
Final working version (docker-compose)

feature/enable-local-tls-docker-compose
Miguel Veloso 4 years ago
parent
commit
d0f6a04b3f
12 changed files with 75 additions and 23 deletions
  1. +4
    -0
      deploy/certificates/.gitignore
  2. +34
    -0
      deploy/certificates/README.md
  3. +2
    -2
      deploy/certificates/create-docker-certificate.sh
  4. +0
    -8
      deploy/certificates/import-certificate.ps1
  5. +17
    -0
      deploy/certificates/install-docker-certificate.ps1
  6. BIN
      deploy/certificates/media/root-ca-import-warning.png
  7. +1
    -0
      src/.gitignore
  8. +3
    -1
      src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
  9. +1
    -1
      src/Services/Identity/Identity.API/Configuration/Config.cs
  10. +3
    -1
      src/Web/WebMVC/Dockerfile
  11. +6
    -6
      src/docker-compose.certificates.sample.yaml
  12. +4
    -4
      src/docker-compose.override.yml

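--- a/deploy/certificates/.gitignore
+++ b/deploy/certificates/.gitignore
@@ -0,0 +1,4 @@
+*.key
+*.pem
+*.pfx
+*.txt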

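--- a/deploy/certificates/README.md
+++ b/deploy/certificates/README.md
@@ -0,0 +1,34 @@
+# Dev certificates for Docker
+1. Create a self-signed certificate
+2. Install certificates
+3. Configure the services
+## 1 - Create the self-signed certificate (`.pem + .key`) and its `.pfx` file
+**From WSL**, run the `create-docker-certificate.sh` script with a strong password for the certificate.
+```bash
+./create-docker-certificate.sh "secure-COMPLEX-and-SECRET-password"
+```
+The script creates a certificate for both `host.docker.internal` and `localhost`.
+### 2 - Install the certificates
+Run the `install-docker-certificate.ps1` with the same password you used above:
+```powershell
+.\install-docker-certificate.ps1 "secure-COMPLEX-and-SECRET-password"
+```
+The above script:
+1. Imports the certificate in the current user root CA store.
+2. Copies the certificate files to the `%USERPROFILE%\.aspnet\https` folder. Servers will serve the certificate from this folder.
+3. Copies the `.pem` file as `.crt` to the src\certificates folder to add it as a root CA when building the images for some services.
+### 3 - Configure some services to serve the certificates
+1. Copy the `src\docker-compose.certificates.sample.yaml` file as `src\docker-compose.certificates.yaml`
+2. Configure the password you assigned to the certificates in the settings `ASPNETCORE_Kestrel__Certificates__Default__Password`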

+ 2
- 2
deploy/certificates/create-docker-certificate.sh View File

@ -5,10 +5,10 @@ openssl req \
-out docker-self-signed.pem \
-keyout docker-self-signed.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' \
-subj '/CN=host.docker.internal' \
-extensions EXT \
-config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:localhost,DNS.2:host.docker.internal'\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
printf "[dn]\nCN=host.docker.internal\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:host.docker.internal,DNS.2:localhost'\nkeyUsage=digitalSignature,keyCertSign\nextendedKeyUsage=serverAuth")
echo "printing text version..."
openssl x509 -in docker-self-signed.pem -text -noout > docker-self-signed.txt
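Review bot: The printf line carrying `keyUsage=digitalSignature,keyCertSign` (the rendering does not mark which printf is the added one, but that variant reads as the new side) gives the single self-signed certificate CA signing capability, and install-docker-certificate.ps1 in this same commit imports that key pair into the user's root CA store while the `.pfx` holding the same private key is copied under `~/.aspnet/https` and mounted read-only into the services listed in docker-compose.certificates.sample.yaml. Any process that can read that file then holds a key the host trusts as a CA, not merely as a server certificate. A safer layout is a root key that only signs and stays out of the `.pfx`, plus a separate leaf certificate with `keyUsage=digitalSignature,keyEncipherment` and `extendedKeyUsage=serverAuth` for Kestrel; if one combined certificate is a deliberate local-dev shortcut, say so above the printf, e.g. `# dev-only: one cert acts as both root CA and server cert; do not reuse outside local docker`. The `openssl req` invocation begins before this hunk and the `.pfx` export is not visible here, so the password handling could not be reviewed.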


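--- a/deploy/certificates/import-certificate.ps1
+++ b/deploy/certificates/import-certificate.ps1
@@ -1,8 +0,0 @@
-param (
-[Parameter(Mandatory = $true)]
-[string]$Password
-)
-$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
-Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword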

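--- a/deploy/certificates/install-docker-certificate.ps1
+++ b/deploy/certificates/install-docker-certificate.ps1
@@ -0,0 +1,17 @@
+param (
+[Parameter(Mandatory = $true)]
+[string]$Password
+)
+# Import into current user root CA store
+$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
+Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
+# Copy to user profile to use as HTTPS certificate in server containers
+mkdir $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pem $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.key $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pfx $env:USERPROFILE\.aspnet\https -Force
+# Copy to src folder to register as a root CA in client containers
+Copy-Item docker-self-signed.pem ..\..\src\certificates -Force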
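Review bot: The final `Copy-Item` drops `docker-self-signed.pem` into `..\..\src\certificates` under its original name, but both Dockerfiles in this commit `COPY "certificates/docker-self-signed.crt"` and the README states the file is copied as `.crt`, so the image builds will not find it; in addition, if `src\certificates` does not exist yet, `Copy-Item` creates a file named `certificates` instead of a folder. Replace the last line with `mkdir ..\..\src\certificates -Force` followed by `Copy-Item docker-self-signed.pem ..\..\src\certificates\docker-self-signed.crt -Force`. Separately, `Import-PfxCertificate -Exportable` places an exportable private key in `Cert:\CurrentUser\Root`, yet Kestrel reads the key from the `.pfx` on disk, so the Root store only needs the public certificate; importing the `.pem`/`.crt` with `Import-Certificate` instead would keep the private key out of the store (presumably it accepts that encoding; confirm before switching).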

BIN
deploy/certificates/media/root-ca-import-warning.png View File


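--- a/src/.gitignore
+++ b/src/.gitignore
@@ -0,0 +1 @@
+certificates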

+ 3
- 1
src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile View File

@ -1,5 +1,7 @@
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
WORKDIR /app
WORKDIR /usr/local/share/ca-certificates
COPY "certificates/docker-self-signed.crt" .
RUN update-ca-certificates
EXPOSE 80
FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
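Review bot: The three new lines change `WORKDIR` to `/usr/local/share/ca-certificates` inside the `base` stage and nothing in the hunk sets it back, so every later stage built `FROM base` inherits that working directory unless it re-declares `WORKDIR /app` (the final stage is outside this hunk, so I cannot confirm it does); `COPY "certificates/docker-self-signed.crt" /usr/local/share/ca-certificates/` followed by `RUN update-ca-certificates` achieves the same without touching the working directory. The larger concern is that this runs in the runtime `base` stage, so the developer's self-signed root CA is baked into the published image and trusted wherever that image is deployed, and because `src/.gitignore` in this commit ignores `certificates`, the build now fails for anyone who has not run the certificate scripts. Consider a build argument that makes the step optional or a dev-only stage, and a comment such as `# dev-only: trust the local self-signed CA (see deploy/certificates/README.md)`. src/Web/WebMVC/Dockerfile carries the identical change and the same remarks apply there.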


+ 1
- 1
src/Services/Identity/Identity.API/Configuration/Config.cs View File

@ -41,7 +41,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
// JavaScript Client
new Client
{
ClientId = "spa",
ClientId = "js",
ClientName = "eShop SPA OpenId Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
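Review bot: Whichever side of the `ClientId = "spa"` / `ClientId = "js"` pair is the new one (the rendering does not mark it), the identifier must match the client id the SPA sends in its OpenID configuration or IdentityServer will reject every login as an unknown client, and this commit touches no SPA configuration; the dependency is worth stating in the comment, e.g. `// JavaScript Client - ClientId must match the SPA's OpenID client settings`. This client also keeps `GrantTypes.Implicit` with `AllowAccessTokensViaBrowser = true`, the legacy browser flow; IdentityServer4 supports the authorization code flow with PKCE (`GrantTypes.Code` plus `RequirePkce = true`) for SPAs, which would be the recommended follow-up but is a separate change. The `Client` list this entry belongs to starts and ends outside the hunk.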


+ 3
- 1
src/Web/WebMVC/Dockerfile View File

@ -1,5 +1,7 @@
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
WORKDIR /app
WORKDIR /usr/local/share/ca-certificates
COPY "certificates/docker-self-signed.crt" .
RUN update-ca-certificates
EXPOSE 80
FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build


+ 6
- 6
src/docker-compose.certificates.sample.yaml View File

@ -10,25 +10,25 @@ services:
volumes:
- ~/.aspnet/https:/https:ro
ordering-api:
webstatus:
environment:
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_URLS=https://+:443
- ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
volumes:
- ~/.aspnet/https:/https:ro
webstatus:
webmvc:
environment:
- ASPNETCORE_URLS=https://+:443
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
volumes:
- ~/.aspnet/https:/https:ro
webmvc:
webspa:
environment:
- ASPNETCORE_URLS=https://+:443
- ASPNETCORE_URLS=https://+:443;http://+:80
- ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>
- ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx
volumes:
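Review bot: The `ASPNETCORE_Kestrel__Certificates__Default__Password=<secure-COMPLEX-and-SECRET-password>` placeholder appears three times in this hunk and, per the README, is meant to be filled in a copy named `src\docker-compose.certificates.yaml`, but `src/.gitignore` in this commit only ignores `certificates`, so the copy holding the real password is not ignored and one `git add .` away from being committed. Either add `docker-compose.certificates.yaml` to `src/.gitignore`, or replace the literal with a `${...}` substitution read from `.env`, as docker-compose.override.yml already does for other settings. The `~/.aspnet/https:/https:ro` mount also exposes `docker-self-signed.key` and `.pem` to each service alongside the `.pfx`, since the install script copies all three there; mounting only the `.pfx` file would be narrower. The `services:` block continues beyond both ends of the hunk, and which `ASPNETCORE_URLS` value is old or new for each service cannot be told from the rendering.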


+ 4
- 4
src/docker-compose.override.yml View File

@ -46,10 +46,10 @@ services:
- XamarinCallback=https://${ESHOP_PROD_EXTERNAL_DNS_NAME_OR_IP}:5105/xamarincallback
- ConnectionString=${ESHOP_AZURE_IDENTITY_DB:-Server=sqldata;Database=Microsoft.eShopOnContainers.Service.IdentityDb;User Id=sa;Password=Pass@word}
- MvcClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5100
- LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5109/locations-api
- MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5110/marketing-api
- BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5103/basket-api
- OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5102/ordering-api
- LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/locations-api
- MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/marketing-api
- BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/basket-api
- OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/ordering-api
- MobileShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5120
- WebShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5121
- WebhooksApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5113

