@yaasita
Created June 1, 2022 18:51

Running Node-RED on k8s

Apply

kubectl create secret generic ssh-ca-key --from-file=ssh-privatekey=/path/to/.ssh/ca.key
kubectl apply -k .

Reference

Getting the APP_ID

curl --request POST \
     --url $BUDIBASE_BASE_URL/api/public/v1/applications/search \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --header "x-budibase-api-key: $BUDIBASE_API_KEY" \
     --data '{"name":"ssh"}' | jq .

Getting the TABLE_ID

curl --request POST \
     --url $BUDIBASE_BASE_URL/api/public/v1/tables/search \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --header "x-budibase-api-key: $BUDIBASE_API_KEY" \
     --header "x-budibase-app-id: $BUDIBASE_APP_ID" \
     --data '{ "name": "signing" }' --compressed |
     jq '.data[0]._id'

conf.sh

BUDIBASE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BUDIBASE_APP_ID=app_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BUDIBASE_BASE_URL=http://proxy-service.budibase.svc.cluster.local:10000
BUDIBASE_TABLE_ID=ta_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BUDIBASE_TRIGGER_URL=/api/webhooks/trigger/app_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/wh_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GCS_BUCKET=cert-ssh-pub-key

Dockerfile

FROM debian:bullseye
# Tools used by sign.sh: curl, openssh-client (ssh-keygen), jq, liburi-perl (URI::Escape)
RUN apt-get update && apt-get install -y \
    apt-transport-https ca-certificates gnupg curl openssh-client jq liburi-perl
# Google Cloud SDK (provides gsutil)
RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | \
    tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
    apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && \
    apt-get update -y && apt-get install google-cloud-sdk -y
# Node.js 16 and Node-RED
RUN curl -sL https://deb.nodesource.com/setup_16.x | bash -
RUN apt-get install -y nodejs && npm install -g --unsafe-perm node-red
COPY sign.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/sign.sh
CMD node-red

kustomization.yaml

namespace: budibase
resources:
  - node-red.yaml
  - pvc.yaml
secretGenerator:
  - name: node-red
    envs:
      - conf.sh

node-red.yaml

apiVersion: v1
kind: Service
metadata:
  name: node-red
spec:
  selector:
    app: node-red
  ports:
    - port: 80
      targetPort: 1880
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-red
  labels:
    app: node-red
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-red
  template:
    metadata:
      labels:
        app: node-red
    spec:
      containers:
        - name: node-red
          image: asia-northeast1-docker.pkg.dev/your-project/k8s/node-red:latest
          envFrom:
            - secretRef:
                name: node-red
          volumeMounts:
            - mountPath: "/root/.node-red"
              name: settings
            - mountPath: "/mnt"
              name: ssh-ca-key
      volumes:
        - name: settings
          persistentVolumeClaim:
            claimName: node-red
        - name: ssh-ca-key
          secret:
            secretName: ssh-ca-key
            defaultMode: 0400

pvc.yaml

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: node-red
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi

sign.sh

#!/bin/bash
# Note: -x traces every command, so the x-budibase-api-key header value appears in the trace output.
set -exuo pipefail
id=$1
# Fetch the row
row=$(curl -s --request GET \
     --url "$BUDIBASE_BASE_URL/api/public/v1/tables/$BUDIBASE_TABLE_ID/rows/$id" \
     --header 'Accept: application/json' \
     --header "x-budibase-api-key: $BUDIBASE_API_KEY" \
     --header "x-budibase-app-id: $BUDIBASE_APP_ID" \
     --compressed | jq -r '.data')
## Download the SSH public key
tempfile=$(mktemp)
download_path=$(echo "$row" | jq -r '.ssh_pub_key[0].url')
echo "$download_path"
curl -s -L "$BUDIBASE_BASE_URL$download_path" -o "$tempfile"
# Get the validity period and principals
month=$(echo "$row" | jq -r '.validity_interval_month')
principal=$(echo "$row" | jq -r '.principals')
email=$(echo "$row" | jq -r '.email')
# Sign the SSH key
# ssh-keygen's "m" suffix means minutes, so months are converted to days (30 days per month, an approximation)
ssh-keygen -s /mnt/ssh-privatekey -I "$email" -n "$principal" -V "+$((month * 30))d" "$tempfile"
# Upload to GCS (timestamp + email)
gcs_path="$(date +%s)-$email-cert.pub"
gsutil cp "${tempfile}-cert.pub" "gs://$GCS_BUCKET/$gcs_path"
gcs_url="https://storage.googleapis.com/$GCS_BUCKET/$(echo "$gcs_path" | perl -MURI::Escape -nlE 'chomp;say uri_escape $_')"
# Change status to accept
curl --request PUT \
     --url "$BUDIBASE_BASE_URL/api/public/v1/tables/$BUDIBASE_TABLE_ID/rows/$id" \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --header "x-budibase-api-key: $BUDIBASE_API_KEY" \
     --header "x-budibase-app-id: $BUDIBASE_APP_ID" \
     --data '{"status":"accept"}'
# Call the Budibase webhook from here so that Budibase sends the mail via SMTP
# (jq builds the JSON body so the values are escaped correctly)
curl --request POST \
     --url "$BUDIBASE_BASE_URL$BUDIBASE_TRIGGER_URL" \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --header "x-budibase-api-key: $BUDIBASE_API_KEY" \
     --header "x-budibase-app-id: $BUDIBASE_APP_ID" \
     --data "$(jq -n --arg url "$gcs_url" --arg address "$email" '{url: $url, address: $address}')"
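
sign.sh passes the row's email, principals and validity_interval_month fields straight to the CA signing command, so the values deserve a check before ssh-keygen -s runs. The following is an added example, not part of the gist: the function names, MAX_MONTHS and ALLOWED_PRINCIPALS are assumed policy choices, and the validity is emitted in days because ssh-keygen's "m" suffix means minutes.

```shell
#!/bin/bash
# Added example: field checks for the Budibase row values used by sign.sh.
# MAX_MONTHS and ALLOWED_PRINCIPALS are assumed policy values, not from the gist.
MAX_MONTHS=12
ALLOWED_PRINCIPALS="deploy ops dev"

# Key ID (-I): one address, limited character set, never starting with '-'.
valid_email() {
  case $1 in ''|-*|*[!A-Za-z0-9._%+@-]*) return 1 ;; esac
  case $1 in *@*@*) return 1 ;; ?*@?*.?*) return 0 ;; esac
  return 1
}

# Principals (-n): comma-separated names, each one on the allowlist.
valid_principals() (
  case $1 in ''|,*|*,|*,,*|*[!a-z0-9_,-]*) exit 1 ;; esac
  IFS=,
  for p in $1; do
    case " $ALLOWED_PRINCIPALS " in *" $p "*) ;; *) exit 1 ;; esac
  done
  exit 0
)

# Months: positive integer without leading zero, capped at MAX_MONTHS.
valid_months() {
  case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 3 ] && [ "$1" -le "$MAX_MONTHS" ]
}

# ssh-keygen -V has no month unit ("m" is minutes); emit days, 30 per month.
validity_arg() {
  valid_months "$1" || return 1
  echo "+$(( $1 * 30 ))d"
}

# Returns 0 only when every field is acceptable; names the first bad field.
check_request() {
  valid_email "$1"      || { echo "rejected: email" >&2; return 1; }
  valid_principals "$2" || { echo "rejected: principals" >&2; return 1; }
  valid_months "$3"     || { echo "rejected: months" >&2; return 1; }
}

# Constructed sample row values (not real data).
if check_request "alice@example.com" "deploy,ops" "6"; then
  echo "would sign with -V $(validity_arg 6)"
fi
check_request "alice@example.com" "deploy,root" "6" || true
```

In sign.sh the check would sit between reading the row and the ssh-keygen call, with the script exiting before the CA key is touched when check_request fails.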