Merge remote-tracking branch 'gitlab/feature/fix-cert'

# Conflicts: # .gitlab-ci.yml # go.mod
eolinker · Feb 7, 2023 · 8934411 · 8934411
2 parents 7d30dca + 24d5446
commit 8934411
Show file tree

Hide file tree

Showing 23 changed files with 326 additions and 117 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,91 @@
+stages:
+  - notice
+  - check
+  - build
+  - deploy
+  - publish
+
+variables:
+  PATH: /usr/local/sonar-scanner/sonar-scanner-4.4.0.2170-linux/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/data/golang/go/bin/:/root/go/bin
+  GOROOT: /data/golang/go
+  GOPROXY: https://goproxy.cn
+  APP: apinto
+  VERSION: $CI_COMMIT_SHORT_SHA
+  SAVE_DIR: /opt/apinto
+  APP_PRE: ${APP}-${VERSION}
+
+default:
+  before_script:
+    - pwd
+
+merge-informer: # 飞书回调
+  stage: notice
+  variables:
+    DIFF_URL: "$CI_MERGE_REQUEST_PROJECT_URL/-/merge_requests/$CI_MERGE_REQUEST_IID/diffs"
+  rules:
+    - if: $CI_PIPELINE_SOURCE=="merge_request_event"
+  script:
+    - rm -rf out/apinto-*
+    - |
+      curl -X POST -H "Content-Type: application/json" \
+      -d "{\"msg_type\":\"text\",\"content\":{\"text\":\"项目：${CI_PROJECT_NAME}\\n提交人：${GITLAB_USER_NAME}\\n提交信息：${CI_MERGE_REQUEST_TITLE}\\n合并分支信息：${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} -> ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}\\n差异性地址：${DIFF_URL}\\n请及时review代码\"}}" \
+      https://open.feishu.cn/open-apis/bot/v2/hook/1c334752-2874-41a1-8f1b-3060f2d46b6c
+checker:
+  stage: check
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+  script:
+    - set +e
+    - go mod tidy
+    - go test -covermode=atomic -coverpkg=./... -coverprofile=coverage.data -timeout=1m ./...
+    - golangci-lint run --timeout=3m --out-format checkstyle --issues-exit-code 0 ./... > report.xml
+    - sonar-scanner
+builder:
+  stage: build
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH=="test"
+      when: on_success
+  script:
+    - sed -i '/replace github.com\/eolinker\/eosc => */d' go.mod
+    - go mod tidy
+    - cd build/cmd && ./package.sh $VERSION
+  cache:
+    paths:
+      - out/
+deployer:
+  stage: deploy
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+      variables:
+        DEPLOY_SERVER: [email protected]
+        DEPLOY_DESC: "DEV 环境"
+    - if: $CI_COMMIT_BRANCH=="test"
+      variables:
+        DEPLOY_SERVER: [email protected]
+        DEPLOY_DESC: "TEST 环境"
+  dependencies:
+    - builder
+  script:
+    - set -e
+    - scp out/${APP_PRE}.linux.x64.tar.gz ${DEPLOY_SERVER}:${SAVE_DIR}
+    - ssh ${DEPLOY_SERVER} "set -e; cd ${SAVE_DIR}; mkdir -p ${APP_PRE};tar -zxvf ${APP_PRE}.linux.x64.tar.gz -C ${APP_PRE};cd ${APP_PRE}/${APP}; ./install.sh upgrade;cd ${SAVE_DIR}; ./clean.sh ${APP_PRE}"
+    - |
+      curl -X POST -H "Content-Type: application/json" \
+      -d "{\"msg_type\":\"text\",\"content\":{\"text\":\"项目：apinto\\n环境：${DEPLOY_DESC}\\n更新部署完成.\"}}" \
+      https://open.feishu.cn/open-apis/bot/v2/hook/1c334752-2874-41a1-8f1b-3060f2d46b6c
+  when: on_success
+  cache:
+    paths:
+      - out/
+publisher:
+  stage: publish
+  only:
+    - tags
+  script:
+    - sed -i '/replace github.com\/eolinker\/eosc => */d' go.mod
+    - go mod tidy
+    - GOVERSION=$(go version) EoscVersion=$(sed -n 's/.*eosc v/v/p' go.mod) goreleaser release --skip-validate --rm-dist --skip-publish
+    - mkdir -p /data/pkg/apinto/${CI_COMMIT_TAG}
+    - cp -if dist/*.tar.gz /data/pkg/apinto/${CI_COMMIT_TAG}
diff --git a/.gitlab-ci.yml~gitlab_feature_fix-cert b/.gitlab-ci.yml~gitlab_feature_fix-cert
@@ -0,0 +1,91 @@
+stages:
+  - notice
+  - check
+  - build
+  - deploy
+  - publish
+
+variables:
+  PATH: /usr/local/sonar-scanner/sonar-scanner-4.4.0.2170-linux/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/data/golang/go/bin/:/root/go/bin
+  GOROOT: /data/golang/go
+  GOPROXY: https://goproxy.cn
+  APP: apinto
+  VERSION: $CI_COMMIT_SHORT_SHA
+  SAVE_DIR: /opt/apinto
+  APP_PRE: ${APP}-${VERSION}
+
+default:
+  before_script:
+    - pwd
+
+merge-informer: # 飞书回调
+  stage: notice
+  variables:
+    DIFF_URL: "$CI_MERGE_REQUEST_PROJECT_URL/-/merge_requests/$CI_MERGE_REQUEST_IID/diffs"
+  rules:
+    - if: $CI_PIPELINE_SOURCE=="merge_request_event"
+  script:
+    - rm -rf out/apinto-*
+    - |
+      curl -X POST -H "Content-Type: application/json" \
+      -d "{\"msg_type\":\"text\",\"content\":{\"text\":\"项目：${CI_PROJECT_NAME}\\n提交人：${GITLAB_USER_NAME}\\n提交信息：${CI_MERGE_REQUEST_TITLE}\\n合并分支信息：${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} -> ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}\\n差异性地址：${DIFF_URL}\\n请及时review代码\"}}" \
+      https://open.feishu.cn/open-apis/bot/v2/hook/1c334752-2874-41a1-8f1b-3060f2d46b6c
+checker:
+  stage: check
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+  script:
+    - set +e
+    - go mod tidy
+    - go test -covermode=atomic -coverpkg=./... -coverprofile=coverage.data -timeout=1m ./...
+    - golangci-lint run --timeout=3m --out-format checkstyle --issues-exit-code 0 ./... > report.xml
+    - sonar-scanner
+builder:
+  stage: build
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH=="test"
+      when: on_success
+  script:
+    - sed -i '/replace github.com\/eolinker\/eosc => */d' go.mod
+    - go mod tidy
+    - cd build/cmd && ./package.sh $VERSION
+  cache:
+    paths:
+      - out/
+deployer:
+  stage: deploy
+  rules:
+    - if: $CI_COMMIT_BRANCH=="develop"
+      variables:
+        DEPLOY_SERVER: [email protected]
+        DEPLOY_DESC: "DEV 环境"
+    - if: $CI_COMMIT_BRANCH=="test"
+      variables:
+        DEPLOY_SERVER: [email protected]
+        DEPLOY_DESC: "TEST 环境"
+  dependencies:
+    - builder
+  script:
+    - set -e
+    - scp out/${APP_PRE}.linux.x64.tar.gz ${DEPLOY_SERVER}:${SAVE_DIR}
+    - ssh ${DEPLOY_SERVER} "set -e; cd ${SAVE_DIR}; mkdir -p ${APP_PRE};tar -zxvf ${APP_PRE}.linux.x64.tar.gz -C ${APP_PRE};cd ${APP_PRE}/${APP}; ./install.sh upgrade;cd ${SAVE_DIR}; ./clean.sh ${APP_PRE}"
+    - |
+      curl -X POST -H "Content-Type: application/json" \
+      -d "{\"msg_type\":\"text\",\"content\":{\"text\":\"项目：apinto\\n环境：${DEPLOY_DESC}\\n更新部署完成.\"}}" \
+      https://open.feishu.cn/open-apis/bot/v2/hook/1c334752-2874-41a1-8f1b-3060f2d46b6c
+  when: on_success
+  cache:
+    paths:
+      - out/
+publisher:
+  stage: publish
+  only:
+    - tags
+  script:
+    - sed -i '/replace github.com\/eolinker\/eosc => */d' go.mod
+    - go mod tidy
+    - GOVERSION=$(go version) EoscVersion=$(sed -n 's/.*eosc v/v/p' go.mod) goreleaser release --skip-validate --rm-dist --skip-publish
+    - mkdir -p /data/pkg/apinto/${CI_COMMIT_TAG}
+    - cp -if dist/*.tar.gz /data/pkg/apinto/${CI_COMMIT_TAG}
diff --git a/app/apinto/config.yml b/app/apinto/config.yml
@@ -4,6 +4,7 @@ client:
   - http://0.0.0.0:9400
 gateway:
   listen_urls:
+  - https://0.0.0.0:8099
   - http://0.0.0.0:8099
 peer:
   listen_urls:

diff --git a/build/cmd/common.sh b/build/cmd/common.sh
@@ -26,11 +26,23 @@ function buildApp(){
     APP=$1
     VERSION=$2
     OUTPATH="${BasePath}/out/${APP}-${VERSION}"
+    echo "rm -rf ${OUTPATH}"
     rm -rf ${OUTPATH}
+    echo "mkdir -p ${OUTPATH}"
     mkdir -p ${OUTPATH}
-    buildCMD="go build  -o ${OUTPATH}/$APP ${BasePath}/app/$APP"
-    echo "build $APP:${buildCMD}"
-    ${buildCMD}
+    BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    EOSC_VERSION=$(sed -n 's/.*eosc v/v/p' ${BasePath}/go.mod)
+    flags="-X 'github.com/eolinker/apinto/utils/version.Version=${VERSION}'
+           -X 'github.com/eolinker/apinto/utils/version.gitCommit=$(git rev-parse HEAD)'
+           -X 'github.com/eolinker/apinto/utils/version.buildTime=${BUILD_TIME}'
+           -X 'github.com/eolinker/apinto/utils/version.buildUser=gitlab'
+           -X 'github.com/eolinker/apinto/utils/version.goVersion=$(go version)'
+           -X 'github.com/eolinker/apinto/utils/version.eoscVersion=${EOSC_VERSION}'"
+    echo -e "build $APP:go build -ldflags "-w -s $flags" -o ${OUTPATH}/$APP ${BasePath}/app/$APP"
+    go build -ldflags "-w -s $flags" -o ${OUTPATH}/$APP ${BasePath}/app/$APP
+#    echo "build $APP:${buildCMD}"
+
+#    echo `${buildCMD}`
 
     if [[ "$?" != "0" ]]
     then

diff --git a/build/cmd/package.sh b/build/cmd/package.sh
@@ -9,7 +9,7 @@ VERSION=$(genVersion $1)
 folder="${BasePath}/out/apinto-${VERSION}"
 if [[ ! -d "$folder" ]]
 then
-  mkdir "$folder"
+#  mkdir -p "$folder"
   ${CMD}/build.sh $1
   if [[ "$?" != "0" ]]
   then

diff --git a/build/resources/config.yml.tpl b/build/resources/config.yml.tpl
@@ -1,15 +1,26 @@
-listen:   # node listen port
-  - 8099
+version: 2
+#certificate: # 证书存放根目录
+#  dir: /etc/apinto/cert
+client:
+	#advertise_urls: # open api 服务的广播地址
+  #- http://127.0.0.1:9400
+  listen_urls: # open api 服务的监听地址
+  - http://0.0.0.0:9400
+  #certificate:  # 证书配置，允许使用ip的自签证书
+  #  - cert: server.pem
+  #    key: server.key
+gateway:
+	#advertise_urls: # 转发服务的广播地址
+   #- http://127.0.0.1:9400
+  listen_urls: # 转发服务的监听地址
+  - https://0.0.0.0:8099
+  - http://0.0.0.0:8099
+peer: # 集群间节点通信配置信息
+  listen_urls: # 节点监听地址
+  - http://0.0.0.0:9401
+  #advertise_urls: # 节点通信广播地址
+    #- http://127.0.0.1:9400
+  #certificate:  # 证书配置，允许使用ip的自签证书
+	#  - cert: server.pem
+	#    key: server.key
 
-admin:    # openAPI request info
-  scheme: http # listen scheme
-  listen: 9400 # listen port
-  ip: 0.0.0.0 # listen ip
-#ssl:
-#  listen:
-#    - port: 443       #https端口
-#      certificate:    # 不配表示使用所有 cert_dir中的证书，默认pem文件后缀为pem，key后缀为key
-#        - cert: cert.pem
-#          key:  cert.key
-#certificate:
-#  dir: ./cert # 证书文件目录，不填则默认从cert目录下载
diff --git a/build/resources/install.sh b/build/resources/install.sh
diff --git a/build/resources/join.sh b/build/resources/join.sh
@@ -32,7 +32,7 @@ do
   if [ ${ip} != ${POD_IP} ]
   then
   #join the cluster
-    ./apinto join --ip ${POD_IP} --addr=${ip}:${APINTO_ADMIN_PORT}
+    ./apinto join --addr=${ip}:${APINTO_ADMIN_PORT}
     break
   fi
 done
diff --git a/build/resources/leave.sh b/build/resources/leave.sh
diff --git a/build/resources/start.sh b/build/resources/start.sh
diff --git a/certs/cert.go b/certs/cert.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"github.com/eolinker/eosc/config"
 	"sync"
+	"sync/atomic"
 )
 
 var errorCertificateNotExit = errors.New("not exist cert")
@@ -15,11 +16,14 @@ type ICert interface {
 }
 
 var (
-	workerMaps               = make(map[string]*tls.Certificate)
-	lock                     = sync.RWMutex{}
-	currentCert *config.Cert = nil
+	workerMaps  = make(map[string]*tls.Certificate)
+	lock        = sync.RWMutex{}
+	currentCert = atomic.Pointer[config.Cert]{}
 )
 
+func init() {
+	currentCert.Store(config.NewCert(nil))
+}
 func DelCert(workerId string) {
 	lock.Lock()
 	defer lock.Unlock()
@@ -43,36 +47,27 @@ func rebuild() {
 			certsMap[dnsName] = i
 		}
 	}
-	currentCert = config.NewCert(certsMap)
+	currentCert.Swap(config.NewCert(certsMap))
 }
 func GetCertificateFunc(certsLocal ...*config.Cert) func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	lock.RLock()
-	certsCluster := currentCert
-	lock.RUnlock()
 
-	certList := make([]*config.Cert, 0, len(certsLocal)+1)
-	for _, c := range certList {
-		if c != nil {
-			certList = append(certList, c)
-		}
-	}
-	if certsCluster != nil {
-		certList = append(certList, certsCluster)
-	}
-	if len(certList) == 0 {
+	if len(certsLocal) == 0 {
+
 		return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			return nil, errorCertificateNotExit
+			return currentCert.Load().GetCertificate(info)
 		}
 	}
-	if len(certList) == 1 {
-		certs := certList[0]
-		return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			return certs.GetCertificate(info)
+	certList := make([]*config.Cert, 0, len(certsLocal))
+	for _, c := range certsLocal {
+		if c != nil {
+			certList = append(certList, c)
 		}
 	}
-
 	return func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
-
+		certificate, err = currentCert.Load().GetCertificate(info)
+		if certificate != nil {
+			return
+		}
 		for _, cert := range certList {
 			certificate, err = cert.GetCertificate(info)
 			if certificate != nil {

diff --git a/drivers/certs/config.go b/drivers/certs/config.go
@@ -2,6 +2,6 @@ package certs
 
 type Config struct {
 	Name string `json:"name" label:"证书名"`
-	Key  string `json:"key" label:"key"`
-	Pem  string `json:"pem" label:"value"`
+	Key  string `json:"key" label:"密钥内容" format:"text" description:"密钥文件的后缀名一般为.key"`
+	Pem  string `json:"pem" label:"证书内容" format:"text" description:"证书文件的后缀名一般为.crt 或 .pem"`
 }
diff --git a/drivers/certs/worker.go b/drivers/certs/worker.go
@@ -3,6 +3,7 @@ package certs
 import (
 	"crypto/tls"
 	"crypto/x509"
+
 	"github.com/eolinker/apinto/certs"
 	"github.com/eolinker/apinto/drivers"
 	"github.com/eolinker/apinto/utils"
@@ -55,6 +56,10 @@ func (w *Worker) CheckSkill(string) bool {
 }
 
 func parseCert(privateKey, pemValue string) (*tls.Certificate, error) {
+	cert, err := genCert([]byte(privateKey), []byte(pemValue))
+	if err == nil {
+		return cert, nil
+	}
 
 	keydata, err := utils.B64Decode(privateKey)
 	if err != nil {
@@ -64,7 +69,11 @@ func parseCert(privateKey, pemValue string) (*tls.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	certificate, err := tls.X509KeyPair(pem, keydata)
+	return genCert(keydata, pem)
+}
+
+func genCert(key, pem []byte) (*tls.Certificate, error) {
+	certificate, err := tls.X509KeyPair(pem, key)
 	if err != nil {
 		return nil, err
 	}