You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2022/06/27 15:19:43 UTC
[GitHub] [dubbo-go] ZLBer opened a new pull request, #1945: [WIP]feat: support xds certificate
ZLBer opened a new pull request, #1945:
URL: https://github.com/apache/dubbo-go/pull/1945
<!-- Thanks for sending a pull request!
Read https://github.com/apache/dubbo-go/blob/master/CONTRIBUTING.md before commit pull request.
-->
**What this PR does**:
support xds certificate , fetch cert from agent mode or no agent mode, using it for rpc tls and xds tls.
working in progress, do not merge.
**Which issue(s) this PR fixes**:
Fixes #1808
**You should pay attention to items below to ensure your pr passes our ci test**
We do not merge pr with ci tests failed
- [ ] All ut passed (run 'go test ./...' in project root)
- [ ] After go-fmt ed , run 'go fmt project' using goland.
- [ ] Golangci-lint passed, run 'sudo golangci-lint run' in project root.
- [ ] After import formatted, (using [imports-formatter](https://github.com/dubbogo/tools#5-how-to-get-imports-formatter) to run 'imports-formatter .' in project root, to format your import blocks, mentioned in [CONTRIBUTING.md](https://github.com/apache/dubbo-go/blob/master/CONTRIBUTING.md) above)
- [ ] Your new-created file needs to have [apache license](https://raw.githubusercontent.com/dubbogo/resources/master/tools/license/license.txt) at the top, like other existed file does.
- [ ] All integration test passed. You can run integration test locally (with docker env). Clone our [dubbo-go-samples](https://github.com/apache/dubbo-go-samples) project and replace the go.mod to your dubbo-go, and run 'sudo sh start_integration_test.sh' at root of samples project root. (M1 Slice is not Support)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r933988192
##########
xds/credentials/certgenerate/generate_cert.go:
##########
@@ -242,12 +242,12 @@ func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate,
// signerCertFile: cert file name
// signerPrivFile: private key file name
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error) {
- signerCertBytes, err := os.ReadFile(signerCertFile)
+ signerCertBytes, err := ioutil.ReadFile(signerCertFile)
Review Comment:
这个是因为golint检查报错我才改成ioutil包的, 因为dubbo-go用的go 1.15版本没有os.ReadFile这个函数。
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200369039
@LaurenceLiZhixin fixed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r969128411
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
Review Comment:
`NewCertManager()` is not called?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r964599566
##########
xds/credentials/certprovider/remote/istioca_client.go:
##########
@@ -0,0 +1,211 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Copyright Istio Authors
+
+package remote
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "errors"
+ "fmt"
+ "log"
+ "path/filepath"
+ "strings"
+ "time"
+)
+
+import (
+ structpb "github.com/golang/protobuf/ptypes/struct"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/metadata"
+)
+
+import (
+ v1alpha1 "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote/v1alpha1"
+)
+
+const (
+ // CertSigner info
+ CertSigner = "CertSigner"
+)
+
+type Options struct {
+ CAEndpoint string
+ CAEndpointSAN string
+
+ TokenProvider credentials.PerRPCCredentials
+ GRPCOptions []grpc.DialOption
+
+ CertSigner string
+ ClusterID string
+
+ TrustedRoots *x509.CertPool
+
+ // ProvCert contains a long-lived 'provider' certificate that will be
+ // exchanged with the workload certificate.
+ // It is a cert signed by same CA (or a CA trusted by Istiod).
+ // It is still exchanged because Istiod may add info to the cert.
+ ProvCert string
+}
+
+type CitadelClient struct {
+ enableTLS bool
+ client v1alpha1.IstioCertificateServiceClient
+ conn *grpc.ClientConn
+ opts *Options
+}
+
+// NewCitadelClient create a CA client for Citadel.
+func NewCitadelClient(opts *Options) (*CitadelClient, error) {
+ c := &CitadelClient{
+ enableTLS: true,
+ opts: opts,
+ }
+
+ conn, err := c.buildConnection()
+
+ if err != nil {
+ log.Printf("Failed to connect to endpoint %s: %v", opts.CAEndpoint, err)
+ return nil, fmt.Errorf("failed to connect to endpoint %s", opts.CAEndpoint)
+ }
+ c.conn = conn
+ c.client = v1alpha1.NewIstioCertificateServiceClient(conn)
+ return c, nil
+}
+
+func (c *CitadelClient) Close() {
+ if c.conn != nil {
+ c.conn.Close()
+ }
+}
+
+// CSR Sign calls Citadel to sign a CSR.
+func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
+ crMetaStruct := &structpb.Struct{
+ Fields: map[string]*structpb.Value{
+ CertSigner: {
+ Kind: &structpb.Value_StringValue{StringValue: c.opts.CertSigner},
+ },
+ },
+ }
+ req := &v1alpha1.IstioCertificateRequest{
+ Csr: string(csrPEM),
+ ValidityDuration: certValidTTLInSec,
+ Metadata: crMetaStruct,
+ }
+ ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("ClusterID", c.opts.ClusterID))
+ resp, err := c.client.CreateCertificate(ctx, req)
+ if err != nil {
+ return nil, fmt.Errorf("create certificate: %v", err)
+ }
+
+ if len(resp.CertChain) <= 1 {
+ return nil, errors.New("invalid empty CertChain")
+ }
+
+ return resp.CertChain, nil
+}
+
+func (c *CitadelClient) getTLSDialOption() (grpc.DialOption, error) {
+ // Load the TLS root certificate from the specified file.
+ // Create a certificate pool
+ var certPool *x509.CertPool
+ var err error
+ if c.opts.TrustedRoots == nil {
+ // No explicit certificate - assume the citadel-compatible server uses a public cert
+ certPool, err = x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+ } else {
+ certPool = c.opts.TrustedRoots
+ }
+ var certificate tls.Certificate
+ config := tls.Config{
+ GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ if c.opts.ProvCert != "" {
+ // Load the certificate from disk
+ certificate, err = tls.LoadX509KeyPair(
+ filepath.Join(c.opts.ProvCert, "cert-chain.pem"),
+ filepath.Join(c.opts.ProvCert, "key.pem"))
+
+ if err != nil {
+ // we will return an empty cert so that when user sets the Prov cert path
+ // but not have such cert in the file path we use the token to provide verification
+ // instead of just broken the workflow
+ log.Printf("cannot load key pair, using token instead: %v", err)
+ return &certificate, nil
+ }
+ if certificate.Leaf.NotAfter.Before(time.Now()) {
+ log.Printf("cannot parse the cert chain, using token instead: %v", err)
+ return &tls.Certificate{}, nil
+ }
+ }
+ return &certificate, nil
+ },
+ }
+ config.RootCAs = certPool
+
+ // For debugging on localhost (with port forward)
+ // TODO: remove once istiod is stable and we have a way to validate JWTs locally
+ if strings.Contains(c.opts.CAEndpoint, "localhost") {
+ config.ServerName = "istiod.istio-system.svc"
+ }
+ if c.opts.CAEndpointSAN != "" {
+ config.ServerName = c.opts.CAEndpointSAN
+ }
+
+ transportCreds := credentials.NewTLS(&config)
+ return grpc.WithTransportCredentials(transportCreds), nil
+}
+
+func (c *CitadelClient) buildConnection() (*grpc.ClientConn, error) {
+ var ol []grpc.DialOption
+ var opts grpc.DialOption
+ var err error
+ if c.enableTLS {
+ opts, err = c.getTLSDialOption()
+ if err != nil {
+ return nil, err
+ }
+ ol = append(ol, opts)
+ } else {
+ opts = grpc.WithInsecure()
+ ol = append(ol, opts)
+ }
+ ol = append(ol, grpc.WithPerRPCCredentials(c.opts.TokenProvider))
+ ol = append(ol, c.opts.GRPCOptions...)
+ //security.CARetryInterceptor())
Review Comment:
we should add it back ?
https://github.com/istio/istio/blob/master/security/pkg/nodeagent/caclient/providers/citadel/client.go#L210
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r964599566
##########
xds/credentials/certprovider/remote/istioca_client.go:
##########
@@ -0,0 +1,211 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Copyright Istio Authors
+
+package remote
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "errors"
+ "fmt"
+ "log"
+ "path/filepath"
+ "strings"
+ "time"
+)
+
+import (
+ structpb "github.com/golang/protobuf/ptypes/struct"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/metadata"
+)
+
+import (
+ v1alpha1 "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote/v1alpha1"
+)
+
+const (
+ // CertSigner info
+ CertSigner = "CertSigner"
+)
+
+type Options struct {
+ CAEndpoint string
+ CAEndpointSAN string
+
+ TokenProvider credentials.PerRPCCredentials
+ GRPCOptions []grpc.DialOption
+
+ CertSigner string
+ ClusterID string
+
+ TrustedRoots *x509.CertPool
+
+ // ProvCert contains a long-lived 'provider' certificate that will be
+ // exchanged with the workload certificate.
+ // It is a cert signed by same CA (or a CA trusted by Istiod).
+ // It is still exchanged because Istiod may add info to the cert.
+ ProvCert string
+}
+
+type CitadelClient struct {
+ enableTLS bool
+ client v1alpha1.IstioCertificateServiceClient
+ conn *grpc.ClientConn
+ opts *Options
+}
+
+// NewCitadelClient create a CA client for Citadel.
+func NewCitadelClient(opts *Options) (*CitadelClient, error) {
+ c := &CitadelClient{
+ enableTLS: true,
+ opts: opts,
+ }
+
+ conn, err := c.buildConnection()
+
+ if err != nil {
+ log.Printf("Failed to connect to endpoint %s: %v", opts.CAEndpoint, err)
+ return nil, fmt.Errorf("failed to connect to endpoint %s", opts.CAEndpoint)
+ }
+ c.conn = conn
+ c.client = v1alpha1.NewIstioCertificateServiceClient(conn)
+ return c, nil
+}
+
+func (c *CitadelClient) Close() {
+ if c.conn != nil {
+ c.conn.Close()
+ }
+}
+
+// CSR Sign calls Citadel to sign a CSR.
+func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
+ crMetaStruct := &structpb.Struct{
+ Fields: map[string]*structpb.Value{
+ CertSigner: {
+ Kind: &structpb.Value_StringValue{StringValue: c.opts.CertSigner},
+ },
+ },
+ }
+ req := &v1alpha1.IstioCertificateRequest{
+ Csr: string(csrPEM),
+ ValidityDuration: certValidTTLInSec,
+ Metadata: crMetaStruct,
+ }
+ ctx := metadata.NewOutgoingContext(context.Background(), metadata.Pairs("ClusterID", c.opts.ClusterID))
+ resp, err := c.client.CreateCertificate(ctx, req)
+ if err != nil {
+ return nil, fmt.Errorf("create certificate: %v", err)
+ }
+
+ if len(resp.CertChain) <= 1 {
+ return nil, errors.New("invalid empty CertChain")
+ }
+
+ return resp.CertChain, nil
+}
+
+func (c *CitadelClient) getTLSDialOption() (grpc.DialOption, error) {
+ // Load the TLS root certificate from the specified file.
+ // Create a certificate pool
+ var certPool *x509.CertPool
+ var err error
+ if c.opts.TrustedRoots == nil {
+ // No explicit certificate - assume the citadel-compatible server uses a public cert
+ certPool, err = x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+ } else {
+ certPool = c.opts.TrustedRoots
+ }
+ var certificate tls.Certificate
+ config := tls.Config{
+ GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ if c.opts.ProvCert != "" {
+ // Load the certificate from disk
+ certificate, err = tls.LoadX509KeyPair(
+ filepath.Join(c.opts.ProvCert, "cert-chain.pem"),
+ filepath.Join(c.opts.ProvCert, "key.pem"))
+
+ if err != nil {
+ // we will return an empty cert so that when user sets the Prov cert path
+ // but not have such cert in the file path we use the token to provide verification
+ // instead of just broken the workflow
+ log.Printf("cannot load key pair, using token instead: %v", err)
+ return &certificate, nil
+ }
+ if certificate.Leaf.NotAfter.Before(time.Now()) {
+ log.Printf("cannot parse the cert chain, using token instead: %v", err)
+ return &tls.Certificate{}, nil
+ }
+ }
+ return &certificate, nil
+ },
+ }
+ config.RootCAs = certPool
+
+ // For debugging on localhost (with port forward)
+ // TODO: remove once istiod is stable and we have a way to validate JWTs locally
+ if strings.Contains(c.opts.CAEndpoint, "localhost") {
+ config.ServerName = "istiod.istio-system.svc"
+ }
+ if c.opts.CAEndpointSAN != "" {
+ config.ServerName = c.opts.CAEndpointSAN
+ }
+
+ transportCreds := credentials.NewTLS(&config)
+ return grpc.WithTransportCredentials(transportCreds), nil
+}
+
+func (c *CitadelClient) buildConnection() (*grpc.ClientConn, error) {
+ var ol []grpc.DialOption
+ var opts grpc.DialOption
+ var err error
+ if c.enableTLS {
+ opts, err = c.getTLSDialOption()
+ if err != nil {
+ return nil, err
+ }
+ ol = append(ol, opts)
+ } else {
+ opts = grpc.WithInsecure()
+ ol = append(ol, opts)
+ }
+ ol = append(ol, grpc.WithPerRPCCredentials(c.opts.TokenProvider))
+ ol = append(ol, c.opts.GRPCOptions...)
+ //security.CARetryInterceptor())
Review Comment:
`security.CARetryInterceptor())` is enabled in istio-agent, to correspon with istio-proxy, should we add this back?
https://github.com/istio/istio/blob/master/security/pkg/nodeagent/caclient/providers/citadel/client.go#L210
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1237634906
@ZLBer Could you give a draft document how to run this xds certificate provider and communicate with istiod locally?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r973724315
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
+ bootstrapPath := os.Getenv(envconfig.XDSBootstrapFileNameEnv)
+ if bootstrapPath != "" {
+ manager := &AgentCertManager{}
+ config, err := bootstrap.NewConfig()
+ if err != nil {
+ logger.Errorf("build bootstrap config error :%s", err.Error())
+ return nil, err
+ }
+ certProvider, err := buildProvider(config.CertProviderConfigs, "default")
+
+ if err != nil {
+ logger.Errorf("get cert provider error :%s", err.Error())
+ return nil, err
+ }
+ manager.provider = certProvider
+ return manager, nil
+ } else {
+ manager := &CACertManager{}
+ manager.rootPath = RootCertPath
+ return manager, nil
+ }
+
+}
+
+// AgentCertManager work in istio agent mode
+type AgentCertManager struct {
+ provider certprovider.Provider
+}
+
+//GetRootCertificate return certificate of ca
+func (c *AgentCertManager) GetRootCertificate() (*x509.CertPool, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Roots, nil
+}
+
+//GetCertificate return certificate of application
+func (c *AgentCertManager) GetCertificate() ([]tls.Certificate, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Certs, nil
+}
+
+// buildProvider build cert provider from config
+func buildProvider(configs map[string]*certprovider.BuildableConfig, instanceName string) (certprovider.Provider, error) {
+ cfg, ok := configs[instanceName]
+ if !ok {
+ return nil, fmt.Errorf("certificate provider instance %q not found in bootstrap file", instanceName)
+ }
+ provider, err := cfg.Build(certprovider.BuildOptions{
+ CertName: "ca",
+ WantIdentity: true,
+ WantRoot: true,
+ })
+ if err != nil {
+ return nil, fmt.Errorf("xds: failed to get security plugin instance (%+v): %v", cfg, err)
+ }
+ return provider, nil
+}
+
+// CACertManager work in no agent mode, fetch cert form CA
+type CACertManager struct {
+ // Certs contains a slice of cert/key pairs used to prove local identity.
+ Certs []tls.Certificate
+ // Roots contains the set of trusted roots to validate the peer's identity.
+ Roots *x509.CertPool
+
+ NoAfter time.Time
+
+ RootNoAfter time.Time
+
+ rootPath string
+}
+
+//GetCertificate return certificate of application
+func (c *CACertManager) GetCertificate() ([]tls.Certificate, error) {
+ //cert expired
+ if time.Now().After(c.NoAfter) {
+ if err := c.UpdateCert(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Certs, nil
+}
+
+//GetRootCertificate return certificate of ca
+func (c *CACertManager) GetRootCertificate() (*x509.CertPool, error) {
+ //root expired
+ if time.Now().After(c.RootNoAfter) {
+ if err := c.UpdateRoot(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Roots, nil
+}
+
+// UpdateRoot update root cert
+func (c *CACertManager) UpdateRoot() error {
+ rootFileContents, err := ioutil.ReadFile(c.rootPath)
+ if err != nil {
+ return err
+ }
+ trustPool := x509.NewCertPool()
+ if !trustPool.AppendCertsFromPEM(rootFileContents) {
+ logger.Warn("failed to parse root certificate")
+ }
+ c.Roots = trustPool
+ block, _ := pem.Decode(rootFileContents)
+ if block == nil {
+ return fmt.Errorf("failed to decode certificate")
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil
+ }
+ c.RootNoAfter = cert.NotAfter
+ return nil
+}
+
+// UpdateCert update cert
+func (c *CACertManager) UpdateCert() error {
+ tokenProvider, err := NewSaTokenProvider(ServiceAccountPath)
+ if err != nil {
+ return err
+ }
+
+ trustRoot, err := c.GetRootCertificate()
+ if err != nil {
+ return nil
Review Comment:
Same as above.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200434259
@ZLBer so badly that the ci still failed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] LaurenceLiZhixin commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
LaurenceLiZhixin commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200357734
@ZLBer 提交前使用 import-formatter 修正下代码。
```bash
% import-formatter .
```
https://github.com/dubbogo/tools#5-how-to-get-imports-formatter
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1240148784
generally LGTM
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1240864482
@thehackercat issue fixed, thanks for your review. Next i think we can inject certificate when user use xds. but, the tls of dubbo-go is not very convenient. i think i can do more about this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks merged pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks merged PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on pull request #1945: [WIP]feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1186313207
If u have finished ur work, pls delete the 'WIP'.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r963237838
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
+ bootstrapPath := os.Getenv(envconfig.XDSBootstrapFileNameEnv)
+ if bootstrapPath != "" {
+ manager := &AgentCertManager{}
+ config, err := bootstrap.NewConfig()
+ if err != nil {
+ logger.Errorf("build bootstrap config error :%s", err.Error())
+ return nil, err
+ }
+ certProvider, err := buildProvider(config.CertProviderConfigs, "default")
+
+ if err != nil {
+ logger.Errorf("get cert provider error :%s", err.Error())
+ return nil, err
+ }
+ manager.provider = certProvider
+ return manager, nil
+ } else {
+ manager := &CACertManager{}
+ manager.rootPath = RootCertPath
+ return manager, nil
+ }
+
+}
+
+// AgentCertManager work in istio agent mode
+type AgentCertManager struct {
+ provider certprovider.Provider
+}
+
+//GetRootCertificate return certificate of ca
+func (c *AgentCertManager) GetRootCertificate() (*x509.CertPool, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Roots, nil
+}
+
+//GetCertificate return certificate of application
+func (c *AgentCertManager) GetCertificate() ([]tls.Certificate, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Certs, nil
+}
+
+// buildProvider build cert provider from config
+func buildProvider(configs map[string]*certprovider.BuildableConfig, instanceName string) (certprovider.Provider, error) {
+ cfg, ok := configs[instanceName]
+ if !ok {
+ return nil, fmt.Errorf("certificate provider instance %q not found in bootstrap file", instanceName)
+ }
+ provider, err := cfg.Build(certprovider.BuildOptions{
+ CertName: "ca",
+ WantIdentity: true,
+ WantRoot: true,
+ })
+ if err != nil {
+ return nil, fmt.Errorf("xds: failed to get security plugin instance (%+v): %v", cfg, err)
+ }
+ return provider, nil
+}
+
+// CACertManager work in no agent mode, fetch cert form CA
+type CACertManager struct {
+ // Certs contains a slice of cert/key pairs used to prove local identity.
+ Certs []tls.Certificate
+ // Roots contains the set of trusted roots to validate the peer's identity.
+ Roots *x509.CertPool
+
+ NoAfter time.Time
+
+ RootNoAfter time.Time
+
+ rootPath string
+}
+
+//GetCertificate return certificate of application
+func (c *CACertManager) GetCertificate() ([]tls.Certificate, error) {
+ //cert expired
+ if time.Now().After(c.NoAfter) {
+ if err := c.UpdateCert(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Certs, nil
+}
+
+//GetRootCertificate return certificate of ca
+func (c *CACertManager) GetRootCertificate() (*x509.CertPool, error) {
+ //root expired
+ if time.Now().After(c.RootNoAfter) {
+ if err := c.UpdateRoot(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Roots, nil
+}
+
+// UpdateRoot update root cert
+func (c *CACertManager) UpdateRoot() error {
+ rootFileContents, err := ioutil.ReadFile(c.rootPath)
+ if err != nil {
+ return err
+ }
+ trustPool := x509.NewCertPool()
+ if !trustPool.AppendCertsFromPEM(rootFileContents) {
+ logger.Warn("failed to parse root certificate")
+ }
+ c.Roots = trustPool
+ block, _ := pem.Decode(rootFileContents)
+ if block == nil {
+ return fmt.Errorf("failed to decode certificate")
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil
+ }
+ c.RootNoAfter = cert.NotAfter
+ return nil
+}
+
+// UpdateCert update cert
+func (c *CACertManager) UpdateCert() error {
+ tokenProvider, err := NewSaTokenProvider(ServiceAccountPath)
+ if err != nil {
+ return err
+ }
+
+ trustRoot, err := c.GetRootCertificate()
+ if err != nil {
+ return nil
+ }
+ citadelClient, err := remote.NewCitadelClient(&remote.Options{
+ CAEndpoint: IstioCAEndpoint,
+ TrustedRoots: trustRoot,
+ TokenProvider: tokenProvider,
+ CertSigner: certSigner,
+ ClusterID: clusterID,
+ })
+ if err != nil {
+ return err
+ }
+ host := "spiffe://" + "cluster.local" + "/ns/" + PodNamespace + "/sa/" + "default"
Review Comment:
Could we make this host configurable, like this `URIPrifix`?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r973724446
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
+ bootstrapPath := os.Getenv(envconfig.XDSBootstrapFileNameEnv)
+ if bootstrapPath != "" {
+ manager := &AgentCertManager{}
+ config, err := bootstrap.NewConfig()
+ if err != nil {
+ logger.Errorf("build bootstrap config error :%s", err.Error())
+ return nil, err
+ }
+ certProvider, err := buildProvider(config.CertProviderConfigs, "default")
+
+ if err != nil {
+ logger.Errorf("get cert provider error :%s", err.Error())
+ return nil, err
+ }
+ manager.provider = certProvider
+ return manager, nil
+ } else {
+ manager := &CACertManager{}
+ manager.rootPath = RootCertPath
+ return manager, nil
+ }
+
+}
+
+// AgentCertManager work in istio agent mode
+type AgentCertManager struct {
+ provider certprovider.Provider
+}
+
+//GetRootCertificate return certificate of ca
+func (c *AgentCertManager) GetRootCertificate() (*x509.CertPool, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Roots, nil
+}
+
+//GetCertificate return certificate of application
+func (c *AgentCertManager) GetCertificate() ([]tls.Certificate, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Certs, nil
+}
+
+// buildProvider build cert provider from config
+func buildProvider(configs map[string]*certprovider.BuildableConfig, instanceName string) (certprovider.Provider, error) {
+ cfg, ok := configs[instanceName]
+ if !ok {
+ return nil, fmt.Errorf("certificate provider instance %q not found in bootstrap file", instanceName)
+ }
+ provider, err := cfg.Build(certprovider.BuildOptions{
+ CertName: "ca",
+ WantIdentity: true,
+ WantRoot: true,
+ })
+ if err != nil {
+ return nil, fmt.Errorf("xds: failed to get security plugin instance (%+v): %v", cfg, err)
+ }
+ return provider, nil
+}
+
+// CACertManager work in no agent mode, fetch cert form CA
+type CACertManager struct {
+ // Certs contains a slice of cert/key pairs used to prove local identity.
+ Certs []tls.Certificate
+ // Roots contains the set of trusted roots to validate the peer's identity.
+ Roots *x509.CertPool
+
+ NoAfter time.Time
+
+ RootNoAfter time.Time
+
+ rootPath string
+}
+
+//GetCertificate return certificate of application
+func (c *CACertManager) GetCertificate() ([]tls.Certificate, error) {
+ //cert expired
+ if time.Now().After(c.NoAfter) {
+ if err := c.UpdateCert(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Certs, nil
+}
+
+//GetRootCertificate return certificate of ca
+func (c *CACertManager) GetRootCertificate() (*x509.CertPool, error) {
+ //root expired
+ if time.Now().After(c.RootNoAfter) {
+ if err := c.UpdateRoot(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Roots, nil
+}
+
+// UpdateRoot update root cert
+func (c *CACertManager) UpdateRoot() error {
+ rootFileContents, err := ioutil.ReadFile(c.rootPath)
+ if err != nil {
+ return err
+ }
+ trustPool := x509.NewCertPool()
+ if !trustPool.AppendCertsFromPEM(rootFileContents) {
+ logger.Warn("failed to parse root certificate")
+ }
+ c.Roots = trustPool
+ block, _ := pem.Decode(rootFileContents)
+ if block == nil {
+ return fmt.Errorf("failed to decode certificate")
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil
+ }
+ c.RootNoAfter = cert.NotAfter
+ return nil
+}
+
+// UpdateCert update cert
Review Comment:
A duplicated space should be removed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1250313678
There are some slight problems, but most looks good to me.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1202346010
> why can not find this package? 
has been moved to github.com/dubbogo/gost
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200079014
pls fix the ci failure
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1238009759
@thehackercat this doc has a example for how to use this:https://github.com/dubbogo/dubbogo.github.io/blob/master/docs/zh-cn/user/tasks/mesh/dubbogo_certificate_using_istio.md
but at this stage, this func is not well integrated with dubbo-go, we need to obtain the certificate using `CertManager` manually. it's not friendly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1250178450
> @justxuewei could u also help take a look at xds/credentials/cert_manager.go codes.
Ok, I will review the code you mention later today.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r973723895
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
+ bootstrapPath := os.Getenv(envconfig.XDSBootstrapFileNameEnv)
+ if bootstrapPath != "" {
+ manager := &AgentCertManager{}
+ config, err := bootstrap.NewConfig()
+ if err != nil {
+ logger.Errorf("build bootstrap config error :%s", err.Error())
+ return nil, err
+ }
+ certProvider, err := buildProvider(config.CertProviderConfigs, "default")
+
+ if err != nil {
+ logger.Errorf("get cert provider error :%s", err.Error())
+ return nil, err
+ }
+ manager.provider = certProvider
+ return manager, nil
+ } else {
+ manager := &CACertManager{}
+ manager.rootPath = RootCertPath
+ return manager, nil
+ }
+
+}
+
+// AgentCertManager work in istio agent mode
+type AgentCertManager struct {
+ provider certprovider.Provider
+}
+
+//GetRootCertificate return certificate of ca
+func (c *AgentCertManager) GetRootCertificate() (*x509.CertPool, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Roots, nil
+}
+
+//GetCertificate return certificate of application
+func (c *AgentCertManager) GetCertificate() ([]tls.Certificate, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Certs, nil
+}
+
+// buildProvider build cert provider from config
Review Comment:
A duplicated space should be removed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r969128411
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
Review Comment:
`NewCertManager()` is not called?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on a diff in pull request #1945: [WIP]feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r908032704
##########
remoting/xds/xds_client_factory.go:
##########
@@ -18,10 +18,23 @@
package xds
import (
+ "bytes"
Review Comment:
format this import as other files
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200340716
how to fix this check error?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r933993549
##########
xds/credentials/certgenerate/generate_cert.go:
##########
@@ -242,12 +242,12 @@ func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate,
// signerCertFile: cert file name
// signerPrivFile: private key file name
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error) {
- signerCertBytes, err := os.ReadFile(signerCertFile)
+ signerCertBytes, err := ioutil.ReadFile(signerCertFile)
Review Comment:
好的。
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1187646070
@LaurenceLiZhixin @AlexStocks pls review this pr, tks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1245313440
@thehackercat sure, will add an example on [dubbo-go-samples](https://github.com/apache/dubbo-go-samples)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] thehackercat commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
thehackercat commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1244871809
@AlexStocks this PR LGTM, I think it's ready to be merged.
@justxuewei could u also help take a look at `xds/credentials/cert_manager.go` codes.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] AlexStocks commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
AlexStocks commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r933959364
##########
xds/credentials/certgenerate/generate_cert.go:
##########
@@ -242,12 +242,12 @@ func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate,
// signerCertFile: cert file name
// signerPrivFile: private key file name
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error) {
- signerCertBytes, err := os.ReadFile(signerCertFile)
+ signerCertBytes, err := ioutil.ReadFile(signerCertFile)
Review Comment:
改下包名称,为何?当然我也知道go一些历史原因,导致两个包重复实现了这些函数,但是 ioutil 这个实现的优点在哪?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1200435576
why can not find this package?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] ZLBer commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
ZLBer commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1252509624
@justxuewei all fixed, thanks
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] justxuewei commented on a diff in pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
justxuewei commented on code in PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#discussion_r973724250
##########
xds/credentials/cert_manager.go:
##########
@@ -0,0 +1,271 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+ "bytes"
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+import (
+ "github.com/dubbogo/gost/log/logger"
+)
+
+import (
+ "dubbo.apache.org/dubbo-go/v3/xds/client/bootstrap"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certgenerate"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/pemfile"
+ "dubbo.apache.org/dubbo-go/v3/xds/credentials/certprovider/remote"
+ "dubbo.apache.org/dubbo-go/v3/xds/internal"
+ "dubbo.apache.org/dubbo-go/v3/xds/utils/envconfig"
+)
+
+func init() {
+ //init file_watcher builder
+ certprovider.Register(&pemfile.PluginBuilder{})
+ //init builder func
+ internal.GetCertificateProviderBuilder = certprovider.GetBuilder
+}
+
+//CertManager manage agent or no agent cert
+type CertManager interface {
+ GetCertificate() ([]tls.Certificate, error)
+ GetRootCertificate() (*x509.CertPool, error)
+}
+
+// NewCertManager return a manager
+func NewCertManager() (CertManager, error) {
+ bootstrapPath := os.Getenv(envconfig.XDSBootstrapFileNameEnv)
+ if bootstrapPath != "" {
+ manager := &AgentCertManager{}
+ config, err := bootstrap.NewConfig()
+ if err != nil {
+ logger.Errorf("build bootstrap config error :%s", err.Error())
+ return nil, err
+ }
+ certProvider, err := buildProvider(config.CertProviderConfigs, "default")
+
+ if err != nil {
+ logger.Errorf("get cert provider error :%s", err.Error())
+ return nil, err
+ }
+ manager.provider = certProvider
+ return manager, nil
+ } else {
+ manager := &CACertManager{}
+ manager.rootPath = RootCertPath
+ return manager, nil
+ }
+
+}
+
+// AgentCertManager work in istio agent mode
+type AgentCertManager struct {
+ provider certprovider.Provider
+}
+
+//GetRootCertificate return certificate of ca
+func (c *AgentCertManager) GetRootCertificate() (*x509.CertPool, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Roots, nil
+}
+
+//GetCertificate return certificate of application
+func (c *AgentCertManager) GetCertificate() ([]tls.Certificate, error) {
+ material, err := c.provider.KeyMaterial(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ return material.Certs, nil
+}
+
+// buildProvider build cert provider from config
+func buildProvider(configs map[string]*certprovider.BuildableConfig, instanceName string) (certprovider.Provider, error) {
+ cfg, ok := configs[instanceName]
+ if !ok {
+ return nil, fmt.Errorf("certificate provider instance %q not found in bootstrap file", instanceName)
+ }
+ provider, err := cfg.Build(certprovider.BuildOptions{
+ CertName: "ca",
+ WantIdentity: true,
+ WantRoot: true,
+ })
+ if err != nil {
+ return nil, fmt.Errorf("xds: failed to get security plugin instance (%+v): %v", cfg, err)
+ }
+ return provider, nil
+}
+
+// CACertManager work in no agent mode, fetch cert form CA
+type CACertManager struct {
+ // Certs contains a slice of cert/key pairs used to prove local identity.
+ Certs []tls.Certificate
+ // Roots contains the set of trusted roots to validate the peer's identity.
+ Roots *x509.CertPool
+
+ NoAfter time.Time
+
+ RootNoAfter time.Time
+
+ rootPath string
+}
+
+//GetCertificate return certificate of application
+func (c *CACertManager) GetCertificate() ([]tls.Certificate, error) {
+ //cert expired
+ if time.Now().After(c.NoAfter) {
+ if err := c.UpdateCert(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Certs, nil
+}
+
+//GetRootCertificate return certificate of ca
+func (c *CACertManager) GetRootCertificate() (*x509.CertPool, error) {
+ //root expired
+ if time.Now().After(c.RootNoAfter) {
+ if err := c.UpdateRoot(); err != nil {
+ return nil, err
+ }
+ }
+ return c.Roots, nil
+}
+
+// UpdateRoot update root cert
+func (c *CACertManager) UpdateRoot() error {
+ rootFileContents, err := ioutil.ReadFile(c.rootPath)
+ if err != nil {
+ return err
+ }
+ trustPool := x509.NewCertPool()
+ if !trustPool.AppendCertsFromPEM(rootFileContents) {
+ logger.Warn("failed to parse root certificate")
+ }
+ c.Roots = trustPool
+ block, _ := pem.Decode(rootFileContents)
+ if block == nil {
+ return fmt.Errorf("failed to decode certificate")
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil
Review Comment:
Why here return nil?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
[GitHub] [dubbo-go] codecov-commenter commented on pull request #1945: feat: support xds certificate
Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #1945:
URL: https://github.com/apache/dubbo-go/pull/1945#issuecomment-1201977654
# [Codecov](https://codecov.io/gh/apache/dubbo-go/pull/1945?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#1945](https://codecov.io/gh/apache/dubbo-go/pull/1945?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (38c195b) into [3.0](https://codecov.io/gh/apache/dubbo-go/commit/b7e348319f82444e18ecda284e20656d7ed3b861?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (b7e3483) will **decrease** coverage by `0.68%`.
> The diff coverage is `0.00%`.
```diff
@@ Coverage Diff @@
## 3.0 #1945 +/- ##
==========================================
- Coverage 45.00% 44.31% -0.69%
==========================================
Files 287 281 -6
Lines 17135 16785 -350
==========================================
- Hits 7711 7438 -273
+ Misses 8608 8558 -50
+ Partials 816 789 -27
```
| [Impacted Files](https://codecov.io/gh/apache/dubbo-go/pull/1945?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [xds/client/bootstrap/bootstrap.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-eGRzL2NsaWVudC9ib290c3RyYXAvYm9vdHN0cmFwLmdv) | `59.11% <0.00%> (ø)` | |
| [xds/utils/credentials/xds/handshake\_info.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-eGRzL3V0aWxzL2NyZWRlbnRpYWxzL3hkcy9oYW5kc2hha2VfaW5mby5nbw==) | `41.46% <ø> (ø)` | |
| [config/config\_center\_config.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29uZmlnL2NvbmZpZ19jZW50ZXJfY29uZmlnLmdv) | `14.28% <0.00%> (-58.10%)` | :arrow_down: |
| [metadata/report/delegate/delegate\_report.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bWV0YWRhdGEvcmVwb3J0L2RlbGVnYXRlL2RlbGVnYXRlX3JlcG9ydC5nbw==) | `26.49% <0.00%> (-8.61%)` | :arrow_down: |
| [filter/token/filter.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZmlsdGVyL3Rva2VuL2ZpbHRlci5nbw==) | `53.12% <0.00%> (-6.88%)` | :arrow_down: |
| [config/provider\_config.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29uZmlnL3Byb3ZpZGVyX2NvbmZpZy5nbw==) | `41.53% <0.00%> (-3.47%)` | :arrow_down: |
| [metrics/prometheus/reporter.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bWV0cmljcy9wcm9tZXRoZXVzL3JlcG9ydGVyLmdv) | `31.79% <0.00%> (-1.54%)` | :arrow_down: |
| [config/graceful\_shutdown.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29uZmlnL2dyYWNlZnVsX3NodXRkb3duLmdv) | `3.88% <0.00%> (-0.12%)` | :arrow_down: |
| [registry/event.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVnaXN0cnkvZXZlbnQuZ28=) | `29.62% <0.00%> (ø)` | |
| [protocol/invoker.go](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cHJvdG9jb2wvaW52b2tlci5nbw==) | `69.56% <0.00%> (ø)` | |
| ... and [107 more](https://codecov.io/gh/apache/dubbo-go/pull/1945/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
Help us with your feedback. Take ten seconds to tell us [how you rate us](https://about.codecov.io/nps?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org