diff --git a/docker-compose/federation/1-start-spire-agents.sh b/docker-compose/federation/1-start-spire-agents.sh
index f6f652f..7f5b979 100755
--- a/docker-compose/federation/1-start-spire-agents.sh
+++ b/docker-compose/federation/1-start-spire-agents.sh
@@ -1,4 +1,3 @@
-
 #!/bin/bash
 
 set -e
@@ -6,18 +5,23 @@ set -e
 bb=$(tput bold)
 nn=$(tput sgr0)
 
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show
+
 # Bootstrap trust to the SPIRE server for each agent by copying over the
 # trust bundle into each agent container.
 echo "${bb}Bootstrapping trust between SPIRE agents and SPIRE servers...${nn}"
-docker-compose exec -T spire-server-broker bin/spire-server bundle show |
- docker-compose exec -T broker-webapp tee conf/agent/bootstrap.crt > /dev/null
-docker-compose exec -T spire-server-stock bin/spire-server bundle show |
- docker-compose exec -T stock-quotes-service tee conf/agent/bootstrap.crt > /dev/null
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show |
+ docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp tee conf/agent/bootstrap.crt
+
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server bundle show |
+ docker-compose -f "${DIR}"/docker-compose.yaml exec -T stock-quotes-service tee conf/agent/bootstrap.crt
 
 # Start up the broker-webapp SPIRE agent.
 echo "${bb}Starting broker-webapp SPIRE agent...${nn}"
-docker-compose exec -d broker-webapp bin/spire-agent run
+docker-compose -f "${DIR}"/docker-compose.yaml exec -d broker-webapp bin/spire-agent run
 
 # Start up the stock-quotes-service SPIRE agent.
 echo "${bb}Starting stock-quotes-service SPIRE agent...${nn}"
-docker-compose exec -d stock-quotes-service bin/spire-agent run
+docker-compose -f "${DIR}"/docker-compose.yaml exec -d stock-quotes-service bin/spire-agent run
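Review bot: The standalone `docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server bundle show` added just before the "Bootstrap trust" comment looks like a leftover debug call: its output is neither captured nor piped, so it only prints the broker trust bundle to the terminal and costs an extra exec round-trip. The two `tee conf/agent/bootstrap.crt` pipelines also dropped the `> /dev/null` the old lines had, so both bundles are now echoed to stdout as well; delete the stray line and restore `> /dev/null` on the two tee lines, or say in the comment that the echo is intended as visible progress. Separately, with `set -e` but no `pipefail` the pipeline's status is tee's, so a failing `bundle show` would leave an empty bootstrap.crt in the agent container and the script would carry on; adding `set -o pipefail` next to `set -e` makes the bootstrap fail loudly instead.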
diff --git a/docker-compose/federation/2-bootstrap-federation.sh b/docker-compose/federation/2-bootstrap-federation.sh
index 5651454..d8134ea 100755
--- a/docker-compose/federation/2-bootstrap-federation.sh
+++ b/docker-compose/federation/2-bootstrap-federation.sh
@@ -5,14 +5,16 @@ set -e
 bb=$(tput bold)
 nn=$(tput sgr0)
 
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
 echo "${bb}bootstrapping bundle from broker to quotes-service server...${nn}"
-docker-compose exec -T spire-server-broker \
- /opt/spire/bin/spire-server bundle show -format spiffe > docker/spire-server-stockmarket.example/conf/broker.example.bundle
-docker-compose exec -T spire-server-stock \
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
+ /opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
 /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://broker.example -path /opt/spire/conf/server/broker.example.bundle
 
 echo "${bb}bootstrapping bundle from quotes-service to broker server...${nn}"
-docker-compose exec -T spire-server-stock \
- /opt/spire/bin/spire-server bundle show -format spiffe > docker/spire-server-broker.example/conf/stockmarket.example.bundle
-docker-compose exec -T spire-server-broker \
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock \
+ /opt/spire/bin/spire-server bundle show -format spiffe > "${DIR}"/docker/spire-server-broker.example/conf/stockmarket.example.bundle
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker \
 /opt/spire/bin/spire-server bundle set -format spiffe -id spiffe://stockmarket.example -path /opt/spire/conf/server/stockmarket.example.bundle
diff --git a/docker-compose/federation/3-create-registration-entries.sh b/docker-compose/federation/3-create-registration-entries.sh
index 3b4e38f..e951241 100755
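Review bot: The `bundle show -format spiffe > "${DIR}"/docker/.../broker.example.bundle` redirect is opened by the host shell before `docker-compose exec` runs, so if `bundle show` fails the script stops under `set -e` but leaves an empty or truncated bundle file in the checkout, and the new `scripts/clean-env.sh` in this change only runs `docker-compose down` and never removes these generated files. Consider writing to a temp file and moving it into place only on success, e.g. `tmp=$(mktemp) && docker-compose ... bundle show -format spiffe > "$tmp" && mv "$tmp" "${DIR}"/docker/spire-server-stockmarket.example/conf/broker.example.bundle`, or at least deleting the two `*.bundle` files in clean-env.sh. This script is also the demo's trust-bootstrap step for federation, which deserves a header comment such as `# Exchange each server's trust bundle out of band via the host filesystem; this is the trust anchor for federation, so the copy must come from the server you intend to trust.`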
--- a/docker-compose/federation/3-create-registration-entries.sh
+++ b/docker-compose/federation/3-create-registration-entries.sh
@@ -5,6 +5,8 @@ set -e
 bb=$(tput bold)
 nn=$(tput sgr0)
 
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
 fingerprint() {
 # calculate the SHA1 digest of the DER bytes of the certificate using the
 # "coreutils" output format (`-r`) to provide uniform output from
@@ -12,18 +14,18 @@ fingerprint() {
 cat $1 | openssl x509 -outform DER | openssl sha1 -r | awk '{print $1}'
 }
 
-BROKER_WEBAPP_AGENT_FINGERPRINT=$(fingerprint docker/broker-webapp/conf/agent.crt.pem)
-QUOTES_SERVICE_AGENT_FINGERPRINT=$(fingerprint docker/stock-quotes-service/conf/agent.crt.pem)
+BROKER_WEBAPP_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/broker-webapp/conf/agent.crt.pem)
+QUOTES_SERVICE_AGENT_FINGERPRINT=$(fingerprint ${DIR}/docker/stock-quotes-service/conf/agent.crt.pem)
 
 echo "${bb}Creating registration entry for the broker-webapp...${nn}"
-docker-compose exec spire-server-broker bin/spire-server entry create \
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-broker bin/spire-server entry create \
 -parentID spiffe://broker.example/spire/agent/x509pop/${BROKER_WEBAPP_AGENT_FINGERPRINT} \
 -spiffeID spiffe://broker.example/webapp \
 -selector unix:user:root \
 -federatesWith "spiffe://stockmarket.example"
 
 echo "${bb}Creating registration entry for the stock-quotes-service...${nn}"
-docker-compose exec spire-server-stock bin/spire-server entry create \
+docker-compose -f "${DIR}"/docker-compose.yaml exec -T spire-server-stock bin/spire-server entry create \
 -parentID spiffe://stockmarket.example/spire/agent/x509pop/${QUOTES_SERVICE_AGENT_FINGERPRINT} \
 -spiffeID spiffe://stockmarket.example/quotes-service \
 -selector unix:user:root \
diff --git a/docker-compose/federation/build.sh b/docker-compose/federation/build.sh
index e195c80..c6c96be 100755
--- a/docker-compose/federation/build.sh
+++ b/docker-compose/federation/build.sh
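Review bot: The two new `fingerprint ${DIR}/docker/.../agent.crt.pem` lines leave `${DIR}` unquoted while every other use in this change writes `"${DIR}"`; DIR comes from the script's own location, so a checkout path with spaces or glob characters would split the argument and the x509pop parent ID would be computed from the wrong file. Quote them: `BROKER_WEBAPP_AGENT_FINGERPRINT=$(fingerprint "${DIR}"/docker/broker-webapp/conf/agent.crt.pem)` and the same for QUOTES_SERVICE_AGENT_FINGERPRINT. More importantly, `fingerprint` is a pipeline ending in `awk`, so a missing or unreadable cert makes the substitution return an empty string with status 0, `set -e` does not fire, and `entry create` runs with a parent ID of `.../x509pop/` that no agent can ever match; guard with `[[ -n "${BROKER_WEBAPP_AGENT_FINGERPRINT}" ]] || exit 1` (likewise for the quotes service) or add `set -o pipefail`. The second `entry create` command continues past the end of this hunk.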
@@ -4,7 +4,7 @@ set -e
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-(cd src/broker-webapp && CGO_ENABLED=0 GOOS=linux go build -v -o $DIR/docker/broker-webapp/broker-webapp)
-(cd src/stock-quotes-service && CGO_ENABLED=0 GOOS=linux go build -v -o $DIR/docker/stock-quotes-service/stock-quotes-service)
+(cd "${DIR}"/src/broker-webapp && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/broker-webapp/broker-webapp)
+(cd "${DIR}"/src/stock-quotes-service && CGO_ENABLED=0 GOOS=linux go build -v -o "${DIR}"/docker/stock-quotes-service/stock-quotes-service)
 
-docker-compose -f docker-compose.yml build
+docker-compose -f "${DIR}"/docker-compose.yaml build
diff --git a/docker-compose/federation/docker-compose.yml b/docker-compose/federation/docker-compose.yaml
similarity index 100%
rename from docker-compose/federation/docker-compose.yml
rename to docker-compose/federation/docker-compose.yaml
diff --git a/docker-compose/federation/scripts/clean-env.sh b/docker-compose/federation/scripts/clean-env.sh
new file mode 100644
index 0000000..4dbe321
--- /dev/null
+++ b/docker-compose/federation/scripts/clean-env.sh
@@ -0,0 +1,12 @@
+#/bin/bash
+
+set -e
+
+PARENT_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
+
+norm=$(tput sgr0) || true
+green=$(tput setaf 2) || true
+
+docker-compose -f "${PARENT_DIR}"/docker-compose.yaml down
+
+echo "${green}Cleaning completed.${norm}"
diff --git a/docker-compose/federation/scripts/set-env.sh b/docker-compose/federation/scripts/set-env.sh
new file mode 100755
index 0000000..b15e7f5
--- /dev/null
+++ b/docker-compose/federation/scripts/set-env.sh
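Review bot: The first line of the new scripts/clean-env.sh is `#/bin/bash`, missing the `!`, and the file is added with mode 100644 while the sibling scripts/set-env.sh is 100755; run directly it would fall back to the caller's shell rather than bash, and without the execute bit it cannot be run directly at all. test.sh only ever invokes it as `bash .../clean-env.sh`, so it works today, but the first line should be `#!/bin/bash` and the mode should match the other scripts so the behaviour does not depend on how it is launched. A one-line header comment would also help, since this script doubles as test.sh's EXIT-trap cleanup: `# Tear down the federation demo stack; safe to call even if nothing is running.` — the "safe" part assumes `docker-compose down` succeeds on an absent stack, which is worth confirming under `set -e`.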
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -e
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+PARENT_DIR="$(dirname "$DIR")"
+
+norm=$(tput sgr0) || true
+green=$(tput setaf 2) || true
+red=$(tput setaf 1) || true
+bold=$(tput bold) || true
+
+
+timestamp() {
+ date -u "+[%Y-%m-%dT%H:%M:%SZ]"
+}
+
+log() {
+ echo "${bold}$(timestamp) $*${norm}"
+}
+
+check-entry-is-propagated() {
+ # Check at most 30 times that the agent has successfully synced down the workload entry.
+ # Wait one second between checks.
+ log "Checking registration entry is propagated..."
+ for ((i=1;i<=30;i++)); do
+ if docker-compose -f "${PARENT_DIR}"/docker-compose.yaml exec -T $1 cat /opt/spire/agent.log 2>&1 | grep -qe "$2"; then
+ log "${green}Entry is propagated.${nn}"
+ return 0
+ fi
+ sleep 1
+ done
+
+ log "${red}timed out waiting for the entry to be progagated to the agent${norm}"
+ exit 1
+}
+
+
+log "Building"
+bash "${PARENT_DIR}"/build.sh
+
+log "Starting container"
+docker-compose -f "${PARENT_DIR}"/docker-compose.yaml up -d
+
+bash "${PARENT_DIR}"/1-start-spire-agents.sh
+
+bash "${PARENT_DIR}"/2-bootstrap-federation.sh
+
+bash "${PARENT_DIR}"/3-create-registration-entries.sh
+
+check-entry-is-propagated stock-quotes-service spiffe://stockmarket.example/quotes-service
+check-entry-is-propagated broker-webapp spiffe://broker.example/webapp
diff --git a/docker-compose/federation/test.sh b/docker-compose/federation/test.sh
new file mode 100755
index 0000000..6b02e7c
--- /dev/null
+++ b/docker-compose/federation/test.sh
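Review bot: In `check-entry-is-propagated`, `log "${green}Entry is propagated.${nn}"` references `nn`, which this script never defines (its reset variable is `norm`), so the green attribute is never reset on success and bleeds into everything printed afterwards; change it to `log "${green}Entry is propagated.${norm}"`. The same function passes `$1` to `exec -T` unquoted and matches the SPIFFE ID with `grep -qe "$2"`, where the dots in `spiffe://stockmarket.example/...` are regex metacharacters — `grep -qF -- "$2"` together with `"$1"` gives the exact check the comment describes. Because the function ends in `exit 1` rather than `return 1`, a caller cannot handle the timeout itself; that is acceptable for this script but deserves a line in the function's comment, e.g. `# Exits the whole script (not just the function) if the entry does not show up within 30 checks.` The timeout message also misspells "propagated" as "progagated".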
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+norm=$(tput sgr0) || true
+green=$(tput setaf 2) || true
+red=$(tput setaf 1) || true
+bold=$(tput bold) || true
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+timestamp() {
+ date -u "+[%Y-%m-%dT%H:%M:%SZ]"
+}
+
+log() {
+ echo "${bold}$(timestamp) $*${norm}"
+}
+
+fail() {
+ echo "${red}$(timestamp) $*${norm}"
+ exit 1
+}
+
+clean-env() {
+ log "Cleaning up..."
+ bash "${DIR}"/scripts/clean-env.sh
+}
+
+trap clean-env EXIT
+
+
+log "Preparing Nested SPIRE environment..."
+clean-env
+
+bash "${DIR}"/scripts/set-env.sh
+
+for ((i=0;i<60;i++)); do
+ if docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp wget localhost:8080/quotes -O - 2>&1 | grep -qe "Quotes service unavailable"; then
+ log "Service not found, retrying..."
+ sleep 1
+ continue
+ fi
+ CONNECTION_OK=1
+ break
+done
+
+if [ "${CONNECTION_OK}" ]; then
+ echo "${green}Success${norm}"
+ exit 0
+fi
+
+fail "Failed!. Timed out waiting quote service communicate with webapp from SPIRE."
+exit 1
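Review bot: The retry loop in test.sh reports success whenever the output does not contain "Quotes service unavailable", so a refused connection, a missing `wget` in the container, an HTTP error page or an empty body all set `CONNECTION_OK=1` on the first iteration and the test passes without any federated call having happened; only the one specific fallback string triggers a retry. The loop should treat a non-zero exit from the `docker-compose exec ... wget` pipeline as "not ready yet" and only accept a successful fetch whose body is not the fallback, as sketched below (whether BusyBox wget exits non-zero on HTTP error status should be confirmed for the image in use). Also, `bash "${DIR}"/scripts/set-env.sh` has no status check and this file has no `set -e`, so a failed environment setup falls straight into the 60-second probe loop; `bash "${DIR}"/scripts/set-env.sh || fail "environment setup failed"` makes that failure explicit. Minor: the banner says "Preparing Nested SPIRE environment..." but this is the federation demo, and the final message reads better as `fail "Failed: timed out waiting for the webapp to reach the quotes service over the federated SPIRE trust."`.
```shell
# … unchanged: colour setup, timestamp/log/fail/clean-env helpers, trap, clean-env call …
bash "${DIR}"/scripts/set-env.sh || fail "environment setup failed"

for ((i=0;i<60;i++)); do
    # Succeed only when the fetch itself succeeds AND the body is not the
    # webapp's "unavailable" fallback; any other failure keeps retrying
    # instead of silently passing the test.
    if body=$(docker-compose -f "${DIR}"/docker-compose.yaml exec -T broker-webapp \
            wget -q -O - localhost:8080/quotes 2>/dev/null) \
        && ! grep -q "Quotes service unavailable" <<<"$body"; then
        CONNECTION_OK=1
        break
    fi
    log "Service not found, retrying..."
    sleep 1
done
# … unchanged: CONNECTION_OK check, Success/fail …
```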