当前位置：网站首页>Grpc: how to enable tls/ssl?

Grpc: how to enable tls/ssl?

2022-06-24 02:40:00 【Trespass 】

Introduce

This article will show you how to gRPC Open in microservice TLS/SSL, That's what we often say https.

We will use rk-boot To start up gRPC service .

Please visit the following address for a complete tutorial ：
https://rkdev.info/cn
https://rkdocs.netlify.app/cn ( spare )

Generate Self-Signed Certificate

Users can purchase certificates from major cloud manufacturers , Or use cfssl Create a custom certificate .

Let's introduce how to generate a certificate locally .

1. download cfssl & cfssljson Command line

Recommended rk Command line to download .

$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson

Download from the official website

$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson

2. Generate CA

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

Modify... As needed ca-config.json and ca-csr.json.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3. Generate server certificate

server.csr,server.pem and server-key.pem Will be generated .

$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json | cfssljson -bare server

install

go get github.com/rookie-ninja/rk-boot
go get github.com/rookie-ninja/rk-grpc

Quick start

rk-boot Support to make gRPC Service get certificate .

Local file system
Remote file system
Consul
ETCD

Let's first look at how to get a certificate locally and start .

1. establish boot.yaml

In this case , We only start the certificate of the server . among ,locale Used to distinguish between different environments cert.

Please refer to the previous article for details ：gRPC: Based on cloud native environment , Distinguish between configuration files

---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS
    commonService:
      enabled: true

2. establish main.go

package main

import (
	"context"
	"github.com/rookie-ninja/rk-boot"
	_ "github.com/rookie-ninja/rk-grpc/boot"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Bootstrap
	boot.Bootstrap(context.Background())

	// Wait for shutdown sig
	boot.WaitForShutdownSig(context.Background())
}

3. Folder structure

.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files

4. start-up main.go

$ go run main.go

5. verification

send out Restful request $ curl -X GET --insecure https://localhost:8080/rk/v1/healthy {"healthy":true}
send out grpc request $ grpcurl -insecure localhost:8080 rk.api.v1.RkCommonService.Healthy { "healthy": true }

framework

Parameter Introduction

1. Read certificate locally

Configuration item	details	need	The default value is
cert.localFs.name	Local file system getter name	yes	""
cert.localFs.locale	follow locale: \<realm>::\<region>::\<az>::\<domain>	yes	""
cert.localFs.serverCertPath	Server certificate path	no	""
cert.localFs.serverKeyPath	Server certificate key path	no	""
cert.localFs.clientCertPath	Client certificate path	no	""
cert.localFs.clientCertPath	Client certificate key path	no	""

Example

---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS

2. Read certificate from remote file service

Configuration item	details	need	The default value is
cert.remoteFs.name	Remote file service getter name	yes	""
cert.remoteFs.locale	follow locale：\<realm>::\<region>::\<az>::\<domain>	yes	""
cert.remoteFs.endpoint	Remote address ： http://x.x.x.x perhaps x.x.x.x	yes	N/A
cert.remoteFs.basicAuth	Basic auth： <user:pass>.	no	""
cert.remoteFs.serverCertPath	Server certificate path	no	""
cert.remoteFs.serverKeyPath	Server certificate key path	no	""
cert.remoteFs.clientCertPath	Client certificate path	no	""
cert.remoteFs.clientCertPath	Client certificate key path	no	""

Example

---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable grpc TLS

3. from Consul Read the certificate

Configuration item	details	need	The default value is
cert.consul.name	Consul Getter name	yes	""
cert.consul.locale	follow locale: \<realm>::\<region>::\<az>::\<domain>	yes	""
cert.consul.endpoint	Consul Address ： http://x.x.x.x or x.x.x.x	yes	N/A
cert.consul.datacenter	Consul Data Center	yes	""
cert.consul.token	Consul Access key	no	""
cert.consul.basicAuth	Consul Basic auth, Format ：<user:pass>.	no	""
cert.consul.serverCertPath	Server certificate path	no	""
cert.consul.serverKeyPath	Server certificate key path	no	""
cert.consul.clientCertPath	Server certificate key path	no	""
cert.consul.clientCertPath	Server certificate key path	no	""

Example

---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFS, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: "*::*::*::*"                   # Required, ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable grpc TLS

4. from ETCD Read the certificate

Configuration item	details	need	The default value is
cert.etcd.name	ETCD Getter name	yes	""
cert.etcd.locale	follow locale: \<realm>::\<region>::\<az>::\<domain>	yes	""
cert.etcd.endpoint	ETCD Address ：http://x.x.x.x or x.x.x.x	yes	N/A
cert.etcd.basicAuth	ETCD basic auth, Format ：<user:pass>.	no	""
cert.etcd.serverCertPath	Server certificate path	no	""
cert.etcd.serverKeyPath	Server certificate path	no	""
cert.etcd.clientCertPath	Client certificate path	no	""
cert.etcd.clientCertPath	Client certificate key path	no	""

Example

---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                   # Enable grpc TLS

原网站

版权声明
本文为[Trespass ]所创，转载请带上原文链接，感谢
https://yzsam.com/2021/10/20211026213625731u.html