diff --git a/dev-environments/grpc/Makefile b/dev-environments/grpc/Makefile
index 089dab1ae..74552b571 100644
--- a/dev-environments/grpc/Makefile
+++ b/dev-environments/grpc/Makefile
@@ -11,33 +11,56 @@ gateway: ## run gateway configured to access upstream powered with TLS clean: $(DOCKER) compose down --volumes --remove-orphans $(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans - $(MAKE) cleancerts -C $(WORKDIR)/gateway-cert -f $(WORKDIR)/Makefile - $(MAKE) cleancerts -C $(WORKDIR)/upstream-cert -f $(WORKDIR)/Makefile + - rm -rf gateway-cert + - rm -rf upstream-cert + - rm -rf bin -cleancerts: - - rm *.crt *.key *.pem *.csr - -ca: - openssl genrsa -out rootCA.key 2048 +ca: + openssl genrsa -out rootCA.key 2048 openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -clientcerts: +clientcerts: openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \ -sha256 \ -days 3650 \ -keyout $(DOMAIN).key \ - -out $(DOMAIN).csr + -out $(DOMAIN).csr chmod +r $(DOMAIN).key openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256 -gateway-certs: +$(WORKDIR)/gateway-cert: mkdir -p gateway-cert - $(MAKE) cleancerts -C $(WORKDIR)/gateway-cert -f $(WORKDIR)/Makefile + +.PHONY: gateway-certs +gateway-certs: $(WORKDIR)/gateway-cert $(MAKE) ca -C $(WORKDIR)/gateway-cert -f $(WORKDIR)/Makefile $(MAKE) clientcerts -C $(WORKDIR)/gateway-cert -f $(WORKDIR)/Makefile DOMAIN=gateway.example.com -upstream-certs: +$(WORKDIR)/upstream-cert: mkdir -p upstream-cert - $(MAKE) cleancerts -C $(WORKDIR)/upstream-cert -f $(WORKDIR)/Makefile + +.PHONY: upstream-certs +upstream-certs: $(WORKDIR)/upstream-cert $(MAKE) ca -C $(WORKDIR)/upstream-cert -f $(WORKDIR)/Makefile $(MAKE) clientcerts -C $(WORKDIR)/upstream-cert -f $(WORKDIR)/Makefile DOMAIN=upstream.example.com + cat $(WORKDIR)/upstream-cert/upstream.example.com.key $(WORKDIR)/upstream-cert/upstream.example.com.crt >$(WORKDIR)/upstream-cert/upstream.example.com.pem + +GRPCURL=$(WORKDIR)/bin/grpcurl +$(GRPCURL): + $(call go-install-tool,$(GRPCURL),github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9) + +.PHONY: 
grpcurl +grpcurl: $(GRPCURL) ## Download grpcurl locally if necessary. + +# go-install-tool will 'go install' any package $2 and install it to $1. +define go-install-tool +@[ -f $(1) ] || { \ +set -e ;\ +TMP_DIR=$$(mktemp -d) ;\ +cd $$TMP_DIR ;\ +go mod init tmp ;\ +echo "Downloading $(2)" ;\ +GOBIN=$(WORKDIR)/bin go install $(2) ;\ +rm -rf $$TMP_DIR ;\ +} +endef diff --git a/dev-environments/grpc/README.md b/dev-environments/grpc/README.md index 58c18b7a0..0ecf0a83a 100644 --- a/dev-environments/grpc/README.md +++ b/dev-environments/grpc/README.md @@ -24,10 +24,25 @@ Running custom apicast image make gateway IMAGE_NAME=quay.io/3scale/apicast:latest ``` +Traffic between the gateway and upstream can be inspected looking at logs from `one.upstream` service + +``` +docker compose -p grpc logs -f one.upstream +``` + ## Testing + +Get `grpcurl` + +```sh +make grpcurl +``` + +Run request + ```sh -curl --resolve gateway.example.com:8443:127.0.0.1 -v --cacert gateway-cert/rootCA.pem "https://gateway.example.com:8443/?user_key=123" +bin/grpcurl -insecure -authority gateway.example.com 127.0.0.1:8443 main.HelloWorld/Greeting ``` ## Clean env diff --git a/dev-environments/grpc/apicast-config.json b/dev-environments/grpc/apicast-config.json index d01b11693..22abd8dc0 100644 --- a/dev-environments/grpc/apicast-config.json +++ b/dev-environments/grpc/apicast-config.json @@ -4,7 +4,8 @@ "id": "1", "backend_version": "1", "proxy": { - "hosts": ["example.com"], + "hosts": ["gateway.example.com"], + "credentials_location": "headers", "api_backend": "https://one.upstream:443", "backend": { "endpoint": "http://127.0.0.1:8081", diff --git a/dev-environments/grpc/docker-compose.yml b/dev-environments/grpc/docker-compose.yml index 3da4f6248..352e9a994 100644 --- a/dev-environments/grpc/docker-compose.yml +++ b/dev-environments/grpc/docker-compose.yml 
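Review bot: The new directory targets `$(WORKDIR)/gateway-cert:` and `$(WORKDIR)/upstream-cert:` are named by absolute path, but the kept recipes create the relative `gateway-cert` / `upstream-cert`, so whenever make is not invoked from `$(WORKDIR)` the prerequisite never appears and the recipe re-runs every time (the new `clean` lines likewise remove the relative `gateway-cert`, `upstream-cert` and `bin`); use `mkdir -p $@` in both rules and `$(WORKDIR)/...` in `clean`. In `go-install-tool` the whole compound is `@`-silenced and `set -e` aborts before `rm -rf $$TMP_DIR`, so a failed `go install` leaves the temporary module directory behind and prints no command; adding `trap 'rm -rf "$$TMP_DIR"' EXIT ;\` right after the `mktemp` line covers both exits. `go install` also requires `GOBIN` to be absolute, which presumably holds for `$(WORKDIR)` given the `-C $(WORKDIR)/...` calls above, but that assumption deserves a one-line comment on the define. Pinning `grpcurl@v1.8.9` is the right call; exposing it as `GRPCURL_VERSION ?= v1.8.9` would let the pin be bumped from the command line without editing the recipe.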
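Review bot: `"credentials_location": "headers"` makes APIcast accept the `user_key` credential from a request header only, yet the sample invocation this commit adds to the README (`bin/grpcurl -insecure -authority gateway.example.com 127.0.0.1:8443 main.HelloWorld/Greeting`) sends no such header, so the request would presumably be rejected for missing authentication parameters; the README line should add `-H 'user_key: 123'` or whatever key name the rest of the configuration accepts. The same README line also disables certificate verification with `-insecure`, whereas the curl command it replaces pinned `gateway-cert/rootCA.pem`; passing `-cacert gateway-cert/rootCA.pem` instead keeps the test exercising the generated chain rather than bypassing it.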
@@ -8,8 +8,8 @@ services:
 - two.upstream
 environment:
 APICAST_HTTPS_PORT: 8443
- APICAST_HTTPS_CERTIFICATE: /var/run/secrets/apicast/example.com.crt
- APICAST_HTTPS_CERTIFICATE_KEY: /var/run/secrets/apicast/example.com.key
+ APICAST_HTTPS_CERTIFICATE: /var/run/secrets/apicast/gateway.example.com.crt
+ APICAST_HTTPS_CERTIFICATE_KEY: /var/run/secrets/apicast/gateway.example.com.key
 THREESCALE_CONFIG_FILE: /tmp/config.json
 THREESCALE_DEPLOYMENT_ENV: staging
 APICAST_CONFIGURATION_LOADER: lazy
@@ -24,7 +24,7 @@ services:
 - "8090:8090"
 volumes:
 - ./apicast-config.json:/tmp/config.json
- - ./cert:/var/run/secrets/apicast
+ - ./gateway-cert:/var/run/secrets/apicast
 one.upstream:
 image: alpine/socat:1.7.4.4
 container_name: one.upstream
@@ -33,7 +33,7 @@ services:
 - "443"
 restart: unless-stopped
 volumes:
- - ./cert/upstream.example.com.pem:/etc/pki/upstream.example.com.pem
+ - ./upstream-cert/upstream.example.com.pem:/etc/pki/upstream.example.com.pem
 two.upstream:
 image: kalmhq/echoserver
 expose:
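Review bot: `- ./gateway-cert:/var/run/secrets/apicast` in the second hunk mounts the whole certificate directory into the gateway container, and after `make gateway-certs` that directory also holds `rootCA.key`, `rootCA.pem` and the CSR, while the gateway reads only the two files named in the first hunk. Mount those two files individually, as the third hunk already does for the upstream pem: `- ./gateway-cert/gateway.example.com.crt:/var/run/secrets/apicast/gateway.example.com.crt` and `- ./gateway-cert/gateway.example.com.key:/var/run/secrets/apicast/gateway.example.com.key`. That keeps the CA private key out of the container even in this self-signed dev setup and makes the container's dependency on exactly those two artefacts explicit.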