Fix usage of Docker Compose (#139)
* Fix GitHub PR workflow - Use "docker compose" rather than "docker-compose" command to be compatible with latest Docker versions - Bump actions versions to latest Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> Signed-off-by: Sorin Dumitru <sorin@returnze.ro> Co-authored-by: Sorin Dumitru <sorin@returnze.ro>
This commit is contained in:
parent
ee7bf2a53f
commit
01f85ba953
|
|
@ -15,9 +15,9 @@ jobs:
|
|||
timeout-minutes: 30
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup go
|
||||
uses: actions/setup-go@v3
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: ${{ env.GO_VERSION }}
|
||||
- name: install minikube
|
||||
|
|
|
|||
|
|
@ -7,21 +7,21 @@ nn=$(tput sgr0)
|
|||
|
||||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show
|
||||
|
||||
# Bootstrap trust to the SPIRE server for each agent by copying over the
|
||||
# trust bundle into each agent container.
|
||||
echo "${bb}Bootstrapping trust between SPIRE agents and SPIRE servers...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show |
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp tee conf/agent/bootstrap.crt
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show |
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp tee conf/agent/bootstrap.crt
|
||||
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server bundle show |
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T stock-quotes-service tee conf/agent/bootstrap.crt
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server bundle show |
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T stock-quotes-service tee conf/agent/bootstrap.crt
|
||||
|
||||
# Start up the broker-webapp SPIRE agent.
|
||||
echo "${bb}Starting broker-webapp SPIRE agent...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -d broker-webapp bin/spire-agent run
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -d broker-webapp bin/spire-agent run
|
||||
|
||||
# Start up the stock-quotes-service SPIRE agent.
|
||||
echo "${bb}Starting stock-quotes-service SPIRE agent...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -d stock-quotes-service bin/spire-agent run
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -d stock-quotes-service bin/spire-agent run
|
||||
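Review bot: The two-stage pipelines `docker compose ... bundle show | docker compose ... tee conf/agent/bootstrap.crt` report only tee's exit status, so if `bundle show` fails (server not yet listening, wrong service name) an empty bootstrap.crt is written into the agent container and the `exec -d ... spire-agent run` lines further down start the agent against it. The script header is outside the hunk, so I cannot tell whether `set -o pipefail` is already in effect; if it is not, add `set -euo pipefail` at the top, or capture the bundle first and only pipe it on success, e.g. `bundle=$(docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show) || exit 1`. The same shape is repeated for the stock-quotes-service bootstrap a few lines below.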
|
|
|
|||
|
|
@ -8,13 +8,13 @@ nn=$(tput sgr0)
|
|||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
|
||||
echo "${bb}bootstrapping bundle from broker to quotes-service server...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
|
||||
/opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
|
||||
/opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://broker.example -path /opt/spire/conf/server/broker.example.bundle
|
||||
|
||||
echo "${bb}bootstrapping bundle from quotes-service to broker server...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
|
||||
/opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-broker.example/conf/stockmarket.example.bundle
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
|
||||
/opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://stockmarket.example -path /opt/spire/conf/server/stockmarket.example.bundle
|
||||
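Review bot: The redirections `bundle show -format spiffe > "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle` (and the stockmarket.example.bundle counterpart) truncate the target file before `docker compose exec` runs, so a failed `bundle show` leaves an empty file that the following `bundle set -format spiffe -id spiffe://broker.example ...` line then loads inside the other server. Whether the script stops between the two steps depends on a `set -e` above the hunk, which I cannot see. Since these files are the trust anchors exchanged between the two trust domains, write to a temporary and move it into place only on success, e.g. `... bundle show -format spiffe > "${tmp}" && mv -- "${tmp}" "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle`, or at minimum append `|| exit 1` to each show command.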
|
|
|
|||
|
|
@ -18,14 +18,14 @@ BROKER_WEBAPP_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/broker-webapp/conf/a
|
|||
QUOTES_SERVICE_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/stock-quotes-service/conf/agent.crt.pem)
|
||||
|
||||
echo "${bb}Creating registration entry for the broker-webapp...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server entry create \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server entry create \
|
||||
-parentID spiffe://broker.example/spire/agent/x509pop/${BROKER_WEBAPP_AGENT_FINGERPRINT} \
|
||||
-spiffeID spiffe://broker.example/webapp \
|
||||
-selector unix:uid:0 \
|
||||
-federatesWith "spiffe://stockmarket.example"
|
||||
|
||||
echo "${bb}Creating registration entry for the stock-quotes-service...${nn}"
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server entry create \
|
||||
docker compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server entry create \
|
||||
-parentID spiffe://stockmarket.example/spire/agent/x509pop/${QUOTES_SERVICE_AGENT_FINGERPRINT} \
|
||||
-spiffeID spiffe://stockmarket.example/quotes-service \
|
||||
-selector unix:uid:0 \
|
||||
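Review bot: `${BROKER_WEBAPP_AGENT_FINGERPRINT}` and `${QUOTES_SERVICE_AGENT_FINGERPRINT}` are interpolated unquoted into the `-parentID spiffe://.../spire/agent/x509pop/...` arguments, and the hunk header shows they come from `$(fingerprint ${DIR}/docker/.../agent.crt.pem)` with the path also unquoted. If the certificate file is missing or the helper fails, the variable is empty and the entry is created with the truncated parent ID `spiffe://broker.example/spire/agent/x509pop/`, which no agent will ever attest as, so the workload silently never receives an SVID. Guard both before the first `entry create`, `: "${BROKER_WEBAPP_AGENT_FINGERPRINT:?fingerprint failed}"` and likewise for the quotes-service variable, and quote the expansions in the `-parentID` lines.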
|
|
|
|||
|
|
@ -289,7 +289,7 @@ $ ./build.sh
|
|||
Run the following command to start the SPIRE Servers and the applications:
|
||||
|
||||
```
|
||||
$ docker-compose up -d
|
||||
$ docker compose up -d
|
||||
```
|
||||
|
||||
## Start SPIRE Agents
|
||||
|
|
@ -327,7 +327,7 @@ Open up a browser to http://localhost:8080/quotes and you should see a grid of r
|
|||
To see the broker's SPIRE Server configuration you can run:
|
||||
|
||||
```
|
||||
$ docker-compose exec spire-server-broker cat conf/server/server.conf
|
||||
$ docker compose exec spire-server-broker cat conf/server/server.conf
|
||||
```
|
||||
|
||||
You should see:
|
||||
|
|
@ -385,7 +385,7 @@ plugins {
|
|||
To see the stock market's SPIRE Server configuration you can run:
|
||||
|
||||
```
|
||||
$ docker-compose exec spire-server-stock cat conf/server/server.conf
|
||||
$ docker compose exec spire-server-stock cat conf/server/server.conf
|
||||
```
|
||||
|
||||
You should see:
|
||||
|
|
@ -445,7 +445,7 @@ plugins {
|
|||
To see the broker's SPIRE Server registration entries you can run:
|
||||
|
||||
```
|
||||
$ docker-compose exec spire-server-broker bin/spire-server entry show
|
||||
$ docker compose exec spire-server-broker bin/spire-server entry show
|
||||
```
|
||||
|
||||
You should see something like this:
|
||||
|
|
@ -464,7 +464,7 @@ FederatesWith : spiffe://stockmarket.example
|
|||
To see the stock martket's SPIRE Server registration entries you can run:
|
||||
|
||||
```
|
||||
$ docker-compose exec spire-server-stock bin/spire-server entry show
|
||||
$ docker compose exec spire-server-stock bin/spire-server entry show
|
||||
```
|
||||
|
||||
You should see something like this:
|
||||
|
|
@ -483,5 +483,5 @@ FederatesWith : spiffe://broker.example
|
|||
## Cleanup
|
||||
|
||||
```
|
||||
$ docker-compose down
|
||||
$ docker compose down
|
||||
```
|
||||
|
|
|
|||
|
|
@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
|||
(cd "${DIR}"/src/broker-webapp && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/broker-webapp/broker-webapp)
|
||||
(cd "${DIR}"/src/stock-quotes-service && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/stock-quotes-service/stock-quotes-service)
|
||||
|
||||
docker-compose -f "${DIR}"/docker-compose.yaml build
|
||||
docker compose -f "${DIR}"/docker-compose.yaml build
|
||||
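Review bot: `docker compose -f "${DIR}"/docker-compose.yaml build` runs regardless of whether the two `(cd ... && go build ...)` subshells above it succeeded, so a Go compile error produces images built from whatever stale binary is still present under `docker/broker-webapp/` or `docker/stock-quotes-service/`. The script header is outside the hunk, so `set -e` may already cover this; if it does not, append `|| exit 1` to each subshell line, e.g. `(cd "${DIR}"/src/broker-webapp && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/broker-webapp/broker-webapp) || exit 1`.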
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
version: '3'
|
||||
services:
|
||||
|
||||
spire-server-stock:
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
|
|||
norm=$(tput sgr0) || true
|
||||
green=$(tput setaf 2) || true
|
||||
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
|
||||
echo "${green}Cleaning completed.${norm}"
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ check-entry-is-propagated() {
|
|||
# Wait one second between checks.
|
||||
log "Checking registration entry is propagated..."
|
||||
for ((i=1;i<=30;i++)); do
|
||||
if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then
|
||||
if docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then
|
||||
log "${green}Entry is propagated.${nn}"
|
||||
return 0
|
||||
fi
|
||||
|
|
@ -40,7 +40,7 @@ log "Building"
|
|||
bash "${PARENT_DIR}"/build.sh
|
||||
|
||||
log "Starting container"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d
|
||||
|
||||
bash "${PARENT_DIR}"/1-start-spire-agents.sh
|
||||
|
||||
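Review bot: In the `if docker compose ... exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then` line, `$1` is unquoted and `$2` is matched as a basic regex, so a SPIFFE ID such as `spiffe://broker.example/webapp` also matches a longer or dot-substituted ID, and because stderr is merged with `2>&1` an error line that echoes the ID would count as propagation. `check-entry-is-propagated` starts above the hunk, so I am assuming `$1`/`$2` are the service name and the expected SPIFFE ID. Change it to `if docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T "$1" cat /opt/spire/agent.log 2>/dev/null | grep -qF -- "$2"; then`. The same `logs $1 | grep -qe "$2"` shape appears in the `check-entry-is-propagated` helpers of the metrics and nested tutorial scripts touched by this commit.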
|
|
|
|||
|
|
@ -34,7 +34,7 @@ clean-env
|
|||
bash "${DIR}"/scripts/set-env.sh
|
||||
|
||||
for ((i=0;i<60;i++)); do
|
||||
if docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then
|
||||
if docker compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then
|
||||
log "Service not found, retrying..."
|
||||
sleep 1
|
||||
continue
|
||||
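Review bot: The retry condition `if docker compose ... exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then` keeps waiting only while that exact message appears; if the exec or wget itself fails (container not up, connection refused) the merged output does not match, the loop falls through, and whatever follows the hunk runs against a service that never answered. Retry on a non-zero wget status as well, e.g. `out=$(docker compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget -q -O - localhost:8080/quotes 2>&1) || { sleep 1; continue; }` before the grep. The rest of the loop body is outside the hunk, so a later check may already cover this.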
|
|
|
|||
|
|
@ -128,7 +128,7 @@ $ bash scripts/set-env.sh
|
|||
|
||||
Once the script is completed, in another terminal run the following command to review the logs from all the services:
|
||||
```console
|
||||
$ docker-compose logs -f -t
|
||||
$ docker compose logs -f -t
|
||||
```
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
version: '3'
|
||||
services:
|
||||
graphite-statsd:
|
||||
image: graphiteapp/graphite-statsd:1.1.7-6
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
|
|||
norm=$(tput sgr0) || true
|
||||
green=$(tput setaf 2) || true
|
||||
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
|
||||
echo "${green}Cleaning completed.${norm}"
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ check-entry-is-propagated() {
|
|||
# Wait one second between checks.
|
||||
log "Checking registration entry is propagated..."
|
||||
for ((i=1;i<=30;i++)); do
|
||||
if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
log "${green}Entry is propagated.${nn}"
|
||||
return 0
|
||||
fi
|
||||
|
|
@ -43,7 +43,7 @@ check-entry-is-propagated() {
|
|||
|
||||
# Workload for workload-A deployment
|
||||
log "creating workload-A workload registration entries..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server \
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/spire/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/workload-A" \
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ set -e
|
|||
|
||||
echo "Will call api fetch x509 100 times in a random interval between 1 and 10 of seconds."
|
||||
for ((i=0;i<100;i++)); do
|
||||
docker-compose exec -u 1001 -T spire-agent \
|
||||
docker compose exec -u 1001 -T spire-agent \
|
||||
/opt/spire/bin/spire-agent api fetch x509 \
|
||||
-socketPath /opt/spire/sockets/workload_api.sock > /dev/null
|
||||
sleep $(( $RANDOM % 10 + 1 ))
|
||||
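Review bot: The `docker compose exec -u 1001 -T spire-agent \` line is the only compose invocation in this commit that omits `-f .../docker-compose.yaml`, so the project is resolved from the caller's working directory rather than the script's location; run from elsewhere it targets a different or nonexistent project, and with `set -e` shown in the hunk header the loop aborts on the first such call. Unless this script is documented as cwd-dependent, use the same pattern as the sibling scripts, `docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -u 1001 -T spire-agent \`, defining `PARENT_DIR` as they do. The top of the script is outside the hunk, so it may already define such a variable.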
|
|
|
|||
|
|
@ -12,16 +12,16 @@ log() {
|
|||
}
|
||||
|
||||
log "Start StatsD-Graphite server"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d graphite-statsd
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d graphite-statsd
|
||||
|
||||
log "Start prometheus server"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d prometheus
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d prometheus
|
||||
|
||||
log "Start SPIRE Server"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-server
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-server
|
||||
|
||||
log "bootstrapping SPIRE Agent..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt
|
||||
|
||||
log "Start SPIRE Agent"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-agent
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d spire-agent
|
||||
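Review bot: The `docker compose ... exec -T spire-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/spire/agent/bootstrap.crt` line runs immediately after `up -d spire-server`, with no wait for the server to be listening, and the shell redirection truncates bootstrap.crt before the exec runs. A server that is still starting therefore yields an empty trust bundle, and the `up -d spire-agent` step that follows starts the agent against it. Poll for readiness first, for example a bounded loop on `docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T spire-server /opt/spire/bin/spire-server healthcheck` with a short sleep like the other loops in this commit, and write the bundle through a temporary file moved into place on success. The nested tutorial's set-env.sh bootstraps the root, nestedA and nestedB agents the same way.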
|
|
|
|||
|
|
@ -29,7 +29,7 @@ log "Checking Statsd received metrics pushed by SPIRE..."
|
|||
|
||||
STATSD_LOG_LINE="MetricLineReceiver connection with .* established"
|
||||
for ((i=0;i<60;i++)); do
|
||||
if ! docker-compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then
|
||||
if ! docker compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then
|
||||
sleep 1
|
||||
continue
|
||||
fi
|
||||
|
|
@ -43,7 +43,7 @@ fi
|
|||
|
||||
log "Checking that Prometheus can reach the endpoint exposed by SPIRE..."
|
||||
for ((i=0;i<60;i++)); do
|
||||
if ! docker-compose -f "${DIR}"/docker-compose.yaml exec -T prometheus wget -S spire-server:8088/ 2>&1 | grep -qe "200 OK" ; then
|
||||
if ! docker compose -f "${DIR}"/docker-compose.yaml exec -T prometheus wget -S spire-server:8088/ 2>&1 | grep -qe "200 OK" ; then
|
||||
sleep 1
|
||||
continue
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -108,7 +108,7 @@ The Docker Compose definition for the `nestedA-server` service in the [docker-co
|
|||
The `nestedA-server` must be registered on the `root-server` to obtain its identity which will be used to mint SVIDs. We achieve this by creating a registration entry in the root SPIRE Server for the `nestedA-server`.
|
||||
|
||||
```console
|
||||
docker-compose exec -T root-server \
|
||||
docker compose exec -T root-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint root/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedA" \
|
||||
|
|
@ -132,7 +132,7 @@ Ensure that the current working directory is `.../spire-tutorials/docker-compose
|
|||
Once the script is completed, in another terminal run the following command to review the logs from all the services:
|
||||
|
||||
```console
|
||||
docker-compose logs -f -t
|
||||
docker compose logs -f -t
|
||||
```
|
||||
|
||||
|
||||
|
|
@ -146,14 +146,14 @@ To test the scenario we create two workload registration entries, one entry for
|
|||
|
||||
```console
|
||||
# Workload for nestedA deployment
|
||||
docker-compose exec -T nestedA-server \
|
||||
docker compose exec -T nestedA-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedA/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedA/workload" \
|
||||
-selector "unix:uid:1001" \
|
||||
|
||||
# Workload for nestedB deployment
|
||||
docker-compose exec -T nestedB-server \
|
||||
docker compose exec -T nestedB-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedB/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedB/workload" \
|
||||
|
|
@ -177,14 +177,14 @@ The test consists of getting a JWT-SVID from the `nestedA-agent` SPIRE Agent and
|
|||
Type this command to fetch the JWT-SVID on the `nestedA` SPIRE Agent and extract the token from the JWT-SVID:
|
||||
|
||||
```console
|
||||
token=$(docker-compose exec -u 1001 -T nestedA-agent \
|
||||
token=$(docker compose exec -u 1001 -T nestedA-agent \
|
||||
/opt/spire/bin/spire-agent api fetch jwt -audience nested-test -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p')
|
||||
```
|
||||
|
||||
Run the following command to validate the token from `nestedA` on the `nestedB` SPIRE Agent:
|
||||
|
||||
```console
|
||||
docker-compose exec -u 1001 -T nestedB-agent \
|
||||
docker compose exec -u 1001 -T nestedB-agent \
|
||||
/opt/spire/bin/spire-agent api validate jwt -audience nested-test -svid "${token}" \
|
||||
-socketPath /opt/spire/sockets/workload_api.sock
|
||||
```
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
version: '3'
|
||||
services:
|
||||
# Root
|
||||
root-server:
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@ PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
|
|||
norm=$(tput sgr0) || true
|
||||
green=$(tput setaf 2) || true
|
||||
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml down
|
||||
|
||||
echo "${green}Cleaning completed.${norm}"
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ check-entry-is-propagated() {
|
|||
# Wait one second between checks.
|
||||
log "Checking registration entry is propagated..."
|
||||
for ((i=1;i<=30;i++)); do
|
||||
if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
log "${green}Entry is propagated.${nn}"
|
||||
return 0
|
||||
fi
|
||||
|
|
@ -43,7 +43,7 @@ check-entry-is-propagated() {
|
|||
|
||||
# Workload for nestedA deployment
|
||||
log "creating nestedA workload registration entry..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server \
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/nestedA/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedA/workload" \
|
||||
|
|
@ -54,7 +54,7 @@ check-entry-is-propagated nestedA-agent spiffe://example.org/nestedA/workload
|
|||
|
||||
# Workload for nestedB deployment
|
||||
log "creating nestedB workload registration entry..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server \
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/nestedB/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedB/workload" \
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ check-entry-is-propagated() {
|
|||
# Wait one second between checks.
|
||||
log "Checking registration entry is propagated..."
|
||||
for ((i=1;i<=30;i++)); do
|
||||
if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
if docker compose -f "${PARENT_DIR}"/docker-compose.yaml logs $1 | grep -qe "$2"; then
|
||||
log "${green}Entry is propagated.${nn}"
|
||||
return 0
|
||||
fi
|
||||
|
|
@ -66,17 +66,17 @@ log "Generate certificates for the root SPIRE deployment"
|
|||
setup "${PARENT_DIR}"/root/server "${PARENT_DIR}"/root/agent
|
||||
|
||||
log "Start root server"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-server
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-server
|
||||
|
||||
log "bootstrapping root-agent."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/root/agent/bootstrap.crt
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/root/agent/bootstrap.crt
|
||||
|
||||
log "Start root agent"
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-agent
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d root-agent
|
||||
|
||||
# Creates registration entries for the nested servers
|
||||
log "creating nestedA downstream registration entry..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/root/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedA" \
|
||||
|
|
@ -86,7 +86,7 @@ docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
|
|||
check-entry-is-propagated root-agent spiffe://example.org/nestedA
|
||||
|
||||
log "creating nestedB downstream registration entry..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T root-server \
|
||||
/opt/spire/bin/spire-server entry create \
|
||||
-parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint "${PARENT_DIR}"/root/agent/agent.crt.pem)" \
|
||||
-spiffeID "spiffe://example.org/nestedB" \
|
||||
|
|
@ -101,13 +101,13 @@ log "Generate certificates for the nestedA deployment"
|
|||
setup "${PARENT_DIR}"/nestedA/server "${PARENT_DIR}"/nestedA/agent
|
||||
|
||||
log "Starting nestedA-server.."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-server
|
||||
|
||||
log "bootstrapping nestedA agent..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedA-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedA/agent/bootstrap.crt
|
||||
|
||||
log "Starting nestedA-agent..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-agent
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedA-agent
|
||||
|
||||
|
||||
# Starts nestedB SPIRE deployment
|
||||
|
|
@ -115,10 +115,10 @@ log "Generate certificates for the nestedB deployment"
|
|||
setup "${PARENT_DIR}"/nestedB/server "${PARENT_DIR}"/nestedB/agent
|
||||
|
||||
log "Starting nestedB-server.."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-server
|
||||
|
||||
log "bootstrapping nestedB agent..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T nestedB-server /opt/spire/bin/spire-server bundle show > "${PARENT_DIR}"/nestedB/agent/bootstrap.crt
|
||||
|
||||
log "Starting nestedB-agent..."
|
||||
docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-agent
|
||||
docker compose -f "${PARENT_DIR}"/docker-compose.yaml up -d nestedB-agent
|
||||
|
|
|
|||
|
|
@ -37,11 +37,11 @@ bash "${DIR}"/scripts/create-workload-registration-entries.sh
|
|||
|
||||
log "checking nested JWT-SVID..."
|
||||
# Fetch JWT-SVID and extract token
|
||||
token=$(docker-compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
|
||||
token=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedA-agent \
|
||||
/opt/spire/bin/spire-agent api fetch jwt -audience testIt -socketPath /opt/spire/sockets/workload_api.sock | sed -n '2p') || fail "JWT-SVID check failed"
|
||||
|
||||
# Validate token
|
||||
validation_result=$(docker-compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
|
||||
validation_result=$(docker compose -f "${DIR}"/docker-compose.yaml exec -u 1001 -T nestedB-agent \
|
||||
/opt/spire/bin/spire-agent api validate jwt -audience testIt -svid "${token}" -socketPath /opt/spire/sockets/workload_api.sock)
|
||||
|
||||
if echo $validation_result | grep -qe "SVID is valid."; then
|
||||
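Review bot: In the `token=$(docker compose ... exec -u 1001 -T nestedA-agent \ ... | sed -n '2p') || fail "JWT-SVID check failed"` statement, the `||` only sees the exit status of `sed`, so a failed `api fetch jwt` yields an empty `token` and the `fail` branch never runs; the later `validate jwt ... -svid "${token}"` then fails for a misleading reason. Add an explicit check after the assignment, `[[ -n "${token}" ]] || fail "JWT-SVID check failed"`, or enable `set -o pipefail` if the script header (outside the hunk) does not already. Separately, `if echo $validation_result | grep -qe "SVID is valid."` should quote the variable and match a fixed string, e.g. `if grep -qF "SVID is valid." <<<"${validation_result}"; then`, so word-splitting cannot alter the comparison.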
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
FROM golang:bookworm as build-stage
|
||||
FROM golang:bookworm AS build-stage
|
||||
|
||||
WORKDIR /app
|
||||
COPY . .
|
||||
RUN go mod download
|
||||
RUN go build
|
||||
|
||||
FROM debian:bookworm-slim as production-stage
|
||||
FROM debian:bookworm-slim AS production-stage
|
||||
RUN apt update && DEBIAN_FRONTEND=noninteractive apt full-upgrade -y && \
|
||||
apt install -y dumb-init iputils-ping curl procps
|
||||
|
||||
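Review bot: The `RUN apt update && DEBIAN_FRONTEND=noninteractive apt full-upgrade -y && apt install -y dumb-init iputils-ping curl procps` lines use the `apt` front end, which is not intended for scripting and warns about an unstable CLI, and they leave the package lists in the image and pull in recommended packages. Prefer `apt-get` with `--no-install-recommends` and clean up in the same layer: `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y full-upgrade && apt-get install -y --no-install-recommends dumb-init iputils-ping curl procps && rm -rf /var/lib/apt/lists/*`. The `as`→`AS` casing change is fine; the later stages of the Dockerfile are outside the hunk.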
|
|
|
|||
|
|
@ -39,7 +39,7 @@ wait_for_envoy() {
|
|||
LOGLINE="all dependencies initialized. starting workers"
|
||||
LOGLINE2="membership update for TLS cluster backend added 1 removed 1"
|
||||
for ((i=0;i<30;i++)); do
|
||||
if ! kubectl logs --tail=100 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
|
||||
if ! kubectl logs --tail=1000 --selector=app=backend -c envoy | grep -qe "${LOGLINE}" ; then
|
||||
sleep 5
|
||||
echo "Waiting until backend envoy instance is ready..."
|
||||
continue
|
||||
|
|
|
|||