[#1170] morph: Support mTLS
Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
parent
68ac490729
commit
42ecc2f2b9
5 changed files with 40 additions and 10 deletions
2
go.mod
2
go.mod
|
@ -127,3 +127,5 @@ require (
|
||||||
lukechampine.com/blake3 v1.2.1 // indirect
|
lukechampine.com/blake3 v1.2.1 // indirect
|
||||||
rsc.io/tmplfunc v0.0.3 // indirect
|
rsc.io/tmplfunc v0.0.3 // indirect
|
||||||
)
|
)
|
||||||
|
|
||||||
|
replace github.com/nspcc-dev/neo-go => git.frostfs.info/TrueCloudLab/neoneo-go v0.106.1-0.20240611123832-594f716b3d18
|
||||||
|
|
BIN
go.sum
BIN
go.sum
Binary file not shown.
|
@ -141,7 +141,7 @@ func New(ctx context.Context, key *keys.PrivateKey, opts ...Option) (*Client, er
|
||||||
} else {
|
} else {
|
||||||
var endpoint Endpoint
|
var endpoint Endpoint
|
||||||
for cli.endpoints.curr, endpoint = range cli.endpoints.list {
|
for cli.endpoints.curr, endpoint = range cli.endpoints.list {
|
||||||
cli.client, act, err = cli.newCli(ctx, endpoint.Address)
|
cli.client, act, err = cli.newCli(ctx, endpoint)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
cli.logger.Warn(logs.FrostFSIRCouldntCreateRPCClientForEndpoint,
|
cli.logger.Warn(logs.FrostFSIRCouldntCreateRPCClientForEndpoint,
|
||||||
zap.Error(err), zap.String("endpoint", endpoint.Address))
|
zap.Error(err), zap.String("endpoint", endpoint.Address))
|
||||||
|
@ -162,10 +162,15 @@ func New(ctx context.Context, key *keys.PrivateKey, opts ...Option) (*Client, er
|
||||||
return cli, nil
|
return cli, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) newCli(ctx context.Context, endpoint string) (*rpcclient.WSClient, *actor.Actor, error) {
|
func (c *Client) newCli(ctx context.Context, endpoint Endpoint) (*rpcclient.WSClient, *actor.Actor, error) {
|
||||||
cli, err := rpcclient.NewWS(ctx, endpoint, rpcclient.WSOptions{
|
cfg, err := endpoint.MTLSConfig.parse()
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("read mtls certificates: %w", err)
|
||||||
|
}
|
||||||
|
cli, err := rpcclient.NewWS(ctx, endpoint.Address, rpcclient.WSOptions{
|
||||||
Options: rpcclient.Options{
|
Options: rpcclient.Options{
|
||||||
DialTimeout: c.cfg.dialTimeout,
|
DialTimeout: c.cfg.dialTimeout,
|
||||||
|
TLSClientConfig: cfg,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
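Review bot: newCli now (re)loads the endpoint's mTLS material on every call, and it is called from the endpoint loop in New in this section and from the reconnect paths in SwitchRPC, so the certificate files are read on each connection attempt; the wrapped error text ("read mtls certificates") indicates the paths are read at that point, though TLSClientConfig itself is not on the page. That is a defensible property (rotated certificates are picked up on the next reconnect, an unreadable file fails that endpoint rather than the process), but nothing records it; a comment such as `// newCli dials endpoint over WebSocket, loading its mTLS certificates on every call so that a reconnect picks up rotated files and fails if they cannot be read.` above the signature would. The body of newCli continues outside the hunk.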
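--- /dev/null
+++ b/pkg/morph/client/mtls.go
@@ -0,0 +1,22 @@
+package client
+
+import (
+	"crypto/tls"
+
+	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
+)
+
+// MTLSConfig represents endpoint mTLS configuration.
+type MTLSConfig struct {
+	TrustedCAList []string
+	KeyFile string
+	CertFile string
+}
+
+func (m *MTLSConfig) parse() (*tls.Config, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return rpcclient.TLSClientConfig(m.TrustedCAList, m.CertFile, m.KeyFile)
+}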
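Review bot: parse short-circuits only on a nil receiver, so a non-nil but zero-valued MTLSConfig (all three fields empty) is handed to rpcclient.TLSClientConfig with empty paths; what that returns depends on the forked neo-go implementation, which is not on the page, and it may well hand back a config with no client certificate instead of an error. A guard before the call, `if (m.CertFile == "") != (m.KeyFile == "") { return nil, errors.New("mtls: CertFile and KeyFile must be set together") }`, makes a half-configured endpoint fail at connect time rather than silently presenting no certificate (it needs an `errors` import). The struct fields and parse also carry no doc comments; the caller's error text says the paths are read as files, so `// TrustedCAList, CertFile and KeyFile are PEM file paths; see rpcclient.TLSClientConfig.` on the struct and `// parse builds the endpoint's TLS client config; a nil receiver yields a nil config, i.e. no client certificate and no CA override.` on the method would spare readers the chase, with the path semantics confirmed against TLSClientConfig.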
|
@ -13,6 +13,7 @@ import (
|
||||||
type Endpoint struct {
|
type Endpoint struct {
|
||||||
Address string
|
Address string
|
||||||
Priority int
|
Priority int
|
||||||
|
MTLSConfig *MTLSConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
type endpoints struct {
|
type endpoints struct {
|
||||||
|
@ -38,11 +39,11 @@ func (c *Client) SwitchRPC(ctx context.Context) bool {
|
||||||
|
|
||||||
// Iterate endpoints in the order of decreasing priority.
|
// Iterate endpoints in the order of decreasing priority.
|
||||||
for c.endpoints.curr = range c.endpoints.list {
|
for c.endpoints.curr = range c.endpoints.list {
|
||||||
newEndpoint := c.endpoints.list[c.endpoints.curr].Address
|
newEndpoint := c.endpoints.list[c.endpoints.curr]
|
||||||
cli, act, err := c.newCli(ctx, newEndpoint)
|
cli, act, err := c.newCli(ctx, newEndpoint)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.logger.Warn(logs.ClientCouldNotEstablishConnectionToTheSwitchedRPCNode,
|
c.logger.Warn(logs.ClientCouldNotEstablishConnectionToTheSwitchedRPCNode,
|
||||||
zap.String("endpoint", newEndpoint),
|
zap.String("endpoint", newEndpoint.Address),
|
||||||
zap.Error(err),
|
zap.Error(err),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -52,7 +53,7 @@ func (c *Client) SwitchRPC(ctx context.Context) bool {
|
||||||
c.cache.invalidate()
|
c.cache.invalidate()
|
||||||
|
|
||||||
c.logger.Info(logs.ClientConnectionToTheNewRPCNodeHasBeenEstablished,
|
c.logger.Info(logs.ClientConnectionToTheNewRPCNodeHasBeenEstablished,
|
||||||
zap.String("endpoint", newEndpoint))
|
zap.String("endpoint", newEndpoint.Address))
|
||||||
|
|
||||||
c.client = cli
|
c.client = cli
|
||||||
c.setActor(act)
|
c.setActor(act)
|
||||||
|
@ -119,7 +120,7 @@ mainLoop:
|
||||||
|
|
||||||
tryE := e.Address
|
tryE := e.Address
|
||||||
|
|
||||||
cli, act, err := c.newCli(ctx, tryE)
|
cli, act, err := c.newCli(ctx, e)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.logger.Warn(logs.ClientCouldNotCreateClientToTheHigherPriorityNode,
|
c.logger.Warn(logs.ClientCouldNotCreateClientToTheHigherPriorityNode,
|
||||||
zap.String("endpoint", tryE),
|
zap.String("endpoint", tryE),
|
||||||
|
|
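Review bot: The new `MTLSConfig *MTLSConfig` field on Endpoint has no comment, and nil is a meaningful value here (New and SwitchRPC pass the endpoint straight to newCli, whose parse call turns a nil config into a nil `*tls.Config`), so a reader has to follow two files to learn that; `MTLSConfig *MTLSConfig // nil: no client certificate or CA override is applied` on the field would make it explicit. In the last hunk `tryE` now survives only for the log lines; `zap.String("endpoint", e.Address)` would let it be dropped, matching what the SwitchRPC hunks already do with `newEndpoint.Address`. The function enclosing the last hunk starts outside it.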