[#549] grpc/server: Add TLS encryption
Add TLS settings to the config. Enable server-side TLS encryption when it is configured. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
parent
5a3a27ba9f
commit
e10981a7d3
2 changed files with 39 additions and 2 deletions
@ -68,6 +68,9 @@ const (
// config keys for cfgGRPC
// config keys for cfgGRPC
cfgListenAddress = "grpc.endpoint"
cfgListenAddress = "grpc.endpoint"
cfgTLSEnabled = "grpc.tls.enabled"
cfgTLSCertFile = "grpc.tls.certificate"
cfgTLSKeyFile = "grpc.tls.key"
// config keys for API client cache
// config keys for API client cache
cfgAPIClientDialTimeout = "apiclient.dial_timeout"
cfgAPIClientDialTimeout = "apiclient.dial_timeout"
@ -206,6 +209,10 @@ type cfgGRPC struct {
maxChunkSize uint64
maxChunkSize uint64
maxAddrAmount uint64
maxAddrAmount uint64
tlsEnabled bool
tlsCertFile string
tlsKeyFile string
}
}
type cfgMorph struct {
type cfgMorph struct {
@ -335,6 +342,18 @@ func initCfg(path string) *cfg {
maxChunkSize := uint64(maxMsgSize) * 3 / 4 // 25% to meta, 75% to payload
maxChunkSize := uint64(maxMsgSize) * 3 / 4 // 25% to meta, 75% to payload
maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes
maxAddrAmount := uint64(maxChunkSize) / addressSize // each address is about 72 bytes
var (
tlsEnabled bool
tlsCertFile string
tlsKeyFile string
)
if viperCfg.GetBool(cfgTLSEnabled) {
tlsEnabled = true
tlsCertFile = viperCfg.GetString(cfgTLSCertFile)
tlsKeyFile = viperCfg.GetString(cfgTLSKeyFile)
}
state := newNetworkState()
state := newNetworkState()
containerWorkerPool, err := ants.NewPool(notificationHandlerPoolSize)
containerWorkerPool, err := ants.NewPool(notificationHandlerPoolSize)
@ -377,6 +396,9 @@ func initCfg(path string) *cfg {
cfgGRPC: cfgGRPC{
cfgGRPC: cfgGRPC{
maxChunkSize: maxChunkSize,
maxChunkSize: maxChunkSize,
maxAddrAmount: maxAddrAmount,
maxAddrAmount: maxAddrAmount,
tlsEnabled: tlsEnabled,
tlsCertFile: tlsCertFile,
tlsKeyFile: tlsKeyFile,
},
},
localAddr: netAddr,
localAddr: netAddr,
respSvc: response.NewService(
respSvc: response.NewService(
@ -430,6 +452,9 @@ func defaultConfiguration(v *viper.Viper) {
v.SetDefault(cfgMorphNotifyDialTimeout, 5*time.Second)
v.SetDefault(cfgMorphNotifyDialTimeout, 5*time.Second)
v.SetDefault(cfgListenAddress, "127.0.0.1:50501") // listen address
v.SetDefault(cfgListenAddress, "127.0.0.1:50501") // listen address
v.SetDefault(cfgTLSEnabled, false)
v.SetDefault(cfgTLSCertFile, "")
v.SetDefault(cfgTLSKeyFile, "")
v.SetDefault(cfgAPIClientDialTimeout, 5*time.Second)
v.SetDefault(cfgAPIClientDialTimeout, 5*time.Second)
@ -7,6 +7,7 @@ import (
"github.com/nspcc-dev/neofs-node/pkg/util/logger"
"github.com/nspcc-dev/neofs-node/pkg/util/logger"
"go.uber.org/zap"
"go.uber.org/zap"
"google.golang.org/grpc"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
)
func initGRPC(c *cfg) {
func initGRPC(c *cfg) {
@ -15,9 +16,20 @@ func initGRPC(c *cfg) {
c.cfgGRPC.listener, err = net.Listen("tcp", c.viper.GetString(cfgListenAddress))
c.cfgGRPC.listener, err = net.Listen("tcp", c.viper.GetString(cfgListenAddress))
fatalOnErr(err)
fatalOnErr(err)
c.cfgGRPC.server = grpc.NewServer(
serverOpts := []grpc.ServerOption{
grpc.MaxSendMsgSize(maxMsgSize),
grpc.MaxSendMsgSize(maxMsgSize),
)
}
if c.cfgGRPC.tlsEnabled {
creds, err := credentials.NewServerTLSFromFile(c.cfgGRPC.tlsCertFile, c.cfgGRPC.tlsKeyFile)
if err != nil {
fatalOnErr(fmt.Errorf("could not read credentionals from file: %w", err))
}
serverOpts = append(serverOpts, grpc.Creds(creds))
}
c.cfgGRPC.server = grpc.NewServer(serverOpts...)
c.onShutdown(func() {
c.onShutdown(func() {
stopGRPC("NeoFS Public API", c.cfgGRPC.server, c.log)
stopGRPC("NeoFS Public API", c.cfgGRPC.server, c.log)
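Review bot: credentials.NewServerTLSFromFile builds the server's tls.Config from Go's defaults, so nothing in the new `if c.cfgGRPC.tlsEnabled` block pins a minimum protocol version or cipher policy; depending on the toolchain (server-side default minimum was TLS 1.0 before Go 1.22) the "encrypted" endpoint may still accept TLS 1.0/1.1 handshakes. Loading the pair with tls.LoadX509KeyPair and passing an explicit tls.Config to credentials.NewTLS makes the floor a decision in this code rather than a toolchain default, as sketched below (needs a crypto/tls import). The error message on the fatalOnErr line also misspells "credentionals"; it should read `could not read credentials from file: %w`. initGRPC continues outside the hunk.
```go
	if c.cfgGRPC.tlsEnabled {
		cert, err := tls.LoadX509KeyPair(c.cfgGRPC.tlsCertFile, c.cfgGRPC.tlsKeyFile)
		if err != nil {
			fatalOnErr(fmt.Errorf("could not read credentials from file: %w", err))
		}

		// Pin the protocol floor explicitly instead of inheriting the
		// toolchain default, which has been TLS 1.0 for servers on older Go.
		serverOpts = append(serverOpts, grpc.Creds(credentials.NewTLS(&tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   tls.VersionTLS12,
		})))
	}
	// … unchanged: grpc.NewServer(serverOpts...) and the shutdown hook …
```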