From 97dec341af8ae32441c5342e815ddee527a48ffd Mon Sep 17 00:00:00 2001
From: Piotr Biernat
Date: Tue, 24 Dec 2024 14:20:35 +0100
Subject: [PATCH] Refactor
---
 Dockerfile | 4 +-
 api-registry/entrypoint.sh | 10 +-
 api-registry/etc/addons/api-gateway.hcl | 34 ++--
 .../{proxy-defaults.hcl => default-proxy.hcl} | 0
 ...rvice-defaults.hcl => default-service.hcl} | 0
 api-registry/etc/addons/intentions.hcl | 13 ++
 .../etc/addons/pricing-intentions.hcl | 13 --
 api-registry/etc/addons/routes.hcl | 164 +++++++++---------
 api-registry/etc/addons/service-catalog.hcl | 36 ++--
 api-registry/etc/addons/service-router.hcl | 23 ++-
 api-registry/etc/consul-template/catalog.hcl | 21 ++-
 api-registry/etc/consul/gateway.hcl | 2 +-
 api-registry/etc/consul/server.hcl | 5 +-
 api-registry/opt/tpl/catalog.crt.tpl | 2 +-
 api-registry/opt/tpl/catalog.key.tpl | 2 +-
 deploy/image-build.sh | 2 +-
 deploy/image-push.sh | 4 +-
 17 files changed, 178 insertions(+), 157 deletions(-)
 rename api-registry/etc/addons/{proxy-defaults.hcl => default-proxy.hcl} (100%)
 rename api-registry/etc/addons/{service-defaults.hcl => default-service.hcl} (100%)
 create mode 100644 api-registry/etc/addons/intentions.hcl
 delete mode 100644 api-registry/etc/addons/pricing-intentions.hcl
diff --git a/Dockerfile b/Dockerfile
index 4501cd1..b21b853 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM envoyproxy/envoy:distroless-v1.29-latest AS envoy
 FROM ubuntu:latest AS base
-FROM hashicorp/consul:1.19.2-ubi
+FROM hashicorp/consul:1.20.1-ubi
 USER root
@@ -13,7 +13,7 @@ LABEL dev.egommerce.image.version="1.0"
 ENV CGO_ENABLED=0
 COPY ./api-registry/etc/consul /consul/config
-# COPY ./api-registry/etc/addons/* /consul/config
+COPY ./api-registry/etc/addons/* /consul/config/
 COPY ./api-registry/etc/consul-template /consul/template
 COPY ./api-registry/opt /opt/consul
 COPY ./api-registry/entrypoint.sh /
diff --git a/api-registry/entrypoint.sh b/api-registry/entrypoint.sh
index 1b63017..6a6aba9 100755
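Review bot: The uncommented `COPY ./api-registry/etc/addons/* /consul/config/` drops config-entry files (`Kind = "api-gateway"`, `Kind = "http-route"`, `Kind = "service-intentions"`, …) into the same directory that the agent configuration from `./api-registry/etc/consul` is copied to on the line above. Consul loads every `.hcl` in its config directory as agent configuration and, as far as I know, rejects unknown top-level keys such as `Kind`, so unless the entrypoint starts the agent with explicit `-config-file` arguments and applies these files with `consul config write`, the agent will likely refuse to start. This same commit removed the `config_entries { bootstrap = [...] }` wrapper from api-gateway.hcl and routes.hcl, which was the only form an agent config directory could consume. I would copy them to a separate path, e.g. `COPY ./api-registry/etc/addons/ /consul/config-entries/`, and put a comment on that line naming the command that applies them.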
--- a/api-registry/entrypoint.sh
+++ b/api-registry/entrypoint.sh
@@ -9,9 +9,9 @@ update-ca-trust
 echo -e "nameserver 127.0.0.1\n$(cat /etc/resolv.conf)" > /etc/resolv.conf
 # Install consul-template
-# cd ~/ && curl -O https://releases.hashicorp.com/consul-template/0.19.5/consul-template_0.19.5_linux_amd64.zip && \
-# unzip consul-template_0.19.5_linux_amd64.zip && \
-# rm consul-template_0.19.5_linux_amd64.zip && cd -
+cd ~/ && curl -O https://releases.hashicorp.com/consul-template/0.39.1/consul-template_0.39.1_linux_amd64.zip && \
+unzip consul-template_0.39.1_linux_amd64.zip && \
+rm consul-template_0.39.1_linux_amd64.zip && cd -
 # Install glibc
 # apk add gcompat
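Review bot: The re-enabled consul-template download runs unverified at container start: `curl -O` without `-f` saves an HTTP error body on failure, there is no checksum check of the archive, and the lines shown carry no `set -e`, so a failed or tampered download does not stop the entrypoint. Fetching a binary from the internet on every start also makes the image non-reproducible and requires egress from the runtime environment; this belongs in a Dockerfile build step (`ADD --checksum=sha256:…` or a checked `curl`) rather than in the entrypoint. If it must stay here, HashiCorp publishes a `consul-template_0.39.1_SHA256SUMS` file next to the archive that can be checked before `unzip`. The script continues outside the hunk, so a `set -e` earlier in the file would change part of this assessment.

```shell
# … unchanged: resolv.conf rewrite …
# Install consul-template (pinned version, archive verified against the published SHA256SUMS)
CT_VERSION=0.39.1
CT_URL="https://releases.hashicorp.com/consul-template/${CT_VERSION}"
cd ~/ && curl -fsSLO "${CT_URL}/consul-template_${CT_VERSION}_linux_amd64.zip" && \
curl -fsSLO "${CT_URL}/consul-template_${CT_VERSION}_SHA256SUMS" && \
sha256sum --check --ignore-missing "consul-template_${CT_VERSION}_SHA256SUMS" && \
unzip "consul-template_${CT_VERSION}_linux_amd64.zip" && \
rm "consul-template_${CT_VERSION}_linux_amd64.zip" "consul-template_${CT_VERSION}_SHA256SUMS" && cd -
```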
@@ -25,9 +25,9 @@ if [ $APP_NAME == "api-gateway" ]
 then
 # register-service
- IP=$(hostname -i) COMMAND="consul connect envoy -gateway api -register -service gateway -address ${IP}:8443 -admin-bind 0.0.0.0:19000 -bind-address gw-listener=0.0.0.0:8443 -ca-file /usr/share/pki/ca-trust-source/anchors/internalCA.crt -client-cert /etc/certs/catalog.crt -client-key /etc/certs/catalog.key -enable-config-gen-logging -- --log-level trace --log-path /var/log/api-gateway.log" ./spawn-process.sh 2>&1 &
+ IP=$(hostname -i) COMMAND="consul connect envoy -gateway api -register -service gateway -address ${IP}:8443 -admin-bind 0.0.0.0:19000 -bind-address route-listener=0.0.0.0:8443 -ca-file /usr/share/pki/ca-trust-source/anchors/internalCA.crt -enable-config-gen-logging -- --log-level trace --log-path /var/log/api-gateway.log" ./spawn-process.sh 2>&1 &
 COMMAND="consul connect envoy -sidecar-for catalog -admin-bind 0.0.0.0:20000 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-catalog.log" ./spawn-process.sh 2>&1 &
- COMMAND="consul connect envoy -sidecar-for basket -admin-bind 0.0.0.0:20001 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-basket.log" ./spawn-process.sh 2>&1 &
+ # COMMAND="consul connect envoy -sidecar-for basket -admin-bind 0.0.0.0:20001 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-basket.log" ./spawn-process.sh 2>&1 &
 fi
diff --git a/api-registry/etc/addons/api-gateway.hcl b/api-registry/etc/addons/api-gateway.hcl
index a38df62..af47690 100644
--- a/api-registry/etc/addons/api-gateway.hcl
+++ b/api-registry/etc/addons/api-gateway.hcl
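Review bot: The rewritten api-gateway command drops `-client-cert /etc/certs/catalog.crt -client-key /etc/certs/catalog.key` while keeping `-ca-file`, so `consul connect envoy` now talks to the agent's HTTPS API with no client certificate; if the agent requires client certificates on that API (`verify_incoming` or an equivalent setting, not visible here) the `-register` call will fail, and if it does not, the removed flags were dead weight — a comment on the line saying which case applies would spare the next reader the guess. Note also that `IP=$(hostname -i)` can expand to several space-separated addresses in a container with more than one interface, which breaks `-address ${IP}:8443`; `IP=$(hostname -i | cut -d' ' -f1)` is the usual guard. The basket sidecar is commented out here while `service-router.hcl` and `intentions.hcl` in this same commit still reference `basket`; if that is intentional, the comment should say so. The `if` block is shown in full, but the script continues past the hunk.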
@@ -1,21 +1,15 @@
-config_entries {
- bootstrap = [
- {
- Kind = "api-gateway"
- Name = "gw"
+Kind = "api-gateway"
+Name = "gw"
- Listeners = [
- {
- Name = "gw"
- Port = 443
- Protocol = "http"
- #Services = [
- # {
- # Name = "catalog"
- # }
- #]
- }
- ]
- }
- ]
-}
+Listeners = [
+ {
+ Name = "route-listener"
+ Port = 8443
+ Protocol = "http"
+ #Services = [
+ # {
+ # Name = "catalog"
+ # }
+ #]
+ }
+]
\ No newline at end of file
diff --git a/api-registry/etc/addons/proxy-defaults.hcl b/api-registry/etc/addons/default-proxy.hcl
similarity index 100%
rename from api-registry/etc/addons/proxy-defaults.hcl
rename to api-registry/etc/addons/default-proxy.hcl
diff --git a/api-registry/etc/addons/service-defaults.hcl b/api-registry/etc/addons/default-service.hcl
similarity index 100%
rename from api-registry/etc/addons/service-defaults.hcl
rename to api-registry/etc/addons/default-service.hcl
diff --git a/api-registry/etc/addons/intentions.hcl b/api-registry/etc/addons/intentions.hcl
new file mode 100644
index 0000000..e4c5feb
--- /dev/null
+++ b/api-registry/etc/addons/intentions.hcl
@@ -0,0 +1,13 @@
+Kind = "service-intentions"
+Name = "pricing"
+
+Sources = [
+ {
+ Name = "basket"
+ Action = "deny"
+ }
+ {
+ Name = "api"
+ Action = "allow"
+ }
+]
\ No newline at end of file
diff --git a/api-registry/etc/addons/pricing-intentions.hcl b/api-registry/etc/addons/pricing-intentions.hcl
deleted file mode 100644
index 8c5aeae..0000000
--- a/api-registry/etc/addons/pricing-intentions.hcl
+++ /dev/null
@@ -1,13 +0,0 @@
-#Kind = "service-intentions"
-#Name = "pricing"
-
-#Sources = [
- #{
- # Name = "basket"
- # Action = "deny"
- #}
- #{
- # Name = "api"
- # Action = "allow"
- #}
-#]
\ No newline at end of file
diff --git a/api-registry/etc/addons/routes.hcl b/api-registry/etc/addons/routes.hcl
index 3d0102e..7f7ebb2 100644
--- a/api-registry/etc/addons/routes.hcl
+++ b/api-registry/etc/addons/routes.hcl
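Review bot: The `route-listener` listener is declared with `Protocol = "http"` on port 8443 and no `TLS` block, so as written the gateway terminates plaintext HTTP on a port conventionally used for TLS; the entrypoint in this commit binds that same listener at `0.0.0.0:8443`, and the only certificate flags on that command were removed in the same change. If TLS is meant to be terminated by something in front of the gateway, a one-line comment above `Listeners` saying so would settle it; otherwise the listener needs a `TLS { Certificates = [...] }` entry, since in the api-gateway config entry TLS is configured per listener. The file also loses its trailing newline, as the diff marks.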
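Review bot: `intentions.hcl` allows source `api` to reach `pricing`, but no service named `api` is registered anywhere in this commit — the gateway registers as `-service gateway` in entrypoint.sh and the sidecars are `catalog` and `basket` — so the allow rule probably never matches and the callers that do exist fall through to the cluster's default intention policy. If deny-by-default is the intent, append a catch-all source `{ Name = "*" Action = "deny" }` as the last entry rather than relying on the agent's ACL default, and point the allow at the real source service name. A short header comment naming the caller each rule is meant for, e.g. `# only the gateway may call pricing; basket must never call it directly`, would make the intent reviewable. The new file is written without a trailing newline.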
@@ -1,87 +1,85 @@ -config_entries { - bootstrap = [ - { - Kind = "http-route" - Name = "catalog-routes" +Kind = "http-route" +Name = "route-listener" - Meta = { - "name" = "catalog-routes" +Meta = { + "name" = "catalog" +} +#Hostnames = [""] + +Parents = [ + { + Kind = "api-gateway" + Name = "gw" + SectionName = "route-listener" + } +] + +Rules = [ + { + #Filters = { + #URLRewrite = { + # Path = "/catalog" + #} + #JWT = { + # Providers = [ + # Name = "" + # VerifyClaim = { + # Path = [""] + # Value = "" + # } + # ] + #} + #} + Matches = [ + { + Path = { + Match = "prefix" + Value = "/catalog" + } + # Headers = [ + # { + # Match = "" + # Name = "" + # Value = "" + # } + # ] + # Method = "" + # Path = { + # Match = "" + # Value = "" + # } + # Query = [ + # { + # Match = "" + # Name = "" + # Value = "" + # } + # ] } - #Hostnames = [""] - - Parents = [ - { - Kind = "api-gateway" - Name = "gw" - #SectionName = "" - } - ] - - Rules = [ - { - Filters = { - URLRewrite = { - Path = "/catalog" - } - #JWT = { - # Providers = [ - # Name = "" - # VerifyClaim = { - # Path = [""] - # Value = "" - # } - # ] - #} + ] + Services = [ + { + Name = "catalog" + Weight = 90 + Filters = { + # Headers = [ + # { + # Add = { + # "" = "" + # } + # Remove = [ + # "" + # ] + # Set = { + # "" = "" + # } + # } + # ] + URLRewrite = { + Path = "/" } - #Matches = [ - #{ - # Headers = [ - # { - # Match = "" - # Name = "" - # Value = "" - # } - # ] - # Method = "" - # Path = { - # Match = "" - # Value = "" - # } - # Query = [ - # { - # Match = "" - # Name = "" - # Value = "" - # } - # ] - #} - #] - Services = [ - { - Name = "catalog" - Weight = 90 - Filters = { - # Headers = [ - # { - # Add = { - # "" = "" - # } - # Remove = [ - # "" - # ] - # Set = { - # "" = "" - # } - # } - # ] - URLRewrite = { - Path = "/" - } - } - } - ] } - ] - } - ] -} \ No newline at end of file + } + ] + } +] \ No newline at end of file 
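Review bot: The http-route is now named `route-listener`, the same string used for the listener's `SectionName` a few lines below, while the descriptive identifier (`"name" = "catalog"`) sits in `Meta`, which Consul does not use for lookup. The route's `Name` is its primary key, so a second route on this listener cannot reuse the pattern; `Name = "catalog-route"` (close to the old `catalog-routes`) with `SectionName = "route-listener"` keeps the two concepts apart. The rule-level `Filters` block, including the `JWT` provider stanza, is commented out, so nothing on this route authenticates requests before they are forwarded to `catalog` — if that is deliberate for now, a comment such as `# TODO: JWT filter disabled, /catalog is unauthenticated at the gateway` above `Rules` records it. The file has no trailing newline.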
diff --git a/api-registry/etc/addons/service-catalog.hcl b/api-registry/etc/addons/service-catalog.hcl index f33b62c..dd1a271 100644 --- a/api-registry/etc/addons/service-catalog.hcl +++ b/api-registry/etc/addons/service-catalog.hcl @@ -1,20 +1,20 @@ -services = [ - { - name = "catalog" - port = 443 +Kind = "service-router" +Name = "catalog" + +Routes = [ + { + Match { + HTTP { + PathPrefix = "/catalog" + } } - checks = { - Interval = "10s" - Name = "Connect Sidecar Listening" - TCP = "127.0.0.1:20000" + + Destination { + Service = "catalog" + RequestTimeout = "5s" + NumRetries = 5 + RetryOnConnectFailure = true + RetryOn = ["reset"] } - kind = "connect-proxy" - name = "web-sidecar-proxy" - port = 20000 - proxy = { - destination_service_id = "catalog" - destination_service_name = "catalog" - local_service_address = "127.0.0.1" - local_service_port = 443 - } -] + } +] \ No newline at end of file diff --git a/api-registry/etc/addons/service-router.hcl b/api-registry/etc/addons/service-router.hcl index 258a409..919e41d 100644 --- a/api-registry/etc/addons/service-router.hcl +++ b/api-registry/etc/addons/service-router.hcl @@ -1,5 +1,5 @@ Kind = "service-router" -Name = "service-router" +Name = "main-router" Routes = [ { @@ -10,6 +10,11 @@ Routes = [ }, Destination { Service = "identity" + RequestTimeout = "5s" + NumRetries = 5 + RetryOnConnectFailure = true + RetryOn = ["reset"] + } }, { @@ -20,6 +25,10 @@ Routes = [ }, Destination { Service = "basket" + RequestTimeout = "5s" + NumRetries = 5 + RetryOnConnectFailure = true + RetryOn = ["reset"] } }, { @@ -30,6 +39,10 @@ Routes = [ }, Destination { Service = "catalog" + RequestTimeout = "5s" + NumRetries = 5 + RetryOnConnectFailure = true + RetryOn = ["reset"] } }, { @@ -40,6 +53,10 @@ Routes = [ }, Destination { Service = "order" + RequestTimeout = "5s" + NumRetries = 5 + RetryOnConnectFailure = true + RetryOn = ["reset"] } }, { 
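Review bot: `service-catalog.hcl` no longer contains the catalog service registration and its `connect-proxy` sidecar (with the `Connect Sidecar Listening` TCP check); it is now a `service-router` entry for `catalog`, but the file name still says otherwise, and nothing else in this commit registers `catalog` or the sidecar that `consul connect envoy -sidecar-for catalog` in entrypoint.sh expects. Presumably the service registers itself elsewhere; if so, a one-line comment at the top (`# catalog service registration moved to <location>`) and a rename to something like `router-catalog.hcl` would stop the next reader from assuming the registration was lost. This router also matches `PathPrefix = "/catalog"` while the http-route in this commit rewrites `/catalog` to `/` before forwarding, so depending on where that rewrite is applied the router rule may never match — worth confirming against a running gateway.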
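Review bot: The `identity` destination gains five added lines where every other destination gains four — the extra `+ }` after `RetryOn = ["reset"]` closes the `Destination` block a second time and leaves the braces in `service-router.hcl` unbalanced (the hunk header `+10,11` against `+10,6` and the diffstat's 22 insertions plus 1 deletion only add up with this line). Remove that `}` so the block matches the `basket`, `catalog`, `order` and `pricing` hunks. Separately, `NumRetries = 5` with `RetryOn = ["reset"]` retries requests whose connection was reset after the request was sent, which can replay non-idempotent calls; for the `order` destination in particular that risks duplicate orders unless its routes accept only idempotent methods. `RetryOnConnectFailure = true` on its own is the safe choice for such destinations; the same retry block is added in the basket, catalog, order and pricing hunks of this file.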
@@ -50,6 +67,10 @@ Routes = [
 },
 Destination {
 Service = "pricing"
+ RequestTimeout = "5s"
+ NumRetries = 5
+ RetryOnConnectFailure = true
+ RetryOn = ["reset"]
 }
 },
 {
diff --git a/api-registry/etc/consul-template/catalog.hcl b/api-registry/etc/consul-template/catalog.hcl
index 16fbef3..562f442 100644
--- a/api-registry/etc/consul-template/catalog.hcl
+++ b/api-registry/etc/consul-template/catalog.hcl
@@ -1,11 +1,18 @@
-#vault {
-# # root VAUL_TOKEN - PROD CHECK!
-# token = "hvs.CAESIA9jPKArVgpCNzvze9ehIiX2gKMnVgu0rtSUw54Wj9HQGh4KHGh2cy5LdmJVRnYzVkQ1UXhDU2FKaEFQMW5UTm0"
-# address = "https://api-vault:8200"
-# unwrap_token = false
-# renew_token = false
-#}
+vault {
+ # root VAUL_TOKEN - PROD CHECK!
+ token = "hvs.dZL3N8PAozQ7EbOYFFDeipui"
+ address = "https://api-vault:8200"
+ unwrap_token = false
+ renew_token = false
+}
+
+consul {
+ address = "https://127.0.0.1:8501"
+ ssl {
+ enabled = true
+ }
+}
 template {
 source = "/opt/consul/tpl/catalog.crt.tpl"
diff --git a/api-registry/etc/consul/gateway.hcl b/api-registry/etc/consul/gateway.hcl
index a086187..ace960d 100644
--- a/api-registry/etc/consul/gateway.hcl
+++ b/api-registry/etc/consul/gateway.hcl
@@ -13,7 +13,7 @@ ui_config {
 content_path = "/registry"
 }
-bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.2.0/24\" | attr \"address\" }}"
+bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.1.0/24\" | attr \"address\" }}"
 client_addr = "0.0.0.0"
 ports {
diff --git a/api-registry/etc/consul/server.hcl b/api-registry/etc/consul/server.hcl
index 85e7c5f..cd3773f 100644
--- a/api-registry/etc/consul/server.hcl
+++ b/api-registry/etc/consul/server.hcl
@@ -19,7 +19,7 @@ ui_config {
 }
 }
-bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.2.0/24\" | attr \"address\" }}"
+bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.1.0/24\" | attr \"address\" }}"
 client_addr = "0.0.0.0"
 ports {
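Review bot: The new `vault { … }` block commits a live Vault token on the `token = "hvs.…"` line, which the author's own comment (`# root VAUL_TOKEN - PROD CHECK!`) describes as a root token, and the Dockerfile in this commit copies this directory into the image (`COPY ./api-registry/etc/consul-template /consul/template`), so the token lands in git history, in every image layer and in every registry the image is pushed to. The same token is written into `server.hcl` (`ca_config { token = … }`) in the hunk further down, where the previous token is merely commented out; that one and the `hvs.CAESIA9j…` token in the removed lines here should all be treated as exposed and revoked. consul-template can read the token from the `VAULT_TOKEN` environment variable or from `vault_agent_token_file`, and the Consul CA provider only needs a policy scoped to `pki/` and `pki_int/`; neither needs a root token. The `consul { ssl { enabled = true } }` block sets no `ca_cert`, so verification relies on the system trust store that `update-ca-trust` populates in entrypoint.sh — a comment stating that would help.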
@@ -50,7 +50,8 @@ connect {
 ca_provider = "vault"
 ca_config {
 address = "https://api-vault:8200"
- token = "hvs.CAESICxuTO_JieCbpMoZ4_qOPIohxSKim_4V8t11JLg93RtKGh4KHGh2cy5VUUFqUm5CdTQ3V3hMQ3BHSDB4dThNZHE"
+ #token = "hvs.CAESICxuTO_JieCbpMoZ4_qOPIohxSKim_4V8t11JLg93RtKGh4KHGh2cy5VUUFqUm5CdTQ3V3hMQ3BHSDB4dThNZHE"
+ token = "hvs.dZL3N8PAozQ7EbOYFFDeipui"
 root_pki_path = "pki/"
 intermediate_pki_path = "pki_int/"
 }
diff --git a/api-registry/opt/tpl/catalog.crt.tpl b/api-registry/opt/tpl/catalog.crt.tpl
index 68e2f66..2f6ae24 100644
--- a/api-registry/opt/tpl/catalog.crt.tpl
+++ b/api-registry/opt/tpl/catalog.crt.tpl
@@ -1,3 +1,3 @@
-{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}}
+{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=localhost" "ip_sans=127.0.0.1"}}
 {{ .Data.certificate }}
 {{ end }}
\ No newline at end of file
diff --git a/api-registry/opt/tpl/catalog.key.tpl b/api-registry/opt/tpl/catalog.key.tpl
index 4fb22ba..ddcd4c6 100644
--- a/api-registry/opt/tpl/catalog.key.tpl
+++ b/api-registry/opt/tpl/catalog.key.tpl
@@ -1,3 +1,3 @@
-{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}}
+{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=localhost" "ip_sans=127.0.0.1"}}
 {{ .Data.private_key }}
 {{ end }}
diff --git a/deploy/image-build.sh b/deploy/image-build.sh
index 507046c..976aec7 100755
--- a/deploy/image-build.sh
+++ b/deploy/image-build.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # RUN IN REPO ROOT DIR !!
-export IMAGE_NAME="git.pbiernat.io/egommerce/api-registry"
+export IMAGE_NAME="git.ego.cloudns.be/egommerce/api-registry"
 TARGET=${1:-latest}
diff --git a/deploy/image-push.sh b/deploy/image-push.sh
index ea40153..8327f19 100755
--- a/deploy/image-push.sh
+++ b/deploy/image-push.sh
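Review bot: `catalog.crt.tpl` and `catalog.key.tpl` each call `secret "pki_int/issue/ego.io"` with identical arguments, and as far as I know the certificate only matches the private key because consul-template collapses identical `secret` calls into one issued key pair; this commit edits both `alt_names` values in lockstep, which preserves that, but nothing in either file says the two lines must stay byte-identical. Add a comment at the top of both templates, e.g. `{{- /* keep this secret call identical to catalog.key.tpl: both templates must resolve to the same issued key pair */ -}}`, so a later edit does not change one file and silently produce a mismatched certificate and key. `alt_names=localhost` also replaces `alt_names=catalog.service.ego.io`; Vault normally adds `common_name` as a DNS SAN as well, but that depends on the role's `exclude_cn_from_sans` setting, which is not visible here.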
@@ -1,11 +1,11 @@
 #!/bin/sh
 # RUN IN REPO ROOT DIR !!
-export IMAGE_NAME="git.pbiernat.io/egommerce/api-registry"
+export IMAGE_NAME="git.ego.cloudns.be/egommerce/api-registry"
 TARGET=${1:-latest}
-echo $DOCKER_PASSWORD | docker login git.pbiernat.io -u $DOCKER_USERNAME --password-stdin
+echo $DOCKER_PASSWORD | docker login git.ego.cloudns.be -u $DOCKER_USERNAME --password-stdin
 docker push "$IMAGE_NAME:$TARGET"
 # Restart container