Merge branch 'develop'

Reviewed-on: https://git.pbiernat.dev/egommerce/apigw-service/pulls/1

Dockerfile

@@ -1,18 +1,8 @@
-FROM envoyproxy/envoy:v1.22.8
+FROM nginx:alpine
 
-ARG BUILD_TIME
+LABEL author="Piotr Biernat"
+LABEL service="api-gw"
+LABEL vendor="Egommerce"
+LABEL version="1.0"
 
-LABEL dev.egommerce.image.author="Piotr Biernat"
-LABEL dev.egommerce.image.vendor="Egommerce"
-LABEL dev.egommerce.image.service="api-gateway"
-LABEL dev.egommerce.image.version="1.0"
-LABEL dev.egommerce.image.build_time=${BUILD_TIME}
-
-COPY ./api-gateway/etc /etc/envoy
-# COPY ./api-gateway/plugins /plugins-local
-COPY ./api-gateway/entrypoint.sh ./api-gateway/wait-for-it.sh /
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]
-
-EXPOSE 443 8080
+COPY ./data/etc/nginx/ /etc/nginx/

README.md

@@ -1,3 +1,12 @@
-# API Gateway
+# apigw-service
 
-API Gateway - API Gateway based on Envoy service
+API Gateway - simple Nginx image with pre-configured reverse proxy's
+
+Generowanie Klucza autoryzacji
+$ openssl rand -base64 24
+
+Budowanie obrazu: 
+$ sh deploy/image-build.sh
+
+Opublikowanie obrazu:
+$ sh deploy/image-push.sh

api-gateway/entrypoint.sh

@@ -1,36 +0,0 @@
-#!/bin/sh
-set +e 
-
-waitForService()
-{
-    ./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
-    status=$?
-    while [ $status != 0 ]
-    do
-        echo "[x] wating for $1..."
-        sleep 1
-        ./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
-        status=$?
-    done
-}
-
-# waitForService "api-registry:8500"
-
-set -e
-
-# first arg is `-f` or `--some-option`
-if [ "${1#-}" != "$1" ]; then
-    set -- envoy "$@"
-fi
-
-# if our command is a valid Envoy subcommand, let's invoke it through Envoy instead
-# (this allows for "docker run envoy version", etc)
-if envoy "$1" --help >/dev/null 2>&1
-then
-    set -- envoy "$@"
-else
-    echo "= '$1' is not a Envoy command: assuming shell execution." 1>&2
-fi
-
-# echo "Executing: $@"
-exec "$@"

api-gateway/etc/cds.yaml

@@ -1,23 +0,0 @@
-resources:
-- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
-  name: example_proxy_cluster
-  type: STRICT_DNS
-  typed_extension_protocol_options:
-    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
-      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
-      explicit_http_config:
-        http2_protocol_options: {}
-  load_assignment:
-    cluster_name: example_proxy_cluster
-    endpoints:
-    - lb_endpoints:
-      - endpoint:
-          address:
-            socket_address:
-              address: www.envoyproxy.io
-              port_value: 443
-  transport_socket:
-    name: envoy.transport_sockets.tls
-    typed_config:
-      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-      sni: www.envoyproxy.io

api-gateway/etc/envoy.yaml

@@ -1,12 +0,0 @@
-dynamic_resources:
-  cds_config:
-    path: /etc/envoy/cds.yaml
-  lds_config:
-    path: /etc/envoy/lds.yaml
-
-admin:
-  address:
-    socket_address:
-      address: 0.0.0.0
-      port_value: 8080
-

api-gateway/etc/lds.yaml

@@ -1,29 +0,0 @@
-resources:
-- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
-  name: listener_0
-  address:
-    socket_address:
-      address: 0.0.0.0
-      port_value: 8443
-  filter_chains:
-  - filters:
-    - name: envoy.http_connection_manager
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
-        stat_prefix: ingress_http
-        http_filters:
-        - name: envoy.router
-          typed_config:
-            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-        route_config:
-          name: local_route
-          virtual_hosts:
-          - name: local_service
-            domains:
-            - "*"
-            routes:
-            - match:
-                prefix: "/"
-              route:
-                host_rewrite_literal: www.envoyproxy.io
-                cluster: example_proxy_cluster

api-gateway/wait-for-it.sh

@@ -1,165 +0,0 @@
-#!/usr/bin/env sh
-#   Use this script to test if a given TCP host/port are available
-
-set -e
-
-cmdname=$(basename "$0")
-
-echoerr() {
-    if [ "$QUIET" -ne 1 ]; then
-        printf "%s\n" "$*" 1>&2;
-    fi
-}
-
-usage()
-{
-    exitcode="$1"
-    cat << USAGE >&2
-Usage:
-    $cmdname host:port [-s] [-t timeout] [-- command args]
-    -h HOST | --host=HOST       Host or IP under test
-    -p PORT | --port=PORT       TCP port under test
-                                Alternatively, you specify the host and port as host:port
-    -s | --strict               Only execute subcommand if the test succeeds
-    -q | --quiet                Don't output any status messages
-    -t TIMEOUT | --timeout=TIMEOUT
-                                Timeout in seconds, zero for no timeout
-    -- COMMAND ARGS             Execute command with args after the test finishes
-USAGE
-    exit "$exitcode"
-}
-
-wait_for()
-{
-    if [ "$TIMEOUT" -gt 0 ]; then
-        echoerr "$cmdname: waiting $TIMEOUT seconds for $HOST:$PORT"
-    else
-        echoerr "$cmdname: waiting for $HOST:$PORT without a timeout"
-    fi
-    start_ts=$(date +%s)
-    while true
-    do
-        nc -z "$HOST" "$PORT" >/dev/null 2>&1
-        result=$?
-        if [ $result -eq 0 ]; then
-            end_ts=$(date +%s)
-            echoerr "$cmdname: $HOST:$PORT is available after $((end_ts - start_ts)) seconds"
-            break
-        fi
-        sleep 1
-    done
-    return $result
-}
-
-wait_for_wrapper()
-{
-    # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
-    if [ "$QUIET" -eq 1 ]; then
-        timeout "$TIMEOUT" "$0" -q -child "$HOST":"$PORT" -t "$TIMEOUT" &
-    else
-        timeout "$TIMEOUT" "$0" --child "$HOST":"$PORT" -t "$TIMEOUT" &
-    fi
-    PID=$!
-    trap 'kill -INT -$PID' INT
-    wait $PID
-    RESULT=$?
-    if [ $RESULT -ne 0 ]; then
-        echoerr "$cmdname: timeout occurred after waiting $TIMEOUT seconds for $HOST:$PORT"
-    fi
-    return $RESULT
-}
-
-TIMEOUT=15
-STRICT=0
-CHILD=0
-QUIET=0
-# process arguments
-while [ $# -gt 0 ]
-do
-    case "$1" in
-        *:* )
-        HOST=$(printf "%s\n" "$1"| cut -d : -f 1)
-        PORT=$(printf "%s\n" "$1"| cut -d : -f 2)
-        shift 1
-        ;;
-        --child)
-        CHILD=1
-        shift 1
-        ;;
-        -q | --quiet)
-        QUIET=1
-        shift 1
-        ;;
-        -s | --strict)
-        STRICT=1
-        shift 1
-        ;;
-        -h)
-        HOST="$2"
-        if [ "$HOST" = "" ]; then break; fi
-        shift 2
-        ;;
-        --host=*)
-        HOST=$(printf "%s" "$1" | cut -d = -f 2)
-        shift 1
-        ;;
-        -p)
-        PORT="$2"
-        if [ "$PORT" = "" ]; then break; fi
-        shift 2
-        ;;
-        --port=*)
-        PORT="${1#*=}"
-        shift 1
-        ;;
-        -t)
-        TIMEOUT="$2"
-        if [ "$TIMEOUT" = "" ]; then break; fi
-        shift 2
-        ;;
-        --timeout=*)
-        TIMEOUT="${1#*=}"
-        shift 1
-        ;;
-        --)
-        shift
-        break
-        ;;
-        --help)
-        usage 0
-        ;;
-        *)
-        echoerr "Unknown argument: $1"
-        usage 1
-        ;;
-    esac
-done
-
-if [ "$HOST" = "" -o "$PORT" = "" ]; then
-    echoerr "Error: you need to provide a host and port to test."
-    usage 2
-fi
-
-if [ $CHILD -gt 0 ]; then
-    wait_for
-    RESULT=$?
-    exit $RESULT
-else
-    if [ "$TIMEOUT" -gt 0 ]; then
-        wait_for_wrapper
-        RESULT=$?
-    else
-        wait_for
-        RESULT=$?
-    fi
-fi
-
-if [ "$*" != "" ]; then
-    if [ $RESULT -ne 0 -a $STRICT -eq 1 ]; then
-        echoerr "$cmdname: strict mode, refusing to execute subprocess"
-        exit $RESULT
-    fi
-    exec "$@"
-else
-    exit $RESULT
-fi

data/etc/nginx/apigw.conf

@@ -0,0 +1,43 @@
+include apigw_backends.conf;
+include apigw_keys.conf;
+
+server {
+    access_log /var/log/nginx/apigw_access.log main;
+        error_log /var/log/nginx/apigw_error.log warn;
+
+    listen 80;
+    # listen 443 ssl;
+    # server_name apigw_svc; # container name from stack config
+    # server_name api.example.com;
+
+    # TLS config
+    # ssl_certificate      /etc/ssl/certs/apigw.example.com.crt;
+    # ssl_certificate_key  /etc/ssl/private/apigw.example.com.key;
+    # ssl_session_cache    shared:SSL:10m;
+    # ssl_session_timeout  5m;
+    # ssl_ciphers          HIGH:!aNULL:!MD5;
+    # ssl_protocols        TLSv1.2 TLSv1.3;
+
+    # API definitions, one per file
+    include apigw_conf.d/*.conf;
+
+    # Error responses
+    # error_page 404 = @400;         # Treat invalid paths as bad requests
+    proxy_intercept_errors on;     # Do not send backend errors to client
+    include apigw_json_errors.conf;  # API client-friendly JSON errors
+    default_type application/json; # If no content-type, assume JSON
+
+    # API key validation
+    location = /_validate_apikey {
+        internal;
+
+        if ($http_apikey = "") {
+            return 401; # Unauthorized
+        }
+        if ($apigw_client_name = "") {
+            return 403; # Forbidden
+        }
+
+        return 204; # OK (no content)
+    }
+}

data/etc/nginx/apigw_backends.conf

@@ -0,0 +1,9 @@
+upstream identity_api {
+    # zone inventory_service 64k;
+    server identity_svc:8080; # container name from stack config
+}
+
+upstream basket_api {
+    # zone pricing_service 64k;
+    server basket_svc:8080; # container name from stack config
+}

data/etc/nginx/apigw_conf.d/basket_api.conf

@@ -0,0 +1,14 @@
+# Basket API
+#
+location /api/basket/ {
+    access_log /var/log/nginx/basket_access.log main;
+    error_log /var/log/nginx/basket_error.log warn;
+    
+    auth_request /_validate_apikey;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header User-Agent "api-gw"; # TMP - FIXME
+    
+    proxy_pass http://basket_api/;
+}

data/etc/nginx/apigw_conf.d/identity_api.conf

@@ -0,0 +1,32 @@
+# Identity API
+#
+location /api/identity/ {
+    access_log /var/log/nginx/identity_access.log main;
+    error_log /var/log/nginx/identity_error.log warn;
+
+    auth_request /_validate_apikey;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header User-Agent "egommerce-api-gateway/0.1"; # TMP - FIXME
+
+    proxy_pass http://identity_api/;
+}
+
+# # URI routing
+# #
+# location = /api/warehouse/inventory { # Complete inventory
+#     proxy_pass http://warehouse_inventory;
+# }
+
+# location ~ ^/api/warehouse/inventory/shelf/[^/]+$ { # Shelf inventory
+#     proxy_pass http://warehouse_inventory;
+# }
+
+# location ~ ^/api/warehouse/inventory/shelf/[^/]+/box/[^/]+$ { # Box on shelf
+#     proxy_pass http://warehouse_inventory;
+# }
+
+# location ~ ^/api/warehouse/pricing/[^/]+$ { # Price for specific item
+#     proxy_pass http://warehouse_pricing;
+# }

data/etc/nginx/apigw_json_errors.conf

@@ -0,0 +1,11 @@
+error_page 400 = @400;
+location @400 { return 400 '{"status":400,"message":"Bad request"}\n'; }
+
+error_page 401 = @401;
+location @401 { return 401 '{"status":401,"message":"Unauthorized"}\n'; }
+
+error_page 403 = @403;
+location @403 { return 403 '{"status":403,"message":"Forbidden"}\n'; }
+
+error_page 404 = @404;
+location @404 { return 404 '{"status":404,"message":"Resource not found"}\n'; }

data/etc/nginx/apigw_keys.conf

@@ -0,0 +1,9 @@
+map $http_apikey $apigw_client_name {
+    default "";
+
+    "R7HVf14WE5m4d5L3uv2sZU8Y" "identity_api";
+    "fd7uAN3/GKIfvFrOdfEAoo1y" "basket_api";
+}
+
+# $ openssl rand -base64 18
+# 7B5zIqmRGXmrJTFmKa99vcit

data/etc/nginx/nginx.conf

@@ -0,0 +1,32 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/apigw.conf;
+}

deploy/image-build.sh

@@ -1,17 +1,16 @@
 #!/bin/sh
 # RUN IN REPO ROOT DIR !!
 
-export IMAGE_NAME="git.pbiernat.dev/egommerce/api-gateway"
-export BUILD_TIME=$(date +"%Y%m%d%H%M%S")
+export IMAGE_NAME="git.pbiernat.dev/egommerce/apigw-svc"
 
 TARGET=${1:-latest}
 
 echo "Building: $IMAGE_NAME:$TARGET"
 if [ $TARGET = "dev" ]
 then
-    docker build --build-arg BUILD_TIME --rm --no-cache -t "$IMAGE_NAME:dev" . # >/dev/null 2>&1
+    docker build --rm --no-cache -t "$IMAGE_NAME:dev" . >/dev/null 2>&1
 else
-    docker build --build-arg BUILD_TIME --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
+    docker build --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
 fi
 
 echo "Done."

deploy/image-push.sh

@@ -1,9 +1,7 @@
 #!/bin/sh
 # RUN IN REPO ROOT DIR !!
 
-export IMAGE_NAME="git.pbiernat.dev/egommerce/api-gateway"
-
-TARGET=${1:-latest}
+export IMAGE_NAME="git.pbiernat.dev/egommerce/apigw-svc"
 
 echo $DOCKER_PASSWORD | docker login git.pbiernat.dev -u $DOCKER_USERNAME --password-stdin
-docker push "$IMAGE_NAME:$TARGET"
+docker push "$IMAGE_NAME:latest"