chore: Handle TLS (#120)
* chore: Handle TLS on RPC bootstrapping

* update cargo lock

* Update IAC on CD as well
gonzalezzfelipe authored Sep 9, 2024
1 parent 2569859 commit 22a0569
Showing 11 changed files with 133 additions and 66 deletions.
1 change: 1 addition & 0 deletions .github/iac/main.tf
Expand Up @@ -78,5 +78,6 @@ module "fabric_rpc" {
email_ses_access_key_id = local.email_ses_access_key_id
email_ses_secret_access_key = local.email_ses_secret_access_key
email_ses_verified_email = local.email_ses_verified_email
url_prefix = "rpc-stg"
}

28 changes: 28 additions & 0 deletions Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -12,7 +12,7 @@ anyhow = "1.0.86"
async-trait = "0.1.80"
sqlx = { version = "0.7.4", features = ["runtime-tokio-rustls", "sqlite", "chrono"] }
tokio = { version = "1.38.0", features = ["macros", "rt-multi-thread", "time"] }
tonic = "0.11.0"
tonic = { version = "0.11.0", features = ["tls"] }
serde = { version = "1.0.203", features = ["derive"] }
serde_json = "1.0.117"
tracing = "0.1.40"
26 changes: 26 additions & 0 deletions bootstrap/rpc/cert.tf
@@ -0,0 +1,26 @@
locals {
cert_secret_name = "rpc-tls"
}

resource "kubernetes_manifest" "certificate_cluster_wildcard_tls" {
manifest = {
"apiVersion" = "cert-manager.io/v1"
"kind" = "Certificate"
"metadata" = {
"name" = local.cert_secret_name
"namespace" = var.namespace
}
"spec" = {
"dnsNames" = [
"${var.url_prefix}.${var.dns_zone}"
]

"issuerRef" = {
"kind" = "ClusterIssuer"
"name" = "letsencrypt-dns01"
}
"secretName" = local.cert_secret_name
}
}
}
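Review bot: The resource is named `certificate_cluster_wildcard_tls` but `dnsNames` lists the single host `${var.url_prefix}.${var.dns_zone}`, so the name overstates what is issued; `kubernetes_manifest.certificate_rpc_tls` would match the `rpc-tls` secret it produces. The issuer reference is hard-coded to `letsencrypt-dns01`, which ties every environment that instantiates this module to one ClusterIssuer; a `variable "cluster_issuer"` with that value as its default keeps current behaviour while letting a staging deployment point at a staging issuer. The `secretName` is consumed by the StatefulSet in the same module, so renaming the Terraform resource does not affect the mount.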

10 changes: 10 additions & 0 deletions bootstrap/rpc/main.tf
Expand Up @@ -77,6 +77,16 @@ variable "email_ses_verified_email" {
default = "[email protected]"
}

variable "url_prefix" {
type = string
default = "rpc"
}

variable "dns_zone" {
type = string
default = "demeter.run"
}

variable "replicas" {
type = number
default = 1
4 changes: 4 additions & 0 deletions bootstrap/rpc/rpc.toml.tftpl
Expand Up @@ -10,6 +10,10 @@ client_id="${auth0_client_id}"
client_secret="${auth0_client_secret}"
audience="${auth0_audience}"

[tls]
ssl_crt_path = "/certs/tls.crt"
ssl_key_path = "/certs/tls.key"

[stripe]
url = "https://api.stripe.com/v1"
api_key = "${stripe_api_key}"
24 changes: 15 additions & 9 deletions bootstrap/rpc/service.tf
@@ -1,21 +1,27 @@
resource "kubernetes_service_v1" "fabric_rpc_service" {
resource "kubernetes_service_v1" "service" {
metadata {
name = "rpc"
namespace = var.namespace
name = "fabric-rpc"
annotations = {
"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" : "instance"
"service.beta.kubernetes.io/aws-load-balancer-scheme" : "internet-facing"
"service.beta.kubernetes.io/aws-load-balancer-type" : "external"
}
}

spec {
type = "ClusterIP"
load_balancer_class = "service.k8s.aws/nlb"
selector = {
role = local.role
}

port {
name = "grpc"
port = local.port
protocol = "TCP"
name = "api"
port = 443
target_port = local.port
protocol = "TCP"
}

selector = {
role = local.role
}
type = "LoadBalancer"
}
}
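Review bot: Renaming the resource from `kubernetes_service_v1.fabric_rpc_service` to `kubernetes_service_v1.service` changes its Terraform address, so the next apply will destroy the old Service and create a new one unless a `moved` block mapping the old address to the new one is added beside the resource; with `type = "LoadBalancer"` that also means a fresh NLB hostname. Nothing in this diff creates a DNS record for `${var.url_prefix}.${var.dns_zone}` pointing at that load balancer — if an external-dns controller or a record outside this repository is expected to do so, a comment on the service naming it would help, otherwise the certificate from cert.tf is issued for a name that does not resolve to this listener. Because the annotations mark the load balancer `internet-facing`, port 443 becomes reachable from anywhere and TLS terminates inside the pod, so the listener is only encrypted as long as the `[tls]` section in rpc.toml.tftpl is always rendered.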
13 changes: 13 additions & 0 deletions bootstrap/rpc/sts.tf
Expand Up @@ -56,6 +56,7 @@ resource "kubernetes_stateful_set_v1" "rpc" {
}

port {
name = "api"
container_port = local.port
}

Expand All @@ -74,6 +75,11 @@ resource "kubernetes_stateful_set_v1" "rpc" {
mount_path = "/fabric/crds"
}

volume_mount {
mount_path = "/certs"
name = "certs"
}

resources {
limits = {
cpu = var.resources.limits.cpu
Expand All @@ -100,6 +106,13 @@ resource "kubernetes_stateful_set_v1" "rpc" {
}
}

volume {
name = "certs"
secret {
secret_name = local.cert_secret_name
}
}

dynamic "toleration" {
for_each = var.tolerations

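Review bot: The new `volume_mount` for `certs` is not marked read-only, so the container can overwrite the private key and certificate projected from the `rpc-tls` secret; add `read_only = true` inside that `volume_mount` block. The enclosing `kubernetes_stateful_set_v1.rpc` resource starts and ends outside these hunks. Note also that when cert-manager renews the certificate and updates the secret, the server in src/drivers/grpc/mod.rs has already read the files once at startup, so a pod restart (or a reload mechanism) is needed before the renewed certificate is served — worth a comment on the `volume` block so the operational step is not forgotten.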
51 changes: 0 additions & 51 deletions bootstrap/services/main.tf

This file was deleted.

15 changes: 14 additions & 1 deletion src/bin/rpc.rs
Expand Up @@ -2,7 +2,10 @@ use std::{collections::HashMap, env, path::PathBuf, time::Duration};

use anyhow::Result;
use dotenv::dotenv;
use fabric::drivers::{cache::CacheConfig, grpc::GrpcConfig};
use fabric::drivers::{
cache::CacheConfig,
grpc::{GrpcConfig, GrpcTlsConfig},
};
use serde::{de::Visitor, Deserialize, Deserializer};
use tokio::try_join;
use tracing::Level;
Expand Down Expand Up @@ -55,6 +58,11 @@ struct EmailConfig {
ses_verified_email: String,
}
#[derive(Debug, Clone, Deserialize)]
struct TlsConfig {
ssl_crt_path: PathBuf,
ssl_key_path: PathBuf,
}
#[derive(Debug, Clone, Deserialize)]
struct Config {
addr: String,
db_path: String,
Expand All @@ -64,6 +72,7 @@ struct Config {
stripe: StripeConfig,
secret: String,
topic: String,
tls: Option<TlsConfig>,
kafka_producer: HashMap<String, String>,
kafka_consumer: HashMap<String, String>,
}
Expand Down Expand Up @@ -102,6 +111,10 @@ impl From<Config> for GrpcConfig {
ses_secret_access_key: value.email.ses_secret_access_key,
ses_region: value.email.ses_region,
ses_verified_email: value.email.ses_verified_email,
tls_config: value.tls.map(|value| GrpcTlsConfig {
ssl_key_path: value.ssl_key_path,
ssl_crt_path: value.ssl_crt_path,
}),
}
}
}
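Review bot: In `From<Config> for GrpcConfig` the closure parameter in `value.tls.map(|value| GrpcTlsConfig { ... })` shadows the outer `value: Config`, which reads as if the whole config were being mapped into the TLS struct; `tls_config: value.tls.map(|tls| GrpcTlsConfig { ssl_key_path: tls.ssl_key_path, ssl_crt_path: tls.ssl_crt_path }),` makes the narrowing explicit. The new `TlsConfig` struct carries no doc comment; `/// PEM certificate and private key for the gRPC listener; when the section is absent the server runs without TLS.` states the contract that the `Option<TlsConfig>` field encodes. The `From` impl begins outside the hunk.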
25 changes: 21 additions & 4 deletions src/drivers/grpc/mod.rs
Expand Up @@ -9,8 +9,10 @@ use std::path::PathBuf;
use std::str::FromStr;
use std::time::Duration;
use std::{path::Path, sync::Arc};
use tonic::transport::Server;
use tonic::Status;
use tonic::{
transport::{Identity, Server, ServerTlsConfig},
Status,
};
use tracing::{error, info};

use dmtri::demeter::ops::v1alpha::project_service_server::ProjectServiceServer;
Expand Down Expand Up @@ -99,9 +101,18 @@ pub async fn server(config: GrpcConfig) -> Result<()> {

let address = SocketAddr::from_str(&config.addr)?;

info!(address = config.addr, "Server running");
let mut server = if let Some(tls) = config.tls_config {
let cert = std::fs::read_to_string(tls.ssl_crt_path)?;
let key = std::fs::read_to_string(tls.ssl_key_path)?;
let identity = Identity::from_pem(cert, key);

Server::builder().tls_config(ServerTlsConfig::new().identity(identity))?
} else {
Server::builder()
};

Server::builder()
info!(address = config.addr, "Server running");
server
.add_service(reflection)
.add_service(project_service)
.add_service(resource_service)
Expand All @@ -113,6 +124,11 @@ pub async fn server(config: GrpcConfig) -> Result<()> {
Ok(())
}

pub struct GrpcTlsConfig {
pub ssl_crt_path: PathBuf,
pub ssl_key_path: PathBuf,
}

pub struct GrpcConfig {
pub addr: String,
pub db_path: String,
Expand All @@ -131,6 +147,7 @@ pub struct GrpcConfig {
pub ses_secret_access_key: String,
pub ses_region: String,
pub ses_verified_email: String,
pub tls_config: Option<GrpcTlsConfig>,
}

impl From<Error> for Status {
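Review bot: The certificate and key are read once in `server` and fixed into `Identity::from_pem`, so a renewed `rpc-tls` secret from cert-manager is not served until the process restarts; the new `GrpcTlsConfig` should say so, e.g. `/// Paths to a PEM certificate chain and private key; both are read once at startup, so a renewed certificate needs a restart.` The two `std::fs::read_to_string(...)?` calls on the `ssl_crt_path` and `ssl_key_path` lines propagate a bare I/O error with no file name, so a missing or unreadable mount surfaces as just "No such file or directory"; if this module's `Result` is anyhow's, `.with_context(|| format!("reading TLS certificate {}", tls.ssl_crt_path.display()))` on each read (passing `&tls.ssl_crt_path` so the path is still available for the message) would name the offending file. `server` begins outside the hunk.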
