feat: add self-signed certs for mTLS

Signed-off-by: Gaius <gaius.qi@gmail.com>

deploy/docker-compose/template/client.template.yaml

@@ -7,13 +7,14 @@ log:
 
 # host is the host configuration for dfdaemon.
 host:
-  ## idc is the idc of the host.
+  # idc is the idc of the host.
   idc: ''
-  ## location is the location of the host.
+  # location is the location of the host.
   location: ''
-  ## hostname is the hostname of the host.
-  # hostname: ""
-  ## ip is the advertise ip of the host.
+# # hostname is the hostname of the host.
+# hostname: ""
+#
+  # ip is the advertise ip of the host.
   ip: __IP__
 
 server:
@@ -37,17 +38,38 @@ upload:
   server:
     # port is the port to the grpc server.
     port: 4000
-    ## ip is the listen ip of the grpc server.
-    # ip: ""
+  # # ip is the listen ip of the grpc server.
+  # ip: ""
+  # # CA certificate file path for mTLS.
+  # caCert: /etc/ssl/certs/ca.crt
+  # # GRPC server certificate file path for mTLS.
+  # cert: /etc/ssl/certs/server.crt
+  # # GRPC server key file path for mTLS.
+  # key: /etc/ssl/private/server.pem
+  #
+# # Client configuration for remote peer's upload server.
+# client:
+#   # CA certificate file path for mTLS.
+#   caCert: /etc/ssl/certs/ca.crt
+#   # GRPC client certificate file path for mTLS.
+#   cert: /etc/ssl/certs/client.crt
+#   # GRPC client key file path for mTLS.
+#   key: /etc/ssl/private/client.pem
+#
   # disableShared indicates whether disable to share data for other peers.
   disableShared: false
   # rateLimit is the default rate limit of the upload speed in KiB/MiB/GiB per second, default is 10GiB/s.
   rateLimit: 10GiB
 
 manager:
-  # addrs is manager addresses.
-  addrs:
-    - http://__IP__:65003
+  # addr is manager addresses.
+  addr: http://__IP__:65003
+# # CA certificate file path for mTLS.
+# caCert: /etc/ssl/certs/ca.crt
+# # GRPC client certificate file path for mTLS.
+# cert: /etc/ssl/certs/client.crt
+# # GRPC client key file path for mTLS.
+# key: /etc/ssl/private/client.pem
 
 scheduler:
   # announceInterval is the interval to announce peer to the scheduler.
@@ -61,6 +83,12 @@ scheduler:
   maxScheduleCount: 5
   # enableBackToSource indicates whether enable back-to-source download, when the scheduling failed.
   enableBackToSource: true
+# # CA certificate file path for mTLS.
+# caCert: /etc/ssl/certs/ca.crt
+# # GRPC client certificate file path for mTLS.
+# cert: /etc/ssl/certs/client.crt
+# # GRPC client key file path for mTLS.
+# key: /etc/ssl/private/client.pem
 
 dynconfig:
   # refreshInterval is the interval to refresh dynamic configuration from manager.
@@ -93,26 +121,29 @@ proxy:
   server:
     # port is the port to the proxy server.
     port: 4001
-    ## ip is the listen ip of the proxy server.
-    # ip: ""
-    ## caCert is the root CA cert path with PEM format for the proxy server to generate the server cert.
-    ## If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed.
-    ## When client requests via the proxy, the client should not verify the server cert and set
-    ## insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
-    ## you can use openssl to generate the root CA cert and make the system trust the root CA cert.
-    ## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
-    ## and key, and signs the server cert with the root CA cert. When client requests via the proxy,
-    ## the proxy can intercept the request by the server cert.
-    # caCert: ""
-    ## caKey is the root CA key path with PEM format for the proxy server to generate the server cert.
-    ## If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed.
-    ## When client requests via the proxy, the client should not verify the server cert and set
-    ## insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
-    ## you can use openssl to generate the root CA cert and make the system trust the root CA cert.
-    ## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
-    ## and key, and signs the server cert with the root CA cert. When client requests via the proxy,
-    ## the proxy can intercept the request by the server cert.
-    # caKey: ""
+  # # ip is the listen ip of the proxy server.
+  # ip: ""
+  #
+  # # caCert is the root CA cert path with PEM format for the proxy server to generate the server cert.
+  # # If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed.
+  # # When client requests via the proxy, the client should not verify the server cert and set
+  # # insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
+  # # you can use openssl to generate the root CA cert and make the system trust the root CA cert.
+  # # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
+  # # and key, and signs the server cert with the root CA cert. When client requests via the proxy,
+  # # the proxy can intercept the request by the server cert.
+  # caCert: ""
+  #
+  # # caKey is the root CA key path with PEM format for the proxy server to generate the server cert.
+  # # If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed.
+  # # When client requests via the proxy, the client should not verify the server cert and set
+  # # insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed,
+  # # you can use openssl to generate the root CA cert and make the system trust the root CA cert.
+  # # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert
+  # # and key, and signs the server cert with the root CA cert. When client requests via the proxy,
+  # # the proxy can intercept the request by the server cert.
+  # caKey: ""
+  #
   # rules is the list of rules for the proxy server.
   # regex is the regex of the request url.
   # useTLS indicates whether use tls for the proxy backend.
@@ -136,29 +167,26 @@ proxy:
     # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
     # of registry mirror.
     addr: https://index.docker.io
-    ## certs is the client certs path with PEM format for the registry.
-    ## If registry use self-signed cert, the client should set the
-    ## cert for the registry mirror.
-    # certs: ""
+  # # cert is the client cert path with PEM format for the registry.
+  # # If registry use self-signed cert, the client should set the
+  # # cert for the registry mirror.
+  # cert: ""
+  #
   # disableBackToSource indicates whether disable to download back-to-source when download failed.
   disableBackToSource: false
   # prefetch pre-downloads full of the task when download with range request.
   prefetch: false
   # readBufferSize is the buffer size for reading piece from disk, default is 32KB.
   readBufferSize: 32768
 
-security:
-  # enable indicates whether enable security.
-  enable: false
-
 metrics:
   server:
     # port is the port to the metrics server.
     port: 4002
-    ## ip is the listen ip of the metrics server.
-    # ip: ""
+  # # ip is the listen ip of the metrics server.
+  # ip: ""
 
-## tracing is the tracing configuration for dfdaemon.
+# # tracing is the tracing configuration for dfdaemon.
 # tracing:
-## addr is the address to report tracing log.
-# addr: ""
+#   # addr is the address to report tracing log.
+#   addr: ""

deploy/docker-compose/template/manager.template.yaml

@@ -7,10 +7,20 @@ server:
     advertiseIP: __IP__
     # # Listen ip.
     # listenIP: 0.0.0.0
+    #
     # Listen port.
     port:
       start: 65003
       end: 65003
+  # # GRPC server tls configuration.
+  # tls:
+  #   # CA certificate file path for mTLS.
+  #   caCert: /etc/ssl/certs/ca.crt
+  #   # Certificate file path for mTLS.
+  #   cert: /etc/ssl/certs/server.crt
+  #   # Key file path for mTLS.
+  #   key: /etc/ssl/private/server.pem
+  #
   # REST server configure
   rest:
     # REST server address
@@ -20,6 +30,7 @@ server:
   #   cert: /etc/ssl/certs/server.crt
   #   # Key file path.
   #   key: /etc/ssl/private/server.pem
+  #
   # logDir is the log directory.
   # In linux, default value is /var/log/dragonfly.
   # In macos(just for testing), default value is /Users/$USER/.dragonfly/logs.
@@ -70,6 +81,7 @@ database:
   #   ca: /etc/ssl/certs/ca.pem
   #   # Whether a client verifies the server's certificate chain and hostname.
   #   insecureSkipVerify: true
+  #
   # Redis configure.
   redis:
     # Redis addresses.
@@ -142,34 +154,6 @@ metrics:
   # Enable peer gauge metrics.
   enablePeerGauge: true
 
-# Security configuration.
-security:
-  # autoIssueCert indicates to issue client certificates for all grpc call.
-  # If AutoIssueCert is false, any other option in Security will be ignored.
-  autoIssueCert: false
-  # caCert is the CA certificate for all grpc tls handshake, it can be path or PEM format string.
-  caCert: ''
-  # caKey is the CA private key, it can be path or PEM format string.
-  caKey: ''
-  # tlsPolicy controls the grpc shandshake behaviors:
-  #   force: both ClientHandshake and ServerHandshake are only support tls
-  #   prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
-  #   default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
-  # Notice: If the drgaonfly service has been deployed, a two-step upgrade is required.
-  # The first step is to set tlsPolicy to default, and then upgrade the dragonfly services.
-  # The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services.
-  tlsPolicy: 'prefer'
-  certSpec:
-    # dnsNames is a list of dns names be set on the certificate.
-    dnsNames:
-      - 'dragonfly-manager'
-      - 'dragonfly-manager.dragonfly-system.svc'
-      - 'dragonfly-manager.dragonfly-system.svc.cluster.local'
-    # ipAddresses is a list of ip addresses be set on the certificate.
-    ipAddresses:
-    # validityPeriod is the validity period  of certificate.
-    validityPeriod: 87600h
-
 # Network configuration.
 network:
   # Enable ipv6.

deploy/docker-compose/template/scheduler.template.yaml

@@ -3,15 +3,26 @@ server:
   # # Access ip for other services,
   # # when local ip is different with access ip, advertiseIP should be set.
   advertiseIP: __IP__
-  # # Access port for other services,
-  # # when local ip is different with access port, advertisePort should be set.
-  # advertisePort: 8002
-  # # Listen ip.
-  # listenIP: 0.0.0.0
+# # Access port for other services,
+# # when local ip is different with access port, advertisePort should be set.
+# advertisePort: 8002
+# # Listen ip.
+# listenIP: 0.0.0.0
+#
   # Port is the ip and port scheduler server listens on.
   port: 8002
+# # GRPC server tls configuration.
+# tls:
+#   # CA certificate file path for mTLS.
+#   caCert: /etc/ssl/certs/ca.crt
+#   # Certificate file path for mTLS.
+#   cert: /etc/ssl/certs/server.crt
+#   # Key file path for mTLS.
+#   key: /etc/ssl/private/server.pem
+#
   # # Server host.
   # host: localhost
+  #
   # logDir is the log directory.
   # In linux, default value is /var/log/dragonfly.
   # In macos(just for testing), default value is /Users/$USER/.dragonfly/logs.
@@ -83,22 +94,6 @@ database:
     # Redis backend DB.
     backendDB: 2
 
-# Resource configuration.
-resource:
-  # Task configuration.
-  task:
-    # downloadTiny is the configuration of downloading tiny task by scheduler.
-    downloadTiny:
-      # scheme is download tiny task scheme.
-      scheme: http
-      # Timeout is http request timeout.
-      timeout: 1m
-      # tls is download tiny task TLS configuration.
-      tls:
-        # insecureSkipVerify controls whether a client verifies the
-        # server's certificate chain and hostname.
-        insecureSkipVerify: true
-
 # Dynamic data configuration.
 dynConfig:
   # Dynamic config refresh interval.
@@ -121,13 +116,29 @@ manager:
   keepAlive:
     # KeepAlive interval.
     interval: 5s
+# # GRPC client tls configuration.
+# tls:
+#   # CA certificate file path for mTLS.
+#   caCert: /etc/ssl/certs/ca.crt
+#   # Certificate file path for mTLS.
+#   cert: /etc/ssl/certs/client.crt
+#   # Key file path for mTLS.
+#   key: /etc/ssl/private/client.pem
 
 # Seed peer configuration.
 seedPeer:
   # Scheduler enable seed peer as P2P peer,
   # if the value is false, P2P network will not be back-to-source through
   # seed peer but by peer and preheat feature does not work.
   enable: true
+# # GRPC client tls configuration.
+# tls:
+#   # CA certificate file path for mTLS.
+#   caCert: /etc/ssl/certs/ca.crt
+#   # Certificate file path for mTLS.
+#   cert: /etc/ssl/certs/client.crt
+#   # Key file path for mTLS.
+#   key: /etc/ssl/private/client.pem
 
 # Machinery async job configuration,
 # see https://github.com/RichardKnop/machinery.
@@ -160,33 +171,6 @@ metrics:
   # Enable host metrics.
   enableHost: false
 
-security:
-  # autoIssueCert indicates to issue client certificates for all grpc call.
-  # If AutoIssueCert is false, any other option in Security will be ignored.
-  autoIssueCert: false
-  # caCert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string.
-  caCert: ''
-  # tlsVerify indicates to verify certificates.
-  tlsVerify: false
-  # tlsPolicy controls the grpc shandshake behaviors:
-  #   force: both ClientHandshake and ServerHandshake are only support tls
-  #   prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
-  #   default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
-  # Notice: If the drgaonfly service has been deployed, a two-step upgrade is required.
-  # The first step is to set tlsPolicy to default, and then upgrade the dragonfly services.
-  # The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services.
-  tlsPolicy: 'prefer'
-  certSpec:
-    # dnsNames is a list of dns names be set on the certificate.
-    dnsNames:
-      - 'dragonfly-scheduler'
-      - 'dragonfly-scheduler.dragonfly-system.svc'
-      - 'dragonfly-scheduler.dragonfly-system.svc.cluster.local'
-    # ipAddresses is a list of ip addresses be set on the certificate.
-    ipAddresses:
-    # validityPeriod is the validity period  of certificate.
-    validityPeriod: 4320h
-
 network:
   # Enable ipv6.
   enableIPv6: false