diff --git a/.gitignore b/.gitignore
index 2be252809..483d813f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,13 @@
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 
+# docker-compose secrets
+src/docker-compose.certificates.yml
+
+# local history
+.history
+.vshistory
+
 # User-specific files
 *.suo
 *.user
diff --git a/deploy/certificates/create-docker-certificate.sh b/deploy/certificates/create-docker-certificate.sh
new file mode 100644
index 000000000..f29edc1ce
--- /dev/null
+++ b/deploy/certificates/create-docker-certificate.sh
@@ -0,0 +1,22 @@
+echo "creating base certificate (.pem) and private key (.key) files..."
+openssl req \
+ -x509 \
+ -days 365 \
+ -out docker-self-signed.pem \
+ -keyout docker-self-signed.key \
+ -newkey rsa:2048 -nodes -sha256 \
+ -subj '/CN=localhost' \
+ -extensions EXT \
+ -config <( \
+ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:localhost,DNS.2:host.docker.internal'\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
+
+echo "printing text version..."
+openssl x509 -in docker-self-signed.pem -text -noout > docker-self-signed.txt
+
+echo "generating certificate container file (.pfx)..."
+openssl pkcs12 -export \
+ -inkey docker-self-signed.key \
+ -in docker-self-signed.pem \
+ -out docker-self-signed.pfx \
+ -name "Docker development certificate" \
+ -password pass:$1
diff --git a/deploy/certificates/import-certificate.ps1 b/deploy/certificates/import-certificate.ps1
new file mode 100644
index 000000000..c9f1a5013
--- /dev/null
+++ b/deploy/certificates/import-certificate.ps1
@@ -0,0 +1,8 @@
+param (
+ [Parameter(Mandatory = $true)]
+ [string]$Password
+)
+
+$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
+
+Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
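Review bot: The PFX export password is taken from `$1` and handed to `openssl pkcs12` as `-password pass:$1`, so it lands in shell history and is visible in the process list to every user on the machine while the export runs, and an omitted argument silently produces a PFX protected by an empty password. The script also relies on a bash process substitution (`-config <( ... )`) but has no shebang and no `set -euo pipefail`, so when run under `sh` the first `openssl req` fails and the later steps still execute against files that were never written. I would read the password from the environment or a hidden prompt and pass it with `-passout env:`, and make every step fatal; the rewritten head and final step are below, the certificate generation and the `-text` dump are unchanged.
```bash
#!/usr/bin/env bash
set -euo pipefail

# Take the export password from the environment (or a hidden prompt) so it
# never appears in argv, `ps` output or shell history.
if [[ -z "${PFX_PASSWORD:-}" ]]; then
  read -r -s -p "PFX export password: " PFX_PASSWORD
  echo
fi
export PFX_PASSWORD

# … unchanged: openssl req (self-signed .pem/.key) and openssl x509 -text dump …

echo "generating certificate container file (.pfx)..."
openssl pkcs12 -export \
  -inkey docker-self-signed.key \
  -in docker-self-signed.pem \
  -out docker-self-signed.pfx \
  -name "Docker development certificate" \
  -passout env:PFX_PASSWORD
```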
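Review bot: `Import-PfxCertificate -Exportable ... -CertStoreLocation Cert:\CurrentUser\Root\` installs the self-signed certificate as a trust anchor together with its private key and marks that key exportable, but trusting the certificate only needs the public part — the private key is already loaded by Kestrel and Envoy from the `/https` mount, so keeping a second, exportable copy in the Root store widens exposure for no benefit. Importing only the certificate, e.g. `Import-Certificate -FilePath .\docker-self-signed.pem -CertStoreLocation Cert:\CurrentUser\Root\`, removes the need for a password altogether; if that cmdlet rejects the PEM file, have create-docker-certificate.sh also emit a DER `.cer` next to the `.pfx`. If the PFX import must stay, declare the parameter as `[SecureString]$Password` so callers can supply it via `Read-Host -AsSecureString` instead of plain text on the command line, and drop the `ConvertTo-SecureString -AsPlainText -Force` conversion.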
diff --git a/deploy/certificates/media/root-ca-import-warning.png b/deploy/certificates/media/root-ca-import-warning.png
new file mode 100644
index 000000000..23fc2140b
Binary files /dev/null and b/deploy/certificates/media/root-ca-import-warning.png differ
diff --git a/src/ApiGateways/Envoy/config/webshopping/envoy.yaml b/src/ApiGateways/Envoy/config/webshopping/envoy.yaml
index 688fb740c..e1780c47d 100644
--- a/src/ApiGateways/Envoy/config/webshopping/envoy.yaml
+++ b/src/ApiGateways/Envoy/config/webshopping/envoy.yaml
@@ -22,7 +22,13 @@ static_resources:
 - name: eshop_backend
 domains:
 - "*"
+ # - "host.docker.internal"
 routes:
+ # - match:
+ # prefix: "/"
+ # redirect:
+ # path_redirect: "/"
+ # https_redirect: true
 - name: "c-short"
 match:
 prefix: "/c/"
@@ -99,6 +105,13 @@ static_resources:
 upstream_cluster: "%UPSTREAM_CLUSTER%"
 upstream_local_address: "%UPSTREAM_LOCAL_ADDRESS%"
 path: "/tmp/access.log"
+ tls_context:
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain:
+ filename: "/https/docker-self-signed.pem"
+ private_key:
+ filename: "/https/docker-self-signed.key"
 clusters:
 - name: shoppingagg
 connect_timeout: 0.25s
diff --git a/src/docker-compose.certificates.sample.yaml b/src/docker-compose.certificates.sample.yaml
new file mode 100644
index 000000000..4e43fd0f2
--- /dev/null
+++ b/src/docker-compose.certificates.sample.yaml
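Review bot: The commented-out `host.docker.internal` domain and the commented-out `https_redirect` route inserted under `routes:` carry no explanation of why they are disabled, so a reader cannot tell whether they are a planned follow-up or an attempt that did not work. Either drop the dead configuration or add one line above it stating the reason, e.g. `# https redirect disabled: <reason>; tracked in <issue-id>` (placeholders).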
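Review bot: `tls_context` on the listener filter chain is the legacy form of Envoy's downstream TLS configuration; newer Envoy releases replaced it with a `transport_socket` named `envoy.transport_sockets.tls` carrying a `DownstreamTlsContext`, and eventually reject the old field. The Envoy image version this repository pins is not visible in the diff, so check it against that tag and prefer the `transport_socket` form where supported. Adding TLS to this filter chain also makes every connection to the listener TLS-only, so any service that still calls the gateway over plain HTTP inside the compose network needs either a separate cleartext listener or a switch to https — a comment next to `tls_context` stating which was chosen would help, e.g. `# listener is now TLS-only; internal callers must use https`.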
@@ -0,0 +1,31 @@
+version: '3.4'
+
+services:
+
+ identity-api:
+ environment:
+ - ASPNETCORE_URLS=https://+:443;http://+:80
+ - ASPNETCORE_Kestrel__Certificates__Default__Password=
+ - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
+ volumes:
+ - ~/.aspnet/https:/https:ro
+
+ webstatus:
+ environment:
+ - ASPNETCORE_URLS=https://+:443
+ - ASPNETCORE_Kestrel__Certificates__Default__Password=
+ - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
+ volumes:
+ - ~/.aspnet/https:/https:ro
+
+ webmvc:
+ environment:
+ - ASPNETCORE_URLS=https://+:443
+ - ASPNETCORE_Kestrel__Certificates__Default__Password=
+ - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
+ volumes:
+ - ~/.aspnet/https:/https:ro
+
+ webshoppingapigw:
+ volumes:
+ - ~/.aspnet/https:/https:ro
diff --git a/src/docker-compose.override.yml b/src/docker-compose.override.yml
index 8ec8426ec..ca3940fcc 100644
--- a/src/docker-compose.override.yml
+++ b/src/docker-compose.override.yml
@@ -57,8 +57,10 @@ services:
 - UseCustomizationData=True
 - ApplicationInsights__InstrumentationKey=${INSTRUMENTATION_KEY}
 - OrchestratorType=${ORCHESTRATOR_TYPE}
+ - Serilog__MinimumLevel__Override__Microsoft=Warning
 ports:
- - "5105:80"
+ - "80" # We need HTTP access for inter-service communications
+ - "5105:443"
 
 basket-api:
 environment:
@@ -336,7 +338,7 @@ services:
 - ApplicationInsights__InstrumentationKey=${INSTRUMENTATION_KEY}
 - OrchestratorType=${ORCHESTRATOR_TYPE}
 ports:
- - "5107:80"
+ - "5107:443"
 
 webspa:
 environment:
diff --git a/src/start.ps1 b/src/start.ps1
new file mode 100644
index 000000000..28a4019e2
--- /dev/null
+++ b/src/start.ps1
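Review bot: `ASPNETCORE_Kestrel__Certificates__Default__Password=` is left empty in all three services with nothing saying it must be set to the password used with create-docker-certificate.sh, and the sample's `.yaml` extension does not match the `docker-compose.certificates.yml` name that start.ps1 loads and .gitignore excludes, so a developer who copies the file keeping its extension ends up with a committable file holding the certificate password. Add a header such as `# Copy to docker-compose.certificates.yml (git-ignored) and set the PFX password used with deploy/certificates/create-docker-certificate.sh` and rename the sample to `docker-compose.certificates.sample.yml` so the copy matches the ignored name. identity-api keeps `http://+:80` while webstatus and webmvc become https-only; if that asymmetry is deliberate, a one-line comment on identity-api saying why would save the next reader a question.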
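Review bot: `- "80" # We need HTTP access for inter-service communications` publishes container port 80 on a random host port, which is not what inter-service traffic needs — services on the compose network reach each other by service name without any `ports:` entry, and the published port exposes the plaintext endpoint on the host. If the intent is container-to-container HTTP only, drop the line (or use `expose:` if it should be documented); if something on the host genuinely needs plain HTTP, pin an explicit host port and say so in the comment. The `Serilog__MinimumLevel__Override__Microsoft=Warning` addition is unrelated to the certificate change and would be easier to review as its own commit.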
@@ -0,0 +1,8 @@
+
+if ($args.Count -eq 0) {
+ docker-compose.exe -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.certificates.yml up -d
+} elseif ($args.Count -eq 1 -and $args[0] -eq "infra") {
+ docker-compose.exe -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.certificates.yml up -d seq sqldata nosqldata basketdata rabbitmq
+} else {
+ docker-compose.exe -f docker-compose.yml -f docker-compose.override.yml -f docker-compose.certificates.yml up -d $args
+}
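Review bot: All three branches repeat the same `-f docker-compose.yml -f docker-compose.override.yml -f docker-compose.certificates.yml` list, and none checks that `docker-compose.certificates.yml` exists even though it is git-ignored and only appears after a developer copies the sample — on a fresh clone the script fails inside docker-compose with a file-not-found error instead of saying what to do. Hoist the file list into an array, splat it, and fail with an actionable message when a file is missing:
```powershell
$composeFiles = @('docker-compose.yml', 'docker-compose.override.yml', 'docker-compose.certificates.yml')
foreach ($f in $composeFiles) {
    if (-not (Test-Path $f)) {
        Write-Error "Missing $f (copy docker-compose.certificates.sample.yaml to docker-compose.certificates.yml and set the certificate password)"
        exit 1
    }
}
$fileArgs = $composeFiles | ForEach-Object { '-f', $_ }

if ($args.Count -eq 0) {
    docker-compose.exe @fileArgs up -d
} elseif ($args.Count -eq 1 -and $args[0] -eq "infra") {
    docker-compose.exe @fileArgs up -d seq sqldata nosqldata basketdata rabbitmq
} else {
    docker-compose.exe @fileArgs up -d $args
}
```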