feat: add self-signed certs config (#329)
Signed-off-by: Gaius <[email protected]>
gaius-qi authored Oct 16, 2024
1 parent 822515f commit 240d603
Showing 7 changed files with 207 additions and 220 deletions.
12 changes: 6 additions & 6 deletions charts/dragonfly/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ name: dragonfly
description: Dragonfly is an intelligent P2P based image and file distribution system
icon: https://raw.githubusercontent.com/dragonflyoss/Dragonfly2/main/docs/images/logo/dragonfly.svg
type: application
version: 1.2.17
version: 1.2.18
appVersion: 2.1.60
keywords:
- dragonfly
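Review bot: a patch-level bump (1.2.17 to 1.2.18) understates this change. The same commit removes documented values (`client.config.security`, `manager.config.security`, `scheduler.config.security`, `scheduler.config.resource`) and renames `client.config.manager.addrs` to `client.config.manager.addr`, all of which break existing values overrides silently; a minor bump (1.3.0) plus explicit entries under `artifacthub.io/changes` would signal that to users pinning the chart.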
Expand All @@ -27,8 +27,8 @@ sources:

annotations:
artifacthub.io/changes: |
- Update tag of the dragonfly image to v2.1.60.
- Update tag of the client image to v2.1.111.
- Rename `certs` to `cert` in client configuration.
- Update tag of the client image to v2.1.112.
artifacthub.io/links: |
- name: Chart Source
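Review bot: the added changelog line says "Update tag of the client image to v2.1.112", but the images annotation and the README rows in this same diff use `v0.1.112` for `dragonflyoss/client` and `dragonflyoss/dfinit`; one of the two is wrong and should be corrected before release. The other new entry, "Rename `certs` to `cert` in client configuration.", refers to a key that does not appear in any file rendered on this page (the seventh changed file is not shown), so it cannot be checked here; the changelog also omits the removal of the `security` and `resource` blocks and the `addrs` to `addr` rename.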
Expand All @@ -43,11 +43,11 @@ annotations:
- name: scheduler
image: dragonflyoss/scheduler:v2.1.60
- name: client
image: dragonflyoss/client:v0.1.111
image: dragonflyoss/client:v0.1.112
- name: seed-client
image: dragonflyoss/client:v0.1.111
image: dragonflyoss/client:v0.1.112
- name: dfinit
image: dragonflyoss/dfinit:v0.1.111
image: dragonflyoss/dfinit:v0.1.112
dependencies:
- name: mysql
33 changes: 5 additions & 28 deletions charts/dragonfly/README.md
Expand Up @@ -140,7 +140,7 @@ helm delete dragonfly --namespace dragonfly-system
| client.config.health.server.port | int | `4003` | port is the port to the health server. |
| client.config.host | object | `{"idc":"","location":""}` | host is the host configuration for dfdaemon. |
| client.config.log.level | string | `"info"` | Specify the logging level [trace, debug, info, warn, error] |
| client.config.manager.addrs | list | `[]` | addrs is manager addresses. |
| client.config.manager.addr | string | `""` | addr is manager address. |
| client.config.metrics.server.port | int | `4002` | port is the port to the metrics server. |
| client.config.proxy.disableBackToSource | bool | `false` | disableBackToSource indicates whether disable to download back-to-source when download failed. |
| client.config.proxy.prefetch | bool | `false` | prefetch pre-downloads full of the task when download with range request. |
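Review bot: "addr is manager address." does not tell the user what form is expected; the client-configmap template in this commit generates `http://<host>:<port>` for the defaults, so the description should say that a scheme and port are required. Also, since Helm does not reject unknown keys, anyone still setting the old `client.config.manager.addrs` list will have it silently ignored and fall back to the in-cluster manager address; a `values.schema.json` entry or a `{{ fail }}` guard on `.Values.client.config.manager.addrs` in the template would surface that at upgrade time.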
Expand All @@ -152,7 +152,6 @@ helm delete dragonfly --namespace dragonfly-system
| client.config.scheduler.enableBackToSource | bool | `true` | enableBackToSource indicates whether enable back-to-source download, when the scheduling failed. |
| client.config.scheduler.maxScheduleCount | int | `5` | maxScheduleCount is the max count of schedule. |
| client.config.scheduler.scheduleTimeout | string | `"30s"` | scheduleTimeout is the timeout for scheduling. If the scheduling timesout, dfdaemon will back-to-source download if enableBackToSource is true, otherwise dfdaemon will return download failed. |
| client.config.security.enable | bool | `false` | enable indicates whether enable security. |
| client.config.server.cacheDir | string | `"/var/cache/dragonfly/dfdaemon/"` | cacheDir is the directory to store cache files. |
| client.config.server.pluginDir | string | `"/var/lib/dragonfly/plugins/dfdaemon/"` | pluginDir is the directory to store plugins. |
| client.config.stats.server.port | int | `4004` | port is the port to the stats server. |
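Review bot: this hunk drops the only documented security knob for the client (`client.config.security.enable`) and adds no replacement row, so nothing in the README documents the `cert` key the changelog says was renamed. If values.yaml gained new certificate settings, regenerate this table from values.yaml so they appear here with type, default and description like the surrounding rows.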
Expand All @@ -174,7 +173,7 @@ helm delete dragonfly --namespace dragonfly-system
| client.dfinit.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
| client.dfinit.image.registry | string | `"docker.io"` | Image registry. |
| client.dfinit.image.repository | string | `"dragonflyoss/dfinit"` | Image repository. |
| client.dfinit.image.tag | string | `"v0.1.111"` | Image tag. |
| client.dfinit.image.tag | string | `"v0.1.112"` | Image tag. |
| client.enable | bool | `true` | Enable client. |
| client.extraVolumeMounts | list | `[{"mountPath":"/var/lib/dragonfly/","name":"storage"},{"mountPath":"/var/log/dragonfly/dfdaemon/","name":"logs"}]` | Extra volumeMounts for dfdaemon. |
| client.extraVolumes | list | `[{"hostPath":{"path":"/var/lib/dragonfly/","type":"DirectoryOrCreate"},"name":"storage"},{"emptyDir":{},"name":"logs"}]` | Extra volumes for dfdaemon. |
Expand All @@ -188,7 +187,7 @@ helm delete dragonfly --namespace dragonfly-system
| client.image.pullSecrets | list | `[]` (defaults to global.imagePullSecrets). | Image pull secrets. |
| client.image.registry | string | `"docker.io"` | Image registry. |
| client.image.repository | string | `"dragonflyoss/client"` | Image repository. |
| client.image.tag | string | `"v0.1.111"` | Image tag. |
| client.image.tag | string | `"v0.1.112"` | Image tag. |
| client.initContainer.image.digest | string | `""` | Image digest. |
| client.initContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
| client.initContainer.image.registry | string | `"docker.io"` | Image registry. |
Expand Down Expand Up @@ -271,13 +270,6 @@ helm delete dragonfly --namespace dragonfly-system
| manager.config.objectStorage.s3ForcePathStyle | bool | `true` | S3ForcePathStyle sets force path style for s3, true by default. Set this to `true` to force the request to use path-style addressing, i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing when possible (`http://BUCKET.s3.amazonaws.com/KEY`). Refer to https://github.com/aws/aws-sdk-go/blob/main/aws/config.go#L118. |
| manager.config.objectStorage.secretKey | string | `""` | SecretKey is access key secret. |
| manager.config.pprofPort | int | `-1` | Listen port for pprof, only valid when the verbose option is true default is -1. If it is 0, pprof will use a random port. |
| manager.config.security.autoIssueCert | bool | `false` | AutoIssueCert indicates to issue client certificates for all grpc call. If AutoIssueCert is false, any other option in Security will be ignored. |
| manager.config.security.caCert | string | `""` | CACert is the CA certificate for all grpc tls handshake, it can be path or PEM format string. |
| manager.config.security.caKey | string | `""` | CAKey is the CA private key, it can be path or PEM format string. |
| manager.config.security.certSpec.dnsNames | list | `["dragonfly-manager","dragonfly-manager.dragonfly-system.svc","dragonfly-manager.dragonfly-system.svc.cluster.local"]` | DNSNames is a list of dns names be set on the certificate. |
| manager.config.security.certSpec.ipAddresses | string | `nil` | IPAddresses is a list of ip addresses be set on the certificate. |
| manager.config.security.certSpec.validityPeriod | string | `"87600h"` | ValidityPeriod is the validity period of certificate. |
| manager.config.security.tlsPolicy | string | `"prefer"` | TLSPolicy controls the grpc shandshake behaviors: force: both ClientHandshake and ServerHandshake are only support tls. prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls. default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls). Notice: If the drgaonfly service has been deployed, a two-step upgrade is required. The first step is to set tlsPolicy to default, and then upgrade the dragonfly services. The second step is to set tlsPolicy to prefer, and tthen completely upgrade the dragonfly services. |
| manager.config.server.cacheDir | string | `""` | Dynconfig cache directory. |
| manager.config.server.grpc.advertiseIP | string | `""` | GRPC advertise ip. |
| manager.config.server.logDir | string | `""` | Log directory. |
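Review bot: removing `manager.config.security.*` also deletes the documented two-step `tlsPolicy` upgrade procedure, but there is no migration note for users who had `autoIssueCert: true` with `caCert`/`caKey` set. After this upgrade the manager configmap no longer renders a `security:` block, so those values are ignored and gRPC behaviour reverts to the binary's default; state that default and the migration path in the changelog, and consider failing the render when `.Values.manager.config.security` is still set.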
Expand Down Expand Up @@ -366,13 +358,6 @@ helm delete dragonfly --namespace dragonfly-system
| scheduler.config.manager.schedulerClusterID | int | `1` | Associated scheduler cluster id. |
| scheduler.config.network.enableIPv6 | bool | `false` | enableIPv6 enables ipv6. |
| scheduler.config.pprofPort | int | `-1` | Listen port for pprof, only valid when the verbose option is true. default is -1. If it is 0, pprof will use a random port. |
| scheduler.config.resource | object | `{"task":{"downloadTiny":{"scheme":"http","timeout":"1m","tls":{"insecureSkipVerify":true}}}}` | resource configuration. |
| scheduler.config.resource.task | object | `{"downloadTiny":{"scheme":"http","timeout":"1m","tls":{"insecureSkipVerify":true}}}` | task configuration. |
| scheduler.config.resource.task.downloadTiny | object | `{"scheme":"http","timeout":"1m","tls":{"insecureSkipVerify":true}}` | downloadTiny is the configuration of downloading tiny task by scheduler. |
| scheduler.config.resource.task.downloadTiny.scheme | string | `"http"` | scheme is download tiny task scheme. |
| scheduler.config.resource.task.downloadTiny.timeout | string | `"1m"` | timeout is http request timeout. |
| scheduler.config.resource.task.downloadTiny.tls | object | `{"insecureSkipVerify":true}` | tls is download tiny task TLS configuration. |
| scheduler.config.resource.task.downloadTiny.tls.insecureSkipVerify | bool | `true` | insecureSkipVerify controls whether a client verifies the server's certificate chain and hostname. |
| scheduler.config.scheduler.algorithm | string | `"default"` | Algorithm configuration to use different scheduling algorithms, default configuration supports "default", "ml" and "nt". "default" is the rule-based scheduling algorithm, "ml" is the machine learning scheduling algorithm. It also supports user plugin extension, the algorithm value is "plugin", and the compiled `d7y-scheduler-plugin-evaluator.so` file is added to the dragonfly working directory plugins. |
| scheduler.config.scheduler.backToSourceCount | int | `200` | backToSourceCount is single task allows the peer to back-to-source count. |
| scheduler.config.scheduler.gc.hostGCInterval | string | `"5m"` | hostGCInterval is the interval of host gc. |
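Review bot: the removed defaults shipped `scheduler.config.resource.task.downloadTiny.tls.insecureSkipVerify: true`, i.e. the scheduler skipped certificate chain and hostname verification when fetching tiny tasks. Dropping the block from the chart means the scheduler's compiled-in default now applies; the commit should say what that default is, because if it is still `true` the chart has only hidden an insecure setting rather than fixed it, and if it is `false` deployments that relied on it will start failing against origins with self-signed certificates. Either outcome deserves a changelog entry.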
Expand All @@ -384,13 +369,6 @@ helm delete dragonfly --namespace dragonfly-system
| scheduler.config.scheduler.retryBackToSourceLimit | int | `5` | retryBackToSourceLimit reaches the limit, then the peer back-to-source. |
| scheduler.config.scheduler.retryInterval | string | `"700ms"` | Retry scheduling interval. |
| scheduler.config.scheduler.retryLimit | int | `7` | Retry scheduling limit times. |
| scheduler.config.security.autoIssueCert | bool | `false` | AutoIssueCert indicates to issue client certificates for all grpc call. If AutoIssueCert is false, any other option in Security will be ignored. |
| scheduler.config.security.caCert | string | `""` | CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string. |
| scheduler.config.security.certSpec.dnsNames | list | `["dragonfly-scheduler","dragonfly-scheduler.dragonfly-system.svc","dragonfly-scheduler.dragonfly-system.svc.cluster.local"]` | DNSNames is a list of dns names be set on the certificate. |
| scheduler.config.security.certSpec.ipAddresses | string | `nil` | IPAddresses is a list of ip addresses be set on the certificate. |
| scheduler.config.security.certSpec.validityPeriod | string | `"4320h"` | ValidityPeriod is the validity period of certificate. |
| scheduler.config.security.tlsPolicy | string | `"prefer"` | TLSPolicy controls the grpc shandshake behaviors: force: both ClientHandshake and ServerHandshake are only support tls. prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls. default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls). Notice: If the drgaonfly service has been deployed, a two-step upgrade is required. The first step is to set tlsPolicy to default, and then upgrade the dragonfly services. The second step is to set tlsPolicy to prefer, and tthen completely upgrade the dragonfly services. |
| scheduler.config.security.tlsVerify | bool | `false` | TLSVerify indicates to verify certificates. |
| scheduler.config.seedPeer.enable | bool | `true` | scheduler enable seed peer as P2P peer, if the value is false, P2P network will not be back-to-source through seed peer but by dfdaemon and preheat feature does not work. |
| scheduler.config.server.advertiseIP | string | `""` | Advertise ip. |
| scheduler.config.server.advertisePort | int | `8002` | Advertise port. |
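Review bot: same migration gap as the manager block above: `scheduler.config.security.tlsVerify` (default `false`) and `tlsPolicy` (`prefer`) are removed without stating what the scheduler now does for gRPC TLS. The old defaults were already permissive (`tlsVerify: false`, `autoIssueCert: false`), so the users who need a migration note are precisely those who had turned verification on explicitly; they should not discover the regression only by inspecting the rendered configmap.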
Expand Down Expand Up @@ -464,7 +442,7 @@ helm delete dragonfly --namespace dragonfly-system
| seedClient.config.health.server.port | int | `4003` | port is the port to the health server. |
| seedClient.config.host | object | `{"idc":"","location":""}` | host is the host configuration for dfdaemon. |
| seedClient.config.log.level | string | `"info"` | Specify the logging level [trace, debug, info, warn, error] |
| seedClient.config.manager.addrs | list | `[]` | addrs is manager addresses. |
| seedClient.config.manager.addr | string | `""` | addr is manager address. |
| seedClient.config.metrics.server.port | int | `4002` | port is the port to the metrics server. |
| seedClient.config.proxy.disableBackToSource | bool | `false` | disableBackToSource indicates whether disable to download back-to-source when download failed. |
| seedClient.config.proxy.prefetch | bool | `false` | prefetch pre-downloads full of the task when download with range request. |
Expand All @@ -475,7 +453,6 @@ helm delete dragonfly --namespace dragonfly-system
| seedClient.config.scheduler.announceInterval | string | `"1m"` | announceInterval is the interval to announce peer to the scheduler. Announcer will provide the scheduler with peer information for scheduling, peer information includes cpu, memory, etc. |
| seedClient.config.scheduler.maxScheduleCount | int | `5` | maxScheduleCount is the max count of schedule. |
| seedClient.config.scheduler.scheduleTimeout | string | `"30s"` | scheduleTimeout is the timeout for scheduling. If the scheduling timesout, dfdaemon will back-to-source download if enableBackToSource is true, otherwise dfdaemon will return download failed. |
| seedClient.config.security.enable | bool | `false` | enable indicates whether enable security. |
| seedClient.config.seedPeer.clusterID | int | `1` | clusterID is the cluster id of the seed peer cluster. |
| seedClient.config.seedPeer.enable | bool | `true` | enable indicates whether enable seed peer. |
| seedClient.config.seedPeer.keepaliveInterval | string | `"15s"` | keepaliveInterval is the interval to keep alive with manager. |
Expand All @@ -500,7 +477,7 @@ helm delete dragonfly --namespace dragonfly-system
| seedClient.image.pullSecrets | list | `[]` (defaults to global.imagePullSecrets). | Image pull secrets. |
| seedClient.image.registry | string | `"docker.io"` | Image registry. |
| seedClient.image.repository | string | `"dragonflyoss/client"` | Image repository. |
| seedClient.image.tag | string | `"v0.1.111"` | Image tag. |
| seedClient.image.tag | string | `"v0.1.112"` | Image tag. |
| seedClient.initContainer.image.digest | string | `""` | Image digest. |
| seedClient.initContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
| seedClient.initContainer.image.registry | string | `"docker.io"` | Image registry. |
9 changes: 3 additions & 6 deletions charts/dragonfly/templates/client/client-configmap.yaml
Expand Up @@ -21,13 +21,12 @@ data:
upload:
{{ toYaml .Values.client.config.upload | indent 6 }}
manager:
addrs:
{{- if .Values.client.config.manager.addrs }}
{{ toYaml .Values.client.config.manager.addrs | indent 6 }}
addr: {{ .Values.client.config.manager.addr }}
{{- else if .Values.manager.enable }}
- http://{{ template "dragonfly.manager.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.manager.grpcPort }}
addr: http://{{ template "dragonfly.manager.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.manager.grpcPort }}
{{- else }}
- http://{{ .Values.externalManager.host }}:{{ .Values.externalManager.grpcPort }}
addr: http://{{ .Values.externalManager.host }}:{{ .Values.externalManager.grpcPort }}
{{- end }}
scheduler:
{{ toYaml .Values.client.config.scheduler | indent 6 }}
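Review bot: `addr: {{ .Values.client.config.manager.addr }}` renders the value unquoted; pipe it through `| quote` so that an address containing characters YAML treats specially, or an empty string, cannot produce a mis-typed or invalid scalar. Separately, both fallback branches hard-code `http://` for the manager gRPC endpoint, so in-cluster client-to-manager traffic is plaintext with no values knob to change the scheme; for a commit about certificate configuration, a scheme value (e.g. a hypothetical `manager.grpcScheme`) would let the default become `https` once the manager serves TLS.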
Expand All @@ -39,8 +38,6 @@ data:
{{ toYaml .Values.client.config.gc | indent 6 }}
proxy:
{{ toYaml .Values.client.config.proxy | indent 6 }}
security:
{{ toYaml .Values.client.config.security | indent 6 }}
health:
{{ toYaml .Values.client.config.health | indent 6 }}
metrics:
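Review bot: with the `security:` block no longer rendered, a user-supplied `client.config.security` in values is silently dropped. If the replacement is the `cert` key mentioned in the changelog, this template should render it; otherwise add a `{{ fail }}` when the old key is still set, so an upgrade does not quietly lose TLS configuration.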
2 changes: 0 additions & 2 deletions charts/dragonfly/templates/manager/manager-configmap.yaml
Expand Up @@ -69,8 +69,6 @@ data:
{{ toYaml .Values.manager.config.job | indent 6 }}
objectStorage:
{{ toYaml .Values.manager.config.objectStorage | indent 6 }}
security:
{{ toYaml .Values.manager.config.security | indent 6 }}
network:
{{ toYaml .Values.manager.config.network | indent 6 }}
metrics:
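Review bot: good that `toYaml .Values.manager.config.security` stops being rendered here: the removed `manager.config.security.caKey` accepted an inline PEM private key, which this line wrote in plaintext into a ConfigMap. Whatever replaces it for self-signed certificates should be supplied through a Secret mounted as a file and referenced by path, not through values rendered into this ConfigMap, and the README for the new keys should say so.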
4 changes: 0 additions & 4 deletions charts/dragonfly/templates/scheduler/scheduler-configmap.yaml
Expand Up @@ -31,8 +31,6 @@ data:
brokerDB: {{ .Values.externalRedis.brokerDB }}
backendDB: {{ .Values.externalRedis.backendDB }}
{{- end }}
resource:
{{ toYaml .Values.scheduler.config.resource | indent 6 }}
dynconfig:
{{ toYaml .Values.scheduler.config.dynconfig | indent 6 }}
host:
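Review bot: dropping the whole `resource:` block removes `downloadTiny.scheme` and `downloadTiny.timeout` along with the `tls.insecureSkipVerify` default. If the intent is only to stop shipping `insecureSkipVerify: true`, keep rendering the block and remove the `tls` default from values.yaml instead, so users can still override scheme and timeout from values.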
Expand Down Expand Up @@ -65,8 +63,6 @@ data:
{{- end }}
storage:
{{ toYaml .Values.scheduler.config.storage | indent 6 }}
security:
{{ toYaml .Values.scheduler.config.security | indent 6 }}
network:
{{ toYaml .Values.scheduler.config.network | indent 6 }}
metrics:
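Review bot: nothing guards against a stale `.Values.scheduler.config.security` after this removal; a `{{- if .Values.scheduler.config.security }}{{ fail "scheduler.config.security has been removed" }}{{- end }}` at the top of the template would make the upgrade fail loudly rather than silently drop TLS settings.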
Expand Up @@ -21,13 +21,12 @@ data:
upload:
{{ toYaml .Values.seedClient.config.upload | indent 6 }}
manager:
addrs:
{{- if .Values.seedClient.config.manager.addrs }}
{{ toYaml .Values.seedClient.config.manager.addrs | indent 6 }}
addr: {{ .Values.seedClient.config.manager.addr }}
{{- else if .Values.manager.enable }}
- http://{{ template "dragonfly.manager.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.manager.grpcPort }}
addr: http://{{ template "dragonfly.manager.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.manager.grpcPort }}
{{- else }}
- http://{{ .Values.externalManager.host }}:{{ .Values.externalManager.grpcPort }}
addr: http://{{ .Values.externalManager.host }}:{{ .Values.externalManager.grpcPort }}
{{- end }}
scheduler:
{{ toYaml .Values.seedClient.config.scheduler | indent 6 }}
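Review bot: the same `| quote` point as in the client configmap applies to `addr: {{ .Values.seedClient.config.manager.addr }}`, and the hard-coded `http://` fallbacks mean the seed client also talks to the manager in plaintext by default. Note that this file's path is not rendered on the page; from the `.Values.seedClient` references it is the seed-client configmap template.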
Expand All @@ -41,8 +40,6 @@ data:
{{ toYaml .Values.seedClient.config.gc | indent 6 }}
proxy:
{{ toYaml .Values.seedClient.config.proxy | indent 6 }}
security:
{{ toYaml .Values.seedClient.config.security | indent 6 }}
health:
{{ toYaml .Values.seedClient.config.health | indent 6 }}
metrics: