yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ci: add certs for cassandra tls

This commit is contained in:
JianBo He 2023-03-17 16:39:10 +08:00
parent a20c39c83a
commit 5f0828a2ea
12 changed files with 49 additions and 1262 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.ci/docker-compose-file/.env
View File

@ -6,5 +6,6 @@ LDAP_TAG=2.4.50
INFLUXDB_TAG=2.5.0
TDENGINE_TAG=3.0.2.4
DYNAMO_TAG=1.21.0
CASSANDRA_TAG=3.11.6
TARGET=emqx/emqx

4
.ci/docker-compose-file/cassandra/Dockerfile-tls
View File

@ -1,4 +0,0 @@
ARG CASSANDRA_TAG=3.11.6
FROM cassandra:${CASSANDRA_TAG}
COPY cassandra-tls.yaml /etc/cassandra/cassandra.yaml
CMD ["cassandra", "-f"]

1236
.ci/docker-compose-file/cassandra/cassandra-tls.yaml
View File

File diff suppressed because it is too large Load Diff

24
.ci/docker-compose-file/cassandra/cassandra.yaml
View File

@ -638,7 +638,7 @@ native_transport_port: 9042
# for native_transport_port. Setting native_transport_port_ssl to a different value
# from native_transport_port will use encryption for native_transport_port_ssl while
# keeping native_transport_port unencrypted.
# native_transport_port_ssl: 9142
native_transport_port_ssl: 9142
# The maximum threads for handling requests when the native transport is used.
# This is similar to rpc_max_threads though the default differs slightly (and
# there is no native_transport_min_threads, idle threads will always be stopped
@ -1044,20 +1044,20 @@ server_encryption_options:
# enable or disable client/server encryption.
client_encryption_options:
enabled: false
enabled: true
# If enabled and optional is set to true encrypted and unencrypted connections are handled.
optional: false
keystore: conf/.keystore
keystore_password: cassandra
# require_client_auth: false
optional: true
keystore: /certs/server.jks
keystore_password: my_password
require_client_auth: true
# Set trustore and truststore_password if require_client_auth is true
# truststore: conf/.truststore
# truststore_password: cassandra
truststore: /certs/truststore.jks
truststore_password: my_password
# More advanced defaults below:
# protocol: TLS
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
# internode_compression controls whether traffic between nodes is
# compressed.

23
.ci/docker-compose-file/certs/README.md Normal file
View File

@ -0,0 +1,23 @@
Certificate and Key files for testing
## Cassandra (v3.x)
### How to convert server PEM to JKS Format
1. Convert server.crt and server.key to server.p12
```bash
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "certificate"
```
2. Convert server.p12 to server.jks
```bash
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks
```
### How to convert CA PEM certificate to truststore.jks
```
keytool -import -file ca.pem -keystore truststore.jks
```

BIN
.ci/docker-compose-file/certs/server.jks Normal file
View File

Binary file not shown.

BIN
.ci/docker-compose-file/certs/server.p12 Normal file
View File

Binary file not shown.

BIN
.ci/docker-compose-file/certs/truststore.jks Normal file
View File

Binary file not shown.

5
.ci/docker-compose-file/docker-compose-cassandra-tcp.yaml
View File

@ -2,7 +2,7 @@ version: '3.9'
services:
cassandra_server:
container_name: cassa_tcp
container_name: cassandra
build:
context: ./cassandra
args:
@ -12,8 +12,11 @@ services:
environment:
CASSANDRA_BROADCAST_ADDRESS: "1.2.3.4"
CASSANDRA_RPC_ADDRESS: "0.0.0.0"
volumes:
- ./certs:/certs
ports:
- "9042:9042"
- "9142:9142"
command:
- /bin/bash
- -c

1
.ci/docker-compose-file/docker-compose-toxiproxy.yaml
View File

@ -20,6 +20,7 @@ services:
- 16041:6041
- 18000:8000
- 19042:9042
- 19142:9142
command:
- "-host=0.0.0.0"
- "-config=/config/toxiproxy.json"

8
.ci/docker-compose-file/toxiproxy.json
View File

@ -57,13 +57,13 @@
{
"name": "cassa_tcp",
"listen": "0.0.0.0:9042",
"upstream": "cassa_tcp:9042",
"upstream": "cassandra:9042",
"enabled": true
},
{
"name": "cassa_tls",
"listen": "0.0.0.0:9043",
"upstream": "cassa_tls:9043",
"enabled": false
"listen": "0.0.0.0:9142",
"upstream": "cassandra:9142",
"enabled": true
}
]

9
lib-ee/emqx_ee_bridge/test/emqx_ee_bridge_cassa_SUITE.erl
View File

@ -76,7 +76,7 @@ init_per_group(tcp, Config) ->
];
init_per_group(tls, Config) ->
Host = os:getenv("CASSA_TLS_HOST", "toxiproxy"),
Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9043")),
Port = list_to_integer(os:getenv("CASSA_TLS_PORT", "9142")),
[
{cassa_host, Host},
{cassa_port, Port},
@ -132,6 +132,7 @@ end_per_testcase(_Testcase, Config) ->
%%------------------------------------------------------------------------------
common_init(Config0) ->
ct:pal("commit_init: ~p~n", [Config0]),
BridgeType = proplists:get_value(bridge_type, Config0, <<"cassandra">>),
Host = ?config(cassa_host, Config0),
Port = ?config(cassa_port, Config0),
@ -251,8 +252,7 @@ query_resource(Config, Request) ->
connect_direct_cassa(Config) ->
Opts = #{
host => ?config(cassa_host, Config),
port => ?config(cassa_port, Config),
nodes => [{?config(cassa_host, Config), ?config(cassa_port, Config)}],
username => ?CASSA_USERNAME,
password => ?CASSA_PASSWORD,
keyspace => ?CASSA_KEYSPACE
@ -262,8 +262,7 @@ connect_direct_cassa(Config) ->
case ?config(enable_tls, Config) of
true ->
Opts#{
ssl => true,
ssl_opts => emqx_tls_lib:to_client_opts(#{enable => true})
ssl => emqx_tls_lib:to_client_opts(#{enable => true})
};
false ->
Opts