[#549] grpc/server: Add TLS encryption

Add TLS settings to the config. Enable server-side encryption
when it is configured.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
Pavel Karpy 2021-05-14 12:11:49 +03:00 committed by Alex Vanin
parent 5a3a27ba9f
commit e10981a7d3
2 changed files with 39 additions and 2 deletions


@ -68,6 +68,9 @@ const (
// config keys for cfgGRPC // config keys for cfgGRPC
cfgListenAddress = "grpc.endpoint" cfgListenAddress = "grpc.endpoint"
cfgTLSEnabled = "grpc.tls.enabled"
cfgTLSCertFile = "grpc.tls.certificate"
cfgTLSKeyFile = "grpc.tls.key"
// config keys for API client cache // config keys for API client cache
cfgAPIClientDialTimeout = "apiclient.dial_timeout" cfgAPIClientDialTimeout = "apiclient.dial_timeout"
@ -206,6 +209,10 @@ type cfgGRPC struct {
maxChunkSize uint64 maxChunkSize uint64
maxAddrAmount uint64 maxAddrAmount uint64
tlsEnabled bool
tlsCertFile string
tlsKeyFile string
} }
type cfgMorph struct { type cfgMorph struct {
@ -335,6 +342,18 @@ func initCfg(path string) *cfg {
maxChunkSize := uint64(maxMsgSize) * 3 / 4 // 25% to meta, 75% to payload maxChunkSize := uint64(maxMsgSize) * 3 / 4 // 25% to meta, 75% to payload
maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes
var (
tlsEnabled bool
tlsCertFile string
tlsKeyFile string
)
if viperCfg.GetBool(cfgTLSEnabled) {
tlsEnabled = true
tlsCertFile = viperCfg.GetString(cfgTLSCertFile)
tlsKeyFile = viperCfg.GetString(cfgTLSKeyFile)
}
state := newNetworkState() state := newNetworkState()
containerWorkerPool, err := ants.NewPool(notificationHandlerPoolSize) containerWorkerPool, err := ants.NewPool(notificationHandlerPoolSize)
@ -377,6 +396,9 @@ func initCfg(path string) *cfg {
cfgGRPC: cfgGRPC{ cfgGRPC: cfgGRPC{
maxChunkSize: maxChunkSize, maxChunkSize: maxChunkSize,
maxAddrAmount: maxAddrAmount, maxAddrAmount: maxAddrAmount,
tlsEnabled: tlsEnabled,
tlsCertFile: tlsCertFile,
tlsKeyFile: tlsKeyFile,
}, },
localAddr: netAddr, localAddr: netAddr,
respSvc: response.NewService( respSvc: response.NewService(
@ -430,6 +452,9 @@ func defaultConfiguration(v *viper.Viper) {
v.SetDefault(cfgMorphNotifyDialTimeout, 5*time.Second) v.SetDefault(cfgMorphNotifyDialTimeout, 5*time.Second)
v.SetDefault(cfgListenAddress, "127.0.0.1:50501") // listen address v.SetDefault(cfgListenAddress, "127.0.0.1:50501") // listen address
v.SetDefault(cfgTLSEnabled, false)
v.SetDefault(cfgTLSCertFile, "")
v.SetDefault(cfgTLSKeyFile, "")
v.SetDefault(cfgAPIClientDialTimeout, 5*time.Second) v.SetDefault(cfgAPIClientDialTimeout, 5*time.Second)
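Review bot: The TLS branch in initCfg (`if viperCfg.GetBool(cfgTLSEnabled) { ... }`) copies the certificate and key paths without checking them, while defaultConfiguration sets both to `""`, so a config with `grpc.tls.enabled` set and no paths only fails later in initGRPC's `credentials.NewServerTLSFromFile` call with a file-open error that never names the config keys. Validating in initCfg fails fast with an actionable message, e.g. `if tlsEnabled && (tlsCertFile == "" || tlsKeyFile == "") { fatalOnErr(fmt.Errorf("%s is set but %s or %s is empty", cfgTLSEnabled, cfgTLSCertFile, cfgTLSKeyFile)) }` (assuming fatalOnErr and fmt are reachable here as they are in the grpc file). The `var` block plus `tlsEnabled = true` inside the branch can also collapse to `tlsEnabled := viperCfg.GetBool(cfgTLSEnabled)` followed by the two `GetString` reads, since reading the path strings unconditionally has no side effect. initCfg begins and ends outside this hunk.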


@ -7,6 +7,7 @@ import (
"github.com/nspcc-dev/neofs-node/pkg/util/logger" "github.com/nspcc-dev/neofs-node/pkg/util/logger"
"go.uber.org/zap" "go.uber.org/zap"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials"
) )
func initGRPC(c *cfg) { func initGRPC(c *cfg) {
@ -15,9 +16,20 @@ func initGRPC(c *cfg) {
c.cfgGRPC.listener, err = net.Listen("tcp", c.viper.GetString(cfgListenAddress)) c.cfgGRPC.listener, err = net.Listen("tcp", c.viper.GetString(cfgListenAddress))
fatalOnErr(err) fatalOnErr(err)
c.cfgGRPC.server = grpc.NewServer( serverOpts := []grpc.ServerOption{
grpc.MaxSendMsgSize(maxMsgSize), grpc.MaxSendMsgSize(maxMsgSize),
) }
if c.cfgGRPC.tlsEnabled {
creds, err := credentials.NewServerTLSFromFile(c.cfgGRPC.tlsCertFile, c.cfgGRPC.tlsKeyFile)
if err != nil {
fatalOnErr(fmt.Errorf("could not read credentionals from file: %w", err))
}
serverOpts = append(serverOpts, grpc.Creds(creds))
}
c.cfgGRPC.server = grpc.NewServer(serverOpts...)
c.onShutdown(func() { c.onShutdown(func() {
stopGRPC("NeoFS Public API", c.cfgGRPC.server, c.log) stopGRPC("NeoFS Public API", c.cfgGRPC.server, c.log)