Add a gunicorn server with a flask app using mTLS

Fixes smallstep/ca-component#139
2019-02-22 10:47:37 -08:00 · 2019-02-22 10:47:37 -08:00 · b140fe63bd
commit b140fe63bd
parent fcd1da970f
5 changed files with 71 additions and 0 deletions
--- a/autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server
+++ b/autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server
@ -0,0 +1,14 @@
+FROM python:alpine
+
+RUN mkdir /src
+
+# Gunicorn configuration
+ADD gunicorn.conf /src
+
+# Flask app
+ADD server.py /src
+ADD requirements.txt /src
+RUN pip3 install -r /src/requirements.txt
+
+# app, certificate watcher and envoy
+CMD ["gunicorn", "--config", "/src/gunicorn.conf", "--pythonpath", "/src", "server:app"]
--- a/autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf
+++ b/autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf
@ -0,0 +1,13 @@
+bind = '0.0.0.0:443'
+workers = 2
+
+# mTLS configuration with TLSv1.2 and requiring and validating client
+# certificates
+ssl_version = 5 # ssl.PROTOCOL_TLSv1_2
+cert_reqs = 2   # ssl.CERT_REQUIRED
+ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256'
+ca_certs = '/var/run/autocert.step.sm/root.crt'
+certfile = '/var/run/autocert.step.sm/site.crt'
+keyfile = '/var/run/autocert.step.sm/site.key'
+
+
--- a/autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml
+++ b/autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml
@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: {app: hello-mtls}
+  name: hello-mtls
+spec:
+  type: ClusterIP
+  ports:
+  - port: 443
+    targetPort: 443
+  selector: {app: hello-mtls}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-mtls
+  labels: {app: hello-mtls}
+spec:
+  replicas: 1
+  selector: {matchLabels: {app: hello-mtls}}
+  template:
+    metadata:
+      annotations:
+        autocert.step.sm/name: hello-mtls.default.svc.cluster.local
+      labels: {app: hello-mtls}
+    spec:
+      containers:
+      - name: hello-mtls
+        image: hello-mtls-server-py-gunicorn:latest
+        imagePullPolicy: Never
+        resources: {requests: {cpu: 10m, memory: 20Mi}}
--- a/autocert/examples/hello-mtls/py-gunicorn/requirements.txt
+++ b/autocert/examples/hello-mtls/py-gunicorn/requirements.txt
@ -0,0 +1,2 @@
+Flask
+gunicorn
--- a/autocert/examples/hello-mtls/py-gunicorn/server.py
+++ b/autocert/examples/hello-mtls/py-gunicorn/server.py
@ -0,0 +1,9 @@
+from flask import Flask
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+    return "Hello World!\n"
+
+if __name__ == "__main__":
+    app.run(host='127.0.0.1', port=8080, debug=False)