Skip to content

Commit

Permalink
Add Canary TLS support (#5086)
Browse files Browse the repository at this point in the history
* add support for TLS connections by Canary, add development config for Canary with TLS

* update README to include new config option

* remove testing config

---------

Co-authored-by: David Porter <david.porter@uber.com>
Co-authored-by: Shijie Sheng <shengs@uber.com>
Co-authored-by: Zijian <Shaddoll@users.noreply.github.com>
  • Loading branch information
4 people authored Mar 17, 2023
1 parent ff4eab2 commit a3e2774
Show file tree
Hide file tree
Showing 3 changed files with 32 additions and 1 deletion.
1 change: 1 addition & 0 deletions canary/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ cadence:
service: "cadence-frontend" # frontend service name
address: "127.0.0.1:7833" # frontend address
#host: "127.0.0.1:7933" # replace address with host if using Thrift for compatibility
#tlsCaFile: "path/to/file" # give file path to TLS CA file if TLS is enabled on the Cadence server
#metrics: ... # optional detailed client side metrics like workflow latency. But for monitoring, simply use server side metrics `workflow_success` is enough.
```
- **Metrics**: metrics configuration. Similar to server metric emitter, only M3/Statsd/Prometheus is supported.
Expand Down
2 changes: 2 additions & 0 deletions canary/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,8 @@ type (
ThriftHostNameAndPort string `yaml:"host"`
// gRPC host name and port
GRPCHostNameAndPort string `yaml:"address"`
// TLS cert file if TLS is enabled on the Cadence server
TLSCAFile string `yaml:"tlsCaFile"`
}
)

Expand Down
30 changes: 29 additions & 1 deletion canary/runner.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,20 @@ import (
"sync"
"time"

"crypto/tls"
"crypto/x509"
"io/ioutil"

"go.uber.org/cadence/.gen/go/cadence/workflowserviceclient"
"go.uber.org/cadence/compatibility"
"go.uber.org/yarpc"
"go.uber.org/yarpc/api/transport"
"go.uber.org/yarpc/peer"
"go.uber.org/yarpc/peer/hostport"
"go.uber.org/yarpc/transport/grpc"
"go.uber.org/yarpc/transport/tchannel"
"go.uber.org/zap"
"google.golang.org/grpc/credentials"

apiv1 "github.com/uber/cadence-idl/go/proto/api/v1"

Expand Down Expand Up @@ -59,10 +67,30 @@ func NewCanaryRunner(cfg *Config) (Runnable, error) {
var dispatcher *yarpc.Dispatcher
var runtimeContext *RuntimeContext
if cfg.Cadence.GRPCHostNameAndPort != "" {
var outbounds transport.Outbounds
if cfg.Cadence.TLSCAFile != "" {
caCert, err := ioutil.ReadFile(cfg.Cadence.TLSCAFile)
if err != nil {
logger.Fatal("Failed to load server CA certificate", zap.Error(err))
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
logger.Fatal("Failed to add server CA certificate", zap.Error(err))
}
tlsConfig := tls.Config{
RootCAs: caCertPool,
}
tlsCreds := credentials.NewTLS(&tlsConfig)
grpcTransport := grpc.NewTransport()
tlsChooser := peer.NewSingle(hostport.Identify(cfg.Cadence.GRPCHostNameAndPort), grpcTransport.NewDialer(grpc.DialerCredentials(tlsCreds)))
outbounds = transport.Outbounds{Unary: grpcTransport.NewOutbound(tlsChooser)}
} else {
outbounds = transport.Outbounds{Unary: grpc.NewTransport().NewSingleOutbound(cfg.Cadence.GRPCHostNameAndPort)}
}
dispatcher = yarpc.NewDispatcher(yarpc.Config{
Name: CanaryServiceName,
Outbounds: yarpc.Outbounds{
cfg.Cadence.ServiceName: {Unary: grpc.NewTransport().NewSingleOutbound(cfg.Cadence.GRPCHostNameAndPort)},
cfg.Cadence.ServiceName: outbounds,
},
})
clientConfig := dispatcher.ClientConfig(cfg.Cadence.ServiceName)
Expand Down

0 comments on commit a3e2774

Please # to comment.