consul/agent/grpc-external/server.go

package external

import (
	"time"

	middleware "github.com/grpc-ecosystem/go-grpc-middleware"
	recovery "github.com/grpc-ecosystem/go-grpc-middleware/recovery"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/keepalive"

	agentmiddleware "github.com/hashicorp/consul/agent/grpc-middleware"
	"github.com/hashicorp/consul/tlsutil"
	"github.com/hashicorp/go-hclog"
)

// NewServer constructs a gRPC server for the external gRPC port, to which
// handlers can be registered.
func NewServer(logger agentmiddleware.Logger, tls *tlsutil.Configurator) *grpc.Server {
	recoveryOpts := agentmiddleware.PanicHandlerMiddlewareOpts(logger)

	opts := []grpc.ServerOption{
		grpc.MaxConcurrentStreams(2048),
		middleware.WithUnaryServerChain(
			// Add middlware interceptors to recover in case of panics.
			recovery.UnaryServerInterceptor(recoveryOpts...),
		),
		middleware.WithStreamServerChain(
			// Add middlware interceptors to recover in case of panics.
			recovery.StreamServerInterceptor(recoveryOpts...),
		),
		grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{
			// This must be less than the keealive.ClientParameters Time setting, otherwise
			// the server will disconnect the client for sending too many keepalive pings.
			// Currently the client param is set to 30s.
			MinTime: 15 * time.Second,
		}),
	}
	if tls != nil && tls.GRPCServerUseTLS() {
		creds := credentials.NewTLS(tls.IncomingGRPCConfig())
		opts = append(opts, grpc.Creds(creds))
	}
	return grpc.NewServer(opts...)
}

// BuildExternalGRPCServers constructs two gRPC servers for the external gRPC ports.
// This function exists because behavior for the original `ports.grpc` is dependent on
// whether the new `ports.grpc_tls` is defined. This behavior should be simplified in
// a future release so that the `ports.grpc` is always plain-text and not dependent on
// the `ports.grpc_tls` configuration.
func BuildExternalGRPCServers(grpcPort int, grpcTLSPort int, t *tlsutil.Configurator, l hclog.InterceptLogger) (grpc, grpcTLS *grpc.Server) {
	if grpcPort > 0 {
		// TODO: remove this deprecated behavior in a future version and only support plain-text for this port.
		if grpcTLSPort > 0 {
			// Use plain-text if the new grpc_tls port is configured.
			grpc = NewServer(l.Named("grpc.external"), nil)
		} else {
			// Otherwise, check TLS configuration to determine whether to encrypt (for backwards compatibility).
			grpc = NewServer(l.Named("grpc.external"), t)
			if t != nil && t.GRPCServerUseTLS() {
				l.Warn("deprecated gRPC TLS configuration detected. Consider using `ports.grpc_tls` instead")
			}
		}
	}
	if grpcTLSPort > 0 {
		if t.GRPCServerUseTLS() {
			grpcTLS = NewServer(l.Named("grpc_tls.external"), t)
		} else {
			l.Error("error starting gRPC TLS server", "error", "port is set, but invalid TLS configuration detected")
		}
	}
	return
}
grpc: rename public/private directories to external/internal (#13721) Previously, public referred to gRPC services that are both exposed on the dedicated gRPC port and have their definitions in the proto-public directory (so were considered usable by 3rd parties). Whereas private referred to services on the multiplexed server port that are only usable by agents and other servers. Now, we're splitting these definitions, such that external/internal refers to the port and public/private refers to whether they can be used by 3rd parties. This is necessary because the peering replication API needs to be exposed on the dedicated port, but is not (yet) suitable for use by 3rd parties. 2022-07-13 15:33:48 +00:00			`package external`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00
			`import (`
Added new auto_encrypt.grpc_server_tls config option to control AutoTLS enabling of GRPC Server's TLS usage Fix for #14253 Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2022-08-24 16:31:38 +00:00			`"time"`

Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`middleware "github.com/grpc-ecosystem/go-grpc-middleware"`
			`recovery "github.com/grpc-ecosystem/go-grpc-middleware/recovery"`
			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/credentials"`
peerstream: set keepalive enforcement to 15s (#13796) The client is set to send keepalive pings every 30s. The server keepalive enforcement must be set to a number less than that, otherwise it will disconnect clients for sending pings too often. MinTime governs the minimum amount of time between pings. 2022-07-18 23:12:03 +00:00			`"google.golang.org/grpc/keepalive"`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00
grpc: rename public/private directories to external/internal (#13721) Previously, public referred to gRPC services that are both exposed on the dedicated gRPC port and have their definitions in the proto-public directory (so were considered usable by 3rd parties). Whereas private referred to services on the multiplexed server port that are only usable by agents and other servers. Now, we're splitting these definitions, such that external/internal refers to the port and public/private refers to whether they can be used by 3rd parties. This is necessary because the peering replication API needs to be exposed on the dedicated port, but is not (yet) suitable for use by 3rd parties. 2022-07-13 15:33:48 +00:00			`agentmiddleware "github.com/hashicorp/consul/agent/grpc-middleware"`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`"github.com/hashicorp/consul/tlsutil"`
Add separate grpc_tls port. To ease the transition for users, the original gRPC port can still operate in a deprecated mode as either plain-text or TLS mode. This behavior should be removed in a future release whenever we no longer support this. The resulting behavior from this commit is: `ports.grpc > 0 && ports.grpc_tls > 0` spawns both plain-text and tls ports. `ports.grpc > 0 && grpc.tls == undefined` spawns a single plain-text port. `ports.grpc > 0 && grpc.tls != undefined` spawns a single tls port (backwards compat mode). 2022-08-19 17:07:22 +00:00			`"github.com/hashicorp/go-hclog"`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`)`

grpc: rename public/private directories to external/internal (#13721) Previously, public referred to gRPC services that are both exposed on the dedicated gRPC port and have their definitions in the proto-public directory (so were considered usable by 3rd parties). Whereas private referred to services on the multiplexed server port that are only usable by agents and other servers. Now, we're splitting these definitions, such that external/internal refers to the port and public/private refers to whether they can be used by 3rd parties. This is necessary because the peering replication API needs to be exposed on the dedicated port, but is not (yet) suitable for use by 3rd parties. 2022-07-13 15:33:48 +00:00			`// NewServer constructs a gRPC server for the external gRPC port, to which`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`// handlers can be registered.`
			`func NewServer(logger agentmiddleware.Logger, tls tlsutil.Configurator) grpc.Server {`
			`recoveryOpts := agentmiddleware.PanicHandlerMiddlewareOpts(logger)`

			`opts := []grpc.ServerOption{`
			`grpc.MaxConcurrentStreams(2048),`
			`middleware.WithUnaryServerChain(`
			`// Add middlware interceptors to recover in case of panics.`
			`recovery.UnaryServerInterceptor(recoveryOpts...),`
			`),`
			`middleware.WithStreamServerChain(`
			`// Add middlware interceptors to recover in case of panics.`
			`recovery.StreamServerInterceptor(recoveryOpts...),`
			`),`
peerstream: set keepalive enforcement to 15s (#13796) The client is set to send keepalive pings every 30s. The server keepalive enforcement must be set to a number less than that, otherwise it will disconnect clients for sending pings too often. MinTime governs the minimum amount of time between pings. 2022-07-18 23:12:03 +00:00			`grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{`
			`// This must be less than the keealive.ClientParameters Time setting, otherwise`
			`// the server will disconnect the client for sending too many keepalive pings.`
			`// Currently the client param is set to 30s.`
			`MinTime: 15 * time.Second,`
			`}),`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`}`
Added new auto_encrypt.grpc_server_tls config option to control AutoTLS enabling of GRPC Server's TLS usage Fix for #14253 Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2022-08-24 16:31:38 +00:00			`if tls != nil && tls.GRPCServerUseTLS() {`
Restructure gRPC server setup (#12586) OSS sync of enterprise changes at 0b44395e 2022-03-22 12:40:24 +00:00			`creds := credentials.NewTLS(tls.IncomingGRPCConfig())`
			`opts = append(opts, grpc.Creds(creds))`
			`}`
			`return grpc.NewServer(opts...)`
			`}`
Add separate grpc_tls port. To ease the transition for users, the original gRPC port can still operate in a deprecated mode as either plain-text or TLS mode. This behavior should be removed in a future release whenever we no longer support this. The resulting behavior from this commit is: `ports.grpc > 0 && ports.grpc_tls > 0` spawns both plain-text and tls ports. `ports.grpc > 0 && grpc.tls == undefined` spawns a single plain-text port. `ports.grpc > 0 && grpc.tls != undefined` spawns a single tls port (backwards compat mode). 2022-08-19 17:07:22 +00:00
			`// BuildExternalGRPCServers constructs two gRPC servers for the external gRPC ports.`
			// This function exists because behavior for the original `ports.grpc` is dependent on
			// whether the new `ports.grpc_tls` is defined. This behavior should be simplified in
			// a future release so that the `ports.grpc` is always plain-text and not dependent on
			// the `ports.grpc_tls` configuration.
			`func BuildExternalGRPCServers(grpcPort int, grpcTLSPort int, t tlsutil.Configurator, l hclog.InterceptLogger) (grpc, grpcTLS grpc.Server) {`
			`if grpcPort > 0 {`
			`// TODO: remove this deprecated behavior in a future version and only support plain-text for this port.`
			`if grpcTLSPort > 0 {`
			`// Use plain-text if the new grpc_tls port is configured.`
			`grpc = NewServer(l.Named("grpc.external"), nil)`
			`} else {`
			`// Otherwise, check TLS configuration to determine whether to encrypt (for backwards compatibility).`
			`grpc = NewServer(l.Named("grpc.external"), t)`
			`if t != nil && t.GRPCServerUseTLS() {`
			l.Warn("deprecated gRPC TLS configuration detected. Consider using `ports.grpc_tls` instead")
			`}`
			`}`
			`}`
			`if grpcTLSPort > 0 {`
			`if t.GRPCServerUseTLS() {`
			`grpcTLS = NewServer(l.Named("grpc_tls.external"), t)`
			`} else {`
			`l.Error("error starting gRPC TLS server", "error", "port is set, but invalid TLS configuration detected")`
			`}`
			`}`
			`return`
			`}`