feat: Add TLS support for gRPC service

[poltao]

I hereby agree to the terms of the GreptimeDB CLA.

Refer to a related PR or issue link (optional)

close #3336

What's changed and what's your intention?

• Add grpc service tls configure
• use tonic::transport::ServerTlsConfig

Checklist

• I have written the necessary rustdoc comments.
• I have added the necessary unit tests and integration tests.
• This PR requires documentation updates.

[sunng87]

It's great to see this! Thank you @realtaobo!

Before we get deep, I want to make sure that actually there are two types of grpc communications in GreptimeDB cluster:

• the client-server grpc: by which our sdk talks to the frontends.
• the intra-cluster grpc: by which frontends/datanodes/metasrvs talks to each other.

If we are going to implement both, we need to make sure that they may or must use different tls configuration including certificates/keys/modes. We will need separated configuration items for that.

I will recommend you to do them in separated patches. Perhaps with this one, we focus on the client-server grpc first.

[poltao]

I will recommend you to do them in separated patches. Perhaps with this one, we focus on the client-server grpc first.

Yes, you're right, and PR becoming clearer. Let me revert the changes of DataNode. And the intra-cluster grpc tls will be impl in next patches.

[codecov]

Codecov Report

Attention: Patch coverage is 95.55556% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 85.16%. Comparing base (614643e) to head (1172458).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3957      +/-   ##
==========================================
- Coverage   85.47%   85.16%   -0.31%     
==========================================
  Files         980      980              
  Lines      170117   170158      +41     
==========================================
- Hits       145406   144914     -492     
- Misses      24711    25244     +533     

[sunng87]

Please let me know when the patch is ready for review @realtaobo , thank you!

[poltao]

@sunng87 PTAL

[sunng87]

It mostly looks good to me. If you have time, you may want to look into tonic to see if there is a chance to make certificate reloadable without restarting the server.

[poltao]

There seem to be there things to do:

• Support the intra-cluster grpc communications with TLS, from comment
• Refactored DatanodeOptions, that is replace some grpc config(max_recv_message_size, etc.) with GrpcOptions, from comment
• It seems that grpc,mysql,pg are all using the same TLS configuration directly. We could refactor these with: Reading the TLS configuration from config file firstly, from comment

---

I believe these tasks should be deferred to the future PRs, and we should keep the PR simple for now. @sunng87 @zyy17 How do you think so?

[zyy17]

There seem to be there things to do:

• Support the intra-cluster grpc communications with TLS, from comment
• Refactored DatanodeOptions, that is replace some grpc config(max_recv_message_size, etc.) with GrpcOptions, from comment
• It seems that grpc,mysql,pg are all using the same TLS configuration directly. We could refactor these with: Reading the TLS configuration from config file firstly, from comment

I believe these tasks should be deferred to the future PRs, and we should keep the PR simple for now. @sunng87 @zyy17 How do you think so?

I think so. Thank you for your summary! 😊

[zyy17]

LGTM