[#90] Enabled tls for s04
Signed-off-by: Denis Kirillov <denis@nspcc.ru>
parent
a4300b2a97
commit
1aa8d407ff
9 changed files with 52 additions and 1 deletions
1
.env
1
.env
|
@ -1,6 +1,7 @@
|
|||
# Basenet settings
|
||||
LOCAL_DOMAIN=neofs.devenv
|
||||
IPV4_PREFIX=192.168.130
|
||||
CA_CERTS_TRUSTED_STORE=/etc/ssl/certs
|
||||
|
||||
# NeoGo privnet
|
||||
CHAIN_URL="https://github.com/nspcc-dev/neofs-contract/releases/download/v0.9.2/devenv_mainchain_notary_disabled.gz"
|
||||
|
|
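Review bot: The default added here, `CA_CERTS_TRUSTED_STORE=/etc/ssl/certs`, disagrees with the variable's documentation in this same commit, which shows `CA_CERTS_TRUSTED_STORE=/usr/local/share/ca-certificates`; pick one value and use it in both places. If the `/usr/local/share/ca-certificates` location is the intended one, note that on Debian-style hosts a file dropped there is only trusted after `update-ca-certificates` is run, which `bin/addCert.sh` does not do. A one-line comment above the variable, `# Host directory where bin/addCert.sh links the s04 self-signed cert (needs root)`, would make its purpose clear to someone editing `.env`.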
2
Makefile
2
Makefile
|
@ -84,7 +84,7 @@ hosts: vendor/hosts
|
|||
.PHONY: clean
|
||||
.ONESHELL:
|
||||
clean:
|
||||
@rm -rf vendor/*
|
||||
@rm -rf vendor/* services/storage/s04tls.*
|
||||
@for svc in $(START_SVCS)
|
||||
do
|
||||
vols=`docker-compose -f services/$${svc}/docker-compose.yml config --volumes`
|
||||
|
|
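Review bot: The new `clean` line removes `services/storage/s04tls.*`, but the symlink that `bin/addCert.sh` created in `$(CA_CERTS_TRUSTED_STORE)` still points at the deleted file, so the host trust store is left with a dangling entry that will silently become live again the next time `make get.storage` regenerates a key. Removing it needs root, so doing it here is probably not wanted, but the recipe should say so: `# NOTE: the trust-store link made by bin/addCert.sh is not removed here (needs root)`. The `clean` recipe continues past the end of the hunk.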
16
README.md
16
README.md
|
@ -10,6 +10,16 @@
|
|||
|
||||
Tools to set up local NeoFS network and N3 privnets. Devenv, for short.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Make sure you have installed all of the following prerequisites on your machine:
|
||||
* docker
|
||||
* docker-compose
|
||||
* make
|
||||
* expect
|
||||
* openssl
|
||||
|
||||
|
||||
## Quick Start
|
||||
|
||||
```
|
||||
|
@ -24,6 +34,12 @@ $ make prepare.ir
|
|||
password >
|
||||
fa6ba62bffb04030d303dcc95bda7413e03aa3c7e6ca9c2f999d65db9ec9b82c
|
||||
```
|
||||
Also you should add self-signed node (`s04.neofs.devenv`) certificate to truststore
|
||||
(default location might be changed using `CA_CERTS_TRUSTED_STORE` variable).
|
||||
This step is required for client services (neofs-http-gw, neofs-s3-gw) to interact with the node:
|
||||
```
|
||||
$ sudo make prepare.storage
|
||||
```
|
||||
|
||||
Change NeoFS global configuration values with `make update.*` commands. The
|
||||
password of inner ring wallet is `one`. See examples in `make help`.
|
||||
|
|
6
bin/addCert.sh
Executable file
6
bin/addCert.sh
Executable file
|
@ -0,0 +1,6 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# Source env settings
|
||||
. .env
|
||||
|
||||
ln -sf $(pwd)/services/storage/s04tls.crt ${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt
|
|
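Review bot: The `ln -sf` line expands `$(pwd)` and the two `.env` variables unquoted and the script has no `set -e`, so a repository path containing spaces, a missing `.env`, or an unset `CA_CERTS_TRUSTED_STORE` produces a wrong or partial link (with an empty store variable the link lands in `/s04.<domain>.tls.crt`) rather than an error. The script also links the certificate before it exists if `make get.storage` has not run yet, giving a dangling entry in the host-wide trust store. Since this places a self-signed certificate in the system store for every TLS client on the host, a header comment stating that and how to undo it (remove the link) is worth adding. `.env` is sourced relative to the current directory, which works for `make prepare.storage` run from the repo root, but that assumption belongs in the same comment.
```shell
#!/usr/bin/env bash
# Link the devenv s04 self-signed cert into the host trust store
# (CA_CERTS_TRUSTED_STORE from .env). Run from the repo root, as root.
# Undo: remove ${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt.
set -euo pipefail

. ./.env
: "${CA_CERTS_TRUSTED_STORE:?not set in .env}" "${LOCAL_DOMAIN:?not set in .env}"

cert="$(pwd)/services/storage/s04tls.crt"
[ -f "$cert" ] || { echo "$cert not found; run 'make get.storage' first" >&2; exit 1; }

ln -sf "$cert" "${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt"
```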
@ -17,6 +17,9 @@ IPv4 /24 subnet to use for all containers exposed to `basenet_internet`. Last
|
|||
octet will be defined in `docker-compose.yml` file for each container inside
|
||||
service. For simplicity, each service reserves ten host addresses.
|
||||
|
||||
### CA_CERTS_TRUSTED_STORE=/usr/local/share/ca-certificates
|
||||
Trusted store location to add node self-signed tls certificates.
|
||||
|
||||
## bastion container
|
||||
|
||||
There is a `bastion` container with debian 10 userspace to simplify access to
|
||||
|
|
|
@ -21,6 +21,10 @@ NEOFS_METRICS_ADDRESS=:9090
|
|||
|
||||
# GRPC Transport Section
|
||||
NEOFS_GRPC_NUM=1
|
||||
## 0 server
|
||||
### TLS config
|
||||
NEOFS_GRPC_0_TLS_CERTIFICATE=/tls.crt
|
||||
NEOFS_GRPC_0_TLS_KEY=/tls.key
|
||||
|
||||
# Morph section
|
||||
## Endpoints of sidechain RPC nodes (comma-separated)
|
||||
|
|
15
services/storage/artifacts.mk
Normal file
15
services/storage/artifacts.mk
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Create new tls certs
|
||||
|
||||
STORAGE_DIR=$(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
|
||||
SSL_CONFIG := $(shell mktemp)
|
||||
|
||||
get.storage:
|
||||
@echo "⇒ Creating tls certs to NeoFS node"
|
||||
@(echo "[req]"; \
|
||||
echo "distinguished_name=req"; \
|
||||
echo "req_extensions=san"; \
|
||||
echo "[san]"; \
|
||||
echo "subjectAltName=DNS:s04.${LOCAL_DOMAIN}") > ${SSL_CONFIG}
|
||||
@openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
|
||||
-subj "/C=RU/ST=SPB/L=St.Petersburg/O=NSPCC/OU=NSPCC/CN=s04.${LOCAL_DOMAIN}" \
|
||||
-keyout ${STORAGE_DIR}/s04tls.key -out ${STORAGE_DIR}/s04tls.crt -extensions san -config ${SSL_CONFIG}
|
|
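Review bot: `SSL_CONFIG := $(shell mktemp)` runs at parse time, so every `make` invocation that includes this file — `make clean`, `make help`, anything — creates a new file in the temp directory that nothing ever removes, although the openssl config is only needed inside the `get.storage` recipe. Create it inside the recipe's own shell and remove it with a trap, as below. `STORAGE_DIR=` would also be better as `:=`, and if `get.storage` is not declared in a `.PHONY` line elsewhere it should be, since it produces `s04tls.crt`/`s04tls.key` rather than a file named `get.storage`. Separately, the `-days 365` certificate silently expires a year after `make get.storage`, which will surface as TLS failures in the gateways; a comment on that line would save someone a debugging session. The `${LOCAL_DOMAIN}` reference is expanded by Make, so it relies on `.env` being included into the Makefile — presumably it is, but worth confirming.
```make
STORAGE_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))

get.storage:
	@echo "⇒ Creating tls certs to NeoFS node"
	@cfg=$$(mktemp) && trap 'rm -f "$$cfg"' EXIT && \
	printf '%s\n' "[req]" "distinguished_name=req" "req_extensions=san" "[san]" \
	  "subjectAltName=DNS:s04.${LOCAL_DOMAIN}" > "$$cfg" && \
	openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
	  -subj "/C=RU/ST=SPB/L=St.Petersburg/O=NSPCC/OU=NSPCC/CN=s04.${LOCAL_DOMAIN}" \
	  -keyout ${STORAGE_DIR}/s04tls.key -out ${STORAGE_DIR}/s04tls.crt -extensions san -config "$$cfg"
```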
@ -114,6 +114,8 @@ services:
|
|||
- storage_s04:/storage
|
||||
- ./../../vendor/neofs-cli:/neofs-cli
|
||||
- ./healthcheck.sh:/healthcheck.sh
|
||||
- ./s04tls.crt:/tls.crt
|
||||
- ./s04tls.key:/tls.key
|
||||
stop_signal: SIGKILL
|
||||
env_file: [ ".env", ".storage.env" ]
|
||||
environment:
|
||||
|
@ -121,6 +123,7 @@ services:
|
|||
- NEOFS_NODE_ADDRESSES=s04.${LOCAL_DOMAIN}:8080
|
||||
- NEOFS_GRPC_0_ENDPOINT=s04.${LOCAL_DOMAIN}:8080
|
||||
- NEOFS_CONTROL_GRPC_ENDPOINT=s04.${LOCAL_DOMAIN}:8081
|
||||
- NEOFS_GRPC_0_TLS_ENABLED=true
|
||||
- NEOFS_NODE_ATTRIBUTE_0=UN-LOCODE:FI HEL
|
||||
- NEOFS_NODE_ATTRIBUTE_1=Price:44
|
||||
healthcheck:
|
||||
|
|
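Review bot: The new bind mounts `./s04tls.crt:/tls.crt` and `./s04tls.key:/tls.key` have no access mode; marking them read-only keeps the node from being able to alter its own key material and is the usual setting for files that are only read at startup: `- ./s04tls.crt:/tls.crt:ro` and `- ./s04tls.key:/tls.key:ro`. If the files do not exist when the service is started (after `make clean`, or before `make get.storage`), Docker typically creates the missing host path as an empty directory, which then makes the later `openssl ... -out` fail with a confusing error, so the bring-up order should be documented or the storage service made to depend on the cert existing. The TLS switch `NEOFS_GRPC_0_TLS_ENABLED=true` lives here while the cert and key paths are in `.storage.env`; keeping the three settings together would be easier to follow.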
3
services/storage/prepare.mk
Normal file
3
services/storage/prepare.mk
Normal file
|
@ -0,0 +1,3 @@
|
|||
prepare.storage:
|
||||
@echo "Adding self-signed tls certs to trusted store"
|
||||
@./bin/addCert.sh
|
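Review bot: `prepare.storage` is not a file the recipe creates, so unless it is listed in a `.PHONY` line elsewhere it should get `.PHONY: prepare.storage` above it, matching the `.PHONY: clean` style in the top-level Makefile. The README runs this as `sudo make prepare.storage`, which runs the whole Makefile parse as root (including any parse-time `$(shell …)` in included files) when only the `ln` into the trust store needs it; either document that or have `bin/addCert.sh` check for root so the failure mode is an explicit message rather than a permission error. `./bin/addCert.sh` is relative to the current directory, so a `# Run from the repository root` comment would help.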