push certificates + README OK

8 months ago · 33cb713a6f
parent c3c5684b56
commit 33cb713a6f
5 changed files with 52 additions and 33 deletions
--- a/.env
+++ b/.env
@ -1,5 +0,0 @@
-CA_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA"
-SERVER_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.lokiserver.com"
-SERVER_DNS="DNS:lokiserver.com,DNS:www.lokiserver.com"
-CLIENT_SUBJECT="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.promtailclient.com"
-CLIENT_DNS="DNS:promtailclient.com,DNS:www.promtailclient.com"
--- a/README.md
+++ b/README.md
@ -68,10 +68,10 @@ Ajouter une datasource en entrant l'URI du serveur Loki ainsi que le certificat

 - Create certs:

-> Renseigner les nom du serveur LOKI ainsi que son DNS, idem pour l'agent Promtail dans le .env
+> Renseigner les nom du serveur LOKI ainsi que son DNS, idem pour l'agent Promtail et lançer le script:

 ```bash
-./certificates.sh
+sudo ./certificates.sh
 ```

 - TLS config:
@ -86,9 +86,9 @@ clients:
  # DISTANT TLS
  - url: https://loki-dns-serveur:3100/loki/api/v1/push
    tls_config:
-      ca_file: /usr/allen/loki/cert/ca.crt
-      cert_file: /usr/allen/loki/cert/promtail.client.crt
-      key_file: /usr/allen/loki/cert/client.key
+      ca_file: /etc/promtail/cert/ca.crt
+      cert_file: /etc/promtail/cert/promtail.client.crt
+      key_file: /etc/promtail/cert/client.key
      server_name: loki-dns-serveur
      insecure_skip_verify: false
 ```
--- a/certificates.sh
+++ b/certificates.sh
@ -1,29 +1,31 @@
 #!/bin/bash

-# Load .env
-if [ -f .env ]; then
-    export $(grep -v '^#' .env | xargs -0)
-else
-    echo "Error: .env file not found."
+if [ "$(id -u)" -ne 0 ]
+then
+    echo "Ce script doit être exécuté en tant qu'utilisateur root"
    exit 1
 fi

-CERT_DIR="loki/cert"
-mkdir -p "$CERT_DIR"
+generate_certificates() {
+    domain=$1
+    key_file="${domain}.key"
+    csr_file="${domain}.csr"
+    crt_file="${domain}.crt"

-# Root CA certificate
-openssl req -newkey rsa:4096 -nodes -keyout ca.key -subj "$CA_SUBJECT" -out ca.csr
-openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out "$CERT_DIR/ca.crt"
+    openssl req -newkey rsa:4096 -nodes -keyout "${key_file}" -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=${domain}" -out "${csr_file}"
+    openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain},DNS:www.${domain}") -days 1365 -in "${csr_file}" -CA ca.crt -CAkey ca.key -CAcreateserial -out "${crt_file}"

-# Server certificate
-openssl req -newkey rsa:4096 -nodes -keyout "$CERT_DIR/server.key" -subj "$SERVER_SUBJECT" -out "$CERT_DIR/server.csr"
-openssl x509 -req -extfile <(printf "subjectAltName=$SERVER_DNS") -days 1365 -in "$CERT_DIR/server.csr" -CA "$CERT_DIR/ca.crt" -CAkey ca.key -CAcreateserial -out "$CERT_DIR/server.crt"
+    mv "${crt_file}" "${key_file}" "${2}/cert/"
+}

-# Client certificate
-openssl req -newkey rsa:4096 -nodes -keyout "$CERT_DIR/client.key" -subj "$CLIENT_SUBJECT" -out "$CERT_DIR/client.csr"
-openssl x509 -req -extfile <(printf "subjectAltName=$CLIENT_DNS") -days 1365 -in "$CERT_DIR/client.csr" -CA "$CERT_DIR/ca.crt" -CAkey ca.key -CAcreateserial -out "$CERT_DIR/client.crt"
+openssl genrsa -out ca.key 4096
+openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

-# Clean up!
-rm -f ca.csr "$CERT_DIR/server.csr" "$CERT_DIR/client.csr" ca.srl
+mkdir -p loki/cert
+mkdir -p promtail/cert

-echo "Certificate generation completed successfully. Certificates are stored in the '$CERT_DIR' directory."
+generate_certificates "lokiserver.com" "loki"
+generate_certificates "promtailclient.com" "promtail"
+
+cp ca.crt loki/cert/
+cp ca.crt promtail/cert/
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -5,12 +5,12 @@ services:
  nginx-app:
    container_name: nginx-app
    image: nginx
+    ports:
+      - 8080:80
    # NECESSARY FOR LOKI
    labels:
      logging: "promtail"
      logging_jobname: "containerlogs"
-    ports:
-      - 8080:80

  grafana:
    image: grafana/grafana:latest
@ -28,7 +28,7 @@ services:
      - 3100:3100
    volumes:
      - ./loki/config:/etc/loki
-      - ./loki/cert:/etc/loki/cert
+      - ./loki/cert:/etc/loki/cert:ro
    command: -config.file=/etc/loki/config.yml

  promtail:
@ -38,7 +38,8 @@ services:
      - ./promtail/config.yml:/etc/promtail/config.yml
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /var/run/docker.sock:/var/run/docker.sock
-      - /var/log:/var/log
+      - /var/log:/var/log:ro
+      - ./promtail/cert:/etc/promtail/cert
    command: -config.file=/etc/promtail/config.yml
    depends_on:
      - loki
--- a/loki/cert/ca.crt
+++ b/loki/cert/ca.crt
@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUWEzDZNqMbKoBCs/UHfEPZeeF838wDQYJKoZIhvcNAQEL
+BQAwUzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdEMQswCQYDVQQHDAJTWjETMBEG
+A1UECgwKQWNtZSwgSW5jLjEVMBMGA1UEAwwMQWNtZSBSb290IENBMB4XDTI0MDIw
+OTEwMDE1MFoXDTI1MDIwODEwMDE1MFowUzELMAkGA1UEBhMCQ04xCzAJBgNVBAgM
+AkdEMQswCQYDVQQHDAJTWjETMBEGA1UECgwKQWNtZSwgSW5jLjEVMBMGA1UEAwwM
+QWNtZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlYlH
+CvN9x6GUrXo568xazEfhy5MBXe21YT8fpBP4vmb9Xyl2VF6s+zVzJqoQHnKUxGVU
+WquU7yHqepABrggxwd1zgKnjjPzzBFLbvdKKVOUtfDO0IVQEGLicHrU5dE1tgI6G
+zyi9qmmoqZ3WXdOvhZAbyoE14jaO3dkI9tMBHRBPo+bbKq0B4V8Tga5TI4yEZHg
+w+k4i83E/WJ9E+Wz9HE5fGmfXnCKgJuS5KqeDWWpX65Jcg3RJuOjY387nMyKdcT6
+FXX0//hoUftgO4zycWWRzh0CLxuOjVarouSx+mZ66OXAxDxkM2zNK0eN0S+j9Wwn
+NUwqexkQzrP3OVdcmQIDAQABo1MwUTAdBgNVHQ4EFgQUhvfSgqCngM7SaNvBRUVE
+yxKJlVEwHwYDVR0jBBgwFoAUhvfSgqCngM7SaNvBRUVEyxKJlVEwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAG/JKJ0usuXO7+gB+mmFnnuctvaqd
+UtCQgdwRv+EzPUyfgq7YHW3RfHowFwsRxjJDuOOWwDlKDjRKGPABXbqWG/c+BFvR
+HqWxUcbcXbfaBnNmVFBECdBNgr8yPeOBuEqdeqLQsEeIumxonDO5MQIZE7NyOEVr
+lnTzqlbi+YwMPCr6CCXI75eqbht7z2L6JCvaWdQfqKTGiJVFCqQJmj3X1Vs1ibRN
+l+/6oWriDvjucP7B7YDKPNFJp4MjHWGB9PbW+kVeQAnQDl1s4IkLDl0aaNVAI8Jf
+gHlqGGQjk3Lba7FrQqZ3cU8zIHj4s3cwvlWFLmPRg8DHaFIf+/9OKzQkUw==
+-----END CERTIFICATE-----