From 8ad3e6d46db3de62f120a823cd944233b14dee70 Mon Sep 17 00:00:00 2001
From: Ismail Khoffi
Date: Thu, 17 Aug 2017 19:19:47 +0100
Subject: [PATCH 1/4] WIP: simplify and update docker files

---
 cmd/keytransparency-server/Dockerfile | 41 ++++--------------
 cmd/keytransparency-server/main.go | 2 +-
 cmd/keytransparency-signer/Dockerfile | 30 ++++----------
 cmd/keytransparency-signer/main.go | 2 +-
 docker-compose.yml | 57 ++++++++++++++-------------
 5 files changed, 46 insertions(+), 86 deletions(-)

diff --git a/cmd/keytransparency-server/Dockerfile b/cmd/keytransparency-server/Dockerfile
index d8ce444ba..aeb066b09 100644
--- a/cmd/keytransparency-server/Dockerfile
+++ b/cmd/keytransparency-server/Dockerfile
@@ -1,44 +1,17 @@
 FROM golang
-ENV DB_USER=test \
-    DB_PASSWORD=zaphod \
-    DB_DATABASE=test \
-    DB_HOST=db:3306
-
-ENV HOST=0.0.0.0 \
-    RPC_PORT=8080
-
-# TLS Certificate needs 0.0.0.0 to be in the SAN IP field.
-ENV VRF_PRIV=keytransparency/genfiles/vrf-key.pem \
-    TLS_KEY_PATH=keytransparency/genfiles/server.key \
-    TLS_CRT_PATH=keytransparency/genfiles/server.crt
-
-ENV MAP_ID=0 \
-    MAP_URL=""
-ENV LOG_ID=0 \
-    LOG_URL=localhost:8090
-
-ENV VERBOSITY=1
-
 ADD keytransparency/genfiles/* /kt/
 ADD ./keytransparency /go/src/github.com/google/keytransparency
 ADD ./trillian /go/src/github.com/google/trillian
 WORKDIR /go/src/github.com/google/keytransparency
-RUN apt-get update && apt-get install -y libtool libltdl-dev
 RUN go get -tags="mysql" ./cmd/keytransparency-server
-ENTRYPOINT /go/bin/keytransparency-server \
-    --addr="$HOST:$RPC_PORT" \
-    --db="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
-    --vrf="$VRF_PRIV" \
-    --key="$TLS_KEY_PATH" --cert="$TLS_CRT_PATH" \
-    --log-id="$LOG_ID" --log-url="$LOG_URL" \
-    --map-id="$MAP_ID" --map-url="$MAP_URL" \
-    --alsologtostderr \
-    --v=${VERBOSITY}
-
-EXPOSE $RPC_PORT
+ENTRYPOINT
+  - /go/bin/keytransparency-server
+  - --log-id="$LOG_ID"
+  - --log-url="$LOG_URL" \
+  - --map-url="$MAP_URL" \
+  - --alsologtostderr
-HEALTHCHECK --interval=5m --timeout=3s \
-    CMD curl -f http://localhost:$RPC_PORT/debug/vars || exit 1
+EXPOSE 8080
\ No newline at end of file
diff --git a/cmd/keytransparency-server/main.go b/cmd/keytransparency-server/main.go
index cf0e52b1f..7e84adfb7 100644
--- a/cmd/keytransparency-server/main.go
+++ b/cmd/keytransparency-server/main.go
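Review bot: The retained `ADD keytransparency/genfiles/* /kt/` still copies the whole genfiles directory into an image layer, and the ENV lines this hunk removes show that directory holds the VRF private key (`vrf-key.pem`) and the TLS private key (`server.key`); anyone who can pull the image (the compose file tags the sibling signer image for `us.gcr.io/key-transparency/...`) gets both keys, and they remain in layer history even if a later layer deletes them. If these are more than throwaway dev keys, mount them at run time (a compose `volumes:` entry, or the `/kt-secrets/` paths the Kubernetes template uses) and drop the `ADD`; otherwise add `# genfiles/ holds DEV-ONLY keys; never build a production image from this directory` above it. Separately, the new `ENTRYPOINT` is written as a YAML list, which the Dockerfile parser does not understand (a later patch in this series replaces it), and the image loses its `HEALTHCHECK` with no replacement in the Dockerfile. `FROM golang` is also unpinned, so every rebuild silently picks up a new toolchain.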
@@ -54,7 +54,7 @@ import (
 var (
 	addr = flag.String("addr", ":8080", "The ip:port combination to listen on")
 	metricsAddr = flag.String("metrics-addr", ":8081", "The ip:port to publish metrics on")
-	serverDBPath = flag.String("db", "db", "Database connection string")
+	serverDBPath = flag.String("db", "test:zaphod@tcp(localhost:3306)/test", "Database connection string")
 	vrfPath = flag.String("vrf", "genfiles/vrf-key.pem", "Path to VRF private key")
 	keyFile = flag.String("key", "genfiles/server.key", "TLS private key file")
 	certFile = flag.String("cert", "genfiles/server.crt", "TLS cert file")
diff --git a/cmd/keytransparency-signer/Dockerfile b/cmd/keytransparency-signer/Dockerfile
index ab7f047c0..ed54a754d 100644
--- a/cmd/keytransparency-signer/Dockerfile
+++ b/cmd/keytransparency-signer/Dockerfile
@@ -1,33 +1,17 @@
 FROM golang
-ENV DB_USER=test \
-    DB_PASSWORD=zaphod \
-    DB_DATABASE=test \
-    DB_HOST=127.0.0.0:3306
-
-ENV MAP_ID=0 \
-    MAP_URL=""
-ENV LOG_ID=0 \
-    LOG_URL=localhost:8090 \
-    LOG_KEY=trillian/testdata/log-rpc-server.pubkey.pem
-
-ENV MIN_SIGN_PERIOD=5s \
-    MAX_SIGN_PERIOD=24h
-
-ENV VERBOSITY=0
-
 ADD keytransparency/genfiles/* /kt/
 ADD ./keytransparency /go/src/github.com/google/keytransparency
 ADD ./trillian /go/src/github.com/google/trillian
 WORKDIR /go/src/github.com/google/keytransparency
-RUN apt-get update && apt-get install -y libtool libltdl-dev
 RUN go get -tags="mysql" ./cmd/keytransparency-signer
-ENTRYPOINT /go/bin/keytransparency-signer \
-    --db="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
-    --min-period="$MIN_SIGN_PERIOD" --max-period="$MAX_SIGN_PERIOD" \
-    --log-id="$LOG_ID" --log-url="$LOG_URL" --log-key="$LOG_KEY" \
-    --map-id="$MAP_ID" --map-url="$MAP_URL" \
-    --alsologtostderr --v=${VERBOSITY}
+ENTRYPOINT
+  - /go/bin/keytransparency-signer
+  - --log-id="$LOG_ID"
+  - --log-url="$LOG_URL"
+  - --log-key="$LOG_KEY"
+  - --map-id="$MAP_ID"
+  - --map-url="$MAP_URL"
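Review bot: The new default for `--db`, `test:zaphod@tcp(localhost:3306)/test`, compiles a username and password into the binary, so a deployment that forgets the flag silently connects with those credentials instead of failing, and the pair is published by `--help` and by the binary's string table. The dev credentials already live in docker-compose; the flag should default to empty and be rejected when unset, e.g. `serverDBPath = flag.String("db", "", "Database connection string (required)")` together with a check in main that exits when it is empty. The same default is introduced for the signer in this series, and both should change together. The `var (` block continues outside the hunk.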
diff --git a/cmd/keytransparency-signer/main.go b/cmd/keytransparency-signer/main.go
index ee89763a8..03eeee56b 100644
--- a/cmd/keytransparency-signer/main.go
+++ b/cmd/keytransparency-signer/main.go
@@ -40,7 +40,7 @@ import (
 var (
 	metricsAddr = flag.String("metrics-addr", ":8081", "The ip:port to publish metrics on")
-	serverDBPath = flag.String("db", "db", "Database connection string")
+	serverDBPath = flag.String("db", "test:zaphod@tcp(localhost:3306)/test", "Database connection string")
 	domain = flag.String("domain", "example.com", "Distinguished name for this key server")
 	minEpochDuration = flag.Duration("min-period", time.Second*60, "Minimum time between epoch creation (create epochs only if there where mutations). Expected to be smaller than max-period.")
 	maxEpochDuration = flag.Duration("max-period", time.Hour*12, "Maximum time between epoch creation (independent from mutations). This value should about half the time guaranteed by the policy.")
diff --git a/docker-compose.yml b/docker-compose.yml
index 861bf56ce..21a50acb4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
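Review bot: `--db` now defaults to `test:zaphod@tcp(localhost:3306)/test`, so the signer — which presumably writes epochs to this database — connects with a baked-in test password whenever the flag is omitted rather than refusing to start. Prefer an empty default that main rejects, e.g. `serverDBPath = flag.String("db", "", "Database connection string (required)")`, and keep the dev credentials in docker-compose, where they are already spelled out. If the default is kept for convenience, the help string should at least say "dev default; override in production". The `var (` block continues beyond the hunk.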
@@ -109,20 +109,24 @@ services:
     ports:
       - "8080:8080" # json & grpc
       - "8081:8081" # metrics
-    environment:
-      LOG_ID: ${LOG_ID} # Update with trillian admin CLI.
-      LOG_URL: trillian-log:8090
-      MAP_ID: ${MAP_ID} # Update with trillian admin CLI.
-      MAP_URL: trillian-map:8090
-      DB_HOST: db:3306
-      DB_DATABASE: test
-      DB_USER: test
-      DB_PASSWORD: zaphod
-      VRF_PRIV: /kt/vrf-key.pem
-      VRF_PUB: /kt/vrf-pubkey.pem
-      TLS_KEY_PATH: /kt/server.key
-      TLS_CRT_PATH: /kt/server.crt
-      VERBOSITY: 5
+    entrypoint:
+      - /go/bin/keytransparency-server
+      - --addr=0.0.0.0.:8080
+      - --db=test:zaphod@tcp(db:3306)/test
+      - --log-id={$LOG_ID}
+      - --log-url={$LOG_URL}
+      - --map-id={$MAP_ID}
+      - --map-url={$MAP_URL)
+      - --vrf=/kt/vrf-key.pem
+      - --key=/kt/server.key
+      - --cert=/kt/server.crt
+      - --alsologtostderr
+      - --v=5
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/debug/var"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
   kt-signer:
     depends_on:
@@ -134,16 +138,15 @@ services:
       dockerfile: ./keytransparency/cmd/keytransparency-signer/Dockerfile
     image: us.gcr.io/key-transparency/keytransparency-signer
     restart: always
-    environment:
-      LOG_ID: ${LOG_ID} # Update with trillian admin CLI.
-      LOG_URL: trillian-log:8090
-      MAP_ID: ${MAP_ID} # Update with trillian admin CLI.
-      MAP_URL: trillian-map:8090
-      DB_HOST: db:3306
-      DB_DATABASE: test
-      DB_USER: test
-      DB_PASSWORD: zaphod
-      LOG_KEY: /kt/trillian-log.pem
-      MIN_SIGN_PERIOD: 5s
-      MAX_SIGN_PERIOD: 5m
-      VERBOSITY: 5
+    entrypoint:
+      - /go/bin/keytransparency-signer
+      - --db=test:zaphod@tcp(db:3306)/test
+      - --log-id={$LOG_ID}
+      - --log-url={$LOG_URL}
+      - --map-id={$MAP_ID}
+      - --map-url={$MAP_URL)
+      - --log-key=/kt/trillian-log.pem
+      - --min-period=5s
+      - --max-period=5m
+      - --alsologtostderr
+      - --v=5
From ca7afb166af6bdd00a2251ad0013f7a1a451925b Mon Sep 17 00:00:00 2001
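Review bot: `--addr=0.0.0.0.:8080` has a stray fourth dot and is not a valid host:port, so the server cannot bind; the line should read `- --addr=0.0.0.0:8080` (the same typo is carried into the Kubernetes template later in this series and never corrected). The new healthcheck probes `/debug/var`, whereas the Dockerfile `HEALTHCHECK` it replaces used `/debug/vars`; with `curl -f` a 404 marks the container unhealthy for good, so it should be `"http://localhost:8080/debug/vars"`. Because the same process is started with `--key`/`--cert`, it is also worth confirming that port 8080 answers plain HTTP for this probe rather than TLS. The `{$LOG_ID}` / `{$MAP_URL)` spellings are fixed by a later patch in this series; the DB password stays in the compose file in clear text as before.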
From: Ismail Khoffi
Date: Thu, 17 Aug 2017 21:18:56 +0100
Subject: [PATCH 2/4] Everything works as expected

---
 cmd/keytransparency-server/Dockerfile | 8 ++------
 cmd/keytransparency-signer/Dockerfile | 10 ++--------
 docker-compose.yml | 16 ++++++++--------
 3 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/cmd/keytransparency-server/Dockerfile b/cmd/keytransparency-server/Dockerfile
index aeb066b09..d1b440ff2 100644
--- a/cmd/keytransparency-server/Dockerfile
+++ b/cmd/keytransparency-server/Dockerfile
@@ -7,11 +7,7 @@
 WORKDIR /go/src/github.com/google/keytransparency
 RUN go get -tags="mysql" ./cmd/keytransparency-server
-ENTRYPOINT
-  - /go/bin/keytransparency-server
-  - --log-id="$LOG_ID"
-  - --log-url="$LOG_URL" \
-  - --map-url="$MAP_URL" \
-  - --alsologtostderr
+# Image is not runnable without providing a map-id and log-id
+# see Readme.md on how to use docker-compose to run this image.
 EXPOSE 8080
\ No newline at end of file
diff --git a/cmd/keytransparency-signer/Dockerfile b/cmd/keytransparency-signer/Dockerfile
index ed54a754d..c3170c6f9 100644
--- a/cmd/keytransparency-signer/Dockerfile
+++ b/cmd/keytransparency-signer/Dockerfile
@@ -7,11 +7,5 @@
 WORKDIR /go/src/github.com/google/keytransparency
 RUN go get -tags="mysql" ./cmd/keytransparency-signer
-ENTRYPOINT
-  - /go/bin/keytransparency-signer
-  - --log-id="$LOG_ID"
-  - --log-url="$LOG_URL"
-  - --log-key="$LOG_KEY"
-  - --map-id="$MAP_ID"
-  - --map-url="$MAP_URL"
-
+# Image is not runnable without providing a map-id and log-id
+# see Readme.md on how to use docker-compose to run this image.
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 21a50acb4..efb3f4e57 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -113,10 +113,10 @@ services:
       - /go/bin/keytransparency-server
       - --addr=0.0.0.0.:8080
       - --db=test:zaphod@tcp(db:3306)/test
-      - --log-id={$LOG_ID}
-      - --log-url={$LOG_URL}
-      - --map-id={$MAP_ID}
-      - --map-url={$MAP_URL)
+      - --log-id=$LOG_ID
+      - --log-url=trillian-log:8090
+      - --map-id=$MAP_ID
+      - --map-url=trillian-map:8090
       - --vrf=/kt/vrf-key.pem
       - --key=/kt/server.key
       - --cert=/kt/server.crt
@@ -141,10 +141,10 @@ services:
     entrypoint:
       - /go/bin/keytransparency-signer
       - --db=test:zaphod@tcp(db:3306)/test
-      - --log-id={$LOG_ID}
-      - --log-url={$LOG_URL}
-      - --map-id={$MAP_ID}
-      - --map-url={$MAP_URL)
+      - --log-id=$LOG_ID
+      - --log-url=trillian-log:8090
+      - --map-id=$MAP_ID
+      - --map-url=trillian-map:8090
       - --log-key=/kt/trillian-log.pem
       - --min-period=5s
       - --max-period=5m
From 8cf4e17de5b6048714cd17dd722fbb2978fc8ea2 Mon Sep 17 00:00:00 2001
From: Ismail Khoffi
Date: Fri, 18 Aug 2017 12:26:46 +0100
Subject: [PATCH 3/4] Add entrypoint to Dockerfiles, update kube config, rename key/cert

---
 cmd/keytransparency-server/Dockerfile | 5 +-
 cmd/keytransparency-server/main.go | 4 +-
 cmd/keytransparency-signer/Dockerfile | 5 +-
 .../keytransparency-deployment.yml.tmpl | 67 ++++++------------
 docker-compose.yml | 4 +-
 5 files changed, 31 insertions(+), 54 deletions(-)

diff --git a/cmd/keytransparency-server/Dockerfile b/cmd/keytransparency-server/Dockerfile
index d1b440ff2..4c476ce47 100644
--- a/cmd/keytransparency-server/Dockerfile
+++ b/cmd/keytransparency-server/Dockerfile
@@ -7,7 +7,8 @@
 WORKDIR /go/src/github.com/google/keytransparency
 RUN go get -tags="mysql" ./cmd/keytransparency-server
-# Image is not runnable without providing a map-id and log-id
-# see Readme.md on how to use docker-compose to run this image.
+# Specify mandatory flags via the docker command-line or using docker-compose.
+# See the README.md file on how to use docker-compose.
+ENTRYPOINT ["/go/bin/keytransparency-server"]
 EXPOSE 8080
\ No newline at end of file
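Review bot: The exec-form `ENTRYPOINT ["/go/bin/keytransparency-server"]` is the right shape, but the image still runs the server as root — there is no `USER` instruction — while, per the `ADD keytransparency/genfiles/* /kt/` earlier in this file, its TLS and VRF private keys sit inside the image. Add an unprivileged account before the entrypoint, e.g. `RUN useradd -r kt` followed by `USER kt`, and consider pinning the base tag instead of bare `FROM golang`, which also ships the whole Go toolchain and source tree into the runtime image. With the Dockerfile `HEALTHCHECK` gone, health checking now exists only in docker-compose, so a plain `docker run` of this image has no liveness signal; a one-line comment saying the check is expected from the orchestrator would make that deliberate. The file also still ends without a trailing newline.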
diff --git a/cmd/keytransparency-server/main.go b/cmd/keytransparency-server/main.go
index 7e84adfb7..44e1e422b 100644
--- a/cmd/keytransparency-server/main.go
+++ b/cmd/keytransparency-server/main.go
@@ -56,8 +56,8 @@ var (
 	metricsAddr = flag.String("metrics-addr", ":8081", "The ip:port to publish metrics on")
 	serverDBPath = flag.String("db", "test:zaphod@tcp(localhost:3306)/test", "Database connection string")
 	vrfPath = flag.String("vrf", "genfiles/vrf-key.pem", "Path to VRF private key")
-	keyFile = flag.String("key", "genfiles/server.key", "TLS private key file")
-	certFile = flag.String("cert", "genfiles/server.crt", "TLS cert file")
+	keyFile = flag.String("tls-key", "genfiles/server.key", "TLS private key file")
+	certFile = flag.String("tls-cert", "genfiles/server.crt", "TLS cert file")
 	authType = flag.String("auth-type", "google", "Sets the type of authentication required from clients to update their entries. Accepted values are google (oauth tokens) and insecure-fake (for testing only).")
 	// Info to connect to sparse merkle tree database.
diff --git a/cmd/keytransparency-signer/Dockerfile b/cmd/keytransparency-signer/Dockerfile
index c3170c6f9..e9709da89 100644
--- a/cmd/keytransparency-signer/Dockerfile
+++ b/cmd/keytransparency-signer/Dockerfile
@@ -7,5 +7,6 @@
 WORKDIR /go/src/github.com/google/keytransparency
 RUN go get -tags="mysql" ./cmd/keytransparency-signer
-# Image is not runnable without providing a map-id and log-id
-# see Readme.md on how to use docker-compose to run this image.
\ No newline at end of file
+# Specify mandatory flags via the docker command-line or using docker-compose.
+# See the README.md file on how to use docker-compose.
+ENTRYPOINT ["/go/bin/keytransparency-signer"]
\ No newline at end of file
diff --git a/deploy/kubernetes/keytransparency-deployment.yml.tmpl b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
index 685e57ca0..9d4067921 100644
--- a/deploy/kubernetes/keytransparency-deployment.yml.tmpl
+++ b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
@@ -28,29 +28,17 @@ spec:
           name: json-grpc
         - containerPort: 8081
           name: metrics
-        env:
-        - name: LOG_URL
-          value: trillian-log:8090
-        - name: LOG_ID
-          value: "${LOG_ID}"
-        - name: MAP_URL
-          value: trillian-map:8090
-        - name: MAP_ID
-          value: "${MAP_ID}"
-        - name: MYSQL_USER
-          value: test
-        - name: MYSQL_DATABASE
-          value: test
-        - name: MYSQL_PASSWORD
-          value: zaphod
-        - name: DB_HOST
-          value: mysql:3306
-        - name: TLS_KEY_PATH
-          value: /kt-secrets/server.key
-        - name: TLS_CRT_PATH
-          value: /kt-secrets/server.crt
-        - name: VRF_PRIV
-          value: /kt-secrets/vrf-key.pem
+        args: ["--addr=0.0.0.0.:8080",
+               "--db=test:zaphod@tcp(mysql:3306)/test",
+               "--log-id=$LOG_ID",
+               "--log-url=trillian-log:8090",
+               "--map-id=$MAP_ID",
+               "--map-url=trillian-map:8090",
+               "--vrf=/kt-secrets/vrf-key.pem",
+               "--tls-key=/kt-secrets/server.key",
+               "--tls-cert=/kt-secrets/server.crt",
+               "--alsologtostderr",
+               "--v=5"]
       initContainers:
       - name: init-trillian-map
         image: radial/busyboxplus
@@ -107,29 +95,16 @@ spec:
         ports:
         - containerPort: 8080
           name: json-grpc
-        env:
-        - name: LOG_URL
-          value: trillian-log:8090
-        - name: LOG_ID
-          value: "${LOG_ID}"
-        - name: MAP_URL
-          value: trillian-map:8090
-        - name: MAP_ID
-          value: "${MAP_ID}"
-        - name: MIN_SIGN_PERIOD
-          value: 5s
-        - name: MAX_SIGN_PERIOD
-          value: 12h
-        - name: MYSQL_USER
-          value: test
-        - name: MYSQL_DATABASE
-          value: test
-        - name: MYSQL_PASSWORD
-          value: zaphod
-        - name: DB_HOST
-          value: mysql:3306
-        - name: LOG_KEY
-          value: /kt/trillian-log.pem
+        args: ["--db=test:zaphod@tcp(mysql:3306)/test",
+               "--log-id=$LOG_ID",
+               "--log-url=trillian-log:8090",
+               "--map-id=$MAP_ID",
+               "--map-url=trillian-map:8090",
+               "--log-key=/kt/trillian-log.pem",
+               "--min-period=5s",
+               "--max-period=12h",
+               "--alsologtostderr",
+               "--v=5"]
 ---
 apiVersion: v1
 kind: Service
diff --git a/docker-compose.yml b/docker-compose.yml
index efb3f4e57..113c8b4e2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
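Review bot: `"--addr=0.0.0.0.:8080"` carries a stray fourth dot and is not a valid listen address; it should be `"--addr=0.0.0.0:8080"`. `"--log-id=$LOG_ID"` and `"--map-id=$MAP_ID"` are not expanded by Kubernetes itself (container `args` only expand `$(VAR)` references to the container's own env vars), and the removed side used `"${LOG_ID}"`, so whichever tool renders this `.tmpl` must accept the brace-less spelling — worth confirming, or the ids silently become the literal strings. The DB password is now part of the pod spec's `args`, readable by anyone who can get pods and visible in the container's process list; prefer an `env` entry populated via `valueFrom: secretKeyRef` and `"--db=test:$(DB_PASSWORD)@tcp(mysql:3306)/test"`. The `containers:` entry these args belong to begins above the hunk.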
@@ -118,8 +118,8 @@ services:
       - --map-id=$MAP_ID
       - --map-url=trillian-map:8090
       - --vrf=/kt/vrf-key.pem
-      - --key=/kt/server.key
-      - --cert=/kt/server.crt
+      - --tls-key=/kt/server.key
+      - --tls-cert=/kt/server.crt
       - --alsologtostderr
       - --v=5
     healthcheck:
From 26a5a8b1dbbb603f3f36b7fa9fae8c6aef9243df Mon Sep 17 00:00:00 2001
From: Ismail Khoffi
Date: Fri, 18 Aug 2017 12:34:09 +0100
Subject: [PATCH 4/4] remove log-key from kube config

---
 deploy/kubernetes/keytransparency-deployment.yml.tmpl | 1 -
 1 file changed, 1 deletion(-)

diff --git a/deploy/kubernetes/keytransparency-deployment.yml.tmpl b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
index 9d4067921..02cee2e5f 100644
--- a/deploy/kubernetes/keytransparency-deployment.yml.tmpl
+++ b/deploy/kubernetes/keytransparency-deployment.yml.tmpl
@@ -100,7 +100,6 @@ spec:
                "--log-url=trillian-log:8090",
                "--map-id=$MAP_ID",
                "--map-url=trillian-map:8090",
-               "--log-key=/kt/trillian-log.pem",
                "--min-period=5s",
                "--max-period=12h",
                "--alsologtostderr",
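Review bot: Dropping `"--log-key=/kt/trillian-log.pem"` makes the Kubernetes signer fall back to the flag's built-in default, which is not visible here, while docker-compose in the same series still passes `--log-key=/kt/trillian-log.pem`; the two deployments now differ in which public key — if any — the signer uses to check the Trillian log's responses. If the default names a path absent from the image the signer fails at start-up; if it disables verification the signer accepts unverified log data, which is the worse failure, so this needs confirming before the flag goes. Rather than removing it, mount the log public key next to the other key material and pass `"--log-key=/kt-secrets/trillian-log.pem",`, and state in the commit message why the `/kt/` path was wrong. The `args:` list this line sits in begins and ends outside the hunk.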