tls fixes

This commit is contained in:
Piotr Biernat 2022-12-04 07:19:55 +01:00
parent 047888cf47
commit 80e8a2ac4e
2 changed files with 88 additions and 8 deletions

View File

@ -4,18 +4,21 @@ services:
# INFRASTRUCTURE SERVICES # INFRASTRUCTURE SERVICES
api-gateway: api-gateway:
image: git.pbiernat.dev/egommerce/api-gateway:dev image: git.pbiernat.dev/egommerce/api-gateway:dev
hostname: gw.egommerce.pbiernat.dev hostname: egommerce.pbiernat.dev
environment: environment:
- APP_DOMAIN=gw.egommerce.pbiernat.dev - APP_DOMAIN=egommerce.pbiernat.dev
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.api-gateway.rule=PathPrefix(`/admin/gateway`) - traefik.http.routers.api-gateway.rule=PathPrefix(`/admin/gateway`)
- traefik.http.routers.api-gateway.tls=true
- traefik.http.routers.api-gateway.entryPoints=https - traefik.http.routers.api-gateway.entryPoints=https
- traefik.http.routers.api-gateway.service=api-gateway - traefik.http.routers.api-gateway.service=api-gateway
- traefik.http.services.api-gateway.loadbalancer.server.scheme=http - traefik.http.services.api-gateway.loadbalancer.server.scheme=http
- traefik.http.services.api-gateway.loadbalancer.server.port=8080 - traefik.http.services.api-gateway.loadbalancer.server.port=8080
- traefik.tls.certificates.certfile=/certs/client.cert
- traefik.tls.certificates.keyfile=/certs/client.key
volumes: volumes:
- ./certs:/etc/traefik/certs - ./certs/api-gateway:/etc/traefik/certs
api-registry: api-registry:
image: git.pbiernat.dev/egommerce/api-registry:dev image: git.pbiernat.dev/egommerce/api-registry:dev
@ -24,11 +27,20 @@ services:
- APP_DOMAIN=registry.egommerce.pbiernat.dev - APP_DOMAIN=registry.egommerce.pbiernat.dev
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`) # - traefik.http.routers.api-registry.rule=PathPrefix(`/admin/registry`)
- traefik.http.routers.api-registry.rule=Headers(`X-API-SERVICE`, `admin-registry`)
- traefik.http.routers.api-registry.tls=true
- traefik.http.routers.api-registry.tls.domains[0].main=egommerce.pbiernat.dev
- traefik.http.routers.api-registry.entryPoints=https - traefik.http.routers.api-registry.entryPoints=https
- traefik.http.routers.api-registry.service=api-registry - traefik.http.routers.api-registry.service=api-registry
- traefik.http.routers.api-registry.middlewares=registry-stripprefix
- traefik.http.services.api-registry.loadbalancer.server.scheme=http - traefik.http.services.api-registry.loadbalancer.server.scheme=http
- traefik.http.services.api-registry.loadbalancer.server.port=8500 - traefik.http.services.api-registry.loadbalancer.server.port=8500
- traefik.http.middlewares.registry-stripprefix.stripprefix.prefixes=/admin/registry
- traefik.tls.certificates.certfile=/certs/client.cert
- traefik.tls.certificates.keyfile=/certs/client.key
volumes:
- ./certs/api-gateway:/certs
api-eventbus: api-eventbus:
image: git.pbiernat.dev/egommerce/api-eventbus:dev image: git.pbiernat.dev/egommerce/api-eventbus:dev
@ -41,10 +53,18 @@ services:
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.api-eventbus.rule=PathPrefix(`/admin/eventbus`) - traefik.http.routers.api-eventbus.rule=PathPrefix(`/admin/eventbus`)
- traefik.http.routers.api-eventbus.tls=true
- traefik.http.routers.api-eventbus.tls.domains[0].main=egommerce.pbiernat.dev
- traefik.http.routers.api-eventbus.entryPoints=https - traefik.http.routers.api-eventbus.entryPoints=https
- traefik.http.routers.api-eventbus.service=api-eventbus - traefik.http.routers.api-eventbus.service=api-eventbus
- traefik.http.routers.api-eventbus.middlewares=eventbus-stripprefix
- traefik.http.services.api-eventbus.loadbalancer.server.scheme=http - traefik.http.services.api-eventbus.loadbalancer.server.scheme=http
- traefik.http.services.api-eventbus.loadbalancer.server.port=15672 - traefik.http.services.api-eventbus.loadbalancer.server.port=15672
- traefik.http.middlewares.eventbus-stripprefix.stripprefix.prefixes=/admin/eventbus
- traefik.tls.certificates.certfile=/certs/client.cert
- traefik.tls.certificates.keyfile=/certs/client.key
volumes:
- ./certs/api-gateway:/certs
api-logger: api-logger:
image: git.pbiernat.dev/egommerce/api-logger:dev image: git.pbiernat.dev/egommerce/api-logger:dev
@ -83,7 +103,7 @@ services:
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017 - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672 - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
volumes: volumes:
- ./certs/identity-svc:/certs - ./certs/api-gateway:/certs
basket-svc: basket-svc:
image: git.pbiernat.dev/egommerce/basket-svc:dev image: git.pbiernat.dev/egommerce/basket-svc:dev
@ -93,7 +113,7 @@ services:
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017 - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672 - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
volumes: volumes:
- ./certs/basket-svc:/certs - ./certs/api-gateway:/certs
catalog-svc: catalog-svc:
image: git.pbiernat.dev/egommerce/catalog-svc:dev image: git.pbiernat.dev/egommerce/catalog-svc:dev
@ -103,7 +123,7 @@ services:
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017 - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672 - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
volumes: volumes:
- ./certs/catalog-svc:/certs - ./certs/api-gateway:/certs
order-svc: order-svc:
image: git.pbiernat.dev/egommerce/order-svc:dev image: git.pbiernat.dev/egommerce/order-svc:dev
@ -113,7 +133,7 @@ services:
- MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017 - MONGODB_URL=mongodb://mongodb:12345678@mongodb.egommerce.pbiernat.dev:27017
- EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672 - EVENTBUS_URL=amqp://guest:guest@eventbus.egommerce.pbiernat.dev:5672
volumes: volumes:
- ./certs/order-svc:/certs - ./certs/api-gateway:/certs
# Workers (EventBus) # Workers (EventBus)
basket-worker: basket-worker:

60
deploy/make-cert.sh Normal file
View File

@ -0,0 +1,60 @@
# #!/bin/sh
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cert/identity-svc-server.key -out ./cert/identity-svc-server.cert \
-addext "subjectAltName = DNS:identity-svc"
# ^^ GENERATE CERT FOR BACKEND SERVICE (on client side - in traefik - we dont need DNS domain... for now...)
# if [ -z "$SERVICE" ]; then echo "set SERVICE var"; exit 1; fi
# if [ -z "$CA_ROOT" ]; then echo "set CA_ROOT var"; exit 1; fi
# if [ -z "$DOMAIN" ]; then echo "set DOMAIN var"; exit 1; fi
# PASSWORD=V3ryS3cr3tP4ssw0rd
# # sample for registry server (with api-gateway-svc as a client) but using FDN...
# # keytool -genkey -alias api-registry-svc -dname cn=$DOMAIN -validity 365 -keystore tmp/api-registry-svc.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
# # keytool -genkey -alias myClientCertificate -dname cn=$DOMAIN -validity 365 -keystore tmp/myClientCertificate.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
# # keytool -export -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/myClientCertificate.p12 -storepass $PASSWORD
# # keytool -export -alias api-registry-svc -file tmp/api-registry-svc.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD
# # keytool -import -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD # aka myCertificate.p12
# # echo "Done."
# # exit 0
# if [ -d "$SERVICE" ]; then
# echo "$SERVICE directory exists... Quitting."
# exit 1;
# fi
# if [ ! -f "$SERVICE" ]; then
# mkdir -p $SERVICE
# fi
# echo "===================================================================="
# echo "Fake third-party chain generated. Now generating keystore.p12 ..."
# echo "===================================================================="
# # generate private keys (for server)
# keytool -genkeypair -alias $SERVICE -dname cn=$DOMAIN -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -keypass $PASSWORD -storepass $PASSWORD
# # generate a certificate for server signed by ca (root -> ca -> server)
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -certreq -alias $SERVICE \
# | keytool -storetype PKCS12 -keystore "$CA_ROOT/ca.p12" -storepass $PASSWORD -gencert -alias ca -ext ku:c=dig,keyEnc -ext "SAN:c=DNS:$DOMAIN,IP:127.0.0.1" -ext eku=sa,ca -rfc > "$SERVICE/$SERVICE.pem"
# # import server cert chain into ${SERVICE}.p12
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
# # DEPRECATED - duplicated above section...
# # echo "================================================="
# # echo "Keystore generated. Now generating truststore ..."
# # echo "================================================="
# # import server cert chain into my-truststore.p12
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"