Skip to content

Commit

Permalink
feat: add self-signed certs for mTLS
Browse files Browse the repository at this point in the history
Signed-off-by: Gaius <[email protected]>
  • Loading branch information
gaius-qi committed Oct 16, 2024
1 parent 5ab6450 commit 0126f5e
Show file tree
Hide file tree
Showing 23 changed files with 389 additions and 511 deletions.
114 changes: 71 additions & 43 deletions deploy/docker-compose/template/client.template.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,14 @@ log:

# host is the host configuration for dfdaemon.
host:
## idc is the idc of the host.
# idc is the idc of the host.
idc: ''
## location is the location of the host.
# location is the location of the host.
location: ''
## hostname is the hostname of the host.
# hostname: ""
## ip is the advertise ip of the host.
# # hostname is the hostname of the host.
# hostname: ""
#
# ip is the advertise ip of the host.
ip: __IP__

server:
Expand All @@ -37,17 +38,38 @@ upload:
server:
# port is the port to the grpc server.
port: 4000
## ip is the listen ip of the grpc server.
# ip: ""
# # ip is the listen ip of the grpc server.
# ip: ""
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # GRPC server certificate file path for mTLS.
# cert: /etc/ssl/certs/server.crt
# # GRPC server key file path for mTLS.
# key: /etc/ssl/private/server.pem
#
# # Client configuration for remote peer's upload server.
# client:
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # GRPC client certificate file path for mTLS.
# cert: /etc/ssl/certs/client.crt
# # GRPC client key file path for mTLS.
# key: /etc/ssl/private/client.pem
#
# disableShared indicates whether disable to share data for other peers.
disableShared: false
# rateLimit is the default rate limit of the upload speed in KiB/MiB/GiB per second, default is 10GiB/s.
rateLimit: 10GiB

manager:
# addrs is manager addresses.
addrs:
- http://__IP__:65003
# addr is manager addresses.
addr: http://__IP__:65003
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # GRPC client certificate file path for mTLS.
# cert: /etc/ssl/certs/client.crt
# # GRPC client key file path for mTLS.
# key: /etc/ssl/private/client.pem

scheduler:
# announceInterval is the interval to announce peer to the scheduler.
Expand All @@ -61,6 +83,12 @@ scheduler:
maxScheduleCount: 5
# enableBackToSource indicates whether enable back-to-source download, when the scheduling failed.
enableBackToSource: true
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # GRPC client certificate file path for mTLS.
# cert: /etc/ssl/certs/client.crt
# # GRPC client key file path for mTLS.
# key: /etc/ssl/private/client.pem

dynconfig:
# refreshInterval is the interval to refresh dynamic configuration from manager.
Expand Down Expand Up @@ -93,26 +121,29 @@ proxy:
server:
# port is the port to the proxy server.
port: 4001
## ip is the listen ip of the proxy server.
# ip: ""
## caCert is the root CA cert path with PEM format for the proxy server to generate the server cert.
## If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed.
## When client requests via the proxy, the client should not verify the server cert and set
## insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
## you can use openssl to generate the root CA cert and make the system trust the root CA cert.
## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
## and key, and signs the server cert with the root CA cert. When client requests via the proxy,
## the proxy can intercept the request by the server cert.
# caCert: ""
## caKey is the root CA key path with PEM format for the proxy server to generate the server cert.
## If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed.
## When client requests via the proxy, the client should not verify the server cert and set
## insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
## you can use openssl to generate the root CA cert and make the system trust the root CA cert.
## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
## and key, and signs the server cert with the root CA cert. When client requests via the proxy,
## the proxy can intercept the request by the server cert.
# caKey: ""
# # ip is the listen ip of the proxy server.
# ip: ""
#
# # caCert is the root CA cert path with PEM format for the proxy server to generate the server cert.
# # If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed.
# # When client requests via the proxy, the client should not verify the server cert and set
# # insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
# # you can use openssl to generate the root CA cert and make the system trust the root CA cert.
# # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
# # and key, and signs the server cert with the root CA cert. When client requests via the proxy,
# # the proxy can intercept the request by the server cert.
# caCert: ""
#
# # caKey is the root CA key path with PEM format for the proxy server to generate the server cert.
# # If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed.
# # When client requests via the proxy, the client should not verify the server cert and set
# # insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
# # you can use openssl to generate the root CA cert and make the system trust the root CA cert.
# # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
# # and key, and signs the server cert with the root CA cert. When client requests via the proxy,
# # the proxy can intercept the request by the server cert.
# caKey: ""
#
# rules is the list of rules for the proxy server.
# regex is the regex of the request url.
# useTLS indicates whether use tls for the proxy backend.
Expand All @@ -136,29 +167,26 @@ proxy:
# configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
# of registry mirror.
addr: https://index.docker.io
## certs is the client certs path with PEM format for the registry.
## If registry use self-signed cert, the client should set the
## cert for the registry mirror.
# certs: ""
# # cert is the client cert path with PEM format for the registry.
# # If registry use self-signed cert, the client should set the
# # cert for the registry mirror.
# cert: ""
#
# disableBackToSource indicates whether disable to download back-to-source when download failed.
disableBackToSource: false
# prefetch pre-downloads full of the task when download with range request.
prefetch: false
# readBufferSize is the buffer size for reading piece from disk, default is 32KB.
readBufferSize: 32768

security:
# enable indicates whether enable security.
enable: false

metrics:
server:
# port is the port to the metrics server.
port: 4002
## ip is the listen ip of the metrics server.
# ip: ""
# # ip is the listen ip of the metrics server.
# ip: ""

## tracing is the tracing configuration for dfdaemon.
# # tracing is the tracing configuration for dfdaemon.
# tracing:
## addr is the address to report tracing log.
# addr: ""
# # addr is the address to report tracing log.
# addr: ""
40 changes: 12 additions & 28 deletions deploy/docker-compose/template/manager.template.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,20 @@ server:
advertiseIP: __IP__
# # Listen ip.
# listenIP: 0.0.0.0
#
# Listen port.
port:
start: 65003
end: 65003
# # GRPC server tls configuration.
# tls:
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # Certificate file path for mTLS.
# cert: /etc/ssl/certs/server.crt
# # Key file path for mTLS.
# key: /etc/ssl/private/server.pem
#
# REST server configure
rest:
# REST server address
Expand All @@ -20,6 +30,7 @@ server:
# cert: /etc/ssl/certs/server.crt
# # Key file path.
# key: /etc/ssl/private/server.pem
#
# logDir is the log directory.
# In linux, default value is /var/log/dragonfly.
# In macos(just for testing), default value is /Users/$USER/.dragonfly/logs.
Expand Down Expand Up @@ -70,6 +81,7 @@ database:
# ca: /etc/ssl/certs/ca.pem
# # Whether a client verifies the server's certificate chain and hostname.
# insecureSkipVerify: true
#
# Redis configure.
redis:
# Redis addresses.
Expand Down Expand Up @@ -142,34 +154,6 @@ metrics:
# Enable peer gauge metrics.
enablePeerGauge: true

# Security configuration.
security:
# autoIssueCert indicates to issue client certificates for all grpc call.
# If AutoIssueCert is false, any other option in Security will be ignored.
autoIssueCert: false
# caCert is the CA certificate for all grpc tls handshake, it can be path or PEM format string.
caCert: ''
# caKey is the CA private key, it can be path or PEM format string.
caKey: ''
# tlsPolicy controls the grpc shandshake behaviors:
# force: both ClientHandshake and ServerHandshake are only support tls
# prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
# default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
# Notice: If the drgaonfly service has been deployed, a two-step upgrade is required.
# The first step is to set tlsPolicy to default, and then upgrade the dragonfly services.
# The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services.
tlsPolicy: 'prefer'
certSpec:
# dnsNames is a list of dns names be set on the certificate.
dnsNames:
- 'dragonfly-manager'
- 'dragonfly-manager.dragonfly-system.svc'
- 'dragonfly-manager.dragonfly-system.svc.cluster.local'
# ipAddresses is a list of ip addresses be set on the certificate.
ipAddresses:
# validityPeriod is the validity period of certificate.
validityPeriod: 87600h

# Network configuration.
network:
# Enable ipv6.
Expand Down
80 changes: 32 additions & 48 deletions deploy/docker-compose/template/scheduler.template.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,15 +3,26 @@ server:
# # Access ip for other services,
# # when local ip is different with access ip, advertiseIP should be set.
advertiseIP: __IP__
# # Access port for other services,
# # when local ip is different with access port, advertisePort should be set.
# advertisePort: 8002
# # Listen ip.
# listenIP: 0.0.0.0
# # Access port for other services,
# # when local ip is different with access port, advertisePort should be set.
# advertisePort: 8002
# # Listen ip.
# listenIP: 0.0.0.0
#
# Port is the ip and port scheduler server listens on.
port: 8002
# # GRPC server tls configuration.
# tls:
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # Certificate file path for mTLS.
# cert: /etc/ssl/certs/server.crt
# # Key file path for mTLS.
# key: /etc/ssl/private/server.pem
#
# # Server host.
# host: localhost
#
# logDir is the log directory.
# In linux, default value is /var/log/dragonfly.
# In macos(just for testing), default value is /Users/$USER/.dragonfly/logs.
Expand Down Expand Up @@ -83,22 +94,6 @@ database:
# Redis backend DB.
backendDB: 2

# Resource configuration.
resource:
# Task configuration.
task:
# downloadTiny is the configuration of downloading tiny task by scheduler.
downloadTiny:
# scheme is download tiny task scheme.
scheme: http
# Timeout is http request timeout.
timeout: 1m
# tls is download tiny task TLS configuration.
tls:
# insecureSkipVerify controls whether a client verifies the
# server's certificate chain and hostname.
insecureSkipVerify: true

# Dynamic data configuration.
dynConfig:
# Dynamic config refresh interval.
Expand All @@ -121,13 +116,29 @@ manager:
keepAlive:
# KeepAlive interval.
interval: 5s
# # GRPC client tls configuration.
# tls:
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # Certificate file path for mTLS.
# cert: /etc/ssl/certs/client.crt
# # Key file path for mTLS.
# key: /etc/ssl/private/client.pem

# Seed peer configuration.
seedPeer:
# Scheduler enable seed peer as P2P peer,
# if the value is false, P2P network will not be back-to-source through
# seed peer but by peer and preheat feature does not work.
enable: true
# # GRPC client tls configuration.
# tls:
# # CA certificate file path for mTLS.
# caCert: /etc/ssl/certs/ca.crt
# # Certificate file path for mTLS.
# cert: /etc/ssl/certs/client.crt
# # Key file path for mTLS.
# key: /etc/ssl/private/client.pem

# Machinery async job configuration,
# see https://github.com/RichardKnop/machinery.
Expand Down Expand Up @@ -160,33 +171,6 @@ metrics:
# Enable host metrics.
enableHost: false

security:
# autoIssueCert indicates to issue client certificates for all grpc call.
# If AutoIssueCert is false, any other option in Security will be ignored.
autoIssueCert: false
# caCert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string.
caCert: ''
# tlsVerify indicates to verify certificates.
tlsVerify: false
# tlsPolicy controls the grpc shandshake behaviors:
# force: both ClientHandshake and ServerHandshake are only support tls
# prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
# default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
# Notice: If the drgaonfly service has been deployed, a two-step upgrade is required.
# The first step is to set tlsPolicy to default, and then upgrade the dragonfly services.
# The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services.
tlsPolicy: 'prefer'
certSpec:
# dnsNames is a list of dns names be set on the certificate.
dnsNames:
- 'dragonfly-scheduler'
- 'dragonfly-scheduler.dragonfly-system.svc'
- 'dragonfly-scheduler.dragonfly-system.svc.cluster.local'
# ipAddresses is a list of ip addresses be set on the certificate.
ipAddresses:
# validityPeriod is the validity period of certificate.
validityPeriod: 4320h

network:
# Enable ipv6.
enableIPv6: false
Expand Down
Loading

0 comments on commit 0126f5e

Please sign in to comment.