// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: BUSL-1.1 package external import ( "time" "github.com/armon/go-metrics" middleware "github.com/grpc-ecosystem/go-grpc-middleware" recovery "github.com/grpc-ecosystem/go-grpc-middleware/recovery" "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/keepalive" "github.com/hashicorp/consul/agent/consul/rate" agentmiddleware "github.com/hashicorp/consul/agent/grpc-middleware" "github.com/hashicorp/consul/tlsutil" ) var ( metricsLabels = []metrics.Label{{ Name: "server_type", Value: "external", }} ) // NewServer constructs a gRPC server for the external gRPC port, to which // handlers can be registered. func NewServer(logger agentmiddleware.Logger, metricsObj *metrics.Metrics, tls *tlsutil.Configurator, limiter rate.RequestLimitsHandler) *grpc.Server { if metricsObj == nil { metricsObj = metrics.Default() } recoveryOpts := agentmiddleware.PanicHandlerMiddlewareOpts(logger) unaryInterceptors := []grpc.UnaryServerInterceptor{ // Add middlware interceptors to recover in case of panics. recovery.UnaryServerInterceptor(recoveryOpts...), } streamInterceptors := []grpc.StreamServerInterceptor{ // Add middlware interceptors to recover in case of panics. recovery.StreamServerInterceptor(recoveryOpts...), agentmiddleware.NewActiveStreamCounter(metricsObj, metricsLabels).Intercept, } if tls != nil { // Attach TLS middleware if TLS is provided. authInterceptor := agentmiddleware.AuthInterceptor{TLS: tls, Logger: logger} unaryInterceptors = append(unaryInterceptors, authInterceptor.InterceptUnary) streamInterceptors = append(streamInterceptors, authInterceptor.InterceptStream) } opts := []grpc.ServerOption{ grpc.MaxConcurrentStreams(2048), grpc.MaxRecvMsgSize(50 * 1024 * 1024), grpc.InTapHandle(agentmiddleware.ServerRateLimiterMiddleware(limiter, agentmiddleware.NewPanicHandler(logger), logger)), grpc.StatsHandler(agentmiddleware.NewStatsHandler(metricsObj, metricsLabels)), middleware.WithUnaryServerChain(unaryInterceptors...), middleware.WithStreamServerChain(streamInterceptors...), grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ // This must be less than the keealive.ClientParameters Time setting, otherwise // the server will disconnect the client for sending too many keepalive pings. // Currently the client param is set to 30s. MinTime: 15 * time.Second, }), } if tls != nil { // Attach TLS credentials, if provided. tlsCreds := agentmiddleware.NewOptionalTransportCredentials( credentials.NewTLS(tls.IncomingGRPCConfig()), logger) opts = append(opts, grpc.Creds(tlsCreds)) } return grpc.NewServer(opts...) }