Enable single-level DNS domains (*.domain.tld) in SINGLE_PORT mode to simplify HTTPS setup (#8983)

Enable single-level DNS domains (*.domain.tld) in SINGLE_PORT mode to simplify HTTPS setup. Use whole folder for traefik conf to inject SSL certificates and custom configuration. CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS to che.env. Signed-off-by: Hanno Kolvenbach <kolvenbach@silexica.com>
2018-04-03 12:50:58 +02:00 · 2018-04-03 12:50:58 +02:00 · 3d841d5a2e
parent 2ae3c357c5
commit 3d841d5a2e
7 changed files with 35 additions and 15 deletions
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
@ -471,3 +471,6 @@ che.infra.openshift.tls_enabled=false
 # Single port mode wildcard domain host & port. nip.io is used by default
 che.singleport.wildcard_domain.host=NULL
 che.singleport.wildcard_domain.port=NULL
+
+# Enable single port custom DNS without inserting the IP
+che.singleport.wildcard_domain.ipless=false
--- a/dockerfiles/init/manifests/che.env
+++ b/dockerfiles/init/manifests/che.env
@ -249,6 +249,10 @@ CHE_SINGLE_PORT=false
 #CHE_SINGLEPORT_WILDCARD__DOMAIN_HOST=NULL
 #CHE_SINGLEPORT_WILDCARD__DOMAIN_PORT=NULL

+# IP-less wildcard dns in single mode. This needs a *.domain.tld DNS entry. (Use it instead of
+# nip.io)
+#CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS=false
+
 # Default rewriter for URLs in links.
 # This variable is automatically overridden in single port mode.
 #CHE_INFRA_DOCKER_URL__REWRITER=DEFAULT
--- a/dockerfiles/init/manifests/che.pp
+++ b/dockerfiles/init/manifests/che.pp
@ -40,6 +40,7 @@ node default {
  #
  $che_single_port = getValue("CHE_SINGLE_PORT","false")
  $che_single_port_wildcard_domain_host = getValue("CHE_SINGLEPORT_WILDCARD__DOMAIN_HOST","nip.io")
+  $che_single_port_wildcard_domain_ipless = getValue("CHE_SINGLEPORT_WILDCARD__DOMAIN_IPLESS","false")

  ###############################
  # Che multiuser
--- a/dockerfiles/init/modules/che/templates/che.env.erb
+++ b/dockerfiles/init/modules/che/templates/che.env.erb
@ -90,7 +90,9 @@ CHE_WORKSPACE_HTTP__PROXY__JAVA__OPTIONS=<% if ! @http_proxy_for_che_workspaces.
 CHE_INFRA_DOCKER_URL__REWRITER=singleport

 <% if scope.lookupvar('che::che_multiuser') == 'true' -%>
-<% if ! @che_docker_ip_external.empty? -%>
+<% if scope.lookupvar('che::che_single_port') == 'true' and scope.lookupvar('che::che_single_port_wildcard_domain_ipless') == 'true' -%>
+CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>/auth
+<% elsif ! @che_docker_ip_external.empty? -%>
 CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak.<%= scope.lookupvar('che::che_docker_ip_external') -%>.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>:<%= scope.lookupvar('che::che_port') -%>/auth
 <% else -%>
 CHE_KEYCLOAK_AUTH__SERVER__URL=http://keycloak.<%= scope.lookupvar('che::docker_ip') -%>.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>:<%= scope.lookupvar('che::che_port') -%>/auth
--- a/dockerfiles/init/modules/compose/templates/docker-compose.yml.erb
+++ b/dockerfiles/init/modules/compose/templates/docker-compose.yml.erb
@ -100,7 +100,7 @@ services:
 <% end -%>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - '<%= scope.lookupvar('che::che_instance') -%>/config/traefik/traefik.toml:/etc/traefik/traefik.toml'
+      - '<%= scope.lookupvar('che::che_instance') -%>/config/traefik:/etc/traefik'
    restart: always
 <% end -%>

@ -168,7 +168,9 @@ services:
    labels:
      traefik.keycloak.frontend.entryPoints: "http"
      traefik.keycloak.port: "8080"
-<% if ! @che_docker_ip_external.empty? -%>
+<% if scope.lookupvar('che::che_single_port') == 'true' and scope.lookupvar('che::che_single_port_wildcard_domain_ipless') == 'true' -%>
+      traefik.keycloak.frontend.rule: "Host:keycloak.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>"
+<% elsif ! @che_docker_ip_external.empty? -%>
      traefik.keycloak.frontend.rule: "Host:keycloak.<%= scope.lookupvar('che::che_docker_ip_external') -%>.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>"
 <% else -%>
      traefik.keycloak.frontend.rule: "Host:keycloak.<%= scope.lookupvar('che::docker_ip') -%>.<%= scope.lookupvar('che::che_single_port_wildcard_domain_host') -%>"
--- a/infrastructures/docker/infrastructure/src/main/java/org/eclipse/che/workspace/infrastructure/docker/provisioner/labels/SinglePortLabelsProvisioner.java
+++ b/infrastructures/docker/infrastructure/src/main/java/org/eclipse/che/workspace/infrastructure/docker/provisioner/labels/SinglePortLabelsProvisioner.java
@ -94,10 +94,12 @@ public class SinglePortLabelsProvisioner implements ConfigurationProvisioner {
   * exec-agent-http-dev-machine-workspaceao6k83hkdav975g5
   */
  private String getServiceName(String host) {
-    int idx =
-        (externalIpOfContainers != null && host.contains(externalIpOfContainers))
-            ? host.indexOf(externalIpOfContainers)
-            : host.indexOf(internalIpOfContainers);
-    return host.substring(0, idx - 1).replaceAll("\\.", "-");
+    int idx = host.indexOf(".");
+    if (idx > 1) {
+      return host.substring(0, idx - 1);
+    } else {
+      // the hostname does not contain the external or internal IPs (or in general any dots)
+      return host;
+    }
  }
 }
--- a/infrastructures/docker/infrastructure/src/main/java/org/eclipse/che/workspace/infrastructure/docker/server/mapping/SinglePortHostnameBuilder.java
+++ b/infrastructures/docker/infrastructure/src/main/java/org/eclipse/che/workspace/infrastructure/docker/server/mapping/SinglePortHostnameBuilder.java
@ -22,7 +22,7 @@ import org.eclipse.che.inject.ConfigurationException;

 /**
 * Produces host names in form:
- * [serverName].[machineName].[workspaceId].<external_or_internal_address>.<wildcardNipDomain> If
+ * [serverName]-[machineName]-[workspaceId].<external_or_internal_address>.<wildcardNipDomain> If
 * some of the server name or machine name or workspace id is null, they will be not included.
 *
 * @author Max Shaposhnik (mshaposh@redhat.com)
@ -54,7 +54,7 @@ public class SinglePortHostnameBuilder {
   * @return composite hostname
   */
  public String build(String serverName, String machineName, String workspaceID) {
-    StringJoiner joiner = new StringJoiner(".");
+    StringJoiner joiner = new StringJoiner("-");
    if (serverName != null) {
      joiner.add(normalize(serverName));
    }
@ -64,18 +64,24 @@ public class SinglePortHostnameBuilder {
    if (workspaceID != null) {
      joiner.add(normalize(workspaceID));
    }
-    joiner.add(wildcardDomain);
-    return joiner.toString();
+    return joiner.toString() + "." + wildcardDomain;
  }

  /**
-   * Gets a Wildcard domain based on the ip using an external provider like nip.io
+   * Gets a Wildcard domain based on the ip using an external provider like nip.io or by providing
+   * an IP-less DNS yourself
   *
   * @return wildcard domain
   */
  private String getWildcardDomain(String localAddress, String wildcardHost) {
-    return String.format(
-        "%s.%s", getExternalIp(localAddress), wildcardHost == null ? "nip.io" : wildcardHost);
+    if (wildcardHost == null) {
+      return String.format("%s.%s", getExternalIp(localAddress), "nip.io");
+    } else if (wildcardHost.contains("nip.io") || wildcardHost.contains("xip.io")) {
+      return String.format("%s.%s", getExternalIp(localAddress), wildcardHost);
+    } else {
+      // IP-less DNS
+      return wildcardHost;
+    }
  }

  private String getExternalIp(String localAddress) {