feature: support ssl communication for raft nodes #6926
base: 2.x
Conversation
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

@@             Coverage Diff              @@
##                2.x    #6926      +/-   ##
============================================
- Coverage     52.61%   52.60%   -0.01%
- Complexity     6579     6580       +1
============================================
  Files          1126     1126
  Lines         39928    39945      +17
  Branches       4680     4683       +3
============================================
+ Hits          21010    21015       +5
- Misses        16916    16929      +13
+ Partials       2002     2001       -1
LGTM
@Muluo-cyan Please register this PR in change logs[1].
[1] https://github.com/apache/incubator-seata/tree/2.x/changes
@Muluo-cyan can you add some configuration docs on seata website?
Ⅰ. Describe what this PR did
The communication between nodes in the Raft cluster now supports SSL.
Ⅱ. Does this pull request fix one issue?
Ⅲ. Why don't you add test cases (unit test/integration test)?
Ⅳ. Describe how to verify it
Add the following configuration to the server's application.yml to enable SSL support (comments use YAML's `#` syntax; `//` would become part of the value):

```yaml
server:
  raft:
    ssl:
      enabled: true                # whether to enable SSL support
      keystore.type: pkcs12        # keystore type
      kmf.algorithm: SunX509       # KeyManagerFactory algorithm
      server:
        keystore: bolt.pfx         # keystore file path for the Raft node's RPC server side
        keystore.password: sfbolt  # keystore password
      client:
        keystore: cbolt.pfx        # keystore file path for the Raft node's RPC client side
        keystore.password: sfbolt  # keystore password
```
The server-side SSL keystore file bolt.pfx and the client-side SSL keystore file cbolt.pfx are generated with the following steps:

1. First, generate the server keystore and export its certificate.

```shell
keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12
keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer
```

2. Next, generate the client keystore and export its certificate.

```shell
keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12
keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer
```

3. Finally, import the server certificate into the client keystore and the client certificate into the server keystore.

```shell
keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx
keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx
```

Copy the generated certificates to each node.
Then start the Seata cluster. You should see that the Raft cluster has SSL support enabled, and any node without the certificate will have its communication with other nodes rejected.
Ⅴ. Special notes for reviews
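The three keytool steps above as a script, followed by the checks a reviewer would run on the resulting keystores before copying them to the nodes. This is an added example, not code from PR #6926 or from the Seata project. It assumes a JDK `keytool` on PATH; the file names, aliases and the `sfbolt` password are the ones from the PR description, while the `rogue` alias is a constructed stand-in for a node that never took part in the certificate exchange. It uses `-genkeypair`, `-exportcert` and `-importcert`, the current names of the `-genkey`, `-export` and `-import` commands shown above, and adds `-noprompt` so the import does not stop at keytool's interactive question.

```shell
#!/bin/sh
# Added example, not code from PR #6926 or from the Seata project: the three
# keytool steps from the PR description as a script, plus checks that each
# keystore really holds the peer's certificate and that a keystore which
# skipped the cross-import is not trusted by either side.
# Assumes a JDK keytool on PATH. File names, aliases and the "sfbolt"
# password are taken from the PR description; "rogue" is a constructed alias
# for a node that never exchanged certificates.

PASS=sfbolt

# One PKCS#12 keystore holding a self-signed RSA key pair, plus its exported
# certificate. Usage: make_keystore <dir> <alias> <keystore> <cert-file>
make_keystore() {
    keytool -genkeypair -alias "$2" -keysize 2048 -validity 365 -keyalg RSA \
        -dname "CN=localhost" -keypass "$PASS" -storepass "$PASS" \
        -keystore "$1/$3" -storetype pkcs12 >/dev/null 2>&1 &&
    keytool -exportcert -alias "$2" -keystore "$1/$3" -storetype pkcs12 \
        -storepass "$PASS" -file "$1/$4" >/dev/null 2>&1
}

# Steps 1-3 of the description: server keystore, client keystore, then each
# certificate imported into the other keystore as a trusted entry. -noprompt
# answers keytool's interactive "Trust this certificate?" question.
# Usage: gen_raft_keystores <dir>
gen_raft_keystores() {
    mkdir -p "$1" &&
    make_keystore "$1" securebolt bolt.pfx bolt.cer &&
    make_keystore "$1" smcc cbolt.pfx cbolt.cer &&
    keytool -importcert -noprompt -trustcacerts -alias securebolt -file "$1/bolt.cer" \
        -storetype pkcs12 -storepass "$PASS" -keystore "$1/cbolt.pfx" >/dev/null 2>&1 &&
    keytool -importcert -noprompt -trustcacerts -alias smcc -file "$1/cbolt.cer" \
        -storetype pkcs12 -storepass "$PASS" -keystore "$1/bolt.pfx" >/dev/null 2>&1
}

# Entry type keytool reports for <alias> in <keystore>: PrivateKeyEntry for the
# node's own key, trustedCertEntry for a peer certificate, empty if the alias
# is absent. Usage: entry_type <keystore> <alias>
entry_type() {
    keytool -list -keystore "$1" -storetype pkcs12 -storepass "$PASS" -alias "$2" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Certificate fingerprint keytool prints for <alias> in <keystore>, empty if
# the alias is absent. Usage: fingerprint <keystore> <alias>
fingerprint() {
    keytool -list -keystore "$1" -storetype pkcs12 -storepass "$PASS" -alias "$2" 2>/dev/null |
        sed -n 's/.*fingerprint ([^)]*): *//p' | head -n 1
}

# The property the description claims, checked from the keystores themselves:
# each side holds its own key, trusts the peer's certificate (same fingerprint
# as the peer's own entry), and a keystore that never took part in the
# cross-import is trusted by neither side. Returns 0 only if all of it holds.
# Usage: verify_raft_keystores <dir>
verify_raft_keystores() {
    d=$1
    [ "$(entry_type "$d/bolt.pfx" securebolt)" = PrivateKeyEntry ] || return 1
    [ "$(entry_type "$d/cbolt.pfx" smcc)" = PrivateKeyEntry ] || return 1
    [ "$(entry_type "$d/cbolt.pfx" securebolt)" = trustedCertEntry ] || return 1
    [ "$(entry_type "$d/bolt.pfx" smcc)" = trustedCertEntry ] || return 1
    # the trusted entry must be the peer's actual certificate, not just any cert under that alias
    fp=$(fingerprint "$d/bolt.pfx" securebolt)
    [ -n "$fp" ] && [ "$fp" = "$(fingerprint "$d/cbolt.pfx" securebolt)" ] || return 1
    fp=$(fingerprint "$d/cbolt.pfx" smcc)
    [ -n "$fp" ] && [ "$fp" = "$(fingerprint "$d/bolt.pfx" smcc)" ] || return 1
    # a node that only ran step 1 for itself: its certificate is trusted by nobody
    make_keystore "$d" rogue rogue.pfx rogue.cer || return 1
    [ -z "$(entry_type "$d/bolt.pfx" rogue)" ] || return 1
    [ -z "$(entry_type "$d/cbolt.pfx" rogue)" ] || return 1
    return 0
}

# Stand-alone use: sh raft_ssl_keystores.sh /tmp/raft-ssl
if [ -n "${1:-}" ]; then
    gen_raft_keystores "$1" && verify_raft_keystores "$1" &&
        echo "mutual trust verified; copy bolt.pfx and cbolt.pfx from $1 to every node"
fi
```

The `rogue` check is the scripted form of the last sentence of the description: a node whose keystore was never cross-imported has no trusted entry on any other node, so its connections are rejected. Note that the keystore passwords end up in clear text in application.yml, so the file permissions on application.yml and on the `.pfx` files are part of what this configuration protects.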