nacos-go-sdk support grpc tls (#746)

* support grpc tls
nacos-group · Apr 25, 2024 · 690bd7b · 690bd7b
1 parent 6dd8997
commit 690bd7b
Show file tree

Hide file tree

Showing 7 changed files with 128 additions and 7 deletions.
diff --git a/clients/config_client/config_client_test.go b/clients/config_client/config_client_test.go
@@ -34,7 +34,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-var serverConfigWithOptions = constant.NewServerConfig("mse-xxx.mse.aliyuncs.com", 8848)
+var serverConfigWithOptions = constant.NewServerConfig("mse-xxx-p.nacos-ans.mse.aliyuncs.com", 8848)
 
 var clientConfigWithOptions = constant.NewClientConfig(
 	constant.WithTimeoutMs(10*1000),
@@ -47,6 +47,18 @@ var clientConfigWithOptions = constant.NewClientConfig(
 	constant.WithRegionId("cn-hangzhou"),
 )
 
+var clientTLsConfigWithOptions = constant.NewClientConfig(
+	constant.WithTimeoutMs(10*1000),
+	constant.WithBeatInterval(2*1000),
+	constant.WithNotLoadCacheAtStart(true),
+
+	/*constant.WithTLS(constant.TLSConfig{
+		Enable:   true,
+		TrustAll: false,
+		CaFile:   "mse-nacos-ca.cer",
+	}),*/
+)
+
 var localConfigTest = vo.ConfigParam{
 	DataId:  "dataId",
 	Group:   "group",
@@ -63,6 +75,15 @@ func createConfigClientTest() *ConfigClient {
 	return client
 }
 
+func createConfigClientTestTls() *ConfigClient {
+	nc := nacos_client.NacosClient{}
+	_ = nc.SetServerConfig([]constant.ServerConfig{*serverConfigWithOptions})
+	_ = nc.SetClientConfig(*clientTLsConfigWithOptions)
+	_ = nc.SetHttpAgent(&http_agent.HttpAgent{})
+	client, _ := NewConfigClient(&nc)
+	return client
+}
+
 func createConfigClientCommon() *ConfigClient {
 	nc := nacos_client.NacosClient{}
 	_ = nc.SetServerConfig([]constant.ServerConfig{*serverConfigWithOptions})
@@ -148,6 +169,24 @@ func Test_SearchConfig(t *testing.T) {
 	assert.NotEmpty(t, configPage)
 }
 
+func Test_GetConfigTls(t *testing.T) {
+	client := createConfigClientTestTls()
+	_, _ = client.PublishConfig(vo.ConfigParam{
+		DataId:  localConfigTest.DataId,
+		Group:   "DEFAULT_GROUP",
+		Content: "hello world"})
+	configPage, err := client.SearchConfig(vo.SearchConfigParam{
+		Search:   "accurate",
+		DataId:   localConfigTest.DataId,
+		Group:    "DEFAULT_GROUP",
+		PageNo:   1,
+		PageSize: 10,
+	})
+	assert.Nil(t, err)
+	assert.NotEmpty(t, configPage)
+
+}
+
 // only using by ak sk for cipher config of aliyun kms
 /*
 func TestPublishAndGetConfigByUsingLocalCache(t *testing.T) {

diff --git a/clients/config_client/config_proxy.go b/clients/config_client/config_proxy.go
@@ -166,7 +166,7 @@ func (cp *ConfigProxy) createRpcClient(ctx context.Context, taskId string, clien
 		"taskId":                taskId,
 	}
 
-	iRpcClient, _ := rpc.CreateClient(ctx, "config-"+taskId+"-"+client.uid, rpc.GRPC, labels, cp.nacosServer)
+	iRpcClient, _ := rpc.CreateClient(ctx, "config-"+taskId+"-"+client.uid, rpc.GRPC, labels, cp.nacosServer, &cp.clientConfig.TLSCfg)
 	rpcClient := iRpcClient.GetRpcClient()
 	if rpcClient.IsInitialized() {
 		rpcClient.RegisterServerRequestHandler(func() rpc_request.IRequest {

diff --git a/clients/naming_client/naming_grpc/naming_grpc_proxy.go b/clients/naming_client/naming_grpc/naming_grpc_proxy.go
@@ -61,7 +61,7 @@ func NewNamingGrpcProxy(ctx context.Context, clientCfg constant.ClientConfig, na
 		constant.LABEL_MODULE: constant.LABEL_MODULE_NAMING,
 	}
 
-	iRpcClient, err := rpc.CreateClient(ctx, uid.String(), rpc.GRPC, labels, srvProxy.nacosServer)
+	iRpcClient, err := rpc.CreateClient(ctx, uid.String(), rpc.GRPC, labels, srvProxy.nacosServer, &clientCfg.TLSCfg)
 	if err != nil {
 		return nil, err
 	}

diff --git a/common/constant/client_config_options.go b/common/constant/client_config_options.go
@@ -222,6 +222,7 @@ func WithLogRollingConfig(rollingConfig *ClientLogRollingConfig) ClientOption {
 
 func WithTLS(tlsCfg TLSConfig) ClientOption {
 	return func(config *ClientConfig) {
+		tlsCfg.Appointed = true
 		config.TLSCfg = tlsCfg
 	}
 }
diff --git a/common/constant/config.go b/common/constant/config.go
@@ -94,7 +94,9 @@ type ClientLogRollingConfig struct {
 }
 
 type TLSConfig struct {
+	Appointed          bool   // Appointed or not ,if false,will get from env.
 	Enable             bool   // enable tls
+	TrustAll           bool   // trust all server
 	CaFile             string // clients use when verifying server certificates
 	CertFile           string // server use when verifying client certificates
 	KeyFile            string // server use when verifying client certificates

diff --git a/common/remote/rpc/grpc_client.go b/common/remote/rpc/grpc_client.go
@@ -18,8 +18,13 @@ package rpc
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"fmt"
+	"google.golang.org/grpc/credentials"
 	"io"
+	"log"
 	"os"
 	"strconv"
 	"sync"
@@ -41,9 +46,10 @@ import (
 
 type GrpcClient struct {
 	*RpcClient
+	*constant.TLSConfig
 }
 
-func NewGrpcClient(ctx context.Context, clientName string, nacosServer *nacos_server.NacosServer) *GrpcClient {
+func NewGrpcClient(ctx context.Context, clientName string, nacosServer *nacos_server.NacosServer, tlsConfig *constant.TLSConfig) *GrpcClient {
 	rpcClient := &GrpcClient{
 		&RpcClient{
 			ctx:              ctx,
@@ -54,7 +60,7 @@ func NewGrpcClient(ctx context.Context, clientName string, nacosServer *nacos_se
 			reconnectionChan: make(chan ReconnectContext, 1),
 			nacosServer:      nacosServer,
 			mux:              new(sync.Mutex),
-		},
+		}, tlsConfig,
 	}
 	rpcClient.RpcClient.lastActiveTimestamp.Store(time.Now())
 	rpcClient.executeClient = rpcClient
@@ -87,6 +93,41 @@ func getInitialConnWindowSize() int32 {
 	return int32(initialConnWindowSize)
 }
 
+func getTLSCredentials(tlsConfig *constant.TLSConfig, serverInfo ServerInfo) credentials.TransportCredentials {
+
+	logger.Infof("build tls config for connecting to server %s,tlsConfig = %s", serverInfo.serverIp, tlsConfig)
+
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		log.Fatalf("load root cert pool fail : %v", err)
+	}
+	if len(tlsConfig.CaFile) != 0 {
+		cert, err := os.ReadFile(tlsConfig.CaFile)
+		if err != nil {
+			fmt.Errorf("err, %v", err)
+		}
+		if ok := certPool.AppendCertsFromPEM(cert); !ok {
+			fmt.Errorf("failed to append ca certs")
+		}
+	}
+
+	config := tls.Config{
+		InsecureSkipVerify: tlsConfig.TrustAll,
+		RootCAs:            certPool,
+		Certificates:       []tls.Certificate{},
+	}
+	if len(tlsConfig.CertFile) != 0 && len(tlsConfig.KeyFile) != 0 {
+		cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
+
+		if err != nil {
+			log.Fatalf("load cert fail : %v", err)
+		}
+		config.Certificates = append(config.Certificates, cert)
+	}
+	credentials := credentials.NewTLS(&config)
+	return credentials
+}
+
 func getInitialGrpcTimeout() int32 {
 	initialGrpcTimeout, err := strconv.Atoi(os.Getenv("nacos.remote.client.grpc.timeout"))
 	if err != nil {
@@ -117,6 +158,11 @@ func (c *GrpcClient) createNewConnection(serverInfo ServerInfo) (*grpc.ClientCon
 	opts = append(opts, grpc.WithInsecure())
 	opts = append(opts, grpc.WithInitialWindowSize(getInitialWindowSize()))
 	opts = append(opts, grpc.WithInitialConnWindowSize(getInitialConnWindowSize()))
+	c.getEnvTLSConfig(c.TLSConfig)
+	if c.TLSConfig.Enable {
+		logger.Infof(" tls enable ,trying to connection to server %s with tls config %s", serverInfo.serverIp, c.TLSConfig)
+		opts = append(opts, grpc.WithTransportCredentials(getTLSCredentials(c.TLSConfig, serverInfo)))
+	}
 	rpcPort := serverInfo.serverGrpcPort
 	if rpcPort == 0 {
 		rpcPort = serverInfo.serverPort + c.rpcPortOffset()
@@ -125,6 +171,39 @@ func (c *GrpcClient) createNewConnection(serverInfo ServerInfo) (*grpc.ClientCon
 
 }
 
+func (c *GrpcClient) getEnvTLSConfig(config *constant.TLSConfig) {
+	logger.Infof("check tls config ", config)
+
+	if config.Appointed == true {
+		return
+	}
+	logger.Infof("try to get tls config from env")
+
+	enableTls, err := strconv.ParseBool(os.Getenv("nacos_remote_client_rpc_tls_enable"))
+	if err == nil {
+		config.Enable = enableTls
+		logger.Infof("get tls config from env ，key = enableTls value = %s", enableTls)
+	}
+
+	if enableTls != true {
+		logger.Infof(" tls config from env is not enable")
+		return
+	}
+	trustAll, err := strconv.ParseBool(os.Getenv("nacos_remote_client_rpc_tls_trustAll"))
+	if err == nil {
+		config.TrustAll = trustAll
+		logger.Infof("get tls config from env ，key = trustAll value = %s", trustAll)
+	}
+
+	config.CaFile = os.Getenv("nacos_remote_client_rpc_tls_trustCollectionChainPath")
+	logger.Infof("get tls config from env ，key = trustCollectionChainPath value = %s", config.CaFile)
+	config.CertFile = os.Getenv("nacos_remote_client_rpc_tls_certChainFile")
+	logger.Infof("get tls config from env ，key = certChainFile value = %s", config.CertFile)
+	config.KeyFile = os.Getenv("nacos_remote_client_rpc_tls_certPrivateKey")
+	logger.Infof("get tls config from env ，key = certPrivateKey value = %s", config.KeyFile)
+
+}
+
 func (c *GrpcClient) connectToServer(serverInfo ServerInfo) (IConnection, error) {
 	var client nacos_grpc_service.RequestClient
 	var biStreamClient nacos_grpc_service.BiRequestStreamClient

diff --git a/common/remote/rpc/rpc_client.go b/common/remote/rpc/rpc_client.go
@@ -147,13 +147,13 @@ func getClient(clientName string) IRpcClient {
 	return clientMap[clientName]
 }
 
-func CreateClient(ctx context.Context, clientName string, connectionType ConnectionType, labels map[string]string, nacosServer *nacos_server.NacosServer) (IRpcClient, error) {
+func CreateClient(ctx context.Context, clientName string, connectionType ConnectionType, labels map[string]string, nacosServer *nacos_server.NacosServer, tlsConfig *constant.TLSConfig) (IRpcClient, error) {
 	cMux.Lock()
 	defer cMux.Unlock()
 	if _, ok := clientMap[clientName]; !ok {
 		var rpcClient IRpcClient
 		if GRPC == connectionType {
-			rpcClient = NewGrpcClient(ctx, clientName, nacosServer)
+			rpcClient = NewGrpcClient(ctx, clientName, nacosServer, tlsConfig)
 		}
 		if rpcClient == nil {
 			return nil, errors.New("unsupported connection type")