camel proxy dev environment

3scale · Feb 2, 2024 · 9f28cc9 · 9f28cc9
1 parent 29f8755
commit 9f28cc9
Show file tree

Hide file tree

Showing 13 changed files with 299 additions and 7 deletions.
diff --git a/dev-environments/camel-proxy/.gitignore b/dev-environments/camel-proxy/.gitignore
@@ -0,0 +1 @@
+cert/
diff --git a/dev-environments/camel-proxy/Makefile b/dev-environments/camel-proxy/Makefile
@@ -0,0 +1,63 @@
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+.DEFAULT_GOAL := gateway
+MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
+WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
+
+gateway: ## run gateway configured to access upstream powered with TLS
+	@if [ ! -d "$(WORKDIR)/cert" ]; then \
+       echo "$(WORKDIR)/cert does not exist! run make certs!"; \
+       exit 1; \
+  fi
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
+
+clientcerts:
+	openssl req -subj '/CN=$(DOMAIN)'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-keyout $(DOMAIN).key \
+			-out $(DOMAIN).csr
+	chmod +r $(DOMAIN).key
+	openssl x509 -req -in $(DOMAIN).csr -CA $(WORKDIR)/cert/rootCA.pem -CAkey $(WORKDIR)/cert/rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+
+$(WORKDIR)/cert:
+	mkdir -p cert
+
+$(WORKDIR)/cert/rootCA.pem $(WORKDIR)/cert/rootCA.key:
+	$(MAKE) $(WORKDIR)/cert -f $(WORKDIR)/Makefile
+	openssl genrsa -out $(WORKDIR)/cert/rootCA.key 2048
+	openssl req -batch -subj '/CN=caeguzki' -new -x509 -nodes -key $(WORKDIR)/cert/rootCA.key -sha256 -days 1024 -out $(WORKDIR)/cert/rootCA.pem
+
+$(WORKDIR)/cert/tls.example.com.key $(WORKDIR)/cert/tls.example.com.crt:
+	$(MAKE) $(WORKDIR)/cert/rootCA.pem $(WORKDIR)/cert/rootCA.key -f $(WORKDIR)/Makefile
+	$(MAKE) clientcerts -C $(WORKDIR)/cert -f $(WORKDIR)/Makefile DOMAIN=tls.example.com
+
+$(WORKDIR)/cert/tls.example.com.pem: $(WORKDIR)/cert/tls.example.com.key $(WORKDIR)/cert/tls.example.com.crt
+	cat $(WORKDIR)/cert/tls.example.com.key $(WORKDIR)/cert/tls.example.com.crt >$@
+
+ifeq ($(origin USER),environment)
+$(WORKDIR)/cert/keystore.jks: USER := $(shell id -u $(USER))
+$(WORKDIR)/cert/keystore.jks: GROUP := $(shell id -g $(USER))
+endif
+$(WORKDIR)/cert/keystore.jks: ## use same JVM version as camel-netty-proxy, currently openjdk 11.0.9
+	$(DOCKER) run -t --rm \
+		-v $(WORKDIR)/cert:/tmp/cert \
+		--user $(USER):$(GROUP) \
+		openjdk:11.0.9 \
+		keytool -genkeypair -keystore /tmp/cert/keystore.jks -dname "CN=tls.camel.proxy" -keypass changeit -storepass changeit -alias camel -keyalg RSA -ext SAN=dns:tls.camel.proxy
+	$(DOCKER) run -t --rm \
+		-v $(WORKDIR)/cert:/tmp/cert \
+		--user $(USER):$(GROUP) \
+		openjdk:11.0.9 \
+		keytool -list -v -keystore /tmp/cert/keystore.jks -storepass changeit
+
+.PHONY: certs
+certs:
+	$(MAKE) $(WORKDIR)/cert/tls.example.com.pem -f $(WORKDIR)/Makefile
+	$(MAKE) $(WORKDIR)/cert/keystore.jks -f $(WORKDIR)/Makefile
+
+clean:
+	$(DOCKER) compose down --volumes --remove-orphans
+	$(DOCKER) compose -f docker-compose.yml down --volumes --remove-orphans
+	- rm -rf $(WORKDIR)/cert
+
diff --git a/dev-environments/camel-proxy/README.md b/dev-environments/camel-proxy/README.md
@@ -0,0 +1,69 @@
+# Camel PROXY
+
+`http_proxy` use case: APIcast --> camel proxy --> upstream (plain HTTP/1.1)
+
+`https_proxy` use case: APIcast --> camel proxy --> upstream (TLS)
+
+## Create the SSL Certificates
+
+```sh
+make certs
+```
+
+## Run the gateway
+
+Running local `apicast-test` docker image
+
+```sh
+make gateway
+```
+
+Running custom apicast image
+
+```sh
+make gateway IMAGE_NAME=quay.io/3scale/apicast:latest
+```
+
+## Testing `http_proxy` use case: APIcast --> camel proxy --> upstream (plain HTTP/1.1)
+
+```sh
+curl --resolve http-proxy.example.com:8080:127.0.0.1 -v "http://http-proxy.example.com:8080/?user_key=123"
+```
+
+Traffic between APIcast and the camel proxy can be inspected looking at logs from `proxy.socat` service
+
+```
+docker compose -p camel-proxy logs -f proxy.socat
+```
+
+Traffic between the camel proxy and upstream can be inspected looking at logs from `example.com` service
+
+```
+docker compose -p camel-proxy logs -f example.com
+```
+
+Camel proxy can be inspected looking at logs from `camel.proxy` service
+
+```
+docker compose -p camel-proxy logs -f camel.proxy
+```
+
+## Testing `https_proxy` use case: APIcast --> camel proxy --> upstream (TLS)
+
+```sh
+curl --resolve https-proxy.example.com:8080:127.0.0.1 -v "http://https-proxy.example.com:8080/?user_key=123"
+```
+
+Camel proxy can be inspected looking at logs from `tls.camel.proxy` service
+
+```
+docker compose -p camel-proxy logs -f tls.camel.proxy
+```
+
+> Upstream based on service with trusted CA certificate. Failed trying to setup connection between camel proxy and service with self-signed cert.
+
+## Clean env
+
+```sh
+make clean
+```
diff --git a/dev-environments/camel-proxy/apicast-config.json b/dev-environments/camel-proxy/apicast-config.json
@@ -0,0 +1,70 @@
+{
+  "services": [
+    {
+      "id": "1",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["http-proxy.example.com"],
+        "api_backend": "http://example.com:80/get",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.camel",
+            "configuration": {
+              "http_proxy": "http://proxy.socat:8080/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    },
+    {
+      "id": "2",
+      "backend_version": "1",
+      "proxy": {
+        "hosts": ["https-proxy.example.com"],
+        "api_backend": "https://echo-api.3scale.net:443",
+        "backend": {
+          "endpoint": "http://127.0.0.1:8081",
+          "host": "backend"
+        },
+        "policy_chain": [
+          {
+            "name": "apicast.policy.camel",
+            "configuration": {
+              "https_proxy": "http://tls.camel.proxy:8443/"
+            }
+          },
+          {
+            "name": "apicast.policy.apicast"
+          }
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1,
+            "parameters": [],
+            "querystring_parameters": {}
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/dev-environments/camel-proxy/docker-compose.yml b/dev-environments/camel-proxy/docker-compose.yml
@@ -0,0 +1,61 @@
+---
+version: '3.8'
+services:
+  gateway:
+    image: ${IMAGE_NAME:-apicast-test}
+    depends_on:
+    - proxy.socat
+    - camel.proxy
+    - tls.camel.proxy
+    - example.com
+    - actual.upstream
+    environment:
+      THREESCALE_CONFIG_FILE: /tmp/config.json
+      THREESCALE_DEPLOYMENT_ENV: staging
+      APICAST_CONFIGURATION_LOADER: lazy
+      APICAST_WORKERS: 1
+      APICAST_LOG_LEVEL: debug
+      APICAST_CONFIGURATION_CACHE: "0"
+    expose:
+      - "8080"
+      - "8090"
+    ports:
+      - "8080:8080"
+      - "8090:8090"
+    volumes:
+      - ./apicast-config.json:/tmp/config.json
+  proxy.socat:
+    image: alpine/socat:1.7.4.4
+    container_name: proxy
+    restart: unless-stopped
+    command: "-d -v -d TCP-LISTEN:8080,reuseaddr,fork TCP:camel.proxy:8080"
+  camel.proxy:
+    image: zregvart/camel-netty-proxy
+    container_name: camel.proxy
+    expose:
+      - "8080:8080"
+  tls.camel.proxy:
+    image: quay.io/zregvart/camel-netty-proxy
+    container_name: tls.camel.proxy
+    entrypoint:
+      - java
+      - -Dcom.sun.net.ssl.checkRevocation=false
+      - -cp
+      - camel-netty-proxy.jar:lib/*
+      - com.github.zregvart.cnp.ProxyApp
+    expose:
+      - "8443:8443"
+    volumes:
+      - ./cert/keystore.jks:/tls/keystore.jks
+  example.com:
+    image: alpine/socat:1.7.4.4
+    container_name: example.com
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:actual.upstream:80"
+    expose:
+      - "443"
+    restart: unless-stopped
+  actual.upstream:
+    image: kennethreitz/httpbin
+    container_name: actual.upstream
+    expose:
+      - "80"
diff --git a/dev-environments/camel-proxy/rootCA.key b/dev-environments/camel-proxy/rootCA.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCLnET7Oq9vEVnd
+mfzo2OxuGLqjKZ7QfUCLjb0VjB4/+bGbyag0ndZznwozZDBuLOzoMCMJxq0aI4c1
+d8YZMnqbQY8w9FdxCVUxi7jr+PC4ZDsZj64/ZS+sw4Mi17+p1Yjr/FAdJW4yR8e1
+Rgp2pwNxhcDBinE4pSHcEamMrP7SfqTgBbVG7z/5EyvmQY0jH1/dLiJ4g0W5tici
+YRHk/uRYWyyWGeeAJtgjkVlvr6DYZWV2H5su+IkCumFAXqEH/GRONehynZbuffTR
+vj/AxEjr8OmNokw/DpQt0Xh1DdjtDYH/ilfelwpOpymaCXqWSyx+lCwAyq9eBQ6I
+0iVdCVLVAgMBAAECggEAGInT+hBbi3sSP4f0UvzluYgxLcJ//oc1VBIKnQHuwzHh
+DM/J982SRuo6QcQnWwYcccccMXixLjn2ZuhxcjZUJHvGbkVUJTMNvVKgoyEzNkWv
+uZNufggL9CK9Jt+i+XflxAyqDCVrE/1X1b3E0wwR598pfRsXQWyM4gBcu7QgaeDE
+JLYC21inUVjKPQoRcwzRAflQZMHTL7UsIQrQwiA07jau9g/Y8I31BtDENieGWMEK
+A7mhppuIqUNyMAREZ4ggn4qD9jBkkx4rwiiR5vxqkr1UV9/iGyxIJ4hhYVIY4y2N
+hi2Z4I45eK4gSTYWsLvb4UV3FtjzKt1t5K53F/uvYQKBgQDAFB45fDHEQodjDp9+
+9zQ+z6dqfrITl0nOa1K03POvMNL1zprV4Zyd6kYEuivqPYKBJFfqXiznxZ/8BKxf
+yQDU8xmG3x44E7BY3ph9PlNqkclcPTrgG3SepzvoVlORV3d3InU2ku/9NocW6PY/
+r13CLhmpKpPxipTaaKIar8UCnQKBgQC6EjIfMrzkAtEiE3nRm62FwU/+n/XHLhU7
+Q2chj5bzrDgGfeqciJW0VA6GZ2y47q9b9RGZkFdejGsxQ0lvuKA3HHU43jq/YpN+
+6vCCZxkdfM3afng5bBw1IqcOKOr9hv9NebF/el2OJunNaVl16T+s6tFPg6Z2RK3n
+OksG3dTfmQKBgQCItwkYU4y8q7nfyM2/ukaGmpkIFOu9RAa1lPBGaapNPQw7B3Zv
+2+j1AYYa4URWsrdMIkktOSDvS1vnLpBekRw1dl7p/69rrJ/tcWrKYm1PQjs3myFn
+2EL2lgPvCFrs7XvL4Uvar1WAPqqCpQh5JeIvT07WeMbauo/esXEIW6l3hQKBgFeZ
+lWtGsdMO2HKYhLN//VOJTSXtHQLm2SwLcZRFS6XwoHe99CQ50XESWbxBGNh/1qMO
+X3jSka97oEOTEBG+8/6+MRnS1gmgWRxZc12ROCu/xBJnlCZElYsWg1uRPACb+7n3
+3u7LJxxziYMhY/K1GztHWb97lXT8pHrF4Oicq0mRAoGAEepFh+vSXzbydMmjD+te
+PELty7uXdZBwWgPvB5chXOw8Ihj1S1zvkQeC9E1FRCx/qWTTen6awq5MJqy4VFPi
+BzUx22PXfkCkzlo2l5ciiO3fkArD0jt2j/21MyxwMMEfXr/71Zevud4CkkF9I0A0
+fQACPI7ufsFL7W6L/hBVe0I=
+-----END PRIVATE KEY-----
diff --git a/dev-environments/http-proxy-plain-http-upstream/Makefile b/dev-environments/http-proxy-plain-http-upstream/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access upstream powered with TLS
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans

diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/Makefile b/dev-environments/https-proxy-upstream-tlsv1.3/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access upstream powered with TLS
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans

diff --git a/dev-environments/keycloak-env/Makefile b/dev-environments/keycloak-env/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to keycloak integration
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 keycloak-data: ## Keycloak provisioning
 	# Keycloak 23.0.4 REST API reference

diff --git a/dev-environments/listen-tls/Makefile b/dev-environments/listen-tls/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access upstream powered with TLS
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans

diff --git a/dev-environments/opentelemetry-instrumented-gateway/Makefile b/dev-environments/opentelemetry-instrumented-gateway/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access plain HTTP 1.1 upstream
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans

diff --git a/dev-environments/plain-http-upstream/Makefile b/dev-environments/plain-http-upstream/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access plain HTTP 1.1 upstream
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans

diff --git a/dev-environments/upstream-tlsv1.3/Makefile b/dev-environments/upstream-tlsv1.3/Makefile
@@ -6,7 +6,7 @@ WORKDIR := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 gateway: ## run gateway configured to access upstream powered with TLS
-	$(DOCKER) compose -f docker-compose.yml run --service-ports gateway
+	$(DOCKER) compose -f docker-compose.yml up --attach gateway
 
 clean:
 	$(DOCKER) compose down --volumes --remove-orphans