Compare commits

..

10 Commits

Author SHA1 Message Date
bf913bc358 migrate to envoy in progress... 2023-02-28 01:29:06 +01:00
a5f126a510 Updated port 2023-02-25 02:01:59 +01:00
d8fd717c92 Added metrics endpoint 2023-02-06 03:18:32 +01:00
07a137df8f fixes 2022-12-16 01:00:36 +01:00
7fb75167d4 Added wait-for-it.sh script 2022-12-06 06:16:56 +01:00
85377e241b deploy script fix 2022-12-02 22:39:13 +01:00
933dfbced6 Updated README.md 2022-12-02 22:17:05 +01:00
9d46b89873 fixes 2022-12-02 22:04:41 +01:00
1c68b310b7 Migrated to traefik proxy 2022-11-30 02:22:50 +01:00
943b1cb30e fixes 2022-11-13 03:34:53 +01:00
17 changed files with 291 additions and 172 deletions

View File

@ -1,8 +1,18 @@
FROM nginx:alpine
FROM envoyproxy/envoy:v1.22.8
LABEL author="Piotr Biernat"
LABEL service="api-gw"
LABEL vendor="Egommerce"
LABEL version="1.0"
ARG BUILD_TIME
COPY ./data/etc/nginx/ /etc/nginx/
LABEL dev.egommerce.image.author="Piotr Biernat"
LABEL dev.egommerce.image.vendor="Egommerce"
LABEL dev.egommerce.image.service="api-gateway"
LABEL dev.egommerce.image.version="1.0"
LABEL dev.egommerce.image.build_time=${BUILD_TIME}
COPY ./api-gateway/etc /etc/envoy
# COPY ./api-gateway/plugins /plugins-local
COPY ./api-gateway/entrypoint.sh ./api-gateway/wait-for-it.sh /
ENTRYPOINT ["/entrypoint.sh"]
CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]
EXPOSE 443 8080

View File

@ -1,12 +1,3 @@
# apigw-service
# API Gateway
API Gateway - simple Nginx image with pre-configured reverse proxy's
Generowanie Klucza autoryzacji
$ openssl rand -base64 24
Budowanie obrazu:
$ sh deploy/image-build.sh
Opublikowanie obrazu:
$ sh deploy/image-push.sh
API Gateway - API Gateway based on Envoy service

36
api-gateway/entrypoint.sh Executable file
View File

@ -0,0 +1,36 @@
#!/bin/sh
set +e
waitForService()
{
./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
status=$?
while [ $status != 0 ]
do
echo "[x] wating for $1..."
sleep 1
./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
status=$?
done
}
# waitForService "api-registry:8500"
set -e
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- envoy "$@"
fi
# if our command is a valid Envoy subcommand, let's invoke it through Envoy instead
# (this allows for "docker run envoy version", etc)
if envoy "$1" --help >/dev/null 2>&1
then
set -- envoy "$@"
else
echo "= '$1' is not a Envoy command: assuming shell execution." 1>&2
fi
# echo "Executing: $@"
exec "$@"

23
api-gateway/etc/cds.yaml Normal file
View File

@ -0,0 +1,23 @@
resources:
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
name: example_proxy_cluster
type: STRICT_DNS
typed_extension_protocol_options:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
explicit_http_config:
http2_protocol_options: {}
load_assignment:
cluster_name: example_proxy_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: www.envoyproxy.io
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: www.envoyproxy.io

View File

@ -0,0 +1,12 @@
dynamic_resources:
cds_config:
path: /etc/envoy/cds.yaml
lds_config:
path: /etc/envoy/lds.yaml
admin:
address:
socket_address:
address: 0.0.0.0
port_value: 8080

29
api-gateway/etc/lds.yaml Normal file
View File

@ -0,0 +1,29 @@
resources:
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 8443
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
- name: envoy.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains:
- "*"
routes:
- match:
prefix: "/"
route:
host_rewrite_literal: www.envoyproxy.io
cluster: example_proxy_cluster

165
api-gateway/wait-for-it.sh Executable file
View File

@ -0,0 +1,165 @@
#!/usr/bin/env sh
# Use this script to test if a given TCP host/port are available
set -e
cmdname=$(basename "$0")
echoerr() {
if [ "$QUIET" -ne 1 ]; then
printf "%s\n" "$*" 1>&2;
fi
}
usage()
{
exitcode="$1"
cat << USAGE >&2
Usage:
$cmdname host:port [-s] [-t timeout] [-- command args]
-h HOST | --host=HOST Host or IP under test
-p PORT | --port=PORT TCP port under test
Alternatively, you specify the host and port as host:port
-s | --strict Only execute subcommand if the test succeeds
-q | --quiet Don't output any status messages
-t TIMEOUT | --timeout=TIMEOUT
Timeout in seconds, zero for no timeout
-- COMMAND ARGS Execute command with args after the test finishes
USAGE
exit "$exitcode"
}
wait_for()
{
if [ "$TIMEOUT" -gt 0 ]; then
echoerr "$cmdname: waiting $TIMEOUT seconds for $HOST:$PORT"
else
echoerr "$cmdname: waiting for $HOST:$PORT without a timeout"
fi
start_ts=$(date +%s)
while true
do
nc -z "$HOST" "$PORT" >/dev/null 2>&1
result=$?
if [ $result -eq 0 ]; then
end_ts=$(date +%s)
echoerr "$cmdname: $HOST:$PORT is available after $((end_ts - start_ts)) seconds"
break
fi
sleep 1
done
return $result
}
wait_for_wrapper()
{
# In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
if [ "$QUIET" -eq 1 ]; then
timeout "$TIMEOUT" "$0" -q -child "$HOST":"$PORT" -t "$TIMEOUT" &
else
timeout "$TIMEOUT" "$0" --child "$HOST":"$PORT" -t "$TIMEOUT" &
fi
PID=$!
trap 'kill -INT -$PID' INT
wait $PID
RESULT=$?
if [ $RESULT -ne 0 ]; then
echoerr "$cmdname: timeout occurred after waiting $TIMEOUT seconds for $HOST:$PORT"
fi
return $RESULT
}
TIMEOUT=15
STRICT=0
CHILD=0
QUIET=0
# process arguments
while [ $# -gt 0 ]
do
case "$1" in
*:* )
HOST=$(printf "%s\n" "$1"| cut -d : -f 1)
PORT=$(printf "%s\n" "$1"| cut -d : -f 2)
shift 1
;;
--child)
CHILD=1
shift 1
;;
-q | --quiet)
QUIET=1
shift 1
;;
-s | --strict)
STRICT=1
shift 1
;;
-h)
HOST="$2"
if [ "$HOST" = "" ]; then break; fi
shift 2
;;
--host=*)
HOST=$(printf "%s" "$1" | cut -d = -f 2)
shift 1
;;
-p)
PORT="$2"
if [ "$PORT" = "" ]; then break; fi
shift 2
;;
--port=*)
PORT="${1#*=}"
shift 1
;;
-t)
TIMEOUT="$2"
if [ "$TIMEOUT" = "" ]; then break; fi
shift 2
;;
--timeout=*)
TIMEOUT="${1#*=}"
shift 1
;;
--)
shift
break
;;
--help)
usage 0
;;
*)
echoerr "Unknown argument: $1"
usage 1
;;
esac
done
if [ "$HOST" = "" -o "$PORT" = "" ]; then
echoerr "Error: you need to provide a host and port to test."
usage 2
fi
if [ $CHILD -gt 0 ]; then
wait_for
RESULT=$?
exit $RESULT
else
if [ "$TIMEOUT" -gt 0 ]; then
wait_for_wrapper
RESULT=$?
else
wait_for
RESULT=$?
fi
fi
if [ "$*" != "" ]; then
if [ $RESULT -ne 0 -a $STRICT -eq 1 ]; then
echoerr "$cmdname: strict mode, refusing to execute subprocess"
exit $RESULT
fi
exec "$@"
else
exit $RESULT
fi

View File

@ -1,43 +0,0 @@
include apigw_backends.conf;
include apigw_keys.conf;
server {
access_log /var/log/nginx/apigw_access.log main;
error_log /var/log/nginx/apigw_error.log warn;
listen 80;
# listen 443 ssl;
# server_name apigw_svc; # container name from stack config
# server_name api.example.com;
# TLS config
# ssl_certificate /etc/ssl/certs/apigw.example.com.crt;
# ssl_certificate_key /etc/ssl/private/apigw.example.com.key;
# ssl_session_cache shared:SSL:10m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_protocols TLSv1.2 TLSv1.3;
# API definitions, one per file
include apigw_conf.d/*.conf;
# Error responses
# error_page 404 = @400; # Treat invalid paths as bad requests
proxy_intercept_errors on; # Do not send backend errors to client
include apigw_json_errors.conf; # API client-friendly JSON errors
default_type application/json; # If no content-type, assume JSON
# API key validation
location = /_validate_apikey {
internal;
if ($http_apikey = "") {
return 401; # Unauthorized
}
if ($apigw_client_name = "") {
return 403; # Forbidden
}
return 204; # OK (no content)
}
}

View File

@ -1,9 +0,0 @@
upstream identity_api {
# zone inventory_service 64k;
server identity_svc:8080; # container name from stack config
}
upstream basket_api {
# zone pricing_service 64k;
server basket_svc:8080; # container name from stack config
}

View File

@ -1,14 +0,0 @@
# Basket API
#
location /api/basket/ {
access_log /var/log/nginx/basket_access.log main;
error_log /var/log/nginx/basket_error.log warn;
auth_request /_validate_apikey;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header User-Agent "api-gw"; # TMP - FIXME
proxy_pass http://basket_api/;
}

View File

@ -1,32 +0,0 @@
# Identity API
#
location /api/identity/ {
access_log /var/log/nginx/identity_access.log main;
error_log /var/log/nginx/identity_error.log warn;
auth_request /_validate_apikey;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header User-Agent "egommerce-api-gateway/0.1"; # TMP - FIXME
proxy_pass http://identity_api/;
}
# # URI routing
# #
# location = /api/warehouse/inventory { # Complete inventory
# proxy_pass http://warehouse_inventory;
# }
# location ~ ^/api/warehouse/inventory/shelf/[^/]+$ { # Shelf inventory
# proxy_pass http://warehouse_inventory;
# }
# location ~ ^/api/warehouse/inventory/shelf/[^/]+/box/[^/]+$ { # Box on shelf
# proxy_pass http://warehouse_inventory;
# }
# location ~ ^/api/warehouse/pricing/[^/]+$ { # Price for specific item
# proxy_pass http://warehouse_pricing;
# }

View File

@ -1,11 +0,0 @@
error_page 400 = @400;
location @400 { return 400 '{"status":400,"message":"Bad request"}\n'; }
error_page 401 = @401;
location @401 { return 401 '{"status":401,"message":"Unauthorized"}\n'; }
error_page 403 = @403;
location @403 { return 403 '{"status":403,"message":"Forbidden"}\n'; }
error_page 404 = @404;
location @404 { return 404 '{"status":404,"message":"Resource not found"}\n'; }

View File

@ -1,9 +0,0 @@
map $http_apikey $apigw_client_name {
default "";
"R7HVf14WE5m4d5L3uv2sZU8Y" "identity_api";
"fd7uAN3/GKIfvFrOdfEAoo1y" "basket_api";
}
# $ openssl rand -base64 18
# 7B5zIqmRGXmrJTFmKa99vcit

View File

@ -1,32 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/apigw.conf;
}

View File

@ -1,16 +1,17 @@
#!/bin/sh
# RUN IN REPO ROOT DIR !!
export IMAGE_NAME="git.pbiernat.dev/egommerce/apigw-svc"
export IMAGE_NAME="git.pbiernat.dev/egommerce/api-gateway"
export BUILD_TIME=$(date +"%Y%m%d%H%M%S")
TARGET=${1:-latest}
echo "Building: $IMAGE_NAME:$TARGET"
if [ $TARGET = "dev" ]
then
docker build --rm --no-cache -t "$IMAGE_NAME:dev" . >/dev/null 2>&1
docker build --build-arg BUILD_TIME --rm --no-cache -t "$IMAGE_NAME:dev" . # >/dev/null 2>&1
else
docker build --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
docker build --build-arg BUILD_TIME --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
fi
echo "Done."

View File

@ -1,7 +1,9 @@
#!/bin/sh
# RUN IN REPO ROOT DIR !!
export IMAGE_NAME="git.pbiernat.dev/egommerce/apigw-svc"
export IMAGE_NAME="git.pbiernat.dev/egommerce/api-gateway"
TARGET=${1:-latest}
echo $DOCKER_PASSWORD | docker login git.pbiernat.dev -u $DOCKER_USERNAME --password-stdin
docker push "$IMAGE_NAME:latest"
docker push "$IMAGE_NAME:$TARGET"

0
test
View File