From 9661d473af8b37c3042ba2c8c95b142cc4aea34c Mon Sep 17 00:00:00 2001
From: Eguzki Astiz Lezaun
Date: Fri, 20 Oct 2023 23:57:14 +0200
Subject: [PATCH] dev-environment: listen-tls
---
dev-environments/listen-tls/Makefile | 18 +++++++++
dev-environments/listen-tls/README.md | 33 ++++++++++++++++
.../listen-tls/apicast-config.json | 31 +++++++++++++++
dev-environments/listen-tls/cert/Makefile | 15 ++++++++
.../listen-tls/docker-compose.yml | 38 +++++++++++++++++++
5 files changed, 135 insertions(+)
create mode 100644 dev-environments/listen-tls/Makefile
create mode 100644 dev-environments/listen-tls/README.md
create mode 100644 dev-environments/listen-tls/apicast-config.json
create mode 100644 dev-environments/listen-tls/cert/Makefile
create mode 100644 dev-environments/listen-tls/docker-compose.yml
diff --git a/dev-environments/listen-tls/Makefile b/dev-environments/listen-tls/Makefile
new file mode 100644
index 000000000..fe6780662
--- /dev/null
+++ b/dev-environments/listen-tls/Makefile
@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+ $(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+ $(DOCKER) compose down --volumes --remove-orphans
+ $(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+ $(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+ $(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com
diff --git a/dev-environments/listen-tls/README.md b/dev-environments/listen-tls/README.md
new file mode 100644
index 000000000..bca33ef59
--- /dev/null
+++ b/dev-environments/listen-tls/README.md
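Review bot: The `##` help text on the `gateway` target describes a different scenario than this environment implements — it says the gateway is "configured to access upstream powered with TLS", while the commit subject and the `APICAST_HTTPS_*` settings in docker-compose.yml make APIcast itself listen on HTTPS; suggest `gateway: ## run gateway listening on HTTPS (8443) with the certs from ./cert`. None of `gateway`, `clean` or `certs` names a file, so add `.PHONY: gateway clean certs` at the top to keep a stray file of that name from silently satisfying the target. In `clean`, the second `compose down` with `-f docker-compose.yml` appears to address the same project as the first call (docker-compose.yml is the default file name), so one of the two lines looks redundant.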
@@ -0,0 +1,33 @@
+# Making APIcast listen on HTTPS
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+## Testing
+
+```sh
+curl --resolve example.com:8443:127.0.0.1 -v --cacert cert/rootCA.pem "https://example.com:8443/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```
diff --git a/dev-environments/listen-tls/apicast-config.json b/dev-environments/listen-tls/apicast-config.json
new file mode 100644
index 000000000..06014cab0
--- /dev/null
+++ b/dev-environments/listen-tls/apicast-config.json
@@ -0,0 +1,31 @@
+{
+ "services": [
+ {
+ "id": "1",
+ "backend_version": "1",
+ "proxy": {
+ "hosts": ["example.com"],
+ "api_backend": "http://one.upstream/get",
+ "backend": {
+ "endpoint": "http://127.0.0.1:8081",
+ "host": "backend"
+ },
+ "policy_chain": [
+ {
+ "name": "apicast.policy.apicast"
+ }
+ ],
+ "proxy_rules": [
+ {
+ "http_method": "GET",
+ "pattern": "/",
+ "metric_system_name": "hits",
+ "delta": 1,
+ "parameters": [],
+ "querystring_parameters": {}
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/dev-environments/listen-tls/cert/Makefile b/dev-environments/listen-tls/cert/Makefile
new file mode 100644
index 000000000..1739aa70b
--- /dev/null
+++ b/dev-environments/listen-tls/cert/Makefile
@@ -0,0 +1,15 @@
+clean:
+ - rm *.crt *.key *.pem *.csr
+
+ca:
+ openssl genrsa -out rootCA.key 2048
+ openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+ openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \
+ -sha256 \
+ -days 3650 \
+ -keyout $(DOMAIN).key \
+ -out $(DOMAIN).csr
+ chmod +r $(DOMAIN).key
+ openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
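Review bot: `clientcerts` never checks that `DOMAIN` is set, so running it without the variable issues a certificate for `/CN=` and writes `.key`, `.csr` and `.crt` files with an empty basename; guard it with `$(if $(strip $(DOMAIN)),,$(error DOMAIN is required, e.g. make clientcerts DOMAIN=example.com))` as the first recipe line. `chmod +r $(DOMAIN).key` makes the private key world-readable, which is acceptable for a throwaway dev key that a non-root container process has to read, but it deserves a comment saying exactly that (`# dev-only key: readable by the container user, never reuse this recipe for real keys`) so the line is not copied into a production build. `clean`, `ca` and `clientcerts` are not files and should be declared in `.PHONY:`, and `clean` leaves behind the `rootCA.srl` file that `-CAcreateserial` writes, so `*.srl` should be added to its `rm` list. The leaf certificate carries only a CN and no subjectAltName; the README's curl test presumably tolerates that, but clients that require SAN will reject it — adding `-addext 'subjectAltName=DNS:$(DOMAIN)'` to the `openssl req` call would make the dev cert match what those clients expect.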
diff --git a/dev-environments/listen-tls/docker-compose.yml b/dev-environments/listen-tls/docker-compose.yml
new file mode 100644
index 000000000..723f71886
--- /dev/null
+++ b/dev-environments/listen-tls/docker-compose.yml
@@ -0,0 +1,38 @@
+---
+version: '3.8'
+services:
+ gateway:
+ image: ${IMAGE_NAME:-apicast-test}
+ depends_on:
+ - one.upstream
+ - two.upstream
+ environment:
+ APICAST_HTTPS_PORT: 8443
+ APICAST_HTTPS_CERTIFICATE: /var/run/secrets/apicast/example.com.crt
+ APICAST_HTTPS_CERTIFICATE_KEY: /var/run/secrets/apicast/example.com.key
+ THREESCALE_CONFIG_FILE: /tmp/config.json
+ THREESCALE_DEPLOYMENT_ENV: staging
+ APICAST_CONFIGURATION_LOADER: lazy
+ APICAST_WORKERS: 1
+ APICAST_LOG_LEVEL: debug
+ APICAST_CONFIGURATION_CACHE: "0"
+ expose:
+ - "8443"
+ - "8090"
+ ports:
+ - "8443:8443"
+ - "8090:8090"
+ volumes:
+ - ./apicast-config.json:/tmp/config.json
+ - ./cert:/var/run/secrets/apicast
+ one.upstream:
+ image: alpine/socat:1.7.4.4
+ container_name: one.upstream
+ command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+ expose:
+ - "80"
+ restart: unless-stopped
+ two.upstream:
+ image: kennethreitz/httpbin
+ expose:
+ - "80"
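Review bot: The `./cert:/var/run/secrets/apicast` volume bind-mounts the whole cert directory into the gateway container, which includes `rootCA.key` (written there by the `ca` target in cert/Makefile) even though the gateway only reads `example.com.crt` and `example.com.key` per the two `APICAST_HTTPS_*` variables above it; mount only those two files, read-only: `- ./cert/example.com.crt:/var/run/secrets/apicast/example.com.crt:ro` and `- ./cert/example.com.key:/var/run/secrets/apicast/example.com.key:ro`. The CA key should never need to leave the host, even in a dev environment, and keeping it out of the container makes that property hold by construction rather than by convention. The same `:ro` suffix fits `./apicast-config.json:/tmp/config.json`, since nothing in this setup writes the config back.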