diff --git a/docs/deployment/deploy_master_lite_cn.md b/docs/deployment/deploy_master_lite_cn.md index 073e2027..d729ab8a 100644 --- a/docs/deployment/deploy_master_lite_cn.md +++ b/docs/deployment/deploy_master_lite_cn.md @@ -267,6 +267,7 @@ export SECRETPAD_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflo 获取部署脚本,部署脚本会下载到当前目录: ```bash +export KUSCIA_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia docker run --rm --pull always $KUSCIA_IMAGE cat /home/kuscia/scripts/deploy/start_secretpad.sh > start_secretpad.sh && chmod u+x start_secretpad.sh ``` diff --git a/docs/reference/apis/summary_cn.md b/docs/reference/apis/summary_cn.md index 932ccb81..16eaade3 100644 --- a/docs/reference/apis/summary_cn.md +++ b/docs/reference/apis/summary_cn.md @@ -64,13 +64,13 @@ Status 携带请求响应的状态信息。 ## 如何使用 Kuscia API -### 获取 Kuscia API client 证书和私钥 +### 获取 Kuscia API server 证书和私钥 -Kuscia master 部署完成之后,会默认生成一个 kuscia API client 证书,你可以通过以下命令获取(以中心化组网模式为例): +Kuscia master 部署完成之后,会默认生成一个 kuscia API server 证书,你可以通过以下命令获取(以中心化组网模式为例): ```shell -docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-client.key . -docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-client.crt . +docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-server.key . +docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-server.crt . docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/ca.crt . docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/token . ``` @@ -101,15 +101,15 @@ from kuscia.proto.api.v1alpha1.kusciaapi.domain_pb2 import ( def query_domain(): - client_cert_file = "kusciaapi-client.crt" - client_key_file = "kusciaapi-client.key" + server_cert_file = "kusciaapi-server.crt" + server_key_file = "kusciaapi-server.key" trusted_ca_file = "ca.crt" token_file = "token" address = "root-kuscia-master:8083" - with open(client_cert_file, 'rb') as client_cert, open( - client_key_file, 'rb' - ) as client_key, open(trusted_ca_file, 'rb') as trusted_ca, open(token_file, 'rb') as token: - credentials = grpc.ssl_channel_credentials(trusted_ca.read(), client_key.read(), client_cert.read()) + with open(server_cert_file, 'rb') as server_cert, open( + server_key_file, 'rb' + ) as server_key, open(trusted_ca_file, 'rb') as trusted_ca, open(token_file, 'rb') as token: + credentials = grpc.ssl_channel_credentials(trusted_ca.read(), server_key.read(), server_cert.read()) channel = grpc.secure_channel(address, credentials) domainStub = DomainServiceStub(channel) metadata = [('token', token.read())] @@ -120,9 +120,9 @@ def query_domain(): 你也可以使用 GRPC 的客户端工具连接上 Kuscia API,如 [grpcurl](https://github.com/fullstorydev/grpcurl/releases),你需要替换 {} 中的内容: > 如果 GRPC 的主机端口是 8083 ,则可以执行下面的命令,端口号不是 8083 ,可以先用 `docker inspect --format="{{json .NetworkSettings.Ports}}" ${容器名}` 命令检查下端口 ```shell -grpcurl --cert kusciaapi-client.crt \ - --key kusciaapi-client.key \ - --cacert ca.crt \ +grpcurl --cert /home/kuscia/var/tmp/kusciaapi-server.crt \ + --key /home/kuscia/var/tmp/kusciaapi-server.key \ + --cacert /home/kuscia/var/tmp/ca.crt \ -H 'Token: {token}' \ -d '{"domain_id": "alice"}' \ ${USER}-kuscia-master:8083 kuscia.proto.api.v1alpha1.kusciaapi.DomainService.QueryDomain @@ -143,9 +143,9 @@ GRPC 主机上端口:master 或者 autonomy 可以通过 `docker inspect --for 你也可以使用 HTTP 的客户端工具连接上 Kuscia API,如 curl,你需要替换 {} 中的内容: > 如果 GRPC 的主机端口是 8082 ,则可以执行下面的命令,端口号不是 8082 ,可以先用 `docker inspect --format="{{json .NetworkSettings.Ports}}" ${容器名}` 命令检查下端口 ```shell -curl --cert kusciaapi-client.crt \ - --key kusciaapi-client.key \ - --cacert ca.crt \ +curl --cert /home/kuscia/var/tmp/kusciaapi-server.crt \ + --key /home/kuscia/var/tmp/kusciaapi-server.key \ + --cacert /home/kuscia/var/tmp/ca.crt \ --header 'Token: {token}' --header 'Content-Type: application/json' \ 'https://{{USER}-kuscia-master}:8082/api/v1/domain/query' \ -d '{"domain_id": "alice"}' diff --git a/docs/reference/concepts/domaindata_cn.md b/docs/reference/concepts/domaindata_cn.md index 053909a5..5b81dbe1 100644 --- a/docs/reference/concepts/domaindata_cn.md +++ b/docs/reference/concepts/domaindata_cn.md @@ -162,8 +162,8 @@ Data Mesh API 提供 HTTP 和 GRPC 两种访问方法,分别位于 8070 和 80 1. 进入 alice 容器 `${USER}-kuscia-lite-alice` 容器中,查询 DomainData。 ```shell -curl -X POST 'http://{{USER-kuscia-lite-alice}:8070/api/v1/datamesh/domaindata/query' --header 'Content-Type: application/json' -d '{ - "domaindata_id": "alice" +docker exec -it ${USER}-kuscia-lite-alice curl -X POST 'https://127.0.0.1:8070/api/v1/datamesh/domaindata/query' --header 'Content-Type: application/json' -d '{ + "domaindata_id": "alice-table" }' --cacert /home/kuscia/var/tmp/ca.crt --cert /home/kuscia/var/tmp/ca.crt --key /home/kuscia/var/tmp/ca.key ``` diff --git a/scripts/deploy/start_secretpad.sh b/scripts/deploy/start_secretpad.sh index 087bdeed..2e7a6a0f 100644 --- a/scripts/deploy/start_secretpad.sh +++ b/scripts/deploy/start_secretpad.sh @@ -32,6 +32,8 @@ NETWORK_NAME="kuscia-exchange" SECRETPAD_USER_NAME="" SECRETPAD_PASSWORD="" VOLUME_PATH="${ROOT}" +ALICE_DOMAIN=alice +BOB_DOMAIN=bob function log() { @@ -141,6 +143,8 @@ function create_secretpad_user_password() { function copy_kuscia_api_client_certs() { local volume_path=$1 local IMAGE=$SECRETPAD_IMAGE + # generate client certs + docker exec -it ${MASTER_CTR} sh scripts/deploy/init_kusciaapi_client_certs.sh # copy result tmp_path=${volume_path}/temp/certs mkdir -p ${tmp_path} @@ -160,6 +164,8 @@ function copy_kuscia_api_lite_client_certs() { local volume_path=$2 local IMAGE=$SECRETPAD_IMAGE local domain_ctr=${CTR_PREFIX}-lite-${domain_id} + # generate client certs + docker exec -it ${domain_ctr} sh scripts/deploy/init_kusciaapi_client_certs.sh # copy result tmp_path=${volume_path}/temp/certs/${domain_id} mkdir -p ${tmp_path} diff --git a/scripts/deploy/start_standalone.sh b/scripts/deploy/start_standalone.sh index 1c79d39c..aa8756d9 100755 --- a/scripts/deploy/start_standalone.sh +++ b/scripts/deploy/start_standalone.sh @@ -297,6 +297,8 @@ function copy_kuscia_api_lite_client_certs() { local volume_path=$2 local IMAGE=$SECRETPAD_IMAGE local domain_ctr=${CTR_PREFIX}-lite-${domain_id} + # generate client certs + docker exec -it ${domain_ctr} sh scripts/deploy/init_kusciaapi_client_certs.sh # copy result tmp_path=${volume_path}/temp/certs/${domain_id} mkdir -p ${tmp_path}