feat: refactor Traefik route configuration and update lets_encrypt handling #121

NethServer/dev#7669

Author: stephdl

build-images.sh

@@ -75,7 +75,7 @@ buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
 buildah config --entrypoint=/ \
     --label="org.nethserver.authorizations=traefik@any:routeadm node:tunadm,portsadm" \
-    --label="org.nethserver.min-core=3.1.0" \
+    --label="org.nethserver.min-core=3.12.4-0" \
     --label="org.nethserver.tcp-ports-demand=11" \
     --label="org.nethserver.images=ghcr.io/nethserver/nethsecurity-vpn:$controller_version ghcr.io/nethserver/nethsecurity-api:$controller_version ghcr.io/nethserver/nethsecurity-ui:$controller_version ghcr.io/nethserver/nethsecurity-proxy:$controller_version $promtail_image $loki_image $prometheus_image $grafana_image ghcr.io/nethserver/webssh:${IMAGETAG:-latest} $timescale_image" \
     "${container}"

imageroot/actions/configure-module/20configure

@@ -28,72 +28,78 @@ for path in ['loki_path', 'prometheus_path', 'webssh_path']:
         config[path] = f'/{uuid.uuid4()}'
 
 # Configure Traefik to route requests to the nethsec-controller service
-response = agent.tasks.run(
-    agent_id=agent.resolve_agent_id('traefik@node'),
-    action='set-route',
-    data={
-        'instance': os.environ['MODULE_ID'],
-        'url':  f'http://127.0.0.1:{ports[3]}',
-        'http2https': True,
-        'lets_encrypt': request["lets_encrypt"],
-        'host': request["host"],
-    },
-)
-agent.assert_exp(response['exit_code'] == 0)
-response = agent.tasks.run(
-    agent_id=agent.resolve_agent_id('traefik@node'),
-    action='set-route',
-    data={
-        'instance': os.environ['MODULE_ID'] + '_grafana',
-        'url':  f'http://127.0.0.1:{ports[8]}',
-        'http2https': True,
-        'lets_encrypt': request["lets_encrypt"],
-        'host': request["host"],
-        'path': '/grafana'
-    },
-)
-agent.assert_exp(response['exit_code'] == 0)
-response = agent.tasks.run(
-    agent_id=agent.resolve_agent_id('traefik@node'),
-    action='set-route',
-    data={
-        'instance': os.environ['MODULE_ID'] + '_loki',
-        'url':  f'http://127.0.0.1:{ports[5]}',
-        'http2https': True,
-        'lets_encrypt': request["lets_encrypt"],
-        'host': request["host"],
-        'path': config['loki_path']
-    },
-)
-agent.assert_exp(response['exit_code'] == 0)
-response = agent.tasks.run(
-    agent_id=agent.resolve_agent_id('traefik@node'),
-    action='set-route',
-    data={
-        'instance': os.environ['MODULE_ID'] + '_prometheus',
-        'url':  f'http://127.0.0.1:{ports[7]}',
-        'http2https': True,
-        'lets_encrypt': request["lets_encrypt"],
-        'host': request["host"],
-        'path': config['prometheus_path']
-    },
-)
-agent.assert_exp(response['exit_code'] == 0)
-
-response = agent.tasks.run(
-    agent_id=agent.resolve_agent_id('traefik@node'),
-    action='set-route',
-    data={
-        'instance': os.environ['MODULE_ID'] + '_webssh',
-        'url':  f'http://127.0.0.1:{ports[9]}',
-        'http2https': True,
-        'lets_encrypt': request["lets_encrypt"],
-        'host': request["host"],
-        'path': config['webssh_path'],
-        'strip_prefix': True
-    },
-)
-agent.assert_exp(response['exit_code'] == 0)
+set_route_data = {
+    'instance': os.environ['MODULE_ID'],
+    'url':  f'http://127.0.0.1:{ports[3]}',
+    'http2https': True,
+    'host': request["host"],
+    'lets_encrypt_check': True,
+    'lets_encrypt_cleanup': True,
+}
+if 'lets_encrypt' in request:
+    set_route_data['lets_encrypt'] = request['lets_encrypt']
+
+agent.set_route(set_route_data)
+
+# Configure Traefik to route requests to the grafana service
+set_route_data = {
+    'instance': os.environ['MODULE_ID'] + '_grafana',
+    'url':  f'http://127.0.0.1:{ports[8]}',
+    'http2https': True,
+    'host': request["host"],
+    'path': '/grafana',
+    'lets_encrypt_check': True,
+    'lets_encrypt_cleanup': True,
+}
+if 'lets_encrypt' in request:
+    set_route_data['lets_encrypt'] = request['lets_encrypt']
+
+agent.set_route(set_route_data)
+
+# Configure Traefik to route requests to the loki service
+set_route_data = {
+    'instance': os.environ['MODULE_ID'] + '_loki',
+    'url':  f'http://127.0.0.1:{ports[5]}',
+    'http2https': True,
+    'host': request["host"],
+    'path': config['loki_path'],
+    'lets_encrypt_check': True,
+    'lets_encrypt_cleanup': True,
+}
+if 'lets_encrypt' in request:
+    set_route_data['lets_encrypt'] = request['lets_encrypt']
+
+agent.set_route(set_route_data)
+
+# Configure Traefik to route requests to the prometheus service
+set_route_data = {
+    'instance': os.environ['MODULE_ID'] + '_prometheus',
+    'url':  f'http://127.0.0.1:{ports[7]}',
+    'http2https': True,
+    'host': request["host"],
+    'path': config['prometheus_path'],
+    'lets_encrypt_check': True,
+    'lets_encrypt_cleanup': True,
+}
+if 'lets_encrypt' in request:
+    set_route_data['lets_encrypt'] = request['lets_encrypt']
+
+agent.set_route(set_route_data)
+
+# Configure Traefik to route requests to the webssh service
+set_route_data = {
+    'instance': os.environ['MODULE_ID'] + '_webssh',
+    'url':  f'http://127.0.0.1:{ports[9]}',
+    'http2https': True,
+    'lets_encrypt': request["lets_encrypt"],
+    'host': request["host"],
+    'path': config['webssh_path'],
+    'strip_prefix': True,
+    'lets_encrypt_check': True,
+    'lets_encrypt_cleanup': True,
+}
+if 'lets_encrypt' in request:
+    set_route_data['lets_encrypt'] = request['lets_encrypt']
 
 config["allowed_ips"] = request.get("allowed_ips", [])
 

imageroot/actions/configure-module/validate-input.json

@@ -8,7 +8,6 @@
             "api_user": "admin",
             "api_password": "admin",
             "host": "controller.nethserver.org",
-            "lets_encrypt": true,
             "ovpn_network": "127.2.10.0",
             "ovpn_netmask": "255.255.0.0",
             "ovpn_cn": "nethsec",
@@ -19,7 +18,7 @@
         }
     ],
     "type": "object",
-    "required": [ "host", "lets_encrypt", "api_user", "ovpn_network", "ovpn_netmask", "ovpn_cn" ],
+    "required": [ "host", "api_user", "ovpn_network", "ovpn_netmask", "ovpn_cn" ],
     "properties": {
         "host": {
             "type": "string",

imageroot/actions/get-configuration/20read

@@ -23,6 +23,7 @@ if os.path.isfile('config.json'):
     config['api_password'] = ''
     network = agent.read_envfile('network.env')
     config['vpn_port'] = network['OVPN_UDP_PORT']
+    config["lets_encrypt"] = agent.get_route(os.environ['MODULE_ID']).get('lets_encrypt', False)
 else:
     # Prepare random values for first-configuration
     # Pick a newtork inside 172.16.0.0/12 (range 172.16.0.0-172.31.255.255)

imageroot/actions/restore-module/20configure

@@ -15,5 +15,7 @@ config = {}
 # Read current configuration from config file
 with open('config.json', 'r') as cf:
     config = json.loads(cf.read())
+    if 'lets_encrypt' in config:
+        del config['lets_encrypt']
 
 agent.tasks.run(agent_id=os.environ['AGENT_ID'], action='configure-module', data=config)

ui/package.json

@@ -11,7 +11,7 @@
   "dependencies": {
     "@carbon/icons-vue": "^10.37.0",
     "@carbon/vue": "^2.40.0",
-    "@nethserver/ns8-ui-lib": "^1.3.1",
+    "@nethserver/ns8-ui-lib": "^1.4.1",
     "await-to-js": "^3.0.0",
     "axios": "^0.30.0",
     "carbon-components": "^10.41.0",