ci: add certs for cassandra tls

This commit is contained in:
JianBo He 2023-03-17 16:39:10 +08:00
parent a20c39c83a
commit 5f0828a2ea
12 changed files with 49 additions and 1262 deletions


@ -6,5 +6,6 @@ LDAP_TAG=2.4.50
INFLUXDB_TAG=2.5.0 INFLUXDB_TAG=2.5.0
TDENGINE_TAG=3.0.2.4 TDENGINE_TAG=3.0.2.4
DYNAMO_TAG=1.21.0 DYNAMO_TAG=1.21.0
CASSANDRA_TAG=3.11.6
TARGET=emqx/emqx TARGET=emqx/emqx

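--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,4 +0,0 @@
-ARG CASSANDRA_TAG=3.11.6
-FROM cassandra:${CASSANDRA_TAG}
-COPY cassandra-tls.yaml /etc/cassandra/cassandra.yaml
-CMD ["cassandra", "-f"]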



@ -638,7 +638,7 @@ native_transport_port: 9042
# for native_transport_port. Setting native_transport_port_ssl to a different value # for native_transport_port. Setting native_transport_port_ssl to a different value
# from native_transport_port will use encryption for native_transport_port_ssl while # from native_transport_port will use encryption for native_transport_port_ssl while
# keeping native_transport_port unencrypted. # keeping native_transport_port unencrypted.
# native_transport_port_ssl: 9142 native_transport_port_ssl: 9142
# The maximum threads for handling requests when the native transport is used. # The maximum threads for handling requests when the native transport is used.
# This is similar to rpc_max_threads though the default differs slightly (and # This is similar to rpc_max_threads though the default differs slightly (and
# there is no native_transport_min_threads, idle threads will always be stopped # there is no native_transport_min_threads, idle threads will always be stopped
@ -1044,20 +1044,20 @@ server_encryption_options:
# enable or disable client/server encryption. # enable or disable client/server encryption.
client_encryption_options: client_encryption_options:
enabled: false enabled: true
# If enabled and optional is set to true encrypted and unencrypted connections are handled. # If enabled and optional is set to true encrypted and unencrypted connections are handled.
optional: false optional: true
keystore: conf/.keystore keystore: /certs/server.jks
keystore_password: cassandra keystore_password: my_password
# require_client_auth: false require_client_auth: true
# Set trustore and truststore_password if require_client_auth is true # Set trustore and truststore_password if require_client_auth is true
# truststore: conf/.truststore truststore: /certs/truststore.jks
# truststore_password: cassandra truststore_password: my_password
# More advanced defaults below: # More advanced defaults below:
# protocol: TLS protocol: TLS
# algorithm: SunX509 algorithm: SunX509
# store_type: JKS store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
# internode_compression controls whether traffic between nodes is # internode_compression controls whether traffic between nodes is
# compressed. # compressed.
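Review bot: Uncommenting `cipher_suites` on the last changed line of the client_encryption_options hunk pins the server to the sample list — CBC-mode suites only, two of them with static RSA key exchange and therefore no forward secrecy — whereas leaving it commented lets the JVM's default suite list apply, so the explicit list is, as far as I read Cassandra's SSL setup, the weaker configuration. If the intent is only to turn TLS on for the CI container, keep that line as `# cipher_suites: [...]`; `protocol`, `algorithm` and `store_type` likewise only restate defaults and did not need uncommenting. `require_client_auth: true` together with `truststore: /certs/truststore.jks` means the server will ask connecting clients for a certificate issued by that CA; confirm the Erlang test client in this commit actually presents one, or set `require_client_auth: false` if only server authentication is meant to be exercised.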


@ -0,0 +1,23 @@
Certificate and Key files for testing
## Cassandra (v3.x)
### How to convert server PEM to JKS Format
1. Convert server.crt and server.key to server.p12
```bash
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "certificate"
```
2. Convert server.p12 to server.jks
```bash
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks
```
### How to convert CA PEM certificate to truststore.jks
```
keytool -import -file ca.pem -keystore truststore.jks
```





@ -2,7 +2,7 @@ version: '3.9'
services: services:
cassandra_server: cassandra_server:
container_name: cassa_tcp container_name: cassandra
build: build:
context: ./cassandra context: ./cassandra
args: args:
@ -12,8 +12,11 @@ services:
environment: environment:
CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4" CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4"
CASSANDRA_RPC_ADDRESS: "0.0.0.0" CASSANDRA_RPC_ADDRESS: "0.0.0.0"
volumes:
- ./certs:/certs
ports: ports:
- "9042:9042" - "9042:9042"
- "9142:9142"
command: command:
- /bin/bash - /bin/bash
- -c - -c
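Review bot: The new `volumes` entry in the second hunk mounts the certificate directory read-write although the container only needs to read the keystores that cassandra.yaml points at; `- ./certs:/certs:ro` keeps the checked-in test fixtures from being altered by anything running inside the container. The `container_name` change to `cassandra` in the first hunk must stay in step with the `upstream` hosts in toxiproxy.json, which this commit does update; a comment such as `# name is referenced as the upstream host in toxiproxy.json` next to it would make that coupling visible.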

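--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -20,6 +20,7 @@ services:
 - 16041:6041
 - 18000:8000
 - 19042:9042
+- 19142:9142
 command:
 - "-host=0.0.0.0"
 - "-config=/config/toxiproxy.json"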


@ -57,13 +57,13 @@
{ {
"name": "cassa_tcp", "name": "cassa_tcp",
"listen": "0.0.0.0:9042", "listen": "0.0.0.0:9042",
"upstream": "cassa_tcp:9042", "upstream": "cassandra:9042",
"enabled": true "enabled": true
}, },
{ {
"name": "cassa_tls", "name": "cassa_tls",
"listen": "0.0.0.0:9043", "listen": "0.0.0.0:9142",
"upstream": "cassa_tls:9043", "upstream": "cassandra:9142",
"enabled": false "enabled": true
} }
] ]


@ -76,7 +76,7 @@ init_per_group(tcp, Config) ->
]; ];
init_per_group(tls, Config) -> init_per_group(tls, Config) ->
Host = os:getenv("CASSA_TLS_HOST", "toxiproxy"), Host = os:getenv("CASSA_TLS_HOST", "toxiproxy"),
Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9043")), Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9142")),
[ [
{cassa_host, Host}, {cassa_host, Host},
{cassa_port, Port}, {cassa_port, Port},
@ -132,6 +132,7 @@ end_per_testcase(_Testcase, Config) ->
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
common_init(Config0) -> common_init(Config0) ->
ct:pal("commit_init: ~p~n", [Config0]),
BridgeType = proplists:get_value(bridge_type, Config0, <<"cassandra">>), BridgeType = proplists:get_value(bridge_type, Config0, <<"cassandra">>),
Host = ?config(cassa_host, Config0), Host = ?config(cassa_host, Config0),
Port = ?config(cassa_port, Config0), Port = ?config(cassa_port, Config0),
@ -251,8 +252,7 @@ query_resource(Config, Request) ->
connect_direct_cassa(Config) -> connect_direct_cassa(Config) ->
Opts = #{ Opts = #{
host => ?config(cassa_host, Config), nodes => [{?config(cassa_host, Config), ?config(cassa_port, Config)}],
port => ?config(cassa_port, Config),
username => ?CASSA_USERNAME, username => ?CASSA_USERNAME,
password => ?CASSA_PASSWORD, password => ?CASSA_PASSWORD,
keyspace => ?CASSA_KEYSPACE keyspace => ?CASSA_KEYSPACE
@ -262,8 +262,7 @@ connect_direct_cassa(Config) ->
case ?config(enable_tls, Config) of case ?config(enable_tls, Config) of
true -> true ->
Opts#{ Opts#{
ssl => true, ssl => emqx_tls_lib:to_client_opts(#{enable => true})
ssl_opts => emqx_tls_lib:to_client_opts(#{enable => true})
}; };
false -> false ->
Opts Opts
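Review bot: In the `true ->` branch of the last hunk the TLS client options come from `emqx_tls_lib:to_client_opts(#{enable => true})` with no `cacertfile`, `certfile` or `keyfile`, so — assuming that helper's defaults do not verify the peer — the tls group only proves that a handshake completes, not that the server certificate shipped in /certs is trusted; passing `#{enable => true, verify => verify_peer, cacertfile => <path-to-ca-pem>}` would make the group exercise trust. This matters more because the server side of this commit sets `require_client_auth: true`, which ordinarily means the server requests a client certificate during the handshake; confirm the connection still succeeds without `certfile`/`keyfile` here, or add them. Separately, the `ct:pal` added to `common_init` labels its output `commit_init:`; it should read `ct:pal("common_init: ~p~n", [Config0])`. The `case` here belongs to `connect_direct_cassa`, which starts in the previous hunk and ends outside this one.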