Draft: Containerize and k8sitize Onionspray

Summary

This is a port of EOTK's pull request #110, updated and adapted to Onionspray.

Changes done in the original pull request

Features:

  • Add k8s kustomize definition.
  • Add a Dockerfile to facilitate HARICA's onion CSR validation.
  • Add Docker entrypoint script to handle initialization and secrets.
  • Add LOG_STDOUT config option for NGINX.
  • Modernize the build scripts for Docker.
  • Update Dockerfile for the main container.
  • Update Makefile with Docker build/test commands.
  • Update NGINX and Tor templates for the related changes.

Other:

  • Add a renovate config.
  • Update install details for docker/k8s.
  • Add helper files and references for environment setup.
  • Update some more docs, add proxy debugging notes.
  • Update docs.
  • Add modern dockerization.

Additional changes done in this merge request

General:

  • Paths have changed from EOTK to Onionspray:
    • All .d folders had this suffix removed.
    • Folder demo.d renamed to examples.
    • Moved the DH params template into templates/dhparams.pem.tmpl.
  • The documentation was also heavily changed, but the changes in the docs have been picked.

Tor:

  • ExportCircuitID support is already on Onionspray, disabled by default. This can be enabled on a per-project basis with set tor_export_circuit_id haproxy and set nginx_x_onion_circuit_id 1.

NGINX:

  • Upgraded Tor and OpenResty to recent versions.
  • OpenSSL upgraded to 3.4.1.
  • Renamed environment variable ONION_HEADER_SECRET to X_FROM_ONION_VALUE, defaulting to whatever is set with x_from_onion_value config param.
  • Parameter log_stdout was set to 0 by default (disabled).
  • Added log_json, set to 0 by default (disabled).
  • Simplified ExportCircuitID handling.

What needs to be done

General:

  • Testing and thorough review.
  • Cleaning up and some reorganizing.
  • Check why allow "unix:"; deny all; was removed.

NGINX:

  • Add CI tests for the container build.
  • Add CI tests for builds with ConfigureOpenRestyWithOpenSSL.
  • Only the Docker build script is invoking ConfigureOpenRestyWithOpenSSL, when this could be controlled by a setting also available for other build scripts. Need to decide how this setting should be controlled.

Containerization:

  • Needs to support Podman as well, and remove "dockerisms" when possible.
Edited by Silvio Rhatto