mirror of
				https://github.com/openimsdk/open-im-server.git
				synced 2025-10-25 20:52:11 +08:00 
			
		
		
		
	Merge branch 'feat/redis-sentinel' of github.com:mo3et/open-im-server into feat/redis-sentinel
This commit is contained in:
		
						commit
						63343817dc
					
				
							
								
								
									
										2
									
								
								.env
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								.env
									
									
									
									
									
								
							| @ -2,7 +2,7 @@ MONGO_IMAGE=mongo:7.0 | ||||
| REDIS_IMAGE=redis:7.0.0 | ||||
| KAFKA_IMAGE=bitnami/kafka:3.5.1 | ||||
| MINIO_IMAGE=minio/minio:RELEASE.2024-01-11T07-46-16Z | ||||
| ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13 | ||||
| ETCD_IMAGE=bitnami/etcd:3.5.13 | ||||
| PROMETHEUS_IMAGE=prom/prometheus:v2.45.6 | ||||
| ALERTMANAGER_IMAGE=prom/alertmanager:v0.27.0 | ||||
| GRAFANA_IMAGE=grafana/grafana:11.0.1 | ||||
|  | ||||
| @ -1,9 +1,11 @@ | ||||
| enable: etcd | ||||
| etcd: | ||||
|   rootDirectory: openim | ||||
|   address: [ localhost:12379 ] | ||||
|   username: '' | ||||
|   password: '' | ||||
|   address: [localhost:12379] | ||||
|   ## Attention: If you set auth in etcd | ||||
|   ## you must also update the username and password in Chat project. | ||||
|   username: | ||||
|   password: | ||||
| 
 | ||||
| kubernetes: | ||||
|   namespace: default | ||||
| @ -17,4 +19,4 @@ rpcService: | ||||
|   group: group-rpc-service | ||||
|   auth: auth-rpc-service | ||||
|   conversation: conversation-rpc-service | ||||
|   third: third-rpc-service | ||||
|   third: third-rpc-service | ||||
|  | ||||
| @ -1,13 +1,13 @@ | ||||
| # Username for authentication | ||||
| username: '' | ||||
| # Password for authentication | ||||
| password: '' | ||||
| ## Kafka authentication | ||||
| username: | ||||
| password: | ||||
| 
 | ||||
| # Producer acknowledgment settings | ||||
| producerAck:  | ||||
| producerAck: | ||||
| # Compression type to use (e.g., none, gzip, snappy) | ||||
| compressType: none | ||||
| # List of Kafka broker addresses | ||||
| address: [ localhost:19094 ] | ||||
| address: [localhost:19094] | ||||
| # Kafka topic for Redis integration | ||||
| toRedisTopic: toRedis | ||||
| # Kafka topic for MongoDB integration | ||||
| @ -29,12 +29,12 @@ tls: | ||||
|   # Enable or disable TLS | ||||
|   enableTLS: false | ||||
|   # CA certificate file path | ||||
|   caCrt:  | ||||
|   caCrt: | ||||
|   # Client certificate file path | ||||
|   clientCrt:  | ||||
|   clientCrt: | ||||
|   # Client key file path | ||||
|   clientKey:  | ||||
|   clientKey: | ||||
|   # Client key password | ||||
|   clientKeyPwd:  | ||||
|   clientKeyPwd: | ||||
|   # Whether to skip TLS verification (not recommended for production) | ||||
|   insecureSkipVerify: false | ||||
|  | ||||
| @ -83,8 +83,83 @@ services: | ||||
|       - ETCD_INITIAL_CLUSTER=s1=http://0.0.0.0:2380 | ||||
|       - ETCD_INITIAL_CLUSTER_TOKEN=tkn | ||||
|       - ETCD_INITIAL_CLUSTER_STATE=new | ||||
|       - ALLOW_NONE_AUTHENTICATION=no | ||||
| 
 | ||||
|       ## Optional: Enable etcd authentication by setting the following credentials | ||||
|       # - ETCD_ROOT_USER=root | ||||
|       # - ETCD_ROOT_PASSWORD=openIM123 | ||||
|       # - ETCD_USERNAME=openIM | ||||
|       # - ETCD_PASSWORD=openIM123 | ||||
|     volumes: | ||||
|       - "${DATA_DIR}/components/etcd:/etcd-data" | ||||
|     command: > | ||||
|       /bin/sh -c ' | ||||
|         etcd & | ||||
|         export ETCDCTL_API=3 | ||||
|         echo "Waiting for etcd to become healthy..." | ||||
|         until etcdctl --endpoints=http://127.0.0.1:2379 endpoint health &>/dev/null; do | ||||
|           echo "Waiting for ETCD to start..." | ||||
|           sleep 1 | ||||
|         done | ||||
| 
 | ||||
|         echo "etcd is healthy." | ||||
| 
 | ||||
|         if [ -n "$${ETCD_ROOT_USER}" ] && [ -n "$${ETCD_ROOT_PASSWORD}" ] && [ -n "$${ETCD_USERNAME}" ] && [ -n "$${ETCD_PASSWORD}" ]; then | ||||
|           echo "Authentication credentials provided. Setting up authentication..." | ||||
| 
 | ||||
|         echo "Checking authentication status..." | ||||
|         if ! etcdctl --endpoints=http://127.0.0.1:2379 auth status | grep -q "Authentication Status: true"; then | ||||
|           echo "Authentication is disabled. Creating users and enabling..." | ||||
|            | ||||
|           # Create users and setup permissions | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 user add $${ETCD_ROOT_USER} --new-user-password=$${ETCD_ROOT_PASSWORD} || true | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} || true | ||||
|            | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 role add openim-role || true | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission openim-role --prefix=true readwrite / || true | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission openim-role --prefix=true readwrite "" || true | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_USERNAME} openim-role || true | ||||
|            | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_ROOT_USER} $${ETCD_USERNAME} root || true | ||||
|            | ||||
|           echo "Enabling authentication..." | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 auth enable | ||||
|           echo "Authentication enabled successfully" | ||||
|         else | ||||
|           echo "Authentication is already enabled. Checking OpenIM user..." | ||||
|            | ||||
|           # Check if openIM user exists and can perform operations | ||||
|           if ! etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} put /test/auth "auth-check" &>/dev/null; then | ||||
|             echo "OpenIM user test failed. Recreating user with root credentials..." | ||||
|              | ||||
|             # Try to create/update the openIM user using root credentials | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} --no-password-file || true | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role add openim-role || true | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite / || true | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite "" || true | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user grant-role $${ETCD_USERNAME} openim-role || true | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 user grant-role $${ETCD_ROOT_USER} $${ETCD_USERNAME} root || true | ||||
|              | ||||
|             echo "OpenIM user recreated with required permissions" | ||||
|           else | ||||
|             echo "OpenIM user exists and has correct permissions" | ||||
|             etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} del /test/auth &>/dev/null | ||||
|           fi | ||||
|         fi | ||||
|         echo "Testing authentication with OpenIM user..." | ||||
|         if etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} put /test/auth "auth-works"; then | ||||
|           echo "Authentication working properly" | ||||
|           etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_USERNAME}:$${ETCD_PASSWORD} del /test/auth | ||||
|         else | ||||
|           echo "WARNING: Authentication test failed" | ||||
|           fi | ||||
|         else | ||||
|           echo "No authentication credentials provided. Running in no-auth mode." | ||||
|           echo "To enable authentication, set ETCD_ROOT_USER, ETCD_ROOT_PASSWORD, ETCD_USERNAME, and ETCD_PASSWORD environment variables." | ||||
|         fi | ||||
|          | ||||
|         tail -f /dev/null | ||||
|       ' | ||||
|     restart: always | ||||
|     networks: | ||||
|       - openim | ||||
| @ -104,12 +179,38 @@ services: | ||||
|       KAFKA_CFG_NODE_ID: 0 | ||||
|       KAFKA_CFG_PROCESS_ROLES: controller,broker | ||||
|       KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 0@kafka:9093 | ||||
|       KAFKA_CFG_LISTENERS: PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094 | ||||
|       KAFKA_CFG_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094 | ||||
|       KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT | ||||
|       KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER | ||||
|       KAFKA_NUM_PARTITIONS: 8 | ||||
|       KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "true" | ||||
| 
 | ||||
|       KAFKA_CFG_LISTENERS: "PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094" | ||||
|       KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094" | ||||
|       KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT" | ||||
|       KAFKA_CFG_INTER_BROKER_LISTENER_NAME: "PLAINTEXT" | ||||
| 
 | ||||
|       # Authentication configuration variables - comment out to disable auth | ||||
|       # KAFKA_USERNAME: "openIM" | ||||
|       # KAFKA_PASSWORD: "openIM123" | ||||
|     command: > | ||||
|       /bin/sh -c ' | ||||
|         if [ -n "$${KAFKA_USERNAME}" ] && [ -n "$${KAFKA_PASSWORD}" ]; then | ||||
|           echo "=== Kafka SASL Authentication ENABLED ===" | ||||
|           echo "Username: $${KAFKA_USERNAME}" | ||||
|            | ||||
|           # Set environment variables for SASL authentication | ||||
|           export KAFKA_CFG_LISTENERS="SASL_PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094" | ||||
|           export KAFKA_CFG_ADVERTISED_LISTENERS="SASL_PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094" | ||||
|           export KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP="CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT" | ||||
|           export KAFKA_CFG_SASL_ENABLED_MECHANISMS="PLAIN" | ||||
|           export KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL="PLAIN" | ||||
|           export KAFKA_CFG_INTER_BROKER_LISTENER_NAME="SASL_PLAINTEXT" | ||||
|           export KAFKA_CLIENT_USERS="$${KAFKA_USERNAME}" | ||||
|           export KAFKA_CLIENT_PASSWORDS="$${KAFKA_PASSWORD}" | ||||
|         fi | ||||
|          | ||||
|         # Start Kafka with the configured environment | ||||
|         exec /opt/bitnami/scripts/kafka/entrypoint.sh /opt/bitnami/scripts/kafka/run.sh | ||||
|       ' | ||||
|     networks: | ||||
|       - openim | ||||
| 
 | ||||
| @ -148,7 +249,7 @@ services: | ||||
|       - "11002:80" | ||||
|     networks: | ||||
|       - openim | ||||
|        | ||||
| 
 | ||||
|   prometheus: | ||||
|     image: ${PROMETHEUS_IMAGE} | ||||
|     container_name: prometheus | ||||
| @ -161,9 +262,9 @@ services: | ||||
|       - ./config/instance-down-rules.yml:/etc/prometheus/instance-down-rules.yml | ||||
|       - ${DATA_DIR}/components/prometheus/data:/prometheus | ||||
|     command: | ||||
|       - '--config.file=/etc/prometheus/prometheus.yml' | ||||
|       - '--storage.tsdb.path=/prometheus' | ||||
|       - '--web.listen-address=:${PROMETHEUS_PORT}' | ||||
|       - "--config.file=/etc/prometheus/prometheus.yml" | ||||
|       - "--storage.tsdb.path=/prometheus" | ||||
|       - "--web.listen-address=:${PROMETHEUS_PORT}" | ||||
|     network_mode: host | ||||
| 
 | ||||
|   alertmanager: | ||||
| @ -176,8 +277,8 @@ services: | ||||
|       - ./config/alertmanager.yml:/etc/alertmanager/alertmanager.yml | ||||
|       - ./config/email.tmpl:/etc/alertmanager/email.tmpl | ||||
|     command: | ||||
|       - '--config.file=/etc/alertmanager/alertmanager.yml' | ||||
|       - '--web.listen-address=:${ALERTMANAGER_PORT}' | ||||
|       - "--config.file=/etc/alertmanager/alertmanager.yml" | ||||
|       - "--web.listen-address=:${ALERTMANAGER_PORT}" | ||||
|     network_mode: host | ||||
| 
 | ||||
|   grafana: | ||||
| @ -209,9 +310,8 @@ services: | ||||
|       - /sys:/host/sys:ro | ||||
|       - /:/rootfs:ro | ||||
|     command: | ||||
|       - '--path.procfs=/host/proc' | ||||
|       - '--path.sysfs=/host/sys' | ||||
|       - '--path.rootfs=/rootfs' | ||||
|       - '--web.listen-address=:19100' | ||||
|       - "--path.procfs=/host/proc" | ||||
|       - "--path.sysfs=/host/sys" | ||||
|       - "--path.rootfs=/rootfs" | ||||
|       - "--web.listen-address=:19100" | ||||
|     network_mode: host | ||||
| 
 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user