feat(framework:skip) Update Docker Compose TLS setup #4540

Merged
merged 4 commits into from
Nov 19, 2024
1 change: 0 additions & 1 deletion src/docker/complete/.gitignore
@@ -1,3 +1,2 @@
superlink-certificates
supernode-certificates
state
28 changes: 0 additions & 28 deletions src/docker/complete/certs.yml
Expand Up @@ -36,32 +36,6 @@ services:
IP.2 = $${SUPERLINK_IP}
EOF

ARG SUPERNODE_IP=127.0.0.1

COPY <<-EOF supernode-certificate.conf
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
O = Flower
CN = localhost

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = supernode-1
DNS.1 = supernode-2
DNS.2 = supernode-3
IP.1 = ::1
IP.2 = $${SUPERNODE_IP}
EOF

COPY --chmod=744 <<-'EOF' generate.sh
#!/bin/bash
# This script will generate all certificates if ca.crt does not exist
Expand Down Expand Up @@ -115,12 +89,10 @@ services:
-extensions req_ext
}
generate superlink-certificates superlink-certificate.conf
generate supernode-certificates supernode-certificate.conf
EOF

WORKDIR /app

ENTRYPOINT ["./script/generate.sh"]
volumes:
- ./superlink-certificates/:/app/superlink-certificates/:rw
- ./supernode-certificates/:/app/supernode-certificates/:rw
2 changes: 0 additions & 2 deletions src/docker/complete/compose.yml
Expand Up @@ -4,8 +4,6 @@ services:
image: flwr/superlink:${FLWR_VERSION:-1.13.0}
command:
- --insecure
- --executor
- flwr.superexec.deployment:executor
- --isolation
- process
ports:
4 changes: 0 additions & 4 deletions src/docker/complete/with-state.yml
Expand Up @@ -2,16 +2,12 @@ services:
superlink:
command:
- --insecure
- --executor
- flwr.superexec.deployment:executor
- --isolation
- process
- --database=state/state.db
# To toggle TLS encryption and persisting state for the SuperLink, comment the key `command`
# above and uncomment the lines below:
# command:
# - --executor
# - flwr.superexec.deployment:executor
# - --isolation
# - process
# - --ssl-ca-certfile=certificates/ca.crt
77 changes: 0 additions & 77 deletions src/docker/complete/with-tls.yml
@@ -1,8 +1,6 @@
services:
superlink:
command:
- --executor
- flwr.superexec.deployment:executor
- --isolation
- process
- --ssl-ca-certfile=certificates/ca.crt
Expand All @@ -16,16 +14,6 @@ services:
- source: superlink-keyfile
target: /app/certificates/server.key

serverapp:
command:
- --serverappio-api-address
- superlink:9091
- --root-certificates
- certificates/ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/ca.crt

supernode-1:
command:
- --superlink
Expand All @@ -36,20 +24,11 @@ services:
- process
- --node-config
- "partition-id=0 num-partitions=2"
- --ssl-ca-certfile=certificates/ca.crt
- --ssl-certfile=certificates/server.pem
- --ssl-keyfile=certificates/server.key
- --root-certificates
- certificates/superlink-ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/superlink-ca.crt
- source: supernode-ca-certfile
target: /app/certificates/ca.crt
- source: supernode-certfile
target: /app/certificates/server.pem
- source: supernode-keyfile
target: /app/certificates/server.key

supernode-2:
command:
Expand All @@ -61,20 +40,11 @@ services:
- process
- --node-config
- "partition-id=1 num-partitions=2"
- --ssl-ca-certfile=certificates/ca.crt
- --ssl-certfile=certificates/server.pem
- --ssl-keyfile=certificates/server.key
- --root-certificates
- certificates/superlink-ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/superlink-ca.crt
- source: supernode-ca-certfile
target: /app/certificates/ca.crt
- source: supernode-certfile
target: /app/certificates/server.pem
- source: supernode-keyfile
target: /app/certificates/server.key

# uncomment to enable TLS on another SuperNode
#
Expand All @@ -88,52 +58,11 @@ services:
# - process
# - --node-config
# - "partition-id=1 num-partitions=2"
# - --ssl-ca-certfile=certificates/ca.crt
# - --ssl-certfile=certificates/server.pem
# - --ssl-keyfile=certificates/server.key
# - --root-certificates
# - certificates/superlink-ca.crt
# secrets:
# - source: superlink-ca-certfile
# target: /app/certificates/superlink-ca.crt
# - source: supernode-ca-certfile
# target: /app/certificates/ca.crt
# - source: supernode-certfile
# target: /app/certificates/server.pem
# - source: supernode-keyfile
# target: /app/certificates/server.key

clientapp-1:
command:
- --clientappio-api-address
- supernode-1:9094
- --root-certificates
- certificates/ca.crt
secrets:
- source: supernode-ca-certfile
target: /app/certificates/ca.crt

clientapp-2:
command:
- --clientappio-api-address
- supernode-2:9095
- --root-certificates
- certificates/ca.crt
secrets:
- source: supernode-ca-certfile
target: /app/certificates/ca.crt

# uncomment to enable TLS on another ClientApp
#
# clientapp-3:
# command:
# - --clientappio-api-address
# - supernode-3:9096
# - --root-certificates
# - certificates/ca.crt
# secrets:
# - source: supernode-ca-certfile
# target: /app/certificates/ca.crt

secrets:
superlink-ca-certfile:
Expand All @@ -142,9 +71,3 @@ secrets:
file: ./superlink-certificates/server.pem
superlink-keyfile:
file: ./superlink-certificates/server.key
supernode-ca-certfile:
file: ./supernode-certificates/ca.crt
supernode-certfile:
file: ./supernode-certificates/server.pem
supernode-keyfile:
file: ./supernode-certificates/server.key
1 change: 0 additions & 1 deletion src/docker/distributed/.gitignore
@@ -1,3 +1,2 @@
superlink-certificates
supernode-certificates
server/state
1 change: 0 additions & 1 deletion src/docker/distributed/certs.yml
Expand Up @@ -3,4 +3,3 @@ services:
build:
args:
SUPERLINK_IP: ${SUPERLINK_IP:-127.0.0.1}
SUPERNODE_IP: ${SUPERNODE_IP:-127.0.0.1}
51 changes: 3 additions & 48 deletions src/docker/distributed/client/compose.yml
Expand Up @@ -10,20 +10,11 @@ services:
- process
- --node-config
- "partition-id=0 num-partitions=2"
- --ssl-ca-certfile=certificates/ca.crt
- --ssl-certfile=certificates/server.pem
- --ssl-keyfile=certificates/server.key
- --root-certificates
- certificates/superlink-ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/superlink-ca.crt
- source: supernode-ca-certfile
target: /app/certificates/ca.crt
- source: supernode-certfile
target: /app/certificates/server.pem
- source: supernode-keyfile
target: /app/certificates/server.key

supernode-2:
image: flwr/supernode:${FLWR_VERSION:-1.13.0}
Expand All @@ -36,20 +27,11 @@ services:
- process
- --node-config
- "partition-id=1 num-partitions=2"
- --ssl-ca-certfile=certificates/ca.crt
- --ssl-certfile=certificates/server.pem
- --ssl-keyfile=certificates/server.key
- --root-certificates
- certificates/superlink-ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/superlink-ca.crt
- source: supernode-ca-certfile
target: /app/certificates/ca.crt
- source: supernode-certfile
target: /app/certificates/server.pem
- source: supernode-keyfile
target: /app/certificates/server.key

# uncomment to add another SuperNode
#
Expand All @@ -64,20 +46,11 @@ services:
# - process
# - --node-config
# - "partition-id=1 num-partitions=2"
# - --ssl-ca-certfile=certificates/ca.crt
# - --ssl-certfile=certificates/server.pem
# - --ssl-keyfile=certificates/server.key
# - --root-certificates
# - certificates/superlink-ca.crt
# secrets:
# - source: superlink-ca-certfile
# target: /app/certificates/superlink-ca.crt
# - source: supernode-ca-certfile
# target: /app/certificates/ca.crt
# - source: supernode-certfile
# target: /app/certificates/server.pem
# - source: supernode-keyfile
# target: /app/certificates/server.key

clientapp-1:
build:
Expand All @@ -92,20 +65,16 @@ services:

ENTRYPOINT ["flwr-clientapp"]
command:
- --insecure
- --clientappio-api-address
- supernode-1:9094
- --root-certificates
- certificates/ca.crt
deploy:
resources:
limits:
cpus: "2"
stop_signal: SIGINT
depends_on:
- supernode-1
secrets:
- source: supernode-ca-certfile
target: /app/certificates/ca.crt

clientapp-2:
build:
Expand All @@ -120,20 +89,16 @@ services:

ENTRYPOINT ["flwr-clientapp"]
command:
- --insecure
- --clientappio-api-address
- supernode-2:9095
- --root-certificates
- certificates/ca.crt
deploy:
resources:
limits:
cpus: "2"
stop_signal: SIGINT
depends_on:
- supernode-2
secrets:
- source: supernode-ca-certfile
target: /app/certificates/ca.crt

# uncomment to add another ClientApp
#
Expand All @@ -150,27 +115,17 @@ services:

# ENTRYPOINT ["flwr-clientapp"]
# command:
# - --insecure
# - --clientappio-api-address
# - supernode-3:9096
# - --root-certificates
# - certificates/ca.crt
# deploy:
# resources:
# limits:
# cpus: "2"
# stop_signal: SIGINT
# depends_on:
# - supernode-3
# secrets:
# - source: supernode-ca-certfile
# target: /app/certificates/ca.crt

secrets:
superlink-ca-certfile:
file: ../superlink-certificates/ca.crt
supernode-ca-certfile:
file: ../supernode-certificates/ca.crt
supernode-certfile:
file: ../supernode-certificates/server.pem
supernode-keyfile:
file: ../supernode-certificates/server.key
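Review bot: The three `- --insecure` entries under `command:` for clientapp-1, clientapp-2 and the commented-out clientapp-3 (apparently this section's three additions) leave the ClientApp-to-SuperNode connections to `supernode-1:9094`, `supernode-2:9095` and `supernode-3:9096` without TLS or peer verification, and nothing in the file states the deployment constraint that makes this acceptable. Because the supernodes' `--ssl-ca-certfile`/`--ssl-certfile`/`--ssl-keyfile` flags are dropped in the same section, the flag looks required rather than optional, so I would document the constraint instead of changing the code: above each entry add `# ClientAppIo API is plaintext: keep this ClientApp on the same host/Compose network as its SuperNode and do not publish the ClientAppIo port`. The same applies to the `- --insecure` that appears for the ServerApp in src/docker/distributed/server/compose.yml, where the SuperLink keeps `--ssl-ca-certfile=certificates/ca.crt` but the connection to `superlink:9091` no longer uses `--root-certificates`. The service definitions continue outside the visible hunks, so whether any `ports:` mapping exposes these APIs beyond the Compose network cannot be checked from here.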
8 changes: 1 addition & 7 deletions src/docker/distributed/server/compose.yml
Expand Up @@ -2,8 +2,6 @@ services:
superlink:
image: flwr/superlink:${FLWR_VERSION:-1.13.0}
command:
- --executor
- flwr.superexec.deployment:executor
- --isolation
- process
- --ssl-ca-certfile=certificates/ca.crt
Expand Down Expand Up @@ -36,13 +34,9 @@ services:

ENTRYPOINT ["flwr-serverapp"]
command:
- --insecure
- --serverappio-api-address
- superlink:9091
- --root-certificates
- certificates/ca.crt
secrets:
- source: superlink-ca-certfile
target: /app/certificates/ca.crt
depends_on:
- superlink
