gRPC: 如何开启 TLS/SSL?

2021-12-13 00:22:30 浏览数 (1)

介绍

本文将介绍如何在 gRPC 微服务中开启 TLS/SSL,我就是我们常说的 https。

我们将会使用 rk-boot 来启动 gRPC 服务。

请访问如下地址获取完整教程:

https://rkdev.info/cn

https://rkdocs.netlify.app/cn (备用)

生成 Self-Signed Certificate

用户可以从各大云厂商购买证书,或者使用 cfssl 创建自定义证书。

我们介绍如何在本地生成证书。

1.下载 cfssl & cfssljson 命令行

推荐使用 rk 命令行来下载。

代码语言:txt复制
$ go get -u github.com/rookie-ninja/rk/cmd/rk
$ rk install cfssl
$ rk install cfssljson

官网下载

代码语言:txt复制
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/cfssljson

2.生成 CA

代码语言:txt复制
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

根据需要修改 ca-config.json 和 ca-csr.json。

代码语言:txt复制
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3.生成服务端证书

server.csrserver.pemserver-key.pem 将会被生成。

代码语言:txt复制
$ cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json | cfssljson -bare server

安装

代码语言:txt复制
go get github.com/rookie-ninja/rk-boot
go get github.com/rookie-ninja/rk-grpc

快速开始

rk-boot 支持通过如下方式让 gRPC 服务获取证书。

  • 本地文件系统
  • 远程文件系统
  • Consul
  • ETCD

我们先看看如何从本地获取证书并启动。

1.创建 boot.yaml

在这个例子中,我们只启动服务端的证书。其中,locale 用于区分不同环境下 cert。

请参考之前的文章了解详情:gRPC: 基于云原生环境,区分配置文件

代码语言:txt复制
---
cert:
  - name: "local-cert"                     # Required
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS
    commonService:
      enabled: true

2.创建 main.go

代码语言:txt复制
package main

import (
	"context"
	"github.com/rookie-ninja/rk-boot"
	_ "github.com/rookie-ninja/rk-grpc/boot"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	// Bootstrap
	boot.Bootstrap(context.Background())

	// Wait for shutdown sig
	boot.WaitForShutdownSig(context.Background())
}

3.文件夹结构

代码语言:txt复制
.
├── boot.yaml
├── cert
│   ├── server-key.pem
│   └── server.pem
├── go.mod
├── go.sum
└── main.go

1 directory, 6 files

4.启动 main.go

代码语言:txt复制
$ go run main.go

5.验证

  • 发送 Restful 请求$ curl -X GET --insecure https://localhost:8080/rk/v1/healthy {"healthy":true}
  • 发送 grpc 请求$ grpcurl -insecure localhost:8080 rk.api.v1.RkCommonService.Healthy { "healthy": true }

架构

参数介绍

1.从本地读取证书

配置项

详情

需要

默认值

cert.localFs.name

本地文件系统获取器名称

""

cert.localFs.locale

遵从 locale: <realm>::<region>::<az>::<domain>

""

cert.localFs.serverCertPath

服务器证书路径

""

cert.localFs.serverKeyPath

服务器证书密钥路径

""

cert.localFs.clientCertPath

客户端证书路径

""

cert.localFs.clientCertPath

客户端证书密钥路径

""

  • 例子
代码语言:txt复制
---
cert:
  - name: "local-cert"                     # Required
    description: "Description of entry"    # Optional
    provider: "localFs"                    # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    enableReflection: true
    cert:
      ref: "local-cert"                    # Enable grpc TLS

2.从远程文件服务读取证书

配置项

详情

需要

默认值

cert.remoteFs.name

远程文件服务获取器名称

""

cert.remoteFs.locale

遵从 locale:<realm>::<region>::<az>::<domain>

""

cert.remoteFs.endpoint

远程地址: http://x.x.x.x 或者 x.x.x.x

N/A

cert.remoteFs.basicAuth

Basic auth: <user:pass>.

""

cert.remoteFs.serverCertPath

服务器证书路径

""

cert.remoteFs.serverKeyPath

服务器证书密钥路径

""

cert.remoteFs.clientCertPath

客户端证书路径

""

cert.remoteFs.clientCertPath

客户端证书密钥路径

""

  • 例子
代码语言:txt复制
---
cert:
  - name: "remote-cert"                    # Required
    description: "Description of entry"    # Optional
    provider: "remoteFs"                   # Required, etcd, consul, localFs, remoteFs are supported options
    endpoint: "localhost:8081"             # Required, both http://x.x.x.x or x.x.x.x are acceptable
    locale: "*::*::*::*"                   # Required, default: ""
    serverCertPath: "cert/server.pem"      # Optional, default: "", path of certificate on local FS
    serverKeyPath: "cert/server-key.pem"   # Optional, default: "", path of certificate on local FS
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "remote-cert"                   # Enable grpc TLS

3.从 Consul 读取证书

配置项

详情

需要

默认值

cert.consul.name

Consul 获取器名称

""

cert.consul.locale

遵从 locale: <realm>::<region>::<az>::<domain>

""

cert.consul.endpoint

Consul 地址: http://x.x.x.x or x.x.x.x

N/A

cert.consul.datacenter

Consul 数据中心

""

cert.consul.token

Consul 访问密钥

""

cert.consul.basicAuth

Consul Basic auth,格式:<user:pass>.

""

cert.consul.serverCertPath

服务器证书路径

""

cert.consul.serverKeyPath

服务器证书密钥路径

""

cert.consul.clientCertPath

服务器证书密钥路径

""

cert.consul.clientCertPath

服务器证书密钥路径

""

  • 例子
代码语言:txt复制
---
cert:
  - name: "consul-cert"                    # Required
    provider: "consul"                     # Required, etcd, consul, localFS, remoteFs are supported options
    description: "Description of entry"    # Optional
    locale: "*::*::*::*"                   # Required, ""
    endpoint: "localhost:8500"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    datacenter: "dc1"                      # Optional, default: "", consul datacenter
    serverCertPath: "server.pem"           # Optional, default: "", key of value in consul
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in consul
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "consul-cert"                   # Enable grpc TLS

4.从 ETCD 读取证书

配置项

详情

需要

默认值

cert.etcd.name

ETCD 获取器名称

""

cert.etcd.locale

遵从 locale: <realm>::<region>::<az>::<domain>

""

cert.etcd.endpoint

ETCD 地址:http://x.x.x.x or x.x.x.x

N/A

cert.etcd.basicAuth

ETCD basic auth,格式:<user:pass>.

""

cert.etcd.serverCertPath

服务器证书路径

""

cert.etcd.serverKeyPath

服务器证书路径

""

cert.etcd.clientCertPath

客户端证书路径

""

cert.etcd.clientCertPath

客户端证书密钥路径

""

  • 例子
代码语言:txt复制
---
cert:
  - name: "etcd-cert"                      # Required
    description: "Description of entry"    # Optional
    provider: "etcd"                       # Required, etcd, consul, localFs, remoteFs are supported options
    locale: "*::*::*::*"                   # Required, default: ""
    endpoint: "localhost:2379"             # Required, http://x.x.x.x or x.x.x.x both acceptable.
    serverCertPath: "server.pem"           # Optional, default: "", key of value in etcd
    serverKeyPath: "server-key.pem"        # Optional, default: "", key of value in etcd
grpc:
  - name: greeter
    port: 8080
    enabled: true
    cert:
      ref: "etcd-cert"                   # Enable grpc TLS
微服务 SSL证书ssl grpc rk-boot tls 证书

0 人点赞