Introduction
This article shows how to enable TLS/SSL, that is, HTTPS, for a gRPC microservice.
We will use rk-boot to start the gRPC service.
The full tutorial is available at:
rkdev.info/cn
rkdocs.netlify.app/cn (backup)
Generate a self-signed certificate
Certificates can be bought from the major cloud vendors, or custom certificates can be generated with CFSSL.
Here we show how to generate them locally.
1. Install the cfssl & cfssljson command-line tools
Using the rk command line is recommended.
$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson
Or install them from the official project:
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson
2. Generate the CA
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
Edit ca-config.json and ca-csr.json as required. The default ca-config.json already contains a "www" signing profile whose usages include "server auth", which is the profile step 3 uses; adjust the expiry values and the CA subject in ca-csr.json before signing anything you intend to keep.
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
3. Generate a server certificate
This produces server.csr, server.pem and server-key.pem. csr.json is the CSR request for the server (a template can be printed with cfssl print-defaults csr, just as for the CA); list every hostname or IP that clients will dial (localhost in this tutorial) under hosts, because a verifying client matches the name it dialled against the certificate's SANs. The service only needs server.pem and server-key.pem; ca-key.pem is needed only to sign further certificates and should not be deployed with the service.
$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json | cfssljson -bare server
Installation
$ go get github.com/rookie-ninja/rk-boot
Quick start
rk-boot lets the gRPC service obtain its certificate from the following sources:
- Local file system
- Remote file system
- Consul
- etcd
With the three remote sources the server's private key is fetched over the network at startup, so the endpoint should only be reachable over a trusted network or TLS, protected with the provider's basicAuth or token, and read access to the key material should be restricted to the service.
Let's start by loading the certificate from the local file system.
1. Create boot.yaml
In this example only the server certificate is configured, i.e. one-way TLS with no client certificate. locale is used to select different cert entries for different environments.
See the previous article for details: gRPC: differentiated configuration files for a cloud-native environment
---
cert:
  - name: "local-cert"                    # Required
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable gRPC TLS
    commonService:
      enabled: true
2. Create main.go
package main

import (
	"context"

	"github.com/rookie-ninja/rk-boot"
)

// Application entrance.
func main() {
	// Create a new boot instance; it reads boot.yaml from the working directory.
	boot := rkboot.NewBoot()

	// Bootstrap: loads the cert entry and starts the gRPC server with TLS.
	boot.Bootstrap(context.Background())

	// Wait for a shutdown signal.
	boot.WaitForShutdownSig(context.Background())
}
3. Folder structure
.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files
4. Run main.go
$ go run main.go
5. Verify
- Send a RESTful request
$ curl -X GET --insecure https://localhost:8080/rk/v1/healthy
{"healthy":true}
- Send a gRPC request
$ grpcurl -insecure localhost:8080 rk.api.v1.RkCommonService.Healthy
{
  "healthy": true
}
Note that --insecure (curl) and -insecure (grpcurl) switch certificate verification off entirely: they prove that TLS is enabled, not that the client is talking to the right server. To verify properly, point the client at the CA instead (curl --cacert cert/ca.pem, grpcurl -cacert cert/ca.pem) and make sure the name you dial (localhost here) is in the hosts of the server CSR, otherwise verification fails on the hostname check.
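The following Go program is an added example, not code from this article or from rk-boot. Using only the standard library, it does what the cfssl steps above do (a self-signed CA, then a server certificate signed by it with the CSR hosts as SANs), serves that certificate on a loopback TLS listener, and replays the verify step three ways: a client that trusts the CA (the --cacert case), a client with no CA (what --insecure silently skips), and a client that trusts the CA but dials a name that is not in the certificate's hosts. The names example-ca, greeter and greeter.internal are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA does what `cfssl gencert -initca ca-csr.json` does: a self-signed
// certificate with IsCA set and the CertSign usage. Subject name is assumed.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"}, // assumed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// newServerCert does what `cfssl gencert -profile www` does: a leaf signed by
// the CA, restricted to server authentication, with the CSR "hosts" list as
// DNS/IP SANs. Only names in this list pass a verifying client's name check.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hosts []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "greeter"}, // assumed; CN is not used for matching
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake serves serverCert on a loopback TLS listener and dials it with
// clientCfg, returning the client-side handshake error (nil on success).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // server side; verification failures surface on the client
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Run replays the article's verify step: trusted CA, no CA, and wrong hostname.
func Run() (trustedOK, untrustedRejected, wrongNameRejected bool, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return
	}
	srv, err := newServerCert(ca, caKey, []string{"localhost", "127.0.0.1"})
	if err != nil {
		return
	}
	pool := x509.NewCertPool() // the equivalent of handing ca.pem to --cacert
	pool.AddCert(ca)
	trustedOK = handshake(srv, &tls.Config{RootCAs: pool, ServerName: "localhost"}) == nil
	untrustedRejected = handshake(srv, &tls.Config{ServerName: "localhost"}) != nil
	nameErr := handshake(srv, &tls.Config{RootCAs: pool, ServerName: "greeter.internal"})
	var hostErr x509.HostnameError
	wrongNameRejected = errors.As(nameErr, &hostErr)
	return
}

func main() {
	trusted, untrusted, wrongName, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA ok=%v, no CA rejected=%v, wrong name rejected=%v\n", trusted, untrusted, wrongName)
}
```

The second case is the one --insecure hides: without the CA, any certificate, including one presented by an interposed host, would be accepted. The third case is why the hosts list in csr.json matters even when the CA is trusted.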
Parameter reference
1. Read the certificate from the local file system
Configuration item | Description | Required | Default |
---|---|---|---|
cert.localFs.name | Name of the local file system getter | yes | "" |
cert.localFs.locale | Must follow the locale format <realm>::<region>::<az>::<domain> | yes | "" |
cert.localFs.serverCertPath | Path of the server certificate | no | "" |
cert.localFs.serverKeyPath | Path of the server certificate key | no | "" |
cert.localFs.clientCertPath | Path of the client certificate | no | "" |
cert.localFs.clientKeyPath | Path of the client certificate key | no | "" |
- Example
---
cert:
  - name: "local-cert"                    # Required
    description: "Description of entry"   # Optional
    provider: "localFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the local FS
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                   # Enable gRPC TLS
2. Read the certificate from a remote file service
Configuration item | Description | Required | Default |
---|---|---|---|
cert.remoteFs.name | Name of the remote file service getter | yes | "" |
cert.remoteFs.locale | Must follow the locale format <realm>::<region>::<az>::<domain> | yes | "" |
cert.remoteFs.endpoint | Remote file service address: http://x.x.x.x or x.x.x.x | yes | N/A |
cert.remoteFs.basicAuth | Basic auth, format user:pass | no | "" |
cert.remoteFs.serverCertPath | Path of the server certificate | no | "" |
cert.remoteFs.serverKeyPath | Path of the server certificate key | no | "" |
cert.remoteFs.clientCertPath | Path of the client certificate | no | "" |
cert.remoteFs.clientKeyPath | Path of the client certificate key | no | "" |
- Example
---
cert:
  - name: "remote-cert"                   # Required
    description: "Description of entry"   # Optional
    provider: "remoteFs"                  # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    locale: "*::*::*::*"                  # Required, default: ""
    serverCertPath: "cert/server.pem"     # Optional, default: "", path of the certificate on the remote file service
    serverKeyPath: "cert/server-key.pem"  # Optional, default: "", path of the private key on the remote file service
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                  # Enable gRPC TLS
3. Read the certificate from Consul
Configuration item | Description | Required | Default |
---|---|---|---|
cert.consul.name | Name of the Consul getter | yes | "" |
cert.consul.locale | Must follow the locale format <realm>::<region>::<az>::<domain> | yes | "" |
cert.consul.endpoint | Consul address: http://x.x.x.x or x.x.x.x | yes | N/A |
cert.consul.datacenter | Consul datacenter | yes | "" |
cert.consul.token | Consul ACL token | no | "" |
cert.consul.basicAuth | Consul basic auth, format user:pass | no | "" |
cert.consul.serverCertPath | Key of the server certificate in Consul | no | "" |
cert.consul.serverKeyPath | Key of the server certificate key in Consul | no | "" |
cert.consul.clientCertPath | Key of the client certificate in Consul | no | "" |
cert.consul.clientKeyPath | Key of the client certificate key in Consul | no | "" |
- Example
---
cert:
  - name: "consul-cert"                   # Required
    provider: "consul"                    # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"   # Optional
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:8500"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    datacenter: "dc1"                     # Optional, default: "", Consul datacenter
    serverCertPath: "server.pem"          # Optional, default: "", key of the certificate value in Consul
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of the private key value in Consul
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                  # Enable gRPC TLS
4. Read the certificate from etcd
Configuration item | Description | Required | Default |
---|---|---|---|
cert.etcd.name | Name of the etcd getter | yes | "" |
cert.etcd.locale | Must follow the locale format <realm>::<region>::<az>::<domain> | yes | "" |
cert.etcd.endpoint | etcd address: http://x.x.x.x or x.x.x.x | yes | N/A |
cert.etcd.basicAuth | etcd basic auth, format user:pass | no | "" |
cert.etcd.serverCertPath | Key of the server certificate in etcd | no | "" |
cert.etcd.serverKeyPath | Key of the server certificate key in etcd | no | "" |
cert.etcd.clientCertPath | Key of the client certificate in etcd | no | "" |
cert.etcd.clientKeyPath | Key of the client certificate key in etcd | no | "" |
- Example
---
cert:
  - name: "etcd-cert"                     # Required
    description: "Description of entry"   # Optional
    provider: "etcd"                      # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                  # Required, default: ""
    endpoint: "localhost:2379"            # Required, both http://x.x.x.x and x.x.x.x are acceptable
    serverCertPath: "server.pem"          # Optional, default: "", key of the certificate value in etcd
    serverKeyPath: "server-key.pem"       # Optional, default: "", key of the private key value in etcd
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                    # Enable gRPC TLS