tls fixes
This commit is contained in:
parent
047888cf47
commit
80e8a2ac4e
@ -4,18 +4,21 @@ services:
|
|||||||
# INFRASTRUCTURE SERVICES
|
# INFRASTRUCTURE SERVICES
|
||||||
api-gateway:
|
api-gateway:
|
||||||
image: git.pbiernat.dev/egommerce/api-gateway:dev
|
image: git.pbiernat.dev/egommerce/api-gateway:dev
|
||||||
hostname: gw.egommerce.pbiernat.dev
|
hostname: egommerce.pbiernat.dev
|
||||||
environment:
|
environment:
|
||||||
- APP_DOMAIN=gw.egommerce.pbiernat.dev
|
- APP_DOMAIN=egommerce.pbiernat.dev
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- traefik.enable=true
|
||||||
- traefik.http.routers.api-gateway.rule=PathPrefix(`/admin/gateway`)
|
- traefik.http.routers.api-gateway.rule=PathPrefix(`/admin/gateway`)
|
||||||
|
- traefik.http.routers.api-gateway.tls=true
|
||||||
- traefik.http.routers.api-gateway.entryPoints=https
|
- traefik.http.routers.api-gateway.entryPoints=https
|
||||||
- traefik.http.routers.api-gateway.service=api-gateway
|
- traefik.http.routers.api-gateway.service=api-gateway
|
||||||
- traefik.http.services.api-gateway.loadbalancer.server.scheme=http
|
- traefik.http.services.api-gateway.loadbalancer.server.scheme=http
|
||||||
- traefik.http.services.api-gateway.loadbalancer.server.port=8080
|
- traefik.http.services.api-gateway.loadbalancer.server.port=8080
|
||||||
|
- traefik.tls.certificates.certfile=/certs/client.cert
|
||||||
|
- traefik.tls.certificates.keyfile=/certs/client.key
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs:/etc/traefik/certs
|
- ./certs/api-gateway:/etc/traefik/certs
|
||||||
|
|
||||||
api-registry:
|
api-registry:
|
||||||
image: git.pbiernat.dev/egommerce/api-registry:dev
|
image: git.pbiernat.dev/egommerce/api-registry:dev
|
||||||
@ -24,11 +27,20 @@ services:
|
|||||||
- APP_DOMAIN=registry.egommerce.pbiernat.dev
|
- APP_DOMAIN=registry.egommerce.pbiernat.dev
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- traefik.enable=true
|
||||||
- traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`)
|
# - traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`)
|
||||||
|
- traefik.http.routers.api-registry.rule=Headers(`X-API-SERVICE`, `admin-registry`)
|
||||||
|
- traefik.http.routers.api-registry.tls=true
|
||||||
|
- traefik.http.routers.api-registry.tls.domains[0].main=egommerce.pbiernat.dev
|
||||||
- traefik.http.routers.api-registry.entryPoints=https
|
- traefik.http.routers.api-registry.entryPoints=https
|
||||||
- traefik.http.routers.api-registry.service=api-registry
|
- traefik.http.routers.api-registry.service=api-registry
|
||||||
|
- traefik.http.routers.api-registry.middlewares=registry-stripprefix
|
||||||
- traefik.http.services.api-registry.loadbalancer.server.scheme=http
|
- traefik.http.services.api-registry.loadbalancer.server.scheme=http
|
||||||
- traefik.http.services.api-registry.loadbalancer.server.port=8500
|
- traefik.http.services.api-registry.loadbalancer.server.port=8500
|
||||||
|
- traefik.http.middlewares.registry-stripprefix.stripprefix.prefixes=/admin/registry
|
||||||
|
- traefik.tls.certificates.certfile=/certs/client.cert
|
||||||
|
- traefik.tls.certificates.keyfile=/certs/client.key
|
||||||
|
volumes:
|
||||||
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
api-eventbus:
|
api-eventbus:
|
||||||
image: git.pbiernat.dev/egommerce/api-eventbus:dev
|
image: git.pbiernat.dev/egommerce/api-eventbus:dev
|
||||||
@ -41,10 +53,18 @@ services:
|
|||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- traefik.enable=true
|
||||||
- traefik.http.routers.api-eventbus.rule=PathPrefix(`/admin/eventbus`)
|
- traefik.http.routers.api-eventbus.rule=PathPrefix(`/admin/eventbus`)
|
||||||
|
- traefik.http.routers.api-eventbus.tls=true
|
||||||
|
- traefik.http.routers.api-eventbus.tls.domains[0].main=egommerce.pbiernat.dev
|
||||||
- traefik.http.routers.api-eventbus.entryPoints=https
|
- traefik.http.routers.api-eventbus.entryPoints=https
|
||||||
- traefik.http.routers.api-eventbus.service=api-eventbus
|
- traefik.http.routers.api-eventbus.service=api-eventbus
|
||||||
|
- traefik.http.routers.api-eventbus.middlewares=eventbus-stripprefix
|
||||||
- traefik.http.services.api-eventbus.loadbalancer.server.scheme=http
|
- traefik.http.services.api-eventbus.loadbalancer.server.scheme=http
|
||||||
- traefik.http.services.api-eventbus.loadbalancer.server.port=15672
|
- traefik.http.services.api-eventbus.loadbalancer.server.port=15672
|
||||||
|
- traefik.http.middlewares.eventbus-stripprefix.stripprefix.prefixes=/admin/eventbus
|
||||||
|
- traefik.tls.certificates.certfile=/certs/client.cert
|
||||||
|
- traefik.tls.certificates.keyfile=/certs/client.key
|
||||||
|
volumes:
|
||||||
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
api-logger:
|
api-logger:
|
||||||
image: git.pbiernat.dev/egommerce/api-logger:dev
|
image: git.pbiernat.dev/egommerce/api-logger:dev
|
||||||
@ -83,7 +103,7 @@ services:
|
|||||||
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
||||||
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs/identity-svc:/certs
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
basket-svc:
|
basket-svc:
|
||||||
image: git.pbiernat.dev/egommerce/basket-svc:dev
|
image: git.pbiernat.dev/egommerce/basket-svc:dev
|
||||||
@ -93,7 +113,7 @@ services:
|
|||||||
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
||||||
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs/basket-svc:/certs
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
catalog-svc:
|
catalog-svc:
|
||||||
image: git.pbiernat.dev/egommerce/catalog-svc:dev
|
image: git.pbiernat.dev/egommerce/catalog-svc:dev
|
||||||
@ -103,7 +123,7 @@ services:
|
|||||||
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
||||||
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs/catalog-svc:/certs
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
order-svc:
|
order-svc:
|
||||||
image: git.pbiernat.dev/egommerce/order-svc:dev
|
image: git.pbiernat.dev/egommerce/order-svc:dev
|
||||||
@ -113,7 +133,7 @@ services:
|
|||||||
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
|
||||||
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs/order-svc:/certs
|
- ./certs/api-gateway:/certs
|
||||||
|
|
||||||
# Workers (EventBus)
|
# Workers (EventBus)
|
||||||
basket-worker:
|
basket-worker:
|
||||||
|
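Review bot: Every backend service's `volumes:` entry in this section now mounts the same `./certs/api-gateway:/certs` directory (api-registry, api-eventbus, api-logger, basket-svc, catalog-svc, order-svc), replacing the per-service directories `./certs/identity-svc`, `./certs/basket-svc`, `./certs/catalog-svc` and `./certs/order-svc`, so one private key is shared by every container and a compromise of any single container exposes the credential of all of them; keeping one directory per service, e.g. `- ./certs/api-registry:/certs` for api-registry, preserves per-service identity. As far as I can tell, Traefik's Docker provider does not consume `traefik.tls.certificates.certfile`/`keyfile` labels (certificates come from the file-provider dynamic configuration on the Traefik host), so the `/certs/client.cert` and `/certs/client.key` labels added to api-gateway, api-registry and api-eventbus are probably ignored, and a path inside the backend container would not be visible to the Traefik process anyway — worth confirming against the Traefik log after deploy. The api-registry router rule changes from `` PathPrefix(`/admin/registry`) `` to `` Headers(`X-API-SERVICE`, `admin-registry`) ``, which is a client-supplied header rather than an access control, so the registry's interface on port 8500 becomes routable on the https entrypoint for any request path that carries the header, while the newly added `registry-stripprefix` middleware only has something to strip when the path happens to start with `/admin/registry`. Consider combining the two, `` Headers(`X-API-SERVICE`, `admin-registry`) && PathPrefix(`/admin/registry`) ``, and placing an authentication middleware in front of the `/admin/*` routers, since the compose file gives no sign of one.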
60
deploy/make-cert.sh
Normal file
60
deploy/make-cert.sh
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
# #!/bin/sh
|
||||||
|
|
||||||
|
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cert/identity-svc-server.key -out ./cert/identity-svc-server.cert \
|
||||||
|
-addext "subjectAltName = DNS:identity-svc"
|
||||||
|
# ^^ GENERATE CERT FOR BACKEND SERVICE (on client side - in traefik - we dont need DNS domain... for now...)
|
||||||
|
|
||||||
|
|
||||||
|
# if [ -z "$SERVICE" ]; then echo "set SERVICE var"; exit 1; fi
|
||||||
|
# if [ -z "$CA_ROOT" ]; then echo "set CA_ROOT var"; exit 1; fi
|
||||||
|
# if [ -z "$DOMAIN" ]; then echo "set DOMAIN var"; exit 1; fi
|
||||||
|
|
||||||
|
# PASSWORD=V3ryS3cr3tP4ssw0rd
|
||||||
|
|
||||||
|
# # sample for registry server (with api-gateway-svc as a client) but using FDN...
|
||||||
|
# # keytool -genkey -alias api-registry-svc -dname cn=$DOMAIN -validity 365 -keystore tmp/api-registry-svc.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
|
||||||
|
# # keytool -genkey -alias myClientCertificate -dname cn=$DOMAIN -validity 365 -keystore tmp/myClientCertificate.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
|
||||||
|
|
||||||
|
# # keytool -export -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/myClientCertificate.p12 -storepass $PASSWORD
|
||||||
|
# # keytool -export -alias api-registry-svc -file tmp/api-registry-svc.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD
|
||||||
|
|
||||||
|
# # keytool -import -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD # aka myCertificate.p12
|
||||||
|
|
||||||
|
# # echo "Done."
|
||||||
|
# # exit 0
|
||||||
|
|
||||||
|
# if [ -d "$SERVICE" ]; then
|
||||||
|
# echo "$SERVICE directory exists... Quitting."
|
||||||
|
# exit 1;
|
||||||
|
# fi
|
||||||
|
|
||||||
|
# if [ ! -f "$SERVICE" ]; then
|
||||||
|
# mkdir -p $SERVICE
|
||||||
|
# fi
|
||||||
|
|
||||||
|
# echo "===================================================================="
|
||||||
|
# echo "Fake third-party chain generated. Now generating keystore.p12 ..."
|
||||||
|
# echo "===================================================================="
|
||||||
|
|
||||||
|
# # generate private keys (for server)
|
||||||
|
# keytool -genkeypair -alias $SERVICE -dname cn=$DOMAIN -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -keypass $PASSWORD -storepass $PASSWORD
|
||||||
|
|
||||||
|
# # generate a certificate for server signed by ca (root -> ca -> server)
|
||||||
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -certreq -alias $SERVICE \
|
||||||
|
# | keytool -storetype PKCS12 -keystore "$CA_ROOT/ca.p12" -storepass $PASSWORD -gencert -alias ca -ext ku:c=dig,keyEnc -ext "SAN:c=DNS:$DOMAIN,IP:127.0.0.1" -ext eku=sa,ca -rfc > "$SERVICE/$SERVICE.pem"
|
||||||
|
|
||||||
|
# # import server cert chain into ${SERVICE}.p12
|
||||||
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
|
||||||
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
|
||||||
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
|
||||||
|
|
||||||
|
|
||||||
|
# # DEPRECATED - duplicated above section...
|
||||||
|
# # echo "================================================="
|
||||||
|
# # echo "Keystore generated. Now generating truststore ..."
|
||||||
|
# # echo "================================================="
|
||||||
|
|
||||||
|
# # import server cert chain into my-truststore.p12
|
||||||
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
|
||||||
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
|
||||||
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
|
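Review bot: The only active command in this new script, the `openssl req ...` line near the top, runs without an interpreter line because the shebang is disabled as `# #!/bin/sh`, and without `set -eu`; openssl also does not create `./cert/`, so the script fails unless that directory already exists — restore `#!/bin/sh`, add `set -eu`, and run `mkdir -p ./cert` before the command. The files it writes, `./cert/identity-svc-server.key` and `.cert`, match neither the directories the compose file in this commit mounts (`./certs/<service>`) nor the names its labels reference (`/certs/client.cert`, `/certs/client.key`), so a header comment stating what the script produces would help, e.g. `# Generates a self-signed server key pair for identity-svc under ./cert/ (key unencrypted via -nodes, valid 365 days); not the client.cert/client.key the compose labels expect.`. The commented-out `# PASSWORD=V3ryS3cr3tP4ssw0rd` should not carry a real-looking value even while disabled — take it from the environment, as the `if [ -z "$CA_ROOT" ]` style checks above it already do for the other inputs — and if the keytool block is revived, the `[ ! -f "$SERVICE" ]` test checks for a file where the following `mkdir -p $SERVICE` means a directory (`-d`), and `$SERVICE` should be quoted there.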