Posted to commits@servicecomb.apache.org by ti...@apache.org on 2021/02/19 07:25:00 UTC
[servicecomb-service-center] branch master updated: [SCB-2094]Mongo
supports CA certificate verification (#856)
This is an automated email from the ASF dual-hosted git repository.
tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new dae6b80 [SCB-2094]Mongo supports CA certificate verification (#856)
dae6b80 is described below
commit dae6b806ec1dae0be3c7a8aef1cd0c4482cc2618
Author: robotLJW <79...@qq.com>
AuthorDate: Fri Feb 19 15:24:48 2021 +0800
[SCB-2094]Mongo supports CA certificate verification (#856)
---
datasource/mongo/client/common.go | 1 +
datasource/mongo/client/mongo.go | 37 +++++++++++++++++++++++++++++++++++--
datasource/mongo/mongo.go | 9 +++++++--
etc/conf/app.yaml | 5 +++++
go.mod | 5 +++--
scripts/build/local.sh | 1 -
6 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/datasource/mongo/client/common.go b/datasource/mongo/client/common.go
index e71706a..1fa44d5 100644
--- a/datasource/mongo/client/common.go
+++ b/datasource/mongo/client/common.go
@@ -22,4 +22,5 @@ import (
var (
ErrCollectionsNil = errors.New("collection is nil")
ErrOpenDbFailed = errors.New("open db failed")
+ ErrRootCAMissing = errors.New("rootCAFile is empty in config file")
)
diff --git a/datasource/mongo/client/mongo.go b/datasource/mongo/client/mongo.go
index b0739be..3c27476 100644
--- a/datasource/mongo/client/mongo.go
+++ b/datasource/mongo/client/mongo.go
@@ -17,7 +17,10 @@ package client
import (
"context"
+ "crypto/tls"
+ "crypto/x509"
"fmt"
+ "io/ioutil"
"time"
"github.com/apache/servicecomb-service-center/pkg/gopool"
@@ -125,8 +128,38 @@ func (mc *MongoClient) HealthCheck(ctx context.Context) {
}
func (mc *MongoClient) newClient(ctx context.Context) (err error) {
- clientOptions := options.Client().ApplyURI(mc.dbconfig.URI)
- mc.client, err = mongo.Connect(ctx, clientOptions)
+ clientOptions := []*options.ClientOptions{options.Client().ApplyURI(mc.dbconfig.URI)}
+ if mc.dbconfig.SSLEnabled {
+ if mc.dbconfig.RootCA == "" {
+ err = ErrRootCAMissing
+ return
+ }
+ pool := x509.NewCertPool()
+ caCert, err := ioutil.ReadFile(mc.dbconfig.RootCA)
+ if err != nil {
+ err = fmt.Errorf("read ca cert file %s failed", mc.dbconfig.RootCA)
+ log.Error("ca cert :", err)
+ return err
+ }
+ pool.AppendCertsFromPEM(caCert)
+ clientCerts := make([]tls.Certificate, 0)
+ if mc.dbconfig.CertFile != "" && mc.dbconfig.KeyFile != "" {
+ cert, err := tls.LoadX509KeyPair(mc.dbconfig.CertFile, mc.dbconfig.KeyFile)
+ if err != nil {
+ log.Error("load X509 keyPair failed: ", err)
+ return err
+ }
+ clientCerts = append(clientCerts, cert)
+ }
+ tc := &tls.Config{
+ RootCAs: pool,
+ InsecureSkipVerify: !mc.dbconfig.VerifyPeer,
+ Certificates: clientCerts,
+ }
+ clientOptions = append(clientOptions, options.Client().SetTLSConfig(tc))
+ log.Info("enabled ssl communication to mongodb")
+ }
+ mc.client, err = mongo.Connect(ctx, clientOptions...)
if err != nil {
log.Error("failed to connect to mongo", err)
if derr := mc.client.Disconnect(ctx); derr != nil {
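Review bot: With `verifyPeer` defaulting to false (the `config.GetBool("registry.mongo.cluster.verifyPeer", false)` default in datasource/mongo/mongo.go and `verifyPeer: false` in etc/conf/app.yaml), `InsecureSkipVerify: !mc.dbconfig.VerifyPeer` evaluates to true unless an operator opts in, so the CA pool built just above is never consulted and the MongoDB server certificate goes unverified by default; a CA-verification feature should ship with `verifyPeer: true` and the code default `config.GetBool("registry.mongo.cluster.verifyPeer", true)`, and log a warning whenever verification is disabled. The return value of `pool.AppendCertsFromPEM(caCert)` is ignored, so an empty or non-PEM CA file leaves the pool empty and, once verification is on, every connect fails with an opaque x509 error instead of a clear configuration error. On the `caCert, err := ioutil.ReadFile(...)` line `err` shadows the named result and the following `err = fmt.Errorf(...)` overwrites the read error before it is logged or returned, so the cause (missing file vs. permission denied) is lost; wrap it with `%w` instead. newClient's body continues past the end of the hunk.
```go
	pool := x509.NewCertPool()
	caCert, err := ioutil.ReadFile(mc.dbconfig.RootCA)
	if err != nil {
		err = fmt.Errorf("read ca cert file %s: %w", mc.dbconfig.RootCA, err)
		log.Error("ca cert :", err)
		return err
	}
	if !pool.AppendCertsFromPEM(caCert) {
		err = fmt.Errorf("no PEM certificates parsed from ca cert file %s", mc.dbconfig.RootCA)
		log.Error("ca cert :", err)
		return err
	}
	// … unchanged: client key pair loading, tls.Config, SetTLSConfig, Connect …
```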
diff --git a/datasource/mongo/mongo.go b/datasource/mongo/mongo.go
index 731704c..b4a8ce1 100644
--- a/datasource/mongo/mongo.go
+++ b/datasource/mongo/mongo.go
@@ -86,8 +86,13 @@ func (ds *DataSource) initPlugins() error {
}
func (ds *DataSource) initClient() error {
- uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017", config.WithStandby("manager_cluster"))
- cfg := storage.NewConfig(uri)
+ uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017")
+ sslEnable := config.GetBool("registry.mongo.cluster.sslEnabled", false)
+ rootCA := config.GetString("registry.mongo.cluster.rootCAFile", "/opt/ssl/ca.crt")
+ verifyPeer := config.GetBool("registry.mongo.cluster.verifyPeer", false)
+ certFile := config.GetString("registry.mongo.cluster.certFile", "")
+ keyFile := config.GetString("registry.mongo.cluster.keyFile", "")
+ cfg := storage.NewConfig(uri, storage.SSLEnabled(sslEnable), storage.RootCA(rootCA), storage.VerifyPeer(verifyPeer), storage.CertFile(certFile), storage.KeyFile(keyFile))
client.NewMongoClient(cfg)
select {
case err := <-client.GetMongoClient().Err():
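Review bot: The new `uri` lookup drops the `config.WithStandby("manager_cluster")` option that the replaced line passed, so a deployment that still supplies the URI under the `manager_cluster` standby key would presumably fall back to `mongodb://localhost:27017` without any error; if retiring the standby key is intended it belongs in the commit description, otherwise keep `uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017", config.WithStandby("manager_cluster"))`. The code defaults for `certFile`/`keyFile` are empty while the shipped app.yaml sets `/opt/ssl/client.crt` and `/opt/ssl/client.key`, so whether client-certificate authentication is attempted depends on whether the keys are present in the config file; a comment such as `// empty certFile/keyFile means no client certificate is presented to mongo` above those lines would make that explicit. initClient's body continues past the end of the hunk.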
diff --git a/etc/conf/app.yaml b/etc/conf/app.yaml
index 82b2f50..1bd7719 100644
--- a/etc/conf/app.yaml
+++ b/etc/conf/app.yaml
@@ -96,6 +96,11 @@ registry:
timeout: 10
cluster:
uri: mongodb://localhost:27017
+ sslEnabled: false
+ rootCAFile: /opt/ssl/ca.crt
+ verifyPeer: false
+ certFile: /opt/ssl/client.crt
+ keyFile: /opt/ssl/client.key
service:
# enable the job clear the microservices which deploy no instance
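Review bot: The five new TLS keys carry no comments although the surrounding file annotates its options (for example `# enable the job clear the microservices ...`), and an operator cannot tell from the file which of them are required together. Add above `sslEnabled` a comment like `# sslEnabled: connect to mongo over TLS; rootCAFile must point at the CA bundle when true` and above `verifyPeer` a comment like `# verifyPeer: when false the server certificate is not verified and rootCAFile is not used`, and note next to `certFile`/`keyFile` that both are optional and only used together.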
diff --git a/go.mod b/go.mod
index 552ce00..1f1de6c 100644
--- a/go.mod
+++ b/go.mod
@@ -19,8 +19,8 @@ require (
github.com/ghodss/yaml v1.0.0
github.com/go-chassis/cari v0.0.2-0.20210208095358-3bccdf2ce456
github.com/go-chassis/foundation v0.2.2
- github.com/go-chassis/go-archaius v1.3.6-0.20201130023516-387922b408d0
- github.com/go-chassis/go-chassis/v2 v2.1.1-0.20201208095114-93feb76fd997
+ github.com/go-chassis/go-archaius v1.3.6-0.20201210061741-7450779aaeb8
+ github.com/go-chassis/go-chassis/v2 v2.1.1-0.20210218100404-85e04ad6bd31
github.com/go-chassis/kie-client v0.0.0-20210122061843-eee856b0a9af
github.com/golang/protobuf v1.4.2
github.com/gorilla/websocket v1.4.2
@@ -34,6 +34,7 @@ require (
github.com/karlseguin/expect v1.0.7 // indirect
github.com/labstack/echo/v4 v4.1.18-0.20201218141459-936c48a17e97
github.com/mattn/go-runewidth v0.0.9 // indirect
+ github.com/mitchellh/mapstructure v1.3.3 // indirect
github.com/natefinch/lumberjack v0.0.0-20170531160350-a96e63847dc3
github.com/olekukonko/tablewriter v0.0.0-20180506121414-d4647c9c7a84
github.com/onsi/ginkgo v1.14.0
diff --git a/scripts/build/local.sh b/scripts/build/local.sh
index 2dfb536..ba76d94 100644
--- a/scripts/build/local.sh
+++ b/scripts/build/local.sh
@@ -16,7 +16,6 @@
# limitations under the License.
set -e
-export GOPROXY=https://goproxy.io
export GOOS=${1:-"linux"}
export GOARCH=${4:-"amd64"}
export CGO_ENABLED=${CGO_ENABLED:-0} # prevent to compile cgo file