
[THREESCALE-11412] Migrate to lua-resty-openssl #1502

Merged
merged 3 commits on Nov 4, 2024

Conversation

tkan145
Contributor

@tkan145 tkan145 commented Oct 18, 2024

What

https://issues.redhat.com/browse/THREESCALE-11412

Verification steps

  • Checkout this branch
  • Build runtime-image
make runtime-image IMAGE_NAME=apicast-test
  • Move into development environment
cd dev-environments/upstream-tlsv1.3
  • Update the apicast-config.json file as follows
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json 
index 5227c5aa..09fb1ab9 100644                                                                                                                    
--- a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
@@ -11,6 +11,15 @@                                                                                                                                 
           "host": "backend"                                                                                                                       
         },                                                                                                                                        
         "policy_chain": [                                                                                                                         
+          {                                                                                                                                       
+            "name": "apicast.policy.upstream_mtls",                                                                                               
+            "configuration": {                                                                                                                    
+                "certificate": "/tmp/example.com.crt",                                                                                            
+                "certificate_type": "path",                                                                                                       
+                "certificate_key": "/tmp/example.com.key",                                                                                        
+                "certificate_key_type": "path"                                                                                                    
+            }                                                                                                                                     
+          },                                                                                                                                      
           {                                                                                                                                       
             "name": "apicast.policy.http_proxy",                                                                                                  
             "configuration": {                                                                                                                    
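Review bot: this hunk patches dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json, but the preceding step changes into dev-environments/upstream-tlsv1.3 and the docker-compose hunk in the next step also targets upstream-tlsv1.3, so a reader following the steps literally patches a file the started environment never reads; the path should be dev-environments/upstream-tlsv1.3/apicast-config.json. Also worth a sentence above the hunk: the `certificate` and `certificate_key` paths `/tmp/example.com.crt` and `/tmp/example.com.key` only exist inside the gateway container once the matching volume mounts from the docker-compose step are in place, so the two steps must be applied together.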
  • Update the docker-compose file as follows
diff --git a/dev-environments/upstream-tlsv1.3/docker-compose.yml b/dev-environments/upstream-tlsv1.3/docker-compose.yml
index 5daf958f..fc03f24b 100644
--- a/dev-environments/upstream-tlsv1.3/docker-compose.yml
+++ b/dev-environments/upstream-tlsv1.3/docker-compose.yml
@@ -23,15 +23,19 @@ services:
       - "8090:8090"
     volumes:
       - ./apicast-config.json:/tmp/config.json
+      - ./cert/example.com.crt:/tmp/example.com.crt
+      - ./cert/example.com.key:/tmp/example.com.key
+      - ./cert/rootCA.pem:/tmp/rootCA.pem
   example.com:
     image: alpine/socat:1.7.4.4
     container_name: example.com
-    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,cafile=/etc/pki/rootCA.pem,verify=1,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
     expose:
       - "443"
     restart: unless-stopped
     volumes:
       - ./cert/example.com.pem:/etc/pki/example.com.pem
+      - ./cert/rootCA.pem:/etc/pki/rootCA.pem
   two.upstream:
     image: kennethreitz/httpbin
     expose:
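Review bot: the new `./cert/rootCA.pem:/tmp/rootCA.pem` mount into the gateway is not referenced anywhere in the upstream_mtls policy configuration added to apicast-config.json, so as written the gateway never reads it; either say what it is for or drop the mount. On the socat side, the meaningful change is `cafile=/etc/pki/rootCA.pem` together with `verify=1`, which makes the listener require a client certificate and check it against rootCA; a short note above the hunk saying that the expected 200 OK only demonstrates mTLS because of this setting would make the verification easier to interpret, since the old `verify=0` command would accept the request without any client certificate.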
  • Start gateway
make certs
make gateway IMAGE_NAME=apicast-test
  • Send request
curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"

You should see 200 OK

< HTTP/1.1 200 OK
< Server: openresty
< Date: Tue, 29 Oct 2024 03:59:19 GMT
< Content-Type: application/json
< Content-Length: 220
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
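The verification steps above mount a client certificate and key into the gateway and point the socat listener at rootCA.pem with verify=1, so a failed 200 OK usually comes down to inconsistent certificate material rather than the policy itself. The following script is an added example, not part of this PR or of the APIcast repository: it checks that a key really belongs to its certificate and that the certificate chains to the CA the listener trusts, before anything is mounted. The file names mirror the ones in the docker-compose hunk (example.com.crt, example.com.key, rootCA.pem) but the directory layout and the throwaway demo material generated by make_demo_material are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's own tooling): sanity-check mTLS material
# before mounting it into the gateway and the socat listener.
# Requires the openssl CLI. All paths are arguments supplied by the caller.
set -eu

# check_mtls_material CERT KEY CA
# Returns 0 only if KEY is the private key for CERT and CERT chains to CA.
check_mtls_material() {
    cert=$1
    key=$2
    ca=$3

    # 1. The public key embedded in the certificate must equal the public key
    #    derived from the private key; compare digests of the PEM SPKI output.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_mtls_material: $key does not match $cert" >&2
        return 1
    fi

    # 2. The certificate must validate against the CA the peer will use
    #    (the cafile= given to socat in the verification steps).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "check_mtls_material: $cert does not chain to $ca" >&2
        return 1
    fi
    return 0
}

# make_demo_material DIR
# Constructed throwaway material for demonstration only: a root CA, a leaf
# certificate for example.com signed by it, and an unrelated second CA
# so the negative cases can be exercised. EC keys keep generation fast.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" \
        -subj "/CN=demo-root" -days 1 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/example.com.key" -out "$dir/example.com.csr" \
        -subj "/CN=example.com" 2>/dev/null
    openssl x509 -req -in "$dir/example.com.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -out "$dir/example.com.crt" -days 1 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/other.key" -out "$dir/otherCA.pem" \
        -subj "/CN=other-root" -days 1 2>/dev/null
}

# Stand-alone run: generate demo material in a temp dir and check it.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_demo_material "$demo_dir"
    check_mtls_material "$demo_dir/example.com.crt" \
        "$demo_dir/example.com.key" "$demo_dir/rootCA.pem" && echo "material OK"
fi
```

Run it once against the real ./cert directory produced by `make certs` (for example `check_mtls_material cert/example.com.crt cert/example.com.key cert/rootCA.pem`) before starting the gateway; a non-zero exit tells you whether the key or the chain is the problem, which is otherwise only visible as a TLS handshake failure in the socat or gateway logs.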

@tkan145 tkan145 requested a review from a team as a code owner October 18, 2024 06:16
@tkan145 tkan145 force-pushed the THREESCALE-11412-lua-resty-openssl branch 3 times, most recently from bf5f5a9 to aa5248a on October 24, 2024 06:27
@tkan145 tkan145 changed the title [WIP] [THREESCALE-11412] Migrate to lua-resty-openssl [THREESCALE-11412] Migrate to lua-resty-openssl Oct 25, 2024
@tkan145 tkan145 force-pushed the THREESCALE-11412-lua-resty-openssl branch from 1b499fc to 3af4e2d on October 29, 2024 02:16
Member

@eguzki eguzki left a comment


LGTM

I love this kind of change: a lot less code to maintain.

One comment left.

Verification steps worked, but the patch is defined on dev-environments/https-proxy-upstream-tlsv1.3 and should be dev-environments/upstream-tlsv1.3.

Review thread on Dockerfile: resolved
@tkan145 tkan145 merged commit 58d15ec into 3scale:master Nov 4, 2024
12 checks passed
@tkan145 tkan145 deleted the THREESCALE-11412-lua-resty-openssl branch November 4, 2024 00:28