[#XX] Support TLS for s3-gw

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Release v1.6.4
2024-11-08 12:07:19 +03:00 · 2024-10-03 15:46:39 +03:00 · 2024-09-20 14:10:44 +00:00 · 2024-09-17 14:40:43 +03:00 · 2024-09-17 14:40:43 +03:00 · 2024-09-11 15:06:43 +03:00
24 changed files with 161 additions and 20 deletions
--- a/.env
+++ b/.env
@ -1,3 +1,3 @@
 FROSTFS_HUB_IMAGE=truecloudlab/frostfs
 AIO_IMAGE=truecloudlab/frostfs-aio
-AIO_VERSION=1.5.1
+AIO_VERSION=1.6.4
--- a/7
+++ b/7
@ -1,9 +1,9 @@
 ARG FROSTFS_HUB_IMAGE=truecloudlab/frostfs
 ARG NEOGO_HUB_IMAGE=nspccdev/neo-go

-ARG FROSTFS_CORE_TAG=0.42.12
+ARG FROSTFS_CORE_TAG=0.42.15
 ARG FROSTFS_HTTP_GATE_TAG=0.30.2
-ARG FROSTFS_S3_GATE_TAG=0.30.4
+ARG FROSTFS_S3_GATE_TAG=0.30.7
 ARG NEOGO_TAG=0.106.0

 FROM ${NEOGO_HUB_IMAGE}:${NEOGO_TAG} AS neo-go
@ -46,8 +46,11 @@ COPY ./morph/node-config.yaml /config/node-config.yaml
 COPY ./http-gw/http-gw-config.yaml /config/http-gw-config.yaml
 COPY ./http-gw/http-gw-wallet.json /config/http-gw-wallet.json
 COPY ./s3-gw/rules.json /config/bearer-rules.json
+COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
--- a/Dockerfile.custom
+++ b/Dockerfile.custom
@ -1,9 +1,9 @@
 ARG FROSTFS_HUB_IMAGE=truecloudlab/frostfs
 ARG NEOGO_HUB_IMAGE=nspccdev/neo-go

-ARG FROSTFS_CORE_TAG=0.42.12
+ARG FROSTFS_CORE_TAG=0.42.15
 ARG FROSTFS_HTTP_GATE_TAG=0.30.2
-ARG FROSTFS_S3_GATE_TAG=0.30.4
+ARG FROSTFS_S3_GATE_TAG=0.30.7
 ARG NEOGO_TAG=0.106.0

 FROM ${NEOGO_HUB_IMAGE}:${NEOGO_TAG} AS neo-go
@ -46,8 +46,11 @@ COPY ./morph/node-config.yaml /config/node-config.yaml
 COPY ./http-gw/http-gw-config.yaml /config/http-gw-config.yaml
 COPY ./http-gw/http-gw-wallet.json /config/http-gw-wallet.json
 COPY ./s3-gw/rules.json /config/bearer-rules.json
+COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
--- a/Dockerfile.local
+++ b/Dockerfile.local
@ -18,6 +18,7 @@ COPY ./bin/frostfs-node /usr/bin/frostfs-node
 COPY ./bin/frostfs-s3-gw /usr/bin/frostfs-s3-gw
 COPY ./bin/frostfs-s3-authmate /usr/bin/frostfs-s3-authmate
 COPY ./bin/frostfs-http-gw /usr/bin/frostfs-http-gw
+COPY ./bin/issue-creds.sh /usr/bin/issue-creds.sh

 COPY ./adm/frostfs-adm.yml /config/frostfs-adm.yml
 COPY ./ir/cli-cfg.yaml /config/cli-cfg-ir.yaml
@ -30,8 +31,11 @@ COPY ./morph/node-config.yaml /config/node-config.yaml
 COPY ./http-gw/http-gw-config.yaml /config/http-gw-config.yaml
 COPY ./http-gw/http-gw-wallet.json /config/http-gw-wallet.json
 COPY ./s3-gw/rules.json /config/bearer-rules.json
+COPY ./s3-gw/regions.json /config/regions.json
 COPY ./s3-gw/s3-gw-config.yaml /config/s3-gw-config.yaml
 COPY ./s3-gw/s3-gw-wallet.json /config/s3-gw-wallet.json
+COPY ./s3-gw/s3-gw-tls.crt /config/s3-gw-tls.crt
+COPY ./s3-gw/s3-gw-tls.key /config/s3-gw-tls.key
 COPY ./s3-gw/user-wallet.json /config/user-wallet.json
 COPY ./sn/cli-cfg.yaml /config/cli-cfg-sn.yaml
 COPY ./sn/wallet.json /config/wallet-sn.json
--- a/33
+++ b/33
@ -63,11 +63,19 @@ clean: down

 # Generate S3 credentials
 s3cred:
-	@docker exec aio /usr/bin/issue-creds.sh
+	@docker exec aio /usr/bin/issue-creds.sh s3

 # Generate S3 credentials based on imported wallets
 s3cred-custom:
-	@docker exec aio /usr/bin/issue-creds.sh $(wallet)
+	@docker exec aio /usr/bin/issue-creds.sh s3 $(wallet)
+
+# Register user-wallet.json in FrostFS ID contract
+cred:
+	@docker exec aio /usr/bin/issue-creds.sh native
+
+# Register custom wallet in FrostFS ID contract
+cred-custom:
+	@docker exec aio /usr/bin/issue-creds.sh native $(wallet)

 enable-oracle:
 	@docker exec aio neo-go contract invokefunction -r http://localhost:30333 \
@ -84,6 +92,27 @@ enable-oracle:
 tick.epoch:
 	@docker exec aio /usr/bin/frostfs-adm --config /config/frostfs-adm.yml morph force-new-epoch

+# Create new wallet
+WALLET?=wallets/wallet1.json
+.PHONY: wallet
+wallet:
+	@! test -f "$(WALLET)" || { echo "File exists: $(WALLET)"; exit 1; }
+	@docker exec -it aio /usr/bin/neo-go wallet init -a -w "$(WALLET)"
+
+# Refill GAS in arbitrary WALLET (must be under wallets/ directory)
+GAS?=50.0
+.PHONY: refill
+refill:
+	@docker exec aio /usr/bin/frostfs-adm --config /config/frostfs-adm.yml \
+		morph refill-gas --storage-wallet=/$(WALLET) --gas=$(GAS)
+	@$(MAKE) --no-print-directory balance
+
+# Show wallet balance
+.PHONY: balance
+balance:
+	@echo "Balance for $(WALLET)"
+	@docker exec aio /usr/bin/neo-go wallet nep17 balance -r http://localhost:30333 -w "$(WALLET)"
+
 # Show current version
 version:
 	@echo $(VERSION)
--- a/README.md
+++ b/README.md
@ -62,7 +62,8 @@ Data and the system configuration is stored in container's volume.
 Next time container is started, it will take less time to initialize.

 Before updating image version, reset `frostfs-aio` by clearing its local volume
-before starting container.
+before starting container. Update may contain incompatible changes, e.g. neo-go
+database format update. This repository does not provide any migration tools.

 ```
 $ make clean
@ -287,16 +288,55 @@ If everything is rigth, the stdout will show a pretty-printed contents of the wa
 wallet successfully created, file location is /wallets/new-wallet.json
 ```

+You can use `make wallet WALLET=wallets/new-wallet.json`
+to execute the steps listed above a little faster.
+
+
+### Transfering GAS tokens to wallet
+
+To add GAS to a new wallet use `make refill`
+
+```console
+$ make refill GAS=12.3 WALLET=wallets/new-wallet.json
+Waiting for transactions to persist...
+Balance for wallets/new-wallet.json
+Account NgB6jnyVsMg6E3gQQLXoccZ3JBMLsgiut3
+GAS: GasToken (d2a4cff31913016155e38e474a2c06d08be276cf)
+        Amount : 12.3
+        Updated: 25069
+```
+
+### Checking wallet balance
+
+```console
+$ make balance WALLET=wallets/new-wallet.json
+Balance for wallets/new-wallet.json
+Account NgB6jnyVsMg6E3gQQLXoccZ3JBMLsgiut3
+GAS: GasToken (d2a4cff31913016155e38e474a2c06d08be276cf)
+        Amount : 12.3
+        Updated: 25069
+```
+

 ## frostfs-cli interface

+### Native credentials
+
+To use wallet file, it should be register in FrostFS ID contract and have  
+policies to perform FrostFS operations.
+
+Use `make cred` to register `s3-gw/user-wallet.json`. For custom wallets from
+`wallet` dir, use `make cred-custom wallet=wallet1.json`.
+
+These commands are similar to `make s3cred` and `make s3cred-custom`.
+
 ### Create container with frostfs-cli

 ``` sh
-$ frostfs-cli -r localhost:8080 -w /config/user-wallet.json \
+$ frostfs-cli -r localhost:8080 -w s3-gw/user-wallet.json \
            --address NWeByJPgNC97F83hTUnSbnZSBKaFvk5HNw \
            container create \
-            --policy "REP 1" --basic-acl public-read-write --await
+            --policy "REP 1" --await
 container ID: GfWw35kHds7gKWmSvW7Zi4U39K7NMLK8EfXBQ5FPJA46
 awaiting...
 container has been persisted on sidechain
@ -305,7 +345,7 @@ container has been persisted on sidechain
 ### Put an object with frostfs-cli

 ``` sh
-$ frostfs-cli -r localhost:8080 -w /config/user-wallet.json \
+$ frostfs-cli -r localhost:8080 -w s3-gw/user-wallet.json \
            --address NWeByJPgNC97F83hTUnSbnZSBKaFvk5HNw \
            object put \
            --cid GfWw35kHds7gKWmSvW7Zi4U39K7NMLK8EfXBQ5FPJA46 \
@ -318,7 +358,7 @@ $ frostfs-cli -r localhost:8080 -w /config/user-wallet.json \
 ### Get and object with frostfs-cli

 ``` sh
-$ frostfs-cli -r localhost:8080 -w /config/user-wallet.json \
+$ frostfs-cli -r localhost:8080 -w s3-gw/user-wallet.json \
            --address NWeByJPgNC97F83hTUnSbnZSBKaFvk5HNw \
            object get \
            --cid GfWw35kHds7gKWmSvW7Zi4U39K7NMLK8EfXBQ5FPJA46 \
--- a/bin/issue-creds.sh
+++ b/bin/issue-creds.sh
@ -17,8 +17,8 @@ issueAWS() {
 }

 S3_GATE_PUBLIC_KEY=$(neo-go wallet dump-keys -w /config/s3-gw-wallet.json | tail -1)
-WALLET_PATH=/wallets/$1
-if [[ -z "$1" ]]; then
+WALLET_PATH=/wallets/$2
+if [[ -z "$2" ]]; then
  WALLET_PATH=/config/user-wallet.json
 fi

@ -29,4 +29,7 @@ USERNAME=$(echo $WALLET_PATH | md5sum | cut -d' ' -f1)
 if [ ! -e $WALLET_CACHE/$USERNAME ]; then
  initUser
 fi
-issueAWS
+
+if [ $1 == "s3" ]; then
+  issueAWS
+fi
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -25,6 +25,7 @@ services:
      - "30333:30333" # RPC
      - "8080:8080"   # FrostFS API RPC
      - "8084:8084"   # S3 Gateway
+      - "8184:8184"   # S3 Gateway with TLS
      - "16513:16513" # Control service

 volumes:
--- a/s3-gw/regions.json
+++ b/s3-gw/regions.json
@ -0,0 +1,4 @@
+{
+  "us-east-1": "REP 1",
+  "us-west-1": "REP 1"
+}
--- a/s3-gw/s3-gw-config.yaml
+++ b/s3-gw/s3-gw-config.yaml
@ -11,6 +11,11 @@ peers:

 server:
  - address: 0.0.0.0:8084
+  - address: 0.0.0.0:8184
+    tls:
+      enabled: true
+      cert_file: /config/s3-gw-tls.crt
+      key_file: /config/s3-gw-tls.key

 logger:
  level: debug
@ -32,7 +37,7 @@ stream_timeout: 10s
 healthcheck_timeout: 15s
 rebalance_interval: 60s
 pool_error_threshold: 100
-max_clients_count: 100
+max_clients_count: 1000
 max_clients_deadline: 30s

 cache:
@ -60,6 +65,7 @@ cache:

 placement_policy:
  default: REP 1
+  region_mapping: /config/regions.json

 features:
  md5:
--- a/s3-gw/s3-gw-tls.crt
+++ b/s3-gw/s3-gw-tls.crt
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAowCCQDXZEH0aQRqFzANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMC
+UlUxFjAUBgNVBAgMDVN0LlBldGVyc2J1cmcxGTAXBgNVBAcMEFNhaW50IFBldGVy
+c2J1cmcxDjAMBgNVBAoMBU5TUENDMREwDwYDVQQLDAhOZW8gU1BDQzERMA8GA1UE
+AwwIbnNwY2MucnUxGzAZBgkqhkiG9w0BCQEWDG9wc0Buc3BjYy5ydTAeFw0yMDA3
+MTMxNTQyMzZaFw0zMDA3MTExNTQyMzZaMIGTMQswCQYDVQQGEwJSVTEWMBQGA1UE
+CAwNU3QuUGV0ZXJzYnVyZzEZMBcGA1UEBwwQU2FpbnQgUGV0ZXJzYnVyZzEOMAwG
+A1UECgwFTlNQQ0MxETAPBgNVBAsMCE5lbyBTUENDMREwDwYDVQQDDAhuc3BjYy5y
+dTEbMBkGCSqGSIb3DQEJARYMb3BzQG5zcGNjLnJ1MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2
+Q5qM8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7Bbuz
+NOchonlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFK
+eeJGtueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl
+xsnnAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tL
+YtUMdLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDEGhAyOtfsNwbZ0oZIw06e0JXCmri+8jsn5Ly/yHU0+ecHgMA5AAQ
+AG2QRpZZtZCtD/Cj4i6nSTWbRhS0FgqY998p5Lnh/AXTZHBx0t3LKJupN59CIjCK
+1eMEfQChoAZg66oO/obAFkq72gj8gpagMY9vFNVcszmse3FWrvlKmO1TwTEh+CzM
+7wbmiL/ujm0lIf44pp0U4qYFcSimSDqbwOfeDPif9lMinzylDxMfaAKBHBHPj5Vt
+fX8dgf6MIqyz51u/2G0gHfXMDxXec8huYKt2EtPyavh6kFxxGvcA15m6seJTcu+h
+6WzeQFa2NBg7Z3ai4DiPXirNtcHWeqxK
+-----END CERTIFICATE-----
--- a/s3-gw/s3-gw-tls.key
+++ b/s3-gw/s3-gw-tls.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2Q5qM
+8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7BbuzNOch
+onlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFKeeJG
+tueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl+xsn
+nAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tLYtUM
+dLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABAoIBAEIp3mJEjPgNOdDf
+NlEYpdfxLStOQIKMo0bdXAOBToOc28SAjDTGGSflFGIIQWwF+Vq3meRzfExgyouY
+AG3XwYQcZF4USX4XwG71YUXzQXdiY7ewc3Mos2gxD4kVXYpgwzJtOET2GN72zwAm
+asSXY7GXdesmu8mMYkxzEAKlhFgMj+bGE/4QQUBKG9ylGIdo07zmU6rAsVhnwQTb
+LE3cf+AxCeTVA7OsJCUUR4S9qsgXUN1WeaV8LNg0lYx8UTu1xlbrpSjx7B4eYy6J
+FGJWuT9b3X+cBLcGk3BzheUAfqBG2UFDxUCt0grqmmTBkB850MtCDhffhPjxxrD7
+KrwAcpECgYEA6HApn2VtWI/tDYCbNix6yxeqq73fO3ng6yFry1u7EYvl8hJXBgR4
+b6kAVc3y/9pZO/5D23dHl1PQtnU5401/j6dQrb8A2TMqZ1vA8XIdIMjOiVjZtYMF
+nXzmf78PEbw9jWlDVARJdAwkJeuDI4/HVvgiDAh3zxx5F8uDVP16/r8CgYEA1mXS
+9owfLIPtPSxyMJoGU0jP7OP+HVwlKkXpvg7uBtINKSDW4UU4rnpIGW5MohR3ACWO
+ReFliOnGA5FXBp9GzkbJ+wIYovPIsGuBdxSsBlPY1S0yPlo30hr7E6cK3B3EuxDg
+SkbJcWp2EwXYEIyEcopbVUTTlBO3wmBFgm/Ps+kCgYA/+Kar9OlMR4hRgAS3uzQs
+cx4I2F/46YlKjU8yj9ODd8JYhk2nHVHcQWITO3RWkEyg41DftQtiDbJSlR7SfUDP
+U5gzyW69WISiH7GRgfucS0f0qxx4BVBlULvLitTl5631HnRmSivBIZpNSW01O1v8
+hpwwPaBjww1czCkgGgdg1wKBgQCkaSdTW/bX+z9lpvzWWnc5TN/uSJRpTW1Osphh
+4C8WWeQvwvglfiDOZAWAQv5PWKQ9H4+v9P4Y9TSdLcpv0JrKuqxPabcc1xfyei6o
+89hLbecc6vDZsfOWkowx8Oo6DDX+Qh3Nt+TorXxocBXV8vvqnkEV7ZbWuhwz2gHT
+2gyMaQKBgEE7rNzm8Q03IqQ08eYaRw8gWz8EpLeVebrGqtoH9AR5cd4OeTeZAEqc
+iPehXctke2pUgS47XgG98G7Yg3E9UuOYM+H2nzQCoT7jrM0dZrVGZ0ty7z1a8QGe
+UrjaAC/cyIGdszhf0Rf3qA7450nit9Txh+ilLiumgnUezl+eJXyI
+-----END RSA PRIVATE KEY-----
--- a/sn/config.yaml
+++ b/sn/config.yaml
@ -37,6 +37,7 @@ pprof:

 storage:
  shard_num: 1
+  shard_pool_size: 1000
  shard:
    0:
      writecache:
@ -65,6 +66,4 @@ tree:

 object:
  put:
-    pool_size_remote: 100
-    pool_size_local: 100
-
+    local_pool_size: 1000
--- a/vendor/contracts/alphabet/alphabet_contract.nef
+++ b/vendor/contracts/alphabet/alphabet_contract.nef
--- a/vendor/contracts/balance/balance_contract.nef
+++ b/vendor/contracts/balance/balance_contract.nef
--- a/vendor/contracts/container/container_contract.nef
+++ b/vendor/contracts/container/container_contract.nef
--- a/vendor/contracts/frostfs/frostfs_contract.nef
+++ b/vendor/contracts/frostfs/frostfs_contract.nef
--- a/vendor/contracts/frostfsid/config.json
+++ b/vendor/contracts/frostfsid/config.json
--- a/vendor/contracts/frostfsid/frostfsid_contract.nef
+++ b/vendor/contracts/frostfsid/frostfsid_contract.nef
--- a/vendor/contracts/netmap/netmap_contract.nef
+++ b/vendor/contracts/netmap/netmap_contract.nef
--- a/vendor/contracts/nns/nns_contract.nef
+++ b/vendor/contracts/nns/nns_contract.nef
--- a/vendor/contracts/policy/policy_contract.nef
+++ b/vendor/contracts/policy/policy_contract.nef
--- a/vendor/contracts/processing/processing_contract.nef
+++ b/vendor/contracts/processing/processing_contract.nef
--- a/vendor/contracts/proxy/proxy_contract.nef
+++ b/vendor/contracts/proxy/proxy_contract.nef
Author	SHA1	Message	Date
Denis Kirillov	9b215113ff	[#XX] Support TLS for s3-gw Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-11-08 12:07:19 +03:00
Denis Kirillov	fcc4b84805	Release v1.6.4 Update s3-gw to fix aws-chunked encoding Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2024-10-03 15:46:39 +03:00
Vitaliy Potyarkin	52c5fb042d	[#47 ] Add Makefile helpers for wallet management Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>	2024-09-20 14:10:44 +00:00
Alex Vanin	539faea51e	[#45 ] Update to the latest component releases Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-17 14:40:43 +03:00
Alex Vanin	0438608a3e	[#45 ] Add Makefile targets to register wallet files in FrostFS ID This is required in frostfs-node since AIO 1.6.0 Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-17 14:40:43 +03:00
Nikita Zinkevich	e1b048c013	[#44 ] Update binaries copy in Dockerfile.local issue-creds.sh was not copied in Dockerfile.local Thus `make s3cred` don't work	2024-09-11 15:06:43 +03:00
Alex Vanin	d83d797cef	[#43 ] Support up to 1000 concurrent S3 requests Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-09 12:50:47 +03:00
Alex Vanin	00986aed8b	[#42 ] Add region mapping for S3 Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-05 14:21:02 +03:00
Alex Vanin	a75b1b66eb	[#41 ] Bump image version Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-04 17:20:05 +03:00
Alex Vanin	abf918111f	[#41 ] Update smart-contracts up to v0.19.3 Signed-off-by: Alex Vanin <a.vanin@yadro.com>	2024-09-04 17:20:00 +03:00