nginx

Paddy 2015-06-30 Parent:68478c1bddde

1:ac9c19126939 tip

Make nginx kubernetes-ready. We had to update to use a ubuntu-based image to build nginx into, because (and I kid you not) alpine linux straight-up ignores your resolv.conf file, meaning any attempt to use it with kubernetes DNS is doomed to fail. Who thought this was a good idea? So we're using a bloated image instead. Oh well. We also are running a wrapper script instead of nginx directly, so we can inject the JWT_SECRET environment variable based on a kubernetes secret file. We define the secret file (using a placeholder secret, obvs) so that future-Paddy can remember what the hell it looks like, when he inevitably loses the file and needs to spin up a new cluster. Or whatever. Finally, we updated the token expiration error message to be in an errors array, as God (and our API conventions) intended.

Dockerfile nginx-jwt.lua secrets/jwt.json wrapper.sh

     1.1 --- a/Dockerfile	Mon Jun 22 00:42:40 2015 -0400
     1.2 +++ b/Dockerfile	Tue Jun 30 00:27:03 2015 -0400
     1.3 @@ -1,4 +1,10 @@
     1.4 -FROM alpine:3.1
     1.5 +FROM ubuntu:trusty
     1.6 +
     1.7 +RUN apt-get update \
     1.8 + && apt-get install -y --no-install-recommends \
     1.9 +    curl perl make build-essential procps \
    1.10 +    libreadline-dev libncurses5-dev libpcre3-dev libssl-dev \
    1.11 + && rm -rf /var/lib/apt/lists/*
    1.12  
    1.13  ENV OPENRESTY_VERSION 1.7.10.1
    1.14  ENV OPENRESTY_PREFIX /opt/secondbit
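Review bot: zlib is missing from the new apt-get list at 1.7-1.10 even though the removed apk line at 1.24 installed zlib-dev; nginx's configure needs zlib for the gzip module unless the configure flags (not in this hunk) pass --without-http_gzip_module, so add `zlib1g-dev` to the install line. The package list is also unpinned, so two builds of this Dockerfile can produce different binaries.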
    1.15 @@ -12,18 +18,13 @@
    1.16  ADD jwt-lib/basexx.lua $OPENRESTY_PREFIX/lualib/basexx.lua
    1.17  ADD jwt-lib/resty/hmac.lua $OPENRESTY_PREFIX/lualib/resty/hmac.lua
    1.18  ADD jwt-lib/resty/jwt.lua $OPENRESTY_PREFIX/lualib/resty/jwt.lua
    1.19 +ADD wrapper.sh /bin/run.sh
    1.20  
    1.21 -RUN echo "==> Installing dependencies..." \
    1.22 - && apk update \
    1.23 - && apk add make gcc musl-dev \
    1.24 -    pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev \
    1.25 -    curl perl \
    1.26 - && mkdir -p /root/ngx_openresty \
    1.27 - && cd /root/ngx_openresty \
    1.28 +RUN cd /root \
    1.29   && echo "==> Downloading OpenResty..." \
    1.30   && curl -sSL http://openresty.org/download/ngx_openresty-${OPENRESTY_VERSION}.tar.gz | tar -xvz \
    1.31 + && echo "==> Configuring OpenResty..." \
    1.32   && cd ngx_openresty-* \
    1.33 - && echo "==> Configuring OpenResty..." \
    1.34   && readonly NPROC=$(grep -c ^processor /proc/cpuinfo 2>/dev/null || 1) \
    1.35   && echo "using upto $NPROC threads" \
    1.36   && ./configure \
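Review bot: `ADD wrapper.sh /bin/run.sh` at 1.19 preserves whatever mode the file has in the working copy, so unless wrapper.sh is committed executable the container will fail to start with a permission error on `CMD ["run.sh"]`; add `RUN chmod +x /bin/run.sh` (and prefer COPY over ADD for a plain local file). The unchanged line 1.34 also carries a latent bug: `|| 1` runs a command named `1` rather than substituting 1 when /proc/cpuinfo is unreadable; `|| echo 1` is what was meant.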
    1.37 @@ -55,16 +56,11 @@
    1.38   && ln -sf $OPENRESTY_PREFIX/bin/resty /usr/local/bin/resty \
    1.39   && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* $OPENRESTY_PREFIX/luajit/bin/lua \
    1.40   && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* /usr/local/bin/lua \
    1.41 - && apk del \
    1.42 -    make gcc musl-dev pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev curl perl \
    1.43 - && apk add \
    1.44 -    libpcrecpp libpcre16 libpcre32 openssl libssl1.0 pcre libgcc libstdc++ \
    1.45 - && rm -rf /var/cache/apk/* \
    1.46 - && rm -rf /root/ngx_openresty
    1.47 + && rm -rf /root/ngx_openresty*
    1.48  
    1.49  WORKDIR $NGINX_PREFIX/
    1.50  
    1.51  ONBUILD RUN rm -rf conf/* html/*
    1.52  ONBUILD COPY nginx $NGINX_PREFIX/
    1.53  
    1.54 -CMD ["nginx", "-g", "daemon off; error_log /dev/stderr info;"]
    1.55 +CMD ["run.sh"]
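Review bot: dropping the `apk del` cleanup at 1.41-1.46 without an apt equivalent ships build-essential, curl, perl and the -dev headers in the final image; a full compiler toolchain in an internet-facing edge container is more attack surface and a larger image than the service needs. Install the build packages in the same RUN as the OpenResty build and finish that RUN with `apt-get purge -y --auto-remove build-essential ... && rm -rf /var/lib/apt/lists/*`, keeping only the runtime libraries (libpcre3, libssl1.0.0, zlib1g), so the committed layer carries no toolchain.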
     2.1 --- a/nginx-jwt.lua	Mon Jun 22 00:42:40 2015 -0400
     2.2 +++ b/nginx-jwt.lua	Tue Jun 30 00:27:03 2015 -0400
     2.3 @@ -58,7 +58,7 @@
     2.4              if jwt_obj.verified == false then
     2.5                  if string.find(jwt_obj.reason, "expired at") ~= nil then
     2.6                      ngx.status = ngx.HTTP_UNAUTHORIZED
     2.7 -		    ngx.say('{"error": "access_denied", "header": "authorization"}')
     2.8 +		    ngx.say('{"errors": [{"error": "access_denied", "header": "authorization"}]}')
     2.9                      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    2.10  		else
    2.11                      ngx.log(ngx.WARN, "Invalid token: ".. jwt_obj.reason)
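Review bot: the expired-token branch at 2.8 now emits the errors-array shape, but ngx.say sends it without a Content-Type, so clients receive a JSON body labelled as text/html; set `ngx.header.content_type = "application/json"` before the ngx.say. Check that the sibling branches (only the `else` at 2.10 is visible here) emit the same errors-array shape so clients see one error format, and note that matching `"expired at"` in jwt_obj.reason ties this check to the library's message text; reading the exp claim from the decoded payload would be less brittle.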
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/secrets/jwt.json	Tue Jun 30 00:27:03 2015 -0400
     3.3 @@ -0,0 +1,11 @@
     3.4 +{
     3.5 +  "apiVersion": "v1",
     3.6 +  "kind": "Secret",
     3.7 +  "metadata" : {
     3.8 +    "name": "jwt",
     3.9 +    "namespace": "default"
    3.10 +  },
    3.11 +  "data": {
    3.12 +    "secret": "INSERT BASE64 ENCODED SECRET HERE"
    3.13 +  }
    3.14 +}
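Review bot: the placeholder at 3.12 is not valid base64, so `kubectl create -f secrets/jwt.json` fails on this file as committed; that is acceptable for a template, but then name it as one (e.g. jwt.json.template) or ignore the directory in .hgignore, otherwise the filled-in copy with the real secret is one careless `hg add` away from the repository. The data key `secret` is what becomes the file name when the Secret is mounted as a volume, which is what the default `/private/kubernetes/jwt/secret` path in wrapper.sh relies on; a comment saying the two must stay in sync would help future-Paddy.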
     4.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     4.2 +++ b/wrapper.sh	Tue Jun 30 00:27:03 2015 -0400
     4.3 @@ -0,0 +1,7 @@
     4.4 +#!/bin/sh
     4.5 +
     4.6 +SECRET_FILE=${SECRET_FILE:-/private/kubernetes/jwt/secret}
     4.7 +
     4.8 +SECRET=`cat ${SECRET_FILE}`
     4.9 +
    4.10 +JWT_SECRET="${SECRET}" JWT_SECRET_IS_BASE64_ENCODED="true" nginx -g "daemon off; error_log /dev/stderr info;"
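Review bot: nginx at 4.10 is started as a child of the shell rather than replacing it, so `sh` is PID 1 in the container and, having no handler installed, will not act on the SIGTERM Kubernetes sends on pod deletion; nginx then only stops when the pod is SIGKILLed after the grace period instead of shutting down cleanly. Write `exec nginx -g "..."` so nginx becomes PID 1 and handles the signal itself. Line 4.8 also has no failure handling: if SECRET_FILE is missing, `cat` prints an error and SECRET is empty, and nginx starts with JWT_SECRET="" rather than refusing to come up; add `set -e` (or `[ -s "$SECRET_FILE" ] || exit 1`) and use `$(cat "$SECRET_FILE")` with quoting instead of backticks.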