certbot-docker-swarm - Certbot plugin for Docker Swarm Secrets

certbot-docker-swarm is a certbot installer plugin that can be used to automatically deploy TLS certificates as Docker Swarm Secrets. certbot-docker-swarm also automatically updates Swarm services to use the new secrets after renewal.

Usage

Install certbot-docker-swarm by running the following commands:

git clone git@github.com:eerotal/certbot-docker-swarm.git
cd certbot-docker-swarm
python3 setup.py install

After running these commands, you can verify that the installation was successful by running certbot plugins. This should print a list of all plugins certbot is able to find. One of the plugins listed should be docker-swarm. You can tell certbot to use the installer plugin by passing -i docker-swarm when invoking certbot. See the certbot man page for more info.

certbot-docker-swarm also has Docker images on Docker Hub. See the docker/ subdirectory for more info.

Swarm Secrets

When certificates are renewed certbot-docker-swarm creates Docker Swarm Secrets named with the format

{domain}_{name}_v{version}

where

  • {domain} = The domain the certificate authenticates.
  • {name} = The name of the secret. One of: cert, key, chain, fullchain.
  • {version} = The Unix Epoch timestamp of the certificate in seconds.

All generated secrets have a set of labels:

  • certbot.managed = Always "true".
  • certbot.domain = The domain the certificate authenticates.
  • certbot.name = The name of the secret. One of: cert, key, chain, fullchain.
  • certbot.version = The Unix Epoch timestamp of the certificate in seconds.

These labels are used by certbot-docker-swarm for identifying services which need to be updated after certificate renewal.

Configuring Swarm Services

If your domain is example.com, you can create an nginx Swarm service that uses a certificate managed by certbot-docker-swarm by running

docker service create \
    --secret source=example.com_cert_v{version},target=example.com_cert \
    --secret source=example.com_key_v{version},target=example.com_key \
    --secret source=example.com_chain_v{version},target=example.com_chain \
    --secret source=example.com_fullchain_v{version},target=example.com_fullchain \
    --name nginx \
    nginx:alpine

If your service doesn't need all of the secrets you can omit the ones that aren't required. Secrets will still be generated from those files as well, but they won't be attached to your services.
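The naming scheme and labels described above, together with the --secret flags in the service example, as an added example that is not the plugin's own code: it picks the newest secret per (domain, name) from constructed sample records and builds the matching --secret flags. The check that a secret's labels agree with its parsed name is an assumption of this example, not documented plugin behaviour.

```python
import re

# Name format from the README: {domain}_{name}_v{version}, where name is one of
# cert, key, chain, fullchain and version is a Unix timestamp in seconds.
NAME_RE = re.compile(r"^(.+)_(cert|key|chain|fullchain)_v(\d+)$")


def _managed(domain, name, version):
    """Build a secret record (name + labels) shaped like the README describes."""
    return {"name": "%s_%s_v%d" % (domain, name, version),
            "labels": {"certbot.managed": "true", "certbot.domain": domain,
                       "certbot.name": name, "certbot.version": str(version)}}

# Constructed sample, not real swarm output: two cert versions, one key, a decoy
# whose labels disagree with its name, and an unmanaged secret that only
# imitates the naming pattern.
SAMPLE_SECRETS = [
    _managed("example.com", "cert", 1609459200),
    _managed("example.com", "cert", 1617235200),
    _managed("example.com", "key", 1617235200),
    dict(_managed("other.test", "key", 1700000000), name="example.com_key_v1700000000"),
    {"name": "example.com_chain_v1700000000", "labels": {}},
]

def parse_secret_name(secret_name):
    """Return (domain, name, version) or None if the name is not in the scheme."""
    m = NAME_RE.match(secret_name)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def newest_secrets(secrets):
    """Map (domain, name) -> name of the newest secret. Only secrets labelled
    certbot.managed=true whose labels agree with the parsed name count
    (the consistency check is this example's assumption, not the plugin's)."""
    best = {}
    for s in secrets:
        parsed, labels = parse_secret_name(s["name"]), s.get("labels", {})
        if parsed is None or labels.get("certbot.managed") != "true":
            continue
        domain, name, version = parsed
        if (labels.get("certbot.domain"), labels.get("certbot.name"),
                labels.get("certbot.version")) != (domain, name, str(version)):
            continue  # labels and name disagree: do not trust this secret
        if (domain, name) not in best or version > best[(domain, name)][0]:
            best[(domain, name)] = (version, s["name"])
    return {k: v[1] for k, v in best.items()}

def secret_flags(secrets, domain):
    """--secret flags for `docker service create`, newest version of each file."""
    newest = newest_secrets(secrets)
    return ["--secret source=%s,target=%s_%s" % (newest[(domain, n)], domain, n)
            for n in ("cert", "key", "chain", "fullchain") if (domain, n) in newest]
```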

If you deploy your Docker Swarm Services using docker-compose files, you can use a configuration similar to the one below:

...
...

version: '3.9'
services:
  nginx:
    image: nginx:alpine

    ...
    ...

    secrets:
      - example.com_cert
      - example.com_key
      - example.com_chain
      - example.com_fullchain

secrets:
  example.com_cert:
    name: example.com_cert_v{version}
    external: true
  example.com_key:
    name: example.com_key_v{version}
    external: true
  example.com_chain:
    name: example.com_chain_v{version}
    external: true
  example.com_fullchain:
    name: example.com_fullchain_v{version}
    external: true

...
...

Dependencies

In addition to Docker with Swarm mode enabled you'll need the following dependencies from PyPI:

  • docker >= 4.4
  • certbot >= 1.10

These are, however, automatically installed by the setup.py script.

Development

Building development Docker images

All Docker related configuration and source files are in docker/. You can run the docker/build.sh script to build a development Docker image tagged with :dev. Note that the included Dockerfile clones the certbot-docker-swarm sources from the remote git repository, which means your local changes won't be included in the built images by default.

Running tests

certbot-docker-swarm uses tox to automate linting, unit tests etc. Install tox with

pip install tox

By default tox tries to use all the environments defined in tox.ini, i.e. lint, py27, py35, py36, py37, py38, py39. If you only want to lint the codebase against PEP-8 you can run

python3 -m tox -e lint

To run unit tests using the Python binary in your path run

python3 -m tox -e py

You can also use python in place of python3 if both are in your PATH.

CI/CD pipeline

certbot-docker-swarm uses GitHub Actions for its CI/CD pipeline. The pipeline includes linting and running tests against all commits as well as deploying released Docker images to Docker Hub.

License

certbot-docker-swarm is licensed under the BSD 3-clause license. See the file LICENSE for more information.

Copyright Eero Talus 2021

certbot-docker-swarm's Issues

Install fails with "ValueError: ZIP does not support timestamps before 1980"

Hey There,

Trying to install this is failing with an error:

# python3 setup.py install
running install
running bdist_egg
running egg_info
writing certbot_docker_swarm.egg-info/PKG-INFO
writing dependency_links to certbot_docker_swarm.egg-info/dependency_links.txt
writing entry points to certbot_docker_swarm.egg-info/entry_points.txt
writing requirements to certbot_docker_swarm.egg-info/requires.txt
writing top-level names to certbot_docker_swarm.egg-info/top_level.txt
reading manifest file 'certbot_docker_swarm.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'certbot_docker_swarm.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
copying certbot_docker_swarm.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying certbot_docker_swarm.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying certbot_docker_swarm.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying certbot_docker_swarm.egg-info/entry_points.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying certbot_docker_swarm.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying certbot_docker_swarm.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist/certbot_docker_swarm-0.0.1-py3.7.egg' and adding 'build/bdist.linux-x86_64/egg' to it
Traceback (most recent call last):
  File "setup.py", line 29, in <module>
    'docker-swarm = certbot_docker_swarm:SwarmInstaller'
  File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 145, in setup
    return distutils.core.setup(**attrs)
  File "/usr/lib/python3.7/distutils/core.py", line 148, in setup
    dist.run_commands()
  File "/usr/lib/python3.7/distutils/dist.py", line 966, in run_commands
    self.run_command(cmd)
  File "/usr/lib/python3.7/distutils/dist.py", line 985, in run_command
    cmd_obj.run()
  File "/usr/lib/python3/dist-packages/setuptools/command/install.py", line 67, in run
    self.do_egg_install()
  File "/usr/lib/python3/dist-packages/setuptools/command/install.py", line 109, in do_egg_install
    self.run_command('bdist_egg')
  File "/usr/lib/python3.7/distutils/cmd.py", line 313, in run_command
    self.distribution.run_command(command)
  File "/usr/lib/python3.7/distutils/dist.py", line 985, in run_command
    cmd_obj.run()
  File "/usr/lib/python3/dist-packages/setuptools/command/bdist_egg.py", line 234, in run
    dry_run=self.dry_run, mode=self.gen_header())
  File "/usr/lib/python3/dist-packages/setuptools/command/bdist_egg.py", line 497, in make_zipfile
    visit(z, dirname, files)
  File "/usr/lib/python3/dist-packages/setuptools/command/bdist_egg.py", line 490, in visit
    z.write(path, p)
  File "/usr/lib/python3.7/zipfile.py", line 1710, in write
    zinfo = ZipInfo.from_file(filename, arcname)
  File "/usr/lib/python3.7/zipfile.py", line 518, in from_file
    zinfo = cls(arcname, date_time)
  File "/usr/lib/python3.7/zipfile.py", line 357, in __init__
    raise ValueError('ZIP does not support timestamps before 1980')
ValueError: ZIP does not support timestamps before 1980

Doing a bit of digging, appears to be the following files causing the issue:

./build/bdist.linux-x86_64/egg/certbot_docker_swarm/_internal/models:
-rw-r--r-- 1 root root    0 Jan  1  1970 __init__.py

./build/bdist.linux-x86_64/egg/certbot_docker_swarm/_internal/util:
-rw-r--r-- 1 root root    0 Jan  1  1970 __init__.py

./build/bdist.linux-x86_64/egg/tests:
-rw-r--r-- 1 root root 0 Jan  1  1970 __init__.py

./build/bdist.linux-x86_64/egg/tests/config:
-rw-r--r-- 1 root root   0 Jan  1  1970 __init__.py

And about 20 or 30 more similar 0-byte files.

This is Python 3.7.3 with setuptools 40.8.0 (And now just removed the debian version and pip3 installed 57.4.0)

Thanks,

Damien
