tljh/traefik.py

"""Traefik installation and setup"""
import hashlib
import os
from glob import glob

from jinja2 import Template
from passlib.apache import HtpasswdFile
import backoff
import requests
import toml

from .config import CONFIG_DIR
from tljh.configurer import load_config, _merge_dictionaries

# FIXME: support more than one platform here
plat = "linux-amd64"
traefik_version = "1.7.18"

# record sha256 hashes for supported platforms here
checksums = {
    "linux-amd64": "3c2d153d80890b6fc8875af9f8ced32c4d684e1eb5a46d9815337cb343dfd92e"
}

def checksum_file(path):
    """Compute the sha256 checksum of a path"""
    hasher = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hasher.update(chunk)
    return hasher.hexdigest()

def fatal_error(e):
    # Retry only when connection is reset or we think we didn't download entire file
    return str(e) != "ContentTooShort" and not isinstance(e, ConnectionResetError)

@backoff.on_exception(
    backoff.expo,
    Exception,
    max_tries=2,
    giveup=fatal_error
)
def ensure_traefik_binary(prefix):
    """Download and install the traefik binary"""
    traefik_bin = os.path.join(prefix, "bin", "traefik")
    if os.path.exists(traefik_bin):
        checksum = checksum_file(traefik_bin)
        if checksum == checksums[plat]:
            # already have the right binary
            # ensure permissions and we're done
            os.chmod(traefik_bin, 0o755)
            return
        else:
            print(f"checksum mismatch on {traefik_bin}")
            os.remove(traefik_bin)

    traefik_url = (
        "https://github.com/containous/traefik/releases"
        f"/download/v{traefik_version}/traefik_{plat}"
    )
    print(f"Downloading traefik {traefik_version}...")
    # download the file
    response = requests.get(traefik_url)
    if response.status_code == 206:
        raise Exception("ContentTooShort")
    with open(traefik_bin, 'wb') as f:
        f.write(response.content)
    os.chmod(traefik_bin, 0o755)

    # verify that we got what we expected
    checksum = checksum_file(traefik_bin)
    if checksum != checksums[plat]:
        raise IOError(f"Checksum failed {traefik_bin}: {checksum} != {checksums[plat]}")


def compute_basic_auth(username, password):
    """Generate hashed HTTP basic auth from traefik_api username+password"""
    ht = HtpasswdFile()
    # generate htpassword
    ht.set_password(username, password)
    hashed_password = str(ht.to_string()).split(":")[1][:-3]
    return username + ":" + hashed_password


def load_extra_config(extra_config_dir):
    extra_configs = sorted(glob(os.path.join(extra_config_dir, '*.toml')))
    # Load the toml list of files into dicts and merge them
    config = toml.load(extra_configs)
    return config


def ensure_traefik_config(state_dir):
    """Render the traefik.toml config file"""
    traefik_std_config_file = os.path.join(state_dir, "traefik.toml")
    traefik_extra_config_dir = os.path.join(CONFIG_DIR, "traefik_config.d")
    traefik_dynamic_config_dir = os.path.join(state_dir, "rules")

    config = load_config()
    config['traefik_api']['basic_auth'] = compute_basic_auth(
        config['traefik_api']['username'],
        config['traefik_api']['password'],
    )

    with open(os.path.join(os.path.dirname(__file__), "traefik.toml.tpl")) as f:
        template = Template(f.read())
    std_config = template.render(config)
    https = config["https"]
    letsencrypt = https["letsencrypt"]
    tls = https["tls"]
    # validate https config
    if https["enabled"]:
        if not tls["cert"] and not letsencrypt["email"]:
            raise ValueError(
                "To enable https, you must set tls.cert+key or letsencrypt.email+domains"
            )
        if (letsencrypt["email"] and not letsencrypt["domains"]) or (
            letsencrypt["domains"] and not letsencrypt["email"]
        ):
            raise ValueError("Both email and domains must be set for letsencrypt")

    # Ensure traefik extra static config dir exists and is private
    os.makedirs(traefik_extra_config_dir, mode=0o700, exist_ok=True)

    # Ensure traefik dynamic config dir exists and is private
    os.makedirs(traefik_dynamic_config_dir, mode=0o700, exist_ok=True)

    try:
        # Load standard config file merge it with the extra config files into a dict
        extra_config = load_extra_config(traefik_extra_config_dir)
        new_toml = _merge_dictionaries(toml.loads(std_config), extra_config)
    except FileNotFoundError:
        new_toml = toml.loads(std_config)

    # Dump the dict into a toml-formatted string and write it to file
    with open(traefik_std_config_file, "w") as f:
        os.fchmod(f.fileno(), 0o600)
        toml.dump(new_toml, f)

    with open(os.path.join(traefik_dynamic_config_dir, "rules.toml"), "w") as f:
        os.fchmod(f.fileno(), 0o600)

    # ensure acme.json exists and is private
    with open(os.path.join(state_dir, "acme.json"), "a") as f:
        os.fchmod(f.fileno(), 0o600)
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`"""Traefik installation and setup"""`
			`import hashlib`
			`import os`
Allow extra traefik config 2020-05-29 17:59:20 +03:00			`from glob import glob`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00
unittests for traefik 2018-08-01 17:06:52 +02:00			`from jinja2 import Template`
move generating traefik basic auth to traefik.py compute this when we write the template, not when we load config 2019-02-22 10:53:36 +01:00			`from passlib.apache import HtpasswdFile`
Retry downloading traefik if it fails Fixes #314 2019-05-19 22:29:18 -07:00			`import backoff`
replace urllib with requests 2019-05-24 14:37:42 +03:00			`import requests`
Allow extra traefik config 2020-05-29 17:59:20 +03:00			`import toml`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00
Allow extra traefik config 2020-05-29 17:59:20 +03:00			`from .config import CONFIG_DIR`
Import merge dicts method 2020-06-08 12:15:42 +03:00			`from tljh.configurer import load_config, _merge_dictionaries`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00
			`# FIXME: support more than one platform here`
			`plat = "linux-amd64"`
Upgrade traefik version 2019-10-01 11:00:28 +03:00			`traefik_version = "1.7.18"`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00
			`# record sha256 hashes for supported platforms here`
			`checksums = {`
Upgrade traefik version 2019-10-01 11:00:28 +03:00			`"linux-amd64": "3c2d153d80890b6fc8875af9f8ced32c4d684e1eb5a46d9815337cb343dfd92e"`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`}`

			`def checksum_file(path):`
			`"""Compute the sha256 checksum of a path"""`
			`hasher = hashlib.sha256()`
			`with open(path, "rb") as f:`
			`for chunk in iter(lambda: f.read(4096), b""):`
			`hasher.update(chunk)`
			`return hasher.hexdigest()`

replace urllib with requests 2019-05-24 14:37:42 +03:00			`def fatal_error(e):`
			`# Retry only when connection is reset or we think we didn't download entire file`
			`return str(e) != "ContentTooShort" and not isinstance(e, ConnectionResetError)`

Retry downloading traefik if it fails Fixes #314 2019-05-19 22:29:18 -07:00			`@backoff.on_exception(`
			`backoff.expo,`
replace urllib with requests 2019-05-24 14:37:42 +03:00			`Exception,`
			`max_tries=2,`
			`giveup=fatal_error`
Retry downloading traefik if it fails Fixes #314 2019-05-19 22:29:18 -07:00			`)`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`def ensure_traefik_binary(prefix):`
			`"""Download and install the traefik binary"""`
			`traefik_bin = os.path.join(prefix, "bin", "traefik")`
			`if os.path.exists(traefik_bin):`
			`checksum = checksum_file(traefik_bin)`
			`if checksum == checksums[plat]:`
			`# already have the right binary`
			`# ensure permissions and we're done`
			`os.chmod(traefik_bin, 0o755)`
			`return`
			`else:`
			`print(f"checksum mismatch on {traefik_bin}")`
			`os.remove(traefik_bin)`

			`traefik_url = (`
			`"https://github.com/containous/traefik/releases"`
			`f"/download/v{traefik_version}/traefik_{plat}"`
			`)`
			`print(f"Downloading traefik {traefik_version}...")`
			`# download the file`
replace urllib with requests 2019-05-24 14:37:42 +03:00			`response = requests.get(traefik_url)`
			`if response.status_code == 206:`
			`raise Exception("ContentTooShort")`
			`with open(traefik_bin, 'wb') as f:`
			`f.write(response.content)`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`os.chmod(traefik_bin, 0o755)`

			`# verify that we got what we expected`
			`checksum = checksum_file(traefik_bin)`
			`if checksum != checksums[plat]:`
			`raise IOError(f"Checksum failed {traefik_bin}: {checksum} != {checksums[plat]}")`


move generating traefik basic auth to traefik.py compute this when we write the template, not when we load config 2019-02-22 10:53:36 +01:00			`def compute_basic_auth(username, password):`
			`"""Generate hashed HTTP basic auth from traefik_api username+password"""`
			`ht = HtpasswdFile()`
			`# generate htpassword`
			`ht.set_password(username, password)`
			`hashed_password = str(ht.to_string()).split(":")[1][:-3]`
			`return username + ":" + hashed_password`

Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00
			`def load_extra_config(extra_config_dir):`
Traefik config files are .toml 2020-06-02 19:09:19 +03:00			`extra_configs = sorted(glob(os.path.join(extra_config_dir, '*.toml')))`
Refactor 2020-06-02 11:38:32 +03:00			`# Load the toml list of files into dicts and merge them`
Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00			`config = toml.load(extra_configs)`
Allow extra traefik config 2020-05-29 17:59:20 +03:00			`return config`
move generating traefik basic auth to traefik.py compute this when we write the template, not when we load config 2019-02-22 10:53:36 +01:00
Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`def ensure_traefik_config(state_dir):`
			`"""Render the traefik.toml config file"""`
Refactor 2020-06-02 11:38:32 +03:00			`traefik_std_config_file = os.path.join(state_dir, "traefik.toml")`
			`traefik_extra_config_dir = os.path.join(CONFIG_DIR, "traefik_config.d")`
Ensure dynamic config dir exists 2020-06-18 17:44:12 +03:00			`traefik_dynamic_config_dir = os.path.join(state_dir, "rules")`
Refactor 2020-06-02 11:38:32 +03:00
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`config = load_config()`
move generating traefik basic auth to traefik.py compute this when we write the template, not when we load config 2019-02-22 10:53:36 +01:00			`config['traefik_api']['basic_auth'] = compute_basic_auth(`
			`config['traefik_api']['username'],`
			`config['traefik_api']['password'],`
			`)`

Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`with open(os.path.join(os.path.dirname(__file__), "traefik.toml.tpl")) as f:`
			`template = Template(f.read())`
Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00			`std_config = template.render(config)`
Add traefik in front of CHP introduces configuration for manual tls and letsencrypt 2018-07-21 00:20:29 -07:00			`https = config["https"]`
			`letsencrypt = https["letsencrypt"]`
			`tls = https["tls"]`
			`# validate https config`
			`if https["enabled"]:`
			`if not tls["cert"] and not letsencrypt["email"]:`
			`raise ValueError(`
			`"To enable https, you must set tls.cert+key or letsencrypt.email+domains"`
			`)`
			`if (letsencrypt["email"] and not letsencrypt["domains"]) or (`
			`letsencrypt["domains"] and not letsencrypt["email"]`
			`):`
			`raise ValueError("Both email and domains must be set for letsencrypt")`
Allow extra traefik config 2020-05-29 17:59:20 +03:00
Ensure dynamic config dir exists 2020-06-18 17:44:12 +03:00			`# Ensure traefik extra static config dir exists and is private`
Refactor 2020-06-02 11:38:32 +03:00			`os.makedirs(traefik_extra_config_dir, mode=0o700, exist_ok=True)`
Allow extra traefik config 2020-05-29 17:59:20 +03:00
Ensure dynamic config dir exists 2020-06-18 17:44:12 +03:00			`# Ensure traefik dynamic config dir exists and is private`
			`os.makedirs(traefik_dynamic_config_dir, mode=0o700, exist_ok=True)`

Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00			`try:`
			`# Load standard config file merge it with the extra config files into a dict`
			`extra_config = load_extra_config(traefik_extra_config_dir)`
			`new_toml = _merge_dictionaries(toml.loads(std_config), extra_config)`
			`except FileNotFoundError:`
			`new_toml = toml.loads(std_config)`
Allow extra traefik config 2020-05-29 17:59:20 +03:00
Refactor 2020-06-02 11:38:32 +03:00			`# Dump the dict into a toml-formatted string and write it to file`
			`with open(traefik_std_config_file, "w") as f:`
Fixed some issues 2019-02-11 09:24:16 +02:00			`os.fchmod(f.fileno(), 0o600)`
Use merge func instead for multi level dicts 2020-06-08 11:41:22 +03:00			`toml.dump(new_toml, f)`
grant traefik write access to state/acme.json and ensure the file exists and is private before launching 2018-07-30 15:26:09 +02:00
Ensure dynamic config dir exists 2020-06-18 17:44:12 +03:00			`with open(os.path.join(traefik_dynamic_config_dir, "rules.toml"), "w") as f:`
Fixed some issues 2019-02-11 09:24:16 +02:00			`os.fchmod(f.fileno(), 0o600)`
Replace chp with traefik-proxy 2019-01-22 16:24:38 +02:00
grant traefik write access to state/acme.json and ensure the file exists and is private before launching 2018-07-30 15:26:09 +02:00			`# ensure acme.json exists and is private`
			`with open(os.path.join(state_dir, "acme.json"), "a") as f:`
			`os.fchmod(f.fileno(), 0o600)`