

#59 #60 Add TLS support for RPC node of internal consensus
anastasia prasolova authored and aprasolova committed Jul 5, 2023
1 parent 22f23eb commit 922fa03
Showing 3 changed files with 79 additions and 2 deletions.
60 changes: 58 additions & 2 deletions defaults/main.yml
Expand Up @@ -60,8 +60,35 @@ neofs_ir__blockchain_notary_disabled: False
neofs_ir__blockchain_time_per_block: '15s'
neofs_ir__blockchain_magic: '735783775'
neofs_ir__blockchain_seed_nodes: []
neofs_ir__blockchain_rpc_addresses: []
neofs_ir__blockchain_p2p_addresses: []

neofs_ir__blockchain_rpc_address: 'localhost'
neofs_ir__blockchain_rpc_port: 30333
neofs_ir__blockchain_rpc_allow: []
neofs_ir__blockchain_rpc_group_allow: []
neofs_ir__blockchain_rpc_host_allow: []
neofs_ir__blockchain_rpc_addresses:
- '{{ neofs_ir__blockchain_rpc_address }}:{{ neofs_ir__blockchain_rpc_port }}'

neofs_ir__blockchain_tls_rpc_enabled: False
neofs_ir__blockchain_tls_rpc_address: 'localhost'
neofs_ir__blockchain_tls_rpc_port: 30335
neofs_ir__blockchain_tls_rpc_allow: []
neofs_ir__blockchain_tls_rpc_group_allow: []
neofs_ir__blockchain_tls_rpc_host_allow: []
neofs_ir__blockchain_tls_rpc_addresses:
- '{{ neofs_ir__blockchain_tls_rpc_address }}:{{ neofs_ir__blockchain_tls_rpc_port }}'
neofs_ir__blockchain_tls_rpc_cert: '{{ neofs_ir__conf_dir }}/server.crt'
neofs_ir__blockchain_tls_rpc_key: '{{ neofs_ir__conf_dir }}/server.key'
neofs_ir__blockchain_tls_rpc_local_cert: '/local/path/to/cert'
neofs_ir__blockchain_tls_rpc_local_key: '/local/path/to/key'

neofs_ir__blockchain_p2p_address: 'localhost'
neofs_ir__blockchain_p2p_port: 20333
neofs_ir__blockchain_p2p_allow: []
neofs_ir__blockchain_p2p_group_allow: []
neofs_ir__blockchain_p2p_host_allow: []
neofs_ir__blockchain_p2p_addresses:
- '{{ neofs_ir__blockchain_p2p_address }}:{{ neofs_ir__blockchain_p2p_port }}'

neofs_ir__validators:
- '026fa34ec057d74c2fdf1a18e336d0bd597ea401a0b2ad57340d5c220d09f44086'
Expand Down Expand Up @@ -90,6 +117,11 @@ neofs_ir__sidechain_config:
seed_nodes: '{{ neofs_ir__blockchain_seed_nodes }}'
rpc:
listen: '{{ neofs_ir__blockchain_rpc_addresses }}'
tls:
enabled: '{{ neofs_ir__blockchain_tls_rpc_enabled }}'
listen: '{{ neofs_ir__blockchain_tls_rpc_addresses }}'
cert_file: '{{ neofs_ir__blockchain_tls_rpc_cert }}'
key_file: '{{ neofs_ir__blockchain_tls_rpc_key }}'
p2p:
dial_timeout: 3s
proto_tick_interval: 2s
Expand Down Expand Up @@ -230,3 +262,27 @@ neofs_ir__ferm__dependent_rules:
saddr: '{{ neofs_ir__control_allow + neofs_ir__control_group_allow + neofs_ir__control_host_allow }}'
protocol: 'tcp'
rule_state: "{{ 'present' if neofs_ir__control_enabled else 'absent' }}"

- type: 'accept'
name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_rpc'
dport: [ '{{ neofs_ir__blockchain_rpc_port }}' ]
daddr: [ '{{ neofs_ir__blockchain_rpc_address }}' ]
saddr: '{{ neofs_ir__blockchain_rpc_allow + neofs_ir__blockchain_rpc_group_allow + neofs_ir__blockchain_rpc_host_allow }}'
protocol: 'tcp'
rule_state: "{{ 'present' if not neofs_ir__external_sidechain else 'absent' }}"

- type: 'accept'
name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_tls_rpc'
dport: [ '{{ neofs_ir__blockchain_tls_rpc_port }}' ]
daddr: [ '{{ neofs_ir__blockchain_tls_rpc_address }}' ]
saddr: '{{ neofs_ir__blockchain_tls_rpc_allow + neofs_ir__blockchain_tls_rpc_group_allow + neofs_ir__blockchain_tls_rpc_host_allow }}'
protocol: 'tcp'
rule_state: "{{ 'present' if neofs_ir__blockchain_tls_rpc_enabled else 'absent' }}"

- type: 'accept'
name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_p2p'
dport: [ '{{ neofs_ir__blockchain_p2p_port }}' ]
daddr: [ '{{ neofs_ir__blockchain_p2p_address }}' ]
saddr: '{{ neofs_ir__blockchain_p2p_allow + neofs_ir__blockchain_p2p_group_allow + neofs_ir__blockchain_p2p_host_allow }}'
protocol: 'tcp'
rule_state: "{{ 'present' if not neofs_ir__external_sidechain else 'absent' }}"
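Review bot: The new `neofs-ir…_blockchain_tls_rpc` accept rule is gated only on `neofs_ir__blockchain_tls_rpc_enabled`, whereas the sibling `_blockchain_rpc` and `_blockchain_p2p` rules in the same list are keyed off `neofs_ir__external_sidechain`; with an external sidechain and TLS enabled, the firewall opens port 30335 for a listener that, by the logic the other two rules use, is not running locally. The state expression should combine both conditions: `rule_state: "{{ 'present' if (neofs_ir__blockchain_tls_rpc_enabled and not neofs_ir__external_sidechain) else 'absent' }}"`. Separately, the plaintext RPC rule stays `present` when TLS is turned on, so enabling TLS adds an encrypted listener next to the cleartext one rather than replacing it; if TLS-only operation is intended, a comment on `neofs_ir__blockchain_tls_rpc_enabled` saying that operators must also bind or empty `neofs_ir__blockchain_rpc_addresses` would prevent surprises. The `*_allow` lists all default to `[]`; if the ferm role treats an empty `saddr` as unrestricted, these rules admit any source as soon as the address is changed from `localhost`, which deserves a one-line comment beside those defaults. The `neofs_ir__ferm__dependent_rules` list begins above this hunk.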
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -28,6 +28,8 @@

- ansible.builtin.include_tasks: wallet.yml

- ansible.builtin.include_tasks: tls.yml

- name: Copy NeoFS IR config
ansible.builtin.template:
src: 'config.yml.j2'
19 changes: 19 additions & 0 deletions tasks/tls.yml
@@ -0,0 +1,19 @@
---

- name: Copy TLS certificate for Internal Consensus RPC node
ansible.builtin.copy:
src: '{{ neofs_ir__blockchain_tls_rpc_local_cert }}'
dest: '{{ neofs_ir__blockchain_tls_rpc_cert }}'
owner: 'root'
group: '{{ neofs_ir__group }}'
mode: '0640'
notify: [ 'Restart NeoFS IR' ]

- name: Copy TLS key for Internal Consensus RPC node
ansible.builtin.copy:
src: '{{ neofs_ir__blockchain_tls_rpc_local_key }}'
dest: '{{ neofs_ir__blockchain_tls_rpc_key }}'
owner: 'root'
group: '{{ neofs_ir__group }}'
mode: '0640'
notify: [ 'Restart NeoFS IR' ]

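Review bot: Both copy tasks run unconditionally, yet the defaults ship the placeholders `neofs_ir__blockchain_tls_rpc_local_cert: '/local/path/to/cert'` and `neofs_ir__blockchain_tls_rpc_local_key: '/local/path/to/key'` together with `neofs_ir__blockchain_tls_rpc_enabled: False`, so a play that leaves TLS disabled fails on the first task with a missing-source error on the controller. Guard each task with `when: neofs_ir__blockchain_tls_rpc_enabled | bool` (or put the same condition on the `include_tasks: tls.yml` line in tasks/main.yml). The key copy should also carry `no_log: true` and `diff: false`, because a run with `--diff` otherwise prints the private key material into the job output. Mode `0640` with group `neofs_ir__group` makes the key readable by every member of that group; presumably that is the group the IR service runs under, but it is worth stating, e.g. `# group-readable so the IR daemon (a member of neofs_ir__group) can load the key`.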