Comments (7)
from grpc-go.
Hi @TalLerner, a possible solution is to implement your own TransportCredentials that delegates to TLS credentials created using one of the available constructors. Your custom TransportCredentials can provide the option to switch the delegate during runtime. An example of such a TransportCredentials implementation is as follows:
```go
package main

import (
	"context"
	"fmt"
	"net"
	"sync"

	"google.golang.org/grpc/credentials"
)

// DynamicCreds is a TransportCredentials that forwards every call to a
// swappable delegate. Handshakes hold a read lock, so UpdateDelegate waits for
// in-flight handshakes to finish before installing the new credentials.
type DynamicCreds struct {
	delegate credentials.TransportCredentials
	rwMutex  sync.RWMutex
}

func (d *DynamicCreds) ClientHandshake(ctx context.Context, host string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.ClientHandshake(ctx, host, conn)
}

func (d *DynamicCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.ServerHandshake(conn)
}

func (d *DynamicCreds) Info() credentials.ProtocolInfo {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.Info()
}

// Clone wraps a clone of the current delegate; the clone does not follow later updates.
func (d *DynamicCreds) Clone() credentials.TransportCredentials {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return NewDynamicCreds(d.delegate.Clone())
}

func (d *DynamicCreds) OverrideServerName(name string) error {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.OverrideServerName(name)
}

// UpdateDelegate replaces the credentials used by all future handshakes.
func (d *DynamicCreds) UpdateDelegate(newCreds credentials.TransportCredentials) {
	d.rwMutex.Lock()
	defer d.rwMutex.Unlock()
	if newCreds == d {
		fmt.Println("Can't point to self!")
		return
	}
	d.delegate = newCreds
}

func NewDynamicCreds(delegate credentials.TransportCredentials) *DynamicCreds {
	return &DynamicCreds{
		delegate: delegate,
		rwMutex:  sync.RWMutex{},
	}
}
```
You can then create DynamicCreds and use them while starting your server as follows:

```go
// data.Path resolves files under google.golang.org/grpc/examples/data.
serverCertFile := data.Path("x509/server_cert.pem")
serverKeyFile := data.Path("x509/server_key.pem")
serverCreds, err := credentials.NewServerTLSFromFile(serverCertFile, serverKeyFile)
if err != nil {
	log.Fatalf("Failed to generate credentials: %v", err)
}
dynCreds := NewDynamicCreds(serverCreds)
opts := []grpc.ServerOption{grpc.Creds(dynCreds)}
grpcServer := grpc.NewServer(opts...)
```
When you want to change the delegate, you can call dynCreds.UpdateDelegate()
while passing in the new credentials. This way you gain the ability to change only the transport credentials without updating the server options.
I tried this out in arjan-bal/routeguide@b7b0608 which has a server that switches its TLS certs every 5 seconds.
Let me know if this works for you.
from grpc-go.
Another option suggested by @atollena is to create a tls.Config with empty Certificates, write a closure that gets the latest certificates and assign it to the GetCertificate field of the tls.Config. The tls library will call your closure during every handshake to fetch the certificates. Use this tls.Config to create gRPC transport credentials by calling the constructor.
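The GetCertificate approach this comment describes, as an added example that is not part of the original thread or of grpc-go itself. It uses only the Go standard library: CertReloader, RotateAndHandshake and Demo are names chosen here; selfSigned generates a constructed throwaway certificate in place of the files a real server would reload from disk; and the handshake runs over net.Pipe rather than a gRPC listener. Handing the resulting tls.Config to credentials.NewTLS is assumed and not exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// CertReloader holds the live certificate; crypto/tls calls GetCertificate on every handshake,
// so handshakes after Store see the new chain while established connections are untouched.
type CertReloader struct{ cert atomic.Pointer[tls.Certificate] }

func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c := r.cert.Load(); c != nil {
		return c, nil
	}
	return nil, errors.New("certreloader: no certificate loaded") // fail closed, never serve an empty chain
}

// ServerConfig: Certificates left empty, GetCertificate set; gRPC would take it via credentials.NewTLS (assumed).
func (r *CertReloader) ServerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: r.GetCertificate}
}

// selfSigned makes a constructed throwaway leaf for cn (stands in for the pair loaded from disk).
func selfSigned(cn string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeCN: one handshake over net.Pipe, returning the CommonName served. The client pins TLS 1.2 so
// the server sends no post-handshake tickets that would sit unread in the pipe and block its writes.
func handshakeCN(serverCfg *tls.Config) (string, error) {
	cconn, sconn := net.Pipe()
	defer func() { cconn.Close(); sconn.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sconn, serverCfg).Handshake() }()
	cli := tls.Client(cconn, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// RotateAndHandshake installs a new cert named cn (cfg and listener untouched) and reports what the next handshake sees.
func RotateAndHandshake(r *CertReloader, cfg *tls.Config, cn string) (string, error) {
	c, err := selfSigned(cn)
	if err != nil {
		return "", err
	}
	r.cert.Store(c)
	return handshakeCN(cfg)
}

// Demo rotates from "old.example" to "new.example" against a single tls.Config.
func Demo() (before, after string, err error) {
	r := &CertReloader{}
	cfg := r.ServerConfig()
	if before, err = RotateAndHandshake(r, cfg, "old.example"); err != nil {
		return "", "", err
	}
	if after, err = RotateAndHandshake(r, cfg, "new.example"); err != nil {
		return "", "", err
	}
	return before, after, nil
}

func main() {
	before, after, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("first handshake served %q, after rotation %q\n", before, after)
}
```

Two practical points this shows beyond the comment: the callback runs on every handshake, so the expensive work (reading and parsing PEM from disk, or fetching from a secret store) belongs in whatever calls Store on a timer or file-watch, not inside GetCertificate; and an unloaded or unparsable certificate must make GetCertificate return an error so the handshake fails rather than succeeding with an empty chain. Connections already established keep the certificate they negotiated, so a rotation driven by key compromise still needs those connections drained.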
from grpc-go.
This issue is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.