Piotr Biernat 2024-12-24 14:20:35 +01:00
parent 0accb265d7
commit 97dec341af
17 changed files with 178 additions and 157 deletions


@ -1,7 +1,7 @@
FROM envoyproxy/envoy:distroless-v1.29-latest AS envoy FROM envoyproxy/envoy:distroless-v1.29-latest AS envoy
FROM ubuntu:latest AS base FROM ubuntu:latest AS base
FROM hashicorp/consul:1.19.2-ubi FROM hashicorp/consul:1.20.1-ubi
USER root USER root
@ -13,7 +13,7 @@ LABEL dev.egommerce.image.version="1.0"
ENV CGO_ENABLED=0 ENV CGO_ENABLED=0
COPY ./api-registry/etc/consul /consul/config COPY ./api-registry/etc/consul /consul/config
# COPY ./api-registry/etc/addons/* /consul/config COPY ./api-registry/etc/addons/* /consul/config/
COPY ./api-registry/etc/consul-template /consul/template COPY ./api-registry/etc/consul-template /consul/template
COPY ./api-registry/opt /opt/consul COPY ./api-registry/opt /opt/consul
COPY ./api-registry/entrypoint.sh / COPY ./api-registry/entrypoint.sh /
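Review bot: The addons now copied by the uncommented `COPY ./api-registry/etc/addons/* /consul/config/` line land in the agent's configuration directory, but elsewhere in this commit the gateway and route entries lose their `config_entries { bootstrap = [...] }` wrapper and become bare `Kind = ...` documents, which the agent cannot load as agent config; if the addons directory holds those files they either need the wrapper back or belong in a separate directory applied with `consul config write` from the entrypoint. Which files live under `addons` is not visible here, so confirm against the directory listing. Separately, `FROM ubuntu:latest` and the envoy `-latest` tag leave two of the three base images unpinned while consul is pinned to `1.20.1-ubi`; pinning all three by tag (and ideally digest) keeps the image reproducible. The stage also starts with `USER root` and the end of the file is outside this hunk, so check that a non-root `USER` is set before the entrypoint.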


@ -9,9 +9,9 @@ update-ca-trust
echo -e "nameserver 127.0.0.1\n$(cat /etc/resolv.conf)" > /etc/resolv.conf echo -e "nameserver 127.0.0.1\n$(cat /etc/resolv.conf)" > /etc/resolv.conf
# Install consul-template # Install consul-template
# cd ~/ && curl -O https://releases.hashicorp.com/consul-template/0.19.5/consul-template_0.19.5_linux_amd64.zip && \ cd ~/ && curl -O https://releases.hashicorp.com/consul-template/0.39.1/consul-template_0.39.1_linux_amd64.zip && \
# unzip consul-template_0.19.5_linux_amd64.zip && \ unzip consul-template_0.39.1_linux_amd64.zip && \
# rm consul-template_0.19.5_linux_amd64.zip && cd - rm consul-template_0.39.1_linux_amd64.zip && cd -
# Install glibc # Install glibc
# apk add gcompat # apk add gcompat
@ -25,9 +25,9 @@ if [ $APP_NAME == "api-gateway" ]
then then
# register-service # register-service
IP=$(hostname -i) COMMAND="consul connect envoy -gateway api -register -service gateway -address ${IP}:8443 -admin-bind 0.0.0.0:19000 -bind-address gw-listener=0.0.0.0:8443 -ca-file /usr/share/pki/ca-trust-source/anchors/internalCA.crt -client-cert /etc/certs/catalog.crt -client-key /etc/certs/catalog.key -enable-config-gen-logging -- --log-level trace --log-path /var/log/api-gateway.log" ./spawn-process.sh 2>&1 & IP=$(hostname -i) COMMAND="consul connect envoy -gateway api -register -service gateway -address ${IP}:8443 -admin-bind 0.0.0.0:19000 -bind-address route-listener=0.0.0.0:8443 -ca-file /usr/share/pki/ca-trust-source/anchors/internalCA.crt -enable-config-gen-logging -- --log-level trace --log-path /var/log/api-gateway.log" ./spawn-process.sh 2>&1 &
COMMAND="consul connect envoy -sidecar-for catalog -admin-bind 0.0.0.0:20000 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-catalog.log" ./spawn-process.sh 2>&1 & COMMAND="consul connect envoy -sidecar-for catalog -admin-bind 0.0.0.0:20000 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-catalog.log" ./spawn-process.sh 2>&1 &
COMMAND="consul connect envoy -sidecar-for basket -admin-bind 0.0.0.0:20001 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-basket.log" ./spawn-process.sh 2>&1 & # COMMAND="consul connect envoy -sidecar-for basket -admin-bind 0.0.0.0:20001 -enable-config-gen-logging -- --log-level trace --log-path /var/log/sidecar-basket.log" ./spawn-process.sh 2>&1 &
fi fi
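Review bot: The consul-template zip on the now-active `curl -O` line is fetched at container start and unzipped without any integrity check, so a network or release-host compromise feeds an unverified binary straight into the running container; HashiCorp publishes a checksum file next to the zip, so add `curl -fsSLO https://releases.hashicorp.com/consul-template/0.39.1/consul-template_0.39.1_SHA256SUMS && sha256sum -c --ignore-missing consul-template_0.39.1_SHA256SUMS` before the `unzip`. `-f` matters on its own too: plain `curl -O` saves a 404 body as the zip and the failure only surfaces at `unzip`. Doing this on every container start rather than in the Dockerfile also makes startup depend on outbound internet, so consider moving it to a build stage. Separately, the api-gateway command still binds the Envoy admin API on `0.0.0.0:19000` (and the sidecar on `0.0.0.0:20000`), which exposes config dumps and runtime control to anything on the container network; `127.0.0.1` is the safer bind unless something external genuinely needs it.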


@ -1,13 +1,10 @@
config_entries { Kind = "api-gateway"
bootstrap = [ Name = "gw"
{
Kind = "api-gateway"
Name = "gw"
Listeners = [ Listeners = [
{ {
Name = "gw" Name = "route-listener"
Port = 443 Port = 8443
Protocol = "http" Protocol = "http"
#Services = [ #Services = [
# { # {
@ -15,7 +12,4 @@ config_entries {
# } # }
#] #]
} }
] ]
}
]
}
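Review bot: The listener renamed to `route-listener` stays `Protocol = "http"` with no `TLS` block, so the gateway now terminates plaintext HTTP on 8443 even though the entrypoint passes `-ca-file` and the repo issues a `catalog.service.ego.io` certificate from Vault; if clients are meant to reach the gateway over TLS, the listener needs `TLS = { Certificates = [ { Kind = "inline-certificate", Name = "<cert-entry>" } ] }` referencing a certificate config entry, otherwise add a comment stating where TLS is terminated. Dropping the `config_entries { bootstrap = [...] }` wrapper also changes how this file can be loaded: as a bare `Kind`/`Name` document it is only valid input to `consul config write`, not agent configuration, so make sure it is no longer placed under `/consul/config`. The commented `#Services` block is left behind; delete it or note why it is kept.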


@ -0,0 +1,13 @@
Kind = "service-intentions"
Name = "pricing"
Sources = [
{
Name = "basket"
Action = "deny"
}
{
Name = "api"
Action = "allow"
}
]
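Review bot: The intention only names `basket` and `api`, so every other source (`catalog`, `order`, `identity`, and any future service) falls back to the agent's default intention policy rather than being decided here; add a trailing catch-all `{ Name = "*" Action = "deny" }` so `pricing` is deny-by-default regardless of how `default_policy` is set on the servers. The explicit `basket` deny then becomes redundant but is harmless as documentation. Also check the `api` source name against what is actually registered: the entrypoint registers the gateway with `-service gateway`, so traffic arriving through the gateway would be attributed to `gateway`, not `api`, unless a service named `api` exists elsewhere.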


@ -1,13 +0,0 @@
#Kind = "service-intentions"
#Name = "pricing"
#Sources = [
#{
# Name = "basket"
# Action = "deny"
#}
#{
# Name = "api"
# Action = "allow"
#}
#]


@ -1,28 +1,25 @@
config_entries { Kind = "http-route"
bootstrap = [ Name = "route-listener"
{
Kind = "http-route"
Name = "catalog-routes"
Meta = { Meta = {
"name" = "catalog-routes" "name" = "catalog"
} }
#Hostnames = ["<hostnames for which this HTTPRoute should respond to requests>"] #Hostnames = ["<hostnames for which this HTTPRoute should respond to requests>"]
Parents = [ Parents = [
{ {
Kind = "api-gateway" Kind = "api-gateway"
Name = "gw" Name = "gw"
#SectionName = "<optional name of a specific listener on the api-gateway to bind to>" SectionName = "route-listener"
} }
] ]
Rules = [ Rules = [
{ {
Filters = { #Filters = {
URLRewrite = { #URLRewrite = {
Path = "/catalog" # Path = "/catalog"
} #}
#JWT = { #JWT = {
# Providers = [ # Providers = [
# Name = "<name of the provider>" # Name = "<name of the provider>"
@ -32,9 +29,13 @@ config_entries {
# } # }
# ] # ]
#} #}
#}
Matches = [
{
Path = {
Match = "prefix"
Value = "/catalog"
} }
#Matches = [
#{
# Headers = [ # Headers = [
# { # {
# Match = "<type of match: exact, prefix or regex>" # Match = "<type of match: exact, prefix or regex>"
@ -54,8 +55,8 @@ config_entries {
# Value = "<value of query parameter to match on>" # Value = "<value of query parameter to match on>"
# } # }
# ] # ]
#} }
#] ]
Services = [ Services = [
{ {
Name = "catalog" Name = "catalog"
@ -81,7 +82,4 @@ config_entries {
} }
] ]
} }
] ]
}
]
}
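Review bot: With `#Hostnames` still commented out and the `#JWT` filter block disabled, the new `Matches` prefix rule forwards every request for `/catalog` on any Host header to `catalog` with no authentication at the gateway; if that is intentional for this environment, record it next to the rule, e.g. `# No Hostnames/JWT: /catalog is public in dev — enable before exposing beyond the lab network`. Disabling `URLRewrite` also means `catalog` now receives paths with the `/catalog` prefix intact, which is only right if the service routes on that prefix. The `Rules` block continues past this hunk, so the remaining matches were not reviewed here.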


@ -1,20 +1,20 @@
services = [ Kind = "service-router"
Name = "catalog"
Routes = [
{ {
name = "catalog" Match {
port = 443 HTTP {
PathPrefix = "/catalog"
} }
checks = {
Interval = "10s"
Name = "Connect Sidecar Listening"
TCP = "127.0.0.1:20000"
} }
kind = "connect-proxy"
name = "web-sidecar-proxy" Destination {
port = 20000 Service = "catalog"
proxy = { RequestTimeout = "5s"
destination_service_id = "catalog" NumRetries = 5
destination_service_name = "catalog" RetryOnConnectFailure = true
local_service_address = "127.0.0.1" RetryOn = ["reset"]
local_service_port = 443 }
} }
] ]
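Review bot: The `services` registration this file replaced (the `catalog` service on 443 plus its `connect-proxy` sidecar with the TCP check on `127.0.0.1:20000`) is not recreated anywhere visible in this commit, and the entrypoint's `consul connect envoy -sidecar-for catalog` only starts the proxy for an already-registered service; unless the registration moved to another file, the new router's `Destination { Service = "catalog" }` points at a service with no instances. Confirm where `catalog` is now registered before merging. If it is, a `service-router` named `catalog` whose only route sends `/catalog` back to `catalog` is a no-op unless the destination differs — for example a `PrefixRewrite = "/"` to strip the prefix the gateway route no longer rewrites — so either add that or note why the route exists.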


@ -1,5 +1,5 @@
Kind = "service-router" Kind = "service-router"
Name = "service-router" Name = "main-router"
Routes = [ Routes = [
{ {
@ -10,6 +10,11 @@ Routes = [
}, },
Destination { Destination {
Service = "identity" Service = "identity"
RequestTimeout = "5s"
NumRetries = 5
RetryOnConnectFailure = true
RetryOn = ["reset"]
} }
}, },
{ {
@ -20,6 +25,10 @@ Routes = [
}, },
Destination { Destination {
Service = "basket" Service = "basket"
RequestTimeout = "5s"
NumRetries = 5
RetryOnConnectFailure = true
RetryOn = ["reset"]
} }
}, },
{ {
@ -30,6 +39,10 @@ Routes = [
}, },
Destination { Destination {
Service = "catalog" Service = "catalog"
RequestTimeout = "5s"
NumRetries = 5
RetryOnConnectFailure = true
RetryOn = ["reset"]
} }
}, },
{ {
@ -40,6 +53,10 @@ Routes = [
}, },
Destination { Destination {
Service = "order" Service = "order"
RequestTimeout = "5s"
NumRetries = 5
RetryOnConnectFailure = true
RetryOn = ["reset"]
} }
}, },
{ {
@ -50,6 +67,10 @@ Routes = [
}, },
Destination { Destination {
Service = "pricing" Service = "pricing"
RequestTimeout = "5s"
NumRetries = 5
RetryOnConnectFailure = true
RetryOn = ["reset"]
} }
}, },
{ {
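Review bot: `RetryOn = ["reset"]` with `NumRetries = 5` is applied uniformly, including to `order` and `basket`, whose routes very likely carry non-idempotent POST/PUT traffic; Envoy's reset condition also fires when the upstream goes away after it has started processing, so a retried request can create a duplicate order. Split those routes by method (`Match { HTTP { PathPrefix = "..." Methods = ["GET", "HEAD"] } }`) and attach the retry policy only to the read-only route, or drop retries for the mutating services. Also note `Name = "main-router"`: a service-router entry applies to the service whose name it carries, so unless a service called `main-router` is registered this entry affects nothing; gateway-side routing belongs in the `http-route` entries. The surrounding `Routes` list continues outside these hunks.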


@ -1,11 +1,18 @@
#vault { vault {
# # root VAUL_TOKEN - PROD CHECK! # root VAUL_TOKEN - PROD CHECK!
# token = "hvs.CAESIA9jPKArVgpCNzvze9ehIiX2gKMnVgu0rtSUw54Wj9HQGh4KHGh2cy5LdmJVRnYzVkQ1UXhDU2FKaEFQMW5UTm0" token = "hvs.dZL3N8PAozQ7EbOYFFDeipui"
# address = "https://api-vault:8200" address = "https://api-vault:8200"
# unwrap_token = false unwrap_token = false
# renew_token = false renew_token = false
#} }
consul {
address = "https://127.0.0.1:8501"
ssl {
enabled = true
}
}
template { template {
source = "/opt/consul/tpl/catalog.crt.tpl" source = "/opt/consul/tpl/catalog.crt.tpl"
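Review bot: A live Vault token is committed in clear text on the now-active `token = "hvs.…"` line, and the comment above it says it is a root token; anyone with read access to the repo can issue certificates from (and, with root, administer) Vault. Remove the `token` line entirely — consul-template reads `VAULT_TOKEN` from the environment, or can use `vault_agent_token_file` — and revoke both this token and the previously committed one, since both remain in git history. A root token is also far more than this job needs; issue one from a policy limited to `pki_int/issue/ego.io`. The new `consul` stanza enables `ssl` but sets no `ca_cert`, so verification relies on the system trust store where the entrypoint installs `internalCA.crt`; set `ca_cert` explicitly if that store is not guaranteed.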


@ -13,7 +13,7 @@ ui_config {
content_path = "/registry" content_path = "/registry"
} }
bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.2.0/24\" | attr \"address\" }}" bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.1.0/24\" | attr \"address\" }}"
client_addr = "0.0.0.0" client_addr = "0.0.0.0"
ports { ports {


@ -19,7 +19,7 @@ ui_config {
} }
} }
bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.2.0/24\" | attr \"address\" }}" bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.1.0/24\" | attr \"address\" }}"
client_addr = "0.0.0.0" client_addr = "0.0.0.0"
ports { ports {
@ -50,7 +50,8 @@ connect {
ca_provider = "vault" ca_provider = "vault"
ca_config { ca_config {
address = "https://api-vault:8200" address = "https://api-vault:8200"
token = "hvs.CAESICxuTO_JieCbpMoZ4_qOPIohxSKim_4V8t11JLg93RtKGh4KHGh2cy5VUUFqUm5CdTQ3V3hMQ3BHSDB4dThNZHE" #token = "hvs.CAESICxuTO_JieCbpMoZ4_qOPIohxSKim_4V8t11JLg93RtKGh4KHGh2cy5VUUFqUm5CdTQ3V3hMQ3BHSDB4dThNZHE"
token = "hvs.dZL3N8PAozQ7EbOYFFDeipui"
root_pki_path = "pki/" root_pki_path = "pki/"
intermediate_pki_path = "pki_int/" intermediate_pki_path = "pki_int/"
} }
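Review bot: The Connect CA provider now carries a second committed Vault token while the old one is kept as a comment (`#token = "hvs.CAESIC…"`), so the file holds two secrets in clear text and the history a third; delete the commented line rather than keeping it, and revoke both tokens. Consul 1.11+ lets the Vault CA provider authenticate without a static token via `auth_method { type = "approle" params = { role_id_file_path = "…" secret_id_file_path = "…" } }` (or another Vault auth method, see the provider docs) scoped to `pki/` and `pki_int/`, which avoids baking a long-lived token into server configuration. If a static token has to stay for now, at minimum issue it from a policy restricted to those two mounts instead of the root token the consul-template config describes.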


@ -1,3 +1,3 @@
{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}} {{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=localhost" "ip_sans=127.0.0.1"}}
{{ .Data.certificate }} {{ .Data.certificate }}
{{ end }} {{ end }}
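Review bot: `alt_names=localhost` is now issued into a 72h certificate for `catalog.service.ego.io`, and the `secret` function re-runs the `pki_int/issue/ego.io` write on every consul-template start, so each restart mints a fresh certificate on the Vault CA; consul-template ≥ 0.26 (this commit installs 0.39.1) provides `pkiCert`, which reuses the certificate already on disk until it nears expiry and is the function HashiCorp recommends for PKI. Whether switching is safe depends on the matching `.key.tpl`, which repeats the same call and must keep issuing the key in the same call as the certificate. Also check that adding `localhost` as a SAN is intended: it lets the cert validate for any local process on the host, not only the catalog service.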


@ -1,3 +1,3 @@
{{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=catalog.service.ego.io" "ip_sans=127.0.0.1"}} {{ with secret "pki_int/issue/ego.io" "common_name=catalog.service.ego.io" "ttl=72h" "alt_names=localhost" "ip_sans=127.0.0.1"}}
{{ .Data.private_key }} {{ .Data.private_key }}
{{ end }} {{ end }}


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# RUN IN REPO ROOT DIR !! # RUN IN REPO ROOT DIR !!
export IMAGE_NAME="git.pbiernat.io/egommerce/api-registry" export IMAGE_NAME="git.ego.cloudns.be/egommerce/api-registry"
TARGET=${1:-latest} TARGET=${1:-latest}


@ -1,11 +1,11 @@
#!/bin/sh #!/bin/sh
# RUN IN REPO ROOT DIR !! # RUN IN REPO ROOT DIR !!
export IMAGE_NAME="git.pbiernat.io/egommerce/api-registry" export IMAGE_NAME="git.ego.cloudns.be/egommerce/api-registry"
TARGET=${1:-latest} TARGET=${1:-latest}
echo $DOCKER_PASSWORD | docker login git.pbiernat.io -u $DOCKER_USERNAME --password-stdin echo $DOCKER_PASSWORD | docker login git.ego.cloudns.be -u $DOCKER_USERNAME --password-stdin
docker push "$IMAGE_NAME:$TARGET" docker push "$IMAGE_NAME:$TARGET"
# Restart container # Restart container