Description
Product: Tarantool
Root document: https://www.tarantool.io/en/doc/latest/reference/configuration/#box-cfg-params
https://www.tarantool.io/en/enterprise_doc/security/#traffic-encryption ?
SME: @Gerold103
Details
Multilisten is a feature which allows Tarantool to listen on multiple ports at the same time (>= Tarantool 2.10.0-beta2).
SSL is a Tarantool Enterprise feature which allows encrypting the traffic.
The features are united by the fact that box.cfg.listen is not equal to what is used for connecting to the instance.
In case of multilisten, box.cfg.listen is an array of URIs while replica_object.uri in vshard config should be a single URI.
In case of SSL, box.cfg.listen should have a certificate and a private key and an optional password. The connect-URI can have no options, or have a CA-certificate to validate the server, or have its own cert and a private key to be validated by the server. Other combinations of parameters might be possible.
There are 2 ways to use the features.
The first way: in the common section of vshard config specify only replica_object.uri values. Then on the needed storages pass the listen option in the root of the config. It works for all box.cfg options, not only for listen. Example of multilisten usage:
    -- For storage_1_a:
    {
        sharding = {
            ['storage_1_uuid'] = {
                replicas = {
                    ['storage_1_a_uuid'] = {
                        uri = 'storage:storage@127.0.0.1:3301',
                        name = 'storage_1_a',
                    },
                },
            },
        },
        listen = {
            'storage:storage@127.0.0.1:3301',
            'storage:storage@127.0.0.1:3302',
        },
    }
    -- For other storages and all routers:
    {
        sharding = {
            ['storage_1_uuid'] = {
                replicas = {
                    ['storage_1_a_uuid'] = {
                        uri = 'storage:storage@127.0.0.1:3301',
                        name = 'storage_1_a',
                    },
                },
            },
        },
    }
Similar with SSL.
The second way: use a new config option, replica_object.listen.
Example of SSL usage (Tarantool Enterprise only):
    {
        sharding = {
            ['storage_1_uuid'] = {
                replicas = {
                    ['storage_1_a_uuid'] = {
                        -- Used by routers and other storages to connect.
                        uri = {
                            uri = 'storage:storage@127.0.0.1:3301',
                            params = {
                                -- 'ssl' turns encryption on; 'plain' is unencrypted.
                                transport = 'ssl',
                                ssl_ca_file = ca_file,
                            }
                        },
                        -- Used by the instance itself for box.cfg.listen.
                        listen = {
                            uri = 'storage:storage@127.0.0.1:3301',
                            params = {
                                transport = 'ssl',
                                ssl_cert_file = cert_1_a_file,
                                ssl_key_file = key_1_a_file,
                            }
                        },
                        name = 'storage_1_a',
                    },
                },
            },
        },
    }
Similar with multilisten.
All routers and other storages will use the value in uri to connect to the instance. The instance itself will use the value from listen for box.cfg.listen.
VShard supports multilisten and SSL since 0.1.20 (not released
yet).
Requested by @Gerold103 in tarantool/vshard@caa33da.
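
As an added example (not part of the issue or of vshard's code), a plain-Lua check over one replica entry that flags a uri/listen pair whose SSL parameters would not take effect or do not match. The function names, the file names and the sample table are constructed for illustration, and URI query-string parameters are not parsed.

```lua
-- Added example, not vshard code; norm, transport and lint_replica are hypothetical names.
-- Only table-form params are inspected; a bare string URI is treated as 'plain'.
local function norm(v)
    if type(v) == 'string' then return {{uri = v, params = {}}} end
    if v.uri or v.params then
        return {{uri = v.uri or v[1], params = v.params or {}}}
    end
    local out = {}
    for _, item in ipairs(v) do out[#out + 1] = norm(item)[1] end
    return out
end

local function transport(e) return e.params.transport or 'plain' end

-- True when ssl_* params are present but the transport is not 'ssl'.
local function ssl_params_unused(e)
    if transport(e) == 'ssl' then return false end
    for k in pairs(e.params) do
        if type(k) == 'string' and k:find('^ssl_') then return true end
    end
    return false
end

local function lint_replica(replica)
    local problems, offered = {}, {}
    local function add(e, msg) problems[#problems + 1] = (e.uri or '?') .. ': ' .. msg end
    -- Assumption: without a listen value the instance listens on uri.
    for _, l in ipairs(norm(replica.listen or replica.uri)) do
        offered[transport(l)] = true
        if ssl_params_unused(l) then add(l, 'listen has ssl_* params but transport is not ssl') end
        if transport(l) == 'ssl' and not (l.params.ssl_cert_file and l.params.ssl_key_file) then
            add(l, 'ssl listen needs ssl_cert_file and ssl_key_file')
        end
    end
    local c = norm(replica.uri)[1]
    if ssl_params_unused(c) then add(c, 'uri has ssl_* params but transport is not ssl') end
    if not offered[transport(c)] then add(c, 'uri transport is not offered by any listen entry') end
    if transport(c) == 'ssl' and not c.params.ssl_ca_file then
        add(c, 'no ssl_ca_file, so the server certificate is not validated')
    end
    return problems
end

-- Constructed sample: cert, key and CA are set, but transport stays 'plain'.
local replica = {
    uri = {uri = 'storage:storage@127.0.0.1:3301', params = {ssl_ca_file = 'ca.crt'}},
    listen = {uri = 'storage:storage@127.0.0.1:3301',
              params = {ssl_cert_file = 'server.crt', ssl_key_file = 'server.key'}},
}
for _, msg in ipairs(lint_replica(replica)) do print(msg) end
```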