#92 Add HAProxy as a private gateway (#96)

Signed-off-by: vityaman <vityaman.dev@yandex.ru>

Author: vityaman

backend/haproxy/Dockerfile

@@ -0,0 +1,6 @@
+FROM haproxy:latest
+
+COPY ./config/itmo-dating-backend.pem       /usr/local/etc/haproxy/itmo-dating-backend.pem
+COPY ./config/itmo-dating-backend-ca.crt    /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+COPY ./config/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

backend/haproxy/config/haproxy.cfg

@@ -0,0 +1,55 @@
+global
+  log stdout format raw local0 debug
+
+defaults
+  log global
+  option httplog
+  option dontlognull
+  option logasap
+  mode http
+
+  timeout client 10s
+  timeout connect 5s
+  timeout server 10s
+  timeout http-request 10s
+
+  default-server check inter 10s fall 2 rise 1
+
+frontend internal
+  bind :8445 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+  bind :8446 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+  bind :8455 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+  bind :8456 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+  bind :8457 ssl crt /usr/local/etc/haproxy/itmo-dating-backend.pem
+
+  use_backend vault         if { dst_port 8445 }
+  use_backend consul        if { dst_port 8446 }
+  use_backend authik        if { dst_port 8455 }
+  use_backend matchmaker    if { dst_port 8456 }
+  use_backend people        if { dst_port 8457 }
+
+backend vault
+  option httpchk GET /v1/sys/health?standbycode=200&sealedcode=200&uninitcode=200&drsecondarycode=200&performancestandbycode=200
+  server vault vault.dating.se.ifmo.ru:8200 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend consul
+  option httpchk GET /ui
+  server consul server.dc1.consul:8500 check init-addr last,libc,none
+
+backend authik
+  balance roundrobin
+  option httpchk GET /actuator/health
+  server authik-0 authik-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+  server authik-1 authik-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend matchmaker
+  balance roundrobin
+  option httpchk GET /actuator/health
+  server matchmaker-0 matchmaker-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+  server matchmaker-1 matchmaker-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+
+backend people
+  balance roundrobin
+  option httpchk GET /actuator/health
+  server people-0 people-0.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt
+  server people-1 people-1.dating.se.ifmo.ru:8080 check init-addr last,libc,none ssl verify required ca-file /usr/local/etc/haproxy/itmo-dating-backend-ca.crt

backend/script/crypto/keys.bash

@@ -18,6 +18,7 @@ STARTER_SERVICE_DISCOVERY_INSTALL_PATH="starter-service-discovery/$INTERNAL_INST
 GATEWAY_INSTALL_PATH="gateway/$INTERNAL_INSTALL_PATH"
 CONSUL_INSTALL_PATH="consul/config"
 VAULT_INSTALL_PATH="vault/config"
+HAPROXY_INSTALL_PATH="haproxy/config"
 
 function generate() {
   echo "Phase: Generate"
@@ -74,8 +75,11 @@ function generate() {
     -destkeystore "$ALIAS_BACKEND.jks" \
     -deststorepass "$PASSWORD"
 
-  echo "Copying PKCS12 as external certificate"
+  echo "Copying PKCS12 as external certificate..."
   cp "$ALIAS_BACKEND.p12" "$ALIAS_EXTERNAL.p12"
+
+  echo "Creating unified .pem..."
+  cat "$ALIAS_BACKEND.crt" "$ALIAS_BACKEND.key" > "$ALIAS_BACKEND.pem"
 }
 
 function copy() {
@@ -107,6 +111,10 @@ function distribute() {
   copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.key"
   copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.crt"
   copy "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
+
+  echo "Copying keys to the HAProxy..."
+  copy "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND.pem"
+  copy "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 }
 
 function remove() {
@@ -126,19 +134,23 @@ function clear() {
   echo "Removing package from the starter-service-discovery..."
   remove "$STARTER_SERVICE_DISCOVERY_INSTALL_PATH" "$ALIAS_BACKEND.jks"
 
-  echo "Removing package from the gateway..."
+  echo "Removing package from the Gateway..."
   remove "$GATEWAY_INSTALL_PATH" "$ALIAS_EXTERNAL.p12"
 
-  echo "Removing keys from the consul..."
+  echo "Removing keys from the Consul..."
   remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.key"
   remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.crt"
   remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 
-  echo "Removing keys from the vault..."
+  echo "Removing keys from the Vault..."
   remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.key"
   remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND.crt"
   remove "$VAULT_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 
+  echo "Removing keys from the HAProxy..."
+  remove "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND.pem"
+  remove "$HAPROXY_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
+
   echo "Removing local outputs..."
   rm -rf "$ALIAS_BACKEND.crt"
   rm -rf "$ALIAS_BACKEND.csr"

backend/starter-tls/src/main/resources/application-tls-test.yml

@@ -1,3 +1,6 @@
+client:
+  ssl:
+    key-store-password: testing-keystore-password
 server:
   ssl:
     key-store-password: testing-keystore-password

backend/starter-tls/src/main/resources/application-tls.yml

@@ -10,5 +10,5 @@ client:
   ssl:
     key-store-type: PKCS12
     key-store: classpath:keystore/itmo-dating-backend.p12
-    key-store-password: ${server.ssl.key-store-password}
+    key-store-password: ${ITMO_DATING_KEY_STORE_PASSWORD}
     protocol: TLSv1.3

compose.yml

@@ -8,8 +8,6 @@ services:
       ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
     tty: true
     hostname: authik-0.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18000:8080"
     depends_on:
       database:
         condition: service_healthy
@@ -21,8 +19,6 @@ services:
     extends:
       service: authik-0
     hostname: authik-1.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18001:8080"
     profiles:
       - reliability
   matchmaker-0:
@@ -34,8 +30,6 @@ services:
       ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
     tty: true
     hostname: matchmaker-0.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18010:8080"
     depends_on:
       database:
         condition: service_healthy
@@ -45,8 +39,6 @@ services:
     extends:
       service: matchmaker-0
     hostname: matchmaker-1.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18011:8080"
     profiles:
       - reliability
   people-0:
@@ -58,8 +50,6 @@ services:
       ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
     tty: true
     hostname: people-0.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18020:8080"
     depends_on:
       database:
         condition: service_healthy
@@ -71,8 +61,6 @@ services:
     extends:
       service: people-0
     hostname: people-1.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:18021:8080"
     profiles:
       - reliability
   object-storage:
@@ -93,8 +81,6 @@ services:
       timeout: 5s
       retries: 5
     hostname: object-storage.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:9001:9001"
   database:
     image: postgres
     environment:
@@ -115,9 +101,10 @@ services:
     build:
       context: ./backend/gateway
     environment:
-      ITMO_DATING_EXT_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
+      ITMO_DATING_EXT_KEY_STORE_PASSWORD: ${ITMO_DATING_EXT_KEY_STORE_PASSWORD?:err}
       ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
     tty: true
+    hostname: gateway.dating.se.ifmo.ru
     ports:
       - "444:8080"
   config:
@@ -128,8 +115,6 @@ services:
       ITMO_DATING_KEY_STORE_PASSWORD: ${ITMO_DATING_KEYSTORE_PASSWORD?:err}
     tty: true
     hostname: config.dating.se.ifmo.ru
-    ports:
-      - "127.0.0.1:445:8080"
     depends_on:
       vault:
         condition: service_started
@@ -143,17 +128,24 @@ services:
       - consul-data:/opt/consul/data
     tty: true
     hostname: server.dc1.consul
-    ports:
-      - "127.0.0.1:8500:8500"
-      - "127.0.0.1:8501:8501"
   vault:
     image: ghcr.io/secs-dev/itmo-dating-vault:latest
     build:
       context: ./backend/vault
     tty: true
     hostname: vault.dating.se.ifmo.ru
+  haproxy:
+    image: ghcr.io/secs-dev/itmo-dating-haproxy:latest
+    build:
+      context: ./backend/haproxy
+    tty: true
+    hostname: haproxy.dating.se.ifmo.ru
     ports:
-      - "127.0.0.1:8200:8200"
+      - "127.0.0.1:8445:8445"
+      - "127.0.0.1:8446:8446"
+      - "127.0.0.1:8455:8455"
+      - "127.0.0.1:8456:8456"
+      - "127.0.0.1:8457:8457"
   tg-miniapp:
     image: ghcr.io/secs-dev/itmo-dating-tg-miniapp:latest
     build: