Skip to content

acep-devops/acep-caddy

BranchesTags

Repository files navigation

acep-caddy

Initial cookbook for setting up caddy reverse proxy service for ACEP.

This currently has a few assumptions in place:

  1. Using wildcard cert for all reverse proxy targets which means they have to all fall under the same root domain i.e. *.lab.acep.uaf.edu
  2. Wildcard cert we will need to use the DNS-01 verification process for Let's Encrypt and is configured to use GCP Cloud DNS module.

Credentials

Currently this is cookbook has to create dns entires in the GCP CloudDomain in order to handle wildcard certificates as such we need to provide the cookbook a service account json block.

When creating a service account in GCP you can create a service key JSON this should be downloaded and a chef-vault created using the a command similar to the following.

Note: Replace any value encased in [] with an the desired names

Set the correct attribute value for the cookbook to use in the nodes Policyfile

default['gcp']['project'] = "[GCP_PROJECT_NAME]"
default['gcp']['service_account_vault'] = "[GCP_SECRET_VAULT_NAME]"

Once a node is provisioned it can be given access to the vault by adding the clouddns tag and refreshing the vault

knife tag create NODE_NAME clouddns
knife vault refresh credentials [GCP_SECRET_VAULT_NAME]

To create the chef vault use the following command

knife vault create credentials [GCP_SECRET_VAULT_NAME] -m client -S "tags:clouddns" -A "[admin1],[admin2],[admin3]" --file /path/to/credentials/file

Configs

You can control which data bag is used for the caddy config by specifying the following attribute:

default['caddy']['sites_data_bag'] = '[NAME]_sites'

Example config for the sites data bag:

{
    "id": "[NAME]_sites",
    "domains": {
        "*.camio.lab.alaska.edu": [{
            "name": "test_site",
            "upstream": "http://localhost:8080",
            "fqdn": "test.camio.lab.alaska.edu",
            "self_signed": false
        }]
    }
}
  • wildcard_domain - This is the domain that will be used to request a wildcard ssl certificate. Currently this cookbook assumes it's hosted in GCP CloudDomain and will need the appropriate credentials in order to set txt records for Let's Encrypt.
  • gcp_project - the GCP project hosting the wildcard domain
  • sites - An array of site configs that the caddy instance will proxy.
    • name - Unique name for the reverse proxy site
    • upstream - URL for the remote site to proxy
    • fqdn - The url that will be used for the proxy to the remote site. Must be covered by the wildcard host or cause SSL errors
    • self_signed - If the remote site for the proxy uses a self-signed proxy then this must be set to true in order to allow caddy to trust the remote site. Otherwise this should be false if using a real SSL certificate or is not using SSL.

About

Chef cookbook for installing and configuring caddy

Resources

Readme

License

View license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages