Documentation ¶
Overview ¶
Package grpctls implements dynamic TLS credential support for gRPC.
Example ¶
// Create the shared metrics observer. One observer is registered with
// Prometheus and covers both the inbound (server) and outbound (client)
// side of this process.
obs, err := tlsprom.NewObserver(tlsprom.WithGRPC())
check(err)
prometheus.MustRegister(obs)

// Static TLS settings that the dynamic config is layered on.
base := &tls.Config{
	// Mutual TLS: when this config is used on the server side, a client
	// certificate is required and its chain is verified. This authenticates
	// the peer only; deciding which authenticated identities may call which
	// RPCs is a separate authorization step not shown here.
	ClientAuth: tls.RequireAndVerifyClientCert,
	// Refuse to negotiate anything older than TLS 1.3.
	MinVersion: tls.VersionTLS13,
}

// Create the shared TLS config.
tlsCfg, err := dynamictls.NewConfig(
	dynamictls.WithObserver(obs),
	dynamictls.WithBase(base),
	dynamictls.WithCertificate(certFile, keyFile),
	// The example uses one CA file for both trust pools. RootCAs is the
	// pool a TLS client uses to verify servers; ClientCAs is the pool a
	// TLS server uses to verify clients. Deployments with separate trust
	// domains would pass different files here.
	dynamictls.WithRootCAs(caFile),
	dynamictls.WithClientCAs(caFile),
	dynamictls.WithHTTP2(), // presumably enables HTTP/2 negotiation, which gRPC needs; confirm in dynamictls docs
)
check(err)
defer tlsCfg.Close()

// Create the shared credentials; the same value secures the outbound
// backend connection and the inbound frontend server below.
tc, err := grpctls.NewCredentials(tlsCfg)
check(err)

// Create the frontend server with a backend client.
dialOpts := []grpc.DialOption{
	grpc.WithTransportCredentials(tc),
	// RPCs wait for the connection to become ready instead of failing fast.
	grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
}
cc, err := grpc.Dial(backendAddr, dialOpts...)
check(err)
defer cc.Close()

server := grpc.NewServer(grpc.Creds(tc))
pb.RegisterTestServiceServer(server, &testServer{
	backend: pb.NewTestServiceClient(cc),
})

// Listen and serve.
// NB: use a plain listener. grpc.Creds makes the server run the TLS
// handshake on each accepted connection, so the listener itself must not
// already be wrapped in TLS.
ln, err := net.Listen("tcp", addr)
check(err)
check(server.Serve(ln))
Output:
Example (Client) ¶
// Create the metrics observer for a gRPC client.
obs, err := tlsprom.NewObserver(
	tlsprom.WithGRPC(),
	tlsprom.WithClient(),
)
check(err)
prometheus.MustRegister(obs)

// Static TLS settings that the dynamic config is layered on.
base := &tls.Config{
	// Refuse to negotiate anything older than TLS 1.3.
	MinVersion: tls.VersionTLS13,
}

// Create the TLS config.
tlsCfg, err := dynamictls.NewConfig(
	dynamictls.WithObserver(obs),
	dynamictls.WithBase(base),
	// Key pair for this client; presumably presented when the server asks
	// for a client certificate (mutual TLS). Confirm in dynamictls docs.
	dynamictls.WithCertificate(certFile, keyFile),
	// RootCAs is the pool a TLS client uses to verify the server's
	// certificate chain.
	dynamictls.WithRootCAs(caFile),
	dynamictls.WithHTTP2(), // presumably enables HTTP/2 negotiation, which gRPC needs; confirm in dynamictls docs
)
check(err)
defer tlsCfg.Close()

// Create the client with credentials.
tc, err := grpctls.NewCredentials(tlsCfg)
check(err)

dialOpts := []grpc.DialOption{
	grpc.WithTransportCredentials(tc),
	// RPCs wait for the connection to become ready instead of failing fast.
	grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
}
cc, err := grpc.Dial(addr, dialOpts...)
check(err)
defer cc.Close()

svc := pb.NewTestServiceClient(cc)

// use client
_ = svc
Output:
Example (Server) ¶
// Create the metrics observer for a gRPC server.
obs, err := tlsprom.NewObserver(
	tlsprom.WithGRPC(),
	tlsprom.WithServer(),
)
check(err)
prometheus.MustRegister(obs)

// Static TLS settings that the dynamic config is layered on.
base := &tls.Config{
	// Mutual TLS: a client certificate is required and its chain is
	// verified. This authenticates the peer only; deciding which
	// authenticated identities may call which RPCs is a separate
	// authorization step not shown here.
	ClientAuth: tls.RequireAndVerifyClientCert,
	// Refuse to negotiate anything older than TLS 1.3.
	MinVersion: tls.VersionTLS13,
}

// Create the TLS config.
tlsCfg, err := dynamictls.NewConfig(
	dynamictls.WithObserver(obs),
	dynamictls.WithBase(base),
	dynamictls.WithCertificate(certFile, keyFile),
	dynamictls.WithRootCAs(caFile), // NB: metrics use RootCAs to verify local cert expiration
	// ClientCAs is the pool a TLS server uses to verify client
	// certificates; the example reuses the same CA file as RootCAs.
	dynamictls.WithClientCAs(caFile),
	dynamictls.WithHTTP2(), // presumably enables HTTP/2 negotiation, which gRPC needs; confirm in dynamictls docs
)
check(err)
defer tlsCfg.Close()

// Create the server with credentials.
tc, err := grpctls.NewCredentials(tlsCfg)
check(err)

server := grpc.NewServer(grpc.Creds(tc))
pb.RegisterTestServiceServer(server, &testServer{})

// Listen and serve.
// NB: use a plain listener. grpc.Creds makes the server run the TLS
// handshake on each accepted connection, so the listener itself must not
// already be wrapped in TLS.
ln, err := net.Listen("tcp", addr)
check(err)
check(server.Serve(ln))
Output:
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewCredentials ¶
func NewCredentials(config *dynamictls.Config) (credentials.TransportCredentials, error)
NewCredentials returns gRPC transport credentials based on the given dynamic TLS config.
Types ¶
This section is empty.