Small knowledge, big challenge! This article is participating in the creation activity of “Essential Tips for Programmers”

This article also participated in the “Digitalstar Project” to win a creative gift package and creative incentive money

Introduction

This article shows how to enable TLS/SSL in gRPC microservices, that is, what is commonly called HTTPS.

We will use rk-boot to start the gRPC service.

Please visit the following addresses for the full tutorial:

  • rkdev.info/cn

  • rkdocs.netlify.app/cn (backup)

Generate a self-signed certificate

Users can purchase certificates from major cloud vendors or create their own with cfssl.

Here we show how to generate certificates locally.

1. Download the cfssl & cfssljson command-line tools

The rk command line is recommended.

$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson

Or download from the official source:

$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson

2. Generate the CA

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

Modify ca-config.json and ca-csr.json as required.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3. Generate a server certificate

server.csr, server.pem and server-key.pem will be generated.

$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json | cfssljson -bare server

Installation

go get github.com/rookie-ninja/rk-boot

Quick start

rk-boot allows the gRPC service to obtain its certificates from the following sources.

  • Local file system
  • Remote file system
  • Consul
  • etcd

Let's start by loading the certificate from the local file system and starting the service.

1. Create boot.yaml

In this example we only enable the server certificate (no client certificate). The locale field selects which cert entry applies in a given environment.

See the previous article for details: gRPC: differentiated configuration files in a cloud-native environment

---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS
    commonService:
      enabled: true

2. Create main.go

package main

import (
	"context"

	"github.com/rookie-ninja/rk-boot"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Bootstrap: reads boot.yaml, loads the cert entry and starts the gRPC server with TLS.
	boot.Bootstrap(context.Background())

	// Wait for shutdown signal.
	boot.WaitForShutdownSig(context.Background())
}

3. Folder structure

.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files

4. Run main.go

$ go run main.go

5. Verify

The --insecure / -insecure flags below disable certificate verification; they are only acceptable here because the CA is self-signed and not in the client's trust store.

  • Send a RESTful request
$ curl -X GET --insecure https://localhost:8080/rk/v1/healthy
{"healthy":true}
  • Send a gRPC request
$ grpcurl -insecure localhost:8080 rk.api.v1.RkCommonService.Healthy
{
  "healthy": true
}
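What the insecure flags skip is the check that makes TLS worth enabling: that server.pem chains to a CA you trust and names the host you dialed. The Go example below is added here and is not rk-boot or article code; it performs that check with the standard library and, instead of reading cfssl's ca.pem and server.pem, constructs a throwaway CA and a "localhost" server certificate inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyServerCert checks server.pem against ca.pem for hostname: the chain and
// name checks that curl --insecure and grpcurl -insecure skip.
func VerifyServerCert(serverPEM, caPEM []byte, hostname string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate in ca.pem")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("no PEM block in server.pem")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// GenTestCerts is constructed test data: a throwaway CA and a "localhost" server
// certificate it signs, standing in for cfssl's ca.pem and server.pem.
func GenTestCerts() (serverPEM, caPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTpl, caCert, &srvKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
```

With the real files the same verification is what curl --cacert ca.pem and grpcurl -cacert ca.pem perform, and what a Go gRPC client gets from credentials.NewClientTLSFromFile("ca.pem", "localhost").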

Architecture

Parameters

1. Read the certificate from the local file system

| Configuration item | Description | Required | Default |
| --- | --- | --- | --- |
| cert.localFs.name | Name of the local file system getter | yes | "" |
| cert.localFs.locale | Must follow the locale format: <realm>::<region>::<az>::<domain> | yes | "" |
| cert.localFs.serverCertPath | Path of the server certificate | no | "" |
| cert.localFs.serverKeyPath | Path of the server certificate key | no | "" |
| cert.localFs.clientCertPath | Path of the client certificate | no | "" |
| cert.localFs.clientKeyPath | Path of the client certificate key | no | "" |

  • Example
---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS

2. Read the certificate from a remote file service

| Configuration item | Description | Required | Default |
| --- | --- | --- | --- |
| cert.remoteFs.name | Name of the remote file service getter | yes | "" |
| cert.remoteFs.locale | Must follow the locale format: <realm>::<region>::<az>::<domain> | yes | "" |
| cert.remoteFs.endpoint | Remote address: http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.remoteFs.basicAuth | Basic auth, format user:pass | no | "" |
| cert.remoteFs.serverCertPath | Path of the server certificate | no | "" |
| cert.remoteFs.serverKeyPath | Path of the server certificate key | no | "" |
| cert.remoteFs.clientCertPath | Path of the client certificate | no | "" |
| cert.remoteFs.clientKeyPath | Path of the client certificate key | no | "" |

  • Example
---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on remote FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate key on remote FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable grpc TLS

3. Read the certificate from Consul

| Configuration item | Description | Required | Default |
| --- | --- | --- | --- |
| cert.consul.name | Name of the Consul getter | yes | "" |
| cert.consul.locale | Must follow the locale format: <realm>::<region>::<az>::<domain> | yes | "" |
| cert.consul.endpoint | Consul address: http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.consul.datacenter | Consul datacenter | yes | "" |
| cert.consul.token | Consul access token | no | "" |
| cert.consul.basicAuth | Consul basic auth, format user:pass | no | "" |
| cert.consul.serverCertPath | Key of the server certificate in Consul | no | "" |
| cert.consul.serverKeyPath | Key of the server certificate key in Consul | no | "" |
| cert.consul.clientCertPath | Key of the client certificate in Consul | no | "" |
| cert.consul.clientKeyPath | Key of the client certificate key in Consul | no | "" |

  • Example
---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFs, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable grpc TLS

4. Read the certificate from etcd

| Configuration item | Description | Required | Default |
| --- | --- | --- | --- |
| cert.etcd.name | Name of the etcd getter | yes | "" |
| cert.etcd.locale | Must follow the locale format: <realm>::<region>::<az>::<domain> | yes | "" |
| cert.etcd.endpoint | etcd address: http://x.x.x.x or x.x.x.x | yes | N/A |
| cert.etcd.basicAuth | etcd basic auth, format user:pass | no | "" |
| cert.etcd.serverCertPath | Key of the server certificate in etcd | no | "" |
| cert.etcd.serverKeyPath | Key of the server certificate key in etcd | no | "" |
| cert.etcd.clientCertPath | Key of the client certificate in etcd | no | "" |
| cert.etcd.clientKeyPath | Key of the client certificate key in etcd | no | "" |

  • Example
---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                     # Enable grpc TLS