#68 Register all backend instances at Consul (#69)

Author: vityaman

backend/.gitignore

@@ -31,6 +31,11 @@ build/
 # Secrets
 *.pem
 *.p12
+*.key
+*.crt
+*.csr
+*.srl
+*.jks
 
 # Java
 *.hprof

backend/authik/src/main/resources/application.yml

@@ -1,6 +1,8 @@
 spring:
   config:
     import: application-foundation.yml
+  application:
+    name: authik
   datasource:
     url: jdbc:postgresql://authik-database:5432/${POSTGRES_DB}
     username: ${POSTGRES_USER}

backend/config/crypto/ca.cnf

@@ -0,0 +1,21 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+x509_extensions = v3_ca
+
+[dn]
+C = RU
+ST = Saint-Petersburg
+L = Saint-Petersburg
+O = ITMO Dating
+OU = IT
+CN = ITMO Dating Root CA
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign

backend/config/crypto/csr.cnf

@@ -0,0 +1,24 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+C = RU
+ST = Saint-Petersburg
+L = Saint-Petersburg
+O = ITMO Dating
+OU = IT
+CN = dating.se.ifmo.ru
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = authik
+DNS.3 = matchmaker
+DNS.4 = people
+DNS.5 = server.dc1.consul

backend/config/crypto/keys.bash

@@ -7,54 +7,129 @@ ENV="$2"
 
 ALIAS="itmo-dating"
 ALIAS_BACKEND="$ALIAS-backend"
-KEYSTORE="keystore.p12"
+VALIDITY=1
 BACKEND_INSTALL_PATH="foundation/src/main/resources/keystore"
+CONSUL_INSTALL_PATH="consul/config"
 GATEWAY_INSTALL_PATH="gateway/src/main/resources/keystore"
 PASSWORD="$ITMO_DATING_KEY_STORE_PASSWORD"
 
+function generate() {
+  echo "Phase: Generate"
+
+  echo "Generating the private key for CA certificate..."
+  openssl genpkey \
+    -algorithm RSA \
+    -out "$ALIAS_BACKEND-ca.key" 2> /dev/null
+
+  echo "Generating the self-signed CA certificate..."
+  openssl req -x509 -new \
+    -nodes \
+    -days "$VALIDITY" \
+    -config ca.cnf \
+    -key "$ALIAS_BACKEND-ca.key" \
+    -out "$ALIAS_BACKEND-ca.crt"
+
+  echo "Generating the private key for services..."
+  openssl genpkey \
+    -algorithm RSA \
+    -out "$ALIAS_BACKEND.key" 2> /dev/null
+
+  echo "Generating the Certificate Signing Request (CSR)..."
+  openssl req -new \
+    -config csr.cnf \
+    -key "$ALIAS_BACKEND.key" \
+    -out "$ALIAS_BACKEND.csr"
+
+  echo "Signing the CSR with self-signed CA to create a certificate..."
+  openssl x509 -req \
+    -sha256 \
+    -days "$VALIDITY" \
+    -extfile csr.cnf -extensions req_ext \
+    -CAcreateserial \
+    -CA "$ALIAS_BACKEND-ca.crt" \
+    -CAkey "$ALIAS_BACKEND-ca.key" \
+    -in "$ALIAS_BACKEND.csr" \
+    -out "$ALIAS_BACKEND.crt"
+
+  echo "Packaging keys and certificates..."
+  openssl pkcs12 -export \
+    -password pass:"$PASSWORD" \
+    -inkey "$ALIAS_BACKEND.key" \
+    -in "$ALIAS_BACKEND.crt" \
+    -certfile "$ALIAS_BACKEND-ca.crt" \
+    -out "$ALIAS_BACKEND.p12"
+
+  echo "Converting PKCS12 to JKS..."
+  keytool -importkeystore \
+    -srcstoretype PKCS12 \
+    -srckeystore "$ALIAS_BACKEND.p12" \
+    -srcstorepass "$PASSWORD" \
+    -deststoretype JKS \
+    -destkeystore "$ALIAS_BACKEND.jks" \
+    -deststorepass "$PASSWORD"
+}
+
 function copy() {
-  mkdir -p "../../$BACKEND_INSTALL_PATH"
-  mkdir -p "../../$GATEWAY_INSTALL_PATH"
-  cp "$1" "../../$BACKEND_INSTALL_PATH/$1"
-  cp "$1" "../../$GATEWAY_INSTALL_PATH/$1"
+  DIR="$1"
+  FILE="$2"
+
+  mkdir -p "../../$DIR"
+  cp "$FILE" "../../$DIR/$FILE"
 }
 
-function remove() {
-  rm -f "$1" "../../$BACKEND_INSTALL_PATH/$1" "../../$GATEWAY_INSTALL_PATH/$1"
+function distribute() {
+  echo "Phase: Distribute"
+
+  echo "Copying package to the backend..."
+  copy "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.p12"
+  copy "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.jks"
+  copy "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+
+  echo "Copying package to the gateway..."
+  copy "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.p12"
+  copy "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.jks"
+  copy "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+
+  echo "Copying keys to the consul..."
+  copy "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.key"
+  copy "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+  copy "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
 }
 
-function generate() {
-  echo "Generating the backend key pair keystore..."
-  keytool \
-    -genkeypair \
-    -alias      "$ALIAS" \
-    -keyalg     RSA \
-    -keysize    4096 \
-    -validity   1 \
-    -dname      "CN=localhost" \
-    -ext        "san=dns:localhost,dns:authik,dns:matchmaker,dns:people" \
-    -keypass    "$PASSWORD" \
-    -keystore   "$KEYSTORE" \
-    -storeType  PKCS12 \
-    -storepass  "$PASSWORD"
-
-  echo "Exporting the backend private key..."
-  openssl pkcs12 -in "$KEYSTORE" -nocerts -out "$ALIAS_BACKEND-private.pem" \
-    -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
-
-  echo "Exporting the backend public key..."
-  openssl pkcs12 -in "$KEYSTORE" -nokeys  -out "$ALIAS_BACKEND-public.pem"  \
-    -passin pass:"$PASSWORD" -passout pass:"$PASSWORD"
-
-  copy "$KEYSTORE"
-  copy "$ALIAS_BACKEND-private.pem"
-  copy "$ALIAS_BACKEND-public.pem"
+function remove() {
+  DIR="$1"
+  FILE="$2"
+
+  rm -rf "../../$DIR/$FILE"
+  rm -rf "$FILE"
 }
 
 function clear() {
-  remove "$KEYSTORE"
-  remove "$ALIAS_BACKEND-private.pem"
-  remove "$ALIAS_BACKEND-public.pem"
+  echo "Phase: Clear"
+
+  echo "Removing package from the backend..."
+  remove "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.p12"
+  remove "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.jks"
+  remove "$BACKEND_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+
+  echo "Removing package from the gateway..."
+  remove "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.p12"
+  remove "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.jks"
+  remove "$GATEWAY_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+
+  echo "Removing keys from the consul..."
+  remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.key"
+  remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND.crt"
+  remove "$CONSUL_INSTALL_PATH" "$ALIAS_BACKEND-ca.crt"
+
+  echo "Removing local outputs..."
+  rm -rf "$ALIAS_BACKEND.crt"
+  rm -rf "$ALIAS_BACKEND.csr"
+  rm -rf "$ALIAS_BACKEND.key"
+  rm -rf "$ALIAS_BACKEND.p12"
+  rm -rf "$ALIAS_BACKEND-ca.key"
+  rm -rf "$ALIAS_BACKEND-ca.crt"
+  rm -rf "$ALIAS_BACKEND-ca.srl"
 }
 
 if [ "$ENV" = "test" ]; then
@@ -63,6 +138,7 @@ fi
 
 if [ "$MODE" = "generate" ]; then
   generate
+  distribute
 elif [ "$MODE" = "clean" ]; then
   clear
 else

backend/consul/Dockerfile

@@ -0,0 +1,14 @@
+FROM hashicorp/consul
+
+COPY ./config/itmo-dating-backend.key /consul/config/itmo-dating-backend.key
+COPY ./config/itmo-dating-backend.crt /consul/config/itmo-dating-backend.crt
+COPY ./config/itmo-dating-backend-ca.crt /consul/config/itmo-dating-backend-ca.crt
+COPY ./config/consul.hcl /consul/config/consul.hcl
+
+COPY ./run.sh /consul/run.sh
+
+RUN chmod -R 755 /consul/config && \
+    chmod 644 /consul/config/itmo-dating-backend.key && \
+    chmod 644 /consul/config/itmo-dating-backend.crt && \
+    chmod 644 /consul/config/itmo-dating-backend-ca.crt && \
+    chmod 644 /consul/config/consul.hcl

backend/consul/config/consul.hcl

@@ -0,0 +1,66 @@
+server = true
+bind_addr = "0.0.0.0"
+client_addr = "0.0.0.0"
+
+ports {
+  http = 8500
+  https = 8501
+  grpc = -1
+}
+
+acl {
+  enabled = true
+  default_policy = "allow"
+  enable_token_persistence = true
+}
+
+data_dir = "/opt/consul/data"
+
+ui = true
+
+verify_incoming = true
+verify_outgoing = true
+verify_server_hostname = true
+tls_min_version = "TLSv1_3"
+key_file = "/consul/config/itmo-dating-backend.key"
+cert_file = "/consul/config/itmo-dating-backend.crt"
+ca_file = "/consul/config/itmo-dating-backend-ca.crt"
+
+services = [
+  {
+    name = "authik-database"
+    address = "authik-database"
+    port = 5432
+    check = {
+      id = "authik-database-check"
+      name = "Authik PostgreSQL Health Check"
+      tcp = "authik-database:5432"
+      interval = "10s"
+      timeout = "1s"
+    }
+  },
+  {
+    name = "matchmaker-database"
+    address = "matchmaker-database"
+    port = 5432
+    check = {
+      id = "matchmaker-database-check"
+      name = "Matchmaker PostgreSQL Health Check"
+      tcp = "matchmaker-database:5432"
+      interval = "10s"
+      timeout = "1s"
+    }
+  },
+  {
+    name = "people-database"
+    address = "people-database"
+    port = 5432
+    check = {
+      id = "people-database-check"
+      name = "People PostgreSQL Health Check"
+      tcp = "people-database:5432"
+      interval = "10s"
+      timeout = "1s"
+    }
+  },
+]

backend/consul/run.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+consul agent -config-file=/consul/config/consul.hcl -bootstrap-expect=1 \
+  | grep -v "This request used the token query parameter which is deprecated and will be removed"

backend/foundation/build.gradle.kts

@@ -9,10 +9,13 @@ dependencies {
     api(libs.org.springframework.boot.spring.boot.starter.webflux)
     api(libs.org.springframework.boot.spring.boot.starter.data.r2dbc)
     api(libs.org.springframework.boot.spring.boot.starter.security)
+    api(libs.org.springframework.boot.spring.boot.starter.actuator)
 
     api(libs.org.springframework.spring.web)
     api(libs.org.springframework.spring.context)
 
+    api(libs.org.springframework.cloud.spring.cloud.starter.consul.discovery)
+
     api(libs.org.springdoc.springdoc.openapi.starter.webflux.ui)
 
     api(libs.io.swagger.core.v3.swagger.annotations)

backend/foundation/src/main/kotlin/ru/ifmo/se/dating/spring/SpringConfiguration.kt

@@ -1,12 +1,14 @@
 package ru.ifmo.se.dating.spring
 
+import org.springframework.cloud.client.discovery.EnableDiscoveryClient
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.scheduling.annotation.EnableScheduling
 import java.time.Clock
 
 @Configuration
 @EnableScheduling
+@EnableDiscoveryClient
 class SpringConfiguration {
     @Bean
     fun clock(): Clock = Clock.systemDefaultZone()

backend/foundation/src/main/kotlin/ru/ifmo/se/dating/spring/security/ssl/KeyStoreExtractor.kt

@@ -0,0 +1,36 @@
+package ru.ifmo.se.dating.spring.security.ssl
+
+import jakarta.annotation.PostConstruct
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.stereotype.Component
+import ru.ifmo.se.dating.logging.Log
+import ru.ifmo.se.dating.logging.Log.Companion.autoLog
+import java.io.File
+import java.nio.file.Files
+import java.nio.file.Paths
+import java.nio.file.StandardCopyOption
+
+@Component
+class KeyStoreExtractor(
+    @Value("\${spring.cloud.consul.tls.certificate-path}")
+    private val certificatePath: String,
+
+    @Value("\${spring.cloud.consul.tls.key-store-path}")
+    private val keystorePath: String,
+) {
+    private val log = Log.autoLog()
+
+    @PostConstruct
+    fun extractCertificate() {
+        extract(certificatePath)
+        extract(keystorePath)
+    }
+
+    private fun extract(path: String) {
+        log.info("Extracting file '$path' from the jar...")
+        val inputStream = javaClass.classLoader.getResourceAsStream(certificatePath)!!
+        File(certificatePath).parentFile?.mkdirs()
+        Files.copy(inputStream, Paths.get(certificatePath), StandardCopyOption.REPLACE_EXISTING)
+        log.info("File '$path' extracted successfully!")
+    }
+}