diff --git a/apis/apps/v1alpha1/nebulacluster.go b/apis/apps/v1alpha1/nebulacluster.go
index d6d7f087..bb585736 100644
--- a/apis/apps/v1alpha1/nebulacluster.go
+++ b/apis/apps/v1alpha1/nebulacluster.go
@@ -141,6 +141,12 @@ func (nc *NebulaCluster) IsClusterSSLEnabled() bool {
 nc.Spec.Storaged.Config["enable_ssl"] == "true"
 }
+func (nc *NebulaCluster) IsStoragedSSLEnabled() bool {
+ return nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" &&
+ nc.Spec.Metad.Config["enable_storage_ssl"] == "true" &&
+ nc.Spec.Storaged.Config["enable_storage_ssl"] == "true"
+}
+
 func (nc *NebulaCluster) IsZoneEnabled() bool {
 return nc.Spec.Metad.Config["zone_list"] != ""
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_graphd.go b/apis/apps/v1alpha1/nebulacluster_graphd.go
index 7eb11311..502cdc9e 100644
--- a/apis/apps/v1alpha1/nebulacluster_graphd.go
+++ b/apis/apps/v1alpha1/nebulacluster_graphd.go
@@ -91,6 +91,7 @@ func (c *graphdComponent) GetDataStorageResources() (*corev1.ResourceRequirement
 func (c *graphdComponent) IsSSLEnabled() bool {
 return (c.nc.Spec.Graphd.Config["enable_graph_ssl"] == "true" ||
 c.nc.Spec.Graphd.Config["enable_meta_ssl"] == "true" ||
+ c.nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" ||
 c.nc.Spec.Graphd.Config["enable_ssl"] == "true") &&
 c.nc.Spec.SSLCerts != nil
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_metad.go b/apis/apps/v1alpha1/nebulacluster_metad.go
index 9a0adea1..a6f52d29 100644
--- a/apis/apps/v1alpha1/nebulacluster_metad.go
+++ b/apis/apps/v1alpha1/nebulacluster_metad.go
@@ -108,6 +108,7 @@ func (c *metadComponent) GetDataStorageResources() (*corev1.ResourceRequirements
 func (c *metadComponent) IsSSLEnabled() bool {
 return (c.nc.Spec.Metad.Config["enable_meta_ssl"] == "true" ||
+ c.nc.Spec.Metad.Config["enable_storage_ssl"] == "true" ||
 c.nc.Spec.Metad.Config["enable_ssl"] == "true") &&
 c.nc.Spec.SSLCerts != nil
 }
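Review bot: `IsStoragedSSLEnabled` is exported without a doc comment, and its rule is stricter than anything else in this commit: it is true only when graphd, metad and storaged all carry `enable_storage_ssl: "true"`, whereas the per-component `IsSSLEnabled` methods edited in the next two hunks fire on any one flag and additionally require `Spec.SSLCerts`. Since `pkg/nebula/options.go` keys the operator's own storaged-facing transports on this method, a partial rollout (only storaged carrying the flag, say) leaves the operator dialing that storaged in plaintext, which presumably fails the handshake rather than downgrading, but it is exactly the misconfiguration the doc comment should name. Suggested: `// IsStoragedSSLEnabled reports whether enable_storage_ssl is "true" on graphd, metad and storaged alike; a partial setting counts as disabled.`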
diff --git a/apis/apps/v1alpha1/nebulacluster_storaged.go b/apis/apps/v1alpha1/nebulacluster_storaged.go
index 23f1b2ef..ac7227e3 100644
--- a/apis/apps/v1alpha1/nebulacluster_storaged.go
+++ b/apis/apps/v1alpha1/nebulacluster_storaged.go
@@ -109,6 +109,7 @@ func (c *storagedComponent) GetDataStorageResources() (*corev1.ResourceRequireme
 func (c *storagedComponent) IsSSLEnabled() bool {
 return (c.nc.Spec.Storaged.Config["enable_meta_ssl"] == "true" ||
+ c.nc.Spec.Storaged.Config["enable_storage_ssl"] == "true" ||
 c.nc.Spec.Storaged.Config["enable_ssl"] == "true") &&
 c.nc.Spec.SSLCerts != nil
 }
diff --git a/pkg/controller/component/metad_cluster.go b/pkg/controller/component/metad_cluster.go
index 1186ad2a..ed114c4d 100644
--- a/pkg/controller/component/metad_cluster.go
+++ b/pkg/controller/component/metad_cluster.go
@@ -174,7 +174,7 @@ func (c *metadCluster) syncMetadConfigMap(nc *v1alpha1.NebulaCluster) (*corev1.C
 }
 func (c *metadCluster) setVersion(nc *v1alpha1.NebulaCluster) error {
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
diff --git a/pkg/controller/component/storaged_cluster.go b/pkg/controller/component/storaged_cluster.go
index 5cd4108d..8bc499eb 100644
--- a/pkg/controller/component/storaged_cluster.go
+++ b/pkg/controller/component/storaged_cluster.go
@@ -228,7 +228,7 @@ func (c *storagedCluster) syncStoragedConfigMap(nc *v1alpha1.NebulaCluster) (*co
 }
 func (c *storagedCluster) addStorageHosts(nc *v1alpha1.NebulaCluster, oldReplicas, newReplicas int32) error {
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
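Review bot: The metad role is now something every call site has to remember: with the new `tlsEnabled` rule in `pkg/nebula/client.go`, a `ClientOptions` caller that omits `nebula.SetIsMeta(true)` is treated as a non-meta client and starts a TLS handshake to metad as soon as `enable_storage_ssl` is on, so any metad-facing caller not touched by this commit changes behaviour once storaged-only SSL is configured. The identical edit is repeated in the `storaged_cluster.go` hunks, both `storaged_scaler.go` hunks, `storaged_updater.go` and `nebula_restore_manager.go`. A single `nebula.MetaClientOptions(nc)` wrapper, or having `ClientOptions` set `IsMeta` unless `SetIsStorage(true)` is supplied, would keep the role from being forgotten. `setVersion`'s body continues past the hunk.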
@@ -272,7 +272,7 @@ func (c *storagedCluster) registeredHosts(mc nebula.MetaInterface) (sets.Set[str
 func (c *storagedCluster) addStorageHostsToZone(nc *v1alpha1.NebulaCluster, newReplicas int32) error {
 namespace := nc.GetNamespace()
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
diff --git a/pkg/controller/component/storaged_scaler.go b/pkg/controller/component/storaged_scaler.go
index eaf2e3ea..949b1817 100644
--- a/pkg/controller/component/storaged_scaler.go
+++ b/pkg/controller/component/storaged_scaler.go
@@ -76,7 +76,7 @@ func (ss *storageScaler) ScaleOut(nc *v1alpha1.NebulaCluster) error {
 return nil
 }
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
@@ -126,7 +126,7 @@ func (ss *storageScaler) ScaleIn(nc *v1alpha1.NebulaCluster, oldReplicas, newRep
 return err
 }
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
diff --git a/pkg/controller/component/storaged_updater.go b/pkg/controller/component/storaged_updater.go
index add0568e..92f35d31 100644
--- a/pkg/controller/component/storaged_updater.go
+++ b/pkg/controller/component/storaged_updater.go
@@ -90,7 +90,7 @@ func (s *storagedUpdater) Update(
 return err
 }
- options, err := nebula.ClientOptions(nc)
+ options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
diff --git a/pkg/controller/nebularestore/nebula_restore_manager.go b/pkg/controller/nebularestore/nebula_restore_manager.go
index 4970e659..3a27f6af 100644
--- a/pkg/controller/nebularestore/nebula_restore_manager.go
+++ b/pkg/controller/nebularestore/nebula_restore_manager.go
@@ -146,7 +146,7 @@ func (rm *restoreManager) syncRestoreProcess(rt *v1alpha1.NebulaRestore) error {
 return err
 }
- options, err := nebula.ClientOptions(original)
+ options, err := nebula.ClientOptions(original, nebula.SetIsMeta(true))
 if err != nil {
 return err
 }
diff --git a/pkg/nebula/client.go b/pkg/nebula/client.go
index 67dc69c6..b7279486 100644
--- a/pkg/nebula/client.go
+++ b/pkg/nebula/client.go
@@ -34,7 +34,11 @@ func buildClientTransport(endpoint string, options ...Option) (thrift.Transport,
 var err error
 var sock thrift.Transport
- tlsEnabled := opts.EnableClusterTLS || (opts.EnableMetaTLS && !opts.IsStorage)
+ tlsEnabled := opts.EnableClusterTLS ||
+ (opts.EnableMetaTLS && opts.EnableStorageTLS) ||
+ (opts.EnableMetaTLS && !opts.IsStorage) ||
+ (opts.EnableStorageTLS && !opts.IsMeta)
+
 if tlsEnabled {
 sock, err = thrift.NewSSLSocketTimeout(endpoint, opts.TLSConfig, opts.Timeout)
 } else {
diff --git a/pkg/nebula/options.go b/pkg/nebula/options.go
index 0870ff11..57a90878 100644
--- a/pkg/nebula/options.go
+++ b/pkg/nebula/options.go
@@ -34,15 +34,17 @@ type Option func(ops *Options)
 type Options struct {
 EnableMetaTLS bool
+ EnableStorageTLS bool
 EnableClusterTLS bool
 IsStorage bool
+ IsMeta bool
 Timeout time.Duration
 TLSConfig *tls.Config
 }
 func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error) {
 options := []Option{SetTimeout(DefaultTimeout)}
- if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() {
+ if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() && !nc.IsStoragedSSLEnabled() {
 return options, nil
 }
 if nc.Spec.SSLCerts == nil {
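Review bot: The second disjunct `(opts.EnableMetaTLS && opts.EnableStorageTLS)` in the new `tlsEnabled` expression is only decisive when `IsMeta` and `IsStorage` are both set, since with either role flag clear one of the two role-specific terms already holds; as written it quietly accepts a client that claims both roles, which looks like a caller bug rather than a state worth supporting. Either drop it so the expression reads `tlsEnabled := opts.EnableClusterTLS || (opts.EnableMetaTLS && !opts.IsStorage) || (opts.EnableStorageTLS && !opts.IsMeta)`, or keep it and say why in a comment. A one-line comment above the expression stating the rule in words (cluster-wide TLS always; meta TLS for non-storage clients; storage TLS for non-meta clients) would also help, because with both role flags at their zero value an unlabeled client now gets TLS whenever either per-service flag is on. `buildClientTransport` continues outside the hunk.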
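Review bot: The new exported fields `EnableStorageTLS` and `IsMeta` on `Options` have no doc comments, and neither do the exported setters `SetStorageTLS` and `SetIsMeta` added in the `@@ -105,12 +111,24 @@` hunk. `IsMeta` and `IsStorage` are two independent booleans that `buildClientTransport` appears to treat as mutually exclusive roles, so that constraint belongs on the type: `// IsMeta marks the client as metad-facing; set at most one of IsMeta and IsStorage.` and `// EnableStorageTLS enables TLS for storaged-facing clients (see buildClientTransport).`. The `ClientOptions` body continues past the hunk.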
@@ -53,6 +55,10 @@ func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error)
 options = append(options, SetMetaTLS(true))
 klog.Infof("cluster [%s/%s] metad SSL enabled", nc.Namespace, nc.Name)
 }
+ if nc.IsStoragedSSLEnabled() && !nc.IsClusterSSLEnabled() {
+ options = append(options, SetStorageTLS(true))
+ klog.Infof("cluster [%s/%s] storaged SSL enabled", nc.Namespace, nc.Name)
+ }
 if nc.IsClusterSSLEnabled() {
 options = append(options, SetClusterTLS(true))
 klog.Infof("cluster [%s/%s] SSL enabled", nc.Namespace, nc.Name)
@@ -105,12 +111,24 @@ func SetMetaTLS(e bool) Option {
 }
 }
+func SetStorageTLS(e bool) Option {
+ return func(options *Options) {
+ options.EnableStorageTLS = e
+ }
+}
+
 func SetClusterTLS(e bool) Option {
 return func(options *Options) {
 options.EnableClusterTLS = e
 }
 }
+func SetIsMeta(e bool) Option {
+ return func(options *Options) {
+ options.IsMeta = e
+ }
+}
+
 func SetIsStorage(e bool) Option {
 return func(options *Options) {
 options.IsStorage = e
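Review bot: The new `klog.Infof("cluster [%s/%s] storaged SSL enabled", ...)` line fires on every `ClientOptions` call, and this commit routes every metad-facing reconcile path through `ClientOptions`, so the message repeats on each loop rather than marking a state change. It mirrors the existing metad line directly above it, but for a line being added now it is worth lowering to `klog.V(4).Infof(...)` or emitting it once when the TLS option set is first derived. `ClientOptions` starts and ends outside the hunk.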