diff --git a/.env b/.env
deleted file mode 100644
index 03eba8d..0000000
--- a/.env
+++ /dev/null
@@ -1,5 +0,0 @@
-CA_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA"
-SERVER_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.lokiserver.com"
-SERVER_DNS="DNS:lokiserver.com,DNS:www.lokiserver.com"
-CLIENT_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.promtailclient.com"
-CLIENT_DNS="DNS:promtailclient.com,DNS:www.promtailclient.com"
\ No newline at end of file
diff --git a/README.md b/README.md
index 644e78b..a568e1e 100644
--- a/README.md
+++ b/README.md
@@ -68,10 +68,10 @@ Ajouter une datasource en entrant l'URI du serveur Loki ainsi que le certificat
 - Create certs:
-> Renseigner les nom du serveur LOKI ainsi que son DNS, idem pour l'agent Promtail dans le .env
+> Renseigner les nom du serveur LOKI ainsi que son DNS, idem pour l'agent Promtail et lançer le script:
 ```bash
-./certificates.sh
+sudo ./certificates.sh
 ```
 - TLS config:
@@ -86,9 +86,9 @@ clients:
 # DISTANT TLS
 - url: https://loki-dns-serveur:3100/loki/api/v1/push
 tls_config:
- ca_file: /usr/allen/loki/cert/ca.crt
- cert_file: /usr/allen/loki/cert/promtail.client.crt
- key_file: /usr/allen/loki/cert/client.key
+ ca_file: /etc/promtail/cert/ca.crt
+ cert_file: /etc/promtail/cert/promtail.client.crt
+ key_file: /etc/promtail/cert/client.key
 server_name: loki-dns-serveur
 insecure_skip_verify: false
 ```
diff --git a/certificates.sh b/certificates.sh
index 460452f..f8e5180 100755
--- a/certificates.sh
+++ b/certificates.sh
@@ -1,29 +1,31 @@
 #!/bin/bash
-# Load .env
-if [ -f .env ]; then
- export $(grep -v '^#' .env | xargs -0)
-else
- echo "Error: .env file not found."
+if [ "$(id -u)" -ne 0 ]
+then
+ echo "Ce script doit être exécuté en tant qu'utilisateur root"
 exit 1
 fi
-CERT_DIR="loki/cert"
-mkdir -p "$CERT_DIR"
+generate_certificates() {
+ domain=$1
+ key_file="${domain}.key"
+ csr_file="${domain}.csr"
+ crt_file="${domain}.crt"
-# Root CA certificate
-openssl req -newkey rsa:4096 -nodes -keyout ca.key -subj "$CA_SUBJECT" -out ca.csr
-openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out "$CERT_DIR/ca.crt"
+ openssl req -newkey rsa:4096 -nodes -keyout "${key_file}" -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=${domain}" -out "${csr_file}"
+ openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain},DNS:www.${domain}") -days 1365 -in "${csr_file}" -CA ca.crt -CAkey ca.key -CAcreateserial -out "${crt_file}"
-# Server certificate
-openssl req -newkey rsa:4096 -nodes -keyout "$CERT_DIR/server.key" -subj "$SERVER_SUBJECT" -out "$CERT_DIR/server.csr"
-openssl x509 -req -extfile <(printf "subjectAltName=$SERVER_DNS") -days 1365 -in "$CERT_DIR/server.csr" -CA "$CERT_DIR/ca.crt" -CAkey ca.key -CAcreateserial -out "$CERT_DIR/server.crt"
+ mv "${crt_file}" "${key_file}" "${2}/cert/"
+}
-# Client certificate
-openssl req -newkey rsa:4096 -nodes -keyout "$CERT_DIR/client.key" -subj "$CLIENT_SUBJECT" -out "$CERT_DIR/client.csr"
-openssl x509 -req -extfile <(printf "subjectAltName=$CLIENT_DNS") -days 1365 -in "$CERT_DIR/client.csr" -CA "$CERT_DIR/ca.crt" -CAkey ca.key -CAcreateserial -out "$CERT_DIR/client.crt"
+openssl genrsa -out ca.key 4096
+openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
-# Clean up!
-rm -f ca.csr "$CERT_DIR/server.csr" "$CERT_DIR/client.csr" ca.srl
+mkdir -p loki/cert
+mkdir -p promtail/cert
-echo "Certificate generation completed successfully. Certificates are stored in the '$CERT_DIR' directory."
\ No newline at end of file
+generate_certificates "lokiserver.com" "loki"
+generate_certificates "promtailclient.com" "promtail"
+
+cp ca.crt loki/cert/
+cp ca.crt promtail/cert/
diff --git a/docker-compose.yml b/docker-compose.yml
index a79fdf6..a463ace 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,12 +5,12 @@ services:
 nginx-app:
 container_name: nginx-app
 image: nginx
+ ports:
+ - 8080:80 # NECESSARY FOR LOKI
 labels:
 logging: "promtail"
 logging_jobname: "containerlogs"
- ports:
- 8080:80
 grafana:
 image: grafana/grafana:latest
@@ -28,7 +28,7 @@ services:
 - 3100:3100
 volumes:
 - ./loki/config:/etc/loki
- ./loki/cert:/etc/loki/cert
+ - ./loki/cert:/etc/loki/cert:ro
 command: -config.file=/etc/loki/config.yml
 promtail:
@@ -38,7 +38,8 @@ services:
 - ./promtail/config.yml:/etc/promtail/config.yml
 - /var/lib/docker/containers:/var/lib/docker/containers:ro
 - /var/run/docker.sock:/var/run/docker.sock
- /var/log:/var/log
+ - /var/log:/var/log:ro
+ - ./promtail/cert:/etc/promtail/cert
 command: -config.file=/etc/promtail/config.yml
 depends_on:
 - loki
diff --git a/loki/cert/ca.crt b/loki/cert/ca.crt
new file mode 100644
index 0000000..d86a7de
--- /dev/null
+++ b/loki/cert/ca.crt
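Review bot: The CA is now issued for `-days 365` while both leaves are signed for `-days 1365`, so `lokiserver.com.crt` and `promtailclient.com.crt` outlive their issuer by roughly a thousand days and every Promtail-to-Loki handshake starts failing the day `ca.crt` expires (the script this replaces gave the CA 3650 days); restore `-days 3650` on the `openssl req -new -x509` line, or cap the leaf lifetime at the CA's. The hunk also drops the old cleanup (the `.csr` files and `ca.srl` now stay behind), runs without `set -e` so a failed `openssl x509` still reaches `mv` with a missing `.crt`, interpolates `${domain}` into a printf format string, and produces `promtailclient.com.crt`/`.key` while the README `tls_config` in this same commit points at `promtail.client.crt` and `client.key`. Because the script now insists on root, the files moved into `loki/cert` and `promtail/cert` are root-owned with whatever mode OpenSSL gave the key, which a Loki container running as a non-root user (as I believe the official image does) cannot read, so check ownership after a run or drop the root requirement since nothing here needs it. `ca.key` is written unencrypted to the repository root right next to the committed `loki/cert/ca.crt`, so make sure it is git-ignored and restricted with `chmod 600 ca.key`. A tightened version of the function and the CA step is below.
```shell
set -euo pipefail

# Issue a leaf certificate for $1, signed by ca.crt/ca.key, and move it into $2/cert/.
generate_certificates() {
    local domain=$1 dest=$2
    local key_file="${domain}.key" csr_file="${domain}.csr" crt_file="${domain}.crt"

    openssl req -newkey rsa:4096 -nodes -keyout "${key_file}" \
        -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=${domain}" -out "${csr_file}"
    # Leaf lifetime must not exceed the CA's, or verification fails once ca.crt expires.
    openssl x509 -req -extfile <(printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "${domain}" "${domain}") \
        -days 1365 -in "${csr_file}" -CA ca.crt -CAkey ca.key -CAcreateserial -out "${crt_file}"
    rm -f -- "${csr_file}"
    mv -- "${crt_file}" "${key_file}" "${dest}/cert/"
}

openssl genrsa -out ca.key 4096
chmod 600 ca.key
# The CA must outlive every leaf it signs (leaves get 1365 days above).
openssl req -new -x509 -days 3650 -key ca.key \
    -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
# … unchanged: root check, mkdir, generate_certificates calls, cp ca.crt …
rm -f -- ca.srl
```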
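Review bot: The new `- ./promtail/cert:/etc/promtail/cert` mount is read-write even though the previous hunk just changed the matching Loki mount to `:ro`, and this directory holds the Promtail client private key; nothing in the container needs to write there, so make it `- ./promtail/cert:/etc/promtail/cert:ro`. The `/var/run/docker.sock` mount on the context line above is not new, but it hands this container control of the host's Docker daemon, which is a reason to keep every other mount on it read-only consistently.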
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUWEzDZNqMbKoBCs/UHfEPZeeF838wDQYJKoZIhvcNAQEL
+BQAwUzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdEMQswCQYDVQQHDAJTWjETMBEG
+A1UECgwKQWNtZSwgSW5jLjEVMBMGA1UEAwwMQWNtZSBSb290IENBMB4XDTI0MDIw
+OTEwMDE1MFoXDTI1MDIwODEwMDE1MFowUzELMAkGA1UEBhMCQ04xCzAJBgNVBAgM
+AkdEMQswCQYDVQQHDAJTWjETMBEGA1UECgwKQWNtZSwgSW5jLjEVMBMGA1UEAwwM
+QWNtZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlYlH
+CvN9x6GUrXo568xazEfhy5MBXe21YT8fpBP4vmb9Xyl2VF6s+zVzJqoQHnKUxGVU
+WquU7yHqepABrggxwd1zgKnjjPzzBFLbvdKKVOUtfDO0IVQEGLicHrU5dE1tgI6G
++zyi9qmmoqZ3WXdOvhZAbyoE14jaO3dkI9tMBHRBPo+bbKq0B4V8Tga5TI4yEZHg
+w+k4i83E/WJ9E+Wz9HE5fGmfXnCKgJuS5KqeDWWpX65Jcg3RJuOjY387nMyKdcT6
+FXX0//hoUftgO4zycWWRzh0CLxuOjVarouSx+mZ66OXAxDxkM2zNK0eN0S+j9Wwn
+NUwqexkQzrP3OVdcmQIDAQABo1MwUTAdBgNVHQ4EFgQUhvfSgqCngM7SaNvBRUVE
+yxKJlVEwHwYDVR0jBBgwFoAUhvfSgqCngM7SaNvBRUVEyxKJlVEwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAG/JKJ0usuXO7+gB+mmFnnuctvaqd
+UtCQgdwRv+EzPUyfgq7YHW3RfHowFwsRxjJDuOOWwDlKDjRKGPABXbqWG/c+BFvR
+HqWxUcbcXbfaBnNmVFBECdBNgr8yPeOBuEqdeqLQsEeIumxonDO5MQIZE7NyOEVr
+lnTzqlbi+YwMPCr6CCXI75eqbht7z2L6JCvaWdQfqKTGiJVFCqQJmj3X1Vs1ibRN
+l+/6oWriDvjucP7B7YDKPNFJp4MjHWGB9PbW+kVeQAnQDl1s4IkLDl0aaNVAI8Jf
+gHlqGGQjk3Lba7FrQqZ3cU8zIHj4s3cwvlWFLmPRg8DHaFIf+/9OKzQkUw==
+-----END CERTIFICATE-----