diff --git a/deploy/egommerce-stack.dev.yml b/deploy/egommerce-stack.dev.yml
index a39063e..3324b04 100644
--- a/deploy/egommerce-stack.dev.yml
+++ b/deploy/egommerce-stack.dev.yml
@@ -4,18 +4,21 @@ services:
   # INFRASTRUCTURE SERVICES
   api-gateway:
     image: git.pbiernat.dev/egommerce/api-gateway:dev
-    hostname: gw.egommerce.pbiernat.dev
+    hostname: egommerce.pbiernat.dev
     environment:
-      - APP_DOMAIN=gw.egommerce.pbiernat.dev
+      - APP_DOMAIN=egommerce.pbiernat.dev
     labels:
       - traefik.enable=true
       - traefik.http.routers.api-gateway.rule=PathPrefix(`/admin/gateway`)
+      - traefik.http.routers.api-gateway.tls=true
       - traefik.http.routers.api-gateway.entryPoints=https
       - traefik.http.routers.api-gateway.service=api-gateway
       - traefik.http.services.api-gateway.loadbalancer.server.scheme=http
       - traefik.http.services.api-gateway.loadbalancer.server.port=8080
+      - traefik.tls.certificates.certfile=/certs/client.cert
+      - traefik.tls.certificates.keyfile=/certs/client.key
     volumes:
-      - ./certs:/etc/traefik/certs
+      - ./certs/api-gateway:/etc/traefik/certs
 
   api-registry:
     image: git.pbiernat.dev/egommerce/api-registry:dev
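Review bot: The two `traefik.tls.certificates.certfile` / `traefik.tls.certificates.keyfile` labels added after the port label most likely never load a certificate: Traefik's dynamic `tls.certificates` is a list (`certificates[0].certFile`) and, as far as I can tell, is only read from the file provider rather than from Docker labels, so the router's new `tls=true` would fall back to Traefik's default self-signed certificate without any error in the compose file. If the `client.cert`/`client.key` pair is instead meant to be presented to the backends, note the service is still `loadbalancer.server.scheme=http`, so nothing on the gateway side would use it either. The certificate belongs in a file-provider dynamic config mounted under the existing `/etc/traefik/certs` volume, e.g. `tls:` / `  certificates:` / `    - certFile: /etc/traefik/certs/<cert-file>` with the matching `keyFile`. The same two labels recur in the api-registry and api-eventbus hunks below.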
@@ -24,11 +27,20 @@ services:
       - APP_DOMAIN=registry.egommerce.pbiernat.dev
     labels:
       - traefik.enable=true
-      - traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`)
+      # - traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`)
+      - traefik.http.routers.api-registry.rule=Headers(`X-API-SERVICE`, `admin-registry`)
+      - traefik.http.routers.api-registry.tls=true
+      - traefik.http.routers.api-registry.tls.domains[0].main=egommerce.pbiernat.dev
       - traefik.http.routers.api-registry.entryPoints=https
       - traefik.http.routers.api-registry.service=api-registry
+      - traefik.http.routers.api-registry.middlewares=registry-stripprefix
       - traefik.http.services.api-registry.loadbalancer.server.scheme=http
       - traefik.http.services.api-registry.loadbalancer.server.port=8500
+      - traefik.http.middlewares.registry-stripprefix.stripprefix.prefixes=/admin/registry
+      - traefik.tls.certificates.certfile=/certs/client.cert
+      - traefik.tls.certificates.keyfile=/certs/client.key
+    volumes:
+      - ./certs/api-gateway:/certs
 
   api-eventbus:
     image: git.pbiernat.dev/egommerce/api-eventbus:dev
@@ -41,10 +53,18 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.api-eventbus.rule=PathPrefix(`/admin/eventbus`)
+      - traefik.http.routers.api-eventbus.tls=true
+      - traefik.http.routers.api-eventbus.tls.domains[0].main=egommerce.pbiernat.dev
       - traefik.http.routers.api-eventbus.entryPoints=https
       - traefik.http.routers.api-eventbus.service=api-eventbus
+      - traefik.http.routers.api-eventbus.middlewares=eventbus-stripprefix
       - traefik.http.services.api-eventbus.loadbalancer.server.scheme=http
       - traefik.http.services.api-eventbus.loadbalancer.server.port=15672
+      - traefik.http.middlewares.eventbus-stripprefix.stripprefix.prefixes=/admin/eventbus
+      - traefik.tls.certificates.certfile=/certs/client.cert
+      - traefik.tls.certificates.keyfile=/certs/client.key
+    volumes:
+      - ./certs/api-gateway:/certs
 
   api-logger:
     image: git.pbiernat.dev/egommerce/api-logger:dev
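Review bot: Swapping `PathPrefix(`/admin/registry`)` for `Headers(`X-API-SERVICE`, `admin-registry`)` on the api-registry router is a routing choice, not an access control: the header is supplied by the client, so any request carrying it reaches port 8500 at any path, and the path constraint the old rule gave is gone (the new `registry-stripprefix` middleware now only does anything when that prefix happens to be present). If the header is meant to keep the admin endpoint off the public path space, keep both conditions and put a real gate in front, e.g. `rule=Headers(`X-API-SERVICE`, `admin-registry`) && PathPrefix(`/admin/registry`)` with `middlewares=registry-auth,registry-stripprefix` where `registry-auth` is a `basicauth` or `forwardauth` middleware. Separately, the new `volumes: - ./certs/api-gateway:/certs` here, the identical mount in the api-eventbus hunk, and the four `./certs/<svc>:/certs` → `./certs/api-gateway:/certs` replacements in the identity-svc, basket-svc, catalog-svc and order-svc hunks hand every service the gateway's private key; the per-service directories the diff removes are what let each service be identified and have its key rotated independently, so I would keep them (or at least a comment stating that the shared key is a dev-only shortcut).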
@@ -83,7 +103,7 @@ services:
       - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
       - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
     volumes:
-      - ./certs/identity-svc:/certs
+      - ./certs/api-gateway:/certs
 
   basket-svc:
     image: git.pbiernat.dev/egommerce/basket-svc:dev
@@ -93,7 +113,7 @@ services:
       - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
       - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
     volumes:
-      - ./certs/basket-svc:/certs
+      - ./certs/api-gateway:/certs
 
   catalog-svc:
     image: git.pbiernat.dev/egommerce/catalog-svc:dev
@@ -103,7 +123,7 @@ services:
       - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
       - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
     volumes:
-      - ./certs/catalog-svc:/certs
+      - ./certs/api-gateway:/certs
 
   order-svc:
     image: git.pbiernat.dev/egommerce/order-svc:dev
@@ -113,7 +133,7 @@ services:
       - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
       - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
     volumes:
-      - ./certs/order-svc:/certs
+      - ./certs/api-gateway:/certs
 
   # Workers (EventBus)
   basket-worker:
diff --git a/deploy/make-cert.sh b/deploy/make-cert.sh
new file mode 100644
index 0000000..48825e5
--- /dev/null
+++ b/deploy/make-cert.sh
@@ -0,0 +1,60 @@
+# #!/bin/sh
+
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cert/identity-svc-server.key -out ./cert/identity-svc-server.cert \
+ -addext "subjectAltName = DNS:identity-svc"
+# ^^ GENERATE CERT FOR BACKEND SERVICE (on client side - in traefik - we dont need DNS domain... for now...)
+
+
+# if [ -z "$SERVICE" ]; then echo "set SERVICE var"; exit 1; fi
+# if [ -z "$CA_ROOT" ]; then echo "set CA_ROOT var"; exit 1; fi
+# if [ -z "$DOMAIN" ]; then echo "set DOMAIN var"; exit 1; fi
+
+# PASSWORD=V3ryS3cr3tP4ssw0rd
+
+# # sample for registry server (with api-gateway-svc as a client) but using FDN...
+# # keytool -genkey -alias api-registry-svc -dname cn=$DOMAIN -validity 365 -keystore tmp/api-registry-svc.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
+# # keytool -genkey -alias myClientCertificate -dname cn=$DOMAIN -validity 365 -keystore tmp/myClientCertificate.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
+
+# # keytool -export -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/myClientCertificate.p12 -storepass $PASSWORD
+# # keytool -export -alias api-registry-svc -file tmp/api-registry-svc.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD
+
+# # keytool -import -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD # aka myCertificate.p12
+
+# # echo "Done."
+# # exit 0
+
+# if [ -d "$SERVICE" ]; then
+# echo "$SERVICE directory exists... Quitting."
+# exit 1;
+# fi
+
+# if [ ! -f "$SERVICE" ]; then
+# mkdir -p $SERVICE
+# fi
+
+# echo "===================================================================="
+# echo "Fake third-party chain generated. Now generating keystore.p12 ..."
+# echo "===================================================================="
+
+# # generate private keys (for server)
+# keytool -genkeypair -alias $SERVICE -dname cn=$DOMAIN -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -keypass $PASSWORD -storepass $PASSWORD
+
+# # generate a certificate for server signed by ca (root -> ca -> server)
+# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -certreq -alias $SERVICE \
+# | keytool -storetype PKCS12 -keystore "$CA_ROOT/ca.p12" -storepass $PASSWORD -gencert -alias ca -ext ku:c=dig,keyEnc -ext "SAN:c=DNS:$DOMAIN,IP:127.0.0.1" -ext eku=sa,ca -rfc > "$SERVICE/$SERVICE.pem"
+
+# # import server cert chain into ${SERVICE}.p12
+# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
+# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
+# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
+
+
+# # DEPRECATED - duplicated above section...
+# # echo "================================================="
+# # echo "Keystore generated. Now generating truststore ..."
+# # echo "================================================="
+
+# # import server cert chain into my-truststore.p12
+# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
+# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
+# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
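Review bot: The first line `# #!/bin/sh` comments out the shebang, so the new script has no interpreter line, and the only live command, the `openssl req` call, writes `identity-svc-server.key`/`.cert` into `./cert/` while the compose file in this commit mounts `./certs/api-gateway` and its labels point at `/certs/client.cert` and `/certs/client.key`, so what this script produces is never the file Traefik or the services are configured to read. Suggest starting with `#!/bin/sh` and `set -eu`, then `mkdir -p ./certs/api-gateway` and an output path/name that matches the mount, with a short comment stating which service the generated pair is for. The commented-out block still carries a literal `PASSWORD=V3ryS3cr3tP4ssw0rd` in version control; if that code is ever revived, read it from the environment (`: "${PASSWORD:?set PASSWORD}"`) instead of a literal, and quote the expansion in `mkdir -p "$SERVICE"`. `-nodes` also leaves the private key unencrypted on disk, which is acceptable for a dev certificate but deserves a one-line comment saying so.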