Skip to content

Commit

Permalink
Implement tls into our grpc servers
Browse files Browse the repository at this point in the history
  • Loading branch information
JamesMurkin committed Jul 9, 2023
1 parent a68579d commit 02b842c
Show file tree
Hide file tree
Showing 12 changed files with 48 additions and 8 deletions.
2 changes: 2 additions & 0 deletions config/armada/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ grpc:
keepaliveEnforcementPolicy:
minTime: 10s
permitWithoutStream: true
tls:
enabled: false
redis:
addrs:
- redis:6379
Expand Down
4 changes: 3 additions & 1 deletion config/binoculars/config.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
grpcPort: 50051
httpPort: 8080
metricsPort: 9000
corsAllowedOrigins:
corsAllowedOrigins:
- http://localhost:3000
- http://localhost:8080
cordon:
Expand All @@ -24,3 +24,5 @@ grpc:
keepaliveEnforcementPolicy:
minTime: 5m
permitWithoutStream: false
tls:
enabled: false
2 changes: 2 additions & 0 deletions config/jobservice/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ grpc:
keepaliveEnforcementPolicy:
minTime: 5m
permitWithoutStream: false
tls:
enabled: false
# gRPC connection pool to armada server configuration.
grpcPool:
initialConnections: 5
Expand Down
2 changes: 2 additions & 0 deletions config/lookout/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ grpc:
keepaliveEnforcementPolicy:
minTime: 5m
permitWithoutStream: false
tls:
enabled: false
uiConfig:
armadaApiBaseUrl: "http://armada-server:8080"
userAnnotationPrefix: "armadaproject.io/"
Expand Down
2 changes: 2 additions & 0 deletions config/scheduler/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ grpc:
keepaliveEnforcementPolicy:
minTime: 10s
permitWithoutStream: true
tls:
enabled: false
scheduling:
executorTimeout: 10m
enableAssertions: true
Expand Down
2 changes: 1 addition & 1 deletion internal/armada/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ func Serve(ctx context.Context, config *configuration.ArmadaConfig, healthChecks
if err != nil {
return err
}
grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices)
grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices, config.Grpc.Tls)

// Shut down grpcServer if the context is cancelled.
// Give the server 5 seconds to shut down gracefully.
Expand Down
2 changes: 1 addition & 1 deletion internal/binoculars/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ func StartUp(config *configuration.BinocularsConfig) (func(), *sync.WaitGroup) {
os.Exit(-1)
}

grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices)
grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices, config.Grpc.Tls)

permissionsChecker := authorization.NewPrincipalPermissionChecker(
config.Auth.PermissionGroupMapping,
Expand Down
11 changes: 10 additions & 1 deletion internal/common/grpc/configuration/types.go
Original file line number Diff line number Diff line change
@@ -1,14 +1,23 @@
package configuration

import "google.golang.org/grpc/keepalive"
import (
"google.golang.org/grpc/keepalive"
)

type GrpcConfig struct {
Port int `validate:"required"`
KeepaliveParams keepalive.ServerParameters
KeepaliveEnforcementPolicy keepalive.EnforcementPolicy
Tls TlsConfig
}

type GrpcPoolConfig struct {
InitialConnections int
Capacity int
}

type TlsConfig struct {
Enabled bool
KeyPath string
CertPath string
}
25 changes: 22 additions & 3 deletions internal/common/grpc/grpc.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@ package grpc

import (
"context"
"crypto/tls"
"fmt"
"net"
"runtime/debug"
"sync"
"time"

"github.com/armadaproject/armada/internal/common/grpc/configuration"
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
Expand All @@ -17,6 +19,7 @@ import (
log "github.com/sirupsen/logrus"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
_ "google.golang.org/grpc/encoding/gzip"
"google.golang.org/grpc/keepalive"
"google.golang.org/grpc/status"
Expand All @@ -33,6 +36,7 @@ func CreateGrpcServer(
keepaliveParams keepalive.ServerParameters,
keepaliveEnforcementPolicy keepalive.EnforcementPolicy,
authServices []authorization.AuthService,
tlsConfig configuration.TlsConfig,
) *grpc.Server {
// Logging, authentication, etc. are implemented via gRPC interceptors
// (i.e., via functions that are called before handling the actual request).
Expand Down Expand Up @@ -79,13 +83,28 @@ func CreateGrpcServer(
unaryInterceptors = append(unaryInterceptors, grpc_prometheus.UnaryServerInterceptor)
streamInterceptors = append(streamInterceptors, grpc_prometheus.StreamServerInterceptor)

// Interceptors are registered at server creation
return grpc.NewServer(
serverOptions := []grpc.ServerOption{
grpc.KeepaliveParams(keepaliveParams),
grpc.KeepaliveEnforcementPolicy(keepaliveEnforcementPolicy),
grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(streamInterceptors...)),
grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(unaryInterceptors...)),
)
}

if tlsConfig.Enabled {
tlsCreds := credentials.NewTLS(&tls.Config{
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, err := tls.LoadX509KeyPair(tlsConfig.CertPath, tlsConfig.KeyPath)
if err != nil {
return nil, err
}
return &cert, nil
},
})
serverOptions = append(serverOptions, grpc.Creds(tlsCreds))
}

// Interceptors are registered at server creation
return grpc.NewServer(serverOptions...)
}

// TODO We don't need this function. Just do this at the caller.
Expand Down
1 change: 1 addition & 0 deletions internal/jobservice/application.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ func (a *App) StartUp(ctx context.Context, config *configuration.JobServiceConfi
config.Grpc.KeepaliveParams,
config.Grpc.KeepaliveEnforcementPolicy,
[]authorization.AuthService{&authorization.AnonymousAuthService{}},
config.Grpc.Tls,
)

err, sqlJobRepo, dbCallbackFn := repository.NewSQLJobService(config, log)
Expand Down
1 change: 1 addition & 0 deletions internal/lookout/application.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ func StartUp(config configuration.LookoutConfiguration, healthChecks *health.Mul
config.Grpc.KeepaliveParams,
config.Grpc.KeepaliveEnforcementPolicy,
[]authorization.AuthService{&authorization.AnonymousAuthService{}},
config.Grpc.Tls,
)

db, err := postgres.Open(config.Postgres)
Expand Down
2 changes: 1 addition & 1 deletion internal/scheduler/schedulerapp.go
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ func Run(config schedulerconfig.Configuration) error {
if err != nil {
return errors.WithMessage(err, "error creating auth services")
}
grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices)
grpcServer := grpcCommon.CreateGrpcServer(config.Grpc.KeepaliveParams, config.Grpc.KeepaliveEnforcementPolicy, authServices, config.Grpc.Tls)
defer grpcServer.GracefulStop()
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", config.Grpc.Port))
if err != nil {
Expand Down

0 comments on commit 02b842c

Please sign in to comment.