feat: support set self-signed cert for service (#3568)
Signed-off-by: Gaius <gaius.qi@gmail.com>
gaius-qi authored Oct 11, 2024
1 parent da10972 commit e3b8583
Showing 43 changed files with 512 additions and 2,953 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/compatibility-e2e-v1.yml
Expand Up @@ -32,11 +32,11 @@ jobs:
include:
- module: manager
image: manager
image-tag: v2.1.55-alpha
image-tag: v2.1.60
chart-name: manager
- module: scheduler
image: scheduler
image-tag: v2.1.55-alpha
image-tag: v2.1.60
chart-name: scheduler
- module: dfdaemon
image: dfdaemon
8 changes: 0 additions & 8 deletions .github/workflows/e2e-v1.yml
Expand Up @@ -31,9 +31,7 @@ jobs:
module:
- "normal"
- "concurent-back-source"
- "grpc-tls"
- "disable-seed-peer"
- "grpc-tls-ipv6"
- "ipv6"
- "split-running-tasks"
- "cache-list-metadata"
Expand All @@ -45,18 +43,12 @@ jobs:
- module: concurent-back-source
charts-config: test/testdata/charts/config-concurent-back-source.yaml
skip: ""
- module: grpc-tls
charts-config: test/testdata/charts/config-grpc-tls.yaml
skip: ""
- module: disable-seed-peer
charts-config: test/testdata/charts/config-disable-seed-peer.yaml
skip: preheat
- module: ipv6
charts-config: test/testdata/charts/config-ipv6.yaml
skip: ""
- module: grpc-tls-ipv6
charts-config: test/testdata/charts/config-grpc-tls-ipv6.yaml
skip: ""
- module: split-running-tasks
charts-config: test/testdata/charts/config-split-running-tasks.yaml
skip: ""
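--- a/client/config/peerhost.go
+++ b/client/config/peerhost.go
@@ -70,19 +70,18 @@ type DaemonOption struct {
 DataDirMode uint32 `mapstructure:"dataDirMode" yaml:"dataDirMode"`
 KeepStorage bool `mapstructure:"keepStorage" yaml:"keepStorage"`
 
-Security GlobalSecurityOption `mapstructure:"security" yaml:"security"`
-Scheduler SchedulerOption `mapstructure:"scheduler" yaml:"scheduler"`
-Host HostOption `mapstructure:"host" yaml:"host"`
-Download DownloadOption `mapstructure:"download" yaml:"download"`
-Proxy *ProxyOption `mapstructure:"proxy" yaml:"proxy"`
-Upload UploadOption `mapstructure:"upload" yaml:"upload"`
-ObjectStorage ObjectStorageOption `mapstructure:"objectStorage" yaml:"objectStorage"`
-Storage StorageOption `mapstructure:"storage" yaml:"storage"`
-Health *HealthOption `mapstructure:"health" yaml:"health"`
-Reload ReloadOption `mapstructure:"reload" yaml:"reload"`
-Network *NetworkOption `mapstructure:"network" yaml:"network"`
-Announcer AnnouncerOption `mapstructure:"announcer" yaml:"announcer"`
-PeerExchange PeerExchangeOption `mapstructure:"peerExchange" yaml:"peerExchange"`
+Scheduler SchedulerOption `mapstructure:"scheduler" yaml:"scheduler"`
+Host HostOption `mapstructure:"host" yaml:"host"`
+Download DownloadOption `mapstructure:"download" yaml:"download"`
+Proxy *ProxyOption `mapstructure:"proxy" yaml:"proxy"`
+Upload UploadOption `mapstructure:"upload" yaml:"upload"`
+ObjectStorage ObjectStorageOption `mapstructure:"objectStorage" yaml:"objectStorage"`
+Storage StorageOption `mapstructure:"storage" yaml:"storage"`
+Health *HealthOption `mapstructure:"health" yaml:"health"`
+Reload ReloadOption `mapstructure:"reload" yaml:"reload"`
+Network *NetworkOption `mapstructure:"network" yaml:"network"`
+Announcer AnnouncerOption `mapstructure:"announcer" yaml:"announcer"`
+PeerExchange PeerExchangeOption `mapstructure:"peerExchange" yaml:"peerExchange"`
 }
 
 func NewDaemonConfig() *DaemonOption {
@@ -207,57 +206,13 @@ func (p *DaemonOption) Validate() error {
 return errors.New("gcInterval must be greater than 0")
 }
 
-if p.Security.AutoIssueCert {
-if p.Security.CACert == "" {
-return errors.New("security requires parameter caCert")
-}
-
-if len(p.Security.CertSpec.IPAddresses) == 0 {
-return errors.New("certSpec requires parameter ipAddresses")
-}
-
-if len(p.Security.CertSpec.DNSNames) == 0 {
-return errors.New("certSpec requires parameter dnsNames")
-}
-
-if p.Security.CertSpec.ValidityPeriod <= 0 {
-return errors.New("certSpec requires parameter validityPeriod")
-}
-}
-
 return nil
 }
 
 func (p *DaemonOption) IsSupportPeerExchange() bool {
 return p.PeerExchange.Enable && p.Scheduler.Manager.Enable && p.Scheduler.Manager.SeedPeer.Enable
 }
 
-type GlobalSecurityOption struct {
-// AutoIssueCert indicates to issue client certificates for all grpc call
-// if AutoIssueCert is false, any other option in Security will be ignored
-AutoIssueCert bool `mapstructure:"autoIssueCert" yaml:"autoIssueCert"`
-// CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string
-CACert types.PEMContent `mapstructure:"caCert" yaml:"caCert"`
-// TLSVerify indicates to verify client certificates.
-TLSVerify bool `mapstructure:"tlsVerify" yaml:"tlsVerify"`
-// TLSPolicy controls the grpc shandshake behaviors:
-// force: both ClientHandshake and ServerHandshake are only support tls
-// prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
-// default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
-TLSPolicy string `mapstructure:"tlsPolicy" yaml:"tlsPolicy"`
-// CertSpec is the desired state of certificate.
-CertSpec *CertSpec `mapstructure:"certSpec" yaml:"certSpec"`
-}
-
-type CertSpec struct {
-// DNSNames is a list of dns names be set on the certificate.
-DNSNames []string `mapstructure:"dnsNames" yaml:"dnsNames"`
-// IPAddresses is a list of ip addresses be set on the certificate.
-IPAddresses []net.IP `mapstructure:"ipAddresses" yaml:"ipAddresses"`
-// ValidityPeriod is the validity period of certificate.
-ValidityPeriod time.Duration `mapstructure:"validityPeriod" yaml:"validityPeriod"`
-}
-
 type SchedulerOption struct {
 // Manager is to get the scheduler configuration remotely.
 Manager ManagerOption `mapstructure:"manager" yaml:"manager"`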
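Review bot: Dropping the `Security` field from `DaemonOption` in the first hunk silently changes the trust posture of existing deployments: a daemon.yaml that still sets `security.autoIssueCert: true` or `security.tlsPolicy: force` will, as far as this section shows, decode without error (unused mapstructure keys are ignored unless the decoder is configured to reject them, and nothing here does so) and the daemon will run with whatever transport the new code defaults to. Consider making the stale block visible to operators, for example by adding to `Validate` (whose body begins outside the second hunk) a check on the raw config that returns `errors.New("security option was removed; configure certificates via the new per-service setting")` or at least logs a deprecation warning, and by stating the migration path in the commit description. The second hunk also removes `GlobalSecurityOption` and `CertSpec` with their doc comments, and the `e2e-v1.yml` section drops the `grpc-tls` and `grpc-tls-ipv6` jobs, so no end-to-end coverage of the TLS path remains visible in this commit; a replacement e2e module for the self-signed certificate flow would close that gap.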
12 changes: 0 additions & 12 deletions client/config/peerhost_darwin.go
Expand Up @@ -25,7 +25,6 @@ import (

"d7y.io/dragonfly/v2/client/util"
"d7y.io/dragonfly/v2/pkg/net/fqdn"
"d7y.io/dragonfly/v2/pkg/rpc"
"d7y.io/dragonfly/v2/pkg/types"
)

Expand Down Expand Up @@ -164,17 +163,6 @@ var peerHostConfig = func() *DaemonOption {
Duration: time.Minute,
},
},
Security: GlobalSecurityOption{
AutoIssueCert: false,
CACert: types.PEMContent(""),
TLSVerify: false,
TLSPolicy: rpc.PreferTLSPolicy,
CertSpec: &CertSpec{
DNSNames: DefaultCertDNSNames,
IPAddresses: DefaultCertIPAddresses,
ValidityPeriod: DefaultCertValidityPeriod,
},
},
Network: &NetworkOption{
EnableIPv6: false,
},
12 changes: 0 additions & 12 deletions client/config/peerhost_linux.go
Expand Up @@ -25,7 +25,6 @@ import (

"d7y.io/dragonfly/v2/client/util"
"d7y.io/dragonfly/v2/pkg/net/fqdn"
"d7y.io/dragonfly/v2/pkg/rpc"
"d7y.io/dragonfly/v2/pkg/types"
)

Expand Down Expand Up @@ -164,17 +163,6 @@ var peerHostConfig = func() *DaemonOption {
Duration: time.Minute,
},
},
Security: GlobalSecurityOption{
AutoIssueCert: false,
CACert: types.PEMContent(""),
TLSVerify: false,
TLSPolicy: rpc.DefaultTLSPolicy,
CertSpec: &CertSpec{
DNSNames: DefaultCertDNSNames,
IPAddresses: DefaultCertIPAddresses,
ValidityPeriod: DefaultCertValidityPeriod,
},
},
Network: &NetworkOption{
EnableIPv6: false,
},
87 changes: 0 additions & 87 deletions client/config/peerhost_test.go
Expand Up @@ -501,17 +501,6 @@ func TestPeerHostOption_Load(t *testing.T) {
Duration: 180000000000,
},
},
Security: GlobalSecurityOption{
AutoIssueCert: true,
CACert: "-----BEGIN CERTIFICATE-----",
TLSVerify: true,
TLSPolicy: "force",
CertSpec: &CertSpec{
DNSNames: []string{"foo"},
IPAddresses: []net.IP{net.IPv4zero},
ValidityPeriod: 1000000000,
},
},
Network: &NetworkOption{
EnableIPv6: true,
},
Expand Down Expand Up @@ -681,82 +670,6 @@ func TestPeerHostOption_Validate(t *testing.T) {
assert.EqualError(err, "gcInterval must be greater than 0")
},
},
{
name: "security requires parameter caCert",
config: NewDaemonConfig(),
mock: func(cfg *DaemonConfig) {
cfg.Scheduler.NetAddrs = []dfnet.NetAddr{
{
Type: dfnet.TCP,
Addr: "127.0.0.1:8002",
},
}
cfg.Security.AutoIssueCert = true
cfg.Security.CACert = ""
},
expect: func(t *testing.T, err error) {
assert := assert.New(t)
assert.EqualError(err, "security requires parameter caCert")
},
},
{
name: "certSpec requires parameter ipAddresses",
config: NewDaemonConfig(),
mock: func(cfg *DaemonConfig) {
cfg.Scheduler.NetAddrs = []dfnet.NetAddr{
{
Type: dfnet.TCP,
Addr: "127.0.0.1:8002",
},
}
cfg.Security.AutoIssueCert = true
cfg.Security.CACert = "test"
cfg.Security.CertSpec.IPAddresses = nil
},
expect: func(t *testing.T, err error) {
assert := assert.New(t)
assert.EqualError(err, "certSpec requires parameter ipAddresses")
},
},
{
name: "certSpec requires parameter dnsNames",
config: NewDaemonConfig(),
mock: func(cfg *DaemonConfig) {
cfg.Scheduler.NetAddrs = []dfnet.NetAddr{
{
Type: dfnet.TCP,
Addr: "127.0.0.1:8002",
},
}
cfg.Security.AutoIssueCert = true
cfg.Security.CACert = "test"
cfg.Security.CertSpec.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
cfg.Security.CertSpec.DNSNames = nil
},
expect: func(t *testing.T, err error) {
assert := assert.New(t)
assert.EqualError(err, "certSpec requires parameter dnsNames")
},
},
{
name: "certSpec requires parameter validityPeriod",
config: NewDaemonConfig(),
mock: func(cfg *DaemonConfig) {
cfg.Scheduler.NetAddrs = []dfnet.NetAddr{
{
Type: dfnet.TCP,
Addr: "127.0.0.1:8002",
},
}
cfg.Security.AutoIssueCert = true
cfg.Security.CACert = "testcert"
cfg.Security.CertSpec.ValidityPeriod = 0
},
expect: func(t *testing.T, err error) {
assert := assert.New(t)
assert.EqualError(err, "certSpec requires parameter validityPeriod")
},
},
}

for _, tc := range tests {
12 changes: 0 additions & 12 deletions client/config/testdata/config/daemon.yaml
Expand Up @@ -175,18 +175,6 @@ proxy:
reload:
interval: 3m0s

security:
autoIssueCert: true
caCert: -----BEGIN CERTIFICATE-----
tlsVerify: true
tlsPolicy: force
certSpec:
dnsNames:
- foo
ipAddresses:
- 0.0.0.0
validityPeriod: 1s

network:
enableIPv6: true
