support storage ssl (#286)

vesoft-inc · Sep 20, 2023 · 25253a4 · 25253a4
1 parent 3b7cb00
commit 25253a4
Show file tree

Hide file tree

Showing 11 changed files with 40 additions and 9 deletions.
diff --git a/apis/apps/v1alpha1/nebulacluster.go b/apis/apps/v1alpha1/nebulacluster.go
@@ -141,6 +141,12 @@ func (nc *NebulaCluster) IsClusterSSLEnabled() bool {
 		nc.Spec.Storaged.Config["enable_ssl"] == "true"
 }
 
+func (nc *NebulaCluster) IsStoragedSSLEnabled() bool {
+	return nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" &&
+		nc.Spec.Metad.Config["enable_storage_ssl"] == "true" &&
+		nc.Spec.Storaged.Config["enable_storage_ssl"] == "true"
+}
+
 func (nc *NebulaCluster) IsZoneEnabled() bool {
 	return nc.Spec.Metad.Config["zone_list"] != ""
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_graphd.go b/apis/apps/v1alpha1/nebulacluster_graphd.go
@@ -91,6 +91,7 @@ func (c *graphdComponent) GetDataStorageResources() (*corev1.ResourceRequirement
 func (c *graphdComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Graphd.Config["enable_graph_ssl"] == "true" ||
 		c.nc.Spec.Graphd.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Graphd.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }

diff --git a/apis/apps/v1alpha1/nebulacluster_metad.go b/apis/apps/v1alpha1/nebulacluster_metad.go
@@ -108,6 +108,7 @@ func (c *metadComponent) GetDataStorageResources() (*corev1.ResourceRequirements
 
 func (c *metadComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Metad.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Metad.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Metad.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }

diff --git a/apis/apps/v1alpha1/nebulacluster_storaged.go b/apis/apps/v1alpha1/nebulacluster_storaged.go
@@ -109,6 +109,7 @@ func (c *storagedComponent) GetDataStorageResources() (*corev1.ResourceRequireme
 
 func (c *storagedComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Storaged.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Storaged.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Storaged.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }

diff --git a/pkg/controller/component/metad_cluster.go b/pkg/controller/component/metad_cluster.go
@@ -174,7 +174,7 @@ func (c *metadCluster) syncMetadConfigMap(nc *v1alpha1.NebulaCluster) (*corev1.C
 }
 
 func (c *metadCluster) setVersion(nc *v1alpha1.NebulaCluster) error {
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/component/storaged_cluster.go b/pkg/controller/component/storaged_cluster.go
@@ -228,7 +228,7 @@ func (c *storagedCluster) syncStoragedConfigMap(nc *v1alpha1.NebulaCluster) (*co
 }
 
 func (c *storagedCluster) addStorageHosts(nc *v1alpha1.NebulaCluster, oldReplicas, newReplicas int32) error {
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
@@ -272,7 +272,7 @@ func (c *storagedCluster) registeredHosts(mc nebula.MetaInterface) (sets.Set[str
 
 func (c *storagedCluster) addStorageHostsToZone(nc *v1alpha1.NebulaCluster, newReplicas int32) error {
 	namespace := nc.GetNamespace()
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/component/storaged_scaler.go b/pkg/controller/component/storaged_scaler.go
@@ -76,7 +76,7 @@ func (ss *storageScaler) ScaleOut(nc *v1alpha1.NebulaCluster) error {
 		return nil
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
@@ -126,7 +126,7 @@ func (ss *storageScaler) ScaleIn(nc *v1alpha1.NebulaCluster, oldReplicas, newRep
 		return err
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/component/storaged_updater.go b/pkg/controller/component/storaged_updater.go
@@ -90,7 +90,7 @@ func (s *storagedUpdater) Update(
 		return err
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/nebularestore/nebula_restore_manager.go b/pkg/controller/nebularestore/nebula_restore_manager.go
@@ -146,7 +146,7 @@ func (rm *restoreManager) syncRestoreProcess(rt *v1alpha1.NebulaRestore) error {
 		return err
 	}
 
-	options, err := nebula.ClientOptions(original)
+	options, err := nebula.ClientOptions(original, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/nebula/client.go b/pkg/nebula/client.go
@@ -34,7 +34,11 @@ func buildClientTransport(endpoint string, options ...Option) (thrift.Transport,
 
 	var err error
 	var sock thrift.Transport
-	tlsEnabled := opts.EnableClusterTLS || (opts.EnableMetaTLS && !opts.IsStorage)
+	tlsEnabled := opts.EnableClusterTLS ||
+		(opts.EnableMetaTLS && opts.EnableStorageTLS) ||
+		(opts.EnableMetaTLS && !opts.IsStorage) ||
+		(opts.EnableStorageTLS && !opts.IsMeta)
+
 	if tlsEnabled {
 		sock, err = thrift.NewSSLSocketTimeout(endpoint, opts.TLSConfig, opts.Timeout)
 	} else {

diff --git a/pkg/nebula/options.go b/pkg/nebula/options.go
@@ -34,15 +34,17 @@ type Option func(ops *Options)
 
 type Options struct {
 	EnableMetaTLS    bool
+	EnableStorageTLS bool
 	EnableClusterTLS bool
 	IsStorage        bool
+	IsMeta           bool
 	Timeout          time.Duration
 	TLSConfig        *tls.Config
 }
 
 func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error) {
 	options := []Option{SetTimeout(DefaultTimeout)}
-	if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() {
+	if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() && !nc.IsStoragedSSLEnabled() {
 		return options, nil
 	}
 	if nc.Spec.SSLCerts == nil {
@@ -53,6 +55,10 @@ func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error)
 		options = append(options, SetMetaTLS(true))
 		klog.Infof("cluster [%s/%s] metad SSL enabled", nc.Namespace, nc.Name)
 	}
+	if nc.IsStoragedSSLEnabled() && !nc.IsClusterSSLEnabled() {
+		options = append(options, SetStorageTLS(true))
+		klog.Infof("cluster [%s/%s] storaged SSL enabled", nc.Namespace, nc.Name)
+	}
 	if nc.IsClusterSSLEnabled() {
 		options = append(options, SetClusterTLS(true))
 		klog.Infof("cluster [%s/%s] SSL enabled", nc.Namespace, nc.Name)
@@ -105,12 +111,24 @@ func SetMetaTLS(e bool) Option {
 	}
 }
 
+func SetStorageTLS(e bool) Option {
+	return func(options *Options) {
+		options.EnableStorageTLS = e
+	}
+}
+
 func SetClusterTLS(e bool) Option {
 	return func(options *Options) {
 		options.EnableClusterTLS = e
 	}
 }
 
+func SetIsMeta(e bool) Option {
+	return func(options *Options) {
+		options.IsMeta = e
+	}
+}
+
 func SetIsStorage(e bool) Option {
 	return func(options *Options) {
 		options.IsStorage = e