setup grpc server with auto_encrypt certs #7086
Conversation
hanshasselberg
force-pushed
the
auto_encrypt_grpc
branch
from
ab4743d to
ffa90a3
Compare
tlsutil/config.go
Outdated
| @@ -561,6 +569,12 @@ func (c *Configurator) VerifyServerHostname() bool { | |||
| return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname | |||
| } | |||
|
|
|||
| // TransportCredentials returns credentials to be used with eg a grpc server. | |||
| func (c *Configurator) TransportCredentials() *credentials.TransportCredentials { | |||
| creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{*c.Cert()}}) | |||
There was a problem hiding this comment.
*c.Cert() will panic if c.Cert() returns nil.
Currently the only call to TransportCredentials does a nil check before the function call, but I'm concerned about someone else calling this later without knowing about that behavior.
Maybe it would be useful to put in a nil check in this function just in case.
Alternatively, constructing the TransportCredentials could be done in the GRPCServer function, rather than being split out into a separate method.
There was a problem hiding this comment.
Nice catch! There is a nil check now.
agent/xds/server.go
Outdated
| return nil, err | ||
| if tlsConfigurator != nil { | ||
| if cert := tlsConfigurator.Cert(); cert != nil { | ||
| opts = append(opts, grpc.Creds(*tlsConfigurator.TransportCredentials())) |
There was a problem hiding this comment.
It seems a bit odd to have TransportCredentials return a pointer, but then dereference it for grpc.Creds().
I think TransportCredentials shouldn't return a pointer, since we only need a copy.
| opts = append(opts, grpc.Creds(*tlsConfigurator.TransportCredentials())) | |
| opts = append(opts, grpc.Creds(tlsConfigurator.TransportCredentials())) |
tlsutil/config.go
Outdated
| // TransportCredentials returns credentials to be used with eg a grpc server. | ||
| func (c *Configurator) TransportCredentials() *credentials.TransportCredentials { | ||
| creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{*c.Cert()}}) | ||
| return &creds |
There was a problem hiding this comment.
| return &creds | |
| return creds |
See comment about TransportCredentials() pointer dereference.
hanshasselberg
force-pushed
the
auto_encrypt_grpc
branch
from
ffa90a3 to
22b019c
Compare
|
@freddygv thank you for the review! I figured it would be great if grpc connections would use the same TLS config, the other consul stuff is using. Which not only fixes the cert problem, but also takes advantage of all the existing TLS configuration bits. The pointer things you asked about, are now gone. |
hanshasselberg
added
the
waiting-reply
stale
bot
removed
the
waiting-reply
hanshasselberg
added
the
waiting-reply
stale
bot
removed
the
waiting-reply
| @@ -561,6 +567,16 @@ func (c *Configurator) VerifyServerHostname() bool { | |||
| return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname | |||
| } | |||
|
|
|||
| // IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections. | |||
| func (c *Configurator) IncomingGRPCConfig() *tls.Config { | |||
| c.log("IncomingGRPCConfig") | |||
There was a problem hiding this comment.
What are these logs used for?
There was a problem hiding this comment.
I am using them for debugging. They are showing the version of the config that is being used to generate the *tls.Config. Eg when you reload consul so that a new cert is being used, this log line should show a version increased by one. If it doesn't increase, something is wrong.
This is a backported commit based on: * hashicorp@11a571d * hashicorp#7086 To allow the grpc server used by consul connect to reload its tls info.
HTTPS serves auto_encrypt certificates and so should GRPC. Also introduces a flag for
-https-port, which I kept wondering why it is missing...Fixes #7076.
Fixes #6590 since grpc TLS is now configurable via existing Consul TLS configuration.