From 741e1f22e406fc258325e20b50333ebb34afd06f Mon Sep 17 00:00:00 2001
From: Piotr Biernat
Date: Sat, 20 Jul 2024 13:05:13 +0200
Subject: [PATCH] refactor
---
 api-registry/entrypoint.sh | 24 +++
 api-registry/etc/consul-template/catalog.hcl | 28 ++++
 api-registry/etc/consul/server.hcl | 130 +++++++++++++++
 api-registry/etc/server.json | 14 --
 api-registry/opt/tpl/ca.crt.tpl | 3 +
 api-registry/opt/tpl/catalog.crt.tpl | 3 +
 api-registry/opt/tpl/catalog.key.tpl | 3 +
 api-registry/wait-for-it.sh | 165 +++++++++++++++++++
 8 files changed, 356 insertions(+), 14 deletions(-)
 create mode 100755 api-registry/entrypoint.sh
 create mode 100644 api-registry/etc/consul-template/catalog.hcl
 create mode 100644 api-registry/etc/consul/server.hcl
 delete mode 100644 api-registry/etc/server.json
 create mode 100644 api-registry/opt/tpl/ca.crt.tpl
 create mode 100644 api-registry/opt/tpl/catalog.crt.tpl
 create mode 100644 api-registry/opt/tpl/catalog.key.tpl
 create mode 100755 api-registry/wait-for-it.sh
diff --git a/api-registry/entrypoint.sh b/api-registry/entrypoint.sh
new file mode 100755
index 0000000..b872c77
--- /dev/null
+++ b/api-registry/entrypoint.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+apk add zip
+
+# exec register-service
+update-ca-certificates
+echo -e "nameserver 127.0.0.1\n$(cat /etc/resolv.conf)" > /etc/resolv.conf
+
+# Install consul-template
+cd ~/ && curl -O https://releases.hashicorp.com/consul-template/0.19.5/consul-template_0.19.5_linux_amd64.zip && \
+unzip consul-template_0.19.5_linux_amd64.zip && \
+rm consul-template_0.19.5_linux_amd64.zip && cd -
+
+# Install glibc
+# apk add gcompat
+
+# Install Envoy
+# curl -L https://func-e.io/install.sh | sh -s -- -b /usr/local/bin
+# func-e use $ENVOY_VERSION_STRING
+# cp ~/.func-e/versions/$ENVOY_VERSION_STRING/bin/envoy /usr/local/bin/
+
+exec "$@"
diff --git a/api-registry/etc/consul-template/catalog.hcl b/api-registry/etc/consul-template/catalog.hcl
new file mode 100644
index 0000000..16fbef3
--- /dev/null
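Review bot: The consul-template archive fetched by `curl -O https://releases.hashicorp.com/consul-template/0.19.5/consul-template_0.19.5_linux_amd64.zip` is unzipped and shipped in the image with no integrity check, so a compromised mirror, CDN or build-network MITM hands you an arbitrary binary; HashiCorp publishes a `_SHA256SUMS` file (and a signature over it) next to every release, so verify before unzipping: `curl -fsSLO https://releases.hashicorp.com/consul-template/0.19.5/consul-template_0.19.5_SHA256SUMS && grep linux_amd64.zip consul-template_0.19.5_SHA256SUMS | sha256sum -c -`. Passing `-f` to curl matters on its own: without it an HTTP error page is saved under the zip's name and the failure surfaces as a confusing `unzip` error rather than a failed download. `echo -e` is not POSIX and this file is `#!/bin/sh` (busybox happens to accept it); `printf 'nameserver 127.0.0.1\n%s\n' "$(cat /etc/resolv.conf)" > /etc/resolv.conf` is the portable form. 0.19.5 also appears to be a several-years-old release, so confirm the pin is intentional rather than inherited.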
+++ b/api-registry/etc/consul-template/catalog.hcl
@@ -0,0 +1,28 @@
+
+#vault {
+# # root VAUL_TOKEN - PROD CHECK!
+# token = "hvs.CAESIA9jPKArVgpCNzvze9ehIiX2gKMnVgu0rtSUw54Wj9HQGh4KHGh2cy5LdmJVRnYzVkQ1UXhDU2FKaEFQMW5UTm0"
+# address = "https://api-vault:8200"
+# unwrap_token = false
+# renew_token = false
+#}
+
+template {
+ source = "/opt/consul/tpl/catalog.crt.tpl"
+ destination = "/opt/consul/certs/catalog.crt"
+ perms = 0700
+ command = "sh -c 'date && consul reload'"
+}
+
+template {
+ source = "/opt/consul/tpl/catalog.key.tpl"
+ destination = "/opt/consul/certs/catalog.key"
+ perms = 0700
+ command = "sh -c 'date && consul reload'"
+}
+
+template {
+ source = "/opt/consul/tpl/ca.crt.tpl"
+ destination = "/opt/consul/certs/ca.crt"
+ command = "sh -c 'date && consul reload'"
+}
diff --git a/api-registry/etc/consul/server.hcl b/api-registry/etc/consul/server.hcl
new file mode 100644
index 0000000..c66f077
--- /dev/null
+++ b/api-registry/etc/consul/server.hcl
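Review bot: The commented-out `vault` stanza still carries a literal `hvs.…` token (the comment itself calls it the root token), and once committed it lives in history regardless of the `#`, so treat it as leaked: revoke it, and pass the real token via `VAULT_TOKEN` in the environment or a Vault Agent sink rather than this file (the same literal appears in `server.hcl`). `perms = 0700` on the two rendered files sets the execute bit on a certificate and a private key, which is meaningless for files; `perms = 0600` for `catalog.key` and `0644` for the certificates is the usual choice. Each of the three templates runs its own `sh -c 'date && consul reload'` on render, so one rotation can trigger up to three reloads in quick succession; if that proves noisy, consul-template's `wait` setting or a single template block can coalesce them.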
@@ -0,0 +1,130 @@
+# Datacenter configuration
+datacenter = "ego"
+domain = "ego.io"
+node_name = "registry"
+
+data_dir = "/consul/data"
+log_level = "DEBUG"
+enable_local_script_checks = true
+
+# Server configuration
+server = true
+bootstrap = true
+bootstrap_expect = 1
+acl_master_token = "784746ec-0d5d-fb12-1a79-95f912dcaabd"
+acl_token = "784746ec-0d5d-fb12-1a79-95f912dcaabd"
+
+ui_config {
+ enabled = true
+}
+
+bind_addr = "127.0.0.1"
+client_addr = "0.0.0.0"
+
+ports {
+ dns = 53
+ server = 8300
+ https = 8501
+ grpc_tls = 8503
+}
+
+dns_config {
+ service_ttl {
+ "*" = "10s"
+ }
+ node_ttl = "0s"
+}
+
+#enable_central_service_config = true
+
+# Connect settings
+#connect {
+ #enabled = true
+ #ca_provider = "vault"
+ #ca_config {
+ # address = "https://api-vault:8200"
+ # token = "hvs.CAESIA9jPKArVgpCNzvze9ehIiX2gKMnVgu0rtSUw54Wj9HQGh4KHGh2cy5LdmJVRnYzVkQ1UXhDU2FKaEFQMW5UTm0"
+ # root_pki_path = "pki/"
+ # intermediate_pki_path = "pki_int/"
+ # ca_file = "/usr/local/share/ca-certificates/internalCA.crt"
+ #}
+#}
+
+# TLS Encryption configuration
+tls {
+ defaults {
+ ca_file = "/usr/local/share/ca-certificates/internalCA.crt"
+ cert_file = "/etc/certs/registry.crt"
+ key_file = "/etc/certs/registry.key"
+
+ verify_incoming = false
+ verify_outgoing = false
+ #verify_incoming = true
+ #verify_outgoing = true
+ }
+ internal_rpc {
+ verify_server_hostname = false
+ verify_incoming = false
+ #verify_server_hostname = true
+ #verify_incoming = true
+ }
+}
+
+auto_encrypt {
+ allow_tls = true
+}
+
+# ACL configuration
+# After startup, bootstrap the ACL system with `consul acl bootstrap` command
+acl = {
+ enabled = true
+ default_policy = "allow"
+ enable_token_persistence = true
+}
+
+# Gossip Encryption
+#encrypt = "tRgXSb6ClvzV1myhc75rWIdwx8tTmUI8UxySKecxiQA="
+
+# If running Consul 1.8.x or below, enable central service configuration
+#enable_central_service_config = true
+
+recursors = ["127.0.0.11", "8.8.8.8", "8.8.4.4"]
+
+#config_entries {
+ #bootstrap = [
+ #{
+ # Kind = "api-gateway"
+ # Name = "gw"
+
+ # Listeners = [
+ # {
+ # Name = "http"
+ # Port = 443
+ # Protocol = "http"
+ # }
+ # ]
+ #}
+ #{
+ # Kind = "service-defaults"
+ # Name = "defaults"
+ # Protocol = "http"
+ #},
+ #{
+ # Kind = "service-router"
+ # Name = "service-router"
+ # #Hostnames = ["catalog", "catalog-svc", "catalog.service.ego.io"]
+ # Routes = [
+ # {
+ # Match = {
+ # HTTP {
+ # PathPrefix = "/catalog"
+ # }
+ # }
+ # Destination {
+ # Service = "catalog"
+ # }
+ # }
+ # ]
+ #}
+ #]
+#}
\ No newline at end of file
diff --git a/api-registry/etc/server.json b/api-registry/etc/server.json
deleted file mode 100644
index ba08340..0000000
--- a/api-registry/etc/server.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "node_name": "api-registry",
- "server": true,
- "bootstrap" : true,
- "ui_config": {
- "enabled" : true
- },
- "data_dir": "/consul/data",
- "addresses": {
- "http" : "0.0.0.0"
- },
- "bind_addr": "0.0.0.0",
- "advertise_addr": "127.0.0.1"
-}
\ No newline at end of file
diff --git a/api-registry/opt/tpl/ca.crt.tpl b/api-registry/opt/tpl/ca.crt.tpl
new file mode 100644
index 0000000..b199ab6
--- /dev/null
+++ b/api-registry/opt/tpl/ca.crt.tpl
@@ -0,0 +1,3 @@
+{{ with secret "pki_int/issue/ego-io" "common_name=server.me.registry" "ttl=72h"}}
+{{ .Data.issuing_ca }}
+{{ end }}
diff --git a/api-registry/opt/tpl/catalog.crt.tpl b/api-registry/opt/tpl/catalog.crt.tpl
new file mode 100644
index 0000000..a1755b9
--- /dev/null
+++ b/api-registry/opt/tpl/catalog.crt.tpl
@@ -0,0 +1,3 @@
+{{ with secret "pki_int/issue/ego-io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}}
+{{ .Data.certificate }}
+{{ end }}
\ No newline at end of file
diff --git a/api-registry/opt/tpl/catalog.key.tpl b/api-registry/opt/tpl/catalog.key.tpl
new file mode 100644
index 0000000..7e45e1e
--- /dev/null
+++ b/api-registry/opt/tpl/catalog.key.tpl
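Review bot: `acl = { default_policy = "allow" }` together with a literal UUID in `acl_master_token`/`acl_token` means the ACL system is switched on but denies nothing, while the management token itself is now in git history for anyone who can read the repo; switch to `default_policy = "deny"`, take the UUID out of the file (the comment already points at `consul acl bootstrap`, and if a fixed bootstrap token is really wanted, `acl { tokens { initial_management = "…" } }` fed from the environment is the current home for it — the two top-level keys used here are the legacy, deprecated form as far as I recall) and treat the committed value as burned. `bootstrap = true` and `bootstrap_expect = 1` are set side by side, and Consul refuses to start when both are given (`'bootstrap_expect > 0' and 'bootstrap = true' are mutually exclusive`), so one of them has to go. In `tls`, `verify_incoming`, `verify_outgoing` and `verify_server_hostname` are all `false`, so the certificates configured just above are presented but never validated by either side; the `true` variants already sit there as comments, and `verify_outgoing = true` plus `verify_server_hostname = true` cost nothing once `ca_file` is trusted. The `hvs.…` Vault token in the commented `connect` block is the same literal as in catalog.hcl and needs revoking for the same reason, and `client_addr = "0.0.0.0"` with the UI enabled exposes all of this on every interface, which is acceptable only for a throwaway dev container.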
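Review bot: `secret "pki_int/issue/ego-io" "common_name=server.me.registry" "ttl=72h"` asks Vault to issue a brand-new certificate and private key on every render just so `.Data.issuing_ca` can be read out of the response; the issued key pair is thrown away but is still minted, audit-logged and counted against the role, and `server.me.registry` must be permitted by the role's allowed domains, which nothing here shows. Reading the CA from the mount's CA endpoint avoids the issuance entirely, e.g. `{{ with secret "pki_int/cert/ca" }}{{ .Data.certificate }}{{ end }}`. Note also that `issuing_ca` is only the intermediate; if consumers of `/opt/consul/certs/ca.crt` need the full chain, `.Data.ca_chain` from the issue response (or `pki_int/cert/ca_chain`) is what to write.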
@@ -0,0 +1,3 @@
+{{ with secret "pki_int/issue/ego-io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}}
+{{ .Data.private_key }}
+{{ end }}
diff --git a/api-registry/wait-for-it.sh b/api-registry/wait-for-it.sh
new file mode 100755
index 0000000..fff13c9
--- /dev/null
+++ b/api-registry/wait-for-it.sh
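Review bot: This template's `secret` call has to stay byte-for-byte identical to the one in catalog.crt.tpl: as far as I understand consul-template's dependency tracking, identical calls within one run are collapsed into a single Vault request, which is the only thing making the `private_key` written here match the `certificate` written there; any drift in `common_name`, `ttl`, `alt_names` or `ip_sans` would silently produce two independent issuances and a key that does not fit the cert. That coupling is invisible from either file alone, so add a comment at the top of both, e.g. `{{/* keep the secret arguments identical to catalog.crt.tpl: same call => same issued key pair */}}`.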
@@ -0,0 +1,165 @@
+#!/usr/bin/env sh
+# Use this script to test if a given TCP host/port are available
+
+set -e
+
+cmdname=$(basename "$0")
+
+echoerr() {
+ if [ "$QUIET" -ne 1 ]; then
+ printf "%s\n" "$*" 1>&2;
+ fi
+}
+
+usage()
+{
+ exitcode="$1"
+ cat << USAGE >&2
+Usage:
+ $cmdname host:port [-s] [-t timeout] [-- command args]
+ -h HOST | --host=HOST Host or IP under test
+ -p PORT | --port=PORT TCP port under test
+ Alternatively, you specify the host and port as host:port
+ -s | --strict Only execute subcommand if the test succeeds
+ -q | --quiet Don't output any status messages
+ -t TIMEOUT | --timeout=TIMEOUT
+ Timeout in seconds, zero for no timeout
+ -- COMMAND ARGS Execute command with args after the test finishes
+USAGE
+ exit "$exitcode"
+}
+
+wait_for()
+{
+ if [ "$TIMEOUT" -gt 0 ]; then
+ echoerr "$cmdname: waiting $TIMEOUT seconds for $HOST:$PORT"
+ else
+ echoerr "$cmdname: waiting for $HOST:$PORT without a timeout"
+ fi
+ start_ts=$(date +%s)
+ while true
+ do
+ nc -z "$HOST" "$PORT" >/dev/null 2>&1
+ result=$?
+ if [ $result -eq 0 ]; then
+ end_ts=$(date +%s)
+ echoerr "$cmdname: $HOST:$PORT is available after $((end_ts - start_ts)) seconds"
+ break
+ fi
+ sleep 1
+ done
+ return $result
+}
+
+wait_for_wrapper()
+{
+ # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
+ if [ "$QUIET" -eq 1 ]; then
+ timeout "$TIMEOUT" "$0" -q -child "$HOST":"$PORT" -t "$TIMEOUT" &
+ else
+ timeout "$TIMEOUT" "$0" --child "$HOST":"$PORT" -t "$TIMEOUT" &
+ fi
+ PID=$!
+ trap 'kill -INT -$PID' INT
+ wait $PID
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ echoerr "$cmdname: timeout occurred after waiting $TIMEOUT seconds for $HOST:$PORT"
+ fi
+ return $RESULT
+}
+
+TIMEOUT=15
+STRICT=0
+CHILD=0
+QUIET=0
+# process arguments
+while [ $# -gt 0 ]
+do
+ case "$1" in
+ *:* )
+ HOST=$(printf "%s\n" "$1"| cut -d : -f 1)
+ PORT=$(printf "%s\n" "$1"| cut -d : -f 2)
+ shift 1
+ ;;
+ --child)
+ CHILD=1
+ shift 1
+ ;;
+ -q | --quiet)
+ QUIET=1
+ shift 1
+ ;;
+ -s | --strict)
+ STRICT=1
+ shift 1
+ ;;
+ -h)
+ HOST="$2"
+ if [ "$HOST" = "" ]; then break; fi
+ shift 2
+ ;;
+ --host=*)
+ HOST=$(printf "%s" "$1" | cut -d = -f 2)
+ shift 1
+ ;;
+ -p)
+ PORT="$2"
+ if [ "$PORT" = "" ]; then break; fi
+ shift 2
+ ;;
+ --port=*)
+ PORT="${1#*=}"
+ shift 1
+ ;;
+ -t)
+ TIMEOUT="$2"
+ if [ "$TIMEOUT" = "" ]; then break; fi
+ shift 2
+ ;;
+ --timeout=*)
+ TIMEOUT="${1#*=}"
+ shift 1
+ ;;
+ --)
+ shift
+ break
+ ;;
+ --help)
+ usage 0
+ ;;
+ *)
+ echoerr "Unknown argument: $1"
+ usage 1
+ ;;
+ esac
+done
+
+if [ "$HOST" = "" -o "$PORT" = "" ]; then
+ echoerr "Error: you need to provide a host and port to test."
+ usage 2
+fi
+
+if [ $CHILD -gt 0 ]; then
+ wait_for
+ RESULT=$?
+ exit $RESULT
+else
+ if [ "$TIMEOUT" -gt 0 ]; then
+ wait_for_wrapper
+ RESULT=$?
+ else
+ wait_for
+ RESULT=$?
+ fi
+fi
+
+if [ "$*" != "" ]; then
+ if [ $RESULT -ne 0 -a $STRICT -eq 1 ]; then
+ echoerr "$cmdname: strict mode, refusing to execute subprocess"
+ exit $RESULT
+ fi
+ exec "$@"
+else
+ exit $RESULT
+fi
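Review bot: `set -e` at the top defeats the retry loop in `wait_for`: `nc -z "$HOST" "$PORT" >/dev/null 2>&1` is a plain simple command, so the first refused connection terminates the script with nc's status before `result=$?` runs and the loop never reaches `sleep 1` (the same applies to `wait $PID` in `wait_for_wrapper` when the child is killed by `timeout`, so `RESULT` is never set and the `-- command` path is skipped). Either drop `set -e` or write the probe as a condition, which is exempt from `-e`: `if nc -z "$HOST" "$PORT" >/dev/null 2>&1; then result=0; … break; fi`. The quiet branch of `wait_for_wrapper` re-invokes the script with `-q -child`, but the argument parser only knows `--child`, so a quiet run with a timeout dies with `Unknown argument: -child` and `usage 1`; change that line to use `--child` like the branch below it. `kill -INT -$PID` addresses a process group, which a background job in a non-interactive sh does not get on its own, so the trap likely needs to be `trap 'kill -INT "$PID"' INT` to do anything.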