dev-environment: upstream-tlsv1.3
eguzki committed Oct 21, 2023
1 parent 9661d47 commit bb0687b
Showing 12 changed files with 179 additions and 155 deletions.
6 changes: 0 additions & 6 deletions Makefile
Expand Up @@ -24,7 +24,6 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-defa

PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml
FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml
UPSTREAM_TLS_DOCKER_COMPOSE_FILE ?= docker-compose.upstream-tls.yml

DOCKER_VOLUME_NAME ?= apicast-local-volume

Expand Down Expand Up @@ -177,10 +176,6 @@ opentracing-gateway: ## run gateway instrumented with opentracing
forward-proxy-gateway: ## run gateway configured to run along with a forward proxy
$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway

# Environment described in ./examples/tlsv1.3-upstream
upstream-tls-gateway: ## run gateway configured to access upstream powered with TLS
$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) run gateway

test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter.
$(DOCKER) compose --version
Expand Down Expand Up @@ -248,7 +243,6 @@ clean-containers:
$(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
$(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans
$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans

clean-deps: ## Remove all local dependency folders
- rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache :
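--- a/dev-environments/upstream-tlsv1.3/Makefile
+++ b/dev-environments/upstream-tlsv1.3/Makefile
@@ -0,0 +1,18 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+
+clean:
+$(DOCKER) compose down --volumes --remove-orphans
+$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+
+certs:
+$(MAKE) clean -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+$(MAKE) ca -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile
+$(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/cert/Makefile DOMAIN=example.com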
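Review bot: `DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")` at the top of the new Makefile is a recursive-flavour assignment, so the `which` process is forked again every time `$(DOCKER)` is expanded in a recipe instead of once at parse time; guard it as `ifndef DOCKER` / `DOCKER := $(shell which docker 2> /dev/null || echo "docker")` / `endif`. None of `gateway`, `clean` and `certs` is declared phony, so a stray file with one of those names in this directory would make the target silently "up to date"; add `.PHONY: gateway clean certs`. The two `compose down` lines in `clean` look equivalent, since `docker-compose.yml` is the file compose picks by default, so one of them can go. On the three `$(MAKE)` lines in `certs`, `-f $(WORKDIR)/cert/Makefile` is redundant with `-C $(WORKDIR)/cert`, which already reads that directory's `Makefile`.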
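--- a/dev-environments/upstream-tlsv1.3/README.md
+++ b/dev-environments/upstream-tlsv1.3/README.md
@@ -0,0 +1,51 @@
+# Upstream using TLSv1.3
+
+APIcast --> upstream (TLSv1.3)
+
+APIcast configured with TLSv1.3 powered upstream . TLS termination endpoint is `socat`.
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+Traffic between the proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p upstream-tlsv13 logs -f example.com
+```
+
+## Testing
+
+`GET` request
+
+```sh
+curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"
+```
+
+`POST` request
+
+```sh
+curl --resolve post.example.com:8080:127.0.0.1 -v -X POST "http://post.example.com:8080/?user_key=123"
+```
+
+## Clean env
+
+```sh
+make clean
+```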
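--- a/dev-environments/upstream-tlsv1.3/apicast-config.json
+++ b/dev-environments/upstream-tlsv1.3/apicast-config.json
@@ -0,0 +1,58 @@
+{
+"services": [
+{
+"id": "1",
+"backend_version": "1",
+"proxy": {
+"hosts": ["get.example.com"],
+"api_backend": "https://example.com/get",
+"backend": {
+"endpoint": "http://127.0.0.1:8081",
+"host": "backend"
+},
+"policy_chain": [
+{
+"name": "apicast.policy.apicast"
+}
+],
+"proxy_rules": [
+{
+"http_method": "GET",
+"pattern": "/",
+"metric_system_name": "hits",
+"delta": 1,
+"parameters": [],
+"querystring_parameters": {}
+}
+]
+}
+},
+{
+"id": "2",
+"backend_version": "1",
+"proxy": {
+"hosts": ["post.example.com"],
+"api_backend": "https://example.com/post",
+"backend": {
+"endpoint": "http://127.0.0.1:8081",
+"host": "backend"
+},
+"policy_chain": [
+{
+"name": "apicast.policy.apicast"
+}
+],
+"proxy_rules": [
+{
+"http_method": "POST",
+"pattern": "/",
+"metric_system_name": "hits",
+"delta": 1,
+"parameters": [],
+"querystring_parameters": {}
+}
+]
+}
+}
+]
+}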
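Review bot: Both services set `backend.endpoint` to `http://127.0.0.1:8081`, but nothing in the accompanying docker-compose.yml listens on 8081 (it only exposes 8080/8090, 443 and 80), so inside the gateway container that address appears to have no listener. If the `apicast.policy.apicast` policy's authorization call to that backend fails, the curl requests in the README may be rejected instead of proxied to `https://example.com`; it is worth confirming whether a backend mock is expected to be running elsewhere, or adding one to the compose file. Since JSON has no comment syntax, the expectation about the backend belongs in the README next to the "Run the gateway" section.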
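--- a/dev-environments/upstream-tlsv1.3/cert/Makefile
+++ b/dev-environments/upstream-tlsv1.3/cert/Makefile
@@ -0,0 +1,16 @@
+clean:
+- rm *.crt *.key *.pem *.csr
+
+ca:
+openssl genrsa -out rootCA.key 2048
+openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+
+clientcerts:
+openssl req -subj '/CN=$(DOMAIN)' -newkey rsa:4096 -nodes \
+-sha256 \
+-days 3650 \
+-keyout $(DOMAIN).key \
+-out $(DOMAIN).csr
+chmod +r $(DOMAIN).key
+openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+cat $(DOMAIN).key $(DOMAIN).crt >$(DOMAIN).pem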
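Review bot: `clientcerts` uses `$(DOMAIN)` in the subject and in every output filename with no check that it is set, so `make clientcerts` without `DOMAIN=` produces `-subj '/CN='` and files named `.key`, `.csr`, `.crt` and `.pem`; add `$(if $(strip $(DOMAIN)),,$(error DOMAIN is required, e.g. make clientcerts DOMAIN=example.com))` as the first recipe line. `chmod +r $(DOMAIN).key` makes the unencrypted (`-nodes`) private key world-readable, yet docker-compose.yml mounts only the concatenated `.pem` that `cat` writes with the default umask, so the reason for relaxing the `.key` permissions is not visible from here; either drop the line or add a comment naming the consumer that needs it, e.g. `# .key must be readable by <consumer> — TODO confirm`. The `clean` recipe silences rm failures with a leading `-`; `$(RM) *.crt *.key *.pem *.csr` (rm -f) needs no error suppression. `clean`, `ca` and `clientcerts` are commands rather than files and should be declared with `.PHONY: clean ca clientcerts`. The name `clientcerts` is misleading since the certificate is the server certificate presented by the socat listener (which runs with `verify=0`, so no client certificates are involved); a one-line comment above the target, `# server certificate for the $(DOMAIN) TLS listener, signed by rootCA`, would prevent that confusion.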
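--- a/dev-environments/upstream-tlsv1.3/docker-compose.yml
+++ b/dev-environments/upstream-tlsv1.3/docker-compose.yml
@@ -0,0 +1,36 @@
+---
+version: '3.8'
+services:
+gateway:
+image: ${IMAGE_NAME:-apicast-test}
+depends_on:
+- example.com
+- two.upstream
+environment:
+THREESCALE_CONFIG_FILE: /tmp/config.json
+THREESCALE_DEPLOYMENT_ENV: staging
+APICAST_CONFIGURATION_LOADER: lazy
+APICAST_WORKERS: 1
+APICAST_LOG_LEVEL: debug
+APICAST_CONFIGURATION_CACHE: "0"
+expose:
+- "8080"
+- "8090"
+ports:
+- "8080:8080"
+- "8090:8090"
+volumes:
+- ./apicast-config.json:/tmp/config.json
+example.com:
+image: alpine/socat:1.7.4.4
+container_name: example.com
+command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+expose:
+- "443"
+restart: unless-stopped
+volumes:
+- ./cert/example.com.pem:/etc/pki/example.com.pem
+two.upstream:
+image: kennethreitz/httpbin
+expose:
+- "80"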
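Review bot: The `./cert/example.com.pem:/etc/pki/example.com.pem` bind mount under `example.com` depends on `make certs` having been run first, and nothing in the file says so; when the host path does not exist, Docker tends to create it as an empty directory, so the socat listener fails at startup with an error that does not point at the missing certificate. Add a comment on the volume line, `# generated by 'make certs' (cert/Makefile); run it before 'make gateway'`. The `verify=0` option on the socat `command` means no client certificate is requested, which is intentional for exercising server-side TLS 1.3 only, and deserves a comment saying so, since a reader may otherwise assume mutual TLS is being tested. `version: '3.8'` is reported as obsolete by recent Compose v2 releases and can be dropped, and the `expose` entries on `gateway` are redundant with its `ports` mappings.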
30 changes: 0 additions & 30 deletions docker-compose.upstream-tls.yml

This file was deleted.

11 changes: 0 additions & 11 deletions examples/tlsv1.3-upstream/README.md

This file was deleted.

30 changes: 0 additions & 30 deletions examples/tlsv1.3-upstream/apicast-config.json

This file was deleted.

27 changes: 0 additions & 27 deletions examples/tlsv1.3-upstream/proxy-nginx.conf

This file was deleted.

23 changes: 0 additions & 23 deletions examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt

This file was deleted.

28 changes: 0 additions & 28 deletions examples/tlsv1.3-upstream/upstream-cert/one.upstream.key

This file was deleted.
