From b140fe63bd2684b8ea5920bf806087d3443cad35 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 22 Feb 2019 10:47:37 -0800
Subject: [PATCH] Add a gunicorn server with a flask app using mTLS
Fixes smallstep/ca-component#139
---
 .../hello-mtls/py-gunicorn/Dockerfile.server | 14 ++++++++
 .../hello-mtls/py-gunicorn/gunicorn.conf | 13 ++++++++
 .../py-gunicorn/hello-mtls.server.yaml | 33 +++++++++++++++++++
 .../hello-mtls/py-gunicorn/requirements.txt | 2 ++
 .../examples/hello-mtls/py-gunicorn/server.py | 9 +++++
 5 files changed, 71 insertions(+)
 create mode 100644 autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server
 create mode 100644 autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf
 create mode 100644 autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml
 create mode 100644 autocert/examples/hello-mtls/py-gunicorn/requirements.txt
 create mode 100644 autocert/examples/hello-mtls/py-gunicorn/server.py
diff --git a/autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server b/autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server
new file mode 100644
index 00000000..d99c972f
--- /dev/null
+++ b/autocert/examples/hello-mtls/py-gunicorn/Dockerfile.server
@@ -0,0 +1,14 @@
+FROM python:alpine
+
+RUN mkdir /src
+
+# Gunicorn configuration
+ADD gunicorn.conf /src
+
+# Flask app
+ADD server.py /src
+ADD requirements.txt /src
+RUN pip3 install -r /src/requirements.txt
+
+# app, certificate watcher and envoy
+CMD ["gunicorn", "--config", "/src/gunicorn.conf", "--pythonpath", "/src", "server:app"]
diff --git a/autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf b/autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf
new file mode 100644
index 00000000..1b6b7490
--- /dev/null
+++ b/autocert/examples/hello-mtls/py-gunicorn/gunicorn.conf
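Review bot: The comment `# app, certificate watcher and envoy` above the CMD does not describe what this image runs: the CMD starts only gunicorn, and nothing in the Dockerfile adds a certificate watcher or an envoy process, so the comment looks carried over from another example and should read `# Run the Flask app under gunicorn with the mTLS settings from gunicorn.conf`. `FROM python:alpine` is a floating tag, so two builds of this example can land on different Python releases; pinning to a specific tag (or a digest) keeps the example reproducible. `RUN pip3 install -r /src/requirements.txt` could take `--no-cache-dir` to avoid shipping the pip download cache in the image layer.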
@@ -0,0 +1,13 @@
+bind = '0.0.0.0:443'
+workers = 2
+
+# mTLS configuration with TLSv1.2 and requiring and validating client
+# certificates
+ssl_version = 5 # ssl.PROTOCOL_TLSv1_2
+cert_reqs = 2 # ssl.CERT_REQUIRED
+ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256'
+ca_certs = '/var/run/autocert.step.sm/root.crt'
+certfile = '/var/run/autocert.step.sm/site.crt'
+keyfile = '/var/run/autocert.step.sm/site.key'
+
+
diff --git a/autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml b/autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml
new file mode 100644
index 00000000..14e675df
--- /dev/null
+++ b/autocert/examples/hello-mtls/py-gunicorn/hello-mtls.server.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: {app: hello-mtls}
+  name: hello-mtls
+spec:
+  type: ClusterIP
+  ports:
+  - port: 443
+    targetPort: 443
+  selector: {app: hello-mtls}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-mtls
+  labels: {app: hello-mtls}
+spec:
+  replicas: 1
+  selector: {matchLabels: {app: hello-mtls}}
+  template:
+    metadata:
+      annotations:
+        autocert.step.sm/name: hello-mtls.default.svc.cluster.local
+      labels: {app: hello-mtls}
+    spec:
+      containers:
+      - name: hello-mtls
+        image: hello-mtls-server-py-gunicorn:latest
+        imagePullPolicy: Never
+        resources: {requests: {cpu: 10m, memory: 20Mi}}
diff --git a/autocert/examples/hello-mtls/py-gunicorn/requirements.txt b/autocert/examples/hello-mtls/py-gunicorn/requirements.txt
new file mode 100644
index 00000000..cef5a165
--- /dev/null
+++ b/autocert/examples/hello-mtls/py-gunicorn/requirements.txt
@@ -0,0 +1,2 @@
+Flask
+gunicorn
diff --git a/autocert/examples/hello-mtls/py-gunicorn/server.py b/autocert/examples/hello-mtls/py-gunicorn/server.py
new file mode 100644
index 00000000..7e44425f
--- /dev/null
+++ b/autocert/examples/hello-mtls/py-gunicorn/server.py
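Review bot: `ssl_version = 5` and `cert_reqs = 2` encode `ssl.PROTOCOL_TLSv1_2` and `ssl.CERT_REQUIRED` as bare integers with the symbolic name only in a trailing comment; a gunicorn config file is executed as Python, so `import ssl` at the top followed by `ssl_version = ssl.PROTOCOL_TLSv1_2` and `cert_reqs = ssl.CERT_REQUIRED` states the same policy without depending on the enum's numeric values. The comment block should also say that `ca_certs` is the trust anchor against which client certificates are validated, since that is what gives `cert_reqs` its meaning, and that the three paths under `/var/run/autocert.step.sm/` are presumably populated by the autocert injector referenced in the Deployment annotation — worth confirming and documenting. If autocert renews these certificates in place, the example should say how a running gunicorn picks up the renewed files, which is not addressed here. The two trailing blank lines at the end of the file are noise.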
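Review bot: The Pod spec has no `securityContext`, and because the container must bind port 443 (Service `targetPort: 443`, gunicorn `bind = '0.0.0.0:443'`) it has to run as root or hold CAP_NET_BIND_SERVICE; binding gunicorn to an unprivileged port such as 8443, setting `targetPort: 8443`, and adding `securityContext: {runAsNonRoot: true}` to the Pod spec would let the example demonstrate least privilege alongside mTLS while the Service keeps `port: 443` for clients. The container declares only resource `requests` and no readiness probe, which is fine for an example but worth a one-line comment so it is not copied into production manifests as-is. `image: hello-mtls-server-py-gunicorn:latest` with `imagePullPolicy: Never` ties the manifest to a locally built image; a comment stating that the image must be built into the node's image store first would save readers a confusing ErrImageNeverPull.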
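Review bot: Neither `Flask` nor `gunicorn` carries a version specifier, so each image build resolves to whatever is current on PyPI and the example can change behaviour or break on a rebuild without any change to the repository; pinning to the versions the example was tested with, e.g. `Flask==<tested version>` and `gunicorn==<tested version>`, keeps it reproducible, and hash-pinned requirements installed with `--require-hashes` are the stricter option if supply-chain integrity is a goal of the example.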
@@ -0,0 +1,9 @@
+from flask import Flask
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+    return "Hello World!\n"
+
+if __name__ == "__main__":
+    app.run(host='127.0.0.1', port=8080, debug=False)
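Review bot: The module has no docstring, and nothing in server.py says that TLS and client-certificate validation are enforced by gunicorn through gunicorn.conf rather than by the app, so a reader of this file alone may take the `app.run(host='127.0.0.1', port=8080, debug=False)` branch for the deployed entry point and assume it is the mTLS endpoint. A module docstring stating that `server:app` is served by gunicorn with mTLS inside the container and that the `__main__` block is a plain-HTTP, loopback-only convenience for local development would close that gap. The `hello` view could also carry a one-line docstring, e.g. `"""Return a fixed greeting; client certificates are verified by gunicorn before a request reaches this handler."""`.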