author | yuryalekseev <yuryalekseev@yandex-team.com> | 2022-09-28 12:52:22 +0300 |
committer | yuryalekseev <yuryalekseev@yandex-team.com> | 2022-09-28 12:52:22 +0300 |
commit | 300c8cdc8cdb9efcf173ab131ef620708cdfd780 (patch) | |
tree | 72f6dd98ac25b504eda962bea242f1833cfd5f8b | |
parent | f024fe34b8d6b7bbdb6f4361fadd0b5b59b98b9f (diff) | |
download | ydb-300c8cdc8cdb9efcf173ab131ef620708cdfd780.tar.gz |
Add support for separate certificate configuration of grpc and ic.
-rw-r--r-- | ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp | 63 | ||||
-rw-r--r-- | ydb/core/driver_lib/run/run.cpp | 42 | ||||
-rw-r--r-- | ydb/core/http_proxy/auth_factory.cpp | 2 | ||||
-rw-r--r-- | ydb/core/protos/config.proto | 3 |
4 files changed, 86 insertions, 24 deletions
diff --git a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
index 4de480e11f7..30d1f53382a 100644
--- a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
+++ b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
@@ -84,9 +84,12 @@ protected:
 TVector<TString> GRpcPublicAddressesV4;
 TVector<TString> GRpcPublicAddressesV6;
 TString GRpcPublicTargetNameOverride;
- TString PathToCert;
- TString PathToPKey;
- TString PathToCA;
+ TString PathToGrpcCertFile;
+ TString PathToInterconnectCertFile;
+ TString PathToGrpcPrivateKeyFile;
+ TString PathToInterconnectPrivateKeyFile;
+ TString PathToGrpcCaFile;
+ TString PathToInterconnectCaFile;
 TVector<TString> YamlConfigFiles;
 TClientCommandServerBase(const char *cmd, const char *description)
@@ -239,9 +242,15 @@ protected:
 .RequiredArgument("NAME").StoreResult(&NodeType);
 config.Opts->AddLongOption("ignore-cms-configs", "Don't load configs from CMS")
 .NoArgument().SetFlag(&IgnoreCmsConfigs);
- config.Opts->AddLongOption("cert", "Path to client certificate file (PEM)").RequiredArgument("PATH").StoreResult(&PathToCert);
- config.Opts->AddLongOption("key", "Path to private key file (PEM)").RequiredArgument("PATH").StoreResult(&PathToPKey);
- config.Opts->AddLongOption("ca", "Path to certificate authority file (PEM)").RequiredArgument("PATH").StoreResult(&PathToCA);
+ config.Opts->AddLongOption("cert", "Path to client certificate file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectCertFile);
+ config.Opts->AddLongOption("grpc-cert", "Path to client certificate file (PEM) for grpc").RequiredArgument("PATH").StoreResult(&PathToGrpcCertFile);
+ config.Opts->AddLongOption("ic-cert", "Path to client certificate file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectCertFile);
+ config.Opts->AddLongOption("key", "Path to private key file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectPrivateKeyFile);
+ config.Opts->AddLongOption("grpc-key", "Path to private key file (PEM) for grpc").RequiredArgument("PATH").StoreResult(&PathToGrpcPrivateKeyFile);
+ config.Opts->AddLongOption("ic-key", "Path to private key file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectPrivateKeyFile);
+ config.Opts->AddLongOption("ca", "Path to certificate authority file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectCaFile);
+ config.Opts->AddLongOption("grpc-ca", "Path to certificate authority file (PEM) for grpc").RequiredArgument("PATH").StoreResult(&PathToGrpcCaFile);
+ config.Opts->AddLongOption("ic-ca", "Path to certificate authority file (PEM) for interconnect").RequiredArgument("PATH").StoreResult(&PathToInterconnectCaFile);
 config.Opts->AddLongOption("data-center", "data center name (used to describe dynamic node location)")
 .RequiredArgument("NAME").StoreResult(&DataCenter);
 config.Opts->AddLongOption("rack", "rack name (used to describe dynamic node location)")
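Review bot: `--cert`, `--key` and `--ca` now store into the same members as `--ic-cert`, `--ic-key` and `--ic-ca`, so giving both forms (say `--cert X --ic-cert Y`) silently keeps whichever the parser handles last, with no diagnostic and nothing in the help text saying that the short names are interconnect-only aliases. Before this change the single `--ca` also fed the CMS client path in the hunk at L19, so an operator who reads `--ca` as "the CA" will not learn from `--help` that the gRPC listener is now configured by `--grpc-ca` or the GRpcConfig file fields. Suggest spelling that out in the help strings, e.g. `"Path to certificate authority file (PEM) for interconnect (alias of --ic-ca; the gRPC listener uses --grpc-ca)"`, and likewise for `cert` and `key`. The enclosing option-registration function starts and ends outside the hunk.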
@@ -467,14 +476,40 @@ protected:
 }
 // apply certificates, if any
- if (config.ParseResult->Has("cert")) {
- AppConfig.MutableInterconnectConfig()->SetPathToCertificateFile(PathToCert);
+ if (!PathToInterconnectCertFile.Empty()) {
+ AppConfig.MutableInterconnectConfig()->SetPathToCertificateFile(PathToInterconnectCertFile);
 }
- if (config.ParseResult->Has("key")) {
- AppConfig.MutableInterconnectConfig()->SetPathToPrivateKeyFile(PathToPKey);
+
+ if (!PathToInterconnectPrivateKeyFile.Empty()) {
+ AppConfig.MutableInterconnectConfig()->SetPathToPrivateKeyFile(PathToInterconnectPrivateKeyFile);
+ }
+
+ if (!PathToInterconnectCaFile.Empty()) {
+ AppConfig.MutableInterconnectConfig()->SetPathToCaFile(PathToInterconnectCaFile);
+ }
+
+ if (AppConfig.HasGRpcConfig() && AppConfig.GetGRpcConfig().HasCert()) {
+ AppConfig.MutableGRpcConfig()->SetPathToCertificateFile(AppConfig.GetGRpcConfig().GetCert());
+ }
+
+ if (!PathToGrpcCertFile.Empty()) {
+ AppConfig.MutableGRpcConfig()->SetPathToCertificateFile(PathToGrpcCertFile);
 }
- if (config.ParseResult->Has("ca")) {
- AppConfig.MutableInterconnectConfig()->SetPathToCaFile(PathToCA);
+
+ if (AppConfig.HasGRpcConfig() && AppConfig.GetGRpcConfig().HasKey()) {
+ AppConfig.MutableGRpcConfig()->SetPathToPrivateKeyFile(AppConfig.GetGRpcConfig().GetKey());
+ }
+
+ if (config.ParseResult->Has("grpc-key")) {
+ AppConfig.MutableGRpcConfig()->SetPathToPrivateKeyFile(PathToGrpcPrivateKeyFile);
+ }
+
+ if (AppConfig.HasGRpcConfig() && AppConfig.GetGRpcConfig().HasCA()) {
+ AppConfig.MutableGRpcConfig()->SetPathToCaFile(AppConfig.GetGRpcConfig().GetCA());
+ }
+
+ if (config.ParseResult->Has("grpc-ca")) {
+ AppConfig.MutableGRpcConfig()->SetPathToCaFile(PathToGrpcCaFile);
 }
 if (!AppConfig.HasDomainsConfig())
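Review bot: The guards for the gRPC overrides are inconsistent: `grpc-cert` is applied when `!PathToGrpcCertFile.Empty()`, while `grpc-key` and `grpc-ca` use `config.ParseResult->Has(...)`, so `--grpc-key ""` stores an empty string into `PathToPrivateKeyFile`; since the proto field is `optional`, `HasPathToPrivateKeyFile()` then reports it as present and the run.cpp hunk at L20 aborts on `Y_VERIFY(!pathToPrivateKeyFile.Empty(), ...)` instead of falling back to the legacy `Key` field. Fail-closed is acceptable, but the asymmetry looks accidental; suggest `if (!PathToGrpcPrivateKeyFile.Empty()) {` and `if (!PathToGrpcCaFile.Empty()) {` to match the other four blocks. Copying the legacy `Cert`/`Key`/`CA` into the `PathTo*` fields here also duplicates the fallback that run.cpp's `GET_PATH_TO_FILE` already performs, so either the copy can go or it deserves a one-line comment such as `// Promote legacy GRpcConfig.Cert/Key/CA so that the --grpc-* flags below override them`. The enclosing function starts before and ends after the hunk.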
@@ -1120,8 +1155,8 @@ private:
 grpcConfig.LoadBalancingPolicy = "round_robin";
 if (endpoint.EnableSsl.Defined()) {
 grpcConfig.EnableSsl = endpoint.EnableSsl.GetRef();
- if (PathToCA) {
- grpcConfig.SslCaCert = ReadFromFile(PathToCA, "CA certificates");
+ if (!PathToInterconnectCaFile.Empty()) {
+ grpcConfig.SslCaCert = ReadFromFile(PathToInterconnectCaFile, "CA certificates");
 }
 }
 return NClient::TKikimr(grpcConfig);
diff --git a/ydb/core/driver_lib/run/run.cpp b/ydb/core/driver_lib/run/run.cpp
index 2340d649e97..d57e11631d6 100644
--- a/ydb/core/driver_lib/run/run.cpp
+++ b/ydb/core/driver_lib/run/run.cpp
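Review bot: The CMS gRPC client built here keeps taking its trust root from the interconnect CA (`PathToInterconnectCaFile`), even though this commit introduces a separate gRPC CA, so a node started with only `--grpc-ca` ends up with no `SslCaCert` for this connection. If the intent is that gRPC endpoints are trusted via the gRPC CA, prefer it and fall back to the interconnect one: `const TString& caFile = !PathToGrpcCaFile.Empty() ? PathToGrpcCaFile : PathToInterconnectCaFile;` followed by `if (!caFile.Empty()) { grpcConfig.SslCaCert = ReadFromFile(caFile, "CA certificates"); }`. What `NClient::TKikimr` does when `EnableSsl` is true and `SslCaCert` is empty is outside this hunk, so whether the connection then uses system roots or fails is worth confirming before relying on either CA being optional. The enclosing function starts outside the hunk.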
@@ -857,16 +857,23 @@ void TKikimrRunner::InitializeGRpc(const TKikimrRunConfig& runConfig) {
 }
 }
+#define GET_PATH_TO_FILE(GRPC_CONFIG, PRIMARY_FIELD, SECONDARY_FIELD) \
+ (GRPC_CONFIG.Has##PRIMARY_FIELD() ? GRPC_CONFIG.Get##PRIMARY_FIELD() : GRPC_CONFIG.Get##SECONDARY_FIELD())
+
 NGrpc::TServerOptions sslOpts = opts;
 if (grpcConfig.HasSslPort() && grpcConfig.GetSslPort()) {
- Y_VERIFY(grpcConfig.HasCA(), "CA not set");
- Y_VERIFY(grpcConfig.HasCert(), "Cert not set");
- Y_VERIFY(grpcConfig.HasKey(), "Key not set");
+ const auto& pathToCaFile = GET_PATH_TO_FILE(grpcConfig, PathToCaFile, CA);
+ const auto& pathToCertificateFile = GET_PATH_TO_FILE(grpcConfig, PathToCertificateFile, Cert);
+ const auto& pathToPrivateKeyFile = GET_PATH_TO_FILE(grpcConfig, PathToPrivateKeyFile, Key);
+
+ Y_VERIFY(!pathToCaFile.Empty(), "CA not set");
+ Y_VERIFY(!pathToCertificateFile.Empty(), "Cert not set");
+ Y_VERIFY(!pathToPrivateKeyFile.Empty(), "Key not set");
 sslOpts.SetPort(grpcConfig.GetSslPort());
 NGrpc::TSslData sslData;
- sslData.Root = ReadFile(grpcConfig.GetCA());
- sslData.Cert = ReadFile(grpcConfig.GetCert());
- sslData.Key = ReadFile(grpcConfig.GetKey());
+ sslData.Root = ReadFile(pathToCaFile);
+ sslData.Cert = ReadFile(pathToCertificateFile);
+ sslData.Key = ReadFile(pathToPrivateKeyFile);
 sslOpts.SetSslData(sslData);
 GRpcServers.push_back({ "grpcs", new NGrpc::TGRpcServer(sslOpts) });
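Review bot: `GET_PATH_TO_FILE` is a function-local preprocessor macro with `##` token pasting, `#define`d between statements here and `#undef`'d in the next hunk (L21) after the per-endpoint loop, and the same precedence rule is then hand-written a third time in auth_factory.cpp (also at L21). A plain helper states it once and is visible in a debugger: `static const TString& PickCertPath(bool hasPath, const TString& path, const TString& legacy) { return hasPath ? path : legacy; }`, called as `PickCertPath(grpcConfig.HasPathToCaFile(), grpcConfig.GetPathToCaFile(), grpcConfig.GetCA())`, and the `ex`-then-`grpcConfig` chain in the L21 hunk becomes two nested calls. The `const auto&` bindings are fine as written, since both branches of the ternary are references into `grpcConfig`, but a comment such as `// New PathTo* fields win over the legacy inline CA/Cert/Key fields` would save the next reader from decoding the macro. The enclosing `InitializeGRpc` starts and ends outside the hunk.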
@@ -898,9 +905,26 @@ void TKikimrRunner::InitializeGRpc(const TKikimrRunConfig& runConfig) {
 NGrpc::TSslData sslData;
- sslData.Root = ex.HasCA() ? ReadFile(ex.GetCA()) : ReadFile(grpcConfig.GetCA());
- sslData.Cert = ex.HasCert() ? ReadFile(ex.GetCert()) : ReadFile(grpcConfig.GetCert());
- sslData.Key = ex.HasKey() ? ReadFile(ex.GetKey()) : ReadFile(grpcConfig.GetKey());
+
+ auto pathToCaFile = GET_PATH_TO_FILE(ex, PathToCaFile, CA);
+ if (pathToCaFile.Empty()) {
+ pathToCaFile = GET_PATH_TO_FILE(grpcConfig, PathToCaFile, CA);
+ }
+ sslData.Root = ReadFile(pathToCaFile);
+
+ auto pathToCertificateFile = GET_PATH_TO_FILE(ex, PathToCertificateFile, Cert);
+ if (pathToCertificateFile.Empty()) {
+ pathToCertificateFile = GET_PATH_TO_FILE(grpcConfig, PathToCertificateFile, Cert);
+ }
+ sslData.Cert = ReadFile(pathToCertificateFile);
+
+ auto pathToPrivateKeyFile = GET_PATH_TO_FILE(ex, PathToPrivateKeyFile, Key);
+ if (pathToPrivateKeyFile.Empty()) {
+ pathToPrivateKeyFile = GET_PATH_TO_FILE(grpcConfig, PathToPrivateKeyFile, Key);
+ }
+ sslData.Key = ReadFile(pathToPrivateKeyFile);
+#undef GET_PATH_TO_FILE
+
 xopts.SetSslData(sslData);
 Y_VERIFY(xopts.SslData->Root, "CA not set");
diff --git a/ydb/core/http_proxy/auth_factory.cpp b/ydb/core/http_proxy/auth_factory.cpp
index 2a41745c62d..f00d79e50dc 100644
--- a/ydb/core/http_proxy/auth_factory.cpp
+++ b/ydb/core/http_proxy/auth_factory.cpp
@@ -23,7 +23,7 @@ void TAuthFactory::Initialize(
 // secure = true;
 grpcPort = grpcConfig.GetSslPort();
 }
- CA = grpcConfig.GetCA();
+ CA = grpcConfig.HasPathToCaFile() ? grpcConfig.GetPathToCaFile() : grpcConfig.GetCA();
 NKikimrConfig::TServerlessProxyConfig config;
 config.MutableHttpConfig()->CopyFrom(httpConfig);
diff --git a/ydb/core/protos/config.proto b/ydb/core/protos/config.proto
index 6e7444f8fb6..eeee15d6a2c 100644
--- a/ydb/core/protos/config.proto
+++ b/ydb/core/protos/config.proto
@@ -593,6 +593,9 @@ message TGRpcConfig {
 optional string CA = 10;
 optional string Cert = 11;
 optional string Key = 12;
+ optional string PathToCertificateFile = 27;
+ optional string PathToPrivateKeyFile = 28;
+ optional string PathToCaFile = 29;
 // public host/port for publishing
 optional string PublicHost = 13;
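Review bot: The three new fields carry no comment on how they relate to `CA`/`Cert`/`Key` (fields 10-12), while run.cpp and auth_factory.cpp in this commit give a `PathTo*` field precedence whenever it is present. Suggest documenting that next to the fields, e.g. `// File paths for the gRPC listener's certificate, private key and CA bundle; when set they take precedence over Cert/Key/CA above, which remain as a fallback.` Any reader of `GetCA()`/`GetCert()`/`GetKey()` that this commit does not touch would keep ignoring the new fields, so the comment should also name the new fields as the ones new code is expected to read.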