Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add optional TLS feature to gRPC servers #8049

Merged
merged 2 commits into from
May 11, 2021

Conversation

noxiouz
Copy link
Contributor

@noxiouz noxiouz commented May 5, 2021

Description

Implement TransportCredentials that allows a gRPC server to accept both
TLS and plain-text connections at the same time on the same endpoint.

This feature is vital to migrating Vitess cluster in production from plain-text to TLS without downtime.

As Vitess components talk to each other via gRPC, currently, it's not possible to do a rolling update:

  • not possible to update any gRPC server to listen to TLS as gRPC clients will not be able to connect to it
  • not possible to update gRPC clients first as they won't be able to talk to any gRPC server

With the optional TLS feature this update is possible in 3 steps without downtime:

  1. Restart gRPC servers to accept both TLS & plain-text
  2. Update clients to use TLS only
  3. Restart gRPC servers again to accept TLS only

To detect a connection type TransportCredentials inspects the first 6 bytes read from a socket and compares them with TLS prefix. TLS prefix is different from plain-text HTTP2 prefix.

Originally implemented as a separate gRPC package: go-grpc-optionaltls-creds

Related Issue(s)

Checklist

  • Tests were added or are not required
  • Documentation was added or is not required

Deployment Notes

@noxiouz noxiouz requested a review from deepthi as a code owner May 5, 2021 21:34
Implement TransportCredentials that allows a server
to accept both TLS and plain-text connections at the same time
on the same endpoint. To detect a connection type TransportCredentials
inspects the first 6 bytes read from a socket and compares them against
bytes in TLS prefix. A TLS prefix is different from plain-text HTTP2
prefix.

Signed-off-by: Anton Tiurin <[email protected]>
@noxiouz noxiouz force-pushed the feature/optional_tls branch from def9b77 to 96db82c Compare May 5, 2021 21:36
@deepthi deepthi requested review from aquarapid and dkhenry May 5, 2021 21:36
@deepthi
Copy link
Member

deepthi commented May 5, 2021

@noxiouz Thank you for the contribution. We can run CI once a reviewer has had a chance to look at the change.
In the meantime, can you fix the signoff? DCO check is failing.

@noxiouz
Copy link
Contributor Author

noxiouz commented May 5, 2021

DCO check is failing.

fixed :)

Copy link
Contributor

@dkhenry dkhenry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I would prefer if we could log that insecure connections would be accepted so that users would know this is a potentially unsafe flag

use go/vt/tlstest to generate certificates
log warning message when the option is on

Signed-off-by: Anton Tiurin <[email protected]>
@noxiouz
Copy link
Contributor Author

noxiouz commented May 11, 2021

Please, let me know if you need more details, tests, docs, etc from my side. I am happy to give any :)

@dkhenry
Copy link
Contributor

dkhenry commented May 11, 2021

I think you should be good to go. I have just approved the CI to run for this PR

@deepthi deepthi merged commit a855082 into vitessio:master May 11, 2021
@noxiouz noxiouz deleted the feature/optional_tls branch May 12, 2021 01:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants