From 42af4688a46fa861bf1dee9966fae01f1bc4b533 Mon Sep 17 00:00:00 2001
From: "kevin.qiao"
Date: Thu, 21 Sep 2023 00:03:46 +0800
Subject: [PATCH] support storage ssl (#286)

---
 apis/apps/v1alpha1/nebulacluster.go          |  6 ++++++
 apis/apps/v1alpha1/nebulacluster_graphd.go   |  1 +
 apis/apps/v1alpha1/nebulacluster_metad.go    |  1 +
 apis/apps/v1alpha1/nebulacluster_storaged.go |  1 +
 pkg/controller/component/metad_cluster.go    |  2 +-
 pkg/controller/component/storaged_cluster.go |  4 ++--
 pkg/controller/component/storaged_scaler.go  |  4 ++--
 pkg/controller/component/storaged_updater.go |  2 +-
 .../nebularestore/nebula_restore_manager.go  |  2 +-
 pkg/nebula/client.go                         |  6 +++++-
 pkg/nebula/options.go                        | 20 ++++++++++++++++++-
 11 files changed, 40 insertions(+), 9 deletions(-)

diff --git a/apis/apps/v1alpha1/nebulacluster.go b/apis/apps/v1alpha1/nebulacluster.go
index d6d7f087..bb585736 100644
--- a/apis/apps/v1alpha1/nebulacluster.go
+++ b/apis/apps/v1alpha1/nebulacluster.go
@@ -141,6 +141,12 @@ func (nc *NebulaCluster) IsClusterSSLEnabled() bool {
 		nc.Spec.Storaged.Config["enable_ssl"] == "true"
 }
 
+func (nc *NebulaCluster) IsStoragedSSLEnabled() bool {
+	return nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" &&
+		nc.Spec.Metad.Config["enable_storage_ssl"] == "true" &&
+		nc.Spec.Storaged.Config["enable_storage_ssl"] == "true"
+}
+
 func (nc *NebulaCluster) IsZoneEnabled() bool {
 	return nc.Spec.Metad.Config["zone_list"] != ""
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_graphd.go b/apis/apps/v1alpha1/nebulacluster_graphd.go
index b42c9401..338249df 100644
--- a/apis/apps/v1alpha1/nebulacluster_graphd.go
+++ b/apis/apps/v1alpha1/nebulacluster_graphd.go
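Review bot: IsStoragedSSLEnabled requires enable_storage_ssl to be "true" on graphd, metad and storaged alike, so a spec that sets it on some components only is reported as storage SSL off, and ClientOptions in this patch then hands the operator plain-socket options for that cluster; whether the dial fails cleanly in that case cannot be seen here. The three-way AND appears to match what IsClusterSSLEnabled does in the context lines just above, so it is consistent, but the partial-config case is silent and deserves to be stated. A doc comment would make the contract explicit: `// IsStoragedSSLEnabled reports whether enable_storage_ssl is "true" on graphd, metad and storaged alike; a partial setting counts as disabled.` Rejecting mixed settings at validation time would be safer than treating them as off.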
@@ -89,6 +89,7 @@ func (c *graphdComponent) GetDataStorageResources() (*corev1.ResourceRequirement
 func (c *graphdComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Graphd.Config["enable_graph_ssl"] == "true" ||
 		c.nc.Spec.Graphd.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Graphd.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Graphd.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_metad.go b/apis/apps/v1alpha1/nebulacluster_metad.go
index bf8172f9..a603e3ec 100644
--- a/apis/apps/v1alpha1/nebulacluster_metad.go
+++ b/apis/apps/v1alpha1/nebulacluster_metad.go
@@ -106,6 +106,7 @@ func (c *metadComponent) GetDataStorageResources() (*corev1.ResourceRequirements
 
 func (c *metadComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Metad.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Metad.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Metad.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }
diff --git a/apis/apps/v1alpha1/nebulacluster_storaged.go b/apis/apps/v1alpha1/nebulacluster_storaged.go
index df1d175e..66f73a72 100644
--- a/apis/apps/v1alpha1/nebulacluster_storaged.go
+++ b/apis/apps/v1alpha1/nebulacluster_storaged.go
@@ -107,6 +107,7 @@ func (c *storagedComponent) GetDataStorageResources() (*corev1.ResourceRequireme
 
 func (c *storagedComponent) IsSSLEnabled() bool {
 	return (c.nc.Spec.Storaged.Config["enable_meta_ssl"] == "true" ||
+		c.nc.Spec.Storaged.Config["enable_storage_ssl"] == "true" ||
 		c.nc.Spec.Storaged.Config["enable_ssl"] == "true") &&
 		c.nc.Spec.SSLCerts != nil
 }
diff --git a/pkg/controller/component/metad_cluster.go b/pkg/controller/component/metad_cluster.go
index e0148900..c4041eb2 100644
--- a/pkg/controller/component/metad_cluster.go
+++ b/pkg/controller/component/metad_cluster.go
@@ -182,7 +182,7 @@ func (c *metadCluster) syncMetadPVC(nc *v1alpha1.NebulaCluster) error {
 }
 
 func (c *metadCluster) setVersion(nc *v1alpha1.NebulaCluster) error {
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
diff --git a/pkg/controller/component/storaged_cluster.go b/pkg/controller/component/storaged_cluster.go
index e6f7f3ae..6a20c3c5 100644
--- a/pkg/controller/component/storaged_cluster.go
+++ b/pkg/controller/component/storaged_cluster.go
@@ -236,7 +236,7 @@ func (c *storagedCluster) syncStoragedPVC(nc *v1alpha1.NebulaCluster) error {
 }
 
 func (c *storagedCluster) addStorageHosts(nc *v1alpha1.NebulaCluster, oldReplicas, newReplicas int32) error {
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
@@ -280,7 +280,7 @@ func (c *storagedCluster) registeredHosts(mc nebula.MetaInterface) (sets.Set[str
 func (c *storagedCluster) addStorageHostsToZone(nc *v1alpha1.NebulaCluster, newReplicas int32) error {
 	namespace := nc.GetNamespace()
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
diff --git a/pkg/controller/component/storaged_scaler.go b/pkg/controller/component/storaged_scaler.go
index eaf2e3ea..949b1817 100644
--- a/pkg/controller/component/storaged_scaler.go
+++ b/pkg/controller/component/storaged_scaler.go
@@ -76,7 +76,7 @@ func (ss *storageScaler) ScaleOut(nc *v1alpha1.NebulaCluster) error {
 		return nil
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
@@ -126,7 +126,7 @@ func (ss *storageScaler) ScaleIn(nc *v1alpha1.NebulaCluster, oldReplicas, newRep
 		return err
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
diff --git a/pkg/controller/component/storaged_updater.go b/pkg/controller/component/storaged_updater.go
index add0568e..92f35d31 100644
--- a/pkg/controller/component/storaged_updater.go
+++ b/pkg/controller/component/storaged_updater.go
@@ -90,7 +90,7 @@ func (s *storagedUpdater) Update(
 		return err
 	}
 
-	options, err := nebula.ClientOptions(nc)
+	options, err := nebula.ClientOptions(nc, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
diff --git a/pkg/controller/nebularestore/nebula_restore_manager.go b/pkg/controller/nebularestore/nebula_restore_manager.go
index 4970e659..3a27f6af 100644
--- a/pkg/controller/nebularestore/nebula_restore_manager.go
+++ b/pkg/controller/nebularestore/nebula_restore_manager.go
@@ -146,7 +146,7 @@ func (rm *restoreManager) syncRestoreProcess(rt *v1alpha1.NebulaRestore) error {
 		return err
 	}
 
-	options, err := nebula.ClientOptions(original)
+	options, err := nebula.ClientOptions(original, nebula.SetIsMeta(true))
 	if err != nil {
 		return err
 	}
diff --git a/pkg/nebula/client.go b/pkg/nebula/client.go
index 67dc69c6..b7279486 100644
--- a/pkg/nebula/client.go
+++ b/pkg/nebula/client.go
@@ -34,7 +34,11 @@ func buildClientTransport(endpoint string, options ...Option) (thrift.Transport,
 	var err error
 	var sock thrift.Transport
 
-	tlsEnabled := opts.EnableClusterTLS || (opts.EnableMetaTLS && !opts.IsStorage)
+	tlsEnabled := opts.EnableClusterTLS ||
+		(opts.EnableMetaTLS && opts.EnableStorageTLS) ||
+		(opts.EnableMetaTLS && !opts.IsStorage) ||
+		(opts.EnableStorageTLS && !opts.IsMeta)
+
 	if tlsEnabled {
 		sock, err = thrift.NewSSLSocketTimeout(endpoint, opts.TLSConfig, opts.Timeout)
 	} else {
diff --git a/pkg/nebula/options.go b/pkg/nebula/options.go
index 0870ff11..57a90878 100644
--- a/pkg/nebula/options.go
+++ b/pkg/nebula/options.go
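Review bot: The new tlsEnabled expression in buildClientTransport gives IsMeta and IsStorage no exclusive meaning: with neither selector set, the third and fourth terms turn TLS on whenever either component flag is set, and with both set only the first two terms can, yet nothing in the hunk says which of these cases a caller may rely on. Every call site touched by this patch passes SetIsMeta(true), which suggests the neither-set case is meant to be unreachable; if so, say it, or better collapse the two booleans into a single target selector so the mixed cases cannot be expressed. At minimum a comment above the assignment: `// cluster-wide SSL always dials TLS; otherwise use the flag of the component being dialled (IsMeta/IsStorage); with no selector set, any enabled component flag forces TLS.` Nothing in the hunk shows how opts.TLSConfig is built, so whether the storaged dial verifies the server certificate against Spec.SSLCerts is not reviewable here. buildClientTransport continues beyond the hunk.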
@@ -34,15 +34,17 @@ type Option func(ops *Options)
 
 type Options struct {
 	EnableMetaTLS    bool
+	EnableStorageTLS bool
 	EnableClusterTLS bool
 	IsStorage        bool
+	IsMeta           bool
 	Timeout          time.Duration
 	TLSConfig        *tls.Config
 }
 
 func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error) {
 	options := []Option{SetTimeout(DefaultTimeout)}
-	if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() {
+	if !nc.IsMetadSSLEnabled() && !nc.IsClusterSSLEnabled() && !nc.IsStoragedSSLEnabled() {
 		return options, nil
 	}
 	if nc.Spec.SSLCerts == nil {
@@ -53,6 +55,10 @@ func ClientOptions(nc *v1alpha1.NebulaCluster, opts ...Option) ([]Option, error)
 		options = append(options, SetMetaTLS(true))
 		klog.Infof("cluster [%s/%s] metad SSL enabled", nc.Namespace, nc.Name)
 	}
+	if nc.IsStoragedSSLEnabled() && !nc.IsClusterSSLEnabled() {
+		options = append(options, SetStorageTLS(true))
+		klog.Infof("cluster [%s/%s] storaged SSL enabled", nc.Namespace, nc.Name)
+	}
 	if nc.IsClusterSSLEnabled() {
 		options = append(options, SetClusterTLS(true))
 		klog.Infof("cluster [%s/%s] SSL enabled", nc.Namespace, nc.Name)
@@ -105,12 +111,24 @@ func SetMetaTLS(e bool) Option {
 	}
 }
 
+func SetStorageTLS(e bool) Option {
+	return func(options *Options) {
+		options.EnableStorageTLS = e
+	}
+}
+
 func SetClusterTLS(e bool) Option {
 	return func(options *Options) {
 		options.EnableClusterTLS = e
 	}
 }
 
+func SetIsMeta(e bool) Option {
+	return func(options *Options) {
+		options.IsMeta = e
+	}
+}
+
 func SetIsStorage(e bool) Option {
 	return func(options *Options) {
 		options.IsStorage = e
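Review bot: The exported Options fields EnableStorageTLS and IsMeta are added without doc comments, and because client.go in this patch combines them with the existing flags in a non-obvious way, their meaning belongs on the struct rather than in the reader's head. Suggested field comments: `IsMeta bool // target is metad: EnableStorageTLS alone does not turn TLS on`, `IsStorage bool // target is storaged: EnableMetaTLS alone does not turn TLS on`, and `EnableStorageTLS bool // dial storaged with TLS; set when enable_storage_ssl is on for every component`. Whether IsMeta and IsStorage are meant to be mutually exclusive should be stated there too, since nothing enforces it. The body of SetIsStorage runs past the end of the hunk.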