Moved ssl settings to deploy config (#12)

Signed-off-by: Alexander Piskun <[email protected]> Co-authored-by: Alexander Piskun <[email protected]>
nextcloud · Jul 14, 2023 · 47e9111 · 47e9111
1 parent e8ff4c6
commit 47e9111
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 41 deletions.
diff --git a/.github/workflows/tests-deploy.yml b/.github/workflows/tests-deploy.yml
@@ -156,7 +156,8 @@ jobs:
           docker exec nextcloud patch -p 1 -i apps/${{ env.APP_NAME }}/base_php.patch
           docker exec nextcloud sudo -u www-data php occ app:enable app_ecosystem_v2
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:daemon:register \
-          docker_local_sock Docker docker-install unix-socket /var/run/docker.sock http://nextcloud/index.php --net=master_bridge
+            docker_local_sock Docker docker-install unix-socket /var/run/docker.sock http://nextcloud/index.php \
+            --net=master_bridge
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:register \
           "$(docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_local_sock --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml)"
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:enable app_python_skeleton
@@ -230,9 +231,10 @@ jobs:
           docker cp docker-remote-api-tls/certs/client/ nextcloud:/
           docker exec nextcloud sudo -u www-data php occ security:certificates:import /client/ca.pem
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:daemon:register \
-          docker_by_port Docker docker-install https host.docker.internal:8443 http://nextcloud/index.php --net=master_bridge
+            docker_by_port Docker docker-install https host.docker.internal:8443 http://nextcloud/index.php \
+            --net=master_bridge --ssl_cert /client/cert.pem --ssl_key /client/key.pem
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:register \
-          "$(docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_by_port --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml --ssl_cert /client/cert.pem --ssl_key /client/key.pem)"
+          "$(docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_by_port --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml)"
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:enable app_python_skeleton
           docker exec nextcloud sudo -u www-data php occ app_ecosystem_v2:app:disable app_python_skeleton
 

diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ node_modules
 .venv
 vendor
 _build
+certs
diff --git a/Makefile b/Makefile
@@ -1,12 +1,134 @@
 .DEFAULT_GOAL := help
 
-.PHONY: doc
+.PHONY: docs
 .PHONY: html
-doc html:
+docs html:
 	$(MAKE) -C docs html
 
 .PHONY: help
 help:
 	@echo "Welcome to AppEcosystemV2 development. Please use \`make <target>\` where <target> is one of"
-	@echo "  doc                make HTML docs"
+	@echo "  docs               make HTML docs"
 	@echo "  html               make HTML docs"
+	@echo " "
+	@echo " "
+	@echo "  Next commands are only for dev environment with nextcloud-docker-dev!"
+	@echo "  Daemon register(Linux, socket):"
+	@echo "  dock-sock          create docker daemon for Nextcloud 28, 27, 26 (/var/run/docker.sock)"
+	@echo "  dock-sock28        create docker daemon for Nextcloud 28 (/var/run/docker.sock)"
+	@echo "  dock-sock27        create docker daemon for Nextcloud 27 (/var/run/docker.sock)"
+	@echo "  dock-sock26        create docker daemon for Nextcloud 26 (/var/run/docker.sock)"
+	@echo " "
+	@echo "  Daemon register(any OS, host:port)"
+	@echo "  dock2port          will map docker socket to port. first use this!"
+	@echo "  dock-certs         deploy certs, second use this!"
+	@echo "  dock-port          create docker daemons for Nextcloud 28, 27, 26 (host.docker.internal:8443)"
+	@echo "  dock-port28        create docker daemon for Nextcloud 28 (host.docker.internal:8443)"
+	@echo "  dock-port27        create docker daemon for Nextcloud 27 (host.docker.internal:8443)"
+	@echo "  dock-port26        create docker daemon for Nextcloud 26 (host.docker.internal:8443)"
+	@echo " "
+	@echo " "
+	@echo "  example-deploy     pull Example App to docker"
+	@echo "  example28          register Example App to Nextcloud 28"
+	@echo "  example27          register Example App to Nextcloud 27"
+	@echo "  example26          register Example App to Nextcloud 26"
+
+.PHONY: dock-sock
+dock-sock:
+	$(MAKE) dock-sock28 dock-sock27 dock-sock26
+
+.PHONY: dock-sock28
+dock-sock28:
+	@echo "creating daemon for nextcloud 'master' container"
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+		docker_dev Docker docker-install unix-socket /var/run/docker.sock http://nextcloud/index.php --net=master_default
+
+.PHONY: dock-sock27
+dock-sock27:
+	@echo "creating daemon for nextcloud 'stable27' container"
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+		docker_dev Docker docker-install unix-socket /var/run/docker.sock http://stable27/index.php --net=master_default
+
+.PHONY: dock-sock26
+dock-sock26:
+	@echo "creating daemon for nextcloud 'stable26' container"
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-stable6-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+		docker_dev Docker docker-install unix-socket /var/run/docker.sock http://stable26/index.php --net=master_default
+
+.PHONY: dock2port
+dock2port:
+	@echo "deploying kekru/docker-remote-api-tls..."
+	docker pull kekru/docker-remote-api-tls:master
+	docker run --name dock_api2port -d -p 6443:443 -v /var/run/docker.sock:/var/run/docker.sock:ro \
+		--env CREATE_CERTS_WITH_PW=supersecret --env CERT_HOSTNAME=host.docker.internal \
+		-v ./certs:/data/certs kekru/docker-remote-api-tls:master
+	@echo "waiting 20 seconds to finish generating certificates..."
+	sleep 20
+
+.PHONE: dock-certs
+dock-certs:
+	@echo "copying certs to Nextcloud Master"
+	docker cp certs/client/ master-nextcloud-1:/ || echo "Failed copying certs to Nextcloud 'master'"
+	docker exec master-nextcloud-1 sudo -u www-data php occ security:certificates:import /client/ca.pem || true
+	@echo "copying certs to Nextcloud 27"
+	docker cp certs/client/ master-stable27-1:/ || echo "Failed copying certs to Nextcloud 27"
+	docker exec master-stable27-1 sudo -u www-data php occ security:certificates:import /client/ca.pem || true
+	@echo "copying certs to Nextcloud 26"
+	docker cp certs/client/ master-stable26-1:/ || echo "Failed copying certs to Nextcloud 26"
+	docker exec master-stable26-1 sudo -u www-data php occ security:certificates:import /client/ca.pem || true
+
+.PHONY: dock-port
+dock-port:
+	$(MAKE) dock-port28 dock-port27 dock-port26
+
+.PHONY: dock-port28
+dock-port28:
+	@echo "creating daemon for nextcloud 'master' container"
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+    	docker_dev Docker docker-install https host.docker.internal:6443 http://nextcloud/index.php \
+    	--net=master_default --ssl_cert /client/cert.pem --ssl_key /client/key.pem
+
+.PHONY: dock-port27
+dock-port27:
+	@echo "creating daemon for nextcloud '27' container"
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+        docker_dev Docker docker-install https host.docker.internal:6443 http://stable27/index.php \
+        --net=master_default --ssl_cert /client/cert.pem --ssl_key /client/key.pem
+
+.PHONY: dock-port26
+dock-port26:
+	@echo "creating daemon for nextcloud '26' container"
+	docker exec master-stable26-1 sudo -u www-data php occ app_ecosystem_v2:daemon:unregister docker_dev || true
+	docker exec master-stable26-1 sudo -u www-data php occ app_ecosystem_v2:daemon:register \
+        docker_dev Docker docker-install https host.docker.internal:6443 http://stable26/index.php \
+        --net=master_default --ssl_cert /client/cert.pem --ssl_key /client/key.pem
+
+.PHONY: example-deploy
+example-deploy:
+	$(MAKE) example28 example27 example26
+
+.PHONY: example28
+example28:
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:unregister app_python_skeleton --silent || true
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:register \
+		"`docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_dev --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml`"
+	docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:enable app_python_skeleton
+
+.PHONY: example27
+example27:
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:app:unregister app_python_skeleton --silent || true
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:app:register \
+		"`docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_dev --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml`"
+	docker exec master-stable27-1 sudo -u www-data php occ app_ecosystem_v2:app:enable app_python_skeleton
+
+.PHONY: example26
+example26:
+	docker exec master-stable26-1 sudo -u www-data php occ app_ecosystem_v2:app:unregister app_python_skeleton --silent || true
+	docker exec master-stable26-1 sudo -u www-data php occ app_ecosystem_v2:app:register \
+		"`docker exec master-nextcloud-1 sudo -u www-data php occ app_ecosystem_v2:app:deploy app_python_skeleton docker_dev --info-xml https://raw.githubusercontent.com/cloud-py-api/py_app_v2-skeleton/main/appinfo/info.xml`"
+	docker exec master-stable26-1 sudo -u www-data php occ app_ecosystem_v2:app:enable app_python_skeleton
diff --git a/docs/deploy/index.rst b/docs/deploy/index.rst
@@ -24,7 +24,7 @@ This can be done by `occ` CLI command **app_ecosystem_v2:daemon:register**:
 
 .. code-block:: bash
 
-	app_ecosystem_v2:daemon:register <name> <display-name> <accepts-deploy-id> <protocol> <host> <nextcloud_url> [--net NET] [--host HOST] [--]
+	app_ecosystem_v2:daemon:register <name> <display-name> <accepts-deploy-id> <protocol> <host> <nextcloud_url> [--net NET] [--host HOST] [--ssl_key SSL_KEY] [--ssl_key_password SSL_KEY_PASSWORD] [--ssl_cert SSL_CERT] [--ssl_cert_password SSL_CERT_PASSWORD] [--]
 
 Arguments
 *********
@@ -41,6 +41,10 @@ Options
 
 	* `--net [network-name]`  - `[required]` network name to bind docker container to (default: `host`)
 	* `--host HOST` - `[required]` host to expose daemon to (defaults to ExApp appid)
+	* `--ssl_key SSL_KEY` - `[optional]` path to SSL key file (local absolute path)
+	* `--ssl_password SSL_PASSWORD` - `[optional]` SSL key password
+	* `--ssl_cert SSL_CERT` - `[optional]` path to SSL cert file (local absolute path)
+	* `--ssl_cert_password SSL_CERT_PASSWORD` - `[optional]` SSL cert password
 
 Deploy config
 *************
@@ -53,7 +57,11 @@ ExApp container.
 	{
 		"net": "nextcloud",
 		"host": null,
-		"nextcloud_url": "https://nextcloud.local"
+		"nextcloud_url": "https://nextcloud.local",
+		"ssl_key": "/path/to/ssl/key.pem",
+		"ssl_key_password": "ssl_key_password",
+		"ssl_cert": "/path/to/ssl/cert.pem",
+		"ssl_cert_password": "ssl_cert_password"
 	}
 
 
@@ -63,7 +71,10 @@ Deploy config options
 	* `net` - `[required]` network name to bind docker container to (default: `host`)
 	* `host` - `[optional]` in case Docker is on remote host, this should be a hostname of remote machine
 	* `nextcloud_url` - `[required]` Nextcloud URL (e.g. `https://nextcloud.local`)
-
+	* `ssl_key` - `[optional]` path to SSL key file (local absolute path)
+	* `ssl_key_password` - `[optional]` SSL key password
+	* `ssl_cert` - `[optional]` path to SSL cert file (local absolute path)
+	* `ssl_cert_password` - `[optional]` SSL cert password
 
 .. note::
 	Common configurations are tested by CI in our repository, see `workflow on github <https://github.com/cloud-py-api/app_ecosystem_v2/blob/main/.github/workflows/tests-deploy.yml>`_
@@ -86,7 +97,7 @@ This can be done by `occ` CLI command **app_ecosystem_v2:app:deploy**:
 
 .. code-block:: bash
 
-	app_ecosystem_v2:app:deploy <appid> <daemon-config-name> [--info-xml INFO-XML] [--ssl_key SSL_KEY] [--ssl_password SSL_PASSWORD] [--ssl_cert SSL_CERT] [--ssl_cert_password SSL_CERT_PASSWORD] [-e|--env ENV] [--]
+	app_ecosystem_v2:app:deploy <appid> <daemon-config-name> [--info-xml INFO-XML] [-e|--env ENV] [--]
 
 .. warning::
 	After successful deployment (pull, create and start container), there is a heartbeat check with 1 hour timeout (will be configurable).
@@ -105,10 +116,6 @@ Options
 *******
 
 	* `--info-xml INFO-XML` - `[required]` path to info.xml file (url or local absolute path)
-	* `--ssl_key SSL_KEY` - `[optional]` path to SSL key file (local absolute path)
-	* `--ssl_password SSL_PASSWORD` - `[optional]` SSL key password
-	* `--ssl_cert SSL_CERT` - `[optional]` path to SSL cert file (local absolute path)
-	* `--ssl_cert_password SSL_CERT_PASSWORD` - `[optional]` SSL cert password
 	* `-e|--env ENV` - `[optional]` additional environment variables (e.g. `-e "MY_VAR=123" -e "MY_VAR2=456"`)
 
 Deploy result JSON output

diff --git a/lib/Command/Daemon/RegisterDaemon.php b/lib/Command/Daemon/RegisterDaemon.php
@@ -63,6 +63,12 @@ protected function configure() {
 		$this->addOption('net', null, InputOption::VALUE_REQUIRED, 'DeployConfig, docker network name');
 		$this->addOption('host', null, InputOption::VALUE_REQUIRED, 'DeployConfig, docker daemon host (e.g. host.docker.internal)');
 
+		// ssl settings
+		$this->addOption('ssl_key', null, InputOption::VALUE_REQUIRED, 'SSL key for daemon connection (local absolute path)');
+		$this->addOption('ssl_key_password', null, InputOption::VALUE_REQUIRED, 'SSL key password for daemon connection');
+		$this->addOption('ssl_cert', null, InputOption::VALUE_REQUIRED, 'SSL cert for daemon connection (local absolute path)');
+		$this->addOption('ssl_cert_password', null, InputOption::VALUE_REQUIRED, 'SSL cert password for daemon connection');
+
 		$this->addUsage('local_docker "Docker local" "docker-install" "unix-socket" "/var/run/docker.sock" "http://nextcloud.local" --net "nextcloud" --host "host.docker.internal"');
 	}
 
@@ -78,7 +84,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 			'net' => $input->getOption('net') ?? 'host',
 			'host' => $input->getOption('host'),
 			'nextcloud_url' => $nextcloudUrl,
-			// TODO: Add SSL cert config here
+			'ssl_key' => $input->getOption('ssl_key'),
+			'ssl_key_password' => $input->getOption('ssl_key_password'),
+			'ssl_cert' => $input->getOption('ssl_cert'),
+			'ssl_cert_password' => $input->getOption('ssl_cert_password'),
 		];
 
 		$daemonConfig = $this->daemonConfigService->registerDaemonConfig([

diff --git a/lib/Command/ExApp/Deploy.php b/lib/Command/ExApp/Deploy.php
@@ -79,10 +79,6 @@ protected function configure() {
 		$this->addArgument('daemon-config-name', InputArgument::REQUIRED);
 
 		$this->addOption('info-xml', null, InputOption::VALUE_REQUIRED, '[required] Path to ExApp info.xml file (url or local absolute path)');
-		$this->addOption('ssl_key', null, InputOption::VALUE_REQUIRED, 'SSL key for daemon connection (local absolute path)');
-		$this->addOption('ssl_key_password', null, InputOption::VALUE_REQUIRED, 'SSL key password for daemon connection');
-		$this->addOption('ssl_cert', null, InputOption::VALUE_REQUIRED, 'SSL cert for daemon connection (local absolute path)');
-		$this->addOption('ssl_cert_password', null, InputOption::VALUE_REQUIRED, 'SSL cert password for daemon connection');
 		$this->addOption('env', 'e', InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'Docker container environment variables', []);
 	}
 
@@ -140,15 +136,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 		], $envParams, $deployConfig);
 		$containerParams['env'] = $envs;
 
-		// TODO: Move SSL part to DaemonConfig->deployConfig
-		$sslParams = [
-			'ssl_key' => $input->getOption('ssl_key'),
-			'ssl_key_password' => $input->getOption('ssl_key_password'),
-			'ssl_cert' => $input->getOption('ssl_cert'),
-			'ssl_cert_password' => $input->getOption('ssl_cert_password'),
-		];
-
-		[$pullResult, $createResult, $startResult] = $this->dockerActions->deployExApp($daemonConfig, $imageParams, $containerParams, $sslParams);
+		[$pullResult, $createResult, $startResult] = $this->dockerActions->deployExApp($daemonConfig, $imageParams, $containerParams);
 
 		if (isset($pullResult['error'])) {
 			$output->writeln(sprintf('ExApp %s deployment failed. Error: %s', $appId, $pullResult['error']));

diff --git a/lib/Docker/DockerActions.php b/lib/Docker/DockerActions.php
@@ -62,15 +62,13 @@ public function __construct(
 	 * @param DaemonConfig $daemonConfig
 	 * @param array $imageParams
 	 * @param array $containerParams
-	 * @param array $sslParams
 	 *
 	 * @return array
 	 */
 	public function deployExApp(
 		DaemonConfig $daemonConfig,
 		array $imageParams,
 		array $containerParams,
-		array $sslParams,
 	): array {
 		if ($daemonConfig->getAcceptsDeployId() !== 'docker-install') {
 			throw new \Exception('Only docker-install is supported for now.');
@@ -85,7 +83,7 @@ public function deployExApp(
 			];
 		} else if (in_array($daemonConfig->getProtocol(), ['http', 'https'])) {
 			$dockerUrl = $daemonConfig->getProtocol() . '://' . $daemonConfig->getHost();
-			$guzzleParams = $this->setupCerts($guzzleParams, $sslParams);
+			$guzzleParams = $this->setupCerts($guzzleParams, $daemonConfig->getDeployConfig());
 		}
 		$this->guzzleClient = new Client($guzzleParams);
 
@@ -191,27 +189,27 @@ public function inspectContainer(string $dockerUrl, string $containerId): array
 
 	/**
 	 * @param array $guzzleParams
-	 * @param array $sslParams ['ssl_key', 'ssl_password', 'ssl_cert', 'ssl_cert_password']
+	 * @param array $deployConfig
 	 *
 	 * @return array
 	 */
-	private function setupCerts(array $guzzleParams, array $sslParams): array {
+	private function setupCerts(array $guzzleParams, array $deployConfig): array {
 		if (!$this->config->getSystemValueBool('installed', false)) {
 			$certs =  \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
 		} else {
 			$certs = $this->certificateManager->getAbsoluteBundlePath();
 		}
 
 		$guzzleParams['verify'] = $certs;
-		if (isset($sslParams['ssl_key'])) {
-			$guzzleParams['ssl_key'] = !isset($sslParams['ssl_key_password'])
-				? $sslParams['ssl_key']
-				: [$sslParams['ssl_key'], $sslParams['ssl_key_password']];
+		if (isset($deployConfig['ssl_key'])) {
+			$guzzleParams['ssl_key'] = !isset($deployConfig['ssl_key_password'])
+				? $deployConfig['ssl_key']
+				: [$deployConfig['ssl_key'], $deployConfig['ssl_key_password']];
 		}
-		if (isset($sslParams['ssl_cert'])) {
-			$guzzleParams['cert'] = !isset($sslParams['ssl_cert_password'])
-				? $sslParams['ssl_cert']
-				: [$sslParams['ssl_cert'], $sslParams['ssl_cert_password']];
+		if (isset($deployConfig['ssl_cert'])) {
+			$guzzleParams['cert'] = !isset($deployConfig['ssl_cert_password'])
+				? $deployConfig['ssl_cert']
+				: [$deployConfig['ssl_cert'], $deployConfig['ssl_cert_password']];
 		}
 		return $guzzleParams;
 	}