From afbd52621c2c14c0a838a0ebc4954ee1689be56a Mon Sep 17 00:00:00 2001
From: yujun4464 <147383236+yujun4464@users.noreply.github.com>
Date: Tue, 12 Dec 2023 11:52:31 +0800
Subject: [PATCH] Change certs path (#195)

* update

* update

* update

* update

* update
---
 docs/deployment/deploy_master_lite_cn.md |  1 +
 docs/reference/apis/summary_cn.md        | 32 ++++++++++++------------
 docs/reference/concepts/domaindata_cn.md |  4 +--
 scripts/deploy/start_secretpad.sh        |  6 +++++
 scripts/deploy/start_standalone.sh       |  2 ++
 5 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/docs/deployment/deploy_master_lite_cn.md b/docs/deployment/deploy_master_lite_cn.md
index 073e2027..d729ab8a 100644
--- a/docs/deployment/deploy_master_lite_cn.md
+++ b/docs/deployment/deploy_master_lite_cn.md
@@ -267,6 +267,7 @@ export SECRETPAD_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflo
 获取部署脚本，部署脚本会下载到当前目录：
 
 ```bash
+export KUSCIA_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia
 docker run --rm --pull always $KUSCIA_IMAGE cat /home/kuscia/scripts/deploy/start_secretpad.sh > start_secretpad.sh && chmod u+x start_secretpad.sh
 ```
 
diff --git a/docs/reference/apis/summary_cn.md b/docs/reference/apis/summary_cn.md
index 932ccb81..16eaade3 100644
--- a/docs/reference/apis/summary_cn.md
+++ b/docs/reference/apis/summary_cn.md
@@ -64,13 +64,13 @@ Status 携带请求响应的状态信息。
 
 ## 如何使用 Kuscia API
 
-### 获取 Kuscia API client 证书和私钥
+### 获取 Kuscia API server 证书和私钥
 
-Kuscia master 部署完成之后，会默认生成一个 kuscia API client 证书，你可以通过以下命令获取（以中心化组网模式为例）：
+Kuscia master 部署完成之后，会默认生成一个 kuscia API server 证书，你可以通过以下命令获取（以中心化组网模式为例）：
 
 ```shell
-docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-client.key .
-docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-client.crt .
+docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-server.key .
+docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/kusciaapi-server.crt .
 docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/ca.crt .
 docker cp ${USER}-kuscia-master:/home/kuscia/var/tmp/token .
 ```
@@ -101,15 +101,15 @@ from kuscia.proto.api.v1alpha1.kusciaapi.domain_pb2 import (
 
 
 def query_domain():
-    client_cert_file = "kusciaapi-client.crt"
-    client_key_file = "kusciaapi-client.key"
+    server_cert_file = "kusciaapi-server.crt"
+    server_key_file = "kusciaapi-server.key"
     trusted_ca_file = "ca.crt"
     token_file = "token"
     address = "root-kuscia-master:8083"
-    with open(client_cert_file, 'rb') as client_cert, open(
-            client_key_file, 'rb'
-    ) as client_key, open(trusted_ca_file, 'rb') as trusted_ca, open(token_file, 'rb') as token:
-        credentials = grpc.ssl_channel_credentials(trusted_ca.read(), client_key.read(), client_cert.read())
+    with open(server_cert_file, 'rb') as server_cert, open(
+            server_key_file, 'rb'
+    ) as server_key, open(trusted_ca_file, 'rb') as trusted_ca, open(token_file, 'rb') as token:
+        credentials = grpc.ssl_channel_credentials(trusted_ca.read(), server_key.read(), server_cert.read())
         channel = grpc.secure_channel(address, credentials)
         domainStub = DomainServiceStub(channel)
         metadata = [('token', token.read())]
@@ -120,9 +120,9 @@ def query_domain():
 你也可以使用 GRPC 的客户端工具连接上 Kuscia API，如 [grpcurl](https://github.com/fullstorydev/grpcurl/releases)，你需要替换 {} 中的内容：
 > 如果 GRPC 的主机端口是 8083 ，则可以执行下面的命令，端口号不是 8083 ，可以先用 `docker inspect --format="{{json .NetworkSettings.Ports}}" ${容器名}` 命令检查下端口
 ```shell
-grpcurl --cert kusciaapi-client.crt \
-        --key kusciaapi-client.key \
-        --cacert ca.crt \
+grpcurl --cert /home/kuscia/var/tmp/kusciaapi-server.crt \
+        --key /home/kuscia/var/tmp/kusciaapi-server.key \
+        --cacert /home/kuscia/var/tmp/ca.crt \
         -H 'Token: {token}' \
         -d '{"domain_id": "alice"}' \
         ${USER}-kuscia-master:8083 kuscia.proto.api.v1alpha1.kusciaapi.DomainService.QueryDomain
@@ -143,9 +143,9 @@ GRPC 主机上端口：master 或者 autonomy 可以通过 `docker inspect --for
 你也可以使用 HTTP 的客户端工具连接上 Kuscia API，如 curl，你需要替换 {} 中的内容：
 > 如果 GRPC 的主机端口是 8082 ，则可以执行下面的命令，端口号不是 8082 ，可以先用 `docker inspect --format="{{json .NetworkSettings.Ports}}" ${容器名}` 命令检查下端口
 ```shell
-curl --cert kusciaapi-client.crt \
-     --key kusciaapi-client.key \
-     --cacert ca.crt \
+curl --cert /home/kuscia/var/tmp/kusciaapi-server.crt \
+     --key /home/kuscia/var/tmp/kusciaapi-server.key \
+     --cacert /home/kuscia/var/tmp/ca.crt \
      --header 'Token: {token}' --header 'Content-Type: application/json' \
      'https://{{USER}-kuscia-master}:8082/api/v1/domain/query' \
      -d '{"domain_id": "alice"}'
diff --git a/docs/reference/concepts/domaindata_cn.md b/docs/reference/concepts/domaindata_cn.md
index 053909a5..5b81dbe1 100644
--- a/docs/reference/concepts/domaindata_cn.md
+++ b/docs/reference/concepts/domaindata_cn.md
@@ -162,8 +162,8 @@ Data Mesh API 提供 HTTP 和 GRPC 两种访问方法，分别位于 8070 和 80
 
 1. 进入 alice 容器 `${USER}-kuscia-lite-alice` 容器中，查询 DomainData。
 ```shell
-curl -X POST 'http://{{USER-kuscia-lite-alice}:8070/api/v1/datamesh/domaindata/query' --header 'Content-Type: application/json' -d '{
-  "domaindata_id": "alice"
+docker exec -it ${USER}-kuscia-lite-alice curl -X POST 'https://127.0.0.1:8070/api/v1/datamesh/domaindata/query' --header 'Content-Type: application/json' -d '{
+  "domaindata_id": "alice-table"
 }' --cacert /home/kuscia/var/tmp/ca.crt --cert /home/kuscia/var/tmp/ca.crt --key /home/kuscia/var/tmp/ca.key
 ```
 
diff --git a/scripts/deploy/start_secretpad.sh b/scripts/deploy/start_secretpad.sh
index 087bdeed..2e7a6a0f 100644
--- a/scripts/deploy/start_secretpad.sh
+++ b/scripts/deploy/start_secretpad.sh
@@ -32,6 +32,8 @@ NETWORK_NAME="kuscia-exchange"
 SECRETPAD_USER_NAME=""
 SECRETPAD_PASSWORD=""
 VOLUME_PATH="${ROOT}"
+ALICE_DOMAIN=alice
+BOB_DOMAIN=bob
 
 
 function log() {
@@ -141,6 +143,8 @@ function create_secretpad_user_password() {
 function copy_kuscia_api_client_certs() {
   local volume_path=$1
   local IMAGE=$SECRETPAD_IMAGE
+  # generate client certs
+  docker exec -it ${MASTER_CTR} sh scripts/deploy/init_kusciaapi_client_certs.sh
   # copy result
   tmp_path=${volume_path}/temp/certs
   mkdir -p ${tmp_path}
@@ -160,6 +164,8 @@ function copy_kuscia_api_lite_client_certs() {
   local volume_path=$2
   local IMAGE=$SECRETPAD_IMAGE
   local domain_ctr=${CTR_PREFIX}-lite-${domain_id}
+  # generate client certs
+  docker exec -it ${domain_ctr} sh scripts/deploy/init_kusciaapi_client_certs.sh
   # copy result
   tmp_path=${volume_path}/temp/certs/${domain_id}
   mkdir -p ${tmp_path}
diff --git a/scripts/deploy/start_standalone.sh b/scripts/deploy/start_standalone.sh
index 1c79d39c..aa8756d9 100755
--- a/scripts/deploy/start_standalone.sh
+++ b/scripts/deploy/start_standalone.sh
@@ -297,6 +297,8 @@ function copy_kuscia_api_lite_client_certs() {
   local volume_path=$2
   local IMAGE=$SECRETPAD_IMAGE
   local domain_ctr=${CTR_PREFIX}-lite-${domain_id}
+  # generate client certs
+  docker exec -it ${domain_ctr} sh scripts/deploy/init_kusciaapi_client_certs.sh
   # copy result
   tmp_path=${volume_path}/temp/certs/${domain_id}
   mkdir -p ${tmp_path}