Add optional TLS feature to gRPC servers #8049
Conversation
Implement TransportCredentials that allows a server to accept both TLS and plain-text connections at the same time on the same endpoint. To detect the connection type, TransportCredentials inspects the first 6 bytes read from a socket and compares them against the bytes of the TLS prefix. The TLS prefix is different from the plain-text HTTP/2 prefix. Signed-off-by: Anton Tiurin <[email protected]>
def9b77 to 96db82c
@noxiouz Thank you for the contribution. We can run CI once a reviewer has had a chance to look at the change.
fixed :)
LGTM. I would prefer if we could log that insecure connections would be accepted, so that users would know this is a potentially unsafe flag.
Use go/vt/tlstest to generate certificates; log a warning message when the option is on. Signed-off-by: Anton Tiurin <[email protected]>
Please let me know if you need more details, tests, docs, etc. from my side. I am happy to give any :)
I think you should be good to go. I have just approved the CI to run for this PR.
Description
Implement TransportCredentials that allows a gRPC server to accept both TLS and plain-text connections at the same time on the same endpoint.
This feature is vital for migrating a Vitess cluster in production from plain-text to TLS without downtime.
As Vitess components talk to each other via gRPC, it is currently not possible to do a rolling update:
With the optional TLS feature this update is possible in 3 steps without downtime:
To detect the connection type, TransportCredentials inspects the first 6 bytes read from a socket and compares them with the TLS prefix. The TLS prefix is different from the plain-text HTTP/2 prefix.
Originally implemented as a separate gRPC package: go-grpc-optionaltls-creds
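The detection step described above, as an added example that is not code from this PR or from go-grpc-optionaltls-creds. It uses only the Go standard library so it runs stand-alone: a wrapper reads the first 6 bytes of a connection, classifies them as a TLS ClientHello or a plain-text HTTP/2 preface, and replays the consumed bytes so the real handshake still sees a complete stream. The exact byte positions checked (0x16 content type, 0x03 record major version, 0x01 ClientHello) are an assumption taken from the TLS record layout, not from the PR; `serverHandshake` and `tlsHandshake` are hypothetical stand-ins for a gRPC `TransportCredentials.ServerHandshake` and the real TLS credentials, and the plain-text warning mirrors what the reviewer asked for.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
)

// tlsPrefixLen matches the "first 6 bytes" the PR description inspects.
const tlsPrefixLen = 6

// http2Preface is the fixed client connection preface of plain-text HTTP/2
// (RFC 7540 section 3.5); its leading bytes cannot be mistaken for a TLS record.
var http2Preface = []byte("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")

// sampleClientHello is a constructed TLS record header followed by filler:
// content type handshake (0x16), version 3.x, length, handshake type ClientHello (0x01).
var sampleClientHello = []byte{0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x03, 0x03}

// looksLikeTLS reports whether hdr starts like a TLS ClientHello record.
// Assumption (not from the PR): byte 0 is the handshake content type, byte 1
// the record-layer major version, byte 5 the ClientHello handshake message type.
func looksLikeTLS(hdr []byte) bool {
	return len(hdr) >= tlsPrefixLen && hdr[0] == 0x16 && hdr[1] == 0x03 && hdr[5] == 0x01
}

// sniffConn replays the bytes consumed while sniffing in front of the rest of
// the stream, so the TLS or HTTP/2 handshake that follows is not missing them.
type sniffConn struct {
	net.Conn
	r io.Reader
}

func (c *sniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// detect reads the first tlsPrefixLen bytes, classifies the connection and
// returns a conn that still delivers those bytes to the next reader.
// A stream shorter than the prefix is reported as an error rather than guessed.
func detect(conn net.Conn) (net.Conn, bool, error) {
	hdr := make([]byte, tlsPrefixLen)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return nil, false, fmt.Errorf("reading connection prefix: %w", err)
	}
	wrapped := &sniffConn{Conn: conn, r: io.MultiReader(bytes.NewReader(hdr), conn)}
	return wrapped, looksLikeTLS(hdr), nil
}

// serverHandshake has the shape of a TransportCredentials.ServerHandshake
// (hypothetical stand-in). tlsHandshake plays the role of the real TLS
// credentials; with allowPlainText set, plain-text connections are accepted
// but logged, as the reviewer requested, otherwise they are rejected.
func serverHandshake(conn net.Conn, allowPlainText bool, tlsHandshake func(net.Conn) (net.Conn, error)) (net.Conn, string, error) {
	c, isTLS, err := detect(conn)
	if err != nil {
		return nil, "", err
	}
	if isTLS {
		tc, err := tlsHandshake(c)
		return tc, "tls", err
	}
	if !allowPlainText {
		c.Close()
		return nil, "", errors.New("plain-text connection rejected: optional TLS is off")
	}
	log.Printf("optional TLS: accepting insecure plain-text connection from %v", c.RemoteAddr())
	return c, "insecure", nil
}

// classify feeds a constructed payload through serverHandshake over an
// in-memory pipe and returns the protocol label plus the bytes the downstream
// reader would see after sniffing.
func classify(payload []byte, allowPlainText bool) (string, []byte, error) {
	client, server := net.Pipe()
	go func() {
		client.Write(payload)
		client.Close()
	}()
	// Stand-in for the TLS handshake: a real one would run crypto/tls here.
	passThrough := func(c net.Conn) (net.Conn, error) { return c, nil }
	c, proto, err := serverHandshake(server, allowPlainText, passThrough)
	if err != nil {
		return "", nil, err
	}
	seen, err := io.ReadAll(c)
	return proto, seen, err
}

func main() {
	for _, in := range [][]byte{sampleClientHello, http2Preface} {
		proto, seen, err := classify(in, true)
		fmt.Printf("proto=%s replayed=%d bytes err=%v\n", proto, len(seen), err)
	}
}
```

The replay wrapper is the part that is easy to get wrong: without it the 6 sniffed bytes are lost and the TLS handshake or the HTTP/2 preface check fails with a confusing error. Rejecting streams shorter than the prefix, instead of treating them as plain text, keeps a truncated or probing connection from slipping through the insecure path.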