wu-sheng commented on a change in pull request #7565:
URL: https://github.com/apache/skywalking/pull/7565#discussion_r699437159



##########
File path: docs/en/setup/backend/grpc-security.md
##########
@@ -44,3 +44,28 @@ gRPCSslCertChainPath: /path/to/server.crt
 Since `sharding-server` only receives data from an external source, it doesn't 
need a CA at all.
 
 If you port to Java agent, refer to [the Java agent 
repo](http://github.com/apache/skywalking-java) to config java agent and enable 
TLS.
+
+## mutual TLS mode
+
+To enable `mTLS` mode for gRPC channel requires [Sharing gRPC 
Server](./backend-receivers.md/#grpchttp-server-for-receiver) enabled, as 
following configuration. 
+
+```properties
+receiver-sharing-server:
+  selector: ${SW_RECEIVER_SHARING_SERVER:default}
+  default:
+    # For gRPC server
+    gRPCHost: ${SW_RECEIVER_GRPC_HOST:0.0.0.0}
+    gRPCPort: ${SW_RECEIVER_GRPC_PORT:11801}
+    maxConcurrentCallsPerConnection: ${SW_RECEIVER_GRPC_MAX_CONCURRENT_CALL:0}
+    maxMessageSize: ${SW_RECEIVER_GRPC_MAX_MESSAGE_SIZE:0}
+    gRPCThreadPoolQueueSize: ${SW_RECEIVER_GRPC_POOL_QUEUE_SIZE:0}
+    gRPCThreadPoolSize: ${SW_RECEIVER_GRPC_THREAD_POOL_SIZE:0}
+    gRPCSslEnabled: ${SW_RECEIVER_GRPC_SSL_ENABLED:true}
+    gRPCSslKeyPath: ${SW_RECEIVER_GRPC_SSL_KEY_PATH:"/path/to/server.pem"}
+    gRPCSslCertChainPath: 
${SW_RECEIVER_GRPC_SSL_CERT_CHAIN_PATH:"/path/to/server.crt"}
+    gRPCSslTrustedCAsPath: 
${SW_RECEIVER_GRPC_SSL_TRUSTED_CAS_PATH:"/path/to/ca.crt"}
+    authentication: ${SW_AUTHENTICATION:""}
+```
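Review bot: The link target in the added introductory sentence, `./backend-receivers.md/#grpchttp-server-for-receiver`, has a `/` between the file name and the fragment, which is likely to break as a relative Markdown link; `./backend-receivers.md#grpchttp-server-for-receiver` is the usual form. In the same hunk the sample is fenced as `properties` although its content is nested YAML (`receiver-sharing-server:` / `default:`), so `yaml` would be the matching tag. The sentence itself would read more clearly as "Enabling `mTLS` for the gRPC channel requires the Sharing gRPC Server to be enabled, as in the following configuration."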

Review comment:
A question: could you share what the major differences in settings are between mTLS and the `Config OAP server` part?

##########
File path: docs/en/setup/backend/grpc-security.md
##########
@@ -44,3 +44,28 @@ gRPCSslCertChainPath: /path/to/server.crt
 Since `sharding-server` only receives data from an external source, it doesn't 
need a CA at all.
 
 If you port to Java agent, refer to [the Java agent 
repo](http://github.com/apache/skywalking-java) to config java agent and enable 
TLS.
+
+## mutual TLS mode
+
+To enable `mTLS` mode for gRPC channel requires [Sharing gRPC 
Server](./backend-receivers.md/#grpchttp-server-for-receiver) enabled, as 
following configuration. 
+
+```properties
+receiver-sharing-server:
+  selector: ${SW_RECEIVER_SHARING_SERVER:default}
+  default:
+    # For gRPC server
+    gRPCHost: ${SW_RECEIVER_GRPC_HOST:0.0.0.0}
+    gRPCPort: ${SW_RECEIVER_GRPC_PORT:11801}
+    maxConcurrentCallsPerConnection: ${SW_RECEIVER_GRPC_MAX_CONCURRENT_CALL:0}
+    maxMessageSize: ${SW_RECEIVER_GRPC_MAX_MESSAGE_SIZE:0}
+    gRPCThreadPoolQueueSize: ${SW_RECEIVER_GRPC_POOL_QUEUE_SIZE:0}
+    gRPCThreadPoolSize: ${SW_RECEIVER_GRPC_THREAD_POOL_SIZE:0}
+    gRPCSslEnabled: ${SW_RECEIVER_GRPC_SSL_ENABLED:true}
+    gRPCSslKeyPath: ${SW_RECEIVER_GRPC_SSL_KEY_PATH:"/path/to/server.pem"}
+    gRPCSslCertChainPath: 
${SW_RECEIVER_GRPC_SSL_CERT_CHAIN_PATH:"/path/to/server.crt"}
+    gRPCSslTrustedCAsPath: 
${SW_RECEIVER_GRPC_SSL_TRUSTED_CAS_PATH:"/path/to/ca.crt"}
+    authentication: ${SW_AUTHENTICATION:""}
+```
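Review bot: The new section never says which setting makes this mutual rather than one-way TLS. `gRPCSslTrustedCAsPath` is the only CA-related key in the sample, yet the unchanged context line directly above it states that the sharing server "doesn't need a CA at all", so the two passages appear to conflict as written. Suggest adding a sentence that names the key or keys that turn on client-certificate verification and says what the CA file is checked against, plus a line on why `authentication: ${SW_AUTHENTICATION:""}` appears in the sample, since the added text does not mention it.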

Review comment:
And this is not documented yet:
https://github.com/apache/skywalking/pull/7565#discussion_r698094625.

Could you polish the whole document and make the whole doc clearer?



