feat: support xds certificate #1945

Merged
merged 18 commits into from
Sep 23, 2022

Conversation

ZLBer (Contributor) commented Jun 27, 2022

What this PR does:
Support xDS certificates: fetch the cert in agent mode or no-agent mode, and use it for RPC TLS and xDS TLS.

Which issue(s) this PR fixes:
Fixes #1808

You should pay attention to the items below to ensure your PR passes our CI tests.
We do not merge PRs with failed CI tests.

  • All unit tests pass (run 'go test ./...' in the project root).
  • After go fmt, run 'go fmt project' using GoLand.
  • golangci-lint passes; run 'sudo golangci-lint run' in the project root.
  • Imports are formatted (use imports-formatter: run 'imports-formatter .' in the project root to format your import blocks, as mentioned in CONTRIBUTING.md above).
  • Your newly created files have the Apache license at the top, like the other existing files do.
  • All integration tests pass. You can run the integration tests locally (with a Docker environment): clone our dubbo-go-samples project, replace the go.mod to point at your dubbo-go, and run 'sudo sh start_integration_test.sh' at the root of the samples project. (M1 is not supported.)

AlexStocks (Contributor) commented:

If you have finished your work, please delete the 'WIP'.

@ZLBer ZLBer changed the title [WIP]feat: support xds certificate feat: support xds certificate Jul 18, 2022
ZLBer (Contributor, Author) commented Jul 18, 2022

@LaurenceLiZhixin @AlexStocks please review this PR, thanks.

@AlexStocks AlexStocks changed the base branch from master to 3.0 July 20, 2022 04:45
AlexStocks (Contributor) commented:

Please fix the CI failure.

ZLBer (Contributor, Author) commented Jul 31, 2022

How do I fix this check error?
[screenshot of the failing CI check]

LaurenceLiZhixin (Contributor) commented:

@ZLBer Before committing, run import-formatter to fix up the code.

% import-formatter .

https://github.com/dubbogo/tools#5-how-to-get-imports-formatter

ZLBer (Contributor, Author) commented Jul 31, 2022

@LaurenceLiZhixin Fixed.

AlexStocks (Contributor) commented:

@ZLBer Too bad, the CI still failed.

ZLBer (Contributor, Author) commented Jul 31, 2022

Why can't it find this package?
[screenshot of the CI error]

codecov-commenter commented Aug 2, 2022

Codecov Report

Merging #1945 (9eae05e) into 3.0 (b7e3483) will decrease coverage by 0.48%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##              3.0    #1945      +/-   ##
==========================================
- Coverage   45.00%   44.52%   -0.49%     
==========================================
  Files         287      281       -6     
  Lines       17135    16826     -309     
==========================================
- Hits         7711     7491     -220     
+ Misses       8608     8543      -65     
+ Partials      816      792      -24     
Impacted Files Coverage Δ
xds/client/bootstrap/bootstrap.go 59.11% <0.00%> (ø)
xds/utils/credentials/xds/handshake_info.go 41.46% <ø> (ø)
config/config_center_config.go 14.28% <0.00%> (-58.10%) ⬇️
metadata/report/delegate/delegate_report.go 26.49% <0.00%> (-8.61%) ⬇️
filter/token/filter.go 53.12% <0.00%> (-6.88%) ⬇️
cluster/cluster/available/cluster_invoker.go 66.66% <0.00%> (-6.67%) ⬇️
config/provider_config.go 41.53% <0.00%> (-3.47%) ⬇️
metrics/prometheus/reporter.go 30.25% <0.00%> (-3.08%) ⬇️
common/url.go 59.04% <0.00%> (-0.27%) ⬇️
config/graceful_shutdown.go 3.88% <0.00%> (-0.12%) ⬇️
... and 114 more


AlexStocks (Contributor) commented:

Why can't it find this package? [screenshot]

It has been moved to github.com/dubbogo/gost.

thehackercat (Contributor) commented Sep 6, 2022

@ZLBer Good job 👍🏻

Could you give a draft document on how to run this xDS certificate provider and communicate with istiod locally?

ZLBer (Contributor, Author) commented Sep 6, 2022

@thehackercat This doc has an example of how to use it: https://github.com/dubbogo/dubbogo.github.io/blob/master/docs/zh-cn/user/tasks/mesh/dubbogo_certificate_using_istio.md
But at this stage, this function is not well integrated with dubbo-go; we need to obtain the certificate using CertManager manually. It's not friendly.

thehackercat (Contributor) commented Sep 8, 2022

Generally LGTM. It would be better to add some examples to https://github.com/apache/dubbo-go-samples.

For example:

package main

import (
    "context"
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "time"

    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"
    "google.golang.org/grpc/credentials/insecure"
    // Assumed import path for the xDS credentials package; the PR carries its own
    // copy under xds/utils/credentials/xds, which exposes the same API shape.
    "google.golang.org/grpc/credentials/xds"
)

// NewCertManager and CertManager come from the PR's cert manager (xds/credentials/cert_manager.go);
// NewHelloWorldClient and HelloWorldRequest are the sample's generated gRPC code.
// None of them is defined in this snippet.

func main() {
    manager, _ := NewCertManager()
    client(manager)
}

func client(manager CertManager) {
    time.Sleep(time.Second * 2)             // give the manager time to fetch a certificate
    cert, _ := manager.GetCertificate()     // workload certificate chain ([]tls.Certificate)
    root, _ := manager.GetRootCertificate() // trust bundle (*x509.CertPool)

    creds := credentials.NewTLS(&tls.Config{
        ServerName:   "spiffe://cluster.local/ns/default/sa/default",
        Certificates: cert,
        RootCAs:      root,
        // Returning nil here, combined with InsecureSkipVerify below, means the
        // peer certificate is never checked against RootCAs or ServerName.
        VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
            // pass
            return nil
        },
        InsecureSkipVerify: true,
    })
    fmt.Println(creds)
    // xDS-managed credentials with an insecure fallback; built here but not used for the dial below.
    clientCredentials, err := xds.NewClientCredentials(xds.ClientOptions{
        FallbackCreds: insecure.NewCredentials(),
    })
    fmt.Println(clientCredentials, err)
    conn, err := grpc.Dial("127.0.0.1:8000", grpc.WithTransportCredentials(creds))
    if err != nil {
        panic(err)
    }
    defer conn.Close()

    grpcClient := NewHelloWorldClient(conn)

    say, err := grpcClient.SayHelloWorld(context.Background(), &HelloWorldRequest{
        Referer: "hello",
    })
    fmt.Println(say, err)
}
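
The snippet above sets InsecureSkipVerify and returns nil from VerifyPeerCertificate, so the peer is never verified at all. The tls.Config a practitioner would actually want, as an added example that is not code from this PR or from dubbo-go, keeps InsecureSkipVerify only to switch off the hostname comparison (a SPIFFE ID is a URI, not a hostname) and moves verification into the callback: build the presented chain, verify it against the root pool, then require the leaf's URI SAN to equal the expected SPIFFE ID. The names spiffeVerifier, clientTLSConfig and testPKI are this example's own; testPKI generates a constructed root and workload leaf in place of the certificates the cert manager would fetch from istiod.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeVerifier returns a tls.Config.VerifyPeerCertificate callback that verifies the
// presented chain against roots and requires the leaf to carry expectedID as a URI SAN.
// A SPIFFE ID is not a hostname, so this replaces the ServerName check that
// InsecureSkipVerify turns off rather than leaving the peer unverified.
func spiffeVerifier(roots *x509.CertPool, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		chain := make([]*x509.Certificate, len(rawCerts))
		for i, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("parse peer certificate: %w", err)
			}
			chain[i] = c
		}
		intermediates := x509.NewCertPool() // istiod chains may carry an intermediate
		for _, c := range chain[1:] {
			intermediates.AddCert(c)
		}
		// No DNSName here: identity is the URI SAN comparison below, not a hostname.
		opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := chain[0].Verify(opts); err != nil {
			return fmt.Errorf("peer chain not trusted: %w", err)
		}
		for _, u := range chain[0].URIs {
			if u.String() == expectedID {
				return nil
			}
		}
		return fmt.Errorf("peer SPIFFE ID %v does not match %s", chain[0].URIs, expectedID)
	}
}

// clientTLSConfig is the tls.Config to hand to credentials.NewTLS; in practice certs
// and roots would come from the cert manager's GetCertificate/GetRootCertificate.
func clientTLSConfig(certs []tls.Certificate, roots *x509.CertPool, peerID string) *tls.Config {
	return &tls.Config{
		Certificates:          certs,
		RootCAs:               roots,
		InsecureSkipVerify:    true, // only so the callback below owns verification
		VerifyPeerCertificate: spiffeVerifier(roots, peerID),
	}
}

// testPKI builds a constructed root and a leaf it signed whose only identity is the
// SPIFFE URI SAN, the shape of an Istio workload certificate. Test data, not Istio's.
func testPKI(spiffeID string) (ca *x509.Certificate, leafDER []byte, err error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id}, // no CN, no DNS SAN: the SPIFFE ID is the identity
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leafDER, err
}
```

The callback is the only place the peer is checked, so it has to do both halves: chain validation against RootCAs (which InsecureSkipVerify also disables) and the identity match. The same verifier works server-side for mTLS with ClientAuth set to RequireAnyClientCert, where the empty-chain check matters.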

ZLBer (Contributor, Author) commented Sep 8, 2022

@thehackercat Issue fixed, thanks for your review. Next I think we can inject the certificate when the user uses xDS. But the TLS in dubbo-go is not very convenient; I think I can do more about this.

thehackercat (Contributor) commented:

@AlexStocks This PR LGTM, I think it's ready to be merged.

@justxuewei Could you also help take a look at the xds/credentials/cert_manager.go code?

ZLBer (Contributor, Author) commented Sep 13, 2022

@thehackercat Sure, I will add an example to dubbo-go-samples.

justxuewei (Member) commented Sep 18, 2022

@justxuewei Could you also help take a look at the xds/credentials/cert_manager.go code?

OK, I will review the code you mentioned later today.

justxuewei (Member) commented:

There are some slight problems, but most of it looks good to me.

ZLBer (Contributor, Author) commented Sep 20, 2022

@justxuewei All fixed, thanks.

@AlexStocks AlexStocks merged commit 96683b0 into apache:3.0 Sep 23, 2022
Development

Successfully merging this pull request may close these issues.

GSoC 2022: Proxyless Mesh
6 participants