author: Tommy Carpenter <tommy@research.att.com> 2018-06-29 16:08:34 -0400
committer: Tommy Carpenter <tommy@research.att.com> 2018-07-02 10:46:01 -0400
commit: 0d2fdb1d8bd120c2966365f0d90e63c35951e667 (patch)
tree: 90c6e82951e9e32527f477d126cb281c2c3a110e
parent: 8984604d52cd9354897b48b783dfd8610c5c5758 (diff)
Add HTTPS support.
Change-Id: I3a2f950c5031878c53b98f66450d859c007be77d
Issue-ID: DCAEGEN2-562
Signed-off-by: Tommy Carpenter <tommy@research.att.com>
-rw-r--r-- Dockerfile      | 12
-rw-r--r-- README.md       | 63
-rw-r--r-- nginxhttps.conf | 17
3 files changed, 73 insertions, 19 deletions
diff --git a/Dockerfile b/Dockerfile
index df5a4f0..ae2f079 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,4 +10,14 @@ RUN pip install /app/app
RUN mkdir -p /opt/logs/
-ENV LISTEN_PORT 10000
+# create the dir for the ssl certs
+RUN mkdir -p /etc/nginx/ssl
+
+COPY nginxhttps.conf /etc/nginx/conf.d/nginxhttps.conf
+
+ENV LISTEN_PORT 10000
+EXPOSE 443
+EXPOSE 10000
+
+#this is a registrator flag that tells it to ignore 80 from service discovery. Nothing is listening on 80, but the parent Dockerfile here exposes it. This container is internally listening on 10000 and 443.
+ENV SERVICE_80_IGNORE true
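Review bot: The TLS server block is installed unconditionally (`COPY nginxhttps.conf /etc/nginx/conf.d/nginxhttps.conf`) while the key and cert it points at are only provided for by an empty directory (`RUN mkdir -p /etc/nginx/ssl`); nginx validates `ssl_certificate` and `ssl_certificate_key` when it loads its configuration and exits with an emerg error if either file is missing, so a deployment that keeps the legacy HTTP-on-10000 behaviour and mounts no certificate will not start at all. Either state in the README that the two mounts are mandatory, or have an entrypoint step remove the conf (or gate the `COPY` behind a build arg) when the files are absent. A second point: `EXPOSE 443` next to `EXPOSE 10000` with only `SERVICE_80_IGNORE` set means the plaintext listener is always advertised alongside the TLS one; nothing in this hunk lets an operator run TLS-only, which the README should say.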
diff --git a/README.md b/README.md
index a37303e..cffbe73 100644
--- a/README.md
+++ b/README.md
@@ -47,33 +47,60 @@ X's configuration:
This project uses https://hub.docker.com/r/tiangolo/uwsgi-nginx-flask/
This is a solution that runs a productionalized setup using NGINX+uwsgi+Flask (Flask is not meant to be run as a real webserver per their docs). This project requires the app/app structure. Tox still works from the root due to tox magic.
-# Running
-
-## Locally (no docker)
-It is recommended that you do this step in a virtualenv.
-(set -x is Fish notaion, change for Bash etc. accordingly)
+# Testing
+You need tox:
```
-pip install --ignore-installed .; set -x CONSUL_HOST <YOUR_HOST>; ./main.py
+pip install tox
```
-
-## Docker
-## building
+Then from the root dir, *not in a virtual env*, just run:
```
-docker build -t config_binding_service:myversion .
+tox
```
-## running
+You may have to alter the tox.ini for the python envs you wish to test with.
+
+# Deployment information
+
+## Ports, HTTPS key/cert location
+
+The CBS frontend (NGINX) exposes 10000 and 443. It runs HTTP on 10000 and HTTPS on 443. 80 is also exposed by the parent Dockerfile but nothing is listening there so it can be ignored.
+
+If you wish to use HTTPS, it expects a key to be mounted at `/etc/nginx/ssl/nginx.key` and a cert to be mounted at `/etc/nginx/ssl/nginx.crt`. For example, a snippet from a `docker run` command:
+
```
-docker run -dt -p myextport:80 config_binding_service:myversion
+... -v /host/path/to/nginx.key:/etc/nginx/ssl/nginx.key -v /host/path/to/nginx.crt:/etc/nginx/ssl/nginx.crt ...
```
-# Testing
-You need tox:
+These ports can be mapped to whatever extnernally. To keep the legacy behavior of prior ONAP releases of HTTP on 10000, map 10000:10000. Or, you can now make 10000 HTTPS by mapping 10000:443. This is determined by the deployment blueprint.
+
+## Non-K8, Registrator, Consul setup
+This section only pertains to a very specific setup of using Registrator and Consul (registrator to register a Consul healthcheck, and relying on Consul health checking). This section does *not* pertain to a Kubernetes deployment that uses K8 "readiness probes" instead of Consul.
+
+There is a combination of issues, rooting from a bug in registrator:
+1. https://jira.onap.org/browse/DCAEGEN2-482
+2. https://github.com/gliderlabs/registrator/issues/605
+
+That causes the Consul registration to be suffixed with ports, breaking the expected service name (`config_binding_service`), **even if** those ports are not mapped externally. That is, even if only one of the two ports (10000,443) is mapped, due to the above-linked bug, the service name will be wrong in Consul.
+
+The solution is to run the container with a series of ENV variables. If you want the healthchecks to go over HTTPS, you also need to run the latest version on `master` in registrator. The old (3 year old) release of `v7` does not allow for HTTPS healthchecks. The below example fixes the service name, turns OFF HTTP healthchecks, and turns ON HTTPS healthchecks (only works with latest registrator):
+
```
-pip install tox
+ENV SERVICE_10000_IGNORE true
+ENV SERVICE_443_NAME config_binding_service
+ENV SERVICE_443_CHECK_HTTPS /healthcheck
+ENV SERVICE_443_CHECK_INTERVAL 15s
```
-Then from the root dir, *not in a virtual env*, just run:
+
+E.g., in Docker run terminology:
+
```
-tox
+... -e SERVICE_10000_IGNORE=true -e SERVICE_443_NAME=config_binding_service -e SERVICE_443_CHECK_HTTPS=/healthcheck -e SERVICE_443_CHECK_INTERVAL=15s ...
```
-You may have to alter the tox.ini for the python envs you wish to test with.
+If you wish to turn ON HTTP healthchecks and turn OFF HTTPS healthchecks, swith 10000 and 443 above. That will work even with `v7` of registrator (that is, `SERVICE_x_CHECK_HTTP` was already supported)
+
+## Running locally for development (no docker)
+It is recommended that you do this step in a virtualenv.
+(set -x is Fish notaion, change for Bash etc. accordingly)
+```
+pip install --ignore-installed .; set -x CONSUL_HOST <YOUR_HOST>; ./main.py
+```
diff --git a/nginxhttps.conf b/nginxhttps.conf
new file mode 100644
index 0000000..9795f19
--- /dev/null
+++ b/nginxhttps.conf
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl;
+
+ location / {
+ try_files $uri @app;
+ }
+ location @app {
+ include uwsgi_params;
+ uwsgi_pass unix:///tmp/uwsgi.sock;
+ }
+ location /static {
+ alias /app/static;
+ }
+ server_name configbinding;
+ ssl_certificate /etc/nginx/ssl/nginx.crt;
+ ssl_certificate_key /etc/nginx/ssl/nginx.key;
+}
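Review bot: `listen 443 ssl;` with no `ssl_protocols` or `ssl_ciphers` directive inherits nginx's compiled-in defaults, which on the nginx releases current for this base image still enable TLSv1.0 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` (drop 1.3 if the image's OpenSSL predates 1.1.1), `ssl_prefer_server_ciphers on;` and an explicit cipher list so the policy does not silently depend on the image version. The three `location` blocks mirror the routing of the base image's HTTP server on `LISTEN_PORT`; moving them into a shared snippet pulled in with `include` would keep the two listeners from drifting apart. Note also that `try_files $uri @app;` serves any file under the document root before falling through to uwsgi, so whatever the base image's root contains is reachable over 443 as well as 10000; the same exposure as before, but worth confirming now that a second listener advertises it.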