Final working version (docker-compose)

2020-09-28 23:35:30 +01:00 · 2020-09-28 23:35:30 +01:00 · d0f6a04b3f
commit d0f6a04b3f
parent 83c1e7909f
12 changed files with 78 additions and 26 deletions
--- a/deploy/certificates/.gitignore
+++ b/deploy/certificates/.gitignore
@ -0,0 +1,4 @@
+*.key
+*.pem
+*.pfx
+*.txt
--- a/deploy/certificates/README.md
+++ b/deploy/certificates/README.md
@ -0,0 +1,34 @@
+# Dev certificates for Docker
+
+1. Create a self-signed certificate
+2. Install certificates
+3. Configure the services
+
+## 1 - Create the self-signed certificate (`.pem + .key`) and its `.pfx` file
+
+**From WSL**, run the `create-docker-certificate.sh` script with a strong password for the certificate.
+
+```bash
+./create-docker-certificate.sh "secure-COMPLEX-and-SECRET-password"
+```
+
+The script creates a certificate for both `host.docker.internal` and `localhost`.
+
+### 2 - Install the certificates
+
+Run the `install-docker-certificate.ps1` with the same password you used above:
+
+```powershell
+.\install-docker-certificate.ps1 "secure-COMPLEX-and-SECRET-password"
+```
+
+The above script:
+
+1. Imports the certificate in the current user root CA store.
+2. Copies the certificate files to the `%USERPROFILE%\.aspnet\https` folder. Servers will serve the certificate from this folder.
+3. Copies the `.pem` file as `.crt` to the src\certificates folder to add it as a root CA when building the images for some services.
+
+### 3 - Configure some services to serve the certificates
+
+1. Copy the `src\docker-compose.certificates.sample.yaml` file as `src\docker-compose.certificates.yaml`
+2. Configure the password you assigned to the certificates in the settings `ASPNETCORE_Kestrel__Certificates__Default__Password`
--- a/deploy/certificates/create-docker-certificate.sh
+++ b/deploy/certificates/create-docker-certificate.sh
@ -5,10 +5,10 @@ openssl req \
  -out docker-self-signed.pem \
  -keyout docker-self-signed.key \
  -newkey rsa:2048 -nodes -sha256 \
-  -subj '/CN=localhost' \
+  -subj '/CN=host.docker.internal' \
  -extensions EXT \
  -config <( \
-    printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:localhost,DNS.2:host.docker.internal'\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
+    printf "[dn]\nCN=host.docker.internal\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:host.docker.internal,DNS.2:localhost'\nkeyUsage=digitalSignature,keyCertSign\nextendedKeyUsage=serverAuth")

 echo "printing text version..."
 openssl x509 -in docker-self-signed.pem -text -noout > docker-self-signed.txt
--- a/deploy/certificates/import-certificate.ps1
+++ b/deploy/certificates/import-certificate.ps1
@ -1,8 +0,0 @@
-param (
-    [Parameter(Mandatory = $true)]
-    [string]$Password
-)
-
-$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
-
-Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
--- a/deploy/certificates/install-docker-certificate.ps1
+++ b/deploy/certificates/install-docker-certificate.ps1
@ -0,0 +1,17 @@
+param (
+    [Parameter(Mandatory = $true)]
+    [string]$Password
+)
+
+# Import into current user root CA store
+$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
+Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
+
+# Copy to user profile to use as HTTPS certificate in server containers
+mkdir $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pem $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.key $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pfx $env:USERPROFILE\.aspnet\https -Force
+
+# Copy to src folder to register as a root CA in client containers
+Copy-Item docker-self-signed.pem ..\..\src\certificates  -Force
--- a/deploy/certificates/media/root-ca-import-warning.png
+++ b/deploy/certificates/media/root-ca-import-warning.png
--- a/src/.gitignore
+++ b/src/.gitignore
@ -0,0 +1 @@
+certificates
--- a/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
+++ b/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
@ -1,5 +1,7 @@
 FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
-WORKDIR /app
+WORKDIR /usr/local/share/ca-certificates
+COPY "certificates/docker-self-signed.crt" .
+RUN update-ca-certificates
 EXPOSE 80

 FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
--- a/src/Services/Identity/Identity.API/Configuration/Config.cs
+++ b/src/Services/Identity/Identity.API/Configuration/Config.cs
@ -41,7 +41,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
                // JavaScript Client
                new Client
                {
-                    ClientId = "spa",
+                    ClientId = "js",
                    ClientName = "eShop SPA OpenId Client",
                    AllowedGrantTypes = GrantTypes.Implicit,
                    AllowAccessTokensViaBrowser = true,
--- a/src/Web/WebMVC/Dockerfile
+++ b/src/Web/WebMVC/Dockerfile
@ -1,5 +1,7 @@
 FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
-WORKDIR /app
+WORKDIR /usr/local/share/ca-certificates
+COPY "certificates/docker-self-signed.crt" .
+RUN update-ca-certificates
 EXPOSE 80

 FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
--- a/src/docker-compose.certificates.sample.yaml
+++ b/src/docker-compose.certificates.sample.yaml
@ -10,14 +10,6 @@ services:
    volumes:
      - ~/.aspnet/https:/https:ro

-  ordering-api:
-    environment:
-      - ASPNETCORE_URLS=https://+:443;http://+:80
-      - ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
-      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
-    volumes:
-      - ~/.aspnet/https:/https:ro
-
  webstatus:
    environment:
      - ASPNETCORE_URLS=https://+:443
@ -28,7 +20,15 @@ services:

  webmvc:
    environment:
-      - ASPNETCORE_URLS=https://+:443
+      - ASPNETCORE_URLS=https://+:443;http://+:80
+      - ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
+      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
+    volumes:
+      - ~/.aspnet/https:/https:ro
+
+  webspa:
+    environment:
+      - ASPNETCORE_URLS=https://+:443;http://+:80
      - ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
    volumes:
--- a/src/docker-compose.override.yml
+++ b/src/docker-compose.override.yml
@ -46,10 +46,10 @@ services:
      - XamarinCallback=https://${ESHOP_PROD_EXTERNAL_DNS_NAME_OR_IP}:5105/xamarincallback
      - ConnectionString=${ESHOP_AZURE_IDENTITY_DB:-Server=sqldata;Database=Microsoft.eShopOnContainers.Service.IdentityDb;User Id=sa;Password=Pass@word}
      - MvcClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5100
-      - LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5109/locations-api
-      - MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5110/marketing-api
-      - BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5103/basket-api
-      - OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5102/ordering-api
+      - LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/locations-api
+      - MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/marketing-api
+      - BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/basket-api
+      - OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/ordering-api
      - MobileShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5120
      - WebShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5121
      - WebhooksApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5113