Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add optional TLS feature to gRPC servers #8176

Merged
merged 2 commits into from
May 26, 2021

Conversation

gedgar
Copy link
Contributor

@gedgar gedgar commented May 24, 2021

Description

Implement TransportCredentials that allows a gRPC server to accept both
TLS and plain-text connections at the same time on the same endpoint.

This feature is vital to migrating Vitess cluster in production from plain-text to TLS without downtime.

As Vitess components talk to each other via gRPC, currently, it's not possible to do a rolling update:

  • not possible to update any gRPC server to listen to TLS as gRPC clients will not be able to connect to it
  • not possible to update gRPC clients first as they won't be able to talk to any gRPC server

With the optional TLS feature this update is possible in 3 steps without downtime:

  1. Restart gRPC servers to accept both TLS & plain-text
  2. Update clients to use TLS only
  3. Restart gRPC servers again to accept TLS only

To detect a connection type TransportCredentials inspects the first 6 bytes read from a socket and compares them with TLS prefix. TLS prefix is different from plain-text HTTP2 prefix.

Originally implemented as a separate gRPC package: go-grpc-optionaltls-creds

Related Issue(s)

Backport of #8049

Checklist

  • Tests were added or are not required
  • Documentation was added or is not required

noxiouz added 2 commits May 24, 2021 09:54
Implement TransportCredentials that allows a server
to accept both TLS and plain-text connections at the same time
on the same endpoint. To detect a connection type TransportCredentials
inspects the first 6 bytes read from a socket and compares them against
bytes in TLS prefix. A TLS prefix is different from plain-text HTTP2
prefix.

Signed-off-by: Anton Tiurin <[email protected]>
use go/vt/tlstest to generate certificates
log warning message when the option is on

Signed-off-by: Anton Tiurin <[email protected]>
@systay systay changed the title 10.0.0-release: Backport OptionalTLS Feature [10] Backport OptionalTLS Feature May 25, 2021
@systay systay changed the title [10] Backport OptionalTLS Feature [10.0] Backport OptionalTLS Feature May 25, 2021
@systay systay added Backport This is a backport Type: Enhancement Logical improvement (somewhere between a bug and feature) labels May 25, 2021
@gedgar gedgar marked this pull request as ready for review May 25, 2021 15:47
@gedgar gedgar requested a review from deepthi as a code owner May 25, 2021 15:47
@deepthi deepthi merged commit ed516f7 into vitessio:release-10.0 May 26, 2021
@deepthi deepthi deleted the optional-tls-backport branch May 26, 2021 23:55
@systay systay changed the title [10.0] Backport OptionalTLS Feature Add optional TLS feature to gRPC servers May 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Backport This is a backport Type: Enhancement Logical improvement (somewhere between a bug and feature)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants