uptane · d80ep08th · Sep 9, 2022 · Sep 9, 2022 · Sep 9, 2022 · Sep 9, 2022
diff --git a/example-modifications-to-upstream-otace.yaml b/example-modifications-to-upstream-otace.yaml
@@ -0,0 +1,128 @@
+# version: '3.8'
+
+
+services:
+  reverse-proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
+    # Enables the web UI and tells Traefik to listen to docker
+    command: 
+      # - "--api.insecure=true"
+      - "--providers.docker"
+      - "--providers.docker.exposedbydefault=false"
+      # on the demo server, define something like:
+      # > OTACE_REVERSEPROXY_EXTRA_COMMANDLINE="--entrypoints.web.address=:80 --entrypoints.websecure.address=:443 --certificatesresolvers.myresolver.acme.httpchallenge=true --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      - "${OTACE_REVERSEPROXY_EXTRA_COMMANDLINE}"
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  gateway:
+    image: nginx:1.13.7
+    restart: always
+    command: ["nginx-debug", "-g", "daemon off;"]      
+    expose:
+      - '80'
+      - '443'
+      - '8443'
+    ports:
+#      - '80'
+      - '8443'
+      - '30443:8443'
+    depends_on:
+      - ota-lith
+      - reverse-proxy
+    volumes:
+      - ./ota-ce/gateway.conf:/etc/nginx/conf.d/gateway.conf:ro
+      - ./ota-ce-gen/server.chain.pem:/etc/ssl/gateway/server.chain.pem:ro
+      - ./ota-ce-gen/server.key:/etc/ssl/gateway/server.key:ro
+      - ./ota-ce-gen/devices/ca.crt:/etc/ssl/gateway/ca.crt:ro
+
+  db:
+    image: mariadb:10.4
+    #restart: always
+    environment:
+      MYSQL_DATABASE: 'ota'
+      MYSQL_USER: 'ota'
+      MYSQL_PASSWORD: 'ota'
+      MYSQL_ROOT_PASSWORD: 'root'
+    command:
+      - docker-entrypoint.sh
+      - --max-connections=10000
+    ports:
+      - '3306:3306'
+    expose:
+      - '3306'
+    volumes:
+      - ./db-bootstrap:/docker-entrypoint-initdb.d:ro
+      - ota-db:/var/lib/mysql
+
+  ota-lith:
+    image: uptane/ota-lith:latest
+    restart: always
+    depends_on:
+      - db
+    command:
+       - "/opt/ota-lith/bin/ota-lith"
+       - "-Dconfig.file=/tmp/ota-lith.conf"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.reposerver.service=reposerver
+      - traefik.http.routers.reposerver.rule=Host(`reposerver.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.reposerver.loadbalancer.server.port=7100
+      - traefik.http.routers.keyserver.service=keyserver
+      - traefik.http.routers.keyserver.rule=Host(`keyserver.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.keyserver.loadbalancer.server.port=7200
+      - traefik.http.routers.director.service=director
+      - traefik.http.routers.director.rule=Host(`director.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.director.loadbalancer.server.port=7300
+      - traefik.http.routers.treehub.service=treehub
+      - traefik.http.routers.treehub.rule=Host(`treehub.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.treehub.loadbalancer.server.port=7400
+      - traefik.http.routers.deviceregistry.service=deviceregistry
+      - traefik.http.routers.deviceregistry.rule=Host(`deviceregistry.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.deviceregistry.loadbalancer.server.port=7500
+      - traefik.http.routers.campaigner.service=campaigner
+      - traefik.http.routers.campaigner.rule=Host(`campaigner.${OTACE_SERVER_BASE_URI:-ota.ce}`)
+      - traefik.http.services.campaigner.loadbalancer.server.port=7600
+      - "${OTALITH_EXTRA_LABELS}"
+    volumes:
+      - ./ota-lith-ce.conf:/tmp/ota-lith.conf
+      - objects:/var/lib/ota-lith
+
+  ota-lith-daemons:
+    image: uptane/ota-lith:latest
+    restart: always
+    depends_on:
+      - db
+      - ota-lith
+    command:
+       - "/opt/ota-lith/bin/ota-lith"
+       - "-main"
+       - "com.advancedtelematic.ota_lith.OtaLithDaemonBoot"
+       - "-Dconfig.file=/tmp/ota-lith.conf"
+    volumes:
+      - ./ota-lith-ce.conf:/tmp/ota-lith.conf
+
+  zookeeper:
+    image: wurstmeister/zookeeper
+    ports:
+      - "2181:2181"
+  kafka:
+    image: wurstmeister/kafka:2.13-2.7.1
+    ports:
+      - "9092:9092"
+    environment:
+      KAFKA_ADVERTISED_HOST_NAME: kafka
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+volumes:
+  ota-db:
+  objects:
diff --git a/ota-ce.yaml b/ota-ce.yaml
@@ -1,34 +1,77 @@
 # version: '3.8'
 
-# TODO: Some proxy for reposerver.ota.ce and such so don't have to use proxies
+# TODO: Some proxy for reposerver.uptanedemo.org and such so don't have to use proxies
 
 # TODO: Kafka
 
 services:
   reverse-proxy:
     # The official v2 Traefik docker image
-    image: traefik:v2.3
+    image: traefik:v2.8
     # Enables the web UI and tells Traefik to listen to docker
-    command: --api.insecure=true --providers.docker --providers.docker.exposedbydefault=false
+    command:
+      #- "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
     ports:
       # The HTTP port
       - "80:80"
+      - "443:443"
       # The Web UI (enabled by --api.insecure=true)
       - "8080:8080"
     volumes:
+      - "./letsencrypt:/letsencrypt"
       # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  landing-page:
+    # to host the landing page for uptanedemo.org
+    image: nginx
+    restart: always
+    command: ["nginx-debug", "-g", "daemon off;"]
+    expose:
+      - '80'
+      - '443'
+    ports:
+      - '80'
+      - '443'
+    depends_on:
+      - reverse-proxy
+      - ota-lith
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing-page.rule=Host(`uptanedemo.org`)"
+      - "traefik.http.routers.landing-page.entrypoints=websecure"
+      - "traefik.http.routers.landing-page.tls.certresolver=myresolver"
+    volumes:
+      - ./ota-ce/landing-page.conf:/etc/nginx/conf.d/landing-page.conf:ro
+      - ./ota-ce-gen/server.chain.pem:/etc/ssl/gateway/server.chain.pem:ro
+      - ./ota-ce-gen/server.key:/etc/ssl/gateway/server.key:ro
+      - ./ota-ce-gen/devices/ca.crt:/etc/ssl/gateway/ca.crt:ro
+      - ./ota-ce-gen/devices/ca.crt:/usr/share/nginx/html/ca.crt
+      - ./ota-ce-gen/devices/ca.key:/usr/share/nginx/html/ca.key
+      - ./ota-ce-gen/server_ca.pem:/usr/share/nginx/html/server_ca.pem
+      - ./scripts/certs/client.ext:/usr/share/nginx/html/client.ext
+      - ./scripts/certs/client.cnf:/usr/share/nginx/html/client.cnf
 
   gateway:
     image: nginx:1.13.7
     restart: always
-    command: ["nginx-debug", "-g", "daemon off;"]      
+    command: ["nginx-debug", "-g", "daemon off;"]
     expose:
       - '80'
       - '443'
       - '8443'
     ports:
-#      - '80'
+      - '80'
       - '8443'
       - '30443:8443'
     depends_on:
@@ -40,6 +83,7 @@ services:
       - ./ota-ce-gen/server.key:/etc/ssl/gateway/server.key:ro
       - ./ota-ce-gen/devices/ca.crt:/etc/ssl/gateway/ca.crt:ro
 
+
   db:
     image: mariadb:10.4
     #restart: always
@@ -70,27 +114,39 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.reposerver.service=reposerver
-      - traefik.http.routers.reposerver.rule=Host(`reposerver.ota.ce`)
+      - traefik.http.routers.reposerver.rule=Host(`reposerver.uptanedemo.org`)
+      - traefik.http.routers.reposerver.entrypoints=websecure
+      - traefik.http.routers.reposerver.tls.certresolver=myresolver
       - traefik.http.services.reposerver.loadbalancer.server.port=7100
       - traefik.http.routers.keyserver.service=keyserver
-      - traefik.http.routers.keyserver.rule=Host(`keyserver.ota.ce`)
+      - traefik.http.routers.keyserver.rule=Host(`keyserver.uptanedemo.org`)
+      - traefik.http.routers.keyserver.entrypoints=websecure
+      - traefik.http.routers.keyserver.tls.certresolver=myresolver
       - traefik.http.services.keyserver.loadbalancer.server.port=7200
       - traefik.http.routers.director.service=director
-      - traefik.http.routers.director.rule=Host(`director.ota.ce`)
+      - traefik.http.routers.director.rule=Host(`director.uptanedemo.org`)
+      - traefik.http.routers.director.entrypoints=websecure
+      - traefik.http.routers.director.tls.certresolver=myresolver
       - traefik.http.services.director.loadbalancer.server.port=7300
       - traefik.http.routers.treehub.service=treehub
-      - traefik.http.routers.treehub.rule=Host(`treehub.ota.ce`)
+      - traefik.http.routers.treehub.rule=Host(`treehub.uptanedemo.org`)
+      - traefik.http.routers.treehub.entrypoints=websecure
+      - traefik.http.routers.treehub.tls.certresolver=myresolver
       - traefik.http.services.treehub.loadbalancer.server.port=7400
       - traefik.http.routers.deviceregistry.service=deviceregistry
-      - traefik.http.routers.deviceregistry.rule=Host(`deviceregistry.ota.ce`)
+      - traefik.http.routers.deviceregistry.rule=Host(`deviceregistry.uptanedemo.org`)
+      - traefik.http.routers.deviceregistry.entrypoints=websecure
+      - traefik.http.routers.deviceregistry.tls.certresolver=myresolver
       - traefik.http.services.deviceregistry.loadbalancer.server.port=7500
       - traefik.http.routers.campaigner.service=campaigner
-      - traefik.http.routers.campaigner.rule=Host(`campaigner.ota.ce`)
+      - traefik.http.routers.campaigner.rule=Host(`campaigner.uptanedemo.org`)
+      - traefik.http.routers.campaigner.entrypoints=websecure
+      - traefik.http.routers.campaigner.tls.certresolver=myresolver
       - traefik.http.services.campaigner.loadbalancer.server.port=7600
     volumes:
       - ./ota-lith-ce.conf:/tmp/ota-lith.conf
       - objects:/var/lib/ota-lith
-     
+
   ota-lith-daemons:
     image: uptane/ota-lith:latest
     restart: always

diff --git a/ota-ce/gateway.conf b/ota-ce/gateway.conf
@@ -1,7 +1,7 @@
 server {
     error_log  /var/log/nginx/error.log info;
     listen       8443 ssl;
-    server_name ota.ce;
+    server_name dgw.uptanedemo.org;
     ssl_certificate     /etc/ssl/gateway/server.chain.pem;
     ssl_certificate_key /etc/ssl/gateway/server.key;
     ssl_verify_client on;
@@ -17,7 +17,7 @@ server {
     set $deviceNamespace "default";
 
 
-    # TODO: use proxying through traefik/nginx instea of port numbers 
+    # TODO: use proxying through traefik/nginx instea of port numbers
 
     location /treehub/ {
         rewrite ^/treehub/(.*)$ /api/v2/$1 break;
@@ -36,7 +36,7 @@ server {
     location /director/ {
         rewrite ^/director/(.*)$ /api/v1/device/${deviceUuid}/$1 break;
         proxy_set_header x-ats-namespace $deviceNamespace;
-        proxy_set_header Host director.ota.ce;
+        proxy_set_header Host director.uptanedemo.org;
         proxy_pass http://reverse-proxy;
     }
 

diff --git a/ota-ce/landing-page.conf b/ota-ce/landing-page.conf
@@ -0,0 +1,19 @@
+server {
+    error_log  /var/log/nginx/error.log info;
+    listen       7443 ssl;
+    server_name uptanedemo.org;
+    ssl_certificate     /etc/ssl/gateway/server.chain.pem;
+    ssl_certificate_key /etc/ssl/gateway/server.key;
+    ssl_verify_client on;
+    ssl_verify_depth 10;
+    ssl_client_certificate /etc/ssl/gateway/ca.crt;
+
+    if ($ssl_client_s_dn ~ "CN=(.*)$") {
+        set $deviceUuid $1;
+    }
+    if ($ssl_client_s_dn !~ "CN=(.*)$") {
+        set $deviceUuid $ssl_client_s_dn;
+    }
+    set $deviceNamespace "default";
+
+}