Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/02/10 02:49:43 UTC

[GitHub] [servicecomb-service-center] robotLJW opened a new pull request #856: [SCB-2094]Mongo supports CA certificate verification

robotLJW opened a new pull request #856:
URL: https://github.com/apache/servicecomb-service-center/pull/856


   
   





[GitHub] [servicecomb-service-center] tianxiaoliang merged pull request #856: [SCB-2094]Mongo supports CA certificate verification

Posted by GitBox <gi...@apache.org>.
tianxiaoliang merged pull request #856:
URL: https://github.com/apache/servicecomb-service-center/pull/856


   





[GitHub] [servicecomb-service-center] tianxiaoliang commented on a change in pull request #856: [SCB-2094]Mongo supports CA certificate verification

Posted by GitBox <gi...@apache.org>.
tianxiaoliang commented on a change in pull request #856:
URL: https://github.com/apache/servicecomb-service-center/pull/856#discussion_r573525159



##########
File path: datasource/mongo/mongo.go
##########
@@ -87,7 +87,10 @@ func (ds *DataSource) initPlugins() error {
 
 func (ds *DataSource) initClient() error {
 	uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017", config.WithStandby("manager_cluster"))
-	cfg := storage.NewConfig(uri)
+	sslEnable := config.GetBool("registry.mongo.cluster.sslEnable", false)
+	rootCA := config.GetString("registry.mongo.cluster.rootCA", "/opt/kie/ca.crt")
+	verifyPeer := config.GetBool("registry.mongo.cluster.verifyPeer", true)
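Review bot: The `rootCA` default of `/opt/kie/ca.crt` on the third added line means the empty-string guard in client/mongo.go's newClient (`if mc.dbconfig.RootCA == "" { err = ErrRootCAMissing }`) can never trigger from this config path, so an operator who turns on `sslEnable` without configuring a CA gets a file-read failure for a fixed path that may not exist on the host instead of the intended configuration error. Defaulting to empty, `rootCA := config.GetString("registry.mongo.cluster.rootCA", "")`, makes a missing CA fail at startup with ErrRootCAMissing. The three new keys would also benefit from a one-line comment stating that `rootCA` and `verifyPeer` are only consulted when `sslEnable` is true, which is what the client code does. initClient's body continues past the hunk, so how these values reach storage.NewConfig is not visible here.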

Review comment:
       默认false

##########
File path: datasource/mongo/client/mongo.go
##########
@@ -125,8 +128,28 @@ func (mc *MongoClient) HealthCheck(ctx context.Context) {
 }
 
 func (mc *MongoClient) newClient(ctx context.Context) (err error) {
-	clientOptions := options.Client().ApplyURI(mc.dbconfig.URI)
-	mc.client, err = mongo.Connect(ctx, clientOptions)
+	clientOptions := []*options.ClientOptions{options.Client().ApplyURI(mc.dbconfig.URI)}
+	if mc.dbconfig.SSLEnabled {
+		if mc.dbconfig.RootCA == "" {
+			err = ErrRootCAMissing
+			return
+		}
+		pool := x509.NewCertPool()
+		caCert, err := ioutil.ReadFile(mc.dbconfig.RootCA)
+		if err != nil {
+			err = fmt.Errorf("read ca cert file %s failed", mc.dbconfig.RootCA)
+			log.Error("ca cert :", err)
+			return err
+		}
+		pool.AppendCertsFromPEM(caCert)
+		tc := &tls.Config{
+			RootCAs:            pool,
+			InsecureSkipVerify: mc.dbconfig.VerifyPeer,
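Review bot: The return value of `pool.AppendCertsFromPEM(caCert)` is dropped, so a CA file that contains no parseable PEM certificate leaves the pool empty and every TLS handshake to Mongo then fails with an opaque verification error instead of a pointed message at startup; the boolean result should be checked and turned into an error. In the same block, `caCert, err := ioutil.ReadFile(mc.dbconfig.RootCA)` declares a new `err` that shadows the named result, and the replacement `fmt.Errorf` discards the underlying read failure, so the log line never shows why the file could not be read; naming the local differently and wrapping the cause with `%w` (requires Go 1.13 or newer in go.mod) keeps it. newClient's body continues past the hunk, so the remainder of the tls.Config literal and the Connect call are not visible here.
```go
		caCert, readErr := ioutil.ReadFile(mc.dbconfig.RootCA)
		if readErr != nil {
			err = fmt.Errorf("read ca cert file %s: %w", mc.dbconfig.RootCA, readErr)
			log.Error("ca cert :", err)
			return err
		}
		if !pool.AppendCertsFromPEM(caCert) {
			err = fmt.Errorf("no valid PEM certificate found in ca cert file %s", mc.dbconfig.RootCA)
			log.Error("ca cert :", err)
			return err
		}
		// … unchanged: tls.Config construction …
```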

Review comment:
       这个条件错了,应该加非,你得测下,否则这段代码不确定是不是work,这个写法明显不work



