This is an automated email from the ASF dual-hosted git repository.

hanahmily pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-banyandb.git


The following commit(s) were added to refs/heads/main by this push:
     new b331ba01 Introducing TLS in HTTP server. Resolves : apache/skywalking 
[BanyanDB]#9759 (#245)
b331ba01 is described below

commit b331ba01837d6ac5b80d846e3a774563fd814842
Author: Pranjal Joshi <[email protected]>
AuthorDate: Fri Feb 3 14:51:49 2023 +0530

    Introducing TLS in HTTP server. Resolves : apache/skywalking 
[BanyanDB]#9759 (#245)
    
    * Introducing TLS in HTTP server. Resolves : apache/skywalking 
[BanyanDB]#9759
    
    Co-authored-by: Gao Hongtao <[email protected]>
---
 banyand/liaison/http/server.go | 55 +++++++++++++++++++++++++++++++++++++-----
 docs/installation.md           | 17 +++++++++----
 pkg/test/setup/setup.go        |  2 +-
 3 files changed, 62 insertions(+), 12 deletions(-)

diff --git a/banyand/liaison/http/server.go b/banyand/liaison/http/server.go
index 6008bc90..5a8ec23d 100644
--- a/banyand/liaison/http/server.go
+++ b/banyand/liaison/http/server.go
@@ -28,8 +28,10 @@ import (
 
        "github.com/go-chi/chi/v5"
        "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+       "github.com/pkg/errors"
        "go.uber.org/multierr"
        "google.golang.org/grpc"
+       "google.golang.org/grpc/credentials"
        "google.golang.org/grpc/credentials/insecure"
 
        databasev1 
"github.com/apache/skywalking-banyandb/api/proto/banyandb/database/v1"
@@ -44,6 +46,10 @@ import (
 var (
        _ run.Config  = (*service)(nil)
        _ run.Service = (*service)(nil)
+
+       errServerCert = errors.New("http: invalid server cert file")
+       errServerKey  = errors.New("http: invalid server key file")
+       errNoAddr     = errors.New("http: no address")
 )
 
 // NewService return a http service.
@@ -61,16 +67,44 @@ type service struct {
        srv          *http.Server
        listenAddr   string
        grpcAddr     string
+       creds        credentials.TransportCredentials
+       keyFile      string
+       certFile     string
+       grpcCert     string
+       tls          bool
 }
 
 func (p *service) FlagSet() *run.FlagSet {
-       flagSet := run.NewFlagSet("")
+       flagSet := run.NewFlagSet("http")
        flagSet.StringVar(&p.listenAddr, "http-addr", ":17913", "listen addr 
for http")
-       flagSet.StringVar(&p.grpcAddr, "grpc-addr", "localhost:17912", "the 
grpc addr")
+       flagSet.StringVar(&p.grpcAddr, "http-grpc-addr", "localhost:17912", 
"http server redirect grpc requests to this address")
+       flagSet.StringVarP(&p.certFile, "http-cert-file", "", "", "the TLS cert 
file of http server")
+       flagSet.StringVarP(&p.keyFile, "http-key-file", "", "", "the TLS key 
file of http server")
+       flagSet.StringVarP(&p.grpcCert, "http-grpc-cert-file", "", "", "the 
grpc TLS cert file if grpc server enables tls")
+       flagSet.BoolVarP(&p.tls, "http-tls", "", false, "connection uses TLS if 
true, else plain HTTP")
        return flagSet
 }
 
 func (p *service) Validate() error {
+       if p.listenAddr == "" {
+               return errNoAddr
+       }
+       if p.grpcCert != "" {
+               creds, errTLS := credentials.NewClientTLSFromFile(p.grpcCert, 
"")
+               if errTLS != nil {
+                       return errors.Wrap(errTLS, "failed to load the grpc 
cert")
+               }
+               p.creds = creds
+       }
+       if !p.tls {
+               return nil
+       }
+       if p.certFile == "" {
+               return errServerCert
+       }
+       if p.keyFile == "" {
+               return errServerKey
+       }
        return nil
 }
 
@@ -101,9 +135,11 @@ func (p *service) PreRun() error {
 func (p *service) Serve() run.StopNotify {
        var ctx context.Context
        ctx, p.clientCloser = context.WithCancel(context.Background())
-       opts := []grpc.DialOption{
-               // TODO: add TLS
-               grpc.WithTransportCredentials(insecure.NewCredentials()),
+       opts := make([]grpc.DialOption, 0, 1)
+       if p.creds == nil {
+               opts = append(opts, 
grpc.WithTransportCredentials(insecure.NewCredentials()))
+       } else {
+               opts = append(opts, grpc.WithTransportCredentials(p.creds))
        }
        client, err := newHealthCheckClient(ctx, p.l, p.grpcAddr, opts)
        if err != nil {
@@ -130,9 +166,16 @@ func (p *service) Serve() run.StopNotify {
        p.mux.Mount("/api", http.StripPrefix("/api", gwMux))
        go func() {
                p.l.Info().Str("listenAddr", p.listenAddr).Msg("Start liaison 
http server")
-               if err := p.srv.ListenAndServe(); err != http.ErrServerClosed {
+               var err error
+               if p.tls {
+                       err = p.srv.ListenAndServeTLS(p.certFile, p.keyFile)
+               } else {
+                       err = p.srv.ListenAndServe()
+               }
+               if err != http.ErrServerClosed {
                        p.l.Error().Err(err)
                }
+
                close(p.stopCh)
        }()
        return p.stopCh
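Review bot: The new `ListenAndServeTLS` branch introduces failure modes (bad cert path, key mismatch) whose error flows into the unchanged `p.l.Error().Err(err)` on the following line, which has no terminating `.Msg()`/`.Send()`; if `p.l` is the zerolog-style logger the `Info().Str().Msg()` call above suggests, that event is never written and the server exits silently with only `close(p.stopCh)` as a signal. Suggest `p.l.Error().Err(err).Msg("liaison http server stopped unexpectedly")`, and comparing with `!errors.Is(err, http.ErrServerClosed)` rather than `!=` so a wrapped error is still recognized. The blank line added before `close(p.stopCh)` looks like stray whitespace. Serve's closing brace lies outside this hunk.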
diff --git a/docs/installation.md b/docs/installation.md
index edc82e86..c81204ec 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -127,18 +127,25 @@ Usage:
    standalone [flags]
 
 Flags:
-  --addr string                          the address of banyand listens 
(default ":17912")
+      --addr string                          the address of banyand listens 
(default ":17912")
       --cert-file string                     the TLS cert file
       --etcd-listen-client-url string        A URL to listen on for client 
traffic (default "http://localhost:2379";)
       --etcd-listen-peer-url string          A URL to listen on for peer 
traffic (default "http://localhost:2380";)
-      --grpc-addr string                     the grpc addr (default 
"localhost:17912")
   -h, --help                                 help for standalone
       --http-addr string                     listen addr for http (default 
":17913")
+      --http-cert-file string                the TLS cert file of http server
+      --http-grpc-addr string                http server redirect grpc 
requests to this address (default "localhost:17912")
+      --http-grpc-cert-file string           the grpc TLS cert file if grpc 
server enables tls
+      --http-key-file string                 the TLS key file of http server
+      --http-tls                             connection uses TLS if true, else 
plain HTTP
       --key-file string                      the TLS key file
-      --logging.env string                   the logging (default "dev")
-      --logging.level string                 the level of logging (default 
"info")
+      --logging.env string                   the logging (default "prod")
+      --logging.level string                 the root level of logging 
(default "info")
+      --logging.levels stringArray           the level logging of logging
+      --logging.modules stringArray          the specific module
       --max-recv-msg-size int                the size of max receiving message 
(default 10485760)
       --measure-block-mem-size int           block memory size (default 
16777216)
+      --measure-idx-batch-wait-sec int       index batch wait in second 
(default 1)
       --measure-root-path string             the root path of database 
(default "/tmp")
       --measure-seriesmeta-mem-size int      series metadata memory size 
(default 1048576)
       --metadata-root-path string            the root path of metadata 
(default "/tmp")
@@ -148,8 +155,8 @@ Flags:
       --show-rungroup-units                  show rungroup units
       --stream-block-mem-size int            block memory size (default 
8388608)
       --stream-global-index-mem-size int     global index memory size (default 
2097152)
+      --stream-idx-batch-wait-sec int        index batch wait in second 
(default 1)
       --stream-root-path string              the root path of database 
(default "/tmp")
       --stream-seriesmeta-mem-size int       series metadata memory size 
(default 1048576)
       --tls                                  connection uses TLS if true, else 
plain TCP
-  -v, --version                              version for standalone
 ```
diff --git a/pkg/test/setup/setup.go b/pkg/test/setup/setup.go
index e172455f..3c75a191 100644
--- a/pkg/test/setup/setup.go
+++ b/pkg/test/setup/setup.go
@@ -51,7 +51,7 @@ func Common(flags ...string) (string, string, func()) {
        ff := []string{
                "--addr=" + addr,
                "--http-addr=" + httpAddr,
-               "--grpc-addr=" + addr,
+               "--http-grpc-addr=" + addr,
                "--stream-root-path=" + path,
                "--measure-root-path=" + path,
                "--metadata-root-path=" + path,
