From 3843bfc86aeefb98b2523293fa29edcc0058650b Mon Sep 17 00:00:00 2001
From: Gaius
Date: Wed, 16 Oct 2024 23:58:10 +0800
Subject: [PATCH] docs: add self-signed certs config (#169)
* feat: rename certs to cert in client config
Signed-off-by: Gaius
* docs: add self-signed certs config
Signed-off-by: Gaius
---------
Signed-off-by: Gaius
---
.../configure-development-nvironment.md | 6 +-
docs/getting-started/installation/binaries.md | 6 +-
.../quick-start/multi-cluster-kubernetes.md | 6 +-
.../container-runtime/containerd.md | 18 ++-
.../integrations/container-runtime/cri-o.md | 18 ++-
.../integrations/container-runtime/nydus.md | 2 -
.../integrations/container-runtime/stargz.md | 2 -
docs/operations/integrations/git-lfs.md | 2 -
docs/operations/integrations/hugging-face.md | 2 -
docs/operations/integrations/torchserve.md | 2 -
docs/operations/integrations/triton-server.md | 2 -
.../configuration/client/dfdaemon.md | 108 +++++++++++-------
docs/reference/configuration/manager.md | 41 ++-----
docs/reference/configuration/scheduler.md | 81 +++++--------
14 files changed, 125 insertions(+), 171 deletions(-)
diff --git a/docs/development-guide/configure-development-nvironment.md b/docs/development-guide/configure-development-nvironment.md
index f7df0ef5..e401ae8c 100644
--- a/docs/development-guide/configure-development-nvironment.md
+++ b/docs/development-guide/configure-development-nvironment.md
@@ -148,8 +148,7 @@ Configuration content is as follows: ```yaml # Seed Peer configuration. manager: - addrs: - - http://127.0.0.1:65003 + addr: http://127.0.0.1:65003 seedPeer: enable: true type: super
@@ -187,8 +186,7 @@ Configuration content is as follows: ```yaml # Peer configuration. manager: - addrs: - - http://127.0.0.1:65003 + addr: http://127.0.0.1:65003 ``` Run Dfdaemon as Peer:
diff --git a/docs/getting-started/installation/binaries.md b/docs/getting-started/installation/binaries.md
index fa016c2e..b699c2c5 100644
--- a/docs/getting-started/installation/binaries.md
+++ b/docs/getting-started/installation/binaries.md
@@ -336,8 +336,7 @@ Configuration content is as follows: ```yaml # Seed Peer configuration. manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 seedPeer: enable: true type: super
@@ -376,8 +375,7 @@ Configuration content is as follows: ```yaml # Peer configuration. manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 ``` Run Dfdaemon as Peer:
diff --git a/docs/getting-started/quick-start/multi-cluster-kubernetes.md b/docs/getting-started/quick-start/multi-cluster-kubernetes.md
index 65963add..e3a86171 100644
--- a/docs/getting-started/quick-start/multi-cluster-kubernetes.md
+++ b/docs/getting-started/quick-start/multi-cluster-kubernetes.md
@@ -346,8 +346,7 @@ seedClient: config: verbose: true manager: - addrs: - - http://dragonfly-manager.cluster-a.svc.cluster.local:65003 + addr: http://dragonfly-manager.cluster-a.svc.cluster.local:65003 seedPeer: clusterID: 2
@@ -378,8 +377,7 @@ client: host: idc: cluster-2 manager: - addrs: - - http://dragonfly-manager.cluster-a.svc.cluster.local:65003 + addr: http://dragonfly-manager.cluster-a.svc.cluster.local:65003 manager: enable: false
diff --git a/docs/operations/integrations/container-runtime/containerd.md b/docs/operations/integrations/container-runtime/containerd.md
index c906367f..e46c7bc0 100644
--- a/docs/operations/integrations/container-runtime/containerd.md
+++ b/docs/operations/integrations/container-runtime/containerd.md
@@ -517,7 +517,7 @@ seedClient: proxy: registryMirror: addr: https://yourdomain.com - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt extraVolumes: - name: seed-client-secret secret:
@@ -537,7 +537,7 @@ client: proxy: registryMirror: addr: https://yourdomain.com - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt extraVolumes: - name: client-secret secret:
@@ -611,8 +611,7 @@ refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md). ```shell manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 seedPeer: enable: true type: super
@@ -624,10 +623,10 @@ proxy: # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address # of registry mirror. addr: https://yourdomain.com - ## certs is the client certs path with PEM format for the registry. + ## cert is the client cert path with PEM format for the registry. ## If registry use self-signed cert, the client should set the ## cert for the registry mirror. - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt ``` ##### Setup Dfdaemon as Peer and configure self-signed certificate
@@ -637,8 +636,7 @@ refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md). ```shell manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 proxy: registryMirror: # addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
@@ -646,10 +644,10 @@ proxy: # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address # of registry mirror. addr: https://yourdomain.com - ## certs is the client certs path with PEM format for the registry. + ## cert is the client cert path with PEM format for the registry. ## If registry use self-signed cert, the client should set the ## cert for the registry mirror. - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt ``` ##### Configure containerd self-signed certificate
diff --git a/docs/operations/integrations/container-runtime/cri-o.md b/docs/operations/integrations/container-runtime/cri-o.md
index 0a95a9e6..fbeae08d 100644
--- a/docs/operations/integrations/container-runtime/cri-o.md
+++ b/docs/operations/integrations/container-runtime/cri-o.md
@@ -320,7 +320,7 @@ seedClient: proxy: registryMirror: addr: https://yourdomain.com - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt extraVolumes: - name: seed-client-secret secret:
@@ -340,7 +340,7 @@ client: proxy: registryMirror: addr: https://yourdomain.com - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt extraVolumes: - name: client-secret secret:
@@ -414,8 +414,7 @@ refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md). ```shell manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 seedPeer: enable: true type: super
@@ -427,10 +426,10 @@ proxy: # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address # of registry mirror. addr: https://yourdomain.com - ## certs is the client certs path with PEM format for the registry. + ## cert is the client cert path with PEM format for the registry. ## If registry use self-signed cert, the client should set the ## cert for the registry mirror. - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt ``` ##### Setup Dfdaemon as Peer and configure self-signed certificate
@@ -440,8 +439,7 @@ refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md). ```shell manager: - addrs: - - http://dragonfly-manager:65003 + addr: http://dragonfly-manager:65003 proxy: registryMirror: # addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
@@ -449,10 +447,10 @@ proxy: # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address # of registry mirror. addr: https://yourdomain.com - ## certs is the client certs path with PEM format for the registry. + ## cert is the client cert path with PEM format for the registry. ## If registry use self-signed cert, the client should set the ## cert for the registry mirror. - certs: /etc/certs/yourdomain.crt + cert: /etc/certs/yourdomain.crt ``` ##### Configure CRI-O self-signed certificate
diff --git a/docs/operations/integrations/container-runtime/nydus.md b/docs/operations/integrations/container-runtime/nydus.md
index 15af15b0..8860fabd 100644
--- a/docs/operations/integrations/container-runtime/nydus.md
+++ b/docs/operations/integrations/container-runtime/nydus.md
@@ -124,8 +124,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: prefetch: true server:
diff --git a/docs/operations/integrations/container-runtime/stargz.md b/docs/operations/integrations/container-runtime/stargz.md
index 8a46136e..2b0c3a4c 100644
--- a/docs/operations/integrations/container-runtime/stargz.md
+++ b/docs/operations/integrations/container-runtime/stargz.md
@@ -118,8 +118,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: prefetch: true server:
diff --git a/docs/operations/integrations/git-lfs.md b/docs/operations/integrations/git-lfs.md
index 27cd93a8..26576634 100644
--- a/docs/operations/integrations/git-lfs.md
+++ b/docs/operations/integrations/git-lfs.md
@@ -195,8 +195,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: server: port: 4001
diff --git a/docs/operations/integrations/hugging-face.md b/docs/operations/integrations/hugging-face.md
index b110696f..8bcd17d8 100644
--- a/docs/operations/integrations/hugging-face.md
+++ b/docs/operations/integrations/hugging-face.md
@@ -123,8 +123,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: server: port: 4001
diff --git a/docs/operations/integrations/torchserve.md b/docs/operations/integrations/torchserve.md
index 21662cfb..78541f0c 100644
--- a/docs/operations/integrations/torchserve.md
+++ b/docs/operations/integrations/torchserve.md
@@ -137,8 +137,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: server: port: 4001
diff --git a/docs/operations/integrations/triton-server.md b/docs/operations/integrations/triton-server.md
index 7df51948..a69fcbce 100644
--- a/docs/operations/integrations/triton-server.md
+++ b/docs/operations/integrations/triton-server.md
@@ -122,8 +122,6 @@ client: enable: true config: verbose: true - security: - enable: true proxy: server: port: 4001
diff --git a/docs/reference/configuration/client/dfdaemon.md b/docs/reference/configuration/client/dfdaemon.md
index d0a017bf..f61b76b8 100644
--- a/docs/reference/configuration/client/dfdaemon.md
+++ b/docs/reference/configuration/client/dfdaemon.md
@@ -18,14 +18,14 @@ log: # host is the host configuration for dfdaemon. host: - ## idc is the idc of the host. + # idc is the idc of the host. idc: '' - ## location is the location of the host. + # location is the location of the host. location: '' - ## hostname is the hostname of the host. - # hostname: "" - ## ip is the advertise ip of the host. - # ip: "" +# # hostname is the hostname of the host. +# hostname: "" +# # ip is the advertise ip of the host. +# ip: "" server: # pluginDir is the directory to store plugins.
@@ -48,16 +48,37 @@ upload: server: # port is the port to the grpc server. port: 4000 - ## ip is the listen ip of the grpc server. - # ip: "" + # # ip is the listen ip of the grpc server. + # ip: "" + # # CA certificate file path for mTLS. + # caCert: /etc/ssl/certs/ca.crt + # # GRPC server certificate file path for mTLS. + # cert: /etc/ssl/certs/server.crt + # # GRPC server key file path for mTLS. + # key: /etc/ssl/private/server.pem + # +# # Client configuration for remote peer's upload server. +# client: +# # CA certificate file path for mTLS. +# caCert: /etc/ssl/certs/ca.crt +# # GRPC client certificate file path for mTLS. +# cert: /etc/ssl/certs/client.crt +# # GRPC client key file path for mTLS. +# key: /etc/ssl/private/client.pem # disableShared indicates whether disable to share data for other peers. disableShared: false # rateLimit is the default rate limit of the upload speed in KiB/MiB/GiB per second, default is 10GiB/s. rateLimit: 10GiB manager: - # addrs is manager addresses. - addrs: [] + # addr is manager address. + addr: http://manager-service:65003 +# # CA certificate file path for mTLS. +# caCert: /etc/ssl/certs/ca.crt +# # GRPC client certificate file path for mTLS. +# cert: /etc/ssl/certs/client.crt +# # GRPC client key file path for mTLS. +# key: /etc/ssl/private/client.pem scheduler: # announceInterval is the interval to announce peer to the scheduler.
@@ -71,6 +92,12 @@ scheduler: maxScheduleCount: 5 # enableBackToSource indicates whether enable back-to-source download, when the scheduling failed. enableBackToSource: true +# # CA certificate file path for mTLS. +# caCert: /etc/ssl/certs/ca.crt +# # GRPC client certificate file path for mTLS. +# cert: /etc/ssl/certs/client.crt +# # GRPC client key file path for mTLS. +# key: /etc/ssl/private/client.pem seedPeer: # enable indicates whether enable seed peer.
@@ -113,26 +140,26 @@ proxy: server: # port is the port to the proxy server. port: 4001 - ## ip is the listen ip of the proxy server. - # ip: "" - ## caCert is the root CA cert path with PEM format for the proxy server to generate the server cert. - ## If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed. - ## When client requests via the proxy, the client should not verify the server cert and set - ## insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed, - ## you can use openssl to generate the root CA cert and make the system trust the root CA cert. - ## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert - ## and key, and signs the server cert with the root CA cert. When client requests via the proxy, - ## the proxy can intercept the request by the server cert. - # caCert: "" - ## caKey is the root CA key path with PEM format for the proxy server to generate the server cert. - ## If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed. - ## When client requests via the proxy, the client should not verify the server cert and set - ## insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed, - ## you can use openssl to generate the root CA cert and make the system trust the root CA cert. - ## Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert - ## and key, and signs the server cert with the root CA cert. When client requests via the proxy, - ## the proxy can intercept the request by the server cert. - # caKey: "" + # # ip is the listen ip of the proxy server. + # ip: "" + # # caCert is the root CA cert path with PEM format for the proxy server to generate the server cert. 
+ # # If ca_cert is empty, proxy will generate a smaple CA cert by rcgen::generate_simple_self_signed. + # # When client requests via the proxy, the client should not verify the server cert and set + # # insecure to true. If ca_cert is not empty, proxy will sign the server cert with the CA cert. If openssl is installed, + # # you can use openssl to generate the root CA cert and make the system trust the root CA cert. + # # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert + # # and key, and signs the server cert with the root CA cert. When client requests via the proxy, + # # the proxy can intercept the request by the server cert. + # caCert: "" + # # caKey is the root CA key path with PEM format for the proxy server to generate the server cert. + # # If ca_key is empty, proxy will generate a smaple CA key by rcgen::generate_simple_self_signed. + # # When client requests via the proxy, the client should not verify the server cert and set + # # insecure to true. If ca_key is not empty, proxy will sign the server cert with the CA cert. If openssl is installed, + # # you can use openssl to generate the root CA cert and make the system trust the root CA cert. + # # Then set the ca_cert and ca_key to the root CA cert and key path. Dfdaemon generates the server cert + # # and key, and signs the server cert with the root CA cert. When client requests via the proxy, + # # the proxy can intercept the request by the server cert. + # caKey: "" # rules is the list of rules for the proxy server. # regex is the regex of the request url. # useTLS indicates whether use tls for the proxy backend. 
@@ -156,10 +183,10 @@ proxy: # configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address # of registry mirror. addr: https://index.docker.io - ## certs is the client certs path with PEM format for the registry. - ## If registry use self-signed cert, the client should set the - ## cert for the registry mirror. - # certs: "" + # # cert is the client cert path with PEM format for the registry. + # # If registry use self-signed cert, the client should set the + # # cert for the registry mirror. + # cert: "" # disableBackToSource indicates whether disable to download back-to-source when download failed. disableBackToSource: false # prefetch pre-downloads full of the task when download with range request.
@@ -167,19 +194,14 @@ proxy: # readBufferSize is the buffer size for reading piece from disk, default is 32KB. readBufferSize: 32768 -security: - # enable indicates whether enable security. - enable: false - metrics: server: # port is the port to the metrics server. port: 4002 - ## ip is the listen ip of the metrics server. - # ip: "" - -## tracing is the tracing configuration for dfdaemon. + # # ip is the listen ip of the metrics server. + # ip: "" +# # tracing is the tracing configuration for dfdaemon. # tracing: -## addr is the address to report tracing log. +# # addr is the address to report tracing log. # addr: "" ```
diff --git a/docs/reference/configuration/manager.md b/docs/reference/configuration/manager.md
index 5ee06a4d..ac631af3 100644
--- a/docs/reference/configuration/manager.md
+++ b/docs/reference/configuration/manager.md
@@ -24,10 +24,19 @@ server: port: start: 65003 end: 65003 + # # GRPC server tls configuration. + # tls: + # # CA certificate file path for mTLS. + # caCert: /etc/ssl/certs/ca.crt + # # Certificate file path for mTLS. + # cert: /etc/ssl/certs/server.crt + # # Key file path for mTLS. + # key: /etc/ssl/private/server.pem # REST server configure rest: # REST server address addr: :8080 + # # REST server tls configuration. # tls: # # Certificate file path. # cert: /etc/ssl/certs/server.crt
@@ -160,8 +169,8 @@ job: tls: # insecureSkipVerify controls whether a client verifies the server's certificate chain and hostname. insecureSkipVerify: false - # # caCert is the CA certificate for preheat tls handshake, it can be path or PEM format string. - # caCert: '' + # # caCert is the CA certificate for preheat tls handshake, it can be path or PEM format string. + # caCert: '' # Object storage service. objectStorage:
@@ -194,34 +203,6 @@ metrics: # Enable peer gauge metrics. enablePeerGauge: true -# Security configuration. -security: - # autoIssueCert indicates to issue client certificates for all grpc call. - # If AutoIssueCert is false, any other option in Security will be ignored. - autoIssueCert: false - # caCert is the CA certificate for all grpc tls handshake, it can be path or PEM format string. - caCert: '' - # caKey is the CA private key, it can be path or PEM format string. - caKey: '' - # tlsPolicy controls the grpc shandshake behaviors: - # force: both ClientHandshake and ServerHandshake are only support tls - # prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls - # default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls) - # Notice: If the drgaonfly service has been deployed, a two-step upgrade is required. - # The first step is to set tlsPolicy to default, and then upgrade the dragonfly services. - # The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services. - tlsPolicy: 'prefer' - certSpec: - # dnsNames is a list of dns names be set on the certificate. - dnsNames: - - 'dragonfly-manager' - - 'dragonfly-manager.dragonfly-system.svc' - - 'dragonfly-manager.dragonfly-system.svc.cluster.local' - # ipAddresses is a list of ip addresses be set on the certificate. - ipAddresses: - # validityPeriod is the validity period of certificate. - validityPeriod: 87600h - # Network configuration. network: # Enable ipv6.
diff --git a/docs/reference/configuration/scheduler.md b/docs/reference/configuration/scheduler.md
index fb639e14..ce2df308 100644
--- a/docs/reference/configuration/scheduler.md
+++ b/docs/reference/configuration/scheduler.md
@@ -12,18 +12,26 @@ and the default path is `$HOME/.dragonfly/config/scheduler.yaml` in darwin. ```yaml # Server scheduler instance configuration. server: - # # Access ip for other services, - # # when local ip is different with access ip, advertiseIP should be set. - # advertiseIP: 127.0.0.1 - # # Access port for other services, - # # when local ip is different with access port, advertisePort should be set. - # advertisePort: 8002 - # # Listen ip. - # listenIP: 0.0.0.0 - # Port is the ip and port scheduler server listens on. +# # Access ip for other services, +# # when local ip is different with access ip, advertiseIP should be set. +# advertiseIP: 127.0.0.1 +# # Access port for other services, +# # when local ip is different with access port, advertisePort should be set. +# advertisePort: 8002 +# # Listen ip. +# listenIP: 0.0.0.0 +# Port is the ip and port scheduler server listens on. port: 8002 - # # Server host. - # host: localhost +# # GRPC server tls configuration. +# tls: +# # CA certificate file path for mTLS. +# caCert: /etc/ssl/certs/ca.crt +# # Certificate file path for mTLS. +# cert: /etc/ssl/certs/server.crt +# # Key file path for mTLS. +# key: /etc/ssl/private/server.pem +# # Server host. +# host: localhost # WorkHome is working directory. # In linux, default value is /usr/local/dragonfly. # In macos(just for testing), default value is /Users/$USER/.dragonfly.
@@ -99,22 +107,6 @@ database: # Redis backend DB. backendDB: 2 -# Resource configuration. -resource: - # Task configuration. - task: - # downloadTiny is the configuration of downloading tiny task by scheduler. - downloadTiny: - # scheme is download tiny task scheme. - scheme: http - # Timeout is http request timeout. - timeout: 1m - # tls is download tiny task TLS configuration. - tls: - # insecureSkipVerify controls whether a client verifies the - # server's certificate chain and hostname. - insecureSkipVerify: true - # Dynamic data configuration. dynConfig: # Dynamic config refresh interval.
@@ -137,6 +129,14 @@ manager: keepAlive: # KeepAlive interval. interval: 5s +# # GRPC client tls configuration. +# tls: +# # CA certificate file path for mTLS. +# caCert: /etc/ssl/certs/ca.crt +# # Certificate file path for mTLS. +# cert: /etc/ssl/certs/client.crt +# # Key file path for mTLS. +# key: /etc/ssl/private/client.pem # Seed peer configuration. seedPeer:
@@ -176,33 +176,6 @@ metrics: # Enable host metrics. enableHost: false -security: - # autoIssueCert indicates to issue client certificates for all grpc call. - # If AutoIssueCert is false, any other option in Security will be ignored. - autoIssueCert: false - # caCert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string. - caCert: '' - # tlsVerify indicates to verify certificates. - tlsVerify: false - # tlsPolicy controls the grpc shandshake behaviors: - # force: both ClientHandshake and ServerHandshake are only support tls - # prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls - # default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls) - # Notice: If the drgaonfly service has been deployed, a two-step upgrade is required. - # The first step is to set tlsPolicy to default, and then upgrade the dragonfly services. - # The second step is to set tlsPolicy to prefer, and then completely upgrade the dragonfly services. - tlsPolicy: 'prefer' - certSpec: - # dnsNames is a list of dns names be set on the certificate. - dnsNames: - - 'dragonfly-scheduler' - - 'dragonfly-scheduler.dragonfly-system.svc' - - 'dragonfly-scheduler.dragonfly-system.svc.cluster.local' - # ipAddresses is a list of ip addresses be set on the certificate. - ipAddresses: - # validityPeriod is the validity period of certificate. - validityPeriod: 4320h - network: # Enable ipv6. enableIPv6: false