Add build variant with acme.sh script included

processone · Jul 25, 2023 · 46a2241 · 46a2241
1 parent cc25bb0
commit 46a2241
Show file tree

Hide file tree

Showing 12 changed files with 522 additions and 26 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -9,6 +9,7 @@
 /*.cache
 /doc
 /hello-eturnal.png
+/docker-k8s/image/Dockerfile
 
 #
 # ExDoc:

diff --git a/.github/workflows/container-build-publish.yml b/.github/workflows/container-build-publish.yml
@@ -239,11 +239,13 @@ jobs:
 ################################################################################
   #' build actual images for x64/arm64 with built binary tarballs
   build-ctr-binary-based:
-    name: ${{ matrix.arch }} - build & publish container image (binary-based)
+    name: ${{ matrix.arch }} - build ${{ matrix.variant }} ${{ matrix.method }}-based variant
     runs-on: ubuntu-latest
     strategy:
       matrix:
         arch: [x64, arm64]
+        method: [package]
+        variant: [standalone, acmesh]
       fail-fast: false
     needs: [detect-change, build-musl-binary-archives]
     steps:
@@ -295,37 +297,40 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           build-args: |
-            METHOD=package
+            METHOD=${{ matrix.method }}
             VERSION=${{ env.TAG_VERSION }}
             REPOSITORY=https://github.com/${{ github.repository }}.git
+            VARIANT=${{ matrix.variant }}
           context: .
           file: ${{ env.DOCKERFILE_PATH }}/Dockerfile
           platforms: linux/${{ env.ARCH }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
       -
-        name: Export digest | ${{ matrix.arch }}
+        name: Export digest | ${{ matrix.arch }}-${{ matrix.variant }}
         run: |
           mkdir -p /tmp/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
       -
-        name: Upload digest | ${{ matrix.arch }}
+        name: Upload digest | ${{ matrix.arch }}-${{ matrix.variant }}
         uses: actions/upload-artifact@v3
         with:
-          name: digests
+          name: digests-${{ matrix.variant }}
           path: /tmp/digests/*
           if-no-files-found: error
           retention-days: 1
 
 ################################################################################
   #' build container images with local source files
   build-ctr:
-    name: ${{ matrix.arch }} - build & publish container image (non-binary-based)
+    name: ${{ matrix.arch }} - build ${{ matrix.variant }} ${{ matrix.method }}-based variant
     runs-on: ubuntu-latest
     strategy:
       matrix:
         arch: [386, arm/v7, ppc64le, s390x]
+        method: [build]
+        variant: [standalone, acmesh]
       fail-fast: false
     needs: [detect-change]
     steps:
@@ -401,34 +406,36 @@ jobs:
             OTP_VSN=${{ env.OTP_VSN }}
             REPOSITORY=https://github.com/${{ github.repository }}.git
             REBAR_CT=${{ env.REBAR_CT }}
+            VARIANT=${{ matrix.variant }}
           context: .
           file: ${{ env.DOCKERFILE_PATH }}/Dockerfile
           platforms: linux/${{ matrix.arch }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
       -
-        name: Export digest | ${{ matrix.arch }}
+        name: Export digest | ${{ matrix.arch }}-${{ matrix.variant }}
         run: |
           mkdir -p /tmp/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
       -
-        name: Upload digest | ${{ matrix.arch }}
+        name: Upload digest | ${{ matrix.arch }}-${{ matrix.variant }}
         uses: actions/upload-artifact@v3
         with:
-          name: digests
+          name: digests-${{ matrix.variant }}
           path: /tmp/digests/*
           if-no-files-found: error
           retention-days: 1
 
 ################################################################################
   ## merge single images to only advertise one image plus tag
   publish:
-    name: ${{ matrix.registry }} - publish image manifest
+    name: ${{ matrix.registry }} - publish manifest ${{ matrix.variant }} variant
     runs-on: ubuntu-latest
     strategy:
       matrix:
         registry: [ghcr.io, docker.io]
+        variant: [standalone, acmesh]
       fail-fast: false
     if: github.event_name != 'pull_request' && github.event_name != 'schedule'
     needs: [detect-change, build-musl-binary-archives, build-ctr-binary-based, build-ctr]
@@ -467,14 +474,18 @@ jobs:
                          && secrets.DOCKERHUB_TOKEN)
                      || secrets.GITHUB_TOKEN }}
       -
-        name: Download digests
+        name: Download digests | ${{ matrix.variant }}
         uses: actions/download-artifact@v3
         with:
-          name: digests
+          name: digests-${{ matrix.variant }}
           path: /tmp/digests
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
+      -
+        name: For variant == 'acmesh' add a special tag suffix
+        if: matrix.variant == 'acmesh'
+        run: echo "TAG_ACMESH=-acmesh" >> $GITHUB_ENV
       -
         name: On push master | Docker meta
         id: meta
@@ -485,7 +496,7 @@ jobs:
                                         && env.DOCKERHUB_REPO)
                                         || env.IMAGE_NAME }}
           tags: |
-            edge
+            edge${{ env.TAG_ACMESH }}
       -
         name: On release | Docker meta
         id: meta-rel
@@ -496,11 +507,11 @@ jobs:
                                         && env.DOCKERHUB_REPO)
                                         || env.IMAGE_NAME }}
           tags: |
-            latest
-            ${{ env.TAG_PKGREL }}
-            ${{ env.TAG_VERSION }}
-            ${{ env.TAG_MINOR }}
-            ${{ env.TAG_MAJOR }}
+            latest${{ env.TAG_ACMESH }}
+            ${{ env.TAG_PKGREL }}${{ env.TAG_ACMESH }}
+            ${{ env.TAG_VERSION }}${{ env.TAG_ACMESH }}
+            ${{ env.TAG_MINOR }}${{ env.TAG_ACMESH }}
+            ${{ env.TAG_MAJOR }}${{ env.TAG_ACMESH }}
       -
         name: Create manifest list and push
         if: |

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ project adheres to [Semantic Versioning][SemVer].
 ### Added
 - Allow for overriding the `build.config` settings using environment variables
   (of the same name, but upper-case).
+- Docker: Offer a container `VARIANT` which includes the `acme.sh` cert creation
+  script. The variant has a tag suffix `-acmesh` and can be configured with
+  environment variables.
 - Docker: Container images can now be pulled from Dockerhub as well. The name
   is `docker.io/eturnal/eturnal:latest`. When pulling with `Docker`, `docker.io`
   may be omitted.

diff --git a/docker-k8s/ACMESH.md b/docker-k8s/ACMESH.md
@@ -0,0 +1,165 @@
+# [eturnal](https://eturnal.net) container image with `acme.sh`
+
+This variant includes the `acme.sh` [script](https://github.com/acmesh-official/acme.sh).
+It works like the [standalone eturnal container image](https://github.com/processone/eturnal/tree/master/docker-k8s),
+but contains a cron job for creating/renewing TLS certificates.
+
+These images have a tag suffix `-acmesh`.
+
+## Who could profit from this variant?
+
+This image is suited for those, who would like to have a convenient way to
+manage TLS certificates and infusing them to eturnal without e.g. an external
+cron job on the host machine.
+
+## Configuration
+
+The `acme.sh` script within this image can be customized with the following
+environment variables.
+
+eturnal may be configured with the environment variables mentioned below as well
+or by simply mounting an `eturnal.yml` configuration file (recommended).
+
+**Note:** All variables can be defined as secrets with a `__FILE` suffix:
+
+```shell
+printf "secret" | podman secret create cf_token -
+podman run \
+    ... \
+    --secret cf_token \
+    -e CF_Token__FILE='/run/secrets/cf_token' \
+  ghcr.io/processone/eturnal:latest-acmesh
+```
+
+### ACME options
+
+| Name  | Description  |  Default value | Additional notes  |
+| ------------ | ------------ | ------------ | ------------ |
+| `ACME_EMAIL`  | a valid email address  | `admin@example.com` |   |
+| `ACME_DOMAIN`  | domain(s) for the issued certificates  | `turn.example.com` | when using multiple domains, please use the following syntax: `ACME_DOMAIN="turn.example.com -d turn2.example.com -d turn3.example.com"`  |
+| `ACME_KEY_SIZE`  | [key lengths](https://github.com/acmesh-official/acme.sh#10-issue-ecc-certificates)  | `4096` |   |
+| `ACME_SH_UPGRADE`  | defines, whether the cron job also upgrades `acme.sh`  | `true` |  |
+| `ACME_CA`  | defines the [CA](https://github.com/acmesh-official/acme.sh/wiki/CA)  | `zerossl` |   |
+| `ACME_CRON_PERIOD`  | defines renewal interval  | `60d` |   |
+| `ACME_CHALLENGE`  | either `http` (default), `https` or `dns`. | `http` | When using `http` or `https` it must not interfere with the `LISTEN_TCP_TLS_PORT` (default: `3478`) |
+| `DNS_PROVIDER`  | only needed if `ACME_CHALLENGE=dns`, specifies the [DNS service](https://github.com/acmesh-official/acme.sh/wiki/dnsapi) to be used, e.g. `DNS_PROVIDER=dns_cf`  |  | the respective API keys, token, etc. must be defined as environment variables in the `docker run` cmd, e.g. `-e CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" -e CF_Account_ID="xxxxxxxxxxxxx"`  |
+
+### eturnal related configurations
+
+#### Using a custom `eturnal.yml` configuration file
+
+Just mount your `eturnal.yml` configuration file into the running container at
+the following path:
+
+    -v /path/to/eturnal.yml:/etc/eturnal.yml
+
+Values specified in the `eturnal.yml` file prevail `ETURNAL_*` environment
+variables (see variables below).
+
+**Hint:** If you use a custom `eturnal.yml` configuration file, TLS [cert](https://eturnal.net/documentation/#tls_crt_file)
+and [key](https://eturnal.net/documentation/#tls_key_file) paths **must not**
+be set. They are appended by the startup script. Therefore, make sure the file
+is writable by the eturnal user `uid=9000`.
+
+The following variables can be omitted, if a custom `eturnal.yml` configuration
+file is mounted into the container.
+
+#### Listener options
+
+| Name  | Description  |  Default value | Additional notes  |
+| ------------ | ------------ | ------------ | ------------ |
+| `LISTEN_UDP_PORT`  | Defines the UDP listener [here](https://eturnal.net/documentation/#listen)  | `3478` |  |
+| `LISTEN_TCP_TLS_PORT`  | Defines the multiplex TCP/TLS listener [here](https://eturnal.net/documentation/#listen)  | `3478` | This may be used for port `443` (https) |
+| `ETURNAL_RELAY_IPV4_ADDR`  | More infos [here](https://eturnal.net/documentation/#relay_ipv4_addr)  |  | no default, auto-detected if possible |
+| `ETURNAL_RELAY_IPV6_ADDR`  | More infos [here](https://eturnal.net/documentation/#relay_ipv6_addr)  |  | no default, auto-detected if possible |
+| `ETURNAL_RELAY_MAX_PORT`  | More infos [here](https://eturnal.net/documentation/#relay_max_port)  | `65535` |  |
+| `ETURNAL_RELAY_MIN_PORT`  | More infos [here](https://eturnal.net/documentation/#relay_min_port)  | `49152` |  |
+| `ETURNAL_SECRET`  | More infos [here](https://eturnal.net/documentation/#secret)  |  | no default, auto-generated |
+
+#### module `mod_stats_prometheus`
+
+| Name  | Description  |  Default value | Additional notes  |
+| ------------ | ------------ | ------------ | ------------ |
+| `MOD_STATS_PROMETHEUS_ENABLE`  | enable (`true`) or disable the module  | `false` |  |
+| `MOD_STATS_PROMETHEUS_IP`  | More infos [here](https://eturnal.net/documentation/#mod_stats_prometheus)  | `any` |  |
+| `MOD_PROMETHEUS_PORT`  | see above  | `8081` |  |
+| `MOD_PROMETHEUS_TLS`  | see above  | `false` |  |
+| `MOD_PROMETHEUS_VM_METRICS`  | see above  | `true` |  |
+
+#### additional configuration options
+
+| Name  | Description  |  Default value | Additional notes  |
+| ------------ | ------------ | ------------ | ------------ |
+| `BLACKLIST`  | Options: `default` or `recommended`, more infos [here](https://eturnal.net/documentation/#blacklist)  | `default` |  |
+| `LOG_LEVEL`  | Sets [log level](https://eturnal.net/documentation/#log_level)  | `info` |  |
+| `CREDENTIALS_STRICT_EXPIRY`  | More infos [here](https://eturnal.net/documentation/#strict_expiry)  | `false` |  |
+| `STUN_SERVICE`  | External IP address lookup, more infos [here](https://github.com/processone/eturnal/tree/master/docker-k8s#general-hints))  | `stun.conversations.im 3478` | Set to `false` to disable, or us another STUN service |
+| `REALM`  | This option defines the [realm](https://eturnal.net/documentation/#realm)  | | no default |
+
+### Limitations
+
+* No support for providing custom TLS certificates.
+
+## Examples
+
+The image works with `docker` or `podman`.
+
+```
+docker run -d --rm \
+    --name eturnal \
+    --read-only \
+    --cap-drop=ALL \
+    --cap-add=NET_BIND_SERVICE \
+    -p 80:80/udp \
+    -e LISTEN_UDP_PORT=80 \
+    -p 443:443 \
+    -e LISTEN_TCP_TLS_PORT=443 \
+    -p 50000-50500:50000-50500/udp \
+    -e ETURNAL_RELAY_MIN_PORT=50000 \
+    -e ETURNAL_RELAY_MAX_PORT=50500 \
+    -e ETURNAL_SECRET=super-secret-password \
+    -p 80:80 \
+    -e ACME_CHALLENGE=http \
+    -e ACME_EMAIL=admin@example.com \
+    -e ACME_DOMAIN=turn.example.com \
+  ghcr.io/sando38/docker-eturnal
+```
+
+Or consider using the host network instead ([more info here](https://github.com/processone/eturnal/tree/master/docker-k8s#usage-with-docker-or-podman)):
+
+```
+docker run -d --rm \
+    --name eturnal \
+    --read-only \
+    --cap-drop=ALL \
+    --cap-add=NET_BIND_SERVICE \
+    --network=host \
+    -e LISTEN_UDP_PORT=80 \
+    -e LISTEN_TCP_TLS_PORT=443 \
+    -e ETURNAL_RELAY_MIN_PORT=50000 \
+    -e ETURNAL_RELAY_MAX_PORT=50500 \
+    -e ETURNAL_SECRET=super-secret-password \
+    -e ACME_CHALLENGE=http \
+    -e ACME_EMAIL=admin@example.com \
+    -e ACME_DOMAIN=turn.example.com \
+  ghcr.io/sando38/docker-eturnal
+```
+
+And an example with a custom `eturnal.yml` configuration file and `dns`:
+
+```
+docker run -d --rm \
+    --name eturnal \
+    --read-only \
+    --cap-drop=ALL \
+    --cap-add=NET_BIND_SERVICE \
+    --network=host \
+    -e ACME_CHALLENGE=dns \
+    -e DNS_PROVIDER="dns_cf" \
+    -e CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje" \
+    -e CF_Account_ID="xxxxxxxxxxxxx" \
+    -e ACME_EMAIL=admin@example.com \
+    -e ACME_DOMAIN=turn.example.com \
+    -v /path/to/eturnal.yml:/etc/eturnal.yml \
+  ghcr.io/sando38/docker-eturnal
+```
diff --git a/docker-k8s/README.md b/docker-k8s/README.md
@@ -14,6 +14,7 @@ version of a particular release in case of any bug fix etc. of the image.
 | ------------ | ------------ | ------------ |
 | `edge`  | Built from `master` branch, see [changelog](https://github.com/processone/eturnal/blob/master/CHANGELOG.md)  | For testing purposes. |
 | `1.10.1`, `latest`  | [Release changelog](https://github.com/processone/eturnal/releases/tag/1.10.1)  |   |
+| `1.10.1-acmesh`, `latest-acmesh`  | As the standalone image, but including the [acme.sh](https://github.com/acmesh-official/acme.sh) | [Variant specific documentation](https://github.com/sando38/eturnal/blob/acmesh/docker-k8s/ACMESH.md)  |
 
 Images are scanned daily by [Trivy](https://www.aquasec.com/products/trivy) and,
 if necessary, the `latest` release will be rebuilt and updated.