
+ -subj "${DEFAULT_SSL_CERT_SUBJECT}"
# Install runits for services
COPY nginx.runit /etc/service/nginx/run
@@ -72,16 +94,6 @@ COPY src /app/src
COPY templates /app/templates
RUN chmod +x /app/bin/bouncer
-# stuff some envs from build
-ARG BUILD_DATE
-ARG GIT_SHA
-ARG GIT_BUILD_ID
-ARG GIT_COMMIT_MESSAGE
-ENV BUILD_DATE=${BUILD_DATE} \
- GIT_SHA=${GIT_SHA} \
- GIT_BUILD_ID=${GIT_BUILD_ID} \
- GIT_COMMIT_MESSAGE=${GIT_COMMIT_MESSAGE}
-
# Create some volumes for logs and certs
VOLUME /etc/letsencrypt
VOLUME /var/log/bouncer
@@ -104,5 +116,5 @@ HEALTHCHECK --start-period=3s --interval=3s \
# checkov:skip=CKV_DOCKER_7 This is a test container.
# checkov:skip=CKV_DOCKER_3 This is a test container.
-FROM alpine as test-box
-RUN apk add --no-cache curl bash
\ No newline at end of file
+FROM alpine AS test-box
+RUN apk add --no-cache curl bash
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 30c611f..4a53ea2 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -1,5 +1,5 @@
services:
- bouncer:
+ loadbalancer:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./src:/app/src
diff --git a/docker-compose.yml b/docker-compose.yml
index ff22836..532a517 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,14 +2,22 @@ networks:
default:
services:
- bouncer:
+ loadbalancer:
build:
context: .
- target: bouncer
+ target: loadbalancer
+ args:
+ MAINTAINER: "Test <test@oneupsales.co.uk>"
+ SOURCE_URL: "https://github.com/doesntmatter"
+ GIT_SHA: "1234"
+ GIT_BUILD_ID: "test"
+ GIT_COMMIT_MESSAGE: "testy mctestface"
+ BUILD_DATE: "1970-01-01"
additional_contexts:
- php:cli=docker-image://ghcr.io/benzine-framework/php:cli-8.2
volumes:
- /var/run/docker.sock:/var/run/docker.sock
+ image: loadbalancer-test
networks:
default:
aliases:
diff --git a/self-signed-certificates/example.crt b/self-signed-certificates/example.crt
deleted file mode 100644
index 58e206b..0000000
--- a/self-signed-certificates/example.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnTCCAoWgAwIBAgIUJYUUmBQ2/ERZ7xinAJzVhiFWViYwDQYJKoZIhvcNAQEL
-BQAwXTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1p
-YW1pMRYwFAYDVQQKDA1FeGFtcGxlIEdyb3VwMRQwEgYDVQQDDAtleGFtcGxlLm9y
-ZzAgFw0yMTA1MzAxNzU4MzlaGA8yMTIxMDUwNjE3NTgzOVowXTELMAkGA1UEBhMC
-VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1pYW1pMRYwFAYDVQQKDA1F
-eGFtcGxlIEdyb3VwMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANJa9OcoCW+mej8qDMCCTGnqMAuUqBIj1wZLgOdT
-4DHriq1vKi1JLsDZkYekrCq/sfWo97kDXsdK6YN4+mua5EN4cTG3mSpal+RgLTc2
-HMKHFfgzPzIN/n5AEqzdVZb5j0P3LoUNH687AlplW0BB+K64Gw//2KPx0Q8Fkhq2
-I97V8SRpqds78PJHzhfuZNs/AUFpFXnYHJyO2Q63Btq2aoTMQyoLDRBBxin70II2
-6Cjh3k6EhMY+HuYS1AjfI8cDQw289asJBLa6zPoD0VGaGNfCSrOzxrUqfhIoOkuY
-W7rOIsK6rSSu1neSKQIiOLVjQxifxrQIIKTQhRiSplgD9LUCAwEAAaNTMFEwHQYD
-VR0OBBYEFADK74w4AGeETK72k/htsnol9ye0MB8GA1UdIwQYMBaAFADK74w4AGeE
-TK72k/htsnol9ye0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AKElv0xx95lD2leXEOfD6DKakrzuE8lONmcrkfjehTOd7jbqblnj8u1DCWytwB8P
-gEr5FXve0iy7avGoNkU33MufbbQokAMoTs/IA+rwMfv0unupT1aYN8TTEXJJ100j
-MXBsq/PvNkBNwkBcXjYHHsVjdM3bptbaw9A4V9opfMjQXAY5wuk3rBBm8On2rJKy
-Qksh/uLoe8wbZ5dvLv9oc9sRpIilaSy8TcbrHkDIaWA5WCdVFfcayDGYdjhCYLGW
-tj/48g0THvJv6JvVYwFJqTM690YUSlxaOHQE2ZneLytocVyAdEL2MMldRezvtI1z
-1OXOia2G7koNYtS7cD8G1IM=
------END CERTIFICATE-----
diff --git a/self-signed-certificates/example.key b/self-signed-certificates/example.key
deleted file mode 100644
index 3c63e83..0000000
--- a/self-signed-certificates/example.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDSWvTnKAlvpno/
-KgzAgkxp6jALlKgSI9cGS4DnU+Ax64qtbyotSS7A2ZGHpKwqv7H1qPe5A17HSumD
-ePprmuRDeHExt5kqWpfkYC03NhzChxX4Mz8yDf5+QBKs3VWW+Y9D9y6FDR+vOwJa
-ZVtAQfiuuBsP/9ij8dEPBZIatiPe1fEkaanbO/DyR84X7mTbPwFBaRV52BycjtkO
-twbatmqEzEMqCw0QQcYp+9CCNugo4d5OhITGPh7mEtQI3yPHA0MNvPWrCQS2usz6
-A9FRmhjXwkqzs8a1Kn4SKDpLmFu6ziLCuq0krtZ3kikCIji1Y0MYn8a0CCCk0IUY
-kqZYA/S1AgMBAAECggEARqfQjPgwuzTi6OZ55AugGQ9VVf53uagaKH4h7RGKQ5pH
-OVwWgaGMN7CcpkAUqEM9RjOcCaPtKOmrp8Jx8sTTGSqScs2lf8lwLYB0j4/4dwqi
-wXyNJIX4znU9EJ1Di3OFwKF9Gam/077xWmWjEeFW43DpfiVEokSuIOqRGbHGOKlt
-2ygHJu+rmPapEPyYqSWQnAkYX0DW/KCAGiyIAqph/SgrCDTdsxbNOa2OwDygPC54
-7xW0yCduvgFLh9bxedF8iifzRkPw710cxyqVsYwHiwugDgxL4NiK1DlWbpBimab5
-ocye9+ElymMZ8DTjpA85cXny/TtoqJfqTs1YGYgrvQKBgQDwHnAcY0BjQ4o+ZneG
-oqBJeQ8KCMRU4pEIa5QOOeUr46gtiPIfcFh/BJUHQ61qk7gcJj5BV2GXNS7+m+sU
-RC3Usblm9twwxZn7mfoOk4z9NEfBI2MXmbB8ARjAQBCost+3KQAoSIL1AyDKiAlY
-2JfMt+73+kwUsg7b9g0pYIfn/wKBgQDgRJPlSIxJs2mbjzUwVBAeslct2W0dehrh
-V0sXPxEhJHWX6P343vLqRHRsKgqhbU/vy+3JrIS9ftwGKcmb+Y9EJgYrR+D3ZYzs
-idSOsunSspJgbCG5mHE1VQhr8IpHeCkuSt22aFErLfsjzXWZIewK2tqZN1QUjdc5
-EJHOD4UDSwKBgFYRYvgZ72NlOzFAw0kkE7YiSWy8Vbtjdr8A6JHs2KNRt9+Sfc8d
-Eut8dfqjnI5eIpkccCY1rwpnCtBCjRG3moHprl4k0Co/OgGAYKxG4TuFOM8W4xb7
-hNH+BqQqko4Vh7D8Zk0KKL6v/1n5RvhssoSzzVlfg1PLux3G5VLWggB7AoGAAP/N
-OORN27Y07kCBGCoHuFtLECU72znEDOT6rKvXQ7KJ45diKk2z/182tZSqX3XBOWxL
-Lu7Z2I5MJKri/xLplIAm3uJ/GhsVuagTjl81s36gMFXLAKyxNG+gjfqQYykh5dbn
-jfyBABRAXjR4JaqFBrda6fvZIA5RuytbuvNOwGkCgYAUs82tDGLiqyMPd2jgYS3k
-aL62f0TLKHjmTCmRca7IqXbqcMbAj+LgAHI2HfCfjc4KWd68ZGRLcpDlehMcis1f
-PQi3HW+2b9dAZX6+HAIGiVem//ckYXgUza4MMosh0hXquGs1yJ/VNWC+HPIHrj6X
-9tvvvHnGKav329q/Z/8K/A==
------END PRIVATE KEY-----
diff --git a/src/Bouncer.php b/src/Bouncer.php
index ccbaf13..273f8d9 100644
--- a/src/Bouncer.php
+++ b/src/Bouncer.php
@@ -8,16 +8,19 @@ use AdamBrett\ShellWrapper\Command\Builder as CommandBuilder;
use AdamBrett\ShellWrapper\Runners\Exec;
use Aws\S3\S3Client;
use Bouncer\Logger\AbstractLogger;
+use Bouncer\Logger\Formatter;
+use Bouncer\Logger\Logger;
+use Bouncer\Settings\Settings;
use GuzzleHttp\Client as Guzzle;
use GuzzleHttp\Exception\ConnectException;
+use GuzzleHttp\Exception\GuzzleException;
use GuzzleHttp\Exception\ServerException;
use League\Flysystem\AwsS3V3\AwsS3V3Adapter;
use League\Flysystem\FileAttributes;
use League\Flysystem\Filesystem;
use League\Flysystem\FilesystemException;
use League\Flysystem\Local\LocalFilesystemAdapter;
-use Bouncer\Logger\Logger;
-use Bouncer\Logger\Formatter;
+use Monolog\Processor;
use Spatie\Emoji\Emoji;
use Symfony\Component\Yaml\Yaml;
use Twig\Environment as Twig;
@@ -25,9 +28,6 @@ use Twig\Error\LoaderError;
use Twig\Error\RuntimeError;
use Twig\Error\SyntaxError;
use Twig\Loader\FilesystemLoader as TwigLoader;
-use GuzzleHttp\Exception\GuzzleException;
-use Monolog\Processor;
-use Bouncer\Settings\Settings;
class Bouncer
{
@@ -186,6 +186,7 @@ class Bouncer
public function findContainersContainerMode(): array
{
$bouncerTargets = [];
+ $this->logger->warning('Interrogating CONTAINERS for BOUNCER_* environment variables.', ['emoji' => Emoji::magnifyingGlassTiltedLeft()]);
$containers = json_decode($this->docker->request('GET', 'containers/json')->getBody()->getContents(), true);
foreach ($containers as $container) {
@@ -210,6 +211,8 @@ class Bouncer
}
// If BOUNCER_IGNORE is set, skip this service.
if (isset($envs['BOUNCER_IGNORE'])) {
+ $this->logger->warning('Container {container_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'container_name' => $container['Name']]);
+
continue;
}
@@ -262,16 +265,19 @@ class Bouncer
}
}
+ $this->logger->warning('Interrogating CONTAINERS for BOUNCER_* environment variables found {count} containers.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]);
+
return $validBouncerTargets;
}
public function findContainersSwarmMode(): array
{
+ $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables.', ['emoji' => Emoji::magnifyingGlassTiltedLeft()]);
$bouncerTargets = [];
$services = json_decode($this->docker->request('GET', 'services')->getBody()->getContents(), true);
if (isset($services['message'])) {
- $this->logger->debug('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' Bouncer.php', 'message' => $services['message']]);
+ $this->logger->debug('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' ', 'message' => $services['message']]);
} else {
foreach ($services as $service) {
$envs = [];
@@ -283,6 +289,7 @@ class Bouncer
) {
continue;
}
+
// Parse all the environment variables and store them in an array.
foreach ($service['Spec']['TaskTemplate']['ContainerSpec']['Env'] as $env) {
[$envKey, $envVal] = explode('=', $env, 2);
@@ -291,12 +298,18 @@ class Bouncer
}
}
ksort($envs);
+
// If there are no BOUNCER_* environment variables, skip this service.
if (count($envs) == 0) {
+ $this->logger->debug('Service {service_name} has no BOUNCER_* envs set, skipping.', ['emoji' => Emoji::ghost() . ' ', 'service_name' => $service['Spec']['Name']]);
+
continue;
}
+
// if BOUNCER_IGNORE is set, skip this service.
if (isset($envs['BOUNCER_IGNORE'])) {
+ $this->logger->debug('Service {service_name} has BOUNCER_IGNORE set, skipping.', ['emoji' => Emoji::warning() . ' ', 'service_name' => $service['Spec']['Name']]);
+
continue;
}
@@ -325,7 +338,7 @@ class Bouncer
$bouncerTarget->setEndpoints(['172.17.0.1']);
$bouncerTarget->setPort(intval($service['Endpoint']['Ports'][0]['PublishedPort']));
} else {
- $this->logger->warning('{label}: ports block missing for {target_name}. Try setting BOUNCER_TARGET_PORT.', ['emoji' => Emoji::warning() . ' Bouncer.php', 'label' => $bouncerTarget->getLabel(), 'target_name' => $bouncerTarget->getName()]);
+ $this->logger->warning('{label}: ports block missing for {target_name}. Try setting BOUNCER_TARGET_PORT.', ['emoji' => Emoji::warning() . ' ', 'label' => $bouncerTarget->getLabel(), 'target_name' => $bouncerTarget->getName()]);
\Kint::dump(
$bouncerTarget->getId(),
$bouncerTarget->getLabel(),
@@ -344,6 +357,10 @@ class Bouncer
unset($bouncerTarget);
}
}
+
+ if (isset($bouncerTarget)) {
+ $bouncerTargets[] = $bouncerTarget;
+ }
}
}
}
@@ -364,13 +381,16 @@ class Bouncer
);
}
}
+ $this->logger->debug('There are {count} bouncer targets, of which {validCount} are valid', ['count' => count($bouncerTargets), 'validCount' => count($validBouncerTargets)]);
+
+ $this->logger->warning('Interrogating SERVICES for BOUNCER_* environment variables found {count} services.', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'count' => count($validBouncerTargets)]);
return $validBouncerTargets;
}
public function run(): void
{
- $this->logger->info('Starting Bouncer. Built {build_id} on {build_date}, {build_ago}', ['emoji' => Emoji::redHeart() . ' Bouncer.php', 'build_id' => $this->settings->get('build/id'), 'build_date' => $this->settings->get('build/date')->toDateTimeString(), 'build_ago' => $this->settings->get('build/date')->ago()]);
+ $this->logger->info('Starting Bouncer. Built {build_id} on {build_date}, {build_ago}', ['emoji' => Emoji::redHeart() . ' ', 'build_id' => $this->settings->get('build/id'), 'build_date' => $this->settings->get('build/date')->toDateTimeString(), 'build_ago' => $this->settings->get('build/date')->ago()]);
$this->logger->info('Build #{git_sha}: "{build_message}"', ['emoji' => Emoji::memo(), 'git_sha' => $this->settings->get('build/sha_short'), 'build_message' => $this->settings->get('build/message')]);
$this->logger->debug(' > HTTPS Listener is on {https_port}', ['emoji' => Emoji::ship(), 'https_port' => $this->settings->get('bouncer/https_port')]);
$this->logger->debug(' > HTTP Listener is on {http_port}', ['emoji' => Emoji::ship(), 'http_port' => $this->settings->get('bouncer/http_port')]);
@@ -586,7 +606,7 @@ class Bouncer
$containerStateDiff = $this->diff($this->previousContainerState, $newContainerState);
if (!$isTainted && !empty($containerStateDiff)) {
if ($this->settings->if('logger/show_state_deltas')) {
- $this->logger->warning('Container state has changed', ['emoji' => Emoji::warning() . ' Bouncer.php']);
+ $this->logger->warning('Container state has changed', ['emoji' => Emoji::warning() . ' ']);
echo $containerStateDiff;
}
$isTainted = true;
@@ -598,7 +618,7 @@ class Bouncer
if ($this->isSwarmMode()) {
$services = json_decode($this->docker->request('GET', 'services')->getBody()->getContents(), true);
if (isset($services['message'])) {
- $this->logger->warning('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' Bouncer.php', 'message' => $services['message']]);
+ $this->logger->warning('Something happened while interrogating services.. This node is not a swarm node, cannot have services: {message}', ['emoji' => Emoji::warning() . ' ', 'message' => $services['message']]);
} else {
foreach ($services as $service) {
$name = $service['Spec']['Name'];
@@ -626,7 +646,7 @@ class Bouncer
$swarmStateDiff = $this->diff($this->previousSwarmState, $newSwarmState);
if ($this->isSwarmMode() && !$isTainted && !empty($swarmStateDiff)) {
if ($this->settings->if('logger/show_state_deltas')) {
- $this->logger->warning('Swarm state has changed', ['emoji' => Emoji::warning() . ' Bouncer.php']);
+ $this->logger->warning('Swarm state has changed', ['emoji' => Emoji::warning() . ' ']);
echo $swarmStateDiff;
}
$isTainted = true;
@@ -662,7 +682,7 @@ class Bouncer
} catch (ServerException $exception) {
$this->setSwarmMode(false);
} catch (ConnectException $exception) {
- $this->logger->critical('Unable to connect to docker socket!', ['emoji' => Emoji::warning() . ' Bouncer.php']);
+ $this->logger->critical('Unable to connect to docker socket!', ['emoji' => Emoji::warning() . ' ']);
$this->logger->critical($exception->getMessage());
exit(1);
@@ -670,6 +690,7 @@ class Bouncer
$this->logger->debug(' > Swarm mode is {enabled}.', ['emoji' => Emoji::honeybee(), 'enabled' => $this->isSwarmMode() ? 'enabled' : 'disabled']);
+ /** @var Target[] $targets */
$targets = array_values(
array_merge(
$this->findContainersContainerMode(),
@@ -677,6 +698,10 @@ class Bouncer
)
);
+ foreach ($targets as $target) {
+ $this->logger->info('Found target {target}', ['emoji' => Emoji::magnifyingGlassTiltedLeft(), 'target' => $target->getName()]);
+ }
+
// Use some bs to sort the targets by domain from right to left.
$sortedTargets = [];
foreach ($targets as $target) {
@@ -702,7 +727,7 @@ class Bouncer
}
if ($this->isTestMode()) {
- $this->logger->info('Test mode enabled, not restarting nginx. Infact, I\'ll die now..', ['emoji' => Emoji::warning() . ' Bouncer.php']);
+ $this->logger->info('Test mode enabled, not restarting nginx. Infact, I\'ll die now..', ['emoji' => Emoji::warning() . ' ']);
$this->dumpConfigs();
exit(0);
@@ -818,15 +843,15 @@ class Bouncer
'file' => $target->getNginxConfigFileName(),
'config_dir' => Bouncer::FILESYSTEM_CONFIG_DIR,
];
- $this->logger->info('Created {label}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']);
- $this->logger->debug(' -> {config_dir}/{file}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']);
- $this->logger->debug(' -> {domain}', $context + ['emoji' => Emoji::pencil() . ' Bouncer.php']);
+ $this->logger->info('Created {label}', $context + ['emoji' => Emoji::pencil() . ' ']);
+ $this->logger->debug(' -> {config_dir}/{file}', $context + ['emoji' => Emoji::pencil() . ' ']);
+ $this->logger->debug(' -> {domain}', $context + ['emoji' => Emoji::pencil() . ' ']);
$this->logger->critical('{label} cert type is {cert_type}', $context + ['emoji' => Emoji::catFace(), 'cert_type' => $target->getTypeCertInUse()->name]);
}
} else {
- $this->logger->info('More than {num_max} Nginx configs generated.. Too many to show them all!', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'num_max' => $this->getMaximumNginxConfigCreationNotices()]);
+ $this->logger->info('More than {num_max} Nginx configs generated.. Too many to show them all!', ['emoji' => Emoji::pencil() . ' ', 'num_max' => $this->getMaximumNginxConfigCreationNotices()]);
}
- $this->logger->info('Updated {num_created} Nginx configs, {num_changed} changed..', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'num_created' => count($targets), 'num_changed' => count($changedTargets)]);
+ $this->logger->info('Updated {num_created} Nginx configs, {num_changed} changed..', ['emoji' => Emoji::pencil() . ' ', 'num_created' => count($targets), 'num_changed' => count($changedTargets)]);
$this->pruneNonExistentConfigs($targets);
}
@@ -949,13 +974,13 @@ class Bouncer
$command->addFlag('n');
$command->addFlag('m', $this->environment['BOUNCER_LETSENCRYPT_EMAIL']);
$command->addArgument('agree-tos');
- $this->logger->info('Generating letsencrypt for {target_name} - {command}', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'target_name' => $target->getName(), 'command' => $command->__toString()]);
+ $this->logger->info('Generating letsencrypt for {target_name} - {command}', ['emoji' => Emoji::pencil() . ' ', 'target_name' => $target->getName(), 'command' => $command->__toString()]);
$shell->run($command);
if ($shell->getReturnValue() == 0) {
$this->logger->info('Generating successful', ['emoji' => Emoji::partyPopper()]);
} else {
- $this->logger->critical('Generating failed!', ['emoji' => Emoji::warning() . ' Bouncer.php']);
+ $this->logger->critical('Generating failed!', ['emoji' => Emoji::warning() . ' ']);
}
// Re-enable nginx tweaks
@@ -977,7 +1002,7 @@ class Bouncer
$shell = new Exec();
$command = new CommandBuilder('/usr/sbin/nginx');
$command->addFlag('s', 'reload');
- $this->logger->info('Restarting nginx', ['emoji' => Emoji::timerClock() . ' Bouncer.php']);
+ $this->logger->info('Restarting nginx', ['emoji' => Emoji::timerClock() . ' ']);
$nginxRestartOutput = $shell->run($command);
$this->logger->debug('Nginx restarted {restart_output}', ['restart_output' => $nginxRestartOutput, 'emoji' => Emoji::partyPopper()]);
}
@@ -990,7 +1015,7 @@ class Bouncer
if ($file['path'] == 'default.conf') {
continue;
}
- $this->logger->info('Dumping {file}', ['emoji' => Emoji::pencil() . ' Bouncer.php', 'file' => $file['path']]);
+ $this->logger->info('Dumping {file}', ['emoji' => Emoji::pencil() . ' ', 'file' => $file['path']]);
echo $this->configFilesystem->read($file['path']);
}
}