From a449040790029256358fd87f1d8681c053e89ae4 Mon Sep 17 00:00:00 2001 From: maco Date: Thu, 16 May 2024 15:12:15 +0800 Subject: [PATCH 1/8] feat: Add tls support for grpc service --- src/cmd/src/datanode.rs | 13 +++++++++++++ src/cmd/src/frontend.rs | 1 + src/datanode/src/config.rs | 3 +++ src/datanode/src/error.rs | 9 +++++++++ src/datanode/src/service.rs | 20 ++++++++++++-------- src/frontend/src/error.rs | 11 ++++++++++- src/frontend/src/server.rs | 8 ++++++-- src/frontend/src/service_config/grpc.rs | 4 ++++ src/servers/src/grpc.rs | 13 +++++++++++-- src/servers/src/grpc/builder.rs | 23 +++++++++++++++++++++++ tests-integration/tests/grpc.rs | 5 +++++ tests-integration/tests/http.rs | 6 ++++++ 12 files changed, 103 insertions(+), 13 deletions(-) diff --git a/src/cmd/src/datanode.rs b/src/cmd/src/datanode.rs index 3c189f2c3d07..422311fdbe38 100644 --- a/src/cmd/src/datanode.rs +++ b/src/cmd/src/datanode.rs @@ -27,6 +27,7 @@ use datanode::config::DatanodeOptions; use datanode::datanode::{Datanode, DatanodeBuilder}; use datanode::service::DatanodeServiceBuilder; use meta_client::MetaClientOptions; +use servers::tls::{TlsMode, TlsOption}; use servers::Mode; use snafu::{OptionExt, ResultExt}; use tracing_appender::non_blocking::WorkerGuard; @@ -142,6 +143,12 @@ struct StartCommand { http_timeout: Option, #[clap(long, default_value = "GREPTIMEDB_DATANODE")] env_prefix: String, + #[clap(long)] + tls_mode: Option, + #[clap(long)] + tls_cert_path: Option, + #[clap(long)] + tls_key_path: Option, } impl StartCommand { @@ -228,6 +235,11 @@ impl StartCommand { opts.http.timeout = Duration::from_secs(http_timeout) } + opts.tls = TlsOption::new( + self.tls_mode.clone(), + self.tls_cert_path.clone(), + self.tls_key_path.clone(), + ); // Disable dashboard in datanode. opts.http.disable_dashboard = true; @@ -275,6 +287,7 @@ impl StartCommand { let services = DatanodeServiceBuilder::new(&opts) .with_default_grpc_server(&datanode.region_server()) + .context(StartDatanodeSnafu)? .enable_http_service() .build() .await diff --git a/src/cmd/src/frontend.rs b/src/cmd/src/frontend.rs index 1f5671f1146d..a2dc2c6fd9ae 100644 --- a/src/cmd/src/frontend.rs +++ b/src/cmd/src/frontend.rs @@ -216,6 +216,7 @@ impl StartCommand { if let Some(addr) = &self.rpc_addr { opts.grpc.addr.clone_from(addr); + opts.grpc.tls = tls_opts.clone(); } if let Some(addr) = &self.mysql_addr { diff --git a/src/datanode/src/config.rs b/src/datanode/src/config.rs index ec278d3c4247..b13fb70a0d74 100644 --- a/src/datanode/src/config.rs +++ b/src/datanode/src/config.rs @@ -30,6 +30,7 @@ use serde::{Deserialize, Serialize}; use servers::export_metrics::ExportMetricsOption; use servers::heartbeat_options::HeartbeatOptions; use servers::http::HttpOptions; +use servers::tls::TlsOption; use servers::Mode; pub const DEFAULT_OBJECT_STORE_CACHE_SIZE: ReadableSize = ReadableSize::mb(256); @@ -236,6 +237,7 @@ pub struct DatanodeOptions { pub enable_telemetry: bool, pub export_metrics: ExportMetricsOption, pub tracing: TracingOptions, + pub tls: TlsOption, } impl Default for DatanodeOptions { @@ -263,6 +265,7 @@ impl Default for DatanodeOptions { enable_telemetry: true, export_metrics: ExportMetricsOption::default(), tracing: TracingOptions::default(), + tls: TlsOption::default(), } } } diff --git a/src/datanode/src/error.rs b/src/datanode/src/error.rs index ec3bccceeb41..070ace3652ad 100644 --- a/src/datanode/src/error.rs +++ b/src/datanode/src/error.rs @@ -367,6 +367,14 @@ pub enum Error { #[snafu(source(from(common_config::error::Error, Box::new)))] source: Box, }, + + #[snafu(display("Invalid tls config"))] + InvalidTlsConfig { + #[snafu(source)] + error: common_grpc::error::Error, + #[snafu(implicit)] + location: Location, + }, } pub type Result = std::result::Result; @@ -401,6 +409,7 @@ impl ErrorExt for Error { | MissingWalDirConfig { .. } | MissingKvBackend { .. } | TomlFormat { .. } => StatusCode::InvalidArguments, + InvalidTlsConfig { .. } => StatusCode::InvalidArguments, PayloadNotExist { .. } | Unexpected { .. } | WatchAsyncTaskChange { .. } => { StatusCode::Unexpected diff --git a/src/datanode/src/service.rs b/src/datanode/src/service.rs index dccacf6813f0..82fbe359bc28 100644 --- a/src/datanode/src/service.rs +++ b/src/datanode/src/service.rs @@ -24,7 +24,7 @@ use servers::server::{ServerHandler, ServerHandlers}; use snafu::ResultExt; use crate::config::DatanodeOptions; -use crate::error::{ParseAddrSnafu, Result, TomlFormatSnafu}; +use crate::error::{InvalidTlsConfigSnafu, ParseAddrSnafu, Result, TomlFormatSnafu}; use crate::region_server::RegionServer; pub struct DatanodeServiceBuilder<'a> { @@ -49,10 +49,10 @@ impl<'a> DatanodeServiceBuilder<'a> { } } - pub fn with_default_grpc_server(mut self, region_server: &RegionServer) -> Self { - let grpc_server = Self::grpc_server_builder(self.opts, region_server).build(); - self.grpc_server = Some(grpc_server); - self + pub fn with_default_grpc_server(mut self, region_server: &RegionServer) -> Result { + let grpc_server_build = Self::grpc_server_builder(self.opts, region_server)?; + self.grpc_server = Some(grpc_server_build.build()); + Ok(self) } pub fn enable_http_service(self) -> Self { @@ -91,14 +91,18 @@ impl<'a> DatanodeServiceBuilder<'a> { pub fn grpc_server_builder( opts: &DatanodeOptions, region_server: &RegionServer, - ) -> GrpcServerBuilder { + ) -> Result { let config = GrpcServerConfig { max_recv_message_size: opts.rpc_max_recv_message_size.as_bytes() as usize, max_send_message_size: opts.rpc_max_send_message_size.as_bytes() as usize, + tls: opts.tls.clone(), }; - GrpcServerBuilder::new(config, region_server.runtime()) + let build = GrpcServerBuilder::new(config, region_server.runtime()) + .with_tls_config(opts.tls.clone()) + .context(InvalidTlsConfigSnafu)? .flight_handler(Arc::new(region_server.clone())) - .region_server_handler(Arc::new(region_server.clone())) + .region_server_handler(Arc::new(region_server.clone())); + Ok(build) } } diff --git a/src/frontend/src/error.rs b/src/frontend/src/error.rs index f7bd62081fbf..9b2a0faf6320 100644 --- a/src/frontend/src/error.rs +++ b/src/frontend/src/error.rs @@ -355,6 +355,14 @@ pub enum Error { location: Location, name: String, }, + + #[snafu(display("Invalid tls config"))] + InvalidTlsConfig { + #[snafu(source)] + error: common_grpc::error::Error, + #[snafu(implicit)] + location: Location, + }, } pub type Result = std::result::Result; @@ -374,7 +382,8 @@ impl ErrorExt for Error { | Error::IllegalAuthConfig { .. } | Error::EmptyData { .. } | Error::ColumnNoneDefaultValue { .. } - | Error::IncompleteGrpcRequest { .. } => StatusCode::InvalidArguments, + | Error::IncompleteGrpcRequest { .. } + | Error::InvalidTlsConfig { .. } => StatusCode::InvalidArguments, Error::NotSupported { .. } => StatusCode::Unsupported, diff --git a/src/frontend/src/server.rs b/src/frontend/src/server.rs index 2309b027349c..2dae0ec8a5ff 100644 --- a/src/frontend/src/server.rs +++ b/src/frontend/src/server.rs @@ -76,9 +76,13 @@ where let grpc_config = GrpcServerConfig { max_recv_message_size: opts.max_recv_message_size.as_bytes() as usize, max_send_message_size: opts.max_send_message_size.as_bytes() as usize, + tls: opts.tls.clone(), }; - - Ok(GrpcServerBuilder::new(grpc_config, grpc_runtime)) + let mut builder = GrpcServerBuilder::new(grpc_config, grpc_runtime); + builder = builder + .with_tls_config(opts.tls.clone()) + .context(error::InvalidTlsConfigSnafu)?; + Ok(builder) } pub fn http_server_builder(&self, opts: &FrontendOptions) -> HttpServerBuilder { diff --git a/src/frontend/src/service_config/grpc.rs b/src/frontend/src/service_config/grpc.rs index 899a22d3ebf3..fbc38b6869c8 100644 --- a/src/frontend/src/service_config/grpc.rs +++ b/src/frontend/src/service_config/grpc.rs @@ -17,6 +17,7 @@ use common_grpc::channel_manager::{ DEFAULT_MAX_GRPC_RECV_MESSAGE_SIZE, DEFAULT_MAX_GRPC_SEND_MESSAGE_SIZE, }; use serde::{Deserialize, Serialize}; +use servers::tls::TlsOption; #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] pub struct GrpcOptions { @@ -26,6 +27,8 @@ pub struct GrpcOptions { pub max_recv_message_size: ReadableSize, // Max gRPC sending(encoding) message size pub max_send_message_size: ReadableSize, + #[serde(default = "Default::default")] + pub tls: TlsOption, } impl Default for GrpcOptions { @@ -35,6 +38,7 @@ impl Default for GrpcOptions { runtime_size: 8, max_recv_message_size: DEFAULT_MAX_GRPC_RECV_MESSAGE_SIZE, max_send_message_size: DEFAULT_MAX_GRPC_SEND_MESSAGE_SIZE, + tls: TlsOption::default(), } } } diff --git a/src/servers/src/grpc.rs b/src/servers/src/grpc.rs index 7afc36c8b58f..aaf64511bd63 100644 --- a/src/servers/src/grpc.rs +++ b/src/servers/src/grpc.rs @@ -36,6 +36,7 @@ use tokio::net::TcpListener; use tokio::sync::oneshot::{self, Receiver, Sender}; use tokio::sync::Mutex; use tonic::transport::server::{Routes, TcpIncoming}; +use tonic::transport::ServerTlsConfig; use tonic::{Request, Response, Status}; use tonic_reflection::server::{ServerReflection, ServerReflectionServer}; @@ -44,6 +45,7 @@ use crate::error::{ }; use crate::metrics::MetricsMiddlewareLayer; use crate::server::Server; +use crate::tls::TlsOption; type TonicResult = std::result::Result; @@ -55,6 +57,8 @@ pub struct GrpcServer { serve_state: Mutex>>>, // handlers routes: Mutex>, + // tls config + tls_config: Option, } /// Grpc Server configuration @@ -64,6 +68,7 @@ pub struct GrpcServerConfig { pub max_recv_message_size: usize, // Max gRPC sending(encoding) message size pub max_send_message_size: usize, + pub tls: TlsOption, } impl Default for GrpcServerConfig { @@ -71,6 +76,7 @@ impl Default for GrpcServerConfig { Self { max_recv_message_size: DEFAULT_MAX_GRPC_RECV_MESSAGE_SIZE.as_bytes() as usize, max_send_message_size: DEFAULT_MAX_GRPC_SEND_MESSAGE_SIZE.as_bytes() as usize, + tls: TlsOption::default(), } } } @@ -172,8 +178,11 @@ impl Server for GrpcServer { .layer(MetricsMiddlewareLayer) .into_inner(); - let builder = tonic::transport::Server::builder() - .layer(metrics_layer) + let mut builder = tonic::transport::Server::builder().layer(metrics_layer); + if let Some(tls_config) = self.tls_config.clone() { + builder = builder.tls_config(tls_config).context(StartGrpcSnafu)?; + } + let builder = builder .add_routes(routes) .add_service(self.create_healthcheck_service()) .add_service(self.create_reflection_service()); diff --git a/src/servers/src/grpc/builder.rs b/src/servers/src/grpc/builder.rs index 2155b36462a2..b0adc284aba7 100644 --- a/src/servers/src/grpc/builder.rs +++ b/src/servers/src/grpc/builder.rs @@ -19,12 +19,15 @@ use api::v1::prometheus_gateway_server::PrometheusGatewayServer; use api::v1::region::region_server::RegionServer; use arrow_flight::flight_service_server::FlightServiceServer; use auth::UserProviderRef; +use common_grpc::error::{InvalidConfigFilePathSnafu, Result}; use common_runtime::Runtime; use opentelemetry_proto::tonic::collector::metrics::v1::metrics_service_server::MetricsServiceServer; use opentelemetry_proto::tonic::collector::trace::v1::trace_service_server::TraceServiceServer; +use snafu::ResultExt; use tokio::sync::Mutex; use tonic::codec::CompressionEncoding; use tonic::transport::server::RoutesBuilder; +use tonic::transport::{Identity, ServerTlsConfig}; use tower::ServiceBuilder; use super::flight::{FlightCraftRef, FlightCraftWrapper}; @@ -37,6 +40,7 @@ use crate::grpc::otlp::OtlpService; use crate::grpc::prom_query_gateway::PrometheusGatewayService; use crate::prometheus_handler::PrometheusHandlerRef; use crate::query_handler::OpenTelemetryProtocolHandlerRef; +use crate::tls::{TlsMode, TlsOption}; /// Add a gRPC service (`service`) to a `builder`([RoutesBuilder]). /// This macro will automatically add some gRPC properties to the service. @@ -62,6 +66,7 @@ pub struct GrpcServerBuilder { config: GrpcServerConfig, runtime: Arc, routes_builder: RoutesBuilder, + tls_config: Option, } impl GrpcServerBuilder { @@ -70,6 +75,7 @@ impl GrpcServerBuilder { config, runtime, routes_builder: RoutesBuilder::default(), + tls_config: None, } } @@ -157,11 +163,28 @@ impl GrpcServerBuilder { &mut self.routes_builder } + pub fn with_tls_config(mut self, tls_option: TlsOption) -> Result { + let tls_config = match tls_option.mode { + TlsMode::Require => { + let cert = std::fs::read_to_string(tls_option.cert_path) + .context(InvalidConfigFilePathSnafu)?; + let key = std::fs::read_to_string(tls_option.key_path) + .context(InvalidConfigFilePathSnafu)?; + let identity = Identity::from_pem(cert, key); + Some(ServerTlsConfig::new().identity(identity)) + } + _ => None, + }; + self.tls_config = tls_config; + Ok(self) + } + pub fn build(self) -> GrpcServer { GrpcServer { routes: Mutex::new(Some(self.routes_builder.routes())), shutdown_tx: Mutex::new(None), serve_state: Mutex::new(None), + tls_config: self.tls_config, } } } diff --git a/tests-integration/tests/grpc.rs b/tests-integration/tests/grpc.rs index b6a56aace7dd..4fd3dacc3bb3 100644 --- a/tests-integration/tests/grpc.rs +++ b/tests-integration/tests/grpc.rs @@ -30,6 +30,7 @@ use servers::http::prometheus::{ PrometheusResponse, }; use servers::server::Server; +use servers::tls::TlsOption; use tests_integration::database::Database; use tests_integration::test_util::{ setup_grpc_server, setup_grpc_server_with, setup_grpc_server_with_user_provider, StorageType, @@ -129,6 +130,7 @@ pub async fn test_grpc_message_size_ok(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, + tls: TlsOption::default(), }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -166,6 +168,7 @@ pub async fn test_grpc_message_size_limit_send(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 50, + tls: TlsOption::default(), }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -185,6 +188,7 @@ pub async fn test_grpc_message_size_limit_recv(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 10, max_send_message_size: 1024, + tls: TlsOption::default(), }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -663,6 +667,7 @@ pub async fn test_grpc_timezone(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, + tls: TlsOption::default(), }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; diff --git a/tests-integration/tests/http.rs b/tests-integration/tests/http.rs index 14c3e8cac265..3fc27fe2dc46 100644 --- a/tests-integration/tests/http.rs +++ b/tests-integration/tests/http.rs @@ -744,6 +744,12 @@ runtime_size = 8 max_recv_message_size = "512MiB" max_send_message_size = "512MiB" +[grpc.tls] +mode = "disable" +cert_path = "" +key_path = "" +watch = false + [mysql] enable = true addr = "127.0.0.1:4002" From 5b8453eb1f338eaa783b77283e63ad0c57e974aa Mon Sep 17 00:00:00 2001 From: maco Date: Fri, 17 May 2024 14:04:18 +0800 Subject: [PATCH 2/8] feat: add integration test --- src/client/src/client.rs | 13 +++++++- src/client/src/error.rs | 13 ++++++-- tests-integration/src/test_util.rs | 11 +++++-- tests-integration/tests/grpc.rs | 49 +++++++++++++++++++++++++++++- 4 files changed, 79 insertions(+), 7 deletions(-) diff --git a/src/client/src/client.rs b/src/client/src/client.rs index ea072a822d39..df8943ad15e6 100644 --- a/src/client/src/client.rs +++ b/src/client/src/client.rs @@ -19,7 +19,7 @@ use api::v1::prometheus_gateway_client::PrometheusGatewayClient; use api::v1::region::region_client::RegionClient as PbRegionClient; use api::v1::HealthCheckRequest; use arrow_flight::flight_service_client::FlightServiceClient; -use common_grpc::channel_manager::ChannelManager; +use common_grpc::channel_manager::{ChannelConfig, ChannelManager, ClientTlsOption}; use parking_lot::RwLock; use snafu::{OptionExt, ResultExt}; use tonic::codec::CompressionEncoding; @@ -87,6 +87,17 @@ impl Client { Self::with_manager_and_urls(ChannelManager::new(), urls) } + pub fn with_tls_and_urls(urls: A, client_tls: ClientTlsOption) -> Result + where + U: AsRef, + A: AsRef<[U]>, + { + let channel_config = ChannelConfig::default().client_tls_config(client_tls); + let channel_manager = ChannelManager::with_tls_config(channel_config) + .context(error::CreateTlsChannelSnafu)?; + Ok(Self::with_manager_and_urls(channel_manager, urls)) + } + pub fn with_manager_and_urls(channel_manager: ChannelManager, urls: A) -> Self where U: AsRef, diff --git a/src/client/src/error.rs b/src/client/src/error.rs index 29197450b62d..e265662e9f2a 100644 --- a/src/client/src/error.rs +++ b/src/client/src/error.rs @@ -82,6 +82,13 @@ pub enum Error { source: common_grpc::error::Error, }, + #[snafu(display("Failed to create Tls channel manager"))] + CreateTlsChannel { + #[snafu(implicit)] + location: Location, + source: common_grpc::error::Error, + }, + #[snafu(display("Failed to request RegionServer, code: {}", code))] RegionServer { code: Code, @@ -129,9 +136,9 @@ impl ErrorExt for Error { Error::FlightGet { source, .. } | Error::HandleRequest { source, .. } | Error::RegionServer { source, .. } => source.status_code(), - Error::CreateChannel { source, .. } | Error::ConvertFlightData { source, .. } => { - source.status_code() - } + Error::CreateChannel { source, .. } + | Error::ConvertFlightData { source, .. } + | Error::CreateTlsChannel { source, .. } => source.status_code(), Error::IllegalGrpcClientState { .. } => StatusCode::Unexpected, } } diff --git a/tests-integration/src/test_util.rs b/tests-integration/src/test_util.rs index 548404ece08d..9894606e79bc 100644 --- a/tests-integration/src/test_util.rs +++ b/tests-integration/src/test_util.rs @@ -50,7 +50,7 @@ use servers::postgres::PostgresServer; use servers::query_handler::grpc::ServerGrpcQueryHandlerAdapter; use servers::query_handler::sql::{ServerSqlQueryHandlerAdapter, SqlQueryHandler}; use servers::server::Server; -use servers::tls::ReloadableTlsServerConfig; +use servers::tls::{ReloadableTlsServerConfig, TlsMode}; use servers::Mode; use session::context::QueryContext; @@ -511,8 +511,15 @@ pub async fn setup_grpc_server_with( let flight_handler = Arc::new(greptime_request_handler.clone()); + let grpc_config = grpc_config.unwrap_or_default(); + let grpc_builder = GrpcServerBuilder::new(grpc_config.clone(), runtime); + let grpc_builder = match grpc_config.tls.mode { + TlsMode::Require => grpc_builder.with_tls_config(grpc_config.tls).unwrap(), + _ => grpc_builder, + }; + let fe_grpc_server = Arc::new( - GrpcServerBuilder::new(grpc_config.unwrap_or_default(), runtime) + grpc_builder .database_handler(greptime_request_handler) .flight_handler(flight_handler) .prometheus_handler(fe_instance_ref.clone(), user_provider) diff --git a/tests-integration/tests/grpc.rs b/tests-integration/tests/grpc.rs index 4fd3dacc3bb3..ee0361d7fdf1 100644 --- a/tests-integration/tests/grpc.rs +++ b/tests-integration/tests/grpc.rs @@ -22,6 +22,7 @@ use api::v1::{ use auth::user_provider_from_option; use client::{Client, OutputData, DEFAULT_CATALOG_NAME, DEFAULT_SCHEMA_NAME}; use common_catalog::consts::MITO_ENGINE; +use common_grpc::channel_manager::ClientTlsOption; use common_query::Output; use common_recordbatch::RecordBatches; use servers::grpc::GrpcServerConfig; @@ -30,7 +31,7 @@ use servers::http::prometheus::{ PrometheusResponse, }; use servers::server::Server; -use servers::tls::TlsOption; +use servers::tls::{TlsMode, TlsOption}; use tests_integration::database::Database; use tests_integration::test_util::{ setup_grpc_server, setup_grpc_server_with, setup_grpc_server_with_user_provider, StorageType, @@ -78,6 +79,7 @@ macro_rules! grpc_tests { test_health_check, test_prom_gateway_query, test_grpc_timezone, + test_grpc_tls_config, ); )* }; @@ -724,3 +726,48 @@ async fn to_batch(output: Output) -> String { .pretty_print() .unwrap() } + +pub async fn test_grpc_tls_config(store_type: StorageType) { + let comm_dir = std::path::PathBuf::from_iter([ + std::env!("CARGO_RUSTC_CURRENT_DIR"), + "src/common/grpc/tests", + ]); + let ca_path = comm_dir.join("tls/server.cert.pem"); + let cert_path = comm_dir.join("tls/client.cert.pem"); + let key_path = comm_dir.join("tls/client.key.pem"); + let ca_path_string = ca_path.to_str().unwrap().to_string(); + let cert_path_str = cert_path.to_str().unwrap(); + let key_path_str = key_path.to_str().unwrap(); + + let tls = TlsOption::new( + Some(TlsMode::Require), + Some(cert_path_str.to_string()), + Some(key_path_str.to_string()), + ); + let config = GrpcServerConfig { + max_recv_message_size: 1024, + max_send_message_size: 1024, + tls, + }; + let (addr, mut guard, fe_grpc_server) = + setup_grpc_server_with(store_type, "tls_create_table", None, Some(config)).await; + + let client_tls = ClientTlsOption { + server_ca_cert_path: ca_path_string, + client_cert_path: cert_path_str.to_string(), + client_key_path: key_path_str.to_string(), + }; + let grpc_client = Client::with_tls_and_urls(vec![addr], client_tls).unwrap(); + let db = Database::new_with_dbname( + format!("{}-{}", DEFAULT_CATALOG_NAME, DEFAULT_SCHEMA_NAME), + grpc_client, + ); + db.sql("show tables;").await.unwrap(); + let _ = fe_grpc_server.shutdown().await; + guard.remove_all().await; +} + +#[tokio::test(flavor = "multi_thread")] +async fn test_grpc_server_builder() { + test_grpc_tls_config(StorageType::File).await; +} From ef53b2071054e3172f5ce201000b09d4ee35d22d Mon Sep 17 00:00:00 2001 From: maco Date: Fri, 17 May 2024 15:53:35 +0800 Subject: [PATCH 3/8] fix: integration test --- src/common/grpc/tests/mod.rs | 16 ++--- src/common/grpc/tests/tls/ca.pem | 28 +++++++++ .../tests/tls/{client.key.pem => client.key} | 0 .../tests/tls/{client.cert.pem => client.pem} | 0 src/common/grpc/tests/tls/server.cert.pem | 40 ------------- src/common/grpc/tests/tls/server.key | 28 +++++++++ src/common/grpc/tests/tls/server.pem | 27 +++++++++ tests-integration/tests/grpc.rs | 58 +++++++++++-------- 8 files changed, 125 insertions(+), 72 deletions(-) create mode 100644 src/common/grpc/tests/tls/ca.pem rename src/common/grpc/tests/tls/{client.key.pem => client.key} (100%) rename src/common/grpc/tests/tls/{client.cert.pem => client.pem} (100%) delete mode 100644 src/common/grpc/tests/tls/server.cert.pem create mode 100644 src/common/grpc/tests/tls/server.key create mode 100644 src/common/grpc/tests/tls/server.pem diff --git a/src/common/grpc/tests/mod.rs b/src/common/grpc/tests/mod.rs index 9967d7ddda8b..40e5e9541f8a 100644 --- a/src/common/grpc/tests/mod.rs +++ b/src/common/grpc/tests/mod.rs @@ -23,9 +23,9 @@ async fn test_mtls_config() { // test wrong file let config = ChannelConfig::new().client_tls_config(ClientTlsOption { - server_ca_cert_path: "tests/tls/wrong_server.cert.pem".to_string(), - client_cert_path: "tests/tls/wrong_client.cert.pem".to_string(), - client_key_path: "tests/tls/wrong_client.key.pem".to_string(), + server_ca_cert_path: "tests/tls/wrong_ca.pem".to_string(), + client_cert_path: "tests/tls/wrong_client.pem".to_string(), + client_key_path: "tests/tls/wrong_client.key".to_string(), }); let re = ChannelManager::with_tls_config(config); @@ -33,8 +33,8 @@ async fn test_mtls_config() { // test corrupted file content let config = ChannelConfig::new().client_tls_config(ClientTlsOption { - server_ca_cert_path: "tests/tls/server.cert.pem".to_string(), - client_cert_path: "tests/tls/client.cert.pem".to_string(), + server_ca_cert_path: "tests/tls/ca.pem".to_string(), + client_cert_path: "tests/tls/client.pem".to_string(), client_key_path: "tests/tls/corrupted".to_string(), }); @@ -44,9 +44,9 @@ async fn test_mtls_config() { // success let config = ChannelConfig::new().client_tls_config(ClientTlsOption { - server_ca_cert_path: "tests/tls/server.cert.pem".to_string(), - client_cert_path: "tests/tls/client.cert.pem".to_string(), - client_key_path: "tests/tls/client.key.pem".to_string(), + server_ca_cert_path: "tests/tls/ca.pem".to_string(), + client_cert_path: "tests/tls/client.pem".to_string(), + client_key_path: "tests/tls/client.key".to_string(), }); let re = ChannelManager::with_tls_config(config).unwrap(); diff --git a/src/common/grpc/tests/tls/ca.pem b/src/common/grpc/tests/tls/ca.pem new file mode 100644 index 000000000000..e5ee6c8e7bab --- /dev/null +++ b/src/common/grpc/tests/tls/ca.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE3DCCA0SgAwIBAgIRAObeYbJFiVQSGR8yk44dsOYwDQYJKoZIhvcNAQELBQAw +gYUxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEtMCsGA1UECwwkbHVj +aW9ATHVjaW9zLVdvcmstTUJQIChMdWNpbyBGcmFuY28pMTQwMgYDVQQDDCtta2Nl +cnQgbHVjaW9ATHVjaW9zLVdvcmstTUJQIChMdWNpbyBGcmFuY28pMB4XDTE5MDky +OTIzMzUzM1oXDTI5MDkyOTIzMzUzM1owgYUxHjAcBgNVBAoTFW1rY2VydCBkZXZl +bG9wbWVudCBDQTEtMCsGA1UECwwkbHVjaW9ATHVjaW9zLVdvcmstTUJQIChMdWNp +byBGcmFuY28pMTQwMgYDVQQDDCtta2NlcnQgbHVjaW9ATHVjaW9zLVdvcmstTUJQ +IChMdWNpbyBGcmFuY28pMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA +y/vE61ItbN/1qMYt13LMf+le1svwfkCCOPsygk7nWeRXmomgUpymqn1LnWiuB0+e +4IdVH2f5E9DknWEpPhKIDMRTCbz4jTwQfHrxCb8EGj3I8oO73pJO5S/xCedM9OrZ +qWcYWwN0GQ8cO/ogazaoZf1uTrRNHyzRyQsKyb412kDBTNEeldJZ2ljKgXXvh4HO +2ZIk9K/ZAaAf6VN8K/89rlJ9/KPgRVNsyAapE+Pb8XXKtpzeFiEcUfuXVYWtkoW+ +xyn/Zu8A1L2CXMQ1sARh7P/42BTMKr5pfraYgcBGxKXLrxoySpxCO9KqeVveKy1q +fPm5FCwFsXDr0koFLrCiR58mcIO/04Q9DKKTV4Z2a+LoqDJRY37KfBSc8sDMPhw5 +k7g3WPoa6QwXRjZTCA5fHWVgLOtcwLsnju5tBE4LDxwF6s+1wPF8NI5yUfufcEjJ +Z6JBwgoWYosVj27Lx7KBNLU/57PX9ryee691zmtswt0tP0WVBAgalhYWg99RXoa3 +AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G +A1UdDgQWBBQdvlE4Bdcsjc9oaxjDCRu5FiuZkzANBgkqhkiG9w0BAQsFAAOCAYEA +BP/6o1kPINksMJZSSXgNCPZskDLyGw7auUZBnQ0ocDT3W6gXQvT/27LM1Hxoj9Eh +qU1TYdEt7ppecLQSGvzQ02MExG7H75art75oLiB+A5agDira937YbK4MCjqW481d +bDhw6ixJnY1jIvwjEZxyH6g94YyL927aSPch51fys0kSnjkFzC2RmuzDADScc4XH +5P1+/3dnIm3M5yfpeUzoaOrTXNmhn8p0RDIGrZ5kA5eISIGGD3Mm8FDssUNKndtO +g4ojHUsxb14icnAYGeye1NOhGiqN6TEFcgr6MPd0XdFNZ5c0HUaBCfN6bc+JxDV5 +MKZVJdNeJsYYwilgJNHAyZgCi30JC20xeYVtTF7CEEsMrFDGJ70Kz7o/FnRiFsA1 +ZSwVVWhhkHG2VkT4vlo0O3fYeZpenYicvy+wZNTbGK83gzHWqxxNC1z3Etg5+HRJ +F9qeMWPyfA3IHYXygiMcviyLcyNGG/SJ0EhUpYBN/Gg7wI5yFkcsxUDPPzd23O0M +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/common/grpc/tests/tls/client.key.pem b/src/common/grpc/tests/tls/client.key similarity index 100% rename from src/common/grpc/tests/tls/client.key.pem rename to src/common/grpc/tests/tls/client.key diff --git a/src/common/grpc/tests/tls/client.cert.pem b/src/common/grpc/tests/tls/client.pem similarity index 100% rename from src/common/grpc/tests/tls/client.cert.pem rename to src/common/grpc/tests/tls/client.pem diff --git a/src/common/grpc/tests/tls/server.cert.pem b/src/common/grpc/tests/tls/server.cert.pem deleted file mode 100644 index 1472fa8926ee..000000000000 --- a/src/common/grpc/tests/tls/server.cert.pem +++ /dev/null @@ -1,40 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIG+jCCBOKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhzELMAkGA1UEBhMCSU4x -EjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQkFOR0FMT1JFMRUwEwYDVQQK -DAxHb0xpbnV4Q2xvdWQxEjAQBgNVBAMMCWNhLXNlcnZlcjElMCMGCSqGSIb3DQEJ -ARYWYWRtaW5AZ29saW51eGNsb3VkLmNvbTAeFw0yMzAyMTQxMTM5NDBaFw0yNzA4 -MjIxMTM5NDBaMHAxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExFTAT -BgNVBAoMDEdvTGludXhDbG91ZDEPMA0GA1UEAwwGc2VydmVyMSUwIwYJKoZIhvcN -AQkBFhZhZG1pbkBnb2xpbnV4Y2xvdWQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEAvVtxAoRjLRs3Ei4+CgzqJ2+bpc0sBdUm/4LM/D+0KbXxwD7w -HP6GcKl/9zf9GJg56pVXxXMaerMDLS4Est25+mBgqcePC6utCBYrKA25pKbkFkxZ -TPh9/R4RHGVJ3KHy9vc4VzqoV7XFMJFFUQ2fQywHZlXh6MNz0WPTIGaH7hvYoHbK -I3NpPq8TjRuuV61XB0hK+RW0K6/5Yuj74h/mfheX1VIUOjGwKnTPccZQAlrKYjeW -BZBS4YqahkTIaGLa06SdUSkuhL85rqAxWvhK9GIRlQLNYJOzg+E3jGyqf566xX60 -fxM6alLYf+ZzCwSBuDDj5f+j752gPLYUI82YL4xQ+AEHNR8U1uMvt0EzzFt7mSRe -fobVr+Y2zpci+mo7kcQGOhenzGclsm+qXwMhYUnJcOYFZWtTJlFaaPreL4M3Dh+2 -pmKj23ZU6zcT3MYtE6phjCLJl0DsFIcOn+tSqMdpwB20EeQjo9bVJuw/HJrlpcnY -U9aLsnm/4Ls5A0BQutZnxKBIJjpzp8VfK0WU8a4iKok3AS0z1/K+atNrgSUB9DCH -0MvLqqQmM9TdLcZj7NSEfLyyFVwPRc5dt4CrNDL7JUpMzt36ezU83JU+nfqWDZsL -+2JOaE4gGLZDcA3cfP83/mYRaAnYW/9W4vEnIpa6subzq1aFOeY/3dKLTx8CAwEA -AaOCAYUwggGBMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG -+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD -VR0OBBYEFLijeA+RFDQtuVeMUkaXqF7LF50GMIG8BgNVHSMEgbQwgbGAFKVZwpSJ -CPkNwGXyJX1sl2Pbby4FoYGNpIGKMIGHMQswCQYDVQQGEwJJTjESMBAGA1UECAwJ -S2FybmF0YWthMRIwEAYDVQQHDAlCQU5HQUxPUkUxFTATBgNVBAoMDEdvTGludXhD -bG91ZDESMBAGA1UEAwwJY2Etc2VydmVyMSUwIwYJKoZIhvcNAQkBFhZhZG1pbkBn -b2xpbnV4Y2xvdWQuY29tggkA7NvbvF8jodEwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud -JQQMMAoGCCsGAQUFBwMBMCkGA1UdEQQiMCCHBMCoAHKHBAoAAg+CEnNlcnZlci5l -eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAXvaS9+y5g2Kw/4EPsnhjpN1v -CxXW0+UYSWOaxVJdEAjGQI/1m9LOiF9IHImmiwluJ/Bex1TzuaTCKmpluPwGvd9D -Zgf0A5SmVqW4WTT4d2nSecxw4OICJ3j6ubKkvMVf9s+ZJwb+fMMUaSt80bWqp1TY -XbZguv67PkBECPqVe6rgzXnTLwM3lE8EgG8VtM3IOy9a5SIEjm5L8SQ2I2hiytmE -e4jR1fbZsB5NbBdfA3GFMKQEE2dIymkG3Bz71M3tZi1y4RnHtRKdrFtrIlgclrwd -nVnQn/NiXUOOzsL2+vwSF32SSbiLvOxu63qO1YDBkKVChog3P/2f6xcJ23wkbHlL -qaL2jvLo6ylvMPUYHf5ZWat5zayaGUMHYDKcbD4Dw7aY3M0tNgEHdqUqNePmKvmn -luyXof3KmmLgWlcfBoX96a7hXDtxFyB2N4nzfQBXh+0VAlgqa+ZZhpdEqRQaWkkR -MDBdsVJ9O3812IaNfMzpS1vb701GFDCM5Hcyw6a/v6Ln08NMhYut4saLi13kHilS -Wq7wOAfW3rzxuhjOJJxsi0jJNI775q+a/BbbG/CPl826bXPGH43BdPV8mKwsX5HM -wwDKf3otP/v7bxwJabfhv2EKUy+W1kkFW9FEZ919yTtfhSDrTNcrXtE7RkiAepfm -95I025URIlhJGLGBUlA= ------END CERTIFICATE----- diff --git a/src/common/grpc/tests/tls/server.key b/src/common/grpc/tests/tls/server.key new file mode 100644 index 000000000000..e4c870512e5f --- /dev/null +++ b/src/common/grpc/tests/tls/server.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDyptbMyYWztgta +t1MXLMzIkaQdeeVbs1Y/qCpAdwZe/Y5ZpbzjGIjCxbB6vNRSnEbYKpytKHPzYfM7 +8d8K8bPvpnqXIiTXFT0JQlw1OHLC1fr4e598GJumAmpMYFrtqv0fbmUFTuQGbHxe +OH2vji0bvr3NKZubMfkEZP3X4sNXXoXIuW2LaS8OMGKoJaeCBvdbszEiSGj/v9Bj +pM0yLTH89NNMX1T+FtTKnuXag5g7pr6lzJj83+MzAGy4nOjseSuUimuiyG90/C5t +A5wC0Qh5RbDnkFYhC44Kxof/i6+jnfateIPNiIIwQV+2f6G/aK1hgjekT10m/eoR +YDTf+e5ZAgMBAAECggEACODt7yRYjhDVLYaTtb9f5t7dYG67Y7WWLFIc6arxQryI +XuNfm/ej2WyeXn9WTYeGWBaHERbv1zH4UnMxNBdP/C7dQXZwXqZaS2JwOUpNeK+X +tUvgtAu6dkKUXSMRcKzXAjVp4N3YHhwOGOx8PNY49FDwZPdmyDD16aFAYIvdle6/ +PSMrj38rB1sbQQdmRob2FjJBSDZ44nsr+/nilrcOFNfNnWv7tQIWYVXNcLfdK/WJ +ZCDFhA8lr/Yon6MEq6ApTj2ZYRRGXPd6UeASJkmTZEUIUbeDcje/MO8cHkREpuRH +wm3pCjR7OdO4vc+/d/QmEvu5ns6wbTauelYnL616YQKBgQD414gJtpCHauNEUlFB +v/R3DzPI5NGp9PAqovOD8nCbI49Mw61gP/ExTIPKiR5uUX/5EL04uspaNkuohXk+ +ys0G5At0NfV7W39lzhvALEaSfleybvYxppbBrc20/q8Gvi/i30NY+1LM3RdtMiEw +hKHjU0SnFhJq0InFg3AO/iCeTQKBgQD5obkbzpOidSsa55aNsUlO2qjiUY9leq9b +irAohIZ8YnuuixYvkOeSeSz1eIrA4tECeAFSgTZxYe1Iz+USru2Xg/0xNte11dJD +rBoH/yMn2gDvBK7xQ6uFMPTeYtKG0vfvpXZYSWZzGntyrHTwFk6UV+xdrt9MBdd1 +XdSn7bwOPQKBgC9VQAko8uDvUf+C8PXiv2uONrl13PPJJY3WpR9qFEVOREnDxszS +HNzVwxPZdTJiykbkCjoqPadfQJDzopZxGQLAifU29lTamKcSx3CMe3gOFDxaovXa +zD5XAxP0hfJwZsdu1G6uj5dsTrJ0oJ+L+wc0pZBqwGIU/L/XOo9/g1DZAoGAUebL +kuH98ik7EUK2VJq8EJERI9/ailLsQb6I+WIxtZGiPqwHhWencpkrNQZtj8dbB9JT +rLwUHrMgZOlAoRafgTyez4zMzS3wJJ/Mkp8U67hM4h7JPwMSvUpIrMYDiJSjIA9L +er/qSw1/Pypx22uWMHmAZWRAgvLPtAQrB0Wqk4kCgYEAr2H1PvfbwZwkSvlMt5o8 +WLnBbxcM3AKglLRbkShxxgiZYdEP71/uOtRMiL26du5XX8evItITN0DsvmXL/kcd +h29LK7LM5uLw7efz0Qxs03G6kEyIHVkacowHi5I5Ul1qI61SoV3yMB1TjIU+bXZt +0ZjC07totO0fqPOLQxonjQg= +-----END PRIVATE KEY----- \ No newline at end of file diff --git a/src/common/grpc/tests/tls/server.pem b/src/common/grpc/tests/tls/server.pem new file mode 100644 index 000000000000..bc7a85bd5daf --- /dev/null +++ b/src/common/grpc/tests/tls/server.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmDCCAwCgAwIBAgIQVEJFCgU/CZk9JEwTucWPpzANBgkqhkiG9w0BAQsFADCB +hTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMS0wKwYDVQQLDCRsdWNp +b0BMdWNpb3MtV29yay1NQlAgKEx1Y2lvIEZyYW5jbykxNDAyBgNVBAMMK21rY2Vy +dCBsdWNpb0BMdWNpb3MtV29yay1NQlAgKEx1Y2lvIEZyYW5jbykwHhcNMTkwNjAx +MDAwMDAwWhcNMjkwOTI5MjMzNTM0WjBYMScwJQYDVQQKEx5ta2NlcnQgZGV2ZWxv +cG1lbnQgY2VydGlmaWNhdGUxLTArBgNVBAsMJGx1Y2lvQEx1Y2lvcy1Xb3JrLU1C +UCAoTHVjaW8gRnJhbmNvKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +APKm1szJhbO2C1q3UxcszMiRpB155VuzVj+oKkB3Bl79jlmlvOMYiMLFsHq81FKc +RtgqnK0oc/Nh8zvx3wrxs++mepciJNcVPQlCXDU4csLV+vh7n3wYm6YCakxgWu2q +/R9uZQVO5AZsfF44fa+OLRu+vc0pm5sx+QRk/dfiw1dehci5bYtpLw4wYqglp4IG +91uzMSJIaP+/0GOkzTItMfz000xfVP4W1Mqe5dqDmDumvqXMmPzf4zMAbLic6Ox5 +K5SKa6LIb3T8Lm0DnALRCHlFsOeQViELjgrGh/+Lr6Od9q14g82IgjBBX7Z/ob9o +rWGCN6RPXSb96hFgNN/57lkCAwEAAaOBrzCBrDAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQdvlE4 +Bdcsjc9oaxjDCRu5FiuZkzBWBgNVHREETzBNggtleGFtcGxlLmNvbYINKi5leGFt +cGxlLmNvbYIMZXhhbXBsZS50ZXN0gglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAA +AAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggGBAKb2TJ8l+e1eraNwZWizLw5fccAf +y59J1JAWdLxZyAI/bkiTlVO3DQoPZpw7XwLhefCvILkwKAL4TtIGGVC9yTb5Q5eg +rqGO3FC0yg1fn65Kf1VpVxxUVyoiM5PQ4pFJb4AicAv88rCOLD9FFuE0PKOKU/dm +Tw0WgPStoh9wsJ1RXUuTJYZs1nd1kMBlfv9NbLilnL+cR2sLktS54X5XagsBYVlf +oapRb0JtABOoQhX3U8QMq8UF8yzceRHNTN9yfLOUrW26s9nKtlWVniNhw1uPxZw9 +RHM7w9/4+a9LXtEDYg4IP/1mm0ywBoUqy1O6hA73uId+Yi/kFBks/GyYaGjKgYcO +23B75tkPGYEdGuGZYLzZNHbXg4V0UxFQG3KA1pUiSnD3bN2Rxs+CMpzORnOeK3xi +EooKgAPYsehItoQOMPpccI2xHdSAMWtwUgOKrefUQujkx2Op+KFlspF0+WJ6AZEe +2D4hyWaEZsvvILXapwqHDCuN3/jSUlTIqUoE1w== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/tests-integration/tests/grpc.rs b/tests-integration/tests/grpc.rs index ee0361d7fdf1..a768988fbb7d 100644 --- a/tests-integration/tests/grpc.rs +++ b/tests-integration/tests/grpc.rs @@ -730,19 +730,19 @@ async fn to_batch(output: Output) -> String { pub async fn test_grpc_tls_config(store_type: StorageType) { let comm_dir = std::path::PathBuf::from_iter([ std::env!("CARGO_RUSTC_CURRENT_DIR"), - "src/common/grpc/tests", + "src/common/grpc/tests/tls", ]); - let ca_path = comm_dir.join("tls/server.cert.pem"); - let cert_path = comm_dir.join("tls/client.cert.pem"); - let key_path = comm_dir.join("tls/client.key.pem"); - let ca_path_string = ca_path.to_str().unwrap().to_string(); - let cert_path_str = cert_path.to_str().unwrap(); - let key_path_str = key_path.to_str().unwrap(); + let ca_path = comm_dir.join("ca.pem").to_str().unwrap().to_string(); + let server_cert_path = comm_dir.join("server.pem").to_str().unwrap().to_string(); + let server_key_path = comm_dir.join("server.key").to_str().unwrap().to_string(); + let client_cert_path = comm_dir.join("client.pem").to_str().unwrap().to_string(); + let client_key_path = comm_dir.join("client.key").to_str().unwrap().to_string(); + let client_corrupted = comm_dir.join("corrupted").to_str().unwrap().to_string(); let tls = TlsOption::new( Some(TlsMode::Require), - Some(cert_path_str.to_string()), - Some(key_path_str.to_string()), + Some(server_cert_path), + Some(server_key_path), ); let config = GrpcServerConfig { max_recv_message_size: 1024, @@ -752,22 +752,32 @@ pub async fn test_grpc_tls_config(store_type: StorageType) { let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "tls_create_table", None, Some(config)).await; - let client_tls = ClientTlsOption { - server_ca_cert_path: ca_path_string, - client_cert_path: cert_path_str.to_string(), - client_key_path: key_path_str.to_string(), + let mut client_tls = ClientTlsOption { + server_ca_cert_path: ca_path, + client_cert_path, + client_key_path, }; - let grpc_client = Client::with_tls_and_urls(vec![addr], client_tls).unwrap(); - let db = Database::new_with_dbname( - format!("{}-{}", DEFAULT_CATALOG_NAME, DEFAULT_SCHEMA_NAME), - grpc_client, - ); - db.sql("show tables;").await.unwrap(); + { + let grpc_client = + Client::with_tls_and_urls(vec![addr.clone()], client_tls.clone()).unwrap(); + let db = Database::new_with_dbname( + format!("{}-{}", DEFAULT_CATALOG_NAME, DEFAULT_SCHEMA_NAME), + grpc_client, + ); + db.sql("show tables;").await.unwrap(); + } + + { + // test corrupted client key + client_tls.client_key_path = client_corrupted; + let grpc_client = Client::with_tls_and_urls(vec![addr], client_tls.clone()).unwrap(); + let db = Database::new_with_dbname( + format!("{}-{}", DEFAULT_CATALOG_NAME, DEFAULT_SCHEMA_NAME), + grpc_client, + ); + let re = db.sql("show tables;").await; + assert!(re.is_err()); + } let _ = fe_grpc_server.shutdown().await; guard.remove_all().await; } - -#[tokio::test(flavor = "multi_thread")] -async fn test_grpc_server_builder() { - test_grpc_tls_config(StorageType::File).await; -} From 05d3d1a00595ee72e39bdaae4c5488117f795c21 Mon Sep 17 00:00:00 2001 From: maco Date: Mon, 20 May 2024 14:40:04 +0800 Subject: [PATCH 4/8] fix: revert by suggestion --- src/cmd/src/datanode.rs | 13 ------------- src/datanode/src/config.rs | 3 --- src/datanode/src/error.rs | 9 --------- src/datanode/src/service.rs | 22 ++++++++++------------ 4 files changed, 10 insertions(+), 37 deletions(-) diff --git a/src/cmd/src/datanode.rs b/src/cmd/src/datanode.rs index 422311fdbe38..3c189f2c3d07 100644 --- a/src/cmd/src/datanode.rs +++ b/src/cmd/src/datanode.rs @@ -27,7 +27,6 @@ use datanode::config::DatanodeOptions; use datanode::datanode::{Datanode, DatanodeBuilder}; use datanode::service::DatanodeServiceBuilder; use meta_client::MetaClientOptions; -use servers::tls::{TlsMode, TlsOption}; use servers::Mode; use snafu::{OptionExt, ResultExt}; use tracing_appender::non_blocking::WorkerGuard; @@ -143,12 +142,6 @@ struct StartCommand { http_timeout: Option, #[clap(long, default_value = "GREPTIMEDB_DATANODE")] env_prefix: String, - #[clap(long)] - tls_mode: Option, - #[clap(long)] - tls_cert_path: Option, - #[clap(long)] - tls_key_path: Option, } impl StartCommand { @@ -235,11 +228,6 @@ impl StartCommand { opts.http.timeout = Duration::from_secs(http_timeout) } - opts.tls = TlsOption::new( - self.tls_mode.clone(), - self.tls_cert_path.clone(), - self.tls_key_path.clone(), - ); // Disable dashboard in datanode. opts.http.disable_dashboard = true; @@ -287,7 +275,6 @@ impl StartCommand { let services = DatanodeServiceBuilder::new(&opts) .with_default_grpc_server(&datanode.region_server()) - .context(StartDatanodeSnafu)? .enable_http_service() .build() .await diff --git a/src/datanode/src/config.rs b/src/datanode/src/config.rs index b13fb70a0d74..ec278d3c4247 100644 --- a/src/datanode/src/config.rs +++ b/src/datanode/src/config.rs @@ -30,7 +30,6 @@ use serde::{Deserialize, Serialize}; use servers::export_metrics::ExportMetricsOption; use servers::heartbeat_options::HeartbeatOptions; use servers::http::HttpOptions; -use servers::tls::TlsOption; use servers::Mode; pub const DEFAULT_OBJECT_STORE_CACHE_SIZE: ReadableSize = ReadableSize::mb(256); @@ -237,7 +236,6 @@ pub struct DatanodeOptions { pub enable_telemetry: bool, pub export_metrics: ExportMetricsOption, pub tracing: TracingOptions, - pub tls: TlsOption, } impl Default for DatanodeOptions { @@ -265,7 +263,6 @@ impl Default for DatanodeOptions { enable_telemetry: true, export_metrics: ExportMetricsOption::default(), tracing: TracingOptions::default(), - tls: TlsOption::default(), } } } diff --git a/src/datanode/src/error.rs b/src/datanode/src/error.rs index 070ace3652ad..ec3bccceeb41 100644 --- a/src/datanode/src/error.rs +++ b/src/datanode/src/error.rs @@ -367,14 +367,6 @@ pub enum Error { #[snafu(source(from(common_config::error::Error, Box::new)))] source: Box, }, - - #[snafu(display("Invalid tls config"))] - InvalidTlsConfig { - #[snafu(source)] - error: common_grpc::error::Error, - #[snafu(implicit)] - location: Location, - }, } pub type Result = std::result::Result; @@ -409,7 +401,6 @@ impl ErrorExt for Error { | MissingWalDirConfig { .. } | MissingKvBackend { .. } | TomlFormat { .. } => StatusCode::InvalidArguments, - InvalidTlsConfig { .. } => StatusCode::InvalidArguments, PayloadNotExist { .. } | Unexpected { .. } | WatchAsyncTaskChange { .. } => { StatusCode::Unexpected diff --git a/src/datanode/src/service.rs b/src/datanode/src/service.rs index 82fbe359bc28..7ad90d034062 100644 --- a/src/datanode/src/service.rs +++ b/src/datanode/src/service.rs @@ -21,10 +21,11 @@ use servers::grpc::{GrpcServer, GrpcServerConfig}; use servers::http::HttpServerBuilder; use servers::metrics_handler::MetricsHandler; use servers::server::{ServerHandler, ServerHandlers}; +use servers::tls::TlsOption; use snafu::ResultExt; use crate::config::DatanodeOptions; -use crate::error::{InvalidTlsConfigSnafu, ParseAddrSnafu, Result, TomlFormatSnafu}; +use crate::error::{ParseAddrSnafu, Result, TomlFormatSnafu}; use crate::region_server::RegionServer; pub struct DatanodeServiceBuilder<'a> { @@ -49,10 +50,10 @@ impl<'a> DatanodeServiceBuilder<'a> { } } - pub fn with_default_grpc_server(mut self, region_server: &RegionServer) -> Result { - let grpc_server_build = Self::grpc_server_builder(self.opts, region_server)?; - self.grpc_server = Some(grpc_server_build.build()); - Ok(self) + pub fn with_default_grpc_server(mut self, region_server: &RegionServer) -> Self { + let grpc_serve = Self::grpc_server_builder(self.opts, region_server).build(); + self.grpc_server = Some(grpc_serve); + self } pub fn enable_http_service(self) -> Self { @@ -91,18 +92,15 @@ impl<'a> DatanodeServiceBuilder<'a> { pub fn grpc_server_builder( opts: &DatanodeOptions, region_server: &RegionServer, - ) -> Result { + ) -> GrpcServerBuilder { let config = GrpcServerConfig { max_recv_message_size: opts.rpc_max_recv_message_size.as_bytes() as usize, max_send_message_size: opts.rpc_max_send_message_size.as_bytes() as usize, - tls: opts.tls.clone(), + tls: TlsOption::default(), }; - let build = GrpcServerBuilder::new(config, region_server.runtime()) - .with_tls_config(opts.tls.clone()) - .context(InvalidTlsConfigSnafu)? + GrpcServerBuilder::new(config, region_server.runtime()) .flight_handler(Arc::new(region_server.clone())) - .region_server_handler(Arc::new(region_server.clone())); - Ok(build) + .region_server_handler(Arc::new(region_server.clone())) } } From bf3e8ab7fb56a4af9d322c423dcedc0a37b8cb03 Mon Sep 17 00:00:00 2001 From: maco Date: Mon, 20 May 2024 14:42:48 +0800 Subject: [PATCH 5/8] fix: typos --- src/datanode/src/service.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/datanode/src/service.rs b/src/datanode/src/service.rs index 7ad90d034062..4c4ee7368a97 100644 --- a/src/datanode/src/service.rs +++ b/src/datanode/src/service.rs @@ -51,8 +51,8 @@ impl<'a> DatanodeServiceBuilder<'a> { } pub fn with_default_grpc_server(mut self, region_server: &RegionServer) -> Self { - let grpc_serve = Self::grpc_server_builder(self.opts, region_server).build(); - self.grpc_server = Some(grpc_serve); + let grpc_server = Self::grpc_server_builder(self.opts, region_server).build(); + self.grpc_server = Some(grpc_server); self } From 1039baf1d2c6b8a101b8653d93df1787a2528407 Mon Sep 17 00:00:00 2001 From: maco Date: Wed, 22 May 2024 12:49:58 +0800 Subject: [PATCH 6/8] fix: optimize code --- src/frontend/src/server.rs | 3 +-- src/servers/src/grpc/builder.rs | 31 +++++++++++++++++------------- tests-integration/src/test_util.rs | 21 ++++++++------------ tests-integration/tests/grpc.rs | 30 +++++++++++++++++++++++++++-- 4 files changed, 55 insertions(+), 30 deletions(-) diff --git a/src/frontend/src/server.rs b/src/frontend/src/server.rs index 2dae0ec8a5ff..f5a0afb53016 100644 --- a/src/frontend/src/server.rs +++ b/src/frontend/src/server.rs @@ -78,8 +78,7 @@ where max_send_message_size: opts.max_send_message_size.as_bytes() as usize, tls: opts.tls.clone(), }; - let mut builder = GrpcServerBuilder::new(grpc_config, grpc_runtime); - builder = builder + let builder = GrpcServerBuilder::new(grpc_config, grpc_runtime) .with_tls_config(opts.tls.clone()) .context(error::InvalidTlsConfigSnafu)?; Ok(builder) diff --git a/src/servers/src/grpc/builder.rs b/src/servers/src/grpc/builder.rs index b0adc284aba7..143cd37e19f3 100644 --- a/src/servers/src/grpc/builder.rs +++ b/src/servers/src/grpc/builder.rs @@ -19,7 +19,7 @@ use api::v1::prometheus_gateway_server::PrometheusGatewayServer; use api::v1::region::region_server::RegionServer; use arrow_flight::flight_service_server::FlightServiceServer; use auth::UserProviderRef; -use common_grpc::error::{InvalidConfigFilePathSnafu, Result}; +use common_grpc::error::{Error, InvalidConfigFilePathSnafu, Result}; use common_runtime::Runtime; use opentelemetry_proto::tonic::collector::metrics::v1::metrics_service_server::MetricsServiceServer; use opentelemetry_proto::tonic::collector::trace::v1::trace_service_server::TraceServiceServer; @@ -40,7 +40,7 @@ use crate::grpc::otlp::OtlpService; use crate::grpc::prom_query_gateway::PrometheusGatewayService; use crate::prometheus_handler::PrometheusHandlerRef; use crate::query_handler::OpenTelemetryProtocolHandlerRef; -use crate::tls::{TlsMode, TlsOption}; +use crate::tls::TlsOption; /// Add a gRPC service (`service`) to a `builder`([RoutesBuilder]). /// This macro will automatically add some gRPC properties to the service. @@ -164,18 +164,23 @@ impl GrpcServerBuilder { } pub fn with_tls_config(mut self, tls_option: TlsOption) -> Result { - let tls_config = match tls_option.mode { - TlsMode::Require => { - let cert = std::fs::read_to_string(tls_option.cert_path) - .context(InvalidConfigFilePathSnafu)?; - let key = std::fs::read_to_string(tls_option.key_path) - .context(InvalidConfigFilePathSnafu)?; - let identity = Identity::from_pem(cert, key); - Some(ServerTlsConfig::new().identity(identity)) - } - _ => None, + // tonic does not support watching for tls config changes + // so we don't support it either for now + if tls_option.watch { + return Err(Error::NotSupported { + feat: "grpc tls watch".to_string(), + }); + } + self.tls_config = if tls_option.should_force_tls() { + let cert = std::fs::read_to_string(tls_option.cert_path) + .context(InvalidConfigFilePathSnafu)?; + let key = + std::fs::read_to_string(tls_option.key_path).context(InvalidConfigFilePathSnafu)?; + let identity = Identity::from_pem(cert, key); + Some(ServerTlsConfig::new().identity(identity)) + } else { + None }; - self.tls_config = tls_config; Ok(self) } diff --git a/tests-integration/src/test_util.rs b/tests-integration/src/test_util.rs index 9894606e79bc..4c1b4641c9f4 100644 --- a/tests-integration/src/test_util.rs +++ b/tests-integration/src/test_util.rs @@ -50,7 +50,7 @@ use servers::postgres::PostgresServer; use servers::query_handler::grpc::ServerGrpcQueryHandlerAdapter; use servers::query_handler::sql::{ServerSqlQueryHandlerAdapter, SqlQueryHandler}; use servers::server::Server; -use servers::tls::{ReloadableTlsServerConfig, TlsMode}; +use servers::tls::ReloadableTlsServerConfig; use servers::Mode; use session::context::QueryContext; @@ -512,19 +512,14 @@ pub async fn setup_grpc_server_with( let flight_handler = Arc::new(greptime_request_handler.clone()); let grpc_config = grpc_config.unwrap_or_default(); - let grpc_builder = GrpcServerBuilder::new(grpc_config.clone(), runtime); - let grpc_builder = match grpc_config.tls.mode { - TlsMode::Require => grpc_builder.with_tls_config(grpc_config.tls).unwrap(), - _ => grpc_builder, - }; + let grpc_builder = GrpcServerBuilder::new(grpc_config.clone(), runtime) + .database_handler(greptime_request_handler) + .flight_handler(flight_handler) + .prometheus_handler(fe_instance_ref.clone(), user_provider) + .with_tls_config(grpc_config.tls) + .unwrap(); - let fe_grpc_server = Arc::new( - grpc_builder - .database_handler(greptime_request_handler) - .flight_handler(flight_handler) - .prometheus_handler(fe_instance_ref.clone(), user_provider) - .build(), - ); + let fe_grpc_server = Arc::new(grpc_builder.build()); let fe_grpc_addr = "127.0.0.1:0".parse::().unwrap(); let fe_grpc_addr = fe_grpc_server diff --git a/tests-integration/tests/grpc.rs b/tests-integration/tests/grpc.rs index a768988fbb7d..c0faf403c27e 100644 --- a/tests-integration/tests/grpc.rs +++ b/tests-integration/tests/grpc.rs @@ -12,6 +12,8 @@ // See the License for the specific language governing permissions and // limitations under the License. +use std::sync::Arc; + use api::v1::alter_expr::Kind; use api::v1::promql_request::Promql; use api::v1::{ @@ -25,6 +27,8 @@ use common_catalog::consts::MITO_ENGINE; use common_grpc::channel_manager::ClientTlsOption; use common_query::Output; use common_recordbatch::RecordBatches; +use common_runtime::Runtime; +use servers::grpc::builder::GrpcServerBuilder; use servers::grpc::GrpcServerConfig; use servers::http::prometheus::{ PromData, PromQueryResult, PromSeriesMatrix, PromSeriesVector, PrometheusJsonResponse, @@ -152,6 +156,7 @@ pub async fn test_grpc_zstd_compression(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, + tls: TlsOption::default(), }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -766,9 +771,8 @@ pub async fn test_grpc_tls_config(store_type: StorageType) { ); db.sql("show tables;").await.unwrap(); } - + // test corrupted client key { - // test corrupted client key client_tls.client_key_path = client_corrupted; let grpc_client = Client::with_tls_and_urls(vec![addr], client_tls.clone()).unwrap(); let db = Database::new_with_dbname( @@ -778,6 +782,28 @@ pub async fn test_grpc_tls_config(store_type: StorageType) { let re = db.sql("show tables;").await; assert!(re.is_err()); } + // test grpc unsupported tls watch + { + let tls = TlsOption { + watch: true, + ..Default::default() + }; + let config = GrpcServerConfig { + max_recv_message_size: 1024, + max_send_message_size: 1024, + tls, + }; + let runtime = Arc::new(Runtime::builder().build().unwrap()); + let grpc_builder = + GrpcServerBuilder::new(config.clone(), runtime).with_tls_config(config.tls); + assert!(grpc_builder.is_err()); + } + let _ = fe_grpc_server.shutdown().await; guard.remove_all().await; } + +#[tokio::test(flavor = "multi_thread")] +async fn test_grpc() { + test_grpc_tls_config(StorageType::File).await; +} From d6e2edf3d34992bdcc5b2047b5c1dc19086cc1a2 Mon Sep 17 00:00:00 2001 From: maco Date: Thu, 23 May 2024 10:40:54 +0800 Subject: [PATCH 7/8] fix: optimize code --- src/servers/src/grpc/builder.rs | 3 ++- tests-integration/tests/grpc.rs | 15 +++++---------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/src/servers/src/grpc/builder.rs b/src/servers/src/grpc/builder.rs index 143cd37e19f3..ba9b44a68380 100644 --- a/src/servers/src/grpc/builder.rs +++ b/src/servers/src/grpc/builder.rs @@ -168,7 +168,8 @@ impl GrpcServerBuilder { // so we don't support it either for now if tls_option.watch { return Err(Error::NotSupported { - feat: "grpc tls watch".to_string(), + feat: "Certificates watch and reloading for gRPC is not supported at the moment" + .to_string(), }); } self.tls_config = if tls_option.should_force_tls() { diff --git a/tests-integration/tests/grpc.rs b/tests-integration/tests/grpc.rs index c0faf403c27e..48419498e726 100644 --- a/tests-integration/tests/grpc.rs +++ b/tests-integration/tests/grpc.rs @@ -136,7 +136,7 @@ pub async fn test_grpc_message_size_ok(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, - tls: TlsOption::default(), + ..Default::default() }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -156,7 +156,7 @@ pub async fn test_grpc_zstd_compression(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, - tls: TlsOption::default(), + ..Default::default() }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -175,7 +175,7 @@ pub async fn test_grpc_message_size_limit_send(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 50, - tls: TlsOption::default(), + ..Default::default() }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -195,7 +195,7 @@ pub async fn test_grpc_message_size_limit_recv(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 10, max_send_message_size: 1024, - tls: TlsOption::default(), + ..Default::default() }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -674,7 +674,7 @@ pub async fn test_grpc_timezone(store_type: StorageType) { let config = GrpcServerConfig { max_recv_message_size: 1024, max_send_message_size: 1024, - tls: TlsOption::default(), + ..Default::default() }; let (addr, mut guard, fe_grpc_server) = setup_grpc_server_with(store_type, "auto_create_table", None, Some(config)).await; @@ -802,8 +802,3 @@ pub async fn test_grpc_tls_config(store_type: StorageType) { let _ = fe_grpc_server.shutdown().await; guard.remove_all().await; } - -#[tokio::test(flavor = "multi_thread")] -async fn test_grpc() { - test_grpc_tls_config(StorageType::File).await; -} From 6ca0b19a065590af9a1de7edc658d56b1472f373 Mon Sep 17 00:00:00 2001 From: maco Date: Thu, 23 May 2024 11:56:27 +0800 Subject: [PATCH 8/8] docs: update configs --- config/config.md | 14 ++++++++++++-- config/frontend.example.toml | 19 ++++++++++++++++++- config/standalone.example.toml | 19 ++++++++++++++++++- src/common/grpc/tests/tls/ca.pem | 2 +- src/common/grpc/tests/tls/server.key | 2 +- src/common/grpc/tests/tls/server.pem | 2 +- 6 files changed, 51 insertions(+), 7 deletions(-) diff --git a/config/config.md b/config/config.md index b0c95f4e2ada..912e8ca7508c 100644 --- a/config/config.md +++ b/config/config.md @@ -20,6 +20,11 @@ | `grpc` | -- | -- | The gRPC server options. | | `grpc.addr` | String | `127.0.0.1:4001` | The address to bind the gRPC server. | | `grpc.runtime_size` | Integer | `8` | The number of server worker threads. | +| `grpc.tls` | -- | -- | gRPC server TLS options, see `mysql.tls` section. | +| `grpc.tls.mode` | String | `disable` | TLS mode. | +| `grpc.tls.cert_path` | String | `None` | Certificate file path. | +| `grpc.tls.key_path` | String | `None` | Private key file path. | +| `grpc.tls.watch` | Bool | `false` | Watch for Certificate and key file change and auto reload.
For now, gRPC tls config does not support auto reload. | | `mysql` | -- | -- | MySQL server options. | | `mysql.enable` | Bool | `true` | Whether to enable. | | `mysql.addr` | String | `127.0.0.1:4002` | The addr to bind the MySQL server. | @@ -33,7 +38,7 @@ | `postgres.enable` | Bool | `true` | Whether to enable | | `postgres.addr` | String | `127.0.0.1:4003` | The addr to bind the PostgresSQL server. | | `postgres.runtime_size` | Integer | `2` | The number of server worker threads. | -| `postgres.tls` | -- | -- | PostgresSQL server TLS options, see `mysql_options.tls` section. | +| `postgres.tls` | -- | -- | PostgresSQL server TLS options, see `mysql.tls` section. | | `postgres.tls.mode` | String | `disable` | TLS mode. | | `postgres.tls.cert_path` | String | `None` | Certificate file path. | | `postgres.tls.key_path` | String | `None` | Private key file path. | @@ -159,6 +164,11 @@ | `grpc` | -- | -- | The gRPC server options. | | `grpc.addr` | String | `127.0.0.1:4001` | The address to bind the gRPC server. | | `grpc.runtime_size` | Integer | `8` | The number of server worker threads. | +| `grpc.tls` | -- | -- | gRPC server TLS options, see `mysql.tls` section. | +| `grpc.tls.mode` | String | `disable` | TLS mode. | +| `grpc.tls.cert_path` | String | `None` | Certificate file path. | +| `grpc.tls.key_path` | String | `None` | Private key file path. | +| `grpc.tls.watch` | Bool | `false` | Watch for Certificate and key file change and auto reload.
For now, gRPC tls config does not support auto reload. | | `mysql` | -- | -- | MySQL server options. | | `mysql.enable` | Bool | `true` | Whether to enable. | | `mysql.addr` | String | `127.0.0.1:4002` | The addr to bind the MySQL server. | @@ -172,7 +182,7 @@ | `postgres.enable` | Bool | `true` | Whether to enable | | `postgres.addr` | String | `127.0.0.1:4003` | The addr to bind the PostgresSQL server. | | `postgres.runtime_size` | Integer | `2` | The number of server worker threads. | -| `postgres.tls` | -- | -- | PostgresSQL server TLS options, see `mysql_options.tls` section. | +| `postgres.tls` | -- | -- | PostgresSQL server TLS options, see `mysql.tls` section. | | `postgres.tls.mode` | String | `disable` | TLS mode. | | `postgres.tls.cert_path` | String | `None` | Certificate file path. | | `postgres.tls.key_path` | String | `None` | Private key file path. | diff --git a/config/frontend.example.toml b/config/frontend.example.toml index 5f3c38c0ae3b..728a3099f837 100644 --- a/config/frontend.example.toml +++ b/config/frontend.example.toml @@ -30,6 +30,23 @@ addr = "127.0.0.1:4001" ## The number of server worker threads. runtime_size = 8 +## gRPC server TLS options, see `mysql.tls` section. +[grpc.tls] +## TLS mode. +mode = "disable" + +## Certificate file path. +## +toml2docs:none-default +cert_path = "" + +## Private key file path. +## +toml2docs:none-default +key_path = "" + +## Watch for Certificate and key file change and auto reload. +## For now, gRPC tls config does not support auto reload. +watch = false + ## MySQL server options. [mysql] ## Whether to enable. @@ -70,7 +87,7 @@ addr = "127.0.0.1:4003" ## The number of server worker threads. runtime_size = 2 -## PostgresSQL server TLS options, see `mysql_options.tls` section. +## PostgresSQL server TLS options, see `mysql.tls` section. [postgres.tls] ## TLS mode. mode = "disable" diff --git a/config/standalone.example.toml b/config/standalone.example.toml index 7f3daedb46d7..8386c7e1e61a 100644 --- a/config/standalone.example.toml +++ b/config/standalone.example.toml @@ -25,6 +25,23 @@ addr = "127.0.0.1:4001" ## The number of server worker threads. runtime_size = 8 +## gRPC server TLS options, see `mysql.tls` section. +[grpc.tls] +## TLS mode. +mode = "disable" + +## Certificate file path. +## +toml2docs:none-default +cert_path = "" + +## Private key file path. +## +toml2docs:none-default +key_path = "" + +## Watch for Certificate and key file change and auto reload. +## For now, gRPC tls config does not support auto reload. +watch = false + ## MySQL server options. [mysql] ## Whether to enable. @@ -65,7 +82,7 @@ addr = "127.0.0.1:4003" ## The number of server worker threads. runtime_size = 2 -## PostgresSQL server TLS options, see `mysql_options.tls` section. +## PostgresSQL server TLS options, see `mysql.tls` section. [postgres.tls] ## TLS mode. mode = "disable" diff --git a/src/common/grpc/tests/tls/ca.pem b/src/common/grpc/tests/tls/ca.pem index e5ee6c8e7bab..d81956096677 100644 --- a/src/common/grpc/tests/tls/ca.pem +++ b/src/common/grpc/tests/tls/ca.pem @@ -25,4 +25,4 @@ g4ojHUsxb14icnAYGeye1NOhGiqN6TEFcgr6MPd0XdFNZ5c0HUaBCfN6bc+JxDV5 MKZVJdNeJsYYwilgJNHAyZgCi30JC20xeYVtTF7CEEsMrFDGJ70Kz7o/FnRiFsA1 ZSwVVWhhkHG2VkT4vlo0O3fYeZpenYicvy+wZNTbGK83gzHWqxxNC1z3Etg5+HRJ F9qeMWPyfA3IHYXygiMcviyLcyNGG/SJ0EhUpYBN/Gg7wI5yFkcsxUDPPzd23O0M ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- diff --git a/src/common/grpc/tests/tls/server.key b/src/common/grpc/tests/tls/server.key index e4c870512e5f..80984ef9000d 100644 --- a/src/common/grpc/tests/tls/server.key +++ b/src/common/grpc/tests/tls/server.key @@ -25,4 +25,4 @@ er/qSw1/Pypx22uWMHmAZWRAgvLPtAQrB0Wqk4kCgYEAr2H1PvfbwZwkSvlMt5o8 WLnBbxcM3AKglLRbkShxxgiZYdEP71/uOtRMiL26du5XX8evItITN0DsvmXL/kcd h29LK7LM5uLw7efz0Qxs03G6kEyIHVkacowHi5I5Ul1qI61SoV3yMB1TjIU+bXZt 0ZjC07totO0fqPOLQxonjQg= ------END PRIVATE KEY----- \ No newline at end of file +-----END PRIVATE KEY----- diff --git a/src/common/grpc/tests/tls/server.pem b/src/common/grpc/tests/tls/server.pem index bc7a85bd5daf..4cc97bcf4b6d 100644 --- a/src/common/grpc/tests/tls/server.pem +++ b/src/common/grpc/tests/tls/server.pem @@ -24,4 +24,4 @@ RHM7w9/4+a9LXtEDYg4IP/1mm0ywBoUqy1O6hA73uId+Yi/kFBks/GyYaGjKgYcO 23B75tkPGYEdGuGZYLzZNHbXg4V0UxFQG3KA1pUiSnD3bN2Rxs+CMpzORnOeK3xi EooKgAPYsehItoQOMPpccI2xHdSAMWtwUgOKrefUQujkx2Op+KFlspF0+WJ6AZEe 2D4hyWaEZsvvILXapwqHDCuN3/jSUlTIqUoE1w== ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE-----