Add optional TLS feature to gRPC servers #8049

Merged
merged 2 commits into from
May 11, 2021
address feedback
use go/vt/tlstest to generate certificates
log warning message when the option is on

Signed-off-by: Anton Tiurin <[email protected]>
noxiouz committed May 5, 2021

commit 78b4c14e514dfb341624f03fa958aa82b25e0e0b
53 changes: 0 additions & 53 deletions go/vt/grpcoptionaltls/certificates_test.go

This file was deleted.

20 changes: 14 additions & 6 deletions go/vt/grpcoptionaltls/server_test.go
@@ -15,14 +15,17 @@ package grpcoptionaltls
import (
"context"
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net"
"os"
"testing"
"time"

"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
pb "google.golang.org/grpc/examples/helloworld/helloworld"

"vitess.io/vitess/go/vt/tlstest"
)

// server is used to implement helloworld.GreeterServer.
@@ -47,20 +50,25 @@ type testCredentials struct {
}

func createCredentials() (*testCredentials, error) {
cert, err := tls.X509KeyPair(localhostCert, localhostKey)
// Create a temporary directory.
certDir, err := ioutil.TempDir("", "optionaltls_grpc_test")
if err != nil {
return nil, err
}
defer os.RemoveAll(certDir)

certificate, err := x509.ParseCertificate(cert.Certificate[0])
certs := tlstest.CreateClientServerCertPairs(certDir)
cert, err := tls.LoadX509KeyPair(certs.ServerCert, certs.ServerKey)
if err != nil {
return nil, err
}
certpool := x509.NewCertPool()
certpool.AddCert(certificate)

clientCredentials, err := credentials.NewClientTLSFromFile(certs.ServerCA, certs.ServerName)
if err != nil {
return nil, err
}
tc := &testCredentials{
client: credentials.NewClientTLSFromCert(certpool, "example.com"),
client: clientCredentials,
server: credentials.NewServerTLSFromCert(&cert),
}
return tc, nil
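Review bot: createCredentials creates the certificate directory with `ioutil.TempDir` and tears it down with a deferred `os.RemoveAll(certDir)` whose error is dropped; since this is test code, taking a `testing.TB` and using `certDir := t.TempDir()` would tie the directory's lifetime to the test, make cleanup failures visible through the test framework, and remove both the error check and the defer. If the module targets Go 1.16 or later, `io/ioutil` is deprecated and `os.MkdirTemp("", "optionaltls_grpc_test")` is the drop-in replacement for the current call. The early removal is otherwise correct as written, because `tls.LoadX509KeyPair` and `credentials.NewClientTLSFromFile` both read the key material into memory before the deferred removal runs. The function's closing brace lies outside the hunk.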
1 change: 1 addition & 0 deletions go/vt/servenv/grpc_server.go
@@ -139,6 +139,7 @@ func createGRPCServer() {
// create the creds server options
creds := credentials.NewTLS(config)
if *GRPCEnableOptionalTLS {
log.Warning("Optional TLS is active. Plain-text connections will be accepted")
creds = grpcoptionaltls.New(creds)
}
opts = []grpc.ServerOption{grpc.Creds(creds)}
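Review bot: The new `log.Warning` states that plain-text connections are accepted but says nothing about the TLS configuration built just above it, and a connection that never starts a TLS handshake is presumably served without any of the settings in `config`, including a client-certificate requirement if one is configured there. A comment on the `if *GRPCEnableOptionalTLS {` line would make that explicit for the next maintainer, e.g. `// Optional TLS: connections that do not begin a TLS handshake are served in plain text, so none of the settings in config (including any client-certificate requirement) apply to them.` Whether this branch is reachable when no server certificate is configured cannot be seen from the hunk; if it is not, setting the flag without a certificate silently has no effect, and a warning in that path would help operators notice. createGRPCServer starts outside the hunk.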