Merge pull request #1400 from 3scale/THREESCALE-9193-upstream-tlsv1.3

[THREESCALE-9193] upstream TLS v1.3

Author: eguzki

.circleci/config.yml

@@ -1,3 +1,4 @@
+---
 perl-cache-paths: &perl-cache-paths
   paths:
     - ./local
@@ -29,14 +30,6 @@ commands:
           - apicast-cpanm-v2-{{ arch }}-{{ .Branch }}
           - apicast-cpanm-v2-{{ arch }}-master
 
-  install-docker-compose:
-    steps:
-      - run: |
-          curl -sLO https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64
-          chmod +x docker-compose-linux-x86_64
-          mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
-          docker-compose version
-
   setup-docker:
     steps:
       - setup_remote_docker:
@@ -51,7 +44,6 @@ commands:
   setup-build-env:
     steps:
       - run: apk update && apk add wget make bash curl git openssh-client
-      - install-docker-compose
       - setup-docker
       - attach-workspace
 
@@ -106,10 +98,9 @@ executors:
   docker:
     working_directory: /opt/app-root/apicast
     docker:
-    - image: docker:stable
+    - image: docker:23.0.2-cli-alpine3.17
     environment:
       COMPOSE_TLS_VERSION: "TLSv1_2"
-      DOCKER_COMPOSE_VERSION: "v2.14.0"
 
   openresty:
     working_directory: /opt/app-root/apicast

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Opentelemetry support. Opentracing is now deprecated [PR #1379](https://github.com/3scale/APIcast/pull/1379) [THREESCALE-7735](https://issues.redhat.com/browse/THREESCALE-7735)
 - `/admin/api/account/proxy_configs` endpoint for configuration loading [PR #1352](https://github.com/3scale/APIcast/pull/1352) [THREESCALE-8508](https://issues.redhat.com/browse/THREESCALE-8508)
 - Pagination of services and proxy config endpoints [PR #1397](https://github.com/3scale/APIcast/pull/1397) [THREESCALE-8373](https://issues.redhat.com/browse/THREESCALE-8373)
+- Upstream TLS v1.3 [PR #1400](https://github.com/3scale/APIcast/pull/1400) [THREESCALE-9193](https://issues.redhat.com/browse/THREESCALE-9193)
 
 ### Removed
 

Makefile

@@ -1,12 +1,13 @@
 MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
 .DEFAULT_GOAL := help
-DOCKER_COMPOSE = docker-compose
+
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 REGISTRY ?= quay.io/3scale
 export TEST_NGINX_BINARY ?= openresty
 NGINX = $(shell which $(TEST_NGINX_BINARY))
-SHELL=/bin/bash -o pipefail
 
 NPROC ?= $(firstword $(shell nproc 2>/dev/null) 1)
 
@@ -22,6 +23,8 @@ DEVEL_DOCKER_COMPOSE_VOLMOUNT_MAC_FILE ?= docker-compose-devel-volmount-mac.yml
 DEVEL_DOCKER_COMPOSE_VOLMOUNT_DEFAULT_FILE ?= docker-compose-devel-volmount-default.yml
 
 PROVE_DOCKER_COMPOSE_FILE ?= docker-compose.prove.yml
+FORWARD_PROXY_DOCKER_COMPOSE_FILE ?= docker-compose.forward-proxy.yml
+UPSTREAM_TLS_DOCKER_COMPOSE_FILE ?= docker-compose.upstream-tls.yml
 
 DOCKER_VOLUME_NAME ?= apicast-local-volume
 
@@ -143,7 +146,7 @@ prove: $(ROVER) dependencies nginx ## Test nginx
 prove-docker: export IMAGE_NAME ?= $(DEVEL_IMAGE)
 prove-docker: ## Test nginx inside docker
 	make -C $(PROJECT_PATH) -f $(MKFILE_PATH) apicast-source
-	$(DOCKER_COMPOSE) -f $(PROVE_DOCKER_COMPOSE_FILE) run --rm -T \
+	$(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) run --rm -T \
 		-v $(DOCKER_VOLUME_NAME):/opt/app-root/src prove | \
 		awk '/Result: NOTESTS/ { print "FAIL: NOTESTS"; print; exit 1 }; { print }'
 
@@ -158,43 +161,51 @@ push: ## Push image to the registry
 bash: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
 bash: export SERVICE = gateway
 bash: ## Run bash inside the runtime image
-	$(DOCKER_COMPOSE) run --user=root --rm --entrypoint=bash $(SERVICE)
+	$(DOCKER) compose run --user=root --rm --entrypoint=bash $(SERVICE)
 
 gateway-logs: export IMAGE_NAME = does-not-matter
 gateway-logs:
-	$(DOCKER_COMPOSE) logs gateway
+	$(DOCKER) compose logs gateway
 
 opentelemetry-gateway: ## run gateway instrumented with opentelemetry
-	$(DOCKER_COMPOSE) run opentelemetry-instrumented-gateway
+	$(DOCKER) compose run opentelemetry-instrumented-gateway
 
 opentracing-gateway: ## run gateway instrumented with opentracing
-	$(DOCKER_COMPOSE) run opentracing-instrumented-gateway
+	$(DOCKER) compose run opentracing-instrumented-gateway
+
+# Environment described in ./examples/forward-proxy
+forward-proxy-gateway: ## run gateway configured to run along with a forward proxy
+	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) run gateway
+
+# Environment described in ./examples/tlsv1.3-upstream
+upstream-tls-gateway: ## run gateway configured to access upstream powered with TLS
+	$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) run gateway
 
 test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
 test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter.
-	$(DOCKER_COMPOSE) --version
-	$(DOCKER_COMPOSE) run --rm --user 100001 gateway apicast -l -d
+	$(DOCKER) compose --version
+	$(DOCKER) compose run --rm --user 100001 gateway apicast -l -d
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm --user 100002 -e APICAST_CONFIGURATION_LOADER=boot -e THREESCALE_PORTAL_ENDPOINT=https://echo-api.3scale.net gateway bin/apicast -d
+	$(DOCKER) compose run --rm --user 100002 -e APICAST_CONFIGURATION_LOADER=boot -e THREESCALE_PORTAL_ENDPOINT=https://echo-api.3scale.net gateway bin/apicast -d
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm test sh -c 'sleep 5 && curl --fail http://gateway:8090/status/live'
+	$(DOCKER) compose run --rm test sh -c 'sleep 5 && curl --fail http://gateway:8090/status/live'
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm --user 100001 gateway bin/apicast --test
+	$(DOCKER) compose run --rm --user 100001 gateway bin/apicast --test
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm --user 100001 gateway bin/apicast --test --dev
+	$(DOCKER) compose run --rm --user 100001 gateway bin/apicast --test --dev
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm --user 100001 gateway bin/apicast --daemon
+	$(DOCKER) compose run --rm --user 100001 gateway bin/apicast --daemon
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm test bash -c 'for i in {1..5}; do curl --fail http://gateway:8090/status/live && break || sleep 1; done'
-	$(DOCKER_COMPOSE) logs gateway
+	$(DOCKER) compose run --rm test bash -c 'for i in {1..5}; do curl --fail http://gateway:8090/status/live && break || sleep 1; done'
+	$(DOCKER) compose logs gateway
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm test curl --fail -X PUT http://gateway:8090/config --data '{"services":[{"id":42}]}'
+	$(DOCKER) compose run --rm test curl --fail -X PUT http://gateway:8090/config --data '{"services":[{"id":42}]}'
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm test curl --fail http://gateway:8090/status/ready
+	$(DOCKER) compose run --rm test curl --fail http://gateway:8090/status/ready
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm test curl --fail -X POST http://gateway:8090/boot
+	$(DOCKER) compose run --rm test curl --fail -X POST http://gateway:8090/boot
 	@echo -e $(SEPARATOR)
-	$(DOCKER_COMPOSE) run --rm gateway bin/apicast -c http://echo-api.3scale.net -d -b
+	$(DOCKER) compose run --rm gateway bin/apicast -c http://echo-api.3scale.net -d -b
 
 $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache :
 	mkdir -p $@
@@ -207,9 +218,9 @@ development: GROUP := $(shell id -g $(USER))
 endif
 development: ## Run bash inside the development image
 	@echo "Running on $(os)"
-	- $(DOCKER_COMPOSE) -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) up -d
+	- $(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) up -d
 	@ # https://github.com/moby/moby/issues/33794#issuecomment-312873988 for fixing the terminal width
-	$(DOCKER_COMPOSE) -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) exec -e COLUMNS="`tput cols`" -e LINES="`tput lines`" --user $(USER):$(GROUP) development bash
+	$(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) exec -e COLUMNS="`tput cols`" -e LINES="`tput lines`" --user $(USER):$(GROUP) development bash
 
 stop-development: clean-containers ## Stop development environment
 
@@ -233,9 +244,11 @@ lua_modules/bin/rover:
 dependencies: dep_folders lua_modules carton  ## Install project dependencies
 
 clean-containers:
-	- $(DOCKER_COMPOSE) down --volumes --remove-orphans
-	- $(DOCKER_COMPOSE) -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
-	- $(DOCKER_COMPOSE) -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans
+	$(DOCKER) compose down --volumes --remove-orphans
+	$(DOCKER) compose -f $(PROVE_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
+	$(DOCKER) compose -f $(DEVEL_DOCKER_COMPOSE_FILE) -f $(DEVEL_DOCKER_COMPOSE_VOLMOUNT_FILE) down --volumes --remove-orphans
+	$(DOCKER) compose -f $(FORWARD_PROXY_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
+	$(DOCKER) compose -f $(UPSTREAM_TLS_DOCKER_COMPOSE_FILE) down --volumes --remove-orphans
 
 clean-deps: ## Remove all local dependency folders
 	- rm -rf $(PROJECT_PATH)/lua_modules $(PROJECT_PATH)/local $(PROJECT_PATH)/.cpanm $(PROJECT_PATH)/vendor/cache $(PROJECT_PATH)/.cache :
@@ -270,12 +283,12 @@ benchmark: export COMPOSE_PROJECT_NAME = apicast-benchmark
 benchmark: export WRK_REPORT ?= $(IMAGE_TAG).csv
 benchmark: export DURATION ?= 300
 benchmark:
-	- $(DOCKER_COMPOSE) up --force-recreate -d apicast
-	$(DOCKER_COMPOSE) run curl
+	- $(DOCKER) compose up --force-recreate -d apicast
+	$(DOCKER) compose run curl
 	## warmup round for $(DURATION)/10 seconds
-	DURATION=$$(( $(DURATION) / 10 )) $(DOCKER_COMPOSE) run wrk
+	DURATION=$$(( $(DURATION) / 10 )) $(DOCKER) compose run wrk
 	## run the real benchmark for $(DURATION) seconds
-	$(DOCKER_COMPOSE) run wrk
+	$(DOCKER) compose run wrk
 
 # Check http://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
 help: ## Print this help

docker-compose.forward-proxy.yml

@@ -0,0 +1,39 @@
+---
+version: '3.8'
+services:
+  gateway:
+    image: ${IMAGE_NAME:-apicast-test}
+    depends_on:
+    - proxy
+    - upstream
+    environment:
+      THREESCALE_CONFIG_FILE: /tmp/config.json
+      THREESCALE_DEPLOYMENT_ENV: staging
+      APICAST_CONFIGURATION_LOADER: lazy
+      APICAST_WORKERS: 1
+      APICAST_LOG_LEVEL: debug
+      APICAST_CONFIGURATION_CACHE: "0"
+    expose:
+      - "8080"
+      - "8090"
+    ports:
+      - "8080:8080"
+      - "8090:8090"
+    volumes:
+      - ./examples/forward-proxy/apicast-config.json:/tmp/config.json
+  upstream:
+    image: nginx:1.23.4
+    expose:
+      - "443"
+    volumes:
+      - ./examples/forward-proxy/proxy-nginx.conf:/etc/nginx/nginx.conf
+      - ./examples/forward-proxy/upstream-cert/upstream.key:/etc/pki/tls.key
+      - ./examples/forward-proxy/upstream-cert/upstream.crt:/etc/pki/tls.crt
+  proxy:
+    build:
+      dockerfile: ./examples/forward-proxy/tinyproxy.Dockerfile
+    expose:
+      - "3128:3128"
+      - "443:443"
+    volumes:
+      - ./examples/forward-proxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf

docker-compose.upstream-tls.yml

@@ -0,0 +1,30 @@
+---
+version: '3.8'
+services:
+  gateway:
+    image: ${IMAGE_NAME:-apicast-test}
+    depends_on:
+    - one.upstream
+    environment:
+      THREESCALE_CONFIG_FILE: /tmp/config.json
+      THREESCALE_DEPLOYMENT_ENV: staging
+      APICAST_CONFIGURATION_LOADER: lazy
+      APICAST_WORKERS: 1
+      APICAST_LOG_LEVEL: debug
+      APICAST_CONFIGURATION_CACHE: "0"
+    expose:
+      - "8080"
+      - "8090"
+    ports:
+      - "8080:8080"
+      - "8090:8090"
+    volumes:
+      - ./examples/tlsv1.3-upstream/apicast-config.json:/tmp/config.json
+  one.upstream:
+    image: nginx:1.23.4
+    expose:
+      - "443"
+    volumes:
+      - ./examples/tlsv1.3-upstream/proxy-nginx.conf:/etc/nginx/nginx.conf
+      - ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.key:/etc/pki/tls.key
+      - ./examples/tlsv1.3-upstream/upstream-cert/one.upstream.crt:/etc/pki/tls.crt

docker-compose.yml

@@ -1,4 +1,5 @@
-version: '2.1'
+---
+version: '3.8'
 services:
   gateway:
     image: ${IMAGE_NAME:-apicast-test}

examples/forward-proxy/README.md

@@ -0,0 +1,9 @@
+# PROXY with upstream using TLSv1.3
+
+APIcast --> tiny proxy (connect to 443 but no cert installed) --> upstream (TLSv1.3)
+
+APicast starts SSL tunnel (via HTTP Connect method) against proxy to access upstream configured with TLSv1.3
+
+```
+curl -v -H "Host: one" http://${APICAST_IP}:8080/get?user_key=foo
+```

examples/forward-proxy/apicast-config.json

@@ -0,0 +1,36 @@
+{
+    "services": [
+        {
+            "backend_version": "1",
+            "proxy": {
+                "hosts": ["one"],
+                "api_backend": "https://upstream:443/",
+                "backend": {
+                    "endpoint": "http://127.0.0.1:8081",
+                    "host": "backend"
+                },
+                "policy_chain": [
+                    {
+                        "name": "apicast.policy.apicast"
+                    },
+                    {
+                        "name": "apicast.policy.http_proxy",
+                        "configuration": {
+                            "https_proxy": "http://proxy:443/"
+                        }
+                    }
+                ],
+                "proxy_rules": [
+                    {
+                        "http_method": "GET",
+                        "pattern": "/",
+                        "metric_system_name": "hits",
+                        "delta": 1,
+                        "parameters": [],
+                        "querystring_parameters": {}
+                    }
+                ]
+            }
+        }
+    ]
+}

examples/forward-proxy/proxy-nginx.conf

@@ -0,0 +1,27 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events { worker_connections 1024; }
+
+http {
+    server {
+        listen 443 ssl;
+
+        server_name upstream;
+
+        resolver 8.8.8.8;
+
+        access_log /dev/stdout;
+        error_log /dev/stdout info;
+
+        ssl_certificate /etc/pki/tls.crt;
+        ssl_certificate_key /etc/pki/tls.key;
+        ssl_protocols TLSv1.3;
+
+        location ~ ^/(.*)$  {
+            proxy_pass https://postman-echo.com/get/$1$is_args$args;
+        }
+    }
+}

examples/forward-proxy/tinyproxy.Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.17.3
+
+LABEL summary="Forward proxy based on tinyproxy for development purposes" \
+      description="Forward proxy based on tinyproxy for development purposes" \
+      io.k8s.description="Forward proxy based on tinyproxy for development purposes" \
+      io.k8s.display-name="Forward Proxy (Tinyproxy)" \
+      io.openshift.tags="tinyproxy, proxy" \
+      maintainer="[email protected]"
+
+RUN apk --no-cache add tinyproxy=1.11.1-r2
+ENTRYPOINT ["/usr/bin/tinyproxy"]
+CMD ["-d"]